Configure Proton as a resource provider

This section describes how to configure Proton so that it can accept and process an AccessToken from a Domino-db based application. When Proton receives a Domino-db request which includes an AccessToken makes an introspection call to the IAM service to verify the access token and to obtain the user information associated with the access token.

Verify the connection to the IAM introspection endpoint

Proton makes the introspection call to the IAM service with an HTTPS request. Run the following command from the Domino server console to verify that it can connect to the IAM service endpoint and to inspect the certificates for the connection.

c:\>echo "badreq" | openssl  s_client -connect auth.jumbocloudservices.com:7443 --quiet
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = auth.jumbocloudservices.com
verify return:1
HTTP/1.1 400 Bad Request
Connection: close

read:errno=0

The Bad Request text in the output is expected. You can ignore it.

HTTP/1.1 400 Bad Request
Connection: close

The command above reports the certificates used by the IAM service that it connects to. Verify that the certificates reported, except for the last one, are installed into the Domino server keyring file as trusted roots. This guide uses the keyring file name appsdb1.kyr.

C:\> kyrtool.exe show roots -k appsdb1.kyr
Using keyring path 'appsdb1.kyr'

Trust Anchors:

Anchor 0 (name)

CN=DST Root CA X3/O=Digital Signature Trust Co.

Anchor 0 (cert)

Subject:        CN=DST Root CA X3/O=Digital Signature Trust Co.
Issuer:         CN=DST Root CA X3/O=Digital Signature Trust Co.
Not Before: 09/30/2000 05:12:19 PM
Not After:  09/30/2021 10:01:15 AM
Public Key Alg: rsaEncryption
Fingerprint:    Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys=
Key length:     2048 bits
Signature Alg:  sha1WithRSAEncryption

Anchor 1 (name)

CN=Let's Encrypt Authority X3/O=Let's Encrypt/C=US

Anchor 1 (cert)

Subject:        CN=Let's Encrypt Authority X3/O=Let's Encrypt/C=US
Issuer:         CN=DST Root CA X3/O=Digital Signature Trust Co.
Not Before: 03/17/2016 12:40:46 PM
Not After:  03/17/2021 12:40:46 PM
Public Key Alg: rsaEncryption
Fingerprint:    YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=
Key length:     2048 bits
Signature Alg:  sha256WithRSAEncryption

...

Configure the resource provider

Use the IAM Admin (e.g. https://auth.jumbocloudservices.com:8443) to create the resource provider for Proton. In this step you provide:

1. The Domino Resource Provider name, which is a unique name in IAM Admin.
2. The Domino Resource Provider description, which is a free-form description field.

The IAM Admin generates the following data:

1. Domino Resource Provider id
2. Domino Resource Provider secret

The id and secret are the introspection credentials.

Configure the introspection credentials

This step adds the introspection configuration into the credential store. The introspection configuration includes:

1. The configuration name. This name must be configured in Proton.
2. The introspection credentials as generated above.
3. The introspection URI. This is the URL to IAM service endpoint verified above.

Use the oauthcfg tool to manage the introspection configuration for the Domino server. Run the tool from the command line, not the Domino server console. This is some basic help from the tool:

C:\>oauthcfg
Usage: oauthcfg [--version] 

Supported commands:
   create      
   delete   Delete introspection configuration
   list  List introspection configurations matching name. Blank name lists all.

Use the following command to create a new introspection configuration entry with the name proton-addin.

C:\>oauthcfg create proton-addin 34378bf4-777c-4a7b-9eaa-9e8b630b38c9 LG958uYNQUm7UQyDnIBTUf0dDkQ/Dq4r2HkMRQaPTbUaC40cvTsRUMiy/DJm8QRx https://auth.jumbocloudservices.com:7443/token/introspection
Credentials created successfully

Verify the contents of the introspection configuration using the following command. The Domino Resource Provider secret is not shown.

C:\>oauthcfg list
name:proton-addin id:34378bf4-777c-4a7b-9eaa-9e8b630b38c9 URI:https://auth.jumbocloudservices.com:7443/token/introspection

Configure Proton

Use the Proton Configuration page for a complete description of the settings. Set the following settings in your Domino server's configuration settings document in adpconfig.nsf. There should already be a new configuration document in the database for the Domino server and you will need to update it.

• Set Enable Act-as-User Tokes to enabled.
• Set IAM Client Configuration Name to proton-addin to specify the oauth-key-name for the credentials that Proton will use to access the IAM service.

Use the restart task proton Domino server console command to restart Proton.

> restart task proton
[0648:0002-0BCC] 12/12/2019 08:32:21.09 AM PROTON> Server stopping
[0648:0002-0BCC] 12/12/2019 08:32:21.12 AM PROTON> Server exited
[06A8:0002-06AC] 12/12/2019 08:32:25.98 AM PROTON> Build 0.5.0
[06A8:0002-06AC] 12/12/2019 08:32:25.98 AM PROTON> Server initializing
[06A8:0002-06AC] 12/12/2019 08:32:26.04 AM PROTON> Listening on 0.0.0.0:3003, SSL-ENABLED
[06A8:0002-06AC] 12/12/2019 08:32:26.04 AM PROTON> Server initialized