Install the IAM service
The following installation steps are typical of a Node.js-based application:
- create a new directory.
- expand a .zip or .tgz file as distributed by the developer into the new directory.
- install prerequisite packages using the package manager.
- [optionally] create or provide additional files needed by the Node.js application.
- [optionally] execute a setup script and provide additional configuration data.
Create the IAM service directory
For this installation, the IAM service code and some configuration data live in the c:\iam directory. Create the directory and expand domino-iam-service-1.5.0.tgz into it while it is still empty.
The .tgz file is shipped with the Domino AppDev Pack. Recent versions of Windows include tar.exe, which can expand it; if your version of Windows does not include tar.exe, install a tool that can expand .tgz files.
c:\>mkdir c:\iam
c:\>cd \iam
c:\iam>c:\windows\System32\tar.exe xvf \temp\domino-iam-service-1.5.0.tgz
x ./
x ./admin-client/
x ./config/
x ./dependencies/
x ./iam-server.js
x ./package-lock.json
x ./package.json
x ./template/
x ./utility/
x ./views/
x ./admin-client/favicon.ico
x ./admin-client/i18n/
x ./admin-client/iam-admin-client.cdee103e.js
x ./admin-client/index.html
x ./config/certs/
x ./dependencies/domino-domino-db-1.6.0.tgz
x ./dependencies/domino-ldapjs-1.0.4.tgz
x ./template/iam-store.ntf
x ./utility/changePassword.js
x ./utility/setup.js
x ./views/_layout.ejs
x ./views/error.ejs
x ./views/interaction.ejs
x ./views/interactionComponent.ejs
x ./views/login.ejs
x ./views/loginComponent.ejs
x ./views/logout.ejs
x ./views/scopeComponent.ejs
x ./views/static/
x ./admin-client/i18n/zh-cn-js.cdee103e.js
x ./config/certs/ca/
x ./views/static/bootstrap-4.3.0.min.css
x ./views/static/service_bg.png
x ./config/certs/ca/README.md
Download and install required packages
Next, install the prerequisite packages. npm is installed with Node.js. The following command downloads and installs all the packages the IAM service needs to run into the c:\iam\node_modules directory. npm ci installs exactly the versions recorded in package-lock.json and fails if the lock file and package.json disagree, so the dependency set you run is the one the developer shipped rather than whatever is newest in the registry.
c:\iam>npm ci
> grpc@1.19.0 install c:\iam\node_modules\grpc
> node-pre-gyp install --fallback-to-build --library=static_library
node-pre-gyp WARN Using request for node-pre-gyp https download
[grpc] Success: "c:\iam\node_modules\grpc\src\node\extension_binary\node-v64-win32-x64-unknown\grpc_node.node" is installed via remote
> @domino/domino-db@1.4.0 install c:\iam\node_modules\@domino\domino-db
> node install.js
> ejs@2.7.3 postinstall c:\iam\node_modules\ejs
> node ./postinstall.js
Thank you for installing EJS: built with the Jake JavaScript build tool (https://jakejs.com/)
added 369 packages in 19.799s
Install the client certificate and private key used to connect to Proton
Next, copy the following files from the Internal CA directory into the IAM service directory where IAM expects to find them.
- iamapp.crt -- the certificate for the IAM functional ID, signed by the Internal CA.
- iamapp.key -- the password-protected private key for the IAM functional ID.
- internalca.crt -- the root certificate of the Internal CA. It is copied into the config\certs\ca directory, which IAM uses as its trusted-root store. Any certificate found in that directory is treated as a trusted root, so place only CAs you intend to trust there.
c:\iam>copy \certs\iamapp.crt config\certs\
1 file(s) copied.
c:\iam>copy \certs\iamapp.key config\certs\
1 file(s) copied.
c:\iam>copy \certs\internalca.crt config\certs\ca\
1 file(s) copied.
Verify TLS handshake with Proton
Verify that the IAM service can connect to the Proton add-in task. This test is successful when:
- Proton does not report any errors related to the test on the Domino server console
- the openssl command does not report any errors
This test verifies that:
- the server that responds presents a certificate chain that validates against the Internal CA root given by the -CAfile option
- Proton is listening on the hostname and port given by the -connect option
- Proton accepts the client certificate and private key given by the -cert and -key options
This test does not verify that the client certificate maps to an authorized user in the Domino directory or has access to any database.
Run the following command to test the connection:
c:\iam>echo x | openssl s_client -connect appsdb1.jumbocloudservices.com:3003 -cert config\certs\iamapp.crt -key config\certs\iamapp.key -CAfile config\certs\ca\internalca.crt -quiet > nul
Enter pass phrase for config\certs\iamapp.key:******
depth=1 O = Jumbo Cloud Services, CN = Internal Certificate Authority
verify return:1
depth=0 O = Jumbo Cloud Servers, CN = appsdb1
verify return:1
read:errno=0
You can remove the -quiet option to view a more detailed log. Note that verify return:1 only means s_client continued after checking that certificate; a failed check shows up as a separate verify error line before it. Without -quiet, the summary line Verify return code: 0 (ok) at the end confirms the whole chain validated, and adding -verify_return_error makes openssl abort the handshake on any verification failure instead of continuing.
Install Let's Encrypt server certificate for IAM service web front end
Next, copy the following files from the well-known CA into the IAM service directory where IAM expects to find them.
- auth.jumbocloudservices.com.crt -- the certificate for the IAM service address.
- auth.jumbocloudservices.com.encrypted.key -- the password-protected private key associated with the certificate above.
- chain.crt -- the certificate chain for the well-known CA. It is copied into the trusted-root store.
c:\iam>copy \letsencrypt-certs\auth.jumbocloudservices.com\auth.jumbocloudservices.com.crt config\certs\
1 file(s) copied.
c:\iam>copy \letsencrypt-certs\auth.jumbocloudservices.com\auth.jumbocloudservices.com.key temp.key
1 file(s) copied.
c:\iam>openssl rsa -aes256 -in temp.key -out config\certs\auth.jumbocloudservices.com.encrypted.key
writing RSA key
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
c:\iam>del temp.key
c:\iam>copy \letsencrypt-certs\auth.jumbocloudservices.com\chain.crt config\certs\ca\
1 file(s) copied.
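The checks below are an added example and are not part of the Domino AppDev Pack or its documentation. They cover both certificate installs above (the iamapp client material used toward Proton and the Let's Encrypt material for the web front end), since each pair is checked the same way: does the key decrypt with the passphrase and belong to the certificate, does the certificate chain to the root placed in config\certs\ca, is the key file actually passphrase-protected. It also wraps the page's s_client test so that it fails loudly instead of burying verify errors in the log. It is written for bash with openssl (1.1 or 3.x) on PATH; the openssl invocations are identical with openssl.exe in a Windows command prompt, only the path separators and the mktemp and /dev/null idioms differ. The Test Internal CA, the iamapp and unrelated certificates and the passphrase secret are constructed fixtures generated on the fly, not the page's real files.

```shell
#!/usr/bin/env bash
# Added example, not part of the Domino AppDev Pack: pre-flight checks for the
# certificate material dropped into config\certs, plus a fail-fast version of the
# s_client handshake test. Requires openssl (1.1 or 3.x) on PATH.
set -euo pipefail

# True if the PEM key is passphrase-protected: legacy "Proc-Type: 4,ENCRYPTED"
# (openssl rsa -aes256 on OpenSSL 1.x) or a PKCS#8 "ENCRYPTED PRIVATE KEY" block (3.x).
key_is_encrypted() {
  grep -qE 'Proc-Type: 4,ENCRYPTED|BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# True if private key $2, unlocked with passphrase $3, belongs to certificate $1.
# Compares SHA-256 digests of the DER-encoded public keys instead of eyeballing moduli.
key_matches_cert() {
  local cert=$1 key=$2 pass=$3 cert_pub key_pub
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null \
             | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
  key_pub=$(openssl pkey -in "$key" -passin "pass:$pass" -pubout -outform DER 2>/dev/null \
            | openssl dgst -sha256)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# True if certificate $1 validates against the roots in $2: the same chain check
# s_client performs with -CAfile, without needing the network.
cert_chains_to() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# The page's `openssl rsa -aes256` step, with the passphrase taken from an argument.
encrypt_key() {
  openssl rsa -aes256 -in "$1" -out "$2" -passout "pass:$3" 2>/dev/null
}

# The page's handshake test, made fail-fast: -verify_return_error aborts on any chain
# error instead of logging it and continuing, and -verify_hostname checks that the
# name in the server certificate matches the host you connected to, which s_client
# does not do on its own. Exit status 0 means the mutual-TLS handshake succeeded.
tls_probe() {
  local hostport=$1 cert=$2 key=$3 cafile=$4 pass=$5
  openssl s_client -connect "$hostport" -verify_hostname "${hostport%%:*}" \
    -cert "$cert" -key "$key" -pass "pass:$pass" -CAfile "$cafile" \
    -verify_return_error -quiet </dev/null
}

# Constructed fixtures: a throwaway internal CA, an "iamapp" client certificate it
# signed, and an unrelated self-signed certificate for the negative cases.
make_fixtures() {
  local d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/O=Example/CN=Test Internal CA" \
    -keyout "$d/internalca.key" -out "$d/internalca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/O=Example/CN=iamapp" \
    -keyout "$d/iamapp.plain.key" -out "$d/iamapp.csr" 2>/dev/null
  openssl x509 -req -in "$d/iamapp.csr" -CA "$d/internalca.crt" -CAkey "$d/internalca.key" \
    -CAcreateserial -days 1 -out "$d/iamapp.crt" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=unrelated" \
    -keyout "$d/other.key" -out "$d/other.crt" 2>/dev/null
}

# Stand-alone demo against the fixtures:  bash certcheck.sh --demo
if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d)
  make_fixtures "$d"
  encrypt_key "$d/iamapp.plain.key" "$d/iamapp.key" 'secret'
  key_is_encrypted "$d/iamapp.key"                          && echo "iamapp.key is passphrase-protected"
  key_matches_cert "$d/iamapp.crt" "$d/iamapp.key" 'secret' && echo "iamapp.key belongs to iamapp.crt"
  cert_chains_to "$d/iamapp.crt" "$d/internalca.crt"        && echo "iamapp.crt chains to internalca.crt"
  cert_chains_to "$d/other.crt" "$d/internalca.crt"         || echo "unrelated certificate rejected, as expected"
  rm -rf "$d"
fi
```

Run the three offline checks against config\certs\iamapp.crt, config\certs\iamapp.key and config\certs\ca\internalca.crt before the live test, and again against the Let's Encrypt certificate, the .encrypted.key you produced and chain.crt; a mismatch caught here saves reading Proton console errors later. Two caveats from the steps above: del temp.key removes the directory entry but does not overwrite the bytes, and the unencrypted auth.jumbocloudservices.com.key still sits in \letsencrypt-certs, so that directory needs the same access restrictions as config\certs. And -verify_hostname will only pass against the page's Proton certificate (depth=0 CN = appsdb1) if that certificate also carries the full name appsdb1.jumbocloudservices.com in a subject alternative name; if it fails there, the certificate, not the connection, is what needs fixing.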