In this webinar OpenNTF members will discuss the Domino/Notes 12 features they like and suggest for everyone to check out!
The topics and speakers will be:
Time-based One-time Authentication (TOTP) - Roberto Boccadoro
TOTP allows multi-factor authentication. When users log in to a Domino web server they have to provide a time-based one-time password in addition to their usual name/password. The one-time password is generated by a third-party application such as Google Authenticator, Authy or Duo Mobile on their mobile devices/computers.
Domino OSGI Tasklet Service (DOTS) - Serdar Basegmez
Create Domino server tasks using Java OSGI plugins. These can be scheduled and can interface with the server console using TELL commands.
One Touch Setup for Domino - Roberto Boccadoro
In previous versions of HCL Domino, setting up a Domino server involved multiple steps. Starting with Domino 12, you can use one-touch Domino setup to set up a server in just a single step.
2. AGENDA
• Welcome – Howard Greenberg and Graham Acres
• Time-based One-time Authentication (TOTP)
• Roberto Boccadoro
• One Touch Setup for Domino
• Roberto Boccadoro
• Domino OSGI Tasklet Service (DOTS)
• Serdar Basegmez
• Questions – Everyone
3. ASKING QUESTIONS
• First Question – Will this be recorded?
• Yes, view on YouTube!!!
• https://www.youtube.com/user/OpenNTF
• Use the Questions Pane in GoToWebinar
• We will get to your questions at the end of the webinar
• The speakers will respond to your questions verbally
• (not in the Questions pane)
• Please keep all questions related to the topics that our speakers are discussing!!!
• Unrelated Question => post at:
• http://openntf.slack.com/
4. THANKS TO THE OPENNTF SPONSORS
• HCL made a contribution to help our organization
• Funds these webinars!
• Contests like Hackathons
• Running the organization
• Prominic donates all IT related services
• Cloud Hosting for OpenNTF
• Infrastructure management for HCL Domino and Atlassian Servers
• System Administration for day-to-day operation
5. THIS IS OUR COMMUNITY
• Join us and get involved!
• We are all volunteers
• No effort is too small
• If your idea is bigger than you can do on your own, we can connect you to a team to work on it
• Test or help or modify an existing project
• Write guides or documentation
• Add reviews on projects / stars on Snippets
8. SETTING UP TOTP ON A DOMINO SERVER
Roberto Boccadoro – OpenNTF Contributing Director
ELD Engineering
9. WHAT IS MFA?
Multi-factor authentication (MFA; encompassing two-factor authentication, or 2FA, along with similar terms) is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism: knowledge (something only the user knows), possession (something only the user has), and inherence (something only the user is).
• Something the user knows: certain knowledge only known to the user, such as a password, PIN, TAN, etc.
• Something the user has: any physical object in the possession of the user, such as a security token (USB stick), a bank card, a key, etc.
• Something the user is: some physical characteristic of the user (biometrics), such as a fingerprint, eye iris, voice, typing speed, pattern in key press intervals, etc.
10. MFA IN DOMINO V12
V12 supports MFA out of the box, without the need for third-party solutions.
When users log on to a Domino Web server, you can require that they provide time-based one-time passwords in addition to their user names and passwords.
Time-based one-time password (TOTP) authentication provides an extra layer of security when users authenticate to a Domino Web server.
11. REQUIREMENTS
• A V12 Domino server
• A Vault database upgraded to the V12 idvault.ntf design
• Users must have a TOTP application installed locally on a device or computer. TOTP applications that comply with RFC 6238 are supported, including Google Authenticator, Authy, and Duo Mobile.
