Configure Proton
The Domino AppDev Pack kit comes with a Domino add-in task called Proton. Proton runs on the Domino server and provides service to applications written with the domino-db Node.js module. domino-db based applications send requests to Proton over a network connection. Generally, these requests are exchanged over a TLS/SSL connection. The instructions below configure Proton to accept TLS/SSL requests.
Configuration options
On the Domino server console set the following notes.ini variables for the proton add-in task:
> set config proton_listen_address=0.0.0.0
> set config proton_listen_port=3003
> set config proton_ssl=1
> set config proton_authentication=client_cert
> set config proton_keyfile=appsdb1.kyr
> set config proton_actasuser=0
See the Proton Administration page for a complete description of the settings. In summary, these notes.ini variables configure the following:
- Proton listens for connections on port 3003 on any IP address available on the server machine.
- Proton accepts only TLS/SSL connections, authenticated with client certificates, using the key and trusted certificates in the appsdb1.kyr keyring.
- The Proton Act As User feature is disabled, for now. Additional steps to configure and enable it are described later in this guide.
Running Proton
When you load proton, it will report something like this:
> load proton
[13E0:0002-1250] 11/25/2019 12:48:43.13 PM PROTON> Build 0.5.0
[13E0:0002-1250] 11/25/2019 12:48:43.13 PM PROTON> Server initializing
[13E0:0002-1250] 11/25/2019 12:48:43.16 PM PROTON> Listening on 0.0.0.0:3003, SSL-ENABLED
[13E0:0002-1250] 11/25/2019 12:48:43.16 PM PROTON> Server initialized
In addition, you should add proton to the ServerTasks entry in notes.ini so that proton loads automatically when the Domino server starts.
Use the show tasks Domino console command to verify that the task is ready for operation:
> show task
[05DC:0006-02F4] Task Description
[05DC:0006-02F4] Database Server Perform console commands
...
[05DC:0006-02F4] PROTON Listening on 0.0.0.0:3003, SSL-ENABLED
...
Verify Proton is listening and presenting the correct identity
Use the following command to verify that the Proton task is responding to connect requests and is reporting the expected certificate.
c:\>openssl s_client -connect appsdb1.jumbocloudservices.com:3003 --quiet -CAfile c:\certs\internalca.crt
depth=1 O = Jumbo Cloud Services, CN = Internal Certificate Authority
verify return:1
depth=0 O = Jumbo Cloud Servers, CN = appsdb1
verify return:1
write:errno=0
Optionally, you can remove the --quiet flag to get a more detailed log of the TLS handshake.
Proton reports the following expected error on the Domino server console:
[1248:0006-0F98] 12/04/2019 05:13:39.03 PM PROTON> Handshake failed with fatal error SSL_ERROR_SSL: error:100000c0:SSL routines:OPENSSL_internal:PEER_DID_NOT_RETURN_A_CERTIFICATE.
This error is expected because the connect command above does not present a client certificate to the server. The server refuses all clients that do not present a client certificate.