Linux Mint - Free and powerful

Monday, 13 January 2014

Creating a Linux Mint Power Server - Configuring Domino (part 2)

OMG - First the bad

As IBM has not sold any new Domino systems for years now (Mat may disagree), I have not had to install a proper secure Domino system for a large customer for ages. That does not mean they do not milk the current cash cows; actually, they are being (have been) bled dry. I am not saying IBM BPs have not sold Domino systems, but simply that most 20,000-plus companies have ditched or are in the process of ditching Domino, and that is (was) IBM's core market. Websphere uber alles?

Disregarding the above rant, what I would like to say is that I have existing knowledge-base databases with documentation for creating new Domino architectures. There have been so few changes between Ver 6 and Ver 9 that all I had to do was replace the odd snapshot. Everything else is still the same. Really.

All the previous inconsistencies and annoyances are still there in all their glory. Well, at least I did not have to redo the documentation.

How about this for a web interface on Domino 9.1? Simply spectacular!

Let me check out names.nsf.

Ok, let's try webadmin.nsf.

FAIL!!!!! No Chrome support, still! This needs only a small change in webadmin.nsf to fix. Why I-B-M?

Anyhooooooo, time to move on.

Securing Domino: the steps.

Create the secure certifications database.

With the help of some clever Domino developer(s) I managed to create a database to document all aspects of a new Domino domain. It is a repository for all the certifiers, passwords, ID files, safe ID files, public keys and much more, all secured with a database encryption key and restricted documents so that it can be shared with granular access. It also acts as the ID file repository for updated IDs while recovery is being set up and the ID Vault is being created.

I will get the new developers to put an XPages framework around the database and share it. At some point, maybe.

Set mail-in database for ID files.

This is very important, as changes to ID files must be saved before the recovery systems are in place, so that the IDs can be recovered if required.

Set multiple passwords for initial certifiers

The default for a certifier is a single password, which means the master password is shared with all IT staff. In my experience, in many large organisations this password is the same for every ID file. The better option is to create multiple passwords and only share the relevant ones. You can also require more than one password, so a single admin cannot create users under special org certs. The best option is, of course, using the CA process.

Set admin groups

There are a number of default administration groups that must be created to ensure consistency. Groups can include other groups, and this can make ACLs a challenge. These groups will later be automatically assigned to any new Domino server document to ensure consistency.

Top tip: add [$AAdmins] to templates. This group will then be added to any database created from that template.

Create primary OUs

Domino is a hierarchical system with a root and tree structure. Creating an overly complex tree structure based on departments and locations is just plain dumb. Staff move departments all the time, and second to forgotten passwords, OU changes are the next big pain for admins. Just follow IBM's method of creating users as name/geo/IBM. I prefer one extra level, but no more.

*Hindsight moment: Domino Administrator does not run on Linux. It is virtually impossible to get Notes 9 working reliably in Wine / CrossOver Office, but you can install Lotus Notes 6.5 in Wine. Notes 6.5 cannot open the 4096-bit ID wrapper, so you need a virtual Windows environment. Bummer.

Set recovery for OPS

One of the OU certifiers I create is OPS. It is really important to track what these IT boys are doing. They are always up to no good! If you have created an additional OU, then recovery should be set up for that cert.

Create Master Admin

Now that OPS/A2ANY is set up, it is time to create the new master administrator ID. This ID will now manage the domain and will be added to the $AAdmins group and other ACLs.

Top tip: use the Unique Org Unit setting to create a logical OU level without a cert.

Apply ACLs to databases

Now is the time to set Anonymous to No Access and -Default- to No Access on all databases and templates, while adding $AAdmins and the Master Administrator.
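The ACL step above as a LotusScript agent (an added example, not code from the post): it walks every database and template in the server's data directory, sets -Default- and Anonymous to No Access, and adds $AAdmins and the master administrator as Manager. The master administrator's name is an assumed placeholder; the agent only touches entries that differ, so it can be re-run.

```lotusscript
Option Declare
Const ADMIN_GROUP = "$AAdmins"
Const MASTER_ADMIN = "Master Admin/OPS/A2ANY"   ' assumption: use your real hierarchical name
' Force one ACL entry to the given level, creating it if missing.
' Returns True when the entry was added or its level changed.
Function SetLevel(acl As NotesACL, who As String, level As Integer, userType As Integer) As Boolean
    Dim entry As NotesACLEntry
    Set entry = acl.GetEntry(who)
    If entry Is Nothing Then
        Set entry = acl.CreateACLEntry(who, level)
        entry.UserType = userType
        SetLevel = True
    ElseIf entry.Level <> level Then
        entry.Level = level
        SetLevel = True
    End If
End Function
' Returns True when the ACL of db was changed and saved.
Function HardenACL(db As NotesDatabase) As Boolean
    Dim acl As NotesACL, changed As Boolean
    Set acl = db.ACL
    ' Lock the two catch-all entries down, then add the administrators as Manager
    changed = SetLevel(acl, "-Default-", ACLLEVEL_NOACCESS, ACLTYPE_UNSPECIFIED) Or changed
    changed = SetLevel(acl, "Anonymous", ACLLEVEL_NOACCESS, ACLTYPE_UNSPECIFIED) Or changed
    changed = SetLevel(acl, ADMIN_GROUP, ACLLEVEL_MANAGER, ACLTYPE_PERSON_GROUP) Or changed
    changed = SetLevel(acl, MASTER_ADMIN, ACLLEVEL_MANAGER, ACLTYPE_PERSON) Or changed
    If changed Then Call acl.Save()
    HardenACL = changed
End Function
Sub Initialize
    Dim session As New NotesSession
    Dim dbDir As New NotesDbDirectory(session.CurrentDatabase.Server)
    Dim db As NotesDatabase
    Dim changedCount As Integer
    ' TEMPLATE_CANDIDATE enumerates both .nsf databases and .ntf templates
    Set db = dbDir.GetFirstDatabase(TEMPLATE_CANDIDATE)
    Do Until db Is Nothing
        If Not db.IsOpen Then Call db.Open("", "")
        If db.IsOpen Then
            If HardenACL(db) Then changedCount = changedCount + 1
        Else
            Print "Skipped (cannot open): " & db.FilePath
        End If
        Set db = dbDir.GetNextDatabase()
    Loop
    Print "ACL tightened on " & changedCount & " database(s)/template(s)"
End Sub
```

Run it as a scheduled or manually triggered agent signed with an ID that holds Manager on the databases, and check the "Skipped" lines: a database the signer cannot open has not been hardened.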

Migrate to CAs

This is a big one. It takes the OUs created above and creates a CA database for each one, so that users can be added without sharing the certifier password.

If you get the message "Cannot locate user certificate. Make sure server contains your certificate for encryption", then fix your location doc.

Create an Internet cert CA

You need to issue SSL certs to the servers internally, and this step will ensure that an SSL cert can be added easily when creating new servers. For user certs we will set up a different CA system. Actually, the SSL CA is really confusing in Domino, and frankly user certs leave a lot to be desired.

Create an ID Vault

An ID Vault is the new password recovery method.

This concludes - Creating a Linux Mint Power Server - 5 - Configuring Domino (part 2)

Uhmm, this is frustrating software.
