Oracle® Access Manager Installation Guide
10g (10.1.4.0.1)

Part Number B25353-01

18 Setting Up Lotus Domino Web Servers for WebGates

Before you can install the WebGate with a Domino Web server, you must have properly installed and set up the Domino Enterprise Server.

This chapter provides tips about installing and configuring Lotus Domino to operate with the WebGate. Topics include:


Note:

The information here presumes that you are familiar with your operating system commands, Lotus Notes, and the Domino Web server.

18.1 Installing the Domino Web Server

The following information focuses on Solaris. However, with some modifications, these steps can be used as a guide for other Unix systems.


Note:

You will need to register if this is the first time you download from lotus.com.

To download the Domino Web server on Unix

  1. Download Lotus Domino from the following URL:

    http://www-10.lotus.com/ldd/down.nsf

  2. Untar the downloaded file to your staging area. For example:

    gct@planetearth[/export/users2/gct/temp] 433 : ls C37UUNA.tar

    gct@planetearth[/export/users2/gct/temp] 434 : tar xf C37UUNA.tar

    gct@planetearth[/export/users2/gct/temp] 435 : ls C37UUNA.tar sol/

You need to install Domino as user "root". The installation script creates a soft link, /opt/lotus, that points to your Lotus Domino installation directory.

To install the Domino Web server on Unix

  1. Run the install script for the Domino Web server. For example:

    gct@planetearth[/export/users2/gct/temp/sol] 441 : su root 
    Password: 
    root@planetearth[/export/users2/gct/temp/sol] 1 : ls 
    install* license.txt script.dat sets/ tools/ 
    root@planetearth[/export/users2/gct/temp/sol] 2 : 
    root@planetearth[/export/users2/gct/temp/sol] 2 : ./install
    ======================================================== 
    Domino Server Installation 
    ========================================================
    Welcome to the Domino Server Install Program.
    Type h for help on how to use this program. 
    Press TAB to begin the installation.
    -------------------------------------------------------- 
    Type h for help 
    Type e to exit installation 
    Press TAB to continue to the next screen. 
    --------------------------------------------------------
    
    

    You are asked to select the setup type.

  2. Select Setup type. For example:

    Select Setup type: [Domino Enterprise Server]

  3. Complete the installation with the following considerations in mind. For example:

    • The default program directory is set to /opt/lotus. You may overwrite it with another directory. For example, /export/home/WWW/lotus.

    • The default data directory is set to /local/notesdata1. You may also overwrite this with something else. For example, /export/home/WWW/lotus/data1.

    • Overwrite the Domino UNIX user that owns the data directory. The default user is set to notes. You may change it to a valid Unix user. For example, gct or root.

    • Overwrite "The UNIX user for this directory must be a member of this group". The default group is set to notes. You may change it to a valid Unix group name. For example: oblix.


    Note:

    Be sure to put the Domino data directory in your $PATH before you proceed from here.

18.2 Setting Up the First Domino Web Server

After successfully installing, you must set up the first Domino server.

To set up the first Domino server

  1. Run /opt/lotus/bin/http httpsetup.

    By default, Domino will use port 8081.

  2. Ensure that port 8081 is not already in use.

  3. Launch your browser and enter the URL that follows. For example:

    http://hostname:8081

  4. Follow instructions on the screen and keep the following in mind.

    • Check HTTP to get the Web server.

    • Ensure the designated administrator has a first and last name.

    • Keep passwords simple, and record them in a safe location. For example, oblixoblix.

  5. Run all commands as the Unix user that you've configured for this Domino Web server.


    WARNING:

    Do not run as root.


18.3 Starting the Domino Web Server

After successfully setting up the first Domino Web server, you must start it.

To start the Domino server

  1. Run /opt/lotus/bin/server.

  2. Launch your browser and enter the following URL.

    For example:

    http://hostname:80/names.nsf

    You will be prompted for login name and password.

  3. Select Server-Server.

  4. Select your intended server.

  5. Select Edit Server.

  6. Select Ports, select Internet Ports, then click Web.

  7. Change the value for TCP/IP port number to your desired port number.

  8. Click Save and Close to save all your changes.

  9. Restart the server: /opt/lotus/bin/server.

18.4 Enabling SSL (Optional)

Enabling SSL is not mandatory for the WebGate. However, if you need to generate a keyring file (.kyr) and its corresponding stash file (.sth) with the Lotus Notes client on a Windows system and move them to the Unix system, use the steps that follow.

To generate the keyring and stash files

  1. Launch the Lotus Notes Client on your Windows system.

    For example:

    File, select Databases, then click Open

  2. Select Server Certificate Admin.

  3. Create the key ring file.

  4. Create the certificate request.

  5. Install the trusted root certificate into the key ring file.

  6. Install the certificate into the key ring file.

  7. Copy or ftp the newly created keyring file and stash file from the Windows system to your Unix machine.

  8. Store both files in your Domino data directory.

To enable SSL

  1. Launch your browser and enter the following URL.

    For example:

    http://hostname:port/names.nsf

    You will be prompted for login name and password.

  2. Select Server-Server.

  3. Select your intended server.

  4. Select Edit Server.

  5. Select Ports, select Internet Ports, then click Web.

  6. In the SSL Key file name field, enter the absolute path to the keyring file.

  7. Change the SSL Port number value to your desired port number.

  8. Enable SSL port status.

  9. Select Client Certificate "Yes" for Client Certificate authentication.

  10. Click Save and Close to save all your changes.

  11. Restart the Web server.

    For example:

    /opt/lotus/bin/server

18.5 Installing a Domino Security (DSAPI) Filter

The Domino security API filter, DSAPI, is an authentication method that enables you to register a DLL with the Domino Web server. In this case, the Web server calls the WebGate DLL to authenticate the user when a request for authentication occurs rather than using SSL or basic authentication.

Authentication within Domino is optional with the Oracle Access Manager DSAPI filter. You can implement certain aspects of authentication that the default Web server does not support.

Task overview: Completing WebGate and filter installation

  1. Before you install the WebGate on a Domino Web server, complete all steps described earlier.

  2. Complete the WebGate installation and Web server update as described in "Installing the WebGate".

  3. See "Completing the WebGate Installation" and choose one of the two options discussed there.

18.5.1 Completing the WebGate Installation

To ensure the Domino Web Server can use the WebGate DLL, you need to enter the name or names of the DLLs (DSAPI libraries) to be called for authentication in the DSAPI filter file names field of the HTTP tab under the Internet Protocols tab in the Server document.


Note:

Relative paths will be based on the Domino executable directory. DSAPI filter libraries will be called to handle events in the order they appear in this list.

There are two ways to install the filter:

  • Through a Web browser and names.nsf (option 1)

  • Through a Lotus Notes workstation and the Address Book (option 2)

Option 1: To set up the DSAPI filter to access names.nsf

  1. Go to the names.nsf URL and log in. For example:

    http://hostname:port/names.nsf
    
    
  2. Click the Server-Servers link.

    A Java applet will be loaded.

  3. Select a server from those listed.

  4. Click the Edit Server link to go to Edit mode.

  5. Click the Internet Protocols link.

    By default, the HTTP tab is selected and information is displayed in Edit mode.

  6. Look for DSAPI where it says "DSAPI filter file names:", then type in the absolute path to the libwebgate.so file.

  7. Save your changes.

  8. Restart the Domino http server task.

Option 2: To access the Address Book through Lotus Notes

  1. Open Domino Name and Address book. For example, select:

    File, Database, Open, then click Address Book

  2. Switch to server view and open the server document.

  3. Edit the server document.

  4. Click the Internet Protocols tab.

    By default, the HTTP tab is selected and information is displayed in Edit mode.

  5. Look for DSAPI where it says "DSAPI filter file names:", then type in the absolute path to the libwebgate.so file.

  6. Save your changes.

  7. Restart the Domino http server task.
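
Before typing a value into "DSAPI filter file names:", it is worth confirming that the entry resolves to the library you expect and that other local users cannot replace it, because the Web server loads this file to make authentication decisions. The following pre-flight check is an added example, not part of the Oracle or Lotus tooling; the function names are hypothetical, and the world-writable test is an added hardening check that the guide itself does not require.

```shell
#!/bin/sh
# Added example: pre-flight checks for the DSAPI filter entry.
# Function names are hypothetical; they are not Domino or WebGate commands.

# The chapter warns not to run Domino commands as root (uid 0).
check_run_user() {        # $1 = numeric uid, e.g. "$(id -u)"
    [ "$1" -ne 0 ] || { echo "FAIL: running as root" >&2; return 1; }
}

# Resolve a filter entry the way the Note describes: a relative path
# is taken from the Domino executable directory.
resolve_filter_path() {   # $1 = field value, $2 = Domino executable dir
    case "$1" in
        /*) printf '%s\n' "$1" ;;
        *)  printf '%s/%s\n' "${2%/}" "$1" ;;
    esac
}

# Succeeds only if the library exists, is readable by the current user,
# and neither it nor its directory is world-writable.
check_dsapi_filter() {    # $1 = field value, $2 = Domino executable dir
    lib=$(resolve_filter_path "$1" "$2")
    [ -f "$lib" ] || { echo "FAIL: $lib not found" >&2; return 1; }
    [ -r "$lib" ] || { echo "FAIL: $lib not readable" >&2; return 2; }
    for p in "$lib" "$(dirname "$lib")"; do
        # -prune keeps find on the named path itself; -perm -0002 matches
        # anything writable by "other".
        loose=$(find "$p" -prune -perm -0002 -print)
        [ -z "$loose" ] || { echo "FAIL: $p is world-writable" >&2; return 3; }
    done
    echo "OK: $lib"
}

# Typical use, run as the Domino Unix user (paths are placeholders):
#   check_run_user "$(id -u)" && \
#   check_dsapi_filter /path/to/libwebgate.so /opt/lotus/bin
```
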

18.6 Tips

The following tips may be helpful in your installation:

Failure Authentication Event: For Domino Web servers, the redirection of a URL through Oracle Access Manager may not work if the authentication type is set to Basic Over LDAP and the URL to be redirected is specified as one of the following:

  • A relative path on the same Web server

  • A full-path URL on the same Web server that contains a machine name defined in the host identifier string combinations

To overcome a failure authentication event, you must set the redirected URL with a machine name that is not defined under the host identifier group, for example, the IP address of the machine.

This problem does not occur with a form-based authentication type.

Header Variables: It may not be possible to pass header variables other than REMOTE_USER to WebGates installed on Lotus Notes Domino Web servers when using the Client Certificate authentication scheme.

For example, header variables cannot be set on the one request where Client Certificate authentication occurs. However, all other requests do allow header variables to be set.