HCL Verse and Apache Reverse Proxy Integration
Procedure
Procedure
Summary
Disclaimers
HCL Verse™ brings Verse to the user desktop in the on-premises HCL
Domino® environment. To set up HCL Verse, you complete simple steps on
a Domino server to prepare to begin using mail and calendar features. Offline
capability is available by default and does not require Domino Offline Services (DOLS)
configuration.
In this document, you will learn more about HCL Verse capabilities and how to integrate
HCL Verse with Apache Reverse Proxy Server. It will also cover what Apache Reverse
Proxy Server is and how to install and configure Apache Reverse Proxy Server with
HCL Verse. You will learn how to install self-signed and third-party SSL certificates to
make your Apache Reverse Proxy Server secure, and the configuration required to
integrate HCL Verse with Apache Reverse Proxy Server.
Note: As of release 1.0.8, VOPDesign.nsf has been removed from the kit. Ensure
your users' mail files are on the mail template from Domino 9.0.1 FP9 or later.
Procedure
1. Enable HCL iNotes on the Domino server. Make sure that you run the HTTP
server task and that you configure iNotes® settings. See the topic Configuring
iNotes in the Domino documentation.
2. Register users as iNotes users. See the topic Registering iNotes users in the
Domino documentation.
b. Click the Internet Protocols tab and then the Domino Web Engine tab.
c. In the Character Set section for Use UTF-8 for output, select Yes.
Or, if you use a Web Site document, see the topic Specifying the character set to use
when retrieving Web pages in the Domino documentation.
4. Create full-text indexes on mail files, if they don't already have them. For
information, see the topic Full-text indexes for single databases in the Domino
documentation.
6. HTTPJVMMaxHeapSize=2048M
HTTPJVMMaxHeapSizeSet=1
If the settings don't exist, add them. If they exist, make sure that they have these
values.
7. Enable SSL on the Domino server. HCL Verse requires HTTPS and a valid
certificate. Follow the instructions in the article Generating a keyring file with a
third party CA SHA-2 cert using OpenSSL and KYRTool on a Windows™
workstation.
• If you are using a proxy server in front of the Domino server, it is the proxy
server that needs to support HTTPS and have a valid certificate.
• Ensure the SSL key file name field matches the file name that you created.
For more information see the description of the Key Ring File Name field in
the topic Creating a server key ring file in the Domino documentation.
8. Ensure the SSL port status is enabled. For more information, see the
topic Modifying Web server Internet port and protocol settings in the Domino
documentation.
9. Ensure that you configure the ID vault on the Domino server and that you
assign Verse users to the vault. An ID vault is required so users can read and
send signed or encrypted messages. For information, see the topic Notes ID
vault in the Domino documentation.
Note: In the ID vault tab of the Security Settings document that you use to assign
users to the vault, select the option Allow Notes-based programs to use the Notes
ID vault.
10. Ensure that users have valid Internet addresses in their Domino directory
Person documents:
b. On the Basics tab, verify that the Internet Address field contains a valid
address, for example, sdaryn@acme.com.
11. Extract the files from the HCL Verse package. The package contains the
following files:
HCL_Verse.zip
iwaredir.ntf
readme.zip
12. Stop the Domino Web server. From the server console, enter:
13. If a previous version of HCL Verse is installed, delete the existing HCL
Verse jar files from one of the following directories, depending on how the
product was installed:
or
14. Extract the contents of the HCL_Verse.zip file to the following directory:
Note: Extract with the directory structure intact. After extraction, the Verse On-
Premises .jar files should be in the following directory:
Note: As of Verse On-Premises 1.0.6, there are just four .jar files, fewer than in
previous versions.
16. If there isn't a redirector database, create one using the iwaredir.ntf template
that you copied to the data directory. For more information, see Using iNotes
Redirect to access mail in iNotes in the Domino documentation. Otherwise,
replace the design of the existing redirector database using the
new iwaredir.ntf template that you copied to the data directory:
Note: This version of the redirector template includes translations for English,
Chinese (China), Chinese (Taiwan), French, German, Italian, Japanese, Korean,
Portuguese (Brazil), and Spanish.
a. From HCL Notes®, open the redirector database on the server. The
default file name is iwaredir.nsf.
c. Select the new iwaredir.ntf template that you copied to the data
directory.
17. If you are upgrading from the previous release, simply start the Domino Web
server. From the server console, enter:
load http
If you are setting up Domino for the first time, you may need to stop and
restart the server:
restart server
18. If there is not a credential store application on the server, run the following
commands at the Domino console to create one. The first command creates a
document encryption key to be used for authentication that is called credstore.
The second command creates the application credstore.nsf to store the
encryption key.
If the mail servers are in a cluster, complete the following steps to configure the
credential store on each additional server:
From the server console of the server on which you created credstore.nsf, enter the
following command to export the encryption key to a file in the Domino data directory:
For example:
a. Copy the key file to the data directory of each Domino cluster member.
©2020 HCL Technologies Ltd. 8
Figure 4. Screenshot of /local/notesdata where the KEY file is located
b. From the server console of each Domino cluster member, enter the
following command to import the encryption key:
For example:
20. To see both iNotes and Verse on the login page, you can create a Domino Web
configuration database and map your redirection database:
b. In the new window, select the server name and give the database a title,
for example, Domino Web Configuration database, and choose the template
Domino Web Server Configuration as shown in Figure 7 below.
