Install the IAM service
The following installation steps are typical of a Node.js-based application:
- create a new directory.
- expand a .zip or .tgz file as distributed by the developer into the new directory.
- install prerequisite packages using the package manager.
- [optionally] create or provide additional files needed by the Node.js application.
- [optionally] execute a setup script and provide additional configuration data.
Create the IAM service directory
For this installation, the IAM service code and some configuration data live in the
c:\iam directory. Create the new directory, then expand
domino-iam-service-1.6.1.tgz into the empty directory.
Recent versions of Windows include tar.exe, which can expand the .tgz file that comes with the Domino AppDev Pack. If your version of Windows does not include tar.exe, you will need to install a tool for expanding the .tgz file.
c:\>mkdir c:\iam
c:\>cd \iam
c:\iam>c:\windows\System32\tar.exe xvf \temp\domino-iam-service-1.6.1.tgz
x ./
x ./admin-client/
x ./config/
x ./dependencies/
x ./iam-server.js
x ./package-lock.json
x ./package.json
x ./template/
x ./utility/
x ./views/
x ./admin-client/favicon.ico
x ./admin-client/i18n/
x ./admin-client/iam-admin-client.cdee103e.js
x ./admin-client/index.html
x ./config/certs/
x ./dependencies/domino-domino-db-1.7.0.tgz
x ./dependencies/domino-ldapjs-1.0.4.tgz
x ./template/iam-store.ntf
x ./utility/changePassword.js
x ./utility/setup.js
x ./views/_layout.ejs
x ./views/error.ejs
x ./views/interaction.ejs
x ./views/interactionComponent.ejs
x ./views/login.ejs
x ./views/loginComponent.ejs
x ./views/logout.ejs
x ./views/scopeComponent.ejs
x ./views/static/
x ./admin-client/i18n/zh-cn-js.cdee103e.js
x ./config/certs/ca/
x ./views/static/bootstrap-4.3.0.min.css
x ./views/static/service_bg.png
x ./config/certs/ca/README.md
Download and install required packages
Next, install prerequisite packages.
npm is installed with Node.js. The following command downloads and installs
all the packages that the IAM service needs to run. They are installed in
Install the client certificate and private key used to connect to Proton
Next, we copy the following files from the Internal CA directory into the IAM service directory where IAM expects to find them.
iamapp.crt -- the certificate for the IAM functional id, signed by the Internal CA.
iamapp.key -- the password-protected private key for the IAM functional id.
internalca.crt -- the root certificate for the Internal CA. This is copied into the special directory that IAM uses as its trusted-roots store. Any certificate found in the
config\certs\ca directory is a trusted root.
c:\iam>copy \certs\iamapp.crt config\certs\
        1 file(s) copied.
c:\iam>copy \certs\iamapp.key config\certs\
        1 file(s) copied.
c:\iam>copy \certs\internalca.crt config\certs\ca\
        1 file(s) copied.
Verify TLS handshake with Proton
Verify that the IAM service can connect to the Proton add-in task. This test is successful when:
- Proton does not report any errors on the Domino server console related to the test
- The openssl command does not report any errors
This test verifies that:
- The server that is responding is trusted by the Internal CA as identified by the
- Proton is running on the expected hostname/port as specified by the
- Proton can authenticate the client certificate and private key as specified by the
This test does not verify that the client certificate is an authorized user in the Domino directory and has access to any database.
Run the following command to test the connection:
c:\iam>echo x | openssl s_client -connect appsdb1.jumbocloudservices.com:3003 -cert config\certs\iamapp.crt -key config\certs\iamapp.key -CAfile config\certs\ca\internalca.crt -quiet > nul
Enter pass phrase for config\certs\iamapp.key:******
depth=1 O = Jumbo Cloud Services, CN = Internal Certificate Authority
verify return:1
depth=0 O = Jumbo Cloud Servers, CN = appsdb1
verify return:1
read:errno=0
You can remove the -quiet option to view a more detailed log.
Install Let's Encrypt server certificate for IAM service web front end
Next, copy the following files from the well-known CA into the IAM service directory where IAM expects to find them.
auth.jumbocloudservices.com.crt -- the certificate for the IAM service address
auth.jumbocloudservices.com.encrypted.key -- the password-protected private key associated with the certificate above
chain.crt -- the certificate chain for the well-known CA. It is copied into the trusted-roots store.
c:\iam>copy \letsencrypt-certs\auth.jumbocloudservices.com\auth.jumbocloudservices.com.crt config\certs\
        1 file(s) copied.
c:\iam>copy \letsencrypt-certs\auth.jumbocloudservices.com\auth.jumbocloudservices.com.key temp.key
        1 file(s) copied.
c:\iam>openssl rsa -aes256 -in temp.key -out config\certs\auth.jumbocloudservices.com.encrypted.key
writing RSA key
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
c:\iam>del temp.key
c:\iam>copy \letsencrypt-certs\auth.jumbocloudservices.com\chain.crt config\certs\ca\
        1 file(s) copied.