The Domino AppDev Pack kit comes with a Domino add-in task called Proton. Proton runs on the Domino server and provides service to applications written with the domino-db Node.js module. domino-db based applications send requests to Proton over a network connection. Generally, these requests are exchanged over a TLS connection. The instructions below configure Proton to accept TLS requests.

Use the Proton Configuration page for a complete description of the settings. Set the following settings in your Domino server's configuration settings document in adpconfig.nsf. You may need to create a new configuration document in the database for the Domino server.
- Set Listen Address to 0.0.0.0. This will allow Proton to listen for connections on all IP addresses available on the Domino server.
- Set Listen Port to 3003. This defines the port that Proton will use to accept connections.
- Set Enable SSL/TLS connections to enabled. Proton will accept only TLS encrypted connections.
- Set Keyring File to appsdb1.kyr. This is the keyfile, created earlier, which contains the server key and trusted certificates.
- Set Client authentication to appsdb1.kyr. Proton will require client connections to provide their client certificate for authorization.
- Set Enable Act-as-User Tokens to disabled, for now. Additional steps to configure and enable it are described later in this guide.
When you load proton, it will report something like this:
    load proton
    [13E0:0002-1250] 11/25/2019 12:48:43.13 PM PROTON> Build 0.5.0
    [13E0:0002-1250] 11/25/2019 12:48:43.13 PM PROTON> Server initializing
    [13E0:0002-1250] 11/25/2019 12:48:43.16 PM PROTON> Listening on 0.0.0.0:3003, SSL-ENABLED
    [13E0:0002-1250] 11/25/2019 12:48:43.16 PM PROTON> Server initialized
In addition, you should add proton to your ServerTasks entry so that proton loads automatically when the Domino server starts.
Use the show tasks Domino console command to verify that the task is ready for operation:
    show task
    [05DC:0006-02F4] Task                    Description
    [05DC:0006-02F4] Database Server         Perform console commands
    ...
    [05DC:0006-02F4] PROTON                  Listening on 0.0.0.0:3003, SSL-ENABLED
    ...
Verify Proton is listening and presenting the correct identity
Use the following command to verify that the Proton task is responding to connect requests and is reporting the expected certificate.
    c:\>openssl s_client -connect appsdb1.jumbocloudservices.com:3003 --quiet -CAfile c:\certs\internalca.crt
    depth=1 O = Jumbo Cloud Services, CN = Internal Certificate Authority
    verify return:1
    depth=0 O = Jumbo Cloud Servers, CN = appsdb1
    verify return:1
    write:errno=0
Optionally, you can remove the --quiet flag to get a more detailed log of the TLS handshake.
Proton reports the following expected error on the Domino server console:
[1248:0006-0F98] 12/04/2019 05:13:39.03 PM PROTON> Handshake failed with fatal error SSL_ERROR_SSL: error:100000c0:SSL routines:OPENSSL_internal:PEER_DID_NOT_RETURN_A_CERTIFICATE.
This error is expected because the connect command above does not present a client certificate to the server. The server refuses all clients that do not present a client certificate.
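The listener line and the handshake error shown above can be checked automatically when reviewing console output. The following Node.js sketch is an added example, not part of the AppDev Pack or its documentation; the function name `auditProtonLog` is hypothetical, and it assumes that a "Listening on" line without the SSL-ENABLED suffix means TLS is off.

```javascript
// Added example: audit Proton console lines for listener state and refused clients.
// Line layout "[ids] date time AM/PM PROTON> message" follows the samples on this page.
const PROTON_LINE = /^\[[^\]]+\]\s+(.+? [AP]M)\s+PROTON>\s+(.*)$/;
const LISTEN = /^Listening on (\S+):(\d+)(, SSL-ENABLED)?\s*$/;
const HANDSHAKE = /^Handshake failed with fatal error \w+: error:[0-9a-fA-F]+:[^:]*:[^:]*:(\w+)\.?\s*$/;

function auditProtonLog(text) {
  const report = { listener: null, handshakeFailures: {}, findings: [] };
  for (const raw of text.split(/\r?\n/)) {
    const line = PROTON_LINE.exec(raw.trim());
    if (!line) continue; // not a timestamped Proton message
    const [, when, msg] = line;
    const listen = LISTEN.exec(msg);
    if (listen) {
      // Keep the most recent listener line: it reflects the running configuration.
      report.listener = { when, address: listen[1], port: Number(listen[2]), tls: Boolean(listen[3]) };
      continue;
    }
    const failed = HANDSHAKE.exec(msg);
    if (failed) {
      const reason = failed[1]; // last field of the error string
      report.handshakeFailures[reason] = (report.handshakeFailures[reason] || 0) + 1;
    }
  }
  if (!report.listener) {
    report.findings.push('no "Listening on" line found: Proton may not be loaded');
  } else if (!report.listener.tls) {
    // Assumption: a listener line without the SSL-ENABLED suffix means TLS is off.
    report.findings.push(`listener ${report.listener.address}:${report.listener.port} is not SSL-ENABLED`);
  }
  const noCert = report.handshakeFailures.PEER_DID_NOT_RETURN_A_CERTIFICATE || 0;
  if (noCert > 0) {
    report.findings.push(`${noCert} connection(s) refused for presenting no client certificate`);
  }
  return report;
}

// Constructed sample input, built from the console line formats shown on this page.
const SAMPLE_LOG = [
  '[13E0:0002-1250] 11/25/2019 12:48:43.13 PM PROTON> Server initializing',
  '[13E0:0002-1250] 11/25/2019 12:48:43.16 PM PROTON> Listening on 0.0.0.0:3003, SSL-ENABLED',
  '[1248:0006-0F98] 12/04/2019 05:13:39.03 PM PROTON> Handshake failed with fatal error SSL_ERROR_SSL: error:100000c0:SSL routines:OPENSSL_internal:PEER_DID_NOT_RETURN_A_CERTIFICATE.',
  '[1248:0006-0F98] 12/04/2019 05:13:41.10 PM PROTON> Handshake failed with fatal error SSL_ERROR_SSL: error:100000c0:SSL routines:OPENSSL_internal:PEER_DID_NOT_RETURN_A_CERTIFICATE.',
].join('\n');

console.log(JSON.stringify(auditProtonLog(SAMPLE_LOG), null, 2));
```

A single refused connection right after running the openssl check is the expected result; the count is useful for spotting clients that keep connecting without a certificate.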