IAM uses a Domino database to store its data. This page describes how to set up the Domino server to host the IAM database.
Set up Proton
To set up Proton, follow the steps in the Proton Administration guide. Be sure to enable the following two settings:
- TLS/SSL connection: PROTON_SSL=1
- Client certificate authentication: PROTON_AUTHENTICATION=client_cert
Set up an ID Vault
The sensitive information stored inside the Domino database need to be encrypted. To provide the encryption support for the data, an ID vault is required. Please follow the official guide to set up the ID vault.
Create functional ID for IAM
Create a Domino functional ID for IAM and ensure that the ID file is synced into ID vault:
- Open Domino Administrator's People & Groups tab, click Tools -> People -> Register... in the right sidebar.
- When prompted, provider the password for the server Cert ID.
- In the opened Register Person dialog, provide a user name and password for the functional ID.
- In the ID Info tab, please ensure that the ID location is in the ID vault.
- Click the green checkmark and Register All button to create the user. The newly created user would be added into ID vault after it created.
Note: Please ensure the functional ID is in ID vault.
Create Proton client certificate for IAM
Create a Proton client certificate bound with the IAM's functional ID. IAM requires this certificate to access Domino. For information on how to create the certificate, see the Proton Administration guide. Below is a cheat sheet of the steps:
- Create private key with passphrase:
openssl genrsa -des3 -out iamapp.key 4096
- Create CSR for the client certificate:
openssl req -new -key iamapp.key -out iamapp.csr -subj "common name" -sha256
Note: you need to update "common name" to the IAM's functional ID's canonical name. The name format looks like:
- Sign with Proton's CA:
The csr file then needs to be signed by your Proton server's Certificate Authority. If the CA is managed by yourself, you can use openssl to sign the certificate like below:
openssl x509 -req -days 365 -in iamapp.csr -CA ca.crt -CAkey ca.key -out iamapp.crt -CAserial ca.seq
Note: the ca.crt, ca.key and ca.seq are the same ones used to sign your Proton Domino server certificate.
- Import the client certificate into functional ID user document.
Generate IAM storage database
The Domino template file
template/iam-store.ntf is provided with the IAM
installation package. Complete the following steps to create a database from it
and to configure the database to store the IAM data.
Create the database with template
Important: Before you create the database, make sure that:
- Your environment supports ODS 53, which is required by the IAM database.
Transaction Loggingis enabled.
For more information, see:
- Copy the
iam-store.ntfinto Domino server
- Open the Files tab in the HCL Domino Administrator.
- Click Top Left menu: File -> Application -> New...
- In the opened dialog, choose your server name from the drop-down list,
input the title as
iam-store, and update the File name to
- In the 'Specify Template for New Application' section, choose your server and select the 'iam-store.ntf' template.
- Click OK to create the application.
- In Files tab, press F9 to refresh the file list to see iam-store.nsf.
Give the IAM's functional ID access to the database
IAM's functional ID needs to be added to the DB's ACL:
- In Domino Administrator, in Files tab, find and select the iam-store.nsf.
- Click the
Manage ACL...from the right sidebar under Database section.
- Click 'Add...' button to add the Functional ID in the opened dialog.
- Check the [_ReadAllItems] role for the above Function ID you added and click OK.
Add the database to the design catalog
iam-store.nsf needs to be added to the design catalog
to make it searchable:
In Domino's server console, issue this command:
load updall iam-store.nsf -e
The server console shows output similar to the following:
$ Updating views in /local/notesdata/iam-store.nsf 0 catalog documents removed, 12 view designs cataloged out of 12 total with 24 collations in 66.842 msecs $ Index update process shutdown
After the command completes, iam-store.nsf is included in GQFDsgn.cat, located in the /local/notesdata directory.
As a result of the previous steps, now you have:
- IAM's Domino Functional ID in ID vault.
- IAM storage database with correct access in the ACL.
- Proton client certificate bound with the functional ID.
- The key of the client certificate with passphrase protection.
- If Proton uses a non-trusted CA, please also prepare the PEM format CA file.
You can refer the Troubleshooting page if you encounter error when connecting to Proton.