Domino One Touch Setup (OTS) domain join token
Daniel Nashed – 11 May 2025 22:56:47
Many applications support a "join token". For example, Kubernetes creates a join token that contains the connection to the existing cluster and also the authentication needed to join the cluster.
With Domino OTS we can actually implement something very similar.
If you have an existing server, you can create an OTS JSON file pointing to the existing domain and server.
The only part that is missing is some kind of authentication.
We actually have this type of authentication: the server.id. But it would be a separate file.
So here is the idea:
- We can encode the server.id in base64 and include it in the JSON.
- The container entrypoint.sh script decodes it, stores it on disk and patches the JSON file.
The format looks like this and matches other OTS functionality like the password prompts.
Example:
"IDFilePath":"@Base64:AQABAC4BAAAAAAAA4..."
With this type of join token we have a single file to pass to your additional server.
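The decode-and-patch step described above, shown as an added Python example (not the container project's entrypoint.sh code). The function names, the owner-only file mode and the recursive search for `IDFilePath` anywhere in the JSON are assumptions of this example.

```python
import base64
import json
import os
import tempfile

PREFIX = "@Base64:"  # marker syntax from the post


def write_id(b64_text, id_path):
    # validate=True rejects non-alphabet characters instead of silently skipping them
    raw = base64.b64decode(b64_text, validate=True)
    if not raw:
        raise ValueError("empty ID payload")
    # The ID file is a credential: create it owner-only (0600)
    fd = os.open(id_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        os.fchmod(f.fileno(), 0o600)  # also tighten a pre-existing file
        f.write(raw)


def patch_node(node, id_path):
    """Recursively replace IDFilePath '@Base64:' values; return the number patched."""
    count = 0
    if isinstance(node, dict):
        for key, val in node.items():
            if key == "IDFilePath" and isinstance(val, str) and val.startswith(PREFIX):
                write_id(val[len(PREFIX):], id_path)
                node[key] = id_path  # JSON now points at the file on disk
                count += 1
            else:
                count += patch_node(val, id_path)
    elif isinstance(node, list):
        for item in node:
            count += patch_node(item, id_path)
    return count


def consume_join_token(json_path, id_path):
    """Decode the embedded ID to id_path and rewrite json_path without the secret."""
    with open(json_path, encoding="utf-8") as f:
        doc = json.load(f)
    count = patch_node(doc, id_path)
    if count:
        # mkstemp creates the temp file 0600; os.replace swaps it in atomically
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(json_path)))
        with os.fdopen(fd, "w", encoding="utf-8") as f:
            json.dump(doc, f, indent=2)
        os.replace(tmp, json_path)
    return count
```

Because the token carries the server.id itself, the JSON file needs the same handling as the ID file until it has been consumed and patched.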
How to create an OTS JSON from a server.id
If you have a server.id you can generate all other information from the server.id and your NAB:
- There is C-API code to read the server name from the server.id
- With the server.id you can look up all other information from your current mail server, or let the script prompt for the right server to look up the information.
- This allows generating a full OTS JSON file.
I wrote a LotusScript class to do exactly that. I have added it to the JSON generation database, which is available on the OpenNTF Net server via NRPC:
home.openntf.net/openntf-net!!nashcom/domino-ots.nsf
Maybe it would be a good idea to create a separate server registration database which would work with a cert.id or a Domino CA to have a full end-to-end experience.
But the most important step is to have the container image able to consume the join token style with the @Base64: syntax.
I have just submitted the additional logic to the develop branch of the container project.