12. SETUP
1. Issue a vault trust certificate for TOTP
2. Enable TOTP authentication in the Configuration Settings document
3. Enable TOTP authentication on servers
4. Enable secure mail operations for TOTP (optional)
5. Configure the TOTP login form
6. Restart the vault server to enable TOTP
13. ISSUE A VAULT TRUST CERTIFICATE FOR TOTP
At the console of a vault server, issue the following command:
mfamgmt create trustcert <Notes DN to allow> <certifier ID file> <certifier password>
For example:
mfamgmt create trustcert "*/O=mfatest1" cert.id sr$1ulv7bYT
14. ISSUE A VAULT TRUST CERTIFICATE FOR TOTP
To verify: open the Domino directory on any server in the domain, select the Certificates view, and verify that you see a Multi-Factor Authentication Certificate similar to the following one:
Issue the show idvault command and verify that the output lists the MFA trust for the correct organization (the "trusts ... for MFA" line in the following example):
show idvault
[0FE0:0006-0860] Administration Server: server1/renovations
[0FE0:0006-0860] /renovations trusts this vault
[0FE0:0006-0860] /renovations trusts /renovations for MFA
[0FE0:0006-0860] /renovations trusts renovations admin/renovations to reset passwords
[0FE0:0006-0860] /renovations trusts server1/renovations to reset passwords
[0FE0:0006-0860] Setting renovationsvaultVaultSetting uses this vault
15. ENABLE TOTP AUTHENTICATION IN THE CONFIGURATION SETTINGS DOCUMENT
Edit (or create) a Configuration Settings document.
Click the Security tab.
Complete the following fields in the Multi Factor Authentication section.
16. ENABLE TOTP AUTHENTICATION IN THE CONFIGURATION SETTINGS DOCUMENT
The algorithm used to generate the token: use the default, HMAC-SHA256, unless you find that there are older TOTP applications in your environment that don't support it.
Note: The ID vault server supports downgrading the HMAC algorithm by one level, for example, from HMAC-SHA256 to HMAC-SHA1. Therefore, HCL has kept the default algorithm as HMAC-SHA256 to support TOTP clients like Google Authenticator. Authy and Microsoft Authenticator support HMAC-SHA1 currently and they work against the server enabled for either HMAC-SHA1 or HMAC-SHA256.
17. 3. ENABLE TOTP AUTHENTICATION ON SERVERS
There are 3 different possibilities:
• Enable TOTP authentication for a server through a Server document
• Enable TOTP authentication for a server through a Web Site document
• Enable TOTP authentication for a server through a Virtual Server document
18. 3. ENABLE TOTP AUTHENTICATION ON SERVERS
This is an example of using a Server document.
Open the Server document in the Domino directory.
Select the Internet Protocols > Domino Web Engine tab.
In the Session authentication field, select Single Server or Multiple Server (SSO).
In the Domino Access Services section, select TOTP in the Enabled services field.
TOTP is not supported with Basic authentication or with SAML.
19. 3. ENABLE TOTP AUTHENTICATION ON SERVERS
Select the Ports > Internet Ports tab.
In the Web section, in both Name & password fields, select Yes with TOTP.
20. 4. ENABLING SECURE MAIL OPERATIONS FOR TOTP (OPTIONAL)
You can optionally configure support for secure mail operations (decryption, encryption, signing) for web users with Notes IDs, such as iNotes users.
Note: When you enable this feature, the ability for iNotes users to upload and download their IDs to and from the vault is disabled.
• Open the Security Settings document and click the ID Vault tab.
• In the section TOTP-based ID Downloads, select Yes in the Allow TOTP authentication with the ID vault field.
• To allow web users who do not use TOTP to continue to download their Notes IDs for secure mail operations, select Yes in the Allow password authentication with the ID vault field. To require that all web users use TOTP in order to download their Notes IDs, select No.
• Open the vault database.
• Open the Configuration document.
• In the TOTP authenticated vault login section, specify all of the Domino web mail server names in the Trusted servers field.
21. 5. CONFIGURE THE TOTP LOGIN FORM
Open (or create) the Domino Web Server Configuration database
Important: The name of the database must be DOMCFG.NSF
• Open the Sign In Form Mappings view.
• Click Add Mapping.
• Under Site Information, choose one:
All Web Sites/Entire Server -- to use the custom log-in form for all Web Sites on the server, or for the entire Web server.
Specific Web Sites/Virtual Servers -- to map the custom log-in form to specific Web Site documents or Virtual Servers. If you choose this option, a new field appears, in which you specify the IP addresses of the Web Site documents or Virtual Servers.
• Under Form Mapping, for Target Database specify DOMCFG.NSF and for Target Form, specify $$LoginUserFormMFA.
• Make sure that the -Default- entry in the ACL of DOMCFG.NSF has Reader access with Read public documents enabled.
