Daniel Nashed's Blog

Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...
Daniel Nashed Tags 64Bit ACME ACME HTTP-01 ADFS AdminCentral AIX AIX64 Alpine Linux Ansible anti-virus AppDev AppDevPack Apple Apple Silicon ARM AS16 Asta Linux Astra Linux Attachments Automation autoupdate AWS-CLI AWS CLI Backujp Backup bash Blog Blog Template Borg BorgBackup Bug C C-API CA CentOS CentOS Stream Certificates CertMgr certstore certstore.nsf Champion ChatGPT Ciphers Citrix ClamAV clamd client Cluster Clustering Container Crash Critical Problem Curl CVE C&S DACHNUG DAOS DAOS T2 DAS DBMT Debian Digital Ocean DKIM DNACHNUG DNS DNS-01 DNUG DNUG Lab Docker Domino Domino Domino 12.0.2 Domino 14 Domino 9 Domino 9.0.1 Domino Backup Domino Blog Template Domino Container Domino Container script Domino V10 Domino V12 Domino10 Domino8.5 DominoAutoUpdate DominoBackup Domino.Perfomance EAP ECDSA Engage events Exchange fail2ban Feature Pack Feature Pack 8 Fixpack Flexnet FlexNet Licensing FP FP10 FP9 Fritzbox FT Fun gdb Grafana HashiCorp HCL HCL Ambassador HCL Download Hetzner HTTP HTTP-01 IBM Champion IBM ConnectED ICAP iDMA IDVault IMAP iNotes Install iOS iPhone Issue Java JVM K11 K3s K3s Traefik K8s keyring KVM kyr kyrtool Lab LE4D Leap Let’s Encrypt letsencrypt Linux Linux&Domino LiveText Lotus Lotus Script LotusScript LXC Mac macOS Mailto Mastodon Meeting Server Meetings MHS MicroCA Microsoft MIME Minio nashcertool Network New Technologies News NGINX NIFNSF Nomab Web Nomad Nomad Server Nomad Web Notes Notes 10 Notes 12.0.1 Notes 9 Notes Client Notes9 notes.ini NSD nshback nshcertool nshdellog nshrun NSL Odd Things OIDC One-Touch configuation OneTouchSetup OpenNTF OpenShift OpenSSH OpenSSL openssl&DNS OSX OTS Passthru Performance Photon OS PhotonOS Podman POODLE privacy private Proxmox Rancher Rancher Desktop Restic RHEL RNUG S3 SafeLinx SAI Sametime SAML Scalability Security server Server Availability Index SIGPIPE SLES SMTP SNMP Solaris SPAM SpamGeek SPF Splunk SPR ssh ST Start Script statistics SUSE SUSE Harvester Symphony systemd S/MIME T-Mobile tar Tika TIMEDATE Tip Tips TLS Tool TOTP Toubleshooting Traveler Trivy TrueNAS Scale Ubuntu V10 V12 Veeam Veeam Backup & Replication Verse VirusTotal VMware VSS VSS Writer Widget Win64 Windows Windows 11 Windows Sandbox WindowsServer Workshop Workshop 14 January WSL WSL2 X509 x.509 ZFS #Domino2025 @Forumlas	Daniel Nashed's Blog Nomab Web SafeLinx Nomad Web server connection options Daniel Nashed 25 January 2023 08:57:35 Nomad Web is a modern HCL client offering in form of a Progressive Web Application (PWA) running in your web browser. In addition to Windows or Mac, it also works on Ubuntu and other Linux distributions! So there is finally a client offering for Linux clients again! The Nomad Web application is installed on a server providing the required files for download. Those files can be stored on a SafeLinx or Domino/Nomad Web server. Your browser downloads the application and runs it locally in your browser. It is basically a cross compile using the Notes basic client code. Special connectivity requirements: WebSockets Nomad Web clients cannot directly connect to your Domino servers using NRPC with a standard TCP/IP connection. Because the client is in a browser it uses modern web technologies to connect to the server. This brings new advantages but also new challenges. Standard HTTPS connections are not a stateful network connection. You can send multiple HTTPS request over the same connection and have a TLS session. But it isn't a TCP/IP network session in the way NRPC would require it. Modern web technology supports so called web-sockets to allow stateful network connections for web applications. Nomad Web tunnels the NRPC session with all it's transactions via WebSockets to Domino. But because Domino itself does not understand WebSocket NRPC connections, you need a server component to translate the network packages. SafeLinx Server Until the Nomad Server was released recently a HCL SafeLinx server was the only network component allowing to bridge the protocols. You don't need to separate license a SafeLinx server. But it is a separate server component, which is not always intuitive to deploy. Therefore the HCL Domino Container Community project provides an easy to configure SafeLinx container --> https://opensource.hcltechsw.com/domino-container/safelinx/ The container is easy to configure specifying just a couple of environment variables instead of using the old fashioned Java admin client application. SafeLinx offers a connection module specially designed for Nomad Web bridging the WebSocket protocol to NRPC. It also allows you to define target Domino servers and the corresponding internet host name. Safelinx handles the TLS connection and tunnels the NRPC connection to the right target host. In addition to a static configuration mapping Domino server names to host names to connect to, SafeLinx can leverage a LDAP connection to a Domino server to map server names dynamically. The SafeLinx