Domino/Notes 9.0 upgrade to take advantage of NFL, WFL and CORS technologies

Domino/Notes 9.0 upgrade to
take advantage of NFL,WFL and
CORS technologies
Andrew Luder | Director/Developer | NotesTools Pty Ltd
notestools.com.au

June 11th & 12th, Melbourne, AustraliaMeet.Share.Learn.Connect @AusLUG #@Inform2015
About Me
• Started my business NotesTools Pty Ltd 5 years ago initially providing formal
business support to OpenNTF project “DominoDefrag”. Have expanded
business to provide wider range of products and services.
• IBM R8.5 Certified Application Developer with over 15 years experience in
providing Lotus Domino/Notes/Sametime infrastructure and application
development services to Australian government primarily:
– Department of Defence (DOD)
– Department of Health, Therapeutic Goods Administration (TGA).
• Just completed a R901 Domino and Notes upgrade project @ TGA.
• Many years experience in providing open source solutions such as
"DominoDefrag“ (2009) and "R5 Database Manager“ (2004) to the Lotus Notes
community
• I was given public recognition in May 2010 with "DominoDefrag“, where it was
honored by OpenNTF as project of the month and then Bruce Elgort / Nicklas
Heidloff later presented it at Lotusphere 2011 in Orlando as a featured project.

Presentation Coverage
• My experience from a 6 month project @ TGA to upgrade all infrastructure to
Domino/Notes 9.0.1 to extend the life of its Domino web and Notes application
environment by providing Single Sign On (SSO) and data sharing capabilities.
Briefly cover:
– Background
– Business and Technology Goals
– Terminology and Infrastructure
• Fill in the knowledge gaps when implementing technologies such as:
– Microsoft's Active Directory Federation Services (ADFS)
– Notes Federated Login (NFL)
– Web Federated Login (WFL) – only Web SAML SSO
– Cross Origin Resource Sharing (CORS)
– Providing Domino web services to other consumers such as Microsoft Dynamics
Customer Relationship Management System (CRM)
– Securely consume Internet Information Services (IIS) web services with Domino
Java Agents

Background
• Over the past decade most Commonwealth departments and agencies have
moved their mail from Domino to Exchange not considering impact on existing
Domino business apps.
• A lot of money has been wasted in attempts to get business apps across to
SharePoint / ?.NET cause a migration tool or external auditor said so…
• Most Commonwealth work places still have their business apps running off
v6.5/7.0/8.0/8.5 Domino infrastructure and thankfully Domino just works when
that next Windows upgrade comes round!
• TGA was one of the last Domino mail places migrated to Exchange last year
and the quick “one-size fits all” Microsoft approach would NOT work because
our revenue is generated from public Domino web and internal Notes client
business apps…
• So given Government spending constraints and the need to ensure business
continuity to keep generating money there’s not much room to reinvent the
wheel. So how do you leverage your existing Domino apps???

Business Goals
• Provide a new customer TGA Business Services (TBS) Microsoft dashboard
portal to compliment existing eBusiness Services (eBS) Domino work portal
• Keep existing Domino business applications
• Provide employees with one set of authentication credentials (Internal users)
• Provide customers with one set of authentication credentials (DMZ users)
• Ensure Commonwealth password complexity rules
• Stream line customer account management and directories
• Share data seamlessly between Domino and Microsoft systems
• Share code between Domino and Microsoft systems

Technology Goals
• Upgrade Domino and Notes environments to R901 to support Single Sign On
(SSO) capabilities using Microsoft Active Directory Federation Services (ADFS)
on Windows 2012 R2.
• Implement Notes Federated Login (NFL) for the Notes 901 client using ADFS
and Integrated Windows Authentication (IAW) / SPNEGO.
• Implement Web Federated Login (WFL) for Domino 901 web site using ADFS
SAML Web SSO
• Implement Domino web Cross-Origin Resource Sharing (CORS) solution using
IBM HTTP stack and ADFS SAML Web SSO.
• Implement internal web services for data exchange between Domino and
Microsoft systems using IAW / SPNEGO.
• Implement external Domino java agents for secure data exchange with internal
Microsoft web services.
• Implement Team Foundation Server (TFS) solution to branch manage code in
Domino XML (DXL) and share code with all developers easily
• Move customer account management functionality from Domino into CRM