24. ONE TOUCH SETUP FOR DOMINO V12
Roberto Boccadoro – OpenNTF Contributing Director
ELD Engineering
25. WHAT IS ONE-TOUCH SETUP?
In previous versions of HCL Domino, setting up a Domino server involved multiple steps. Starting with Domino 12, you can use one-touch Domino setup to set up a server in a single step.
You invoke one-touch Domino setup by referring to a JSON file or a set of environment variables that contain the setup configuration information.
Using one-touch Domino setup you can:
• Set up servers
• Set up an ID vault
• Create and update applications and documents and enable and run agents. This feature is available only through JSON file input.
One-touch Domino setup is supported on Domino on Docker, Windows, and UNIX platforms.
26. ENVIRONMENT VARIABLES
This is the easiest way to set up the server, though it is limited compared to the use of a JSON file.
Windows/Linux: run a batch file or a shell script to export the system environment variables needed.
Docker: define the system environment variables for Docker to export in a text file specified by the --env-file parameter.
Windows batch file:
set SERVERSETUP_SERVER_TYPE=first
set SERVERSETUP_SERVER_NAME=adminserver
set SERVERSETUP_SERVER_DOMAINNAME=ACME
set SERVERSETUP_SERVER_TITLE=ACME Administration Server
set SERVERSETUP_NETWORK_HOSTNAME=adminserver.acme.com
set SERVERSETUP_ORG_ORGNAME=sherlock
set SERVERSETUP_ORG_CERTIFIERPASSWORD=passw0rd
set SERVERSETUP_ADMIN_LASTNAME=Sherlock Holmes
set SERVERSETUP_ADMIN_PASSWORD=passw0rd
set SERVERSETUP_ADMIN_IDFILEPATH=C:\domino\adminserver\data\admin.id
Linux shell script:
export SERVERSETUP_SERVER_TYPE=first
export SERVERSETUP_SERVER_NAME=adminserver
export SERVERSETUP_SERVER_DOMAINNAME=ACME
export SERVERSETUP_SERVER_TITLE="ACME Administration Server"
export SERVERSETUP_NETWORK_HOSTNAME=adminserver.acme.com
export SERVERSETUP_ORG_ORGNAME=sherlock
export SERVERSETUP_ORG_CERTIFIERPASSWORD=passw0rd
export SERVERSETUP_ADMIN_LASTNAME="Sherlock Holmes"
export SERVERSETUP_ADMIN_PASSWORD=passw0rd
export SERVERSETUP_ADMIN_IDFILEPATH=admin.id
Docker --env-file text file (excerpt, additional server):
SERVERSETUP_SERVER_TYPE=additional
SERVERSETUP_SERVER_NAME=mailserver1
SERVERSETUP_SERVER_DOMAINNAME=Renovations
SERVERSETUP_SERVER_TITLE=Renovations Mail Server
27. ENVIRONMENT VARIABLES
The list of the environment variables for server setup is available here:
https://help.hcltechsw.com/domino/12.0.0/admin/inst_onetouch_preparing_sysenv.html
If you use system environment variables as input on Unix platforms, make sure that the variable names are in upper case.
If you export system environment variables as input and string values have spaces, enclose the values in quotes in the export command. For example, specify export SERVERSETUP_SERVER_TITLE="ACME Application Server" and not export SERVERSETUP_SERVER_TITLE=ACME Application Server.
28. JSON FILE
Allows more than environment variables:
Creation of an ID Vault
Create and update applications and documents and enable and run agents.
It is a JSON file, so be careful when editing it.
The list of JSON objects and parameters is available here:
https://help.hcltechsw.com/domino/12.0.0/admin/inst_onetouch_preparing_json.html
In the official documentation there are examples of:
Minimal JSON file for first server setup
Minimal JSON file for additional server setup
Full JSON file for first server setup
Full JSON file for additional server setup
JSON file for server setup with an ID vault and application configuration
A great example of a full server setup with all the options, created by Daniel Nashed, is available here:
https://github.com/IBM/domino-docker/blob/master/lab/kubernetes/domino/auto_config_domino12.json
29. INVOKING SETUP ON WINDOWS/LINUX
Environment variables
• Install Domino
• Run the shell script/batch file defined before (see slide 3)
• Run
• C:\HCL\Domino\nserver -autoconf
• /opt/hcl/domino/bin/tools/startup /opt/hcl/domino/notes/latest/linux/server -autoconf
JSON FILE
• Install Domino.
