Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

SafeLinx Nomad Server Community project?

Daniel Nashed  12 June 2022 08:53:46

Wouldn't it be cool to have a SafeLinx Docker image with Nomad Web included with auto configuration?
Maybe having a docker-compose.yml with just some basic parameters to get SafeLinx and Nomad up and running?


Docker container configuration:

A configuration could look like this:

CONTAINER_HOSTNAME=nomad.acme.com
DOMINO_ORG=acme
LDAP_HOST=ldap.acme.com

And just running "docker-compose up" could get SafeLinx and Nomad Web up and running ..


Certificate for the SafeLinx server

But what about getting a certificate for your server?

If your server is behind a load balancer, you can get away with automatically created certificates just for the container.
So the image could include a small CA creating ECDSA keys for you.


CertMgr auto certificate updates

If SafeLinx isn't behind a reverse proxy, updating official certificates and keys could be as simple as dropping PEM files into a mount and letting the container do all the work for you..

Maybe it would be a good idea to teach SafeLinx to auto-update certificates from a CertMgr server directly, if the existing private key matches the new certificate retrieved via HTTPS SNI?
So the wishful thinking would be to just specify something like CERTMGR_HOST=certmgr.acme.com and let the container update certificates automagically.
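The two building blocks sketched above, as an added example written for this post (it is not code from the SafeLinx community image): a tiny built-in CA that issues an ECDSA certificate for the container hostname, and the check a container should run before it swaps in a certificate it retrieved from somewhere else, namely that the existing private key really carries the same public key as the new certificate and that the certificate chains to a trusted CA and is valid for the Nomad hostname. The names acme, nomad.acme.com and SafeLinxCA are constructed to mirror the startup log; only the openssl CLI is required.

```shell
#!/bin/sh
# Added example, not the SafeLinx community image's own entrypoint code.
# Shows a minimal built-in CA plus the "does this key belong to this
# certificate" check. Names (acme, nomad.acme.com, SafeLinxCA) are constructed.

WORK="${WORK:-$(mktemp -d)}"

# Create the small CA: P-256 key plus a self-signed root valid for 10 years.
# $1 = organisation name
make_ca() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/ca.key" 2>/dev/null
  openssl req -x509 -new -key "$WORK/ca.key" -days 3650 \
    -subj "/O=$1/CN=SafeLinxCA" -out "$WORK/ca.pem" 2>/dev/null
}

# Issue a leaf certificate signed by the CA, with a DNS SAN for the host.
# $1 = hostname, $2 = organisation name
issue_cert() {
  host="$1"; org="$2"
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$host.key" 2>/dev/null
  openssl req -new -key "$WORK/$host.key" -subj "/O=$org/CN=$host" \
    -out "$WORK/$host.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$host" > "$WORK/$host.ext"
  openssl x509 -req -in "$WORK/$host.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -extfile "$WORK/$host.ext" \
    -out "$WORK/$host.pem" 2>/dev/null
}

# Return 0 if private key $1 and certificate $2 carry the same public key.
# The DER SubjectPublicKeyInfo is compared, which works for RSA and EC alike.
# An unreadable key yields an empty string and therefore never "matches".
key_matches_cert() {
  key_spki=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl base64 -A)
  [ -n "$key_spki" ] || return 1
  cert_spki=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null \
    | openssl pkey -pubin -outform DER 2>/dev/null | openssl base64 -A)
  [ "$key_spki" = "$cert_spki" ]
}

# Return 0 if certificate $2 chains to CA bundle $1 and is valid for hostname $3.
cert_valid_for_host() {
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# Decide whether a freshly retrieved certificate may replace the active one.
# $1 = existing private key, $2 = new certificate, $3 = CA bundle, $4 = hostname
can_install_cert() {
  key_matches_cert "$1" "$2" && cert_valid_for_host "$3" "$2" "$4"
}

# Stand-alone demo:  sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
  make_ca acme
  issue_cert nomad.acme.com acme
  if can_install_cert "$WORK/nomad.acme.com.key" "$WORK/nomad.acme.com.pem" \
      "$WORK/ca.pem" nomad.acme.com; then
    echo "nomad.acme.com: key and certificate match, safe to install"
  fi
  openssl x509 -in "$WORK/nomad.acme.com.pem" -noout -subject -issuer -fingerprint
fi
```

The functions only take files, so how the new certificate arrives (a PEM dropped into a mount, or a download from a CertMgr host) is left to the entrypoint; the point is that the container refuses a certificate whose public key does not belong to the key it already holds, or which does not verify for the Nomad hostname, instead of installing it and breaking TLS.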


Hmmmmm ....

I really wanted a Nomad Web configuration for our new DNUG Lab environment, which we want to showcase at DNUG.
And configuring it via the old-fashioned remote admin GUI wasn't an option for me...

OK, as you know, once I have an idea and start building, I am in a coding tunnel until it is all done ..
So at #DACHNUG 49 I will demo the new HCL SafeLinx Community image in combination with Domino CertMgr functionality in my Domino 12.0.x security session.

There isn't any documentation yet and I am working on some fit & finish. But it already does exactly what I described above and is available in the develop branch of the Domino community image.

Building the image works very similarly to the Domino, Traveler and Volt image builds.
And it builds in less than 2 minutes. The software download information is included in software.txt like for any other image.


./build.sh safelinx +nomadweb


An example docker-compose.yml with an .env setup file is also included.

docker-compose up


Creating network "safelinx_safelinx_net" with driver "bridge"
Creating volume "safelinx_data" with default driver
Creating safelinx ... done
Attaching to safelinx
safelinx    |
safelinx    | HCL SafeLinx Community Server
safelinx    |
safelinx    | Configuration
safelinx    | ------------------------------------------------------------
safelinx    | DOMINO_ORG       : [acme]
safelinx    | NOMAD_HOST       : [nomad.acme.com]
safelinx    | CONFIG_BASE      : [o=local]
safelinx    | CERTMGR_HOST     : []
safelinx    | (CHECK_INTERVAL) : [30]
safelinx    | TRUSTED_ROOTS    : [/opt/hcl/SafeLinx/datastore/trusted_roots.pem]
safelinx    | LDAP_HOST        : [ldap.acme.com]
safelinx    | LDAP_PORT        : [389]
safelinx    | LDAP_SSL         : [0]
safelinx    | LDAP_USER        : []
safelinx    | LDAP_BASEDN      : [acme]
safelinx    | ------------------------------------------------------------
safelinx    |
safelinx    |
safelinx    | Configuring SafeLinx
safelinx    |
safelinx    | NomadServer Available
safelinx    | LDAP-Server Available
safelinx    | LDAP-Authentication Available
safelinx    | nomad-web-proxy0 Available
safelinx    |
safelinx    | Generated PEM import password: x3+SfroADK48vI2SHAzinLLHxAohqh/cMuoyJOX0WS4=
safelinx    |
safelinx    | Write down the password, if you plan to import password protected PEM files (e.g. from HCL Domino CertMgr)
safelinx    |
safelinx    |
safelinx    | Waiting for mounted cert ...
safelinx    |
safelinx    | Startup: Timeout waiting for initial certificate
safelinx    |
safelinx    | Creating new certificate for nomad.acme.com
safelinx    |
safelinx    | Signature ok
safelinx    | subject=O = acme, CN = nomad.acme.com
safelinx    | Getting CA Private Key
safelinx    |
safelinx    | Export Password: pZtC9IJh1h8RyMrSCFp23igSZtyo6msOLqwtkMC6phw=
safelinx    |
safelinx    |
safelinx    |
safelinx    | HCL SafeLinx Version 1.3.0.0 (5724-R20)
safelinx    |
safelinx    |
safelinx    |
safelinx    | Certificate
safelinx    | -----------
safelinx    |
safelinx    | SAN         : DNS:nomad.acme.com
safelinx    | Subject     : O = acme, CN = nomad.acme.com
safelinx    | Issuer      : O = acme, CN = SafeLinxCA
safelinx    | Expiration  : Jun  9 08:14:06 2032 GMT
safelinx    | Fingerprint : C0:AB:7F:F5:3C:56:00:9E:EA:0C:6B:54:CA:68:44:13:3D:7B:3E:24
safelinx    | Serial      : 1FBAA17407B2CEFB2DA48C413797934983A2D044
safelinx    |
safelinx    |