Terminology Acronyms
• ADFS - Active Directory Federation Services
• CORS – Cross Origin Resource Sharing
• IdP – Identity Provider
• IWA – Integrated Windows Authentication (uses SPNEGO)
• NFL – Notes Federated Login
• WFL – Web Federated Login (only use SAML Web SSO)
• SAML - Security Assertion Markup Language
• SP – Service Provider
• SPNEGO – Simple and Protected GSSAPI Negotiation Mechanism
• TLS – Transport Layer Security
Some terms explained through presentation, but I aim to fill in the gaps from what I
experienced wasn’t available from the standard materials.

Terms - Active Directory Federation Services (ADFS)
• Active Directory Federation Services (ADFS) is a software component
developed by Microsoft that can be installed on Windows Server operating
systems to provide users with single sign-on access to systems and
applications located across organisational boundaries. It uses a claims-based
access control authorisation model to maintain application security and
implement federated identity.
• In ADFS, identity federation is established between two organisations by
establishing trust between two security realms. A federation server on one side
(the Accounts side) authenticates the user through the standard means
in Active Directory Domain Services and then issues a token containing a series
of claims about the user, including its identity.
Source: http://en.wikipedia.org/wiki/Active_Directory_Federation_Services
• Domino v9.0.1 supports ADFS as an Identity Provider (IdP).
• The Windows 2012 R2 ADFS service (v3.0) provides support for the SAML 2.0
protocol. TGA has also customized its ADFS service login page to look like…..

Terms – ADFS - TBS Login Page for AD credentials

Terms - Security Assertion Markup Language (SAML)
• Security Assertion Markup Language (SAML) is an XML-based, open-standard
data format for exchanging authentication and authorisation data between
parties, in particular, between an identity provider and a service provider. SAML
is a product of the OASIS Security Services Technical Committee. SAML dates
from 2001; the most recent major update of SAML was published in 2005, but
protocol enhancements have steadily been added through additional, optional
standards. The single most important requirement that SAML addresses is web
browser single sign-on (SSO).
Source: http://en.wikipedia.org/wiki/Security_Assertion_Markup_Language
• Domino v9.0.1 supports the secure SAML 2.0 protocol version.

Terms – Cross Origin Resource Sharing (CORS)
• Cross-origin resource sharing (CORS) is a mechanism that allows many
resources (e.g., fonts, JavaScript, etc.) on a web page to be requested from
another domain outside the domain from which the resource originated. In
particular, JavaScript’s AJAX calls can use the XMLHttpRequest mechanism.
• Such “cross-domain” requests would otherwise be forbidden by web browsers,
per the same-origin security policy. CORS defines a way in which the browser
and the server can interact to determine whether or not to allow the cross-origin
request. It is more useful than only allowing same-origin requests, but it is more
secure than simply allowing all such cross-origin requests.
Source: http://en.wikipedia.org/wiki/Cross-origin_resource_sharing
• TGA has implemented a secure CORS solution where through a web browser
the TBS site makes “cross-domain” requests to the eBS site to obtain JSON
data. This is done seamlessly using the client’s ADFS Login credentials.