• Run the Domino server program with the -autoconf option specifying the source JSON file.
C:\domino\nserver -autoconf C:\<path>\setup.json
/opt/hcl/domino/bin/server -autoconf <path>setup.json
30. INVOKING SETUP ON WINDOWS/LINUX
Use Daniel Nashed's script:
./install_domino.sh to install Domino
domino setup to invoke One-Touch Setup
domino start to start the server
There are 4 files in the repository:
ENV First server setup
ENV Additional server setup
JSON First server setup
JSON Additional server setup
Run
• domino setup env 1
• domino setup env 2
• domino setup json 1
• domino setup json 2
31. INVOKING SETUP ON DOCKER
Environment variables
• Create a volume to store the Domino data directory. For example, to create a volume called notesdata, run the following Docker command: docker volume create notesdata
• Run the following Docker command to create your container and invoke one-touch Domino Setup to set up and run the server:
docker run -it -v notesdata:/local/notesdata --name adminserver --env-file \local\notesdata\env.txt -p 8585:8585 -p 1352:1352 -p 443:443 domino-docker:V1200 --autoconf
JSON FILE
• Create a volume to store the Domino data directory. See above.
• Run the following Docker command. This command creates a Docker container without yet configuring Domino by making the container entry point a bash shell. The command also exports system environment variables that enable one-touch Domino setup to be invoked in the final step.
docker run -it -v notesdata:/local/notesdata --name adminserver --entrypoint /bin/bash --env SetupAutoConfigure=1 --env SetupAutoConfigureParams=setup.json -p 8585:8585 -p 1352:1352 -p 443:443 domino-docker:V1200
• Copy your source JSON file, for example, setup.json, to /local/notesdata in your container using a docker cp command or other method.
• Run /local/start.sh
35. WHAT IS DOTS?
• DOTS: Domino OSGi Tasklet Services
• Develop and run OSGi level server Tasklets for Domino
• Run background tasks in a lightweight scalable container
• Tasklet: A lightweight server task
• Manual (console commands / socket trigger)
• Scheduled or on server start
• Triggered (Hooks through data events)
• Tooling: Eclipse IDE + OpenNTF XPagesSDK
• Leverage existing OSGi assets
36. HISTORY OF DOTS
• OpenNTF project contributed by IBM
• Named as JAVADDIN project in 2010
• Renamed as OSGi Tasklet Service in 2011
• Added to IBM Domino 9 Social Edition in 2013
• Installed with the OpenSocial add-on
• For internal use (Out of Support)
• Removed in version 10 in 2018
37. DOTS RETURNED TO DOMINO V12!
• Installed with the Core product
• Support: Windows 64 and Linux 64
• Upgraded to Eclipse OSGi 4.6.2 (Neon 2)
38. OVERVIEW OF DOTS
• DOTS task coordinate its tasklets/threads
• Separate JVM and OSGi Container
• Supports multiple profiles
• Virtual containers
• Separate service threads
• Great for scalability
Source: Domino OSGi Tasklet Service (DOTS) Documentation
39. WHEN SHOULD YOU USE DOTS?
• Need Background processing in your application?
• Accessing Domino resources
• Long-running
• Unattended
• Scalable
• High performance
• Great alternative to Java agents
• More compatible
• Much faster / scalable
• Less buggy
40. WHEN SHOULDN’T YOU USE DOTS?
• Expensive for simple tasks
• More time consuming to develop/maintain/deploy
• Steep learning curve
• Java, OSGi, Eclipse, Deployment, etc.
• Attended background tasks
• If not scheduled or not triggered by internal event
• Some form of user interaction
41. DOTS OR JAVA AGENTS?
• Agents are easier to develop
• Easy development/maintenance/deployment
• Well-integrated into Domino Designer
• Wide range of triggers
• Scheduling
• Web/XPages/Notes actions
• High level database events
• Good Security
• Code signing, ACL, etc.
• Runs on Notes client too…
• However, they are not perfect!
42. DOTS OR JAVA AGENTS?
• Java Agents are inherently slow…
43. DOTS OR JAVA AGENTS?
• Java Agents are inherently slow…
> tell amgr run "testXPagescrash.nsf" 'LongJobAgent'
09.11.2012 19:38:39 JVM: Java Virtual Machine initialized.
