Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...


Daniel Nashed

Domino V12.0.1 One-Touch supports Micro CA and PEM/P12/KYR import

Daniel Nashed – 11 October 2021 10:48:33

"Automation" and "secure by default" are two key aspects of many features in Domino V12.
Beta 2 introduces a new Micro CA, and the new import functionality is also exposed via One-Touch setup.
Domino One-Touch setup supports the same operations that were added to the certstore.nsf UI. This also includes importing TLS credentials as exportable!

I will add some sample JSON configurations to our Domino Community image.
But let me share one very simple and useful example first.
Here is the reference for all new parameters:
https://help.hcltechsw.com/domino/beta/12.0.1/inst_onetouch_preparing_json.html
To enable the Micro CA you only need to add one new section. The back-end code uses reasonable defaults.
The Micro CA is intended for testing, and for cases where you cannot use Let's Encrypt and do not have an existing certificate.
The instructions also show how you can import an existing X.509 certificate for your server.

-- Daniel


Examples:

  "security": {
    "ACL": {
      "prohibitAnonymousAccess": true,
      "addLocalDomainAdmins": true
    },
    "TLSSetup": {
      "method": "dominoMicroCA"
    }
  }


But you can also specify in more detail which key type and curve/size you want, and more.

  "security": {
    "ACL": {
      "prohibitAnonymousAccess": true,
      "addLocalDomainAdmins": true
    },
    "TLSSetup": {
      "method": "dominoMicroCA",
      "CAKeyType": "ES384",
      "orgName": "MicroCA Certificate Demo",
      "CAExpirationDays": 987,
      "TLSKeyType": "ES384",
      "certExpirationDays": 365
    }
  }




Tip: Validate JSON files

Another addition is a way to verify JSON files. This verification comes in two levels.

1. Check whether the JSON is syntactically valid

2. Validate the JSON file against the schema

This is very useful when writing your own JSON configurations and can save a lot of time!

validjson.exe d:\one-touch.json -default

Currently you have to be in the binary directory on Windows to run it.
On Linux you have to copy the schema file "dominoOneTouchSetup.schema.json" from the binary directory to your data directory so that it can be found.
There is no startup link yet. You might need to create it to get it working. That's what I did. This is a beta 2 limitation.
On Windows it should work out of the box once you switch to the binary directory.
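The two validation levels described above, as an added example that is not part of the original post or of the Domino tooling: level 1 is a plain JSON parse, level 2 checks the security.TLSSetup section against a rule set. The rules are a constructed subset built only from the keys and values shown in this post; they are an assumption for illustration, not the shipped dominoOneTouchSetup.schema.json.

```python
"""Two-level check for a Domino One-Touch JSON file, in the spirit of validjson:
(1) is the text valid JSON, (2) does security.TLSSetup match a rule set.
The rules are a constructed subset for this example, NOT the shipped schema."""
import json

TLS_SETUP_RULES = {  # constructed: expected type, allowed values, lower bound
    "method": {"type": str, "enum": {"dominoMicroCA"}, "required": True},
    "CAKeyType": {"type": str, "enum": {"ES384"}},
    "orgName": {"type": str},
    "CAExpirationDays": {"type": int, "min": 1},
    "TLSKeyType": {"type": str, "enum": {"ES384"}},
    "certExpirationDays": {"type": int, "min": 1},
}

def validate_one_touch(text):
    """Return a list of problems; an empty list means both levels passed."""
    # Level 1: syntax. JSONDecodeError pinpoints the line/column of the defect.
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as e:
        return [f"invalid JSON: {e.msg} at line {e.lineno} col {e.colno}"]
    # Level 2: structure of the TLSSetup section against the rules above.
    sec = cfg.get("security") if isinstance(cfg, dict) else None
    tls = sec.get("TLSSetup") if isinstance(sec, dict) else None
    if not isinstance(tls, dict):
        return ["security.TLSSetup section missing"]
    problems = []
    for key, rule in TLS_SETUP_RULES.items():
        if key not in tls:
            if rule.get("required"):
                problems.append(f"TLSSetup.{key} is required")
            continue
        val = tls[key]
        # bool is a subclass of int in Python, so reject it explicitly
        if not isinstance(val, rule["type"]) or isinstance(val, bool):
            problems.append(f"TLSSetup.{key} must be {rule['type'].__name__}")
        elif "enum" in rule and val not in rule["enum"]:
            problems.append(f"TLSSetup.{key}: unsupported value {val!r}")
        elif "min" in rule and val < rule["min"]:
            problems.append(f"TLSSetup.{key} must be >= {rule['min']}")
    for key in tls:  # unknown keys are often typos; flag them
        if key not in TLS_SETUP_RULES:
            problems.append(f"TLSSetup.{key}: unknown key (typo?)")
    return problems

# Constructed sample inputs: the post's example, a trailing-comma syntax error,
# and a file with a misspelled key plus a string where an integer is expected.
GOOD = '{"security": {"TLSSetup": {"method": "dominoMicroCA", "CAKeyType": "ES384", "orgName": "MicroCA Certificate Demo", "CAExpirationDays": 987, "TLSKeyType": "ES384", "certExpirationDays": 365}}}'
BROKEN = '{"security": {"TLSSetup": {"method": "dominoMicroCA",}}}'
WRONG = '{"security": {"TLSSetup": {"method": "dominoMicroCA", "certExpirationDay": 365, "CAExpirationDays": "987"}}}'
```

Run `validate_one_touch(WRONG)` to see that a misspelled key and a quoted number are reported separately from a syntax error, which is the distinction the two levels of validjson give you.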