Infrastructure - SAML Federated Identity Architecture
• SAML Identity Provider (IdP) .
– ADFS 3.0 service creating the SAML 2.0 assertion
• Service Provider (SP).
– Domino 9.0.x service processing the SAML 2.0 assertion
• Clients used for accessing services.
– Web Browser / Notes 9.0.x standard client embedded browser

Infrastructure - TGA Internal and DMZ Domains
• Domino & Notes 9.0.x resources authenticate using ADFS services inside new
Windows 2012 R2 Internal and DMZ Active Directory domains. There is one
domain in each forest.
• Notes Federated Login (NFL) and Integrated Windows Authentication (IAW) -
SPNEGO authentication used for Notes client and Domino web service
technologies in the Internal AD Domain.
• Web Federated Login (WFL - ADFS SAML SSO) used for Cross Origin
Resource Sharing (CORS) between the Domino and ASP.NET web sites and
client browser access to them.
• DMZ Domino Java agents securely consume internal IIS restful web services

Infrastructure - TGA Internal ADFS & Domino
• Upgraded Domino & Notes 9.0.x Windows 2008 R2 domain resources
authenticate using new Windows 2012 R2 domain ADFS services by way of
two-way transitive trusts between these AD forests.

Infrastructure - TGA DMZ ADFS & Domino
• Upgraded Domino 9.0.x server and ADFS web service are in the DMZ Windows
2012 R2 AD domain and use the same security token service (STS) which in
this case is ADFS v3.0.
• Each web site has a separate relying party (RP) configured within ADFS, one
configured with the use of WS-Fed (Business Portal) https://business.tga.gov.au
and one configured to use SAML 2.0 (eBS Domino) https://www.ebs.tga.gov.au
Authenticated Public
Users
Active
Directory
External Users
Business Portal eBS Domino
SAML 2.0
HTTPS
AD FS 3.0
Business Relying
Party
eBS Relying Party
WS-Fed

Notes Federated Login (NFL)
• Notes Federated Login (NFL) is a federated-identity authentication process that
uses using the Security Assertion Markup Language (SAML) standard to relieve
Notes client users of the need to enter a Notes password.
• Users' IDs must be stored in an ID vault whose Domino server is configured
with host names for identity provider (IdP) partnership with Microsoft’s Active
Directory Federation Services (ADFS). Notes client users' ID file contents are
stored in memory on the client after being downloaded from the ID vault.
• Good reference materials are:
– Andy Pedisich/Rob Axelrod - “Connect 2014 SSO Materials” (‘show100.ppt’)
http://www.andypedisich.com/blogs/andysblog.nsf/dx/connect2014resources.htm
– Jane Marcus -“Intro to Notes Federated Login (SAML)” (26 Mar 14) http://www-
01.ibm.com/support/docview.wss?uid=swg27041524
– Gabriella Davis - “A Technical Guide To Deploying Single Sign On” (26 May 14)
http://www.slideshare.net/gabturtle/sso-tech
– Walter Tobin - "Security Assertion Markup Language (SAML) NFL“ (27Aug13) http://www-
10.lotus.com/ldd/dominowiki.nsf/dx/Security_Assertion_Markup_Language_lprSAMLrpr_Notes
_Federated_Login

NFL - Process Diagram
Source: Jane Marcus presentation

NFL - ADFS - Installation on member server
• Install the ADFS service on a member server. When I installed on a domain
controller I had lots of intermittent problems getting the ADFS service to
consistently start. Found the best places for services in a small environment
were:
– Domain controller -> Certificate Services, Domain Services and Domain Name
Services (DNS).
– Member server -> ADFS and IIS.

NFL- ADFS - Site name in DNS
• Create the ADFS web site name as a host name (A) record and not a CNAME
is DNS. I could not get NFL to work using a CNAME.

NFL - ADFS - Create Domino Friendly Certificate Template
• The ADFS service certificate needs to be created with a modified Windows
2012 R2 CA certificate template including the “Signature of proof of origin
(nonrepudiation)” Key Usage extension. Otherwise, certificate will not import
into the Domino Directory for cross certification with the ID Vault certificate.

NFL – ADFS - Certificate Permission
• Ensure the ADFS service account has full control to the ADFS service
certificate otherwise will not run properly.