09.11.2012 19:38:39 AMgr: Start executing agent 'LongJobAgent' in 'testXPagescrash.nsf'
09.11.2012 19:38:39 Agent Manager: Agent printing: 181349
09.11.2012 19:41:02 Agent Manager: Agent printing: 2227
09.11.2012 19:41:02 Agent Manager: Agent printing: Finished in 143 secs... -
09.11.2012 19:41:02 AMgr: Agent 'LongJobAgent' in 'testXPagescrash.nsf' completed execution
> load dots
> Listening for transport dt_socket at address: 8001
09.11.2012 19:42:40 Domino OSGi Tasklet Container started ( profile DOTS )
> 181349
> 2227
09.11.2012 19:43:22 [DOTS] (annotated) Finished in 41 secs...
[Diagram: Java Agent: AMGR launches a thread → JVM initializes → prepare Java and JNI interfaces → load agent bytecode → Run! DOTS tasklet: everything is ready to run.]
44. DOTS OR JAVA AGENTS?
• Java Agents are inherently slow…
• Old and Buggy
• Incompatible with many modern libraries
• Design limitations (SSL, reflection, etc)
• Buggy behaviours (Memory leak in JAR files)
• Java Agents are not scalable
• A resource-intensive agent can block other agents
45. DOTS OR XOTS?
• XOTS might be a feasible alternative…
• “DOTS tasklets within XPages” (credits to Paul Withers)
• Part of the OpenNTF Domino API
• Differences:
• XOTS: Shares context and code base with XPages apps
• Developed as Java classes right in the DDE
• Utilises all functionalities of ODA (logging, auto-recycling, etc.)
• Disadvantages
• Shares the same resources with XPages apps.
• XOTS is a community-driven effort
47. FEEDMONSTER
• DOTS module in OpenNTF Collaboration Today
• Problem:
• Curators adding news stories manually
• Find the news story
• Adjust title, summary, etc.
• Publish
• Manual import is a time consuming process
• Curator might save huge time if some blog posts were
imported automatically!
48. FEEDMONSTER
• DOTS module designed to pre-fetch new blog posts
[Diagram: Blog Feeds (Feed URL #1, Feed URL #2, …, Feed URL #N) → Feed Monster → Queue Documents; operations shown: Scheduled Fetch, Manual Fetch, Scheduled Queue Refresh, Manual Queue Refresh, Domino Console Commands.]
50. E-MAIL MARKETING INTEGRATION
• A customer case
• CRM, Sales and Marketing Automation apps
• Notes Client apps
• Multiple facilities, multiple Domino servers
• Campaign and Newsletter e-mails
• A third party E-mail Marketing service
• Upload CSV file to a secure FTP (SCP) server
• All uploads are transient.
51. E-MAIL MARKETING INTEGRATION
• Tasklet can handle long-running upload process
• Watching queue every minute
• Very small footprint for queue monitoring
• Reuse Java code already developed before
[Diagram: A user builds a target query for the campaign, or predefined target lists are used for newsletters; each becomes an entry in the UploadJob Queue (Upload Job #1, Upload Job #2, …, Upload Job #N). The DOTS tasklet (scheduled / manual) then: fetch next UploadJob → run query → convert to CSV file → compress → upload to SCP server.]
53. HOW TO START? - UPGRADERS
• Update to Eclipse 4.6.2 or later
• Recompile your plugins
• Upgrade to Domino v12
• Removes existing DOTS plugins
• Resets everything
54. HOW TO START? - NEWBIES
• Eclipse IDE is needed for development
• Minimum Eclipse 4.6.2 (Neon 2)
• Designer might be used with a few unsupported settings.
• “Unsupported” means “exciting” (like bungee jumping)
• Install the latest OpenNTF XPagesSDK for testing/debugging
• Local Domino Server for development is recommended
• File-level access between Eclipse and Domino is needed
• For Mac users, Linux/Windows VM works well
• Development setup is easy.
• DOTS documentation by HCL
• BP207 slides from IBM Connect 2013
• Notesin9 - Episode 93: Introduction to DOTS
56. QUESTIONS?
Use the GoToWebinar Questions Pane
Please keep all questions related to the
topics that our speakers are discussing!!!
Unrelated Question => post at:
http://openntf.slack.com/