Domino/Notes 9.0 upgrade to take advantage of NFL, WFL and CORS technologies
Andrew Luder | Director/Developer | NotesTools Pty Ltd | notestools.com.au

Upload: andrew-luder

Post on 08-Aug-2015


Page 1: Domino/Notes 9.0 upgrade to take advantage of NFL, WFL and CORS technologies

Andrew Luder | Director/Developer | NotesTools Pty Ltd | notestools.com.au

Page 2: Domino/Notes 9.0 upgrade to take advantage of NFL, WFL and CORS technologies

June 11th & 12th, Melbourne, Australia. Meet.Share.Learn.Connect @AusLUG #@Inform2015

About Me

• Started my business NotesTools Pty Ltd 5 years ago, initially providing formal business support to the OpenNTF project "DominoDefrag". Have since expanded the business to provide a wider range of products and services.

• IBM R8.5 Certified Application Developer with over 15 years' experience providing Lotus Domino/Notes/Sametime infrastructure and application development services to Australian government, primarily:
– Department of Defence (DOD)
– Department of Health, Therapeutic Goods Administration (TGA)

• Just completed a R901 Domino and Notes upgrade project @ TGA.

• Many years' experience providing open source solutions such as "DominoDefrag" (2009) and "R5 Database Manager" (2004) to the Lotus Notes community.

• Received public recognition in May 2010 when "DominoDefrag" was honoured by OpenNTF as project of the month; Bruce Elgort / Niklas Heidloff later presented it at Lotusphere 2011 in Orlando as a featured project.

Page 3: Domino/Notes 9.0 upgrade to take advantage of NFL, WFL and CORS technologies

Presentation Coverage

• My experience from a 6 month project @ TGA to upgrade all infrastructure to Domino/Notes 9.0.1, extending the life of its Domino web and Notes application environment by providing Single Sign On (SSO) and data sharing capabilities. Briefly cover:
– Background
– Business and Technology Goals
– Terminology and Infrastructure

• Fill in the knowledge gaps when implementing technologies such as:
– Microsoft's Active Directory Federation Services (ADFS)
– Notes Federated Login (NFL)
– Web Federated Login (WFL) – only Web SAML SSO
– Cross Origin Resource Sharing (CORS)
– Providing Domino web services to other consumers such as the Microsoft Dynamics Customer Relationship Management system (CRM)
– Securely consuming Internet Information Services (IIS) web services with Domino Java agents

Page 4: Domino/Notes 9.0 upgrade to take advantage of NFL, WFL and CORS technologies

Background

• Over the past decade most Commonwealth departments and agencies have moved their mail from Domino to Exchange without considering the impact on existing Domino business apps.

• A lot of money has been wasted in attempts to get business apps across to SharePoint / .NET because a migration tool or external auditor said so…

• Most Commonwealth workplaces still have their business apps running off v6.5/7.0/8.0/8.5 Domino infrastructure, and thankfully Domino just works when that next Windows upgrade comes round!

• TGA was one of the last Domino mail sites migrated to Exchange last year, and the quick "one-size fits all" Microsoft approach would NOT work because our revenue is generated from public Domino web and internal Notes client business apps…

• So given Government spending constraints and the need to ensure business continuity to keep generating money, there's not much room to reinvent the wheel. So how do you leverage your existing Domino apps?

Page 5: Domino/Notes 9.0 upgrade to take advantage of NFL, WFL and CORS technologies

Business Goals

• Provide a new customer TGA Business Services (TBS) Microsoft dashboard portal to complement the existing eBusiness Services (eBS) Domino work portal

• Keep existing Domino business applications

• Provide employees with one set of authentication credentials (internal users)

• Provide customers with one set of authentication credentials (DMZ users)

• Enforce Commonwealth password complexity rules

• Streamline customer account management and directories

• Share data seamlessly between Domino and Microsoft systems

• Share code between Domino and Microsoft systems

Page 6: Domino/Notes 9.0 upgrade to take advantage of NFL, WFL and CORS technologies

Technology Goals

• Upgrade Domino and Notes environments to R901 to support Single Sign On (SSO) capabilities using Microsoft Active Directory Federation Services (ADFS) on Windows 2012 R2.

• Implement Notes Federated Login (NFL) for the Notes 901 client using ADFS and Integrated Windows Authentication (IWA) / SPNEGO.

• Implement Web Federated Login (WFL) for the Domino 901 web site using ADFS SAML Web SSO.

• Implement a Domino web Cross-Origin Resource Sharing (CORS) solution using the IBM HTTP stack and ADFS SAML Web SSO.

• Implement internal web services for data exchange between Domino and Microsoft systems using IWA / SPNEGO.

• Implement external Domino Java agents for secure data exchange with internal Microsoft web services.

• Implement a Team Foundation Server (TFS) solution to branch-manage code in Domino XML (DXL) and share code with all developers easily.

• Move customer account management functionality from Domino into CRM.

Page 7: Domino/Notes 9.0 upgrade to take advantage of NFL, WFL and CORS technologies

Terminology Acronyms

• ADFS – Active Directory Federation Services

• CORS – Cross Origin Resource Sharing

• IdP – Identity Provider

• IWA – Integrated Windows Authentication (uses SPNEGO)

• NFL – Notes Federated Login

• WFL – Web Federated Login (only uses SAML Web SSO)

• SAML – Security Assertion Markup Language

• SP – Service Provider

• SPNEGO – Simple and Protected GSSAPI Negotiation Mechanism

• TLS – Transport Layer Security

Some terms are explained through the presentation, but I aim to fill in the gaps from what I found wasn't available in the standard materials.

Page 8: Domino/Notes 9.0 upgrade to take advantage of NFL, WFL and CORS technologies

Terms - Active Directory Federation Services (ADFS)

• Active Directory Federation Services (ADFS) is a software component developed by Microsoft that can be installed on Windows Server operating systems to provide users with single sign-on access to systems and applications located across organisational boundaries. It uses a claims-based access control authorisation model to maintain application security and implement federated identity.

• In ADFS, identity federation is established between two organisations by establishing trust between two security realms. A federation server on one side (the Accounts side) authenticates the user through the standard means in Active Directory Domain Services and then issues a token containing a series of claims about the user, including its identity. Source: http://en.wikipedia.org/wiki/Active_Directory_Federation_Services

• Domino v9.0.1 supports ADFS as an Identity Provider (IdP).

• The Windows 2012 R2 ADFS service (v3.0) provides support for the SAML 2.0 protocol. TGA has also customised its ADFS service login page to look like…

Page 9: Domino/Notes 9.0 upgrade to take advantage of NFL, WFL and CORS technologies

Terms – ADFS - TBS Login Page for AD credentials

Page 10: Domino/Notes 9.0 upgrade to take advantage of NFL, WFL and CORS technologies

Terms - Security Assertion Markup Language (SAML)

• Security Assertion Markup Language (SAML) is an XML-based, open-standard data format for exchanging authentication and authorisation data between parties, in particular between an identity provider and a service provider. SAML is a product of the OASIS Security Services Technical Committee. SAML dates from 2001; the most recent major update of SAML was published in 2005, but protocol enhancements have steadily been added through additional, optional standards. The single most important requirement that SAML addresses is web browser single sign-on (SSO). Source: http://en.wikipedia.org/wiki/Security_Assertion_Markup_Language

• Domino v9.0.1 supports the secure SAML 2.0 protocol version.

Page 11: Domino/Notes 9.0 upgrade to take advantage of NFL, WFL and CORS technologies

Terms – Cross Origin Resource Sharing (CORS)

• Cross-origin resource sharing (CORS) is a mechanism that allows many resources (e.g., fonts, JavaScript, etc.) on a web page to be requested from another domain outside the domain from which the resource originated. In particular, JavaScript's AJAX calls can use the XMLHttpRequest mechanism.

• Such "cross-domain" requests would otherwise be forbidden by web browsers, per the same-origin security policy. CORS defines a way in which the browser and the server can interact to determine whether or not to allow the cross-origin request. It is more useful than only allowing same-origin requests, but it is more secure than simply allowing all such cross-origin requests. Source: http://en.wikipedia.org/wiki/Cross-origin_resource_sharing

• TGA has implemented a secure CORS solution where, through a web browser, the TBS site makes "cross-domain" requests to the eBS site to obtain JSON data. This is done seamlessly using the client's ADFS login credentials.

Page 12: Domino/Notes 9.0 upgrade to take advantage of NFL, WFL and CORS technologies

Infrastructure - SAML Federated Identity Architecture

• SAML Identity Provider (IdP)
– ADFS 3.0 service creating the SAML 2.0 assertion

• Service Provider (SP)
– Domino 9.0.x service processing the SAML 2.0 assertion

• Clients used for accessing services
– Web browser / Notes 9.0.x standard client embedded browser

Page 13: Domino/Notes 9.0 upgrade to take advantage of NFL, WFL and CORS technologies

Infrastructure - TGA Internal and DMZ Domains

• Domino & Notes 9.0.x resources authenticate using ADFS services inside new Windows 2012 R2 Internal and DMZ Active Directory domains. There is one domain in each forest.

• Notes Federated Login (NFL) and Integrated Windows Authentication (IWA) / SPNEGO authentication are used for Notes client and Domino web service technologies in the Internal AD domain.

• Web Federated Login (WFL - ADFS SAML SSO) is used for Cross Origin Resource Sharing (CORS) between the Domino and ASP.NET web sites and for client browser access to them.

• DMZ Domino Java agents securely consume internal IIS RESTful web services.

Page 14: Domino/Notes 9.0 upgrade to take advantage of NFL, WFL and CORS technologies

Infrastructure - TGA Internal ADFS & Domino

• Upgraded Domino & Notes 9.0.x Windows 2008 R2 domain resources authenticate using the new Windows 2012 R2 domain ADFS services by way of two-way transitive trusts between these AD forests.

Page 15: Domino/Notes 9.0 upgrade to take advantage of NFL, WFL and CORS technologies

Infrastructure - TGA DMZ ADFS & Domino

• The upgraded Domino 9.0.x server and ADFS web service are in the DMZ Windows 2012 R2 AD domain and use the same security token service (STS), which in this case is ADFS v3.0.

• Each web site has a separate relying party (RP) configured within ADFS: one configured to use WS-Fed (Business Portal) https://business.tga.gov.au and one configured to use SAML 2.0 (eBS Domino) https://www.ebs.tga.gov.au

[Diagram: authenticated public users and external users in Active Directory; AD FS 3.0 with a Business Relying Party (WS-Fed) for the Business Portal and an eBS Relying Party (SAML 2.0) for eBS Domino, all over HTTPS]

Page 16: Domino/Notes 9.0 upgrade to take advantage of NFL, WFL and CORS technologies

Notes Federated Login (NFL)

• Notes Federated Login (NFL) is a federated-identity authentication process that uses the Security Assertion Markup Language (SAML) standard to relieve Notes client users of the need to enter a Notes password.

• Users' IDs must be stored in an ID vault whose Domino server is configured with host names for an identity provider (IdP) partnership with Microsoft's Active Directory Federation Services (ADFS). Notes client users' ID file contents are stored in memory on the client after being downloaded from the ID vault.

• Good reference materials are:
– Andy Pedisich / Rob Axelrod - "Connect 2014 SSO Materials" ('show100.ppt') http://www.andypedisich.com/blogs/andysblog.nsf/dx/connect2014resources.htm
– Jane Marcus - "Intro to Notes Federated Login (SAML)" (26 Mar 14) http://www-01.ibm.com/support/docview.wss?uid=swg27041524
– Gabriella Davis - "A Technical Guide To Deploying Single Sign On" (26 May 14) http://www.slideshare.net/gabturtle/sso-tech
– Walter Tobin - "Security Assertion Markup Language (SAML) NFL" (27 Aug 13) http://www-10.lotus.com/ldd/dominowiki.nsf/dx/Security_Assertion_Markup_Language_lprSAMLrpr_Notes_Federated_Login

Page 17: Domino/Notes 9.0 upgrade to take advantage of NFL, WFL and CORS technologies

NFL - Process Diagram

Source: Jane Marcus presentation

Page 18: Domino/Notes 9.0 upgrade to take advantage of NFL, WFL and CORS technologies

NFL - ADFS - Installation on member server

• Install the ADFS service on a member server. When I installed on a domain controller I had lots of intermittent problems getting the ADFS service to consistently start. I found the best places for services in a small environment were:
– Domain controller -> Certificate Services, Domain Services and Domain Name Services (DNS)
– Member server -> ADFS and IIS

Page 19: Domino/Notes 9.0 upgrade to take advantage of NFL, WFL and CORS technologies

NFL - ADFS - Site name in DNS

• Create the ADFS web site name as a host name (A) record and not a CNAME in DNS. I could not get NFL to work using a CNAME.

Page 20: Domino/Notes 9.0 upgrade to take advantage of NFL, WFL and CORS technologies

NFL - ADFS - Create Domino Friendly Certificate Template

• The ADFS service certificate needs to be created with a modified Windows 2012 R2 CA certificate template that includes the "Signature of proof of origin (nonrepudiation)" Key Usage extension. Otherwise the certificate will not import into the Domino Directory for cross-certification with the ID Vault certificate.

Page 21: Domino/Notes 9.0 upgrade to take advantage of NFL, WFL and CORS technologies

NFL – ADFS - Certificate Permission

• Ensure the ADFS service account has full control of the ADFS service certificate, otherwise the service will not run properly.

Page 22: Domino/Notes 9.0 upgrade to take advantage of NFL, WFL and CORS technologies

NFL – ADFS - Extended Protection PowerShell

• Extended Protection needs to be turned off through PowerShell so that Integrated Windows Authentication (IWA) works. It is on by default to prevent "man-in-the-middle" (MITM) attacks, but is low risk in internal networks and needs to be off for IWA to work. Use the PowerShell command:
– Set-ADFSProperties -ExtendedProtectionTokenCheck None

• Restart the ADFS service

Page 23: Domino/Notes 9.0 upgrade to take advantage of NFL, WFL and CORS technologies

NFL – ADFS - Supported User Agents PowerShell

• Add "Mozilla/5.0" to the list of Supported User Agents in PowerShell. This is what the internal Notes 9.0.1 standard client browser engine identifies itself as to ADFS. Use the PowerShell commands:
– Set-AdfsProperties -WIASupportedUserAgents @("Mozilla/5.0", "MSIE 6.0", "MSIE 7.0", "MSIE 8.0", "MSIE 9.0", "MSIE 10.0", "MSIE 11.0", "Trident/7.0", "MSIPC", "Windows Rights Management Client")
– Get-AdfsProperties | Select -ExpandProperty WIASupportedUserAgents

Page 24: Domino/Notes 9.0 upgrade to take advantage of NFL, WFL and CORS technologies

NFL – Domino - ID Vault and IdP Catalog Names

• The ID Vault config name needs to match the IdP catalog name. An ID Vault name such as "vault.home.net.local" does not need to be DNS resolvable, and the vault Domino server does not need the HTTP task running.

Page 25: Domino/Notes 9.0 upgrade to take advantage of NFL, WFL and CORS technologies

NFL – Domino - Explicit Policy for Notes 9 Users

• Create an Explicit ADFS policy rather than an Organisational one (found it easier to manage if the user was a Citrix user).

Page 26: Domino/Notes 9.0 upgrade to take advantage of NFL, WFL and CORS technologies

NFL - Domino - Push cross-certificates using security policy

• Use a security policy to push the ID vault user creation certificate and the ADFS cross-certificate to the Notes 9.0.1 client.

• Do not use the 'Deploy.nsf' technique mentioned in some NFL presentations. I have not managed to get it to work properly yet and have raised a PMR.

Page 27: Domino/Notes 9.0 upgrade to take advantage of NFL, WFL and CORS technologies

NFL - Domino - Complement with Notes Shared Login (NSL)

• Define NFL in combination with Notes Shared Login (NSL) in the security policy to allow off-line Notes client use with the ID Vault. NSL does not work with Citrix users.

• Go to the "Notes Shared Login" tab and make sure the following values are set:
– Enable Notes shared login with operating system: "Yes"
– How to apply this setting: "Set value whenever modified"

Page 28: Domino/Notes 9.0 upgrade to take advantage of NFL, WFL and CORS technologies

NFL – Domino - Federated Login security policy settings

• Go to the "Federated Login" tab and make sure the following values are set:
– Enable Notes Federated login with SAML IdP: "Yes"
– How to notify users when enabled: "System dialog"


Page 30: Domino/Notes 9.0 upgrade to take advantage of NFL, WFL and CORS technologies

NFL – Domino - ID Vault security policy settings

• Go to the "ID Vault" tab and make sure the following values are set:
– Allow Notes-based programs to use the Notes ID Vault: "Yes"
– Allow automatic ID downloads: "Yes"

Page 31: Domino/Notes 9.0 upgrade to take advantage of NFL, WFL and CORS technologies

NFL – Domino - ID Vault Password Reset Authority

• Make sure Password Reset Authority Notes administrators / helpdesk users are defined so they can reset user passwords in the ID Vault.

Page 32: Domino/Notes 9.0 upgrade to take advantage of NFL, WFL and CORS technologies

NFL – Notes – Do NOT install AD Sync service

• Do not install the Notes Single Login feature (the old Notes AD synchronisation service), as it is not compatible with either NFL or NSL.

Page 33: Domino/Notes 9.0 upgrade to take advantage of NFL, WFL and CORS technologies

NFL – Notes - C:\ProgramData\IBM\Notes\Data\notes.ini

• The Notes 9 standard client multi-user notes.ini should at least contain the following settings:

[Notes]
KitType=1
SharedDataDirectory=C:\ProgramData\IBM\Notes\Data\Shared
InstallType=6
InstallMode=1
NotesProgram=c:\Program Files (x86)\IBM\Notes\
ConfigFile=C:\ProgramData\IBM\Notes\config.txt

Page 34: Domino/Notes 9.0 upgrade to take advantage of NFL, WFL and CORS technologies

NFL – Notes - C:\ProgramData\IBM\Notes\config.txt

• The Notes 9.0.x standard client multi-user config file should at least contain the following settings:

UserName=%USERNAME%
Domino.Name=THUNDERSTRUCK/ACDC
Domino.Server=1
Domino.Port=TCP/IP
AdditionalServices=-1

• A Notes Federated Login user can't use a common name to set up the Notes client when 'deploy.nsf' is used. I believe this extends to my use of %USERNAME% too and have raised a PMR. Related technote: http://www-01.ibm.com/support/docview.wss?uid=swg21628894

Page 35: Domino/Notes 9.0 upgrade to take advantage of NFL, WFL and CORS technologies

NFL – Notes - User Creation

• Create Notes users as roaming, with the ID in the vault, and assign an Explicit Notes 9 ADFS policy.

• For Notes initial setup to work using NFL, ensure the Domino Directory person document is created with:
– The "ShortName" field value matching the AD common name value from %USERNAME% in the config file
– The "InternetAddress" field value matching the AD user object mail attribute value

Page 36: Domino/Notes 9.0 upgrade to take advantage of NFL, WFL and CORS technologies

NFL – Notes - Multi-user setup process

• The initial client setup process requires, for each computer:
1. Initial ID vault default password interaction with the user
2. NFL downloads user.id from the vault once, with messages
3. NSL is applied to user.id in the C:\Users\%username%\AppData\Local\IBM\Notes\Data folder, with a status bar message notifying that it was applied; on restart no password is required

Page 37: Domino/Notes 9.0 upgrade to take advantage of NFL, WFL and CORS technologies

NFL – Notes - Client quick fix process for helpdesk

• The Notes standard 9.0.x client quick fix process for helpdesk:
– Set the default password in the ID vault for the user (if no password)
– Simply remove the "C:\Users\%username%\AppData\Local\IBM\Notes\Data" folder and let it rebuild

Page 38: Domino/Notes 9.0 upgrade to take advantage of NFL, WFL and CORS technologies

Web Federated Login (WFL) - SAML Web SSO

• Web Federated Login (WFL) - SAML Web SSO is a federated-identity authentication process that uses the SAML standard to relieve Domino web client users of the need to enter an HTTP password.

• The Domino service provider (SP) is configured in partnership with the ADFS identity provider (IdP) to ensure clients only require an Active Directory (AD) user name and password to access Domino web resources.

• Good reference materials are:
– Andy Pedisich / Rob Axelrod - "Connect 2014 SSO Materials" ('show100.ppt') http://www.andypedisich.com/blogs/andysblog.nsf/dx/connect2014resources.htm
– Yvonne Devlin – "Web Federated Login (SAML) with iNotes & IWA" (21 May 14) http://www-01.ibm.com/support/docview.wss?uid=swg27041552

Page 39: Domino/Notes 9.0 upgrade to take advantage of NFL, WFL and CORS technologies

WFL - SAML Web SSO Process Diagram

Source: Yvonne Devlin presentation

Page 40: Domino/Notes 9.0 upgrade to take advantage of NFL, WFL and CORS technologies

WFL – SHA-256 Certificate Purchase

• Purchase SHA-256 (typically RSA) issued certificates from a vendor such as Verisign for public-facing ADFS, IIS and Domino web service sites. SHA-1 has a limited life, till the end of 2016.

Page 41: Domino/Notes 9.0 upgrade to take advantage of NFL, WFL and CORS technologies

WFL – SHA-256 Certificate Domino Configuration

• Configure SHA-256 certificates with either Domino 9.0.1 FP3 IF2 or IBM HTTP Server to use TLS 1.2 with FIPS 140-2 support (turns off RC4 ciphers) to mitigate vulnerabilities such as POODLE (which stands for "Padding Oracle On Downgraded Legacy Encryption").

• In the Domino service IBM HTTP (Apache) 'domino.config' file add the following:

Listen 0.0.0.0:443
## IPv6 support:
#Listen [::]:443
<VirtualHost x.x.x.x:443>
# Placeholder: replace with the site's FQDN
ServerName <ASP.NET website FQDN>
SSLEnable
## Simply turn off RC4 ciphers by enabling FIPS 140-2 support ... http://www-01.ibm.com/support/docview.wss?uid=swg21701072
SSLFIPSEnable
SSLProtocolDisable SSLv2 SSLv3 TLSv10 TLSv11
# Enable strict CBC padding
SSLAttributeSet 471 1
</VirtualHost>

Page 42: Domino/Notes 9.0 upgrade to take advantage of NFL, WFL and CORS technologies

WFL – SHA-256 Certificate Test

• Go to https://www.ssllabs.com/ssltest to test web site SHA-256 certificates and configuration. Better chance of getting an A+/-.

Page 43: Domino/Notes 9.0 upgrade to take advantage of NFL, WFL and CORS technologies

WFL – Another Useful Claim Rule Attribute

• Commonly the AD user object Mail attribute (E-Mail-Addresses) is used as the LDAP attribute to map to the Domino Directory person document InternetAddress (Name ID) when creating a Claim Rule for a Relying Party Trust with Domino in ADFS.

• Another useful LDAP attribute to use in Claim Rules is the User-Principal-Name (UPN) for uniquely identifying users. E.g. AD UPN = andrew.luder@addomain

Page 44: Domino/Notes 9.0 upgrade to take advantage of NFL, WFL and CORS technologies

WFL – Single Log Out ADFS SSOLifeTime PowerShell

• With the introduction of the ADFS SAML SSO session, the concept of the old Domino 30 minute idle session time is now defunct. Also, to "logout" properly currently requires the browser to be closed, as Domino 9.0.x does not support single logout for ADFS SAML 2.0.

• The lifetime of the SAML session token ADFS issues to Domino has a hard-set limit of 480 minutes, specified by the SSOLifeTime property. This PowerShell command sets it:
– Set-AdfsProperties -SSOLifeTime <minutes>

Page 45: Domino/Notes 9.0 upgrade to take advantage of NFL, WFL and CORS technologies

WFL – Single Log Out Domino SAML Session

• Given the ADFS SSOLifeTime 480 minute limit, it was pointless to have Domino set to 30 mins, as this was upsetting the functionality of XPages web applications, particularly freezing sometimes after 30 mins of activity or idleness.

• Ensure the Domino SAML single server session expiration matches the ADFS SSOLifeTime default of 480 mins.

Page 46: Domino/Notes 9.0 upgrade to take advantage of NFL, WFL and CORS technologies

WFL – Single Log Out ADFS & Domino Time Differences

• In practice both the ADFS 3.x and Domino 9.x services should be using the same time servers. As a rule, to ensure Domino can deal with a session time difference, use the following SAML notes.ini parameters:
– SAML_NotOnOrAfterSkewInMinutes=10
– SAML_NotBeforeSkewInMinutes=10

• This will ensure Domino can handle ADFS time variations of 10 minutes either way against the 8 hours given to Domino session cookies.
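An added example (not Domino's own code) of the time-window check those two skew parameters govern: the assertion's SAML Conditions carry NotBefore and NotOnOrAfter, the service provider compares them with its own clock, and a skew value widens the acceptance window on its side. `checkConditions` and the sample timestamps are constructed for illustration, and the reading that each notes.ini value widens its own side of the window is this example's assumption, not quoted from IBM documentation.

```javascript
// Added example: SAML <Conditions> time-window check with clock-skew tolerance.
// Assumed semantics, mirroring SAML_NotBeforeSkewInMinutes and
// SAML_NotOnOrAfterSkewInMinutes: each skew widens the window on its side.

const MINUTE_MS = 60 * 1000;

/**
 * Check a SAML Conditions window against the service provider's clock.
 * conditions: { notBefore, notOnOrAfter } as ISO 8601 UTC strings
 * now:        Date, the SP's clock
 * skew:       { notBeforeSkewMin, notOnOrAfterSkewMin } in minutes (default 0)
 * returns     { ok, reason }
 */
function checkConditions(conditions, now, skew = {}) {
  const notBefore = Date.parse(conditions.notBefore);
  const notOnOrAfter = Date.parse(conditions.notOnOrAfter);
  if (Number.isNaN(notBefore) || Number.isNaN(notOnOrAfter)) {
    return { ok: false, reason: 'unparseable timestamp' };
  }
  if (notOnOrAfter <= notBefore) {
    return { ok: false, reason: 'empty validity window' };
  }
  const nbSkew = (skew.notBeforeSkewMin ?? 0) * MINUTE_MS;
  const noaSkew = (skew.notOnOrAfterSkewMin ?? 0) * MINUTE_MS;
  const t = now.getTime();
  // IdP clock ahead of ours: NotBefore lies in our future.
  if (t < notBefore - nbSkew) {
    return { ok: false, reason: 'assertion not yet valid (IdP clock ahead?)' };
  }
  // NotOnOrAfter is exclusive: the instant itself is already expired.
  if (t >= notOnOrAfter + noaSkew) {
    return { ok: false, reason: 'assertion expired (IdP clock behind?)' };
  }
  return { ok: true, reason: 'within window' };
}

// Constructed sample: an 8 hour window issued by an IdP whose clock is
// 5 minutes ahead of the SP clock.
const SAMPLE = {
  notBefore: '2015-06-11T09:05:00Z',
  notOnOrAfter: '2015-06-11T17:05:00Z',
};
const spNow = new Date('2015-06-11T09:00:00Z');

// Same assertion judged with no skew allowance and with the 10 minute
// allowance the slide recommends.
function demo() {
  return {
    strict: checkConditions(SAMPLE, spNow),
    tolerant: checkConditions(SAMPLE, spNow, {
      notBeforeSkewMin: 10,
      notOnOrAfterSkewMin: 10,
    }),
  };
}

console.log(demo());
```

With no skew the assertion is rejected as "not yet valid" even though the IdP is only five minutes ahead; with the 10 minute allowance it is accepted, which is the failure mode the notes.ini settings exist to absorb.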

Page 47: Domino/Notes 9.0 upgrade to take advantage of NFL, WFL and CORS technologies

Cross Origin Resource Sharing (CORS)

• CORS aims to have two websites (sites, pages, APIs etc.) agree on what kinds of resources and types of requests one website will provide to another. Both must agree exactly on what is being shared and how.

• There are a few parties who need to participate to enable CORS: the two sites involved, of course, and the user's browser. Both sites need to request and respond to each other in an expected manner, and browsers need to be aware of, and in some cases make special requests to ensure, that CORS works correctly.

• In essence, what happens is that both websites agree on how resources will be shared. The requesting site must be known as an "allowed origin" by the site providing the resources. The response also must contain headers which define the scope for acceptable resource sharing, e.g. naming allowable methods (e.g. GET, PUT) and whether credentials are supported. Browsers themselves are the last key: they must respect the restrictions established by the requesting site and the resource site.

Source: http://sanderstechnology.com/2014/getting-to-know-cross-origin-resource-sharing-cors

Page 48: Domino/Notes 9.0 upgrade to take advantage of NFL, WFL and CORS technologies

CORS – TGA Background Part 1

• In the early stages of the development and deployment of the ASP.NET Business Portal, as most of the data associated with external users resided within the existing Domino 9.0.x web application (eBusinessServices – eBS), there was an early need to be able to consume Domino as a data provider.

• Under the claims-based design approach, both the new Business Portal and the eBS Domino web sites had the ability to authenticate external users to produce SAML or WS-Fed claims. In theory, one site could make HTTPS requests across the domain, as the sites would exist within the same domain.

Page 49: Domino/Notes 9.0 upgrade to take advantage of NFL, WFL and CORS technologies

CORS – TGA Background Part 2

• This introduced a need to support CORS (which modern web browsers support) to get menu, news and application JSON data from the eBS Domino 9.0.x web site across to the new ASP.NET Business Portal.

Page 50: Domino/Notes 9.0 upgrade to take advantage of NFL, WFL and CORS technologies

June 11th & 12th, Melbourne, AustraliaMeet.Share.Learn.Connect @AusLUG #@Inform2015

CORS – TGA Problem Domain• The initial problem was getting an ASP.NET based web site, using Windows

Identity Framework (WIF) and WS-Federation to be able to make a valid HTTPS GET request of the existing Domino 9.x web site, which uses SAML 2.0 claims.

• Domino provides JSON responses to requests to views which it defines and hosts. In theory, a valid request should produce a response containing the requested data in JSON format.

• The “single sign on” approach, whereby a user could authenticate to both existing and new web sites with a single set of credentials, and only be prompted once per session was working.

• The requirement was CORS with SAML Web SSO authentication. The only evidence of successful CORS usage on the Domino/IBM HTTP stack was anonymous data exchange, where no pre-flight request is required, e.g.:

– Header always set Access-Control-Allow-Origin "*"

Page 51: Domino/Notes 9.0 upgrade to take advantage of NFL, WFL and CORS technologies

CORS – TGA Errors and Pre-flight Issues

• The first time a cross-site request was made (and on subsequent attempts) the browser JavaScript console logged the following error:

XMLHttpRequest cannot load https://<DOMINO_SERVER>/.....nsf/?ReadViewEntries&outputformat=json... The request was redirected to 'https://<ADFS_SERVER>/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=https://<ASP.NET_SERVER>', which is disallowed for cross-origin requests that require preflight.

• With the following failed pre-flight information recorded against the network traffic…

Page 52: Domino/Notes 9.0 upgrade to take advantage of NFL, WFL and CORS technologies

CORS – So what’s a Pre-flight Request?

• In some cases, a browser might make a special type of request known as an OPTIONS request, which is sort of like an initial handshake before performing the actual request specified (e.g. a GET request).

• In essence, an OPTIONS request attempts to determine what supported methods and other information is available from a resource sharing server. In browser terms, this is known as a “pre-flight” request and is often attempted automatically by the browser.

• The first time a cross-site request might fail (and in subsequent attempts) the browser’s JavaScript console might log something similar to the following error:

XMLHttpRequest cannot load https://<DOMINO_SERVER>/.nsf?ReadViewEntries&outputformat=json. The request was redirected to ‘https://<ASP.NET_SERVER>’, which is disallowed for cross-origin requests that require preflight.

Source: http://sanderstechnology.com/2014/getting-to-know-cross-origin-resource-sharing-cors

Page 53: Domino/Notes 9.0 upgrade to take advantage of NFL, WFL and CORS technologies

CORS – Domino Pre-flight solution parameters

• The task was to resolve the CORS pre-flight issue that was preventing a successful cross-site OPTIONS request prior to the GET request.

• Domino needed the ability to respond to an anonymous HTTP OPTIONS request with an HTTP status code of 200 in order for pre-flight to succeed, in accordance with the W3C preflight-request standard https://dvcs.w3.org/hg/cors/raw-file/tip/Overview.html#preflight-request

Page 54: Domino/Notes 9.0 upgrade to take advantage of NFL, WFL and CORS technologies

CORS – Domino Pre-flight IBM HTTP Apache solution

• The solution was to get the Domino 9.0.x IBM HTTP Apache stack to respond with a 200 SUCCESS on every OPTIONS request from the ASP.NET site.

• This meant loading the rewrite module in the 'Domino.config' file by uncommenting:

LoadModule rewrite_module modules/mod_rewrite.so

• Adding the following lines to the 443 virtual host section in the 'Domino.config' file:

#CORS Support Start – Response Headers
# Echo the single trusted origin; a "*" wildcard cannot be combined with Allow-Credentials "true"
Header always set Access-Control-Allow-Origin "https://<ASP.NET_SERVER>"
# Request headers the browser is permitted to send on the actual request
Header always set Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Access-Control-Request-Headers, Access-Control-Allow-Methods, Access-Control-Allow-Origin, Access-Control-Allow-Credentials"
Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT, HEAD"
# Required so the browser sends the Domino SAML Web SSO session cookie (withCredentials: true)
Header always set Access-Control-Allow-Credentials "true"
# Added a rewrite to respond with a 200 SUCCESS on every OPTIONS request
# (an R= code outside 3xx drops the substitution and stops rewriting, so 200 is returned directly)
RewriteEngine On
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule ^(.*)$ $1 [R=200,L]
#CORS Support End
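As an added example (not code from the slides or from TGA's portal), a Node.js model of the browser's pre-flight decision: dominoPreflightResponse() reproduces the status and headers the patched Domino.config sends, and checkPreflight() applies the rules the browser enforces, including the redirect failure from the error slide and the wildcard-with-credentials restriction. Host names are constructed placeholders.

```javascript
// Added example, not code from the slides or from TGA's portal: a Node.js model of
// the browser's CORS pre-flight decision. Host names are constructed placeholders.
const PORTAL_ORIGIN = "https://portal.example"; // stands in for https://<ASP.NET_SERVER>
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);

// The response the patched Domino.config gives any OPTIONS request: a 200 from the
// mod_rewrite rule plus the Access-Control-* headers set by mod_headers.
function dominoPreflightResponse(allowedOrigin) {
  return {
    status: 200,
    headers: {
      "access-control-allow-origin": allowedOrigin,
      "access-control-allow-headers": "Origin, X-Requested-With, Content-Type, Accept",
      "access-control-allow-methods": "POST, GET, OPTIONS, DELETE, PUT, HEAD",
      "access-control-allow-credentials": "true",
    },
  };
}

// Browser-side enforcement: returns null when the actual request may be sent, else the
// reason it is blocked (the kind of message the JavaScript console would log).
function checkPreflight(req, res) {
  const h = res.headers;
  const list = (name) => (h[name] || "").split(",").map((s) => s.trim().toLowerCase());
  // A redirect to the ADFS sign-on page (or any non-2xx status) fails pre-flight outright.
  if (res.status < 200 || res.status > 299) return `pre-flight answered with ${res.status}`;
  const origin = h["access-control-allow-origin"];
  if (origin !== req.origin && origin !== "*") return "origin not in Access-Control-Allow-Origin";
  if (req.withCredentials) {
    // With cookies attached the origin must be echoed exactly and credentials explicitly allowed.
    if (origin === "*") return "wildcard origin is rejected when credentials are sent";
    if (h["access-control-allow-credentials"] !== "true") return "credentials not allowed";
  }
  const methods = list("access-control-allow-methods");
  if (!SIMPLE_METHODS.has(req.method) && !methods.includes(req.method.toLowerCase())) {
    return `method ${req.method} not allowed`;
  }
  const allowedHeaders = list("access-control-allow-headers");
  for (const name of req.headers) {
    // Content-Type: application/json is not a "simple" header, which is what triggers pre-flight.
    if (!allowedHeaders.includes(name.toLowerCase())) return `header ${name} not allowed`;
  }
  return null;
}
```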

Page 55: Domino/Notes 9.0 upgrade to take advantage of NFL, WFL and CORS technologies

CORS – Client / Query Request Chrome Results

• Once Domino 9.0.x was configured to respond with a Status of 200 for OPTIONS requests, CORS began to work as expected. The validation of claims, however, seemed to only work with Chrome when using a simple AJAX JavaScript query like the one below:

var DominoQuery = function() {
    // Domino view opened with ?ReadViewEntries so the response is JSON (path elided on the slide)
    var url = 'https://<Domino_Server>/.nsf?ReadViewEntries&outputformat=json….';
    $.ajax(url, {
        type: "GET",
        // A JSON content type is not a "simple" request header, so the browser pre-flights with OPTIONS
        contentType: "application/json; charset=utf-8",
        success: function(data, status, xhr) {
            alert(data);
        },
        // Send the Domino SAML Web SSO session cookie; needs Access-Control-Allow-Credentials "true"
        xhrFields: {
            withCredentials: true
        },
        crossDomain: true
    });
};

Page 56: Domino/Notes 9.0 upgrade to take advantage of NFL, WFL and CORS technologies

CORS – Client / Query Request Other Browser Results

• In Internet Explorer 11 and Firefox 30 another solution was to explicitly authenticate to Domino by programmatically creating an iFrame and having the user authenticate first before making a query. This approach worked when using a slightly more complicated JavaScript XMLHttpRequest.

• See http://caniuse.com/#feat=cors below for CORS browser support

Page 57: Domino/Notes 9.0 upgrade to take advantage of NFL, WFL and CORS technologies

CORS – Completed Business Portal

• Successfully used CORS and WFL (Domino Web SSO) to get menu, news and application JSON data from Domino 9.0.x for the new ASP.NET Business Portal.

Page 58: Domino/Notes 9.0 upgrade to take advantage of NFL, WFL and CORS technologies

CORS – Domino IBM HTTP Apache Future

• IBM plans to remove support for IBM HTTP Server (IHS) in a future Domino maintenance release now that native Domino TLS 1.2 functionality has been added to the product. IBM HTTP Server proved a good solution for Domino customers who needed better security functionality over the native Domino HTTP protocol on a Windows server platform. However, that solution is limited in scope since it covers only HTTPS and Windows.

Source http://www-01.ibm.com/support/docview.wss?uid=swg21697303

• TGA will keep using the Domino 9.0.1 IBM HTTP stack for CORS capability for the foreseeable future. An alternative proxy server solution may be considered.

Page 59: Domino/Notes 9.0 upgrade to take advantage of NFL, WFL and CORS technologies

Web Services – Consumer Domino 9.0.x Java Setup

• During the TGA upgrade project some DMZ Domino client agents were developed in Java to securely (using HTTPS) consume internal IIS web services for AD account creation.

• Domino needed the root CA X.509 public certificate for the IIS site certificate installed in its Java key store (the CACERTS file) using the iKeyMan utility.

Page 60: Domino/Notes 9.0 upgrade to take advantage of NFL, WFL and CORS technologies

Web Services – Consumer Domino 9.0.x Java Experience

• Domino 9.0.x uses a slightly older edition of Java (v1.6) which does not support the HTTPS TLS extension called ‘Server Name Indication’ (SNI). As the IIS server hosts multiple websites (each with its own HTTPS bindings and services), Domino is not able to complete a TLS handshake successfully and receives the wrong certificate, resulting in a Domino console “host name does not match” error when the Java service consumer agent runs.

• The solution is to use a wildcard certificate as the default site HTTPS binding on the internal IIS web server, with “Require Server Name Indication” unticked and the “Host name” field left blank, resulting in the Domino consumer Java agent client flow below.

Page 61: Domino/Notes 9.0 upgrade to take advantage of NFL, WFL and CORS technologies

Web Services – Consumer Domino 9.0.x Java Patching

• Use a “\Domino\JVM\Lib\Security\java.pol” file to cover security requirements for running Java agents that differ from the standard “java.policy”. See technote https://www-304.ibm.com/support/docview.wss?uid=swg21679242 .

• Back up the “\Domino\JVM\Lib\Security\cacerts” key store and “java.policy” files prior to patching, as they can get lost; copy them back in after patching activity such as below. See blog http://linqed.eu/2014/06/25/considering-a-domino-upgrade-beware-of-custom-java-security-policies/

Page 62: Domino/Notes 9.0 upgrade to take advantage of NFL, WFL and CORS technologies

Web Services – Provider Domino 9.0.x Setup

• During the TGA upgrade project some internal web service providers were developed in Domino to be consumed by the Microsoft Dynamics Customer Relationship Management System (CRM) so it could update corresponding documents in the Domino Directory after its own account updates.

• Internal Domino 9.0.x servers were set up to use SPNEGO SSO for HTTP authentication such that CRM would use its AD service account to seamlessly communicate with Domino. The CRM service account needs to be identified in the Domino Directory and only requires Reader access to the database where the service providers reside.

Page 63: Domino/Notes 9.0 upgrade to take advantage of NFL, WFL and CORS technologies

Web Services – Provider Domino 9.0.x Experience

• Found that the Domino Notes INI setting WIDE_SEARCH_FOR_KERBEROS_NAMES=1 caused lots of problems for CRM when it was enabled and the service account "svc_crm@ADDOMAIN" was specified in the person document Kerberos field under the Administration tab. Just used the ShortName with this setting off and it works fine.

• Ensure “HTTP persistent connections” is set to Disabled in the server document. When enabled, CRM would hang consuming Domino services.

Page 64: Domino/Notes 9.0 upgrade to take advantage of NFL, WFL and CORS technologies

Code Management - Team Foundation Server (TFS)

• Quick mention! To share code in the TGA project team and branch-manage code properly, the developers were required to:

– Export each Domino database into a corresponding On-Disk Project (ODP) in Domino XML (DXL) format using the Domino Designer 9.0.x Source Control functionality. AGECOM DXL Import / Export utilities were also used to assist. See https://www.agecom.com.au/

– Branch-manage the ODP in TFS 2013 using the Microsoft Team Explorer Everywhere Eclipse plugin @ http://www.microsoft.com/en-au/download/details.aspx?id=40785

Page 65: Domino/Notes 9.0 upgrade to take advantage of NFL, WFL and CORS technologies

Questions?