NFL – ADFS - Extended Protection PowerShell
• Extended Protection needs to be turned off through PowerShell so Integrated
Windows Authentication (IWA) works. This is on by default to prevent “man-in-
the-middle” (MITM) attacks, but is low risk in internal networks and needs to be
off for IWA to work. Use PowerShell command:
– Set-ADFSProperties –ExtendedProtectionTokenCheck None
• Restart the ADFS service

NFL – ADFS - Supported User Agents PowerShell
• Add “Mozilla/5.0” to the list of Supported User Agents in PowerShell. This is
what the internal Notes 9.0.1 standard client browser engine identifies itself as
to ADFS. Use PowerShell commands:
– Set-AdfsProperties -WIASupportedUserAgents("Mozilla/5.0","MSIE 6.0", "MSIE
7.0", "MSIE 8.0", "MSIE 9.0", "MSIE 10.0", "MSIE 11.0","Trident/7.0", "MSIPC",
"Windows Rights Management Client")
– Get-ADFSProperties | Select -ExpandProperty WIASupportedUserAgents

NFL – Domino - ID Vault and IDP Cat Names
• ID Vault config name needs to match IDP catalogue name. An ID Vault name
such as “vault.home.net.local” does not need to be DNS resolvable and the
vault Domino server not need the HTTP task running.

NFL – Domino - Explicit Policy for Notes 9 Users
• Create Explicit ADFS policy rather than Organisational (found easier to manage
if was Citrix user)

NFL - Domino - Push cross-certificates using security policy
• Use security policy to push the ID vault user creation certificate and ADFS
cross-certificate to Notes 9.0.1 client.
• Do not use the ‘Deploy.nsf’ technique mentioned in some NFL presentations. I
have not managed to get it to work properly yet and raised a PMR.

NFL-Domino - Compliment with Notes Shared Login (NSL)
• Define NFL in combination with Notes Shared Login (NSL) in security policy to
allow ID Vault off-line Notes client use. NSL does not work with Citrix users.
• Go to the “Notes Shared Login” tab and then make sure following values set:
– Enable Notes shared login with operating system: "Yes"
– How to apply this setting: "Set value whenever modified"

NFL – Domino - Federated Logon security policy settings
• Go to the “Federated Login” tab and then make sure following values set:
– Enable Notes Federated login with SAML IdP: "Yes"
– How to notify users when enabled : "System dialog"

NFL – Domino - ID Vault security policy settings
• Go to the “ID Vault” tab, make sure following values set:
– Allow Notes-based programs to use the Notes ID Vault: "Yes"
– Allow automatic ID downloads: "Yes"

NFL – Domino - ID Vault Password Reset Authority
• Make sure Password Reset Authority Notes administrators / helpdesk users
defined so can reset user passwords in ID Vault

NFL – Notes – Do NOT install AD Sync service
• Do not install the Notes Single Login Feature (old Notes AD synchronization
service) as not compatible with either NFL or NSL

NFL – Notes - C:ProgramDataIBMNotesDatanotes.ini
• The Notes 9 standard client multi-user Notes INI should at least contain the
following settings:
[Notes]
KitType=1
SharedDataDirectory=C:ProgramDataIBMNotesDataShared
InstallType=6
InstallMode=1
NotesProgram=c:Program Files (x86)IBMNotes
ConfigFile=C:ProgramDataIBMNotesconfig.txt

NFL – Notes - C:ProgramDataIBMNotesconfig.txt
• The Notes 9.0.x standard client multi-user config file should at least contain the
following settings:
UserName=%USERNAME%
Domino.Name=THUNDERSTRUCK/ACDC
Domino.Server=1
Domino.Port=TCP/IP
AdditionalServices=-1
• Notes Federated Login user can't use common name to set up Notes client
when ‘deploy.nsf’ is used. Believe this extends to my use of %Username% too
and have raised PMR.
Related technote: http://www-01.ibm.com/support/docview.wss?uid=swg21628894

