Configure Proton
The Domino AppDev Pack kit comes with a Domino add-in task called Proton.
Proton runs on the Domino server and provides service to applications written
with the domino-db Node.js module. domino-db based applications send requests
to Proton over a network connection. Generally, these requests are exchanged
over a TLS connection. The instructions below configure Proton to accept TLS
requests.
Configuration options
Use the Proton Configuration page for a complete description of the settings.
Set the following settings in your Domino server's configuration settings
document in adpconfig.nsf. You may need to create a new configuration document
in the database for the Domino server.
- Set Listen Address to 0.0.0.0. This will allow Proton to listen for connections on all IP addresses available on the Domino server.
- Set Listen Port to 3003. This defines the port that Proton will use to accept connections.
- Set Enable SSL/TLS connections to enabled. Proton will accept only TLS encrypted connections.
- Set Keyring File to appsdb1.kyr. This is the keyfile, created earlier, which contains the server key and trusted certificates.
- Set Client authentication to appsdb1.kyr. Proton will require client connections to provide their client certificate for authorization.
- Set Enable Act-as-User Tokens to disabled, for now. Additional steps to configure and enable it are described later in this guide.
Running Proton
When you load proton, it will report something like this:
> load proton
[13E0:0002-1250] 11/25/2019 12:48:43.13 PM PROTON> Build 0.5.0
[13E0:0002-1250] 11/25/2019 12:48:43.13 PM PROTON> Server initializing
[13E0:0002-1250] 11/25/2019 12:48:43.16 PM PROTON> Listening on 0.0.0.0:3003, SSL-ENABLED
[13E0:0002-1250] 11/25/2019 12:48:43.16 PM PROTON> Server initialized
In addition, you should add proton to your ServerTasks entry so that proton
loads automatically when the Domino server starts.
Use the show tasks Domino console command to verify that the task is ready for operation:
> show task
[05DC:0006-02F4] Task Description
[05DC:0006-02F4] Database Server Perform console commands
...
[05DC:0006-02F4] PROTON Listening on 0.0.0.0:3003, SSL-ENABLED
...
Verify Proton is listening and presenting the correct identity
Use the following command to verify that the Proton task is responding to connect requests and is reporting the expected certificate.
c:\>openssl s_client -connect appsdb1.jumbocloudservices.com:3003 --quiet -CAfile c:\certs\internalca.crt
depth=1 O = Jumbo Cloud Services, CN = Internal Certificate Authority
verify return:1
depth=0 O = Jumbo Cloud Servers, CN = appsdb1
verify return:1
write:errno=0
Optionally, you can remove the --quiet flag to get a more detailed log of the
TLS handshake.
Proton reports the following expected error on the Domino server console:
[1248:0006-0F98] 12/04/2019 05:13:39.03 PM PROTON> Handshake failed with fatal error SSL_ERROR_SSL: error:100000c0:SSL routines:OPENSSL_internal:PEER_DID_NOT_RETURN_A_CERTIFICATE.
This error is expected because the connect command above does not present a client certificate to the server. The server refuses all clients that do not present a client certificate.
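The console lines shown on this page can also be checked mechanically. The following Node.js script is an added example, not part of the AppDev Pack or the original page: it parses PROTON> console lines in the layout shown above, confirms the listener is SSL-ENABLED on the expected port, and counts handshakes refused because no client certificate was presented. The function names are hypothetical, and the sample log is constructed from the lines quoted on this page.

```javascript
// Added example (not AppDev Pack code). Line layout follows the console
// excerpts on this page; function names are hypothetical.
const LINE = /^\[[0-9A-F]+:[0-9A-F]+-[0-9A-F]+\]\s+(\d\d\/\d\d\/\d{4} [\d:.]+ [AP]M)\s+PROTON>\s+(.*)$/;
const LISTEN = /^Listening on (\S+):(\d+)(?:,\s*(\S+))?$/;
const NO_CLIENT_CERT = 'PEER_DID_NOT_RETURN_A_CERTIFICATE';

// Constructed sample input, built from the lines quoted on this page.
const SAMPLE = [
  '[13E0:0002-1250] 11/25/2019 12:48:43.13 PM PROTON> Server initializing',
  '[13E0:0002-1250] 11/25/2019 12:48:43.16 PM PROTON> Listening on 0.0.0.0:3003, SSL-ENABLED',
  '[13E0:0002-1250] 11/25/2019 12:48:43.16 PM PROTON> Server initialized',
  '[1248:0006-0F98] 12/04/2019 05:13:39.03 PM PROTON> Handshake failed with fatal error ' +
    'SSL_ERROR_SSL: error:100000c0:SSL routines:OPENSSL_internal:' + NO_CLIENT_CERT + '.',
].join('\n');

// Classify one console line; returns null for anything that is not a
// timestamped PROTON> message (for example "show task" rows).
function parseProtonLine(line) {
  const m = LINE.exec(line.trim());
  if (!m) return null;
  const [, time, message] = m;
  const l = LISTEN.exec(message);
  if (l) return { type: 'listen', time, address: l[1], port: Number(l[2]), tls: l[3] === 'SSL-ENABLED' };
  if (message.startsWith('Handshake failed')) {
    return { type: 'handshake-failure', time, noClientCert: message.includes(NO_CLIENT_CERT) };
  }
  return { type: 'other', time, message };
}

// Compare the most recent listener line with the expected port and count
// handshake failures, separating "no client certificate" from the rest.
function auditProtonLog(text, expectedPort = 3003) {
  const events = text.split(/\r?\n/).map(parseProtonLine).filter(Boolean);
  const listen = events.filter((e) => e.type === 'listen').pop() || null;
  const failed = events.filter((e) => e.type === 'handshake-failure');
  const findings = [];
  if (!listen) findings.push('no "Listening on" line found');
  else {
    if (!listen.tls) findings.push(`${listen.address}:${listen.port} is not SSL-ENABLED`);
    if (listen.port !== expectedPort) findings.push(`port ${listen.port}, expected ${expectedPort}`);
  }
  const noCert = failed.filter((f) => f.noClientCert).length;
  return { listen, findings, noClientCert: noCert, otherHandshakeFailures: failed.length - noCert };
}

console.log(auditProtonLog(SAMPLE));
```

An empty findings list together with a noClientCert count of 1 after the openssl check above matches the behaviour this page describes: the listener is TLS-enabled and a client without a certificate was refused.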