container image uses this type of configuration to avoid complex configurations. "Server Name Indication" SafeLinx receives all the traffic over the same HTTPS connection using a single TLS/SSL certificate on a single IP address to dispatch all the traffic acting as a secure reverse proxy. The first NRPC package connecting the client to the server contains the target Domino server name in the first network package. SafeLinx uses this Domino name to map the session to the right Domino server using it's FQDN (lookup in it's own configuration or via LDAP from a Domino server). The resulting stateful WebSocket connection is handled by the SafeLinx server. This means you can use a single SafeLinx server to connect to multiple Domino servers in parallel. SafeLinx ensures the dispatching and handles the stateful WebSocket connection tunneling the NRPC socket connection for you. Nomad Web Server Because not every customer wants to install a separate SafeLinx server, HCL came up with a new server component called "Nomad Web Server". A Nomad Web Server consists mainly on two parts. Let's have a look at the two binary files shipped with the Windows version: nwsp-win.exe Is a Node.js application compiled into a single executable. Node.js provides native WebSocket protocol already and a Node.js application is a low overhead way to implement a way to bride protocols. All connections are going thru this component and will be routed to the target Domino server directly. You can run this component separately from your Domino server and configure all settings in a YAML file. In this case the YAML configuration contains settings for the TLS certificate/key and also mapping configuration for your Domino servers. Very similar to what SafeLinx provides with a static configuration. nnomad.exe The more convenient way is to use this component directly on a Domino server in combination with a Nomad servertask. This server task is started on a Domino server running on the same host. Both components talk to each other using a private TLS connection. The Nomad servertask provides configuration information to connect to the own Domino server it is running on. And also provides connectivity information to other Domino servers in the Domain. This is comparable to what SafeLinx provides using the LDAP lookup. Both components work hand in hand and glue together. You can even leverage existing TLS Credentials in your Domino Certificate store (certstore.nsf). The only configuration needed in this case is the hostname for the certificate specified in a notes.ini setting:`NOMAD_WEB_HOST=domino.acme.com` This would also work for wild-card certificates like this: `NOMAD_WEB_HOST=.acme.com` The TLS Credentials document just must be assigned to the Domino server to have Domino decrypt the private key. And it needs to be a unique match in your certstore.nsf. Using a Load Balancer or Secure Reverse Proxy in front of Nomad Web with SNI* Nomad Web Server and SafeLinx work very similar in handling the connection and establishing the session. Both also handle the mapping to the right Domino server in the same way analyzing the first NRPC package. But what if you want to put NGINX or another load balancer in front of your server? Note: I would even advice you to add a robust load balancer like NGINX as a first line of defense in front of any Node.js application like Nomad Server. Because the websocket protocol is HTTPS based, most modern load-balancers and reverse proxies can handle the HTTPS session and even dispatch traffic over server name indication (SNI). This means you can run those HTTPS sessions on the same IP and TLS port 443 you are using for other connections. The only special requirement for WebSockets is a configuration which supports the WebSocket upgrade header. You find a sample configuration for NGINX in the Nomad Web Server documentation referenced below. Conclusion and additional tips This blog post is mainly intended to give you and overview and not an instruction how to setup Nomad Web. Specially for intranet environments the Nomad Server is an easy to install component, which helps you to deploy Nomad Server quite quickly. We added the Nomad Server package to the Domino community image as an add-on, which can be automatically build into the Domino server image --> https://opensource.hcltechsw.com/domino-container/. Still even for intranet deployments I would always add a secure load balancer in front of the Nomad server. SafeLinx in contrast is already a secure load-balancer written in C on a more robust stack. But both options provide you with the required WebSocket connectivity for Nomad Web. References for more details: Nomad Web Documentation https://help.hcltechsw.com/nomad/1.0_web/nomad_web.html Nomad Server Documentation https://help.hcltechsw.com/nomad/1.0_admin/nomadserver_domino.html WebSocket Wikipedia https://en.wikipedia.org/wiki/WebSocket RFC6455 The WebSocket Protocol https://datatracker.ietf.org/doc/html/rfc6455 The WebSocket API (WebSockets) https://developer.mozilla.org/en-US/docs/Web/API/WebSockets_API Comments [9] Comments 1Christian Henseler 26.01.2023 17:45:47 Nomad Web server connection options Thank you very much for this enlighting post. Would you mind to dive deeper into your recommendation to put a load balancer in front of an intranet Nomad Web Server running directly in front of (a single) Domino server hosting the Nomad Web component? I miss the point in your argumentation (or your use case does not match the use case I have in mind, when one has to provide Nomad Web entry point in dislocated isolated sites) Are there recommendstions how many clients a single Nomad Web server can deal with or is the limitation on the backend side as a result of numbers of Domino Server NRPC connections the Nomad Web server has to deal with? Thank you very much in advance 2Daniel Nashed 27.01.2023 20:13:51 Nomad Web server connection options @Christian, would you trust a Note.js server as your fist line of defence? External environments are more exposed. But you also have to protect from internal risks inside your network. From what I know the performance of Nomad web is similar to a SafeLinx server and I don't have exact numbers for both. But you can assume that a Nomad server infront of a single server should not bring you into any scalability issues. You need more CPU and more RAM. Specially for RAM I saw quite some increase in my small server and I have no idea how much that increases based on the number of users. I hope the initial memory is more than what is added per user. But I have no practical experience. If you are planning a larger deployment with Nomad servers, lets take this to HCL .. -- Daniel 3Christian Henseler 28.01.2023 13:19:40 Nomad Web server connection options Thank you very much for your answer, but I don‘t see a security benefit from using a load balancer. I am not talking about a Reverse Proxy. What are your specific security concerns in regard to node.js applications in general and Nomad Server especially? Shouldn’t HCL provide a secure Architecture instead of forcing Domino customers to build an additional line of defense, is Nomad Server so insecure that you recommend an additional security wall around Nomad Server, even within intranets? In our use case we have to ensure Nomad Web functionality in isolated sites and putting a Reverse Proxy in front of all Nomad Web Servers is quite an overkill. As sites might be isolated from time to time, we are not able to use a central SafeLinx Infrastructure or a central Nomad Web Server. And from a security perspective using a central Nomad Web Server to access dislocated Domino servers with clients in the same dislocated site isn‘t perfect from my point of view and is generating additional traffic that could be avoided. If your a cloud minded/central infrastructure minded customer, all your dislocated sites depend on connectivity. There are still use cases, where „cloud“ is not the best solution 4Daniel Nashed 28.01.2023 18:12:30 Nomad Web server connection options @Christian, this is my personal opinion as a partner: I would not let anyone directly access any Node.js based server. It's not the HCL implementation I don't trust. It's the platform I would personally not trust! The SafeLinx server is written in C instead. I would have wished HCL would have taken their experience from SafeLinx and nartively implement the same functionality right into Domino. Instead Node.js is used for the connection with all it's potential vulnerabilites coming up from time to time. A NGINX proxy is a specially hardened piece of software designed for very high loads in secure environments. Adding a NGINX proxy on a machine isn't much extra effort. The configuration is very simple. The only challenge would be the certificate deployment, which is integrated into Nomad Server. But I have shown how to automatically deploy certificates for NGINX in an earlier post. 5Christian Henseler 29.01.2023 9:57:33 Nomad Web server connection options Once again thank you very much for your point of view :-) In large organizations, the pure technical aspects are only one part of a solution. SafeLinx as well as NGINX are products new to Domino administrators, resulting in a know how and support problem. Furthermore, if other Reverse Proxy and Load Balancing products are already part of your IT services portfolio, you might even won‘t be able to introduce these new products. If you have to use other products, you‘ll have to deal with additional licences costs and in most cases such infrastructure components are managed by other IT groups. If you need a multi site deployment with isolated sites, you can‘t rely on a central HA Safelinx infrastructure, and you get a know problem on the side of local administrators. As I hope to shed some light on, a technical simple solutions might result in an enormous complexity on the organizational layer of IT departments. For all these reasons I was quite happy that HCL published Nomad Server as Domino