NFL – Notes - User Creation
• Create Notes users as roaming, with ID in vault and assign an Explicit Notes 9
ADFS policy.
• For Notes initial setup to work using NFL ensure the Domino Directory person
document created with:
– The “ShortName” field value matching AD common name value from
%USERNAME% in the config file
– The “InternetAddress” field value matches the AD user object mail attribute value

NFL – Notes - Multi-user setup process
• The initial client setup process requires for each computer:
1. Initial ID vault default password interaction with user
2. NFL downloads user.ID from vault once with messages
3. NSL is applied to user.ID in the
C:Users%username%AppDataLocalIBMNotesData folder with status bar
message notifying applied and on restart no password required

NFL – Notes - Client quick fix process for helpdesk
• The Notes standard 9.0.x client quick fix process for helpdesk:
– To set default password in ID vault for user (if not password)
– Simply remove “C:Users%username%AppDataLocalIBMNotesData” folder and
let rebuild

Web Federated Login (WFL) - SAML Web SSO
• Web Federated Login (WFL) - SAML Web SSO is a federated-identity
authentication process that uses the SAML standard to relieve Domino web
client users of the need to enter a HTTP password.
• The Domino service provider (SP) is configured in partnership with the ADFS
identity provider (IdP) to ensure clients only require an Active Directory (AD)
user name and password to access Domino web resources.
• Good material references are:
– Andy Pedisich/Rob Axelrod “Connect 2014 SSO Materials” (‘show100.ppt’)
http://www.andypedisich.com/blogs/andysblog.nsf/dx/connect2014resources.htm
– Yvonne Devlin – “Web Federated Login (SAML) with iNotes & IAW” (21 May 14)
http://www-01.ibm.com/support/docview.wss?uid=swg27041552

WFL- SAML Web SSO Process Diagram
Source: Yvonne Devline presentation

WFL – SHA-256 Certificate Purchase
• Purchase SHA-256 (typically RSA) issued certificates from vendor such as Verisign for
public facing ADFS, IIS and Domino web service sites. SHA-1 has limited life till end of
2016.

WFL – SHA-256 Certificate Domino Configuration
• Configure SHA-256 certificates with either Domino 9.01 FP3 IF2 or IBM HTTP Server to
use TLS 1.2 with FIPS140-2 support (turns off RC4 ciphers) to mitigate vulnerabilities
such as POODLE (which stands for "Padding Oracle On Downgraded Legacy
Encryption")
• In the Domino service IBM HTTP Apache ‘domino.config’ file add the following:
Listen 0.0.0.0:443
## IPv6 support:
#Listen [::]:443
<VirtualHost x.x.x.x:443>
ServerName ASP.NET website FQDN
SSLEnable
## Simply turn off RC4 ciphers by enabling FIPS140-2 support ... http://www-01.ibm.com/support/docview.wss?uid=swg21701072
SSLFIPSEnable
SSLProtocolDisable SSLv2 SSLv3 TLSv10 TLSv11
# Enable strict CBC padding
SSLAttributeSet 471 1

WFL – SHA-256 Certificate Test
• Go to https://www.ssllabs.com/ssltest to test website SHA-256 certificates and
configuration. Better chance of getting A+/-

WFL – Another Useful Claim Rule Attribute
• Commonly the AD user object Mail attribute (E-Mail-Addresses) is used as the
LDAP attribute to map to the Domino Directory person document
InternetAddress (Name ID) when creating a Claim Rule for a Relying Trust
Party with Domino in ADFS.
• Another useful LDAP attribute to use in Claim Rules is the User-Principal-Name
(UPN) for uniquely identifying users. E.g. AD UPN = andrew.luder@addomain

