Hi there,

Having posted a course on how to set up the AppDevPack with the fantastic Mr. Graham Acres leads to more and more questions and help requests.

One aspect that keeps re-occurring a lot is some confusion on SSL Certificates and which one is used by which part of the system and has what requirements.

Therefore, I added the following charts:

Card 1: Certs for PROTON Server Tasks

  • Certificate, Key-File and KYR-File
  • Self Signed CA
  • SSL Encryption for gRPC communication between domino-db, IAM and PROTON Task on the domino server. KYR File needed.
  • Use the make_xxxx scripts in the AppDevPack documentation to create the CA and the certificates needed as well as the KYR File for Proton Task on your Domino Server.
  • Joint CA for PROTON SSL Certificates and Application Certificates (trust Chain)

Card 2: Certs for IAM Server

  • Certificate, Key-File
  • Used in Browser
  • These certs are the ones for the IAM Frontend, used to create apps and settings for IAM as well as for the OAuth Endpoints.
  • Browser trusted CA (e.g. Let's Encrypt) or self signed & import

Card 3: IAMAccessor Proton app

  • Certificate, Key-File
  • SELF SIGNED CA, SAME AS PROTON SERVER
  • These certs are used by IAM to access its applications (dbs) on the domino server using domino-db and proton. Use the same CA you used for the Proton Server certificate. Create a new user on Domino (iamaccessor) and import the *.crt file as Internet Certificate.
  • Joint CA for PROTON SSL Certificates and Application Certificates (trust Chain)

Card 4: Proton Applications

  • Certificate, Key-File
  • SELF SIGNED CA, SAME AS PROTON SERVER
  • These certs are used by your Node.js app to access databases on the domino server using domino-db and proton. Use the same CA you used for the Proton Server certificate. Create new users on Domino (samples are app1 and app2) and import the corresponding *.crt file as Internet Certificate.
  • Joint CA for PROTON SSL Certificates and Application Certificates (trust Chain)

Card 5: Node.js Application, Web Server

  • Certificate, Key-File
  • Public or Self Signed
  • These certs are used by your Node.js app to be accessed securely by a client application and also in conjunction with IAM to be accessed by authorization calls and redirects from IAM.
  • Root Cert must be available to IAM in /config/certs/ca

Here's what that looks like:

Image:Due to some confusion - SSL Certs and the Domino AppDevPack

Hope this helps to clarify what is used when and where.

In case you are German-speaking and would like to know how to set up a self signed CA using OpenSSL, follow the article series on Assono's Blog:


https://www.assono.de/blog/neue-artikelserie-eigene-mehrstufige-zertifizierungsstelle-aufsetzen-mit-openssl

Cheers,

Heiko.  
Heiko Voigt   |   10 August 2020 14:29:26   |    Domino  domino-db    |   Comments [0]

Hello,


Another quarter has passed and once again HCL delivered on its promise to keep the update cadences for the HCL Domino AppDevPack to a release every quarter. Heiko and Graham sit down with Gordon Hegfield to go through the new features and updates !
Check out this new overview video here:


https://youtu.be/6e29WmpojHI

One new piece of the AppDevPack are the new Java Bindings. To help with a head start, we also created a video to share some quick sample code, as well as a github repo where you can grab that code. Have fun !


Video link for the Java Sample:


https://youtu.be/yobxPTY7ckI

And the Corresponding GitHub Repo:


https://github.com/heikovoigt/proton-java-samples

Oh yes, and check out our free online training for the AppDevPack as well:


http://www.c3ug.ca/education

Kind regards,


Heiko for C3UG
Heiko Voigt   |   5 August 2020 15:27:41   |    Domino    |   Comments [1]

Howdie,

for a test environment, I had to wade through the AppDevPack/IAM Installation once more, this time on Windows. While most of the stuff I found was working fairly straightforward, I came across two things that caught my eye, so I thought I should write it down somewhere in case someone else stumbles upon it.


Addendum: 09-02-2020

Some people asked me whether I had to install OpenSSL first or not - and yes, as OpenSSL is not part of a default Windows Environment, you have to install it as a separate install package. Thankfully enough, there's a well maintained web site that offers 64/32 bit Windows Installers for OpenSSL, check this out if needed:
https://slproweb.com/products/Win32OpenSSL.html.

First issue: Creating Self Signed SSL-Certificates for the IAM Server.


While this is not a problem per se, the documentation explains how to create an SSL key using openssl, write a cnf file, create a csr file from that and a certificate from all of the components above. While the command for the last step is running fine for me on Linux, OpenSSL on Windows was throwing an error: "System cannot find the file specified".


This is the command in the documentation:

openssl x509 -passin pass:1234 -req -days 365 -in iamserver.csr -CA ca.crt -CAkey ca.key -out iamserver.crt -CAcreateserial -CAserial ca.seq -sha256 -extfile <(printf "[SAN]\nsubjectAltName=DNS:iamserver.c3ug.ca") -extensions SAN




After some quick tests, it happened to be the -extfile parameter that caused the problem. To work around this, I had to create a separate *.cnf file to add the Altnames parameter to the certificate. So I created a new text file called "ssl-extensions-x509.cnf" (name is yours to choose) with this content:

# ssl-extensions-x509.cnf

[v3_ca]
subjectAltName = DNS:iamserver.c3ug.ca

Then, I altered the command above to:


openssl x509 -passin pass:1234 -req -days 3650 -in iamserver.csr -CA ca.crt -CAkey ca.key -out iamserver.crt -CAcreateserial -CAserial ca.seq -sha256 -extfile ssl-extensions-x509.cnf -extensions v3_ca

With that, the certificate got created as expected.

2nd Issue: Notes Client not starting up after OpenSSL install on Windows.

Error:

HCL Notes
Failed to login
CLFRJ0010E: Notes initialization failed

This happened to me as well as discussed here: https://atnotes.de/index.php/topic,62529.0.html

So basically, I had to uninstall OpenSSL from Windows again and to remove two dll's from C:\Windows\SysWOW64 directory (libcrypto-1_1.dll and libssl-1_1.dll) and then the Notes Client would eventually start again.

That's it - other than that my test environment now runs nicely on Windows as well. Hope this helps if needed.

Heiko.

Heiko Voigt   |   26 May 2020 16:57:21   |    Domino  domino-db  Node.js    |   Comments [1]

Our new XPages View Control. Categorized or flat views, Category Counter, Filtering, Drag&Drop for Columns, make-your-own-damned Categories and much much more. Built as web component, implemented as custom control for multiple views per page. Based on a REST-API. Also available as React Component.
Interested? Coming soon to a Domino Server near you... .


Image:Our new XPages View Control - coming soon
Heiko Voigt   |   9 April 2020 16:37:59   |    Domino  @HCLDigital  #dominoforever    |   Comments [3]

Heiko Voigt   |   3 April 2020 18:49:19   |    Domino  HCL  dominoforever    |   Comments [0]




New C3UG Video: the AppDevPack Story - what's new in Version 1.0.4 ?

In this video, Colin and Heiko from the C3UG Core Team sit down virtually with Gordon Hegfield from HCL to talk about the new features in the most recent release of the HCL Domino AppDevPack - Version 1.0.4. Gordon walks us through the new RichText Features, Agent Support and the rate limiting feature.

Link: https://youtu.be/f5vUJoWxhhc
Heiko Voigt   |   3 April 2020 09:39:08   |    C3UG  AppDevPack  domino-db  dominoforever    |   Comments [0]


New C3UG Video - "From Engage 2020: Using the NERD-Stack to move on from XPages"

https://youtu.be/-sjKMZntVeI

Slides:

https://cloud.sit.de/index.php/s/fvpXMYE7QmRSdXg#pdfviewer
Heiko Voigt   |   2 April 2020 17:07:01   |    C3UG  NERD    |   Comments [0]

Today, a post on a different topic for a change.

For a few days now, the emergency aid ("Soforthilfe") of the state of Baden-Württemberg for SMEs, solo self-employed people and freelancers has been under discussion. The terms of this programme can be read here (https://wm.baden-wuerttemberg.de/de/service/foerderprogramme-und-aufrufe/liste-foerderprogramme/soforthilfe-corona/). For two days now, there have been more and more indications that this procedure works somewhat differently than originally presented. The reason is the following passage in the FAQs for the application:

Do I first have to use up all my private assets before I can apply for the grant?

Before making use of the emergency aid, available liquid private assets must be used.

Not counted are, for example, long-term retirement provisions (shares, real estate, life insurance policies etc.) or funds in a reasonable amount that are needed for an average cost of living.


What does that mean, for example, for a GmbH of our size? Do we have to max out our overdraft facility and, if necessary, also inject private assets as shareholders until those are used up as well? Only to then receive a one-time maximum of 9000,- EURO or 15.000,- EURO for three months as "aid"? At the moment it is not yet clear how this sentence will be "lived" in practice, so there is a lot of speculation. Should it be lived in the sense described above, then the following question arises for me: which banking lobbyist helped write this rule? If it is lived this way, this money will not be help for the individual companies/solo self-employed/freelancers, but a delaying of insolvency in favour of the "poor" house banks, to finance at least part of their loan defaults.


So: assisted dying instead of economic aid.


*!POLEMIC!*

I am writing it down here - teachers and civil servants of Green and Black in the state parliament, for whom money automatically comes out of the power socket, decide about the most important economic factor of the state - the small and medium-sized businesses - by burning tax money on accompanying small businesses into insolvency. Please remember this for the coming elections - anyone who, as a stakeholder in the real economy (not that of the banks), votes Black or Green once more should have their mental state examined. What else could one vote for? Nothing. Everything else is surely even worse.

*!/END POLEMIC!*


As I said - we must and should wait and see how this is actually lived. I am now going to look at the KfW development loans - if the rumoured interest of up to 7% via the house banks is also true, then we have found the next bank subsidy.


My alternative: investments.


The state and the federal government should step in massively as buyers. Generously hand all projects that are planned to the economy. Massively ramp up investments in digitalization, social housing, and the expansion and modernization of schools and hospitals. There are enough topics. Offer retraining programmes for nursing professions and raise the pay scales. Spend the money SENSIBLY and with benefit for the community. Work instead of alms and assisted dying - that is what we need now. That way we would come out of the crisis better than we went into it, the community would have a real equivalent value for the money spent, and quite a few companies/freelancers/solo self-employed people would still have a livelihood. We will not be able to save all of them - but perhaps enough to prevent a total crash.


Opinions?


Pensively,


Heiko.

Heiko Voigt   |   27 March 2020 08:57:20   |    Corona    |   Comments [2]

Quick tip today - if you are building public (REST-)APIs using JavaScript/Node.js/Express you sooner or later have to think about rate-limiting access to your APIs to avoid DoS Attacks.

Facing this challenge as well, I came across two nice express middleware components to help me out:


- Express Rate Limit:
https://www.npmjs.com/package/express-rate-limit
- Express Slow Down:
https://www.npmjs.com/package/express-slow-down

They both can be used together to first slow down repeating IP requests to your APIs and finally block them totally after a slowdown. You don't have to use both of them so you can pick and choose what works best for you. Usage is fairly simple, see here for slowdown:


const express = require("express");
const slowDown = require("express-slow-down");

const app = express();

app.enable("trust proxy"); // only if you're behind a reverse proxy (Heroku, Bluemix, AWS if you use an ELB, custom Nginx setup, etc)

const speedLimiter = slowDown({
  windowMs: 15 * 60 * 1000, // 15 minutes
  delayAfter: 100, // allow 100 requests per 15 minutes, then...
  delayMs: 500 // begin adding 500ms of delay per request above 100:
  // request # 101 is delayed by  500ms
  // request # 102 is delayed by 1000ms
  // request # 103 is delayed by 1500ms
  // etc.
});

// apply to all requests
app.use(speedLimiter);

Not much overhead, right? Me likes.
This is just the simplest way to use them of course, have a look at the documentation for more fine-grained use cases.
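
How the two stages combine, as an added example (not from the original post and not the code of either package): a dependency-free model of a per-IP fixed window that delays requests past delayAfter and rejects them past a hard cap. createThrottle, its max option and the cap of 120 are assumptions for illustration; the other settings are the ones from the snippet above.

```javascript
// Added example: dependency-free model of "slow down first, then block".
// createThrottle, check, prune and the `max` option are hypothetical names;
// this is not the code of express-slow-down or express-rate-limit.
function createThrottle({ windowMs, delayAfter, delayMs, max }) {
  const hits = new Map(); // client IP -> { count, resetAt }

  // Decide what happens to one request from `ip` arriving at `now` (ms).
  function check(ip, now = Date.now()) {
    let entry = hits.get(ip);
    if (!entry || now >= entry.resetAt) {
      entry = { count: 0, resetAt: now + windowMs }; // start a new fixed window
      hits.set(ip, entry);
    }
    entry.count += 1;
    if (entry.count > max) {
      return { action: "block", delayMs: 0, retryAfterMs: entry.resetAt - now };
    }
    if (entry.count > delayAfter) {
      // request delayAfter+1 waits delayMs, +2 waits 2*delayMs, and so on
      const wait = (entry.count - delayAfter) * delayMs;
      return { action: "delay", delayMs: wait, retryAfterMs: 0 };
    }
    return { action: "pass", delayMs: 0, retryAfterMs: 0 };
  }

  // Drop expired windows so the table itself cannot grow without bound.
  function prune(now = Date.now()) {
    for (const [ip, entry] of hits) {
      if (now >= entry.resetAt) hits.delete(ip);
    }
    return hits.size;
  }

  // Express-style middleware; req.ip is only the real client address when
  // "trust proxy" matches the deployment.
  function middleware(req, res, next) {
    const verdict = check(req.ip);
    if (verdict.action === "block") {
      res.set("Retry-After", String(Math.ceil(verdict.retryAfterMs / 1000)));
      return res.status(429).send("Too many requests");
    }
    if (verdict.action === "delay") return setTimeout(next, verdict.delayMs);
    return next();
  }

  return { check, prune, middleware };
}

// Constructed run: the post's slow-down settings plus an assumed cap of 120.
function demo() {
  const t = createThrottle({ windowMs: 900000, delayAfter: 100, delayMs: 500, max: 120 });
  const seen = [];
  for (let i = 1; i <= 121; i++) seen.push(t.check("203.0.113.7", i));
  const afterWindow = t.check("203.0.113.7", 900001);
  return { r100: seen[99], r101: seen[100], r103: seen[102], r121: seen[120], afterWindow };
}

console.log(demo());
```

Calling prune() on a timer keeps the table bounded when many distinct addresses hit the API once and never return.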

Happy coding, stay healthy.


Heiko.
Heiko Voigt   |   13 March 2020 11:02:25   |    domino-db  node.js  express  middleware    |   Comments [1]

Three exciting days are over - Engage 2020 is already history. And boy it was a fantastic event !

I started out on Monday with a HCL Volt hands-on Workshop at the Best Western Plus Hotel in Arnhem, which helped quite a bit to get a better understanding of the "how-works-what-and-where" of HCL Volt. A big thanks to Martin Lechleiter and Tim Clark for this. The day ended with the HCL Masters Reception at the Hotel bar this evening.


The next morning we went to the Zoo - Transportation was excellent as always at Engage and the location of the event has been fantastic. Theo and Hilde Heselmans have outdone themselves one more time. A meeting center in the rain forest is one of a kind and the location had all that was needed for a successful event. A big thank-you to Theo and Hilde for the perfect organization of the whole event and the hospitality we always enjoy which makes every Engage such a special moment in time.


HCL kicked off the conference with (canned) demos and roadmaps as well as the theme "Evolve" and asked customers and partners to start evolving with them. Interesting times and lots of goodies coming out of HCL:

HCL Connections

  • Integration of MS Sharepoint in 6.5 CR1/CR2
  • Containerization for ICEC
  • Integration with MS O365 to do round-trip editing
  • Sneak Previews and screenshots from V7
  • Connections Mail Plugin is back

Notes V11.0.1

  • SwiftFile will be integrated into the client.
  • From 11.0.1 on, attachments will be rendered by the system's default browser, no longer inside the client
  • Stronger AES keys for Database encryption
  • Setting the background of the workspace via NOTES.INI setting and by policy

Domino V11.0.1

  • Modifications in the DAOS Tier 2 storage option
  • Domino Web Server supports SNI (Server Name Indication)
  • Stronger encryption for Notes IDs using stronger RSA keys automatically
  • Lots of DQL Enhancements, most around performance - see C3UG Video Series featuring John Curtis
  • Deeper integration of AD DirSync: Users created from AD can now be registered in Domino
  • Updated JVMs using OpenJDK

Notes/Domino V12

  • N/D V12 is planned for 1H/21
  • Two-Factor Authentication for Web Apps and NRPC Clients on Domino
  • Auto-Deployment of IDVault - currently deeply missed in the docker environment
  • Hussa! - Let’s Encrypt integration enabled by default
  • TouchID support for MacOS

AppDevPack 1.0.4

  • Support for RichText - 1st incarnation, Read/Write of RT-CD-Records
  • New feature: Running Agents from domino-db including handing over Unique IDs and promise-based agent control (domino.db promise will resolve, when agent is done)
  • Bug fixes

Sametime V11 FP1

  • Persistent Chat on mobile Clients
  • Drag&Drop support for File Transfer
  • Timeframe for FP1: End of March 2020

Sametime Meeting and A/V V11

  • The meeting component for the new Sametime release will come in Q2/2020 with some great enhancements and a much easier way to install

Verse on Premises 2.0

  • VoP will become a PWA (Progressive Web App) - works on all Operating Systems
  • New Calendar implementation
  • More search options using date ranges
  • "Send and File" is back for folder operations
  • Integration with HCL Connections 6.5

HCL Nomad Web

  • Smallest Footprint "Notes" Client using Web Assembly Technology
  • Delivered also as PWA on all operating systems including Linux
  • based on Nomad for Android
  • Public Beta starts soon

HCL Volt

  • public beta of HCL Volt is starting beginning of March 2020
  • License terms to be announced soon

Project Keep

  • Codename for a variety of R&D Projects coming from a team in HCL around Jason Gary, Stefan Wissel and Paul Withers
  • Generic, high performance REST API for Domino data that can be run as a domino independent java component, security based on JWT Tokens and internally based on the Domino JNA API from Karsten Lehmann. Cool stuff !
  • Traversal of LotusScript to TypeScript
  • Several other initiatives around containerizing other domino components that are evolving
  • Currently unclear however if, when and how these components will be available and at what licensing and support terms


So lots of new stuff that came out of HCL and a lot to digest in the next months ahead. Also, I noted the term that Domino/ST V12 are so-called "Wow"-Releases to blow people away. Well, I'm excited to see that !

Besides the HCL stuff, I visited several interesting sessions for more details and I also gave my own one - which was really successful - we had 58 participants and not enough chairs to host them all. Attached, you will find my slide deck.


Image:My Summary from Engage 2020 - plus some advertisment and session slides.
(Me waiting to get started)


Speaking of the term "Evolve" - at Engage, we also announced our latest products - call/mail/message me for interest:


New SIT/Harbour-Light products announced at Engage 2020:

  • IMPRISIS HDR - a generic REST API for HCL Domino based on Node.JS and domino-db
  • IMPRISIS RTA - a RichText REST-API for HCL Domino, including integration in Node.js and XPages using the Froala RichText Editor
  • IMPRISIS SC - a REST-based Search API for HCL Domino Content, external Web Content featuring web components front ends as well as React- and XPages components.
  • IMPRISIS APG - a code generator for NERD (Node/Express/React/Domino) based Applications to be auto-created including IAM Authentication and Domino based front end components in REACT.

Links and Details to follow. That stuff is brand new.


All of these products are building blocks for our application modernization framework for Domino. Let's re-build applications with all the goodies of the FullStack JavaScript world plus the security of domino. And access all of your code to get back control of your assets !

Last but not least, here's the link to my slides from Engage:

https://www.slideshare.net/HeikoVoigt/engage-2020nerdformoveonfromx-pages

Heiko Voigt   |   6 March 2020 14:36:34   |    SIT  NERD  Domino  domino-db  Zoo    |   Comments [0]