server component and you will propably agree, that Nomad Server is pretty simple to be installed. Reading your blog post I was wondering about your recommendation in regards to put an additional security layer in front of Nomad servers, especially when no one else focussed on this matter in Nomad server presentations or Node.js on Domino presentations. That you need LB components in front of Traveler, Verse, Nomad servers in HA environments, is common sense. Thank you very much :-) 6Friedhelm Klein 22.02.2023 10:58:35 Nomad Web server connection options According to my tests, wildcard certificates do not work with nnomad.exe. At least it was refused in version 1.0.5, which was the last I tested with. After switching to a dedicated certificated, it worked fine. 7Daniel Nashed 22.02.2023 19:07:37 Nomad Web server connection options @Friedhelm, wildcard certs should work if you specify the excact wildcard name and if the name is just there once. the lookup in certstore.nsf by Nomad server is a simple lookup, not like the TLS Cache lookup, which is fully wildcard match aware. 8Hitesh 28.09.2023 9:03:40 Nomad Web server connection options Thanks Daniel for the Information. I want to configure Nomad web with safelinx and access via reverse proxy. In this case, We don't need SSL on Safelinx server as we already SSL enable on reverse proxy. Am i right? If yes then SafeLinx requires https in order to use WebSockets, and it is also necessary to pass WebSockets on the reverse proxy side. Is that okay? Thanks, 9Hitesh 28.09.2023 9:07:40 Nomad Web server connection options @Daniel, Thanks for your support. I have one more query. When using HCL Nomad Web on Domino, can it be used as a proxy from Nomad Mobile as well? If available, is it possible to apply Domino's standard feature Time-Based One-Time Password (TOTP) when setting up Nomad Mobile? Thanks .. Subject: Name: Email: Website: Add Comment:	About Contact Recent Entries Updateing autoupdate.nsf Domino AutoUpdate AUT Cat Notes/Domino 14.0FP1 rele Adding TOTP to your own a DominoBackupRunFaster=1 w Linux - Using Cron to sch Howto convert cert format OpenSSL past and present Domino meets Grafana & Quick look into SUSE Harv Feeds Content Feed Comment Feed Links Archives April 2024 (9) March 2024 (28) February 2024 (17) January 2024 (9) December 2023 (7) November 2023 (2) October 2023 (6) September 2023 (4) June 2023 (3) May 2023 (12) April 2023 (12) March 2023 (5) February 2023 (3) January 2023 (8) December 2022 (1) November 2022 (4) October 2022 (5) September 2022 (6) August 2022 (2) July 2022 (10) June 2022 (9) May 2022 (12) April 2022 (5) March 2022 (12) February 2022 (3) January 2022 (8) December 2021 (22) November 2021 (8) October 2021 (12) September 2021 (7) August 2021 (11) July 2021 (7) June 2021 (9) May 2021 (18) April 2021 (13) March 2021 (6) January 2021 (7) December 2020 (10) November 2020 (7) October 2020 (5) September 2020 (6) August 2020 (10) July 2020 (1) June 2020 (6) May 2020 (7) April 2020 (4) March 2020 (2) February 2020 (8) January 2020 (10) December 2019 (6) November 2019 (1) October 2019 (7) September 2019 (3) August 2019 (3) July 2019 (8) June 2019 (6) May 2019 (12) April 2019 (8) March 2019 (4) February 2019 (8) January 2019 (3) December 2018 (5) November 2018 (4) October 2018 (13) September 2018 (3) August 2018 (3) July 2018 (4) June 2018 (1) May 2018 (6) April 2018 (1) March 2018 (1) February 2018 (3) January 2018 (3) December 2017 (2) November 2017 (4) October 2017 (7) September 2017 (6) August 2017 (4) July 2017 (1) June 2017 (4) April 2017 (6) March 2017 (6) February 2017 (1) January 2017 (1) December 2016 (1) November 2016 (1) October 2016 (6) September 2016 (7) August 2016 (1) July 2016 (3) June 2016 (3) May 2016 (2) April 2016 (1) March 2016 (2) February 2016 (3) January 2016 (4) December 2015 (3) November 2015 (3) October 2015 (3) September 2015 (6) July 2015 (4) April 2015 (9) March 2015 (6) February 2015 (3) January 2015 (3) December 2014 (4) November 2014 (3) October 2014 (1) September 2014 (4) August 2014 (1) July 2014 (2) May 2014 (1) April 2014 (3) March 2014 (2) February 2014 (1) January 2014 (2) December 2013 (2) November 2013 (5) October 2013 (5) September 2013 (2) August 2013 (3) July 2013 (5) June 2013 (1) May 2013 (1) April 2013 (2) March 2013 (2) February 2013 (3) January 2013 (1) December 2012 (2) October 2012 (2) September 2012 (1) July 2012 (1) June 2012 (1) April 2012 (7) March 2012 (4) February 2012 (4) January 2012 (3) November 2011 (3) October 2011 (3) September 2011 (1) August 2011 (3) July 2011 (2) May 2011 (3) April 2011 (1) March 2011 (3) December 2010 (3) November 2010 (4) October 2010 (9) September 2010 (5) August 2010 (6) July 2010 (6) June 2010 (3) May 2010 (3) April 2010 (5) March 2010 (1) February 2010 (2) January 2010 (2) December 2009 (2) November 2009 (5) October 2009 (5) September 2009 (4) August 2009 (2) July 2009 (2) June 2009 (4) May 2009 (1) April 2009 (6) March 2009 (5) February 2009 (3) January 2009 (9) December 2008 (8)