WFL – Single Log Out ADFS SSOLifeTime PowerShell
• With the introduction of the ADFS SAML SSO session the concept of the old
Domino 30 minutes idle session time is now defunct. Also to “logout” properly
prior requires the browser closed as Domino 9.0.x currently does not support
single logout for ADFS SAML 2.0.
• The life time of the SAML session token ADFS issues to Domino has a hard
set limit of 480 minutes specified by the SSOLifeTime property. The PowerShell
command: Set-AdfsProperties –SSOLifeTime x sets this

WFL – Single Log Out Domino SAML Session
• Given the ADFS SSOLifeTime 480 minute limit, it was pointless to have Domino
set to 30 mins as this was upsetting functionality of XPage web applications
particularly freezing sometimes after 30 mins of activity or idleness.
• Ensure Domino SAML single server session expiration matches ADFS
SSOLifeTime default of 480 mins

WFL – Single Log Out ADFS & Domino Time Differences
• In practice both the ADFS 3.x and Domino 9.x services should be using the
same time servers. As a rule to ensure Domino can deal with a session time
difference use the following SAML Notes INI parameters:
– SAML_NotOnOrAfterSkewInMinutes=10
– SAML_NotBeforeSkewInMinutes=10
• This will ensure Domino can handle ADFS time variations of 10 minutes either
way to the 8 hours given to Domino session cookies

Cross Origin Resource Sharing (CORS)
• CORS aims to have two websites (sites, pages, APIs etc.) agree on what kind
of resources and types of requests one website will provide to another. Both
must agree exactly on what is being shared and how.
• There’s a few parties who need to participate to enable CORS – the two parties
involved, of course, and the user’s browser. Both sites need to request and
respond to each other in an expected manner, and browsers need to be aware
of, and in some cases make special requests to ensure CORS works correctly.
• In essence, what happens is that both websites agree on how resources will be
shared. The requesting site must be known as an “allowed origin” by the site
providing the resources. The response also must contain headers which
contain scope for acceptable resource sharing, e.g. naming allowable methods
(e.g. GET, PUT) and whether credentials are supported. Browsers themselves
are the last key – they must respect the restrictions established by the
requesting site and the resource site.
Source: http://sanderstechnology.com/2014/getting-to-know-cross-origin-resource-
sharing-cors

CORS – TGA Background Part 1
• In the early stages of the development and deployment of the ASP.NET
Business Portal, as most of the data associated with external users resided
within the existing Domino 9.0.x web application (eBusinessServices – eBS),
there was an early need to be able to consume Domino as a data provider.
• Under the claims-based design approach, both the new Business Portal and the
eBS Domino web sites had the ability to authenticate external users to produce
SAML or WS-Fed claims. In theory, one site could make HTTPS requests
across the domain, as the sites would exist within the same domain.

CORS – TGA Background Part 2
• This introduced a need to support CORS (modern web browsers support) to get
menu, news and application JSON data from the eBS Domino 9.0.x web site
across to the new ASP.NET Business portal.

CORS – TGA Problem Domain
• The initial problem was getting an ASP.NET based web site, using Windows
Identity Framework (WIF) and WS-Federation to be able to make a valid
HTTPS GET request of the existing Domino 9.x web site, which uses SAML 2.0
claims.
• Domino provides JSON responses to requests to views which it defines and
hosts. In theory, a valid request should produce a response containing the
requested data in JSON format.
• The “single sign on” approach, whereby a user could authenticate to both
existing and new web sites with a single set of credentials, and only be
prompted once per session was working.
• Require to use SAML Web SSO authenticated CORS. Only evidence of
successful Domino/IBM HTTP stack CORS usage is anonymous data
exchange. NO Pre-flight request required when anonymous.
– E.g. Header always set Access-Control-Allow-Origin “*”

CORS – TGA Errors and Pre-flight Issues
• The first time a cross-site request was made (and subsequent attempts) the
browser JavaScript console logged the following error:
XMLHttpRequest cannot load
https://<DOMINO_SERVER>/.....nsf/?ReadViewEntries&outputformat=json... The
request was redirected to
'https://<ADFS_SERVER>/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=https://
://<ASP.NET_SERVER>', which is disallowed for cross-origin requests that require
preflight.
• With the following failed pre-flight information recorded against the network
traffic…

