This is the 2nd post in my "IAM dabbeling" sequence - as a preamble let me say upfront that I am not an administrator and no expert in the TLS/SSL arena. I am a (web) developer who wants to use OAUTH2 in my Node.JS applications with Domino. That said, some experts out there might be finding easier/better ways to achieve this goal - I'm happy to learn. What I do here is to write down the path that worked for me - yours might be different/easier/quicker - feel free to comment.

With that, let's get started with the basics of setting up IAM which is: Setting up the proton task on your domino server and securing it using SSL encryption and Authorization.


First thing up - as we install the Domino appdev pack, we have to run the proton server add-in task on a Linux Domino server. The current version (February 2019) is only available on Linux. This is the proton protocol task for Domino only - domino-db as the Node.js package can be run on any platform - in my case all the test node applications (proton clients) are running on MacOS.


I will not go into any details regarding the setup of a Domino server on Linux - there are other guides out there that should help you along like here:

http://www.devinolson.net/devin/spankysplace.nsf/downloads/DOLN-AFKK4N/$File/Domino9onCentos6.pdf

Also, please do yourself a favour and use the brilliant start script of lifetime champion Daniel Nashed, you can request it here:

https://www.nashcom.de/nshweb/pages/startscript.htm

I am not using Docker containers for now, I decided that a VM running CentOS 7.5 would be sufficient for me. In case you want to use Docker, keep an eye on Daniel Nashed's blog as well, as he is heavily involved in making these happen. Also check out the following repo from Thomas Hampel as a starting point for Docker and Domino:

https://github.com/IBM/domino-docker

So let's assume you have a VM with CentOS 7.x and Domino 10.0.1 installed. You have a user for Domino that ideally is part of the SUDOs group.


My Domino Server paths are the following, please take note of yours accordingly:


Server BIN: /opt/ibm/domino/bin

Server-Files: /opt/ibm/domino/notes/latest/linux

Data-Directory: /local/proton/dominodata (yeah, I know, why use standards?!)


Make sure that your user for Domino has r/w access rights in these directories and files.


I downloaded the Appdev pack to my /install directory.


Make sure that OpenSSL is working on your VM (Command line: openssl version should be giving something like: OpenSSL 1.0.2k-fips  26 Jan 2017)


Step 1: Take note of your hostnames.


My Domino server certifier is: CN=Proton1/O= C3UG/C= CA

My Domino host name is: proton1.c3ug.ca which is an alias for:

My VM's hostname: proton1.fritz.box, which is coming from my DHCP server. To find out your current hostname, use

hostnamectl status

on the command line. Using

hostnamectl set-hostname

allows you to set/change your hostname if needed.


I also added the basic alias proton1 to my hosts file in the CentOS VM to 127.0.0.1 as an additional alias as well as my Domino alias proton1.c3ug.ca


Step 2: Firewall Considerations


CentOS 7.x runs the firewalld firewall (a systemd service) per default. Using Webmin or other visual tools you can open up the ports needed by the various tools, or do as I did and disable the VM's firewall, as it is always running behind the Mac's firewall plus the router's firewall. DO NOT DO THIS IN PRODUCTION - this is for dev/test purposes only !!!


To disable firewalld use these commands as root:


systemctl disable firewalld


and


systemctl stop firewalld


(to reverse that:
systemctl enable firewalld

and

systemctl start firewalld


to check the state use: systemctl status firewalld)


Step 3: Install Node.js


Now, to run the IAM server on top of the Domino server, we need to install Node.js. Currently (February 2019) IAM supports Node.js V8.12.0 which can be found here:

https://nodejs.org/download/release/v8.12.0/

The link including the package name is:


https://nodejs.org/download/release/v8.12.0/node-v8.12.0-linux-x64.tar.gz

Then, we have to install node manually as we can not use the latest stable release. I found this pretty helpful:


Install a Package from the Node Site

One option for installing Node.js on your server is to simply get the pre-built packages from the Node.js website and install them.

You can find the Linux binary packages here. Since CentOS 7 only comes in the 64-bit architecture, right click on the link under "Linux Binaries (.tar.gz)" labeled "64-bit". Select "Copy link address" or whatever similar option your browser provides.

On your server, change to your home directory and use the wget utility to download the files. Paste the URL you just copied as the argument for the command:

cd ~
wget https://nodejs.org/download/release/v8.12.0/node-v8.12.0-linux-x64.tar.gz

Note: Your version number in the URL is likely to be different than the one above. Use the address you copied from the Node.js site rather than the specific URL provided in this guide.

Next, we will extract the binary package into our system's local package hierarchy with the tar command. The archive is packaged within a versioned directory, which we can get rid of by passing the --strip-components 1 option. We will specify the target directory of our command with the -C command:

sudo tar --strip-components 1 -xzvf node-v* -C /usr/local

This will install all of the components within the /usr/local branch of your system.
You can verify that the installation was successful by asking Node for its version number:

node --version

v8.12.0


The installation was successful and you can now begin using Node.js on your CentOS 7 server.


This is the link where I shamelessly copied the above paragraph:


https://www.digitalocean.com/community/tutorials/how-to-install-node-js-on-a-centos-7-server

Step 4: Setup PROTON on the Domino Server


Stop your domino server.


open a command line and switch to

/opt/ibm/domino/notes/latest/linux


make sure libnotes.so is present (ls -l libnotes.so)


expand the proton-addin archive (in my case from /install)


sudo tar -xvf /install/proton-addin-.tgz
("TAB" is your friend here !)


fixup file permissions and ownership


sudo sh -v ./setup_proton.sh


start the Domino server


at the console you should see


PROTON> Build -xxxxxxxxxxxxxxxxx
PROTON> Listening on 127.0.0.1, port 38770, INSECURE
PROTON> Note: Requested port was 0, Actual listen port is 38770
PROTON> Server initialized
PROTON> Server only allows Anonymous access.

if not, issue a "load proton" command and check outputs


if necessary, add the PROTON task to the SERVERTASKS= line in the notes.ini in /local/proton/dominodata/notes.ini in my case.


The proton task should now be up and running


Step 5: Securing PROTON with SSL and Client Authentication


Step 5.1: Downloading and installing the KYR-Tool


If you ever dealt with SSL and Domino you might be familiar with the KYR-Tool. If not, this is a special tool to package SSL certificates in a keyring file in a way that Domino can consume. This tool is not by default part of the Domino server install and has to be downloaded separately. You can find the download here:


https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Lotus&product=ibm/Lotus/Lotus+Domino&release=9.0.1.2&platform=All&function=fixId&fixids=KYRTool_9x_ClientServer

You will need the Linux 64 bit version and have your IBM-ID at hand :-)


the resulting file "kyrtool" must be placed in /opt/ibm/domino/bin/tools/


This position causes some issues with the scripts IBM/HCL provided to create our certificates in the next section.


Step 5.2: Creating the certificates that are needed.


In this tutorial, we will focus on self-signed SSL certificates and the scripts that are provided therefor by IBM/HCL in the appdev pack.

First, we have to create the base Certification Authority (CA) and the CRT and KEY files for the proton server and the technical user.


This is done by the script:


make_certs.sh


Of course, we have to make some changes to this script before running it - it has to be tailored to your domino server.


Using nano, edit the script. Here are my changes (at the top and the bottom section of the file)


top:


if [[ -f ca.key || -f ca.crt ]]
then
    echo "CA already exists."
else
    # Generate CA private key (pass:1234 is the hard-coded passphrase protecting ca.key)
    (set -x ; openssl genrsa -passout pass:1234 -des3 -out ca.key 4096)

    # Self-Sign CA key (certificate valid for 365 days)
    (set -x ; openssl req -passin pass:1234 -new -x509 -days 365 -key ca.key -out ca.crt -subj "/O= C3UG/CN= C3UG-Test-CA" -sha256)
fi


These changes are related to my certifiers in Domino. I would think they are not needed but I had issues importing the client certs later for the technical users without them. Might as well be only me but this worked for me.
SO PLEASE USE YOUR CERTIFIER STRINGS here accordingly !

bottom:


create_key server "/O= C3UG/CN=PROTON1" "DNS:proton1.fritz.box"
create_key app1 "/O= C3UG/CN=app1" ""
create_key app2 "/O= C3UG/CN=app2" ""


After some talks on Slack with Oliver Busse, please make sure that your file access to the Domino paths is correct for the notes user. Sometimes even running the scripts using sudo gives you errors with certain files, e.g. server.key. In this case, check your permissions, delete the old stuff from a previous run and try again. Running as root is an option but you will have to chown your user right after running the scripts for the notes user or you have the next pitfall. Don't worry, running those scripts does not do anything harmful to your environment so you can run them until the result is ok. Patience is of the essence here.


This will create server.key, server.crt, app1.crt, app1.key, app2.crt, app2.key, ca.crt and ca.key, etc.

Step 5.3: Create the Domino Keyring file


In a great effort, Oliver Busse fixed the scripts, so download make_keyring.sh from here:


https://gist.github.com/zeromancer1972/74ddbdc655bf15616cdc1928d522730b

and copy them to /opt/ibm/domino/notes/latest/linux/


using nano, edit the kyrtool function of your make_keyring.sh file to point to your notesdata folder, in my case /local/proton/notesdata


I also recommend renaming the keyring and the stashfile names "sample1.kyr" and "sample1.sth" into something more meaningful like your servername, in my case proton1.kyr and proton1.sth


Running this script, you will end up having 2 new files in /tmp:

- proton1.kyr

- proton1.sth


copy those files to /opt/local/proton/dominodata


Step 5.4: Setting up SSL for PROTON


Stop your domino server.


Go to /local/proton/dominodata (your data directory that is)


edit notes.ini using nano.


Add the following lines to your notes.ini if not yet there:


PROTON_LISTEN_ADDRESS=0.0.0.0

PROTON_LISTEN_PORT=3002

PROTON_SSL=1

PROTON_KEYFILE=proton1.kyr


restart the domino server, PROTON TASK should start saying secure and anonymous access only.


Step 5.5: Create technical user and import client certificate


refer to this section here:


Client authentication

Proton authenticates client application requests based on the setting of the PROTON_AUTHENTICATION notes.ini setting. Valid options are:

client_cert: The client certificate is mapped to a Person document in the server's directory. Access to data is calculated based on this identity. Proton must be enabled for TLS/SSL for this option.

anonymous: All requests are made as the Anonymous user identity. This name does not need to appear in the directory, but it does need to exist in database ACL. This option is available with and without TLS/SSL being enabled.

The default behavior when the setting does not exist is to provide Anonymous access to Domino databases.







Client certificate authentication

To require that applications provide a valid client certificate set the following notes.ini variable:

PROTON_AUTHENTICATION=client_cert

With this setting enabled there are some additional administrative and client requirements.

  1. The client application must supply a valid client certificate when making domino-db requests to the Proton server on Domino. The common name in the client certificate must have a name that can be found in the Domino directory. Proton performs a lookup in the Domino directory to find the person document.
  2. The Domino administrator must create a Person document in the Domino directory and perform the Import Internet Certificates Action on the Person document. This is required because the client certificate is verified against the known certificate in the Domino directory.
Image:IAM dabbeling - Post 2: setting up proton and testing

Now - a lot of people get stuck here - import the certificates by importing the app1.crt file. No need to create a *.pem or whatever.

Example using app2, please use app1 for your demo:


Create a person record for app1. Then after saving it, select the Actions Menu...


Image:IAM dabbeling - Post 2: setting up proton and testing
and select "Import Internet Certificates" ! This brings up the following dialog:


Image:IAM dabbeling - Post 2: setting up proton and testing
Select "All Files" and pick the app1.crt file !

Image:IAM dabbeling - Post 2: setting up proton and testing
use the app1.crt here !

Image:IAM dabbeling - Post 2: setting up proton and testing
keep the format as is.

Image:IAM dabbeling - Post 2: setting up proton and testing
Click "accept all"

Image:IAM dabbeling - Post 2: setting up proton and testing
Save & Close and re-check:

Image:IAM dabbeling - Post 2: setting up proton and testing
Done !



Step 5.6 Add Client Authentication to PROTON


Stop the domino server


edit notes.ini


add the following line to your Notes.ini:


PROTON_AUTHENTICATION=client_cert


restart your server.


Now, this concludes the SSL/Authentication part !
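
A way to check the notes.ini that Steps 4 to 5.6 produce, as an added example that is not part of the appdev pack or the original post: it flags Proton running without TLS, anonymous access, client_cert without TLS, and a missing keyring name. The sample notes.ini texts are constructed; matching setting names case-insensitively and taking 127.0.0.1 as the default listen address (as in the Step 4 console output) are assumptions.

```javascript
'use strict';

// Parse notes.ini text into a Map of upper-cased setting names to values.
// Assumption: names are matched case-insensitively and the last occurrence wins.
function parseNotesIni(text) {
  const settings = new Map();
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trim();
    const eq = line.indexOf('=');
    if (eq < 1 || line.startsWith(';')) continue; // skip [Notes], blanks, comments
    settings.set(line.slice(0, eq).trim().toUpperCase(), line.slice(eq + 1).trim());
  }
  return settings;
}

const LOOPBACK = new Set(['127.0.0.1', '::1', 'localhost']);
const VALID_AUTH = new Set(['client_cert', 'anonymous']);

// Return a list of { id, severity, message } findings for the Proton settings.
function auditProtonSettings(text) {
  const ini = parseNotesIni(text);
  const findings = [];
  const add = (id, severity, message) => findings.push({ id, severity, message });

  const tls = ini.get('PROTON_SSL') === '1';
  // 127.0.0.1 is what the Step 4 console output shows when nothing is configured.
  const address = ini.get('PROTON_LISTEN_ADDRESS') || '127.0.0.1';
  const auth = ini.get('PROTON_AUTHENTICATION');
  // A task bound to more than loopback is reachable from other hosts.
  const exposure = LOOPBACK.has(address) ? 'medium' : 'high';

  if (!tls) {
    add('TLS_OFF', exposure, `Proton listens on ${address} without TLS (console says INSECURE)`);
  } else if (!ini.get('PROTON_KEYFILE')) {
    add('KEYFILE_MISSING', 'high', 'PROTON_SSL=1 but PROTON_KEYFILE does not name a keyring');
  }

  if (auth === undefined || auth === 'anonymous') {
    add('ANONYMOUS_ACCESS', exposure, 'every request runs as Anonymous; access depends on database ACLs only');
  } else if (!VALID_AUTH.has(auth)) {
    add('UNKNOWN_AUTH_VALUE', 'high', `PROTON_AUTHENTICATION=${auth} is not client_cert or anonymous`);
  } else if (!tls) {
    add('CLIENT_CERT_WITHOUT_TLS', 'high', 'client_cert requires Proton to be enabled for TLS/SSL');
  }
  return findings;
}

// Convenience for scripts: comma-separated finding ids, empty string when clean.
function findingIds(text) {
  return auditProtonSettings(text).map(f => f.id).join(',');
}

// Constructed sample files mirroring the states this post walks through.
const STEP_4_INI = '[Notes]\nServerTasks=Replica,Router,HTTP,PROTON\n';
const STEP_5_4_INI = STEP_4_INI +
  'PROTON_LISTEN_ADDRESS=0.0.0.0\nPROTON_LISTEN_PORT=3002\nPROTON_SSL=1\nPROTON_KEYFILE=proton1.kyr\n';
const STEP_5_6_INI = STEP_5_4_INI + 'PROTON_AUTHENTICATION=client_cert\n';
// Constructed weak variant: reachable from the network, client_cert requested, TLS forgotten.
const WEAK_INI = STEP_4_INI +
  'PROTON_LISTEN_ADDRESS=0.0.0.0\nPROTON_LISTEN_PORT=3002\nPROTON_AUTHENTICATION=client_cert\n';
```

To check a real server, pass the contents of your own notes.ini (read with fs.readFileSync) to auditProtonSettings and review the returned messages.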



Step 6: Test your configuration


Now, let's start coding a bit.


The appdev pack comes with samples that let you test the connectivity using SSL and Authentication:


Use the domino-db Quick start sample. Here's a configuration for your domino server access using SSL and Client Authentication:


Image:IAM dabbeling - Post 2: setting up proton and testing



I am using ca.crt, app1.crt and app1.key from above and copied them into the project. Here's the source of my server-config.js code.

var fs = require('fs');
var path = require('path');

// Read a certificate or key file; log the error and return undefined if it cannot be read.
const readFile = fileName => {
  try {
    return fs.readFileSync(path.resolve(fileName));
  } catch (error) {
    console.log(error);
    return undefined;
  }
};

const rootCertificate = readFile('./certificates/ca.crt'); // CA created by make_certs.sh
const clientCertificate = readFile('./certificates/app1.crt'); // imported into the app1 Person document
const clientKey = readFile('./certificates/app1.key'); // private key belonging to app1.crt

const { useServer } = require('@domino/domino-db');

const serverConfig = {
  hostName: 'proton1.fritz.box', // DNS (!) Host name of your server
  // See scripts to create kyr-file and ca for adoption !
  connection: {
    port: '3002', // Proton port on your server
    secure: true,
  },
  credentials: {
    rootCertificate,
    clientCertificate,
    clientKey
  }
};

module.exports = serverConfig;

That concludes my first steps for me to set up PROTON on Domino !





Heiko Voigt   |   14 February 2019 09:19:00   |    Domino  OAUTH  proton  domino-db  nodejs    |   Comments [2]

Wow, finally !

With some great help from HCL (thanks to the HCL Client Advocacy Program and Gordon Hegfield in person ! ) I was able to master the setup of the OAUTH2 provider for Domino !

So, how is my environment set up ?

Image:IAM dabbeling ... first setup successfully done. Post 1 of many to come....

To set up IAM, I followed the documentation (I will go through these setup steps in later posts):
  • Install Domino
  • set up PROTON
  • set up design catalog
  • secure PROTON using SSL and Authentication (fixing scripts)
  • add person record for technical app user and add certificates
  • Testing with the sample code from the documentation
  • Set up ID-Vault
  • Create IAM Storage Database from template, sign, add to design catalog
  • Register technical user for IAM server
  • Create client certificate for IAM user using the PROTON CA
  • IAM Server Configuration and fiddling with ports
  • set up credential store
  • configure LDAP
  • configure IDP
  • Setting up IAM Client app and examples
  • Banging head against walls on which certificate to use for OAUTH2_DSAPI_KEYRING= Notes.ini parameter
  • Asking HCL for Help
  • Getting Help within 1 hour !!!!
  • Hussa ! Made it !
    So, bear with me if it might take me a while to write down all my alien encounters on that venture - I will start ASAP.

    Here's what the final result looks like, you can't believe how lucky I feel seeing this finally working.

    Image:IAM dabbeling ... first setup successfully done. Post 1 of many to come....

    Cheers,

    Heiko.

  • Heiko Voigt   |   13 February 2019 13:25:17   |    Domino  Node.js  domino-db  IAM  OAUTH2    |   Comments [0]

    3 January 2019 Thursday

    2018 - my year in revue

    Image:2018 - my year in revue
    So, welcome 2019 ! This last year went by in a blast for me, I was more busy than ever running Harbour Light in Canada and Co-Running SIT in Germany. Both ventures have been very successful in 2018 - we grew our customer base, extended our product portfolio and most of all made the shift from a pure IBM shop to a full stack development and project management organization.
    We had a lot of new technologies coming into our stack this year - the first AI and VR/AR applications went live. We have our first implementations of Apple's AR solutions as well as the first productive applications using Microsoft's Hololens product. A very strong discipline we had to invest in 2017 was API Design and this paid off in 2018 - being able to develop middleware in an agile way using AI services and multi cloud environments became essential to our business. Our first large application in that area was presented at DNUG, ICON UK and DNUG Developer Days and we will see a C3UG Video shortly.
    My special thanks go out to my employees on both sides of the pond - my two little ones took a huge chunk of my professional time again this year as daycare is still more a concept in Germany than a reliable infrastructure component. Without my employees covering my back whenever needed, I would have run aground several times this year. A big thank you goes to Gaby - our Nanny, without you, we would not have been able to run our professional life, so thank you !

    Besides my two companies, I had some off-time ventures that really gave me joy as it was so much fun to work with talented and gifted people from Canada throughout the year - C3UG and our video series became a very interesting way for me to talk to other yellow bleeders and to discuss news, products and features in a fun and intuitive way. So Scott, Colin, Graham - thanks for a great year and I am looking forward to new things coming up in 2019.

    Our beloved Domino Environment took new flight in 2018 - and after some twists and turns (I vented about this already) the future for a lot of the former ICS portfolio seems to have a bright future ahead at HCL. I personally would love to see these products thriving again and it would be great to be part of this journey in the future. This includes Connections and a product I really like for a long time already - WebSphere Portal.

    The world became no safer place in 2018 and won't be in 2019 - I generally do not like where isolationism is taking our western societies, we will see what happens this year in the EU regarding the elections and Brexit. The economy is looking stable still but it's crumbling on the edges, let's hope for a stable year 2019 here as well. I won't be venting here about politics - reality is more absurd than comedy or satire. That's more than telling for me.

    Right before Christmas, I received a nice email from IBM letting me know that I will be an IBM Champion for ICS in 2019 ! Thanks to everyone who voted for me, even though I might not have been politically correct all the time - I am really looking forward to work with this group of passionate, talented and gifted people in 2019. And I am grateful for this honor - I had some dreams in my professional life - speaking at Lotusphere once (done that in 2016) and becoming an IBM champion was among them. So thank you all for making it possible to remove one item from my bucket list !

    May 2019 be a good year with health and prosperity for all my readers, friends, families and colleagues - let's stay in touch !

    Heiko.



    Heiko Voigt   |   3 January 2019 21:51:32   |    SIT  Harbor Light    |   Comments [0]

    12 December 2018 Wednesday

    That HCL thing ... my two cents

    My thoughts on the IBM <-> HCL deal

    The dust settles slowly in these days after the announcement that HCL will buy an assortment of on premises software from IBM for $ 1.8 billion.


    For me, there are two sides of the same medal to look at if we talk about this deal.

    Side 1: HCL and its new possessions.


    HCL made it very clear that they invest into these software assets to establish a new revenue stream to their company making the move to be a software reseller too after coming from a very effective and well-running services area.
    What HCL came up with for IBM Notes/Domino V10 and the plans for V11 looks encouraging - the new features are well received by the ever-faithful and the yet small but remarkable buzz around the platform as well. The question for me is - will this be enough for the customers to trust HCL and stay on the platform or will this be the final nail in the coffin for the remainders of the IBM collaboration portfolio ? Time will tell, everyone encourages customers to stay while I just wait for all of my fellow business partners with migration tools to creep out of the holes again to finally rip the cadaver apart... . I hope HCL is able to pull off some strong messages soon - for Connections, Commerce and Portal as well as a lot of customers are still using these tools and they have been left out in the cold at least for as long as the Domino folks by IBM. So HCL - give us a strategy update quick to let us (your potential partners and their customers) know what to expect !


    Side 2: IBM - the BREXIT from everything


    How can a company possibly screw up so many things in such a short amount of time ? I am not talking Notes/Domino here specifically but it is a poster child of what happens here. IBM starts a partnership with HCL for N/D, starts Jams, Campaigns, aha-sites and what have you like never in the years before and now, after a couple of months of making partners and customers believe they got it - no, we sell it off and declare a brexit from all things collaboration / commerce / portal and other sort that's on premises. After telling customers that nothing will change for them. Again. From doing nothing for years to start building a momentum to shooting yourself in the foot in two months from the V10 launch - that really can only be topped by the british brexit circus. How much money got spent, how much momentum has been built for this now ? This for me shows IBM's misery these days - conflicting, not trustworthy messages and I am sure that the people in the respective brands were as surprised as us outsiders about these rapid changes. So everyone still using the cloud offerings of IBM should notice this behaviour. Can you really trust this company with your data going forward ? IBM believes in the Cloud so keeping Connections Cloud and Verse in the Cloud makes sense... . Wait a minute. What ?! For how long ? And then what ? Who will be in charge for bug fixing, support, future development ? I guess the cloud stuff would have been sold as well if the data security issues would have been easier to resolve.

    To me, the state of IBM is shocking. Is this a company I can/want to partner/trust in the future ? Of course all of this is part of business as usual but while other companies buy and sell parts of their portfolio all the time, the clear lack of vision and somewhat coordinated communication within the last couple of months leaves me almost speechless. The company I started my professional career in is no longer a general IT business. It's becoming a highly profitable niche player, discontinuing stuff on the go they are no longer able to sustain and maintain. Good luck IBM. I don't think this will lead you and your (in a lot of cases very talented) employees into a sustainable future. But that's just my guess - who am I to tell IBM what to do ;-).


    Conclusions:


    On the upside of things I believe that for most customers using the tools now sold to HCL there will be a smooth transition regarding contracts, support and so forth so nobody will be left out in the cold. The real issues for me are more strategic ones.
    Thank god the holiday season is coming up, this leaves some off time to vent and think things through. While I am tempted to become an HCL partner with my companies, I will have to think twice of what to do with IBM. I have to see if there is enough value proposition in the watson area for us as a small ISV to continue or if we should switch to AWS, MS or Google for all things cloud based services. We do this to some extent today already, but damn it, I would have loved to have some compelling options in this game using IBM technology. Today, after some really bad experiences with the IBM Cloud, I'm not so sure there either. Lots to think about for 2019... . What's your take ?
    Heiko Voigt   |   12 December 2018 13:04:29   |    HCL  IBM  Domino  Notes  Connections    |   Comments [8]

    11 December 2018 Tuesday

    These Romans are crazy....

    There are rarely days on which I read headlines that lay bare the whole malaise of our time. Today is one of those again, and I wanted to post this so that nobody can tell me that no one wrote it down.

    The first headline comes from Spiegel Online and concerns Michel's Germany:

    "... Cum-Ex investigation
    Public prosecutor investigates "Correctiv" editor-in-chief
    With its Cum-Ex revelations, the investigative group Correctiv uncovered tax fraud worth billions. Now the public prosecutor's office is investigating editor-in-chief Oliver Schröm. He is said to have incited bankers to betray secrets.
    ..."
    Link: http://www.spiegel.de/kultur/gesellschaft/correctiv-staatsanwaltschaft-ermittelt-nach-cum-ex-recherche-gegen-chef-oliver-schroem-a-1243113.html
    It really is unbelievable - with tricks and political toleration by Rollotov-Schäuble, the state is cheated out of billions in tax revenue, and the journalists who uncover the scandal are pursued by the public prosecutor's office. Oh, and the car bosses in Germany are allowed to simply carry on as always. But little Michel - woe betide you if you don't pay your parking ticket or pay your taxes late ! Seizure of assets and then jail, fully automatic. I like this country less and less. Hmmm? Forum troll ? Yes, I will leave soon if it no longer suits me here.

    The second headline, from Heise, is more of a smirk:
    "...10.12.2018 15:10
    China sees human rights of Huawei CFO violated

    Huawei CFO Meng Wanzhou has been in custody for a good week. China now accuses Canada of having treated her "inhumanely".

    ..."

    Link: https://www.heise.de/newsticker/meldung/China-sieht-Menschenrechte-von-Huawei-Finanzchefin-verletzt-4246880.html

    The chief human-rights champions again. Great cinema.

    When life overtakes satire, or however that went - sometimes I really believe I am in the wrong movie.

    Wake up !

    Heiko.


    Heiko Voigt   |   11 December 2018 14:17:13   |     |   Comments [0]

    14 November 2018 Wednesday

    DominoDB and a big NO-NO !

    So folks,

    the beta of DominoDB is out and people are starting to use it.
    One of my early-adopting customers started to play around with it and started to create a React-based application using DominoDb to modify database content. They secured their Proton task using the SSL encryption. So far so good. What I did not expect was the flaw in the architecture of the app that I came across when I looked at the source.
    The guys were using DominoDb right from the React App IN THE CLIENT APP ITSELF. The next picture illustrates what I mean by that:

    Image:DominoDB and a big NO-NO !
    For testing, they opened their firewall at the proton port and are now communicating via SSL from the browser directly to the proton task on the server. While this is working, for me as a solution architect, this is a big NO-NO as you expose your client access keys and encryption keys in an end-user application as well as the server address for your proton task, name of the database etc. DO NOT DO THIS !!!!

    From my perspective, DominoDB is always sitting on a server. Period. It is meant to be sitting behind a REST-Facade that hides the application and server access part from the end user. So my quick redraw of the architecture would look like this:

    Image:DominoDB and a big NO-NO !

    So the Client Browser only talks to the reverse proxy which then accesses resources on Domino (Xpages or whatever) or a Node/Express based REST-API that takes care of the Domino related tasks using DominoDB.
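
The REST facade described above, sketched as an added example (not code from this post or from the appdev pack): the browser sends only a validated search value, while the Proton host, the database path and the client key stay on the server. The endpoint path, the field names and the Contact form are hypothetical, and the bulkReadDocuments({ query, itemNames }) call returning a documents array is assumed to behave as in the domino-db quick start.

```javascript
'use strict';

// Item names that may leave the server (hypothetical fields of a Contact form).
const PUBLIC_FIELDS = ['FirstName', 'LastName', 'City'];
// Allowlist for the only user-supplied value placed into the DQL string: no quotes,
// no operators. Names such as O'Brien are rejected here on purpose.
const NAME_PATTERN = /^[A-Za-z][A-Za-z .-]{0,39}$/;

// Build the request handler around an already opened domino-db database object.
// Nothing about the Proton connection is ever sent to the browser.
function createContactsHandler(database) {
  return async function handle(method, rawUrl) {
    let url;
    try {
      url = new URL(rawUrl, 'http://facade.invalid');
    } catch (error) {
      return { status: 400, body: { error: 'bad request' } };
    }
    if (method !== 'GET' || url.pathname !== '/api/contacts') {
      return { status: 404, body: { error: 'not found' } };
    }
    const lastName = url.searchParams.get('lastName') || '';
    if (!NAME_PATTERN.test(lastName)) {
      return { status: 400, body: { error: 'invalid lastName' } };
    }
    try {
      // The query text is fixed on the server; the client cannot choose form or database.
      const result = await database.bulkReadDocuments({
        query: `Form = 'Contact' and LastName = '${lastName}'`,
        itemNames: PUBLIC_FIELDS,
      });
      // Copy only allowlisted items, so @unid and any other item never reach the client.
      const contacts = (result.documents || []).map(doc => {
        const out = {};
        for (const field of PUBLIC_FIELDS) {
          if (doc[field] !== undefined) out[field] = doc[field];
        }
        return out;
      });
      return { status: 200, body: { contacts } };
    } catch (error) {
      // Details (host names, ports, paths) go to the server log, not into the response.
      console.error('domino-db request failed:', error.message);
      return { status: 502, body: { error: 'backend unavailable' } };
    }
  };
}

// Wire the handler to Node's built-in http server, bound to loopback so that only
// the reverse proxy on the same machine can reach it.
function listen(database, port) {
  const http = require('http');
  const handle = createContactsHandler(database);
  return http.createServer(async (req, res) => {
    const { status, body } = await handle(req.method, req.url);
    res.writeHead(status, { 'Content-Type': 'application/json' });
    res.end(JSON.stringify(body));
  }).listen(port, '127.0.0.1');
}

// Startup on the server, following the quick start (assumed API, shown as comments):
//   const { useServer } = require('@domino/domino-db');
//   const server = await useServer(require('./server-config.js'));
//   const database = await server.useDatabase({ filePath: 'node-demo.nsf' });
//   listen(database, 8080);
```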

    I wasn't prepared to having to write this up as it seemed logical to me but maybe it's better to write it down, eh ?!

    Have your say....

    Heiko.
    Heiko Voigt   |   14 November 2018 16:38:29   |    Domino 10  #dominoforever  react  node.js    |   Comments [12]

    IBM Domino domino-db for Node.js First Look: Will it leave you angry and disappointed?

    The new Node.js module for IBM Domino, domino-db, is available from IBM in Beta. This video presents our first impressions of the module. Both Colin and Heiko used the quick start guide included in the download to test it. Our goal is to answer the question: will using this module leave you angry and disappointed?


    The demos in the video show the basic use of the module. IBM has included a Notes database in the download that you can interact with. Colin does a query, using the new Domino Query Language, written in Node and Express. Heiko does a demo of a CRUD operation against the database. Heiko also illustrates how to take the first steps in setting up a secure connection between the Express app and the Domino server.


    You can sign up for the Beta program and start playing with this yourself. Register here:
    https://ibm.biz/Domino10Beta

    Here's the link to the video:


    https://youtu.be/FjcmuWTohXI

    Cheers,


    Heiko.
    Heiko Voigt   |   12 November 2018 09:22:36   |    IBM  Domino  #dominoforever  node.js  dominodb    |   Comments [0]

    10 September 2018 Monday

    My speakers sessions in September

    Good day,

    Developing more and more using Watson APIs, React and Node.JS, I will be speaking at several occasions about an epic venture we took on this year.

    First, I will start off at ICON UK later this week:

    https://www.iconuk.org

    My talk will be around one of our first large AI based projects for a customer in Canada - digging out important emails from various channels based on personal profiling and machine learning. I will talk about the pitfalls and the overall approach we took to reach our goal.

    If you can't make it to ICONUK, you can meet me at the "DNUG Entwicklertag" on September 25th in Koblenz, where I will be speaking about the same topic:

    https://dnug.de/event/development-day-2018/

    And if you can't make it to this event, well, then you will have to wait for the recorded presentation from C3UG, the Cross Canada Collaboration User Group later this month. If you haven't seen our videos from Connect and Engage (the Maple Lounge Sessions), I encourage you to take a look here:

    https://www.youtube.com/channel/UCLYFe1zEeeGYRPI_rMZj2Pg
    http://www.c3ug.ca/


    Hope to see you guys soon at any of these locations !

    Have fun & take care

    Heiko.

    P.S. - yes, "speakers" sessions. I'm travelling with an Amazon Echo Dot and a set of bluetooth speakers. They are the stars of the rodeo. So there's that.
    Heiko Voigt   |   10 September 2018 15:18:24   |    AI  Watson  XPages  Domino10    |   Comments [0]

    Thanks for having me, DNUG !

    I will be speaking at DNUG in June this year about a communications topic - how to use Watson AI to better prioritize your messaging and e-mail channels.
    We will be showing a prototype that we have built for one of our Canadian customers that will digest several input channels from GMail, Verse and Watson Workspace to assess the importance and relevance of the specific message in context of the users priorities and communication habits. It will then tell you the potentially most important messages in a web interface and via voice input/output using Amazon Alexa.

    Please find the link to my session and everything around DNUG here:

    https://dnug45.sched.com/event/Dj2L?iframe=no

    See you at Engage and at DNUG later on. Watch out for the Maple Lounge at Engage this year !

    CU

    Heiko.
    Heiko Voigt   |   15 May 2018 10:37:07   |    DNUG  Watson  IBM  Verse    |   Comments [0]

    Hi,

    I stumbled across this issue a couple of weeks ago and found a workaround today. Some good ol' Notes Client stuff... .

    What did I do ?


    I created a Notes Document in LotusScript via an action button in a view. In the document, I changed some fields and used an action button to save the changes, close the uidocument, append some richtext via LotusScript to a richtext field and re-open the document using ws.editDocument(True,doc,,,False) in Edit mode again. We use this often if we have to append richtext programmatically.

    So far, so good. I continued editing in the UI and saved at some point - Notes wanted to create a save conflict due to multiple edits. The code I used for the above has not changed in years. The database has been using document locking for three years.

    After some serious testing at the customer site, we learned that this behaviour started with Notes 9.0.1 FP8. Everything earlier is fine, the problem also exists in FP9 and the 1st Beta of FP10, so something has changed since FP8 and after some more digging we came across document locking. It seems as if the sequence when the document gets unlocked by ui.close() and reopened (and re-locked) by ws.editDocument() must have changed - from FP8 onwards, the lockholders of the document re-opened for editing are empty for the UI Document but not for the backend document in the database ! So, indeed, there was an edit event happening in the backend after the re-open of the document in the UI.

    The Workaround:


    After fiddling around with some events, I found a workaround by writing the current user as lockholder into the document in the querysave event of the underlying form:

    Sub Querysave(Source As Notesuidocument, Continue As Variant)
        Dim doc As NotesDocument
        Dim s As New NotesSession
        Set doc = Source.Document

        ' Only existing documents can be locked
        If (doc.IsNewNote = False) Then
            ' The UI document lost its lock on re-open: lock the backend document for the current user
            If doc.LockHolders(0) = "" Then
                Call doc.Lock(s.EffectiveUserName)
            End If
        End If
    End Sub



    So with that, if I am the current lockholder in the backend, I can successfully save my changes without generating a save conflict.

    Hope this helps if someone runs into a similar issue.

    Heiko.
    Heiko Voigt   |   29 January 2018 15:45:27   |    Domino  Notes  FP8  FP9  FP6    |   Comments [0]