Domino AppDev Pack

1.0.7

Install the IAM service

The following installation steps are typical of a Node.js-based application:

  1. create a new directory.
  2. expand a .zip or .tgz file as distributed by the developer into the new directory.
  3. install prerequisite packages using the package manager.
  4. [optionally] create or provide additional files needed by the Node.js application.
  5. [optionally] execute a setup script and provide additional configuration data.

Create the IAM service directory

For this installation, the IAM service code and some configuration data exist in the c:\iam directory. Create a new directory, expand the domino-iam-service-1.6.1.tgz into the empty directory.

Recent versions of Windows include tar.exe to expand the .tgz file which comes with the Domino AppDev Pack. If your version of Windows does not include tar.exe you will need to install a tool for expanding the .tgz file.

c:\>mkdir c:\iam

c:\>cd \iam

c:\iam>c:\windows\System32\tar.exe xvf \temp\domino-iam-service-1.6.1.tgz
x ./
x ./admin-client/
x ./config/
x ./dependencies/
x ./iam-server.js
x ./package-lock.json
x ./package.json
x ./utility/
x ./views/
x ./admin-client/favicon.ico
x ./admin-client/i18n/
x ./admin-client/iam-admin-client.cdee103e.js
x ./admin-client/index.html
x ./config/certs/
x ./dependencies/domino-domino-db-1.7.0.tgz
x ./dependencies/domino-ldapjs-1.0.4.tgz
x ./utility/changePassword.js
x ./utility/setup.js
x ./views/_layout.ejs
x ./views/error.ejs
x ./views/interaction.ejs
x ./views/interactionComponent.ejs
x ./views/login.ejs
x ./views/loginComponent.ejs
x ./views/logout.ejs
x ./views/scopeComponent.ejs
x ./views/static/
x ./admin-client/i18n/zh-cn-js.cdee103e.js
x ./config/certs/ca/
x ./views/static/bootstrap-4.3.0.min.css
x ./views/static/service_bg.png
x ./config/certs/ca/README.md

Download and install required packages

Next, install prerequisite packages. npm is installed with Node.js. The following command downloads and installs all the packages that the IAM service needs to run. They are installed in c:\iam\node_modules directory.

c:\iam>npm ci

> grpc@1.19.0 install c:\iam\node_modules\grpc
> node-pre-gyp install --fallback-to-build --library=static_library

node-pre-gyp WARN Using request for node-pre-gyp https download
[grpc] Success: "c:\iam\node_modules\grpc\src\node\extension_binary\node-v64-win32-x64-unknown\grpc_node.node" is installed via remote

> @domino/domino-db@1.4.0 install c:\iam\node_modules\@domino\domino-db
> node install.js


> ejs@2.7.3 postinstall c:\iam\node_modules\ejs
> node ./postinstall.js

Thank you for installing EJS: built with the Jake JavaScript build tool (https://jakejs.com/)

added 369 packages in 19.799s

Install the client certificate and private key used to connect to Proton

Next, we copy the following files from the Internal CA directory into the IAM service directory where IAM expects to find them.

  • iamapp.crt -- the certificate related to the IAM functional id, signed by the Internal CA.
  • iamapp.key -- the password-protected private key for the IAM functional id.
  • internalca.crt -- the root certificate for the Internal CA. This is copied into the special directory where IAM uses as the trusted roots trust store. Any certificate found in the config\certs\ca directory is a trusted root.
c:\iam>copy \certs\iamapp.crt config\certs\
        1 file(s) copied.

c:\iam>copy \certs\iamapp.key config\certs\
        1 file(s) copied.

c:\iam>copy \certs\internalca.crt config\certs\ca\
        1 file(s) copied.

Verify TLS handshake with Proton

Verify that the IAM service can connect to the Proton add-in task. This test is successful when:

  1. Proton does not report any errors on the Domino server console related to the test
  2. The openssl command does not report any errors

This test verifies that:

  • The server that is responding is trusted by the Internal CA as identified by the -CAfile option
  • Proton is running on the expected hostname/port as specified by the -connect option
  • Proton can authenticate the client certificate and private key as specified by the -cert and -key options

This test does not verify that the client certificate is an authorized user in the Domino directory and has access to any database.

Run the following command to test the connection:

c:\iam>echo x | openssl s_client -connect appsdb1.jumbocloudservices.com:3003 -cert config\certs\iamapp.crt -key config\certs\iamapp.key -CAfile config\certs\ca\internalca.crt -quiet > nul
Enter pass phrase for config\certs\iamapp.key:******

depth=1 O = Jumbo Cloud Services, CN = Internal Certificate Authority
verify return:1
depth=0 O = Jumbo Cloud Servers, CN = appsdb1
verify return:1
read:errno=0

You can remove the -quiet option to view a more detailed long.

Install Let's Encrypt server certificate for IAM service web front end

Next, copy the following files from the well-known CA into the IAM service directory where IAM expects to find them.

  • auth.jumbocloudservices.com.crt -- the certificate for the IAM service address
  • auth.jumbocloudservices.com.encrypted.key -- the password-protected private key associated with the certificate above
  • chain.crt -- the certificate chain for the well-known CA. It is copied into the trusted roots trust store.
c:\iam>copy \letsencrypt-certs\auth.jumbocloudservices.com\auth.jumbocloudservices.com.crt config\certs\
        1 file(s) copied.

c:\iam>copy \letsencrypt-certs\auth.jumbocloudservices.com\auth.jumbocloudservices.com.key temp.key
        1 file(s) copied.

c:\iam>openssl rsa -aes256 -in temp.key -out config\certs\auth.jumbocloudservices.com.encrypted.key
writing RSA key
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

c:\iam>del temp.key

c:\iam>copy \letsencrypt-certs\auth.jumbocloudservices.com\chain.crt config\certs\ca\
        1 file(s) copied.
Configure IAM functional IDConfigure IAM service database