CORS – So what’s a Pre-flight Request?
• In some cases, a browser might make a special type of request known as an
OPTIONS request, which is sort of like an initial handshake before performing
the actual request specified (e.g. a GET request).
• In essence, an OPTIONS request attempts to determine what supported
methods and other information is available from a resource sharing server. In
browser terms, this is known as a “pre-flight” request and is often attempted
automatically by the browser.
• The first time a cross-site request might fail (and in subsequent attempts) the
browser’s JavaScript console might log something similar to the following error:
XMLHttpRequest cannot load
https://<DOMINO_SERVER>/.nsf?ReadViewEntries&outputformat=json. The request
was redirected to ‘https://<ASP.NET_SERVER>’, which is disallowed for cross-origin
requests that require preflight.
Source: http://sanderstechnology.com/2014/getting-to-know-cross-origin-resource-
sharing-cors

CORS – Domino Pre-flight solution parameters
• The solution was to solve the CORS pre-flight issue which was preventing
successful cross-site OPTIONS request prior to the GET request.
• Domino needed the ability to respond to an anonymous HTTP OPTIONS
request with a HTTP status code of 200 in order for pre-flight to succeed, in
accordance with the W3C preflight-request standard
https://dvcs.w3.org/hg/cors/raw-file/tip/Overview.html#preflight-request

CORS – Domino Pre-flight IBM HTTP Apache solution
• The solution was to get the Domino 9.0.x IBM HTTP Apache stack to respond
with a 200 SUCCESS on every OPTIONS request from the ASP.NET site.
• This meant loading the rewrite module in the ‘Domino.config” file by
uncommenting:
LoadModule rewrite_module modules/mod_rewrite.so
• Adding following lines to the 443 virtual host section in the ‘Domino.config’ file:
#CORS Support Start – Response Headers
Header always set Access-Control-Allow-Origin "https://<ASP.NET_SERVER>"
Header always set Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type,
Accept,Access-Control-Request-Headers,Access-Control-Allow-Methods,Access-Control-Allow-Origin,Access-
Control-Allow-Credentials"
Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT, HEAD"
Header always Set Access-Control-Allow-Credentials "true"
# Added a rewrite to respond with a 200 SUCCESS on every OPTIONS request
RewriteEngine On
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule ^(.*)$ $1 [R=200,L]
#CORS Support End

CORS – Client / Query Request Chrome Results
• Once Domino 9.0.x was configured to respond with a Status of 200 for
OPTIONS requests, CORS began to work as expected. The validation of
claims, however, seemed to only work with Chrome when using a simple AJAX
JavaScript query like below:
var DominoQuery = function()
{
var url = 'https://<Domino_Server>/.nsf?ReadViewEntries&outputformat=json….';
$.ajax(url, {
type: "GET",
contentType: "application/json; charset=utf-8",
success: function(data, status, xhr) {
alert(data);
},
xhrFields: {
withCredentials: true
},
crossDomain: true
});
}

CORS – Client / Query Request Other Browser Results
• In Internet Explorer 11 and Firefox 30 another solution was to explicitly
authenticate to Domino by programmatically creating an iFrame and having the
user authenticate first before making a query. This approach worked when
using a little more complicated JavaScript XMLHttpRequest.
• See http://caniuse.com/#feat=cors below for CORS browser support

CORS – Completed Business Portal
• Successfully used CORS and WFL (Domino Web SSO) to get menu, news and
application JSON data from Domino 9.0.x for the new ASP.NET Business portal

CORS – Domino IBM HTTP Apache Future
• IBM plans to remove support for IBM HTTP Server (IHS) in a future Domino
maintenance release now that native Domino TLS 1.2 functionality has been
added to the product. IBM HTTP Server proved a good solution for Domino
customers who needed better security functionality over the native Domino
HTTP protocol on a Windows server platform. However, that solution is limited
in scope since it covers only HTTPS and Windows.
Source http://www-01.ibm.com/support/docview.wss?uid=swg21697303
• TGA will use keep using the Domino 9.0.1 IBM HTTP stack for CORS capability
for foreseeable future. Alternative proxy server solution may be considered.

Web Services – Consumer Domino 9.0.x Java Setup
• During the TGA upgrade project some DMZ Domino client agents were
developed in Java to securely (use HTTPS) consume internal IIS web services
for AD account creation.
• Domino needed IIS root CA X509 public key of the IIS site certificate installed in
its Java key store CACERTS file using iKeyMan utility.

Web Services – Consumer Domino 9.0.x Java Experience
• Domino 9.0.x uses a slightly older edition of Java (v1.6) which does not support
a HTTPS TLS feature called ‘Server Name Indicator’ (SNI). As IIS server hosts
multiple websites (all with own HTTPS bindings and services), Domino is not
able to complete a TLS handshake successfully and receives an incorrect
certificate resulting in a Domino console “host name does not match” error
when the Java service consumer agent runs.
• The solution is to use a wildcard certificate as the default site HTTPS binding on
the internal IIS web server, “Require Server Name Indication” unticked and the
“Host name” field left blank resulting in Domino consumer Java agent client flow
below.

Web Services – Consumer Domino 9.0.x Java Patching
• Use a “DominoJVMLibSecurityjava.pol” file to cover different security
requirements for running Java agents to the standard “java.policy”. See
technote https://www-304.ibm.com/support/docview.wss?uid=swg21679242 .
• Back up “DominoJVMLibSecuritycacerts” key store and “java.policy” files
prior to patching as can get lost. Copy back in after patching activity such as
below. See blog http://linqed.eu/2014/06/25/considering-a-domino-upgrade-
beware-of-custom-java-security-policies/

Web Services – Provider Domino 9.0.x Setup
• During the TGA upgrade project some internal web services providers were
developed in Domino to be consumed by Microsoft Dynamics Customer
Relationship Management System (CRM) so it could update corresponding
documents in Domino Directory after its own account updates.
• Internal Domino 9.0.x servers were set up to use SPNEGO SSO for HTTP
authentication such that CRM would use its AD service account to seamlessly
communicate with Domino. The CRM service account needs to by identified in
the Domino Directory and only requires Reader access to the database where
the Service Providers reside.

Web Services – Provider Domino 9.0.x Experience
• Found the Domino Notes INI Setting
WIDE_SEARCH_FOR_KERBEROS_NAMES=1 caused lots of problems for
CRM when it and the service account "svc_crm@ADDOMAIN" was specified in
person document Kerberos field under the Administration tab. Just used
ShortName with this setting off and works fine.
• Ensure “HTTP persistent connections” set to Disabled in server document.
When enabled CRM would hang consuming Domino services.

Code Management - Team Foundation Server (TFS)
• Quick mention! To share code in the TGA project team and branch manage
code properly it was required for the developers to:
– Export each Domino database into a corresponding On-Disk Project (ODP) in
Domino XML (DXL) format using the Domino Designer 9.0.x Source Control
functionality. Also used AGECOM DXL Import / Export utilities to assist. See
https://www.agecom.com.au/
– Branch manage ODP in TFS 2013 using Microsoft Team Explorer Everywhere
Eclipse Plugin @ http://www.microsoft.com/en-au/download/details.aspx?id=40785

Questions?
• ?????

Domino/Notes 9.0 upgrade to take advantage of NFL, WFL and CORS technologies

More Related Content

What's hot

Similar to Domino/Notes 9.0 upgrade to take advantage of NFL, WFL and CORS technologies

Recently uploaded

Domino/Notes 9.0 upgrade to take advantage of NFL, WFL and CORS technologies