Click the OK button to proceed with database creation.
e. In the Target Form field, remove the word “Custom” and replace it with
“DWA” to map the redirect database with DWALoginForm.
g. Open the server document, go to the tab Internet Protocol > HTTP >
Home URL, and type the redirect database name as shown in Figure
11.
21. To confirm that Verse On-Premises works, have a user with a mail file on the
server complete these steps:
b. Log in.
Make sure you have created a Web Site document and enabled the use of Internet Site
documents in the Server document.
Also make sure that your client location document has the home/mail server set to a server in
the same domain as the servers participating in SSO. This ensures that all public keys for
participating servers can be found when the SSO document is encrypted.
Procedure
1. In the Domino Administrator, click Files, and open the server's Domino
Directory (usually NAMES.NSF).
5. Initialize the Web SSO Configuration with the shared secret key in one of two
ways:
6. Save the Web SSO Configuration document. A message on the status bar
indicates the number of servers/people for whom the document was
encrypted. The document(s) will appear in the Internet Sites view.
For more details on how to create an SSO document, refer to the link below:
https://help.hcltechsw.com/domino/11.0.1/admin/conf_creatingawebssoconfigurationdocument_t.html
A reverse proxy is a gateway for servers and enables one web server to provide
content from another transparently. As with a standard proxy, a reverse proxy may
serve to improve performance of the web by caching; this is a simple way to mirror a
website.
Proxy servers provide security benefits on top of the privacy benefits. You can
configure your proxy server to encrypt your web requests so that they cannot be
read in transit. You can also block access to known malware sites through the
proxy server.
The reverse proxy becomes a single point of entry for the different web applications in
the organization. The web servers stay hidden and thus protected from the Internet.
Security monitoring such as log review can be performed from a single point. The
reverse proxy can act as a single SSL server.
A reverse proxy accepts a request from a client, forwards it to a server that can fulfil it,
and returns the server's response to the client. A load balancer distributes incoming
client requests among a group of servers, in each case returning the response from
the selected server to the appropriate client.
You can install Apache Web Server on different Linux operating systems, such as
CentOS or Ubuntu.
2. You can start the Apache service using the command systemctl start httpd. To
enable Apache as a service, use the command systemctl enable httpd.
4. Restart the firewall after making these changes using the command:
firewall-cmd --reload
5. To verify the installation, open a web browser and type the IP address of your
host machine or type localhost. If you see the screen below, the
installation completed successfully.
1. To install SSL on a Linux machine, we first need to install the SSL module. To
install the SSL module, use the command yum install mod_ssl* -y as
shown in the screenshot below.
Once installation is complete, you should see the output as shown below.
Figure 23. Sample output from running yum command shown in Figure 22
For example, acme.crt. It will ask you to enter the password three times.
4. The next step is to move the key file one folder back from, for example, the
“private” folder. We will use the mv command to move acme.key. Adding .. will
move the KEY file one directory above the “private” folder.
5. Open the SSL configuration file in the vim editor from the path below.
vim /etc/httpd/conf.d/ssl.conf
6. Press : (colon) and the cursor will move to the bottom left corner of the screen.
Type set number or se nu and press Enter.
Similarly, change the path for the acme.key file as well in Line Number 107.
12. To allow HTTPS port in firewall, issue the command below and reload the
firewall.
When you start the HTTPD service, it will ask you to enter the password of the
certificate file.
b. At this point, if we restart the HTTPD service, it will no longer ask for a password.
Note from the Author: While I have used a Windows computer to create a certificate
and take these screenshots using OpenSSL, the steps and commands used are
the same for the Linux operating system.
Note: Give actual server name instead of server.key. For example, see the screen
shot.
The resulting key pair should not be password protected. Leaving a private key
unprotected isn't good security practice, so for production systems only perform
these steps on a restricted-access system believed to be secure.
2. type apache.key
type apache.csr
Provide both the certificates to your vendor and get them stamped from your SSL
provider.
You will receive a certificate just like the one created in the self-signed steps. This
can be displayed by using the "type" command from a command prompt or by
opening the file in Notepad.
type apache.pem
Once you receive the certificates from vendors, you need to copy these certificates
onto the Apache server, for example, on path /etc/httpd/conf/ and define the path in
your apache configuration file.
Next, you will need to define SSL certificate file path in virtual host configuration as
shown below:
Most of the steps are similar for all SSL certificate providers. For example, you may
refer to the link below to see the steps for DigiCert.
https://www.digicert.com/kb/csr-ssl-installation/apache-openssl.htm
We can define the HCL Verse configuration in the Apache httpd.conf file. It is important to
create a rewrite rule for each cluster mate so that Apache can redirect requests to the user’s
home mail server on the basis of the cookie value. Below is the sample configuration where we
have 4 servers in the Domino environment (2 servers in each cluster).
Make sure that the code below is defined in the AutoLogin form in the redirection database.
You need to create a field, for example, Apache, and define this code in the AutoLogin
form. This is necessary because Apache redirects requests on the basis of the cookie value.
nodecookievalue := @Name([CN]; @NameLookup([NoUpdate]; @UserName; "MailServer"));
clustercookievalue := @DbLookup("":""; @Subset(@DbName; 1):"names.nsf"; "($ServersLookup)"; nodecookievalue; "clustername");
nodecookie := @SetHTTPHeader("Set-Cookie"; "inotesses=" + @LowerCase(nodecookievalue));
@Success
Figure 46. Adding the code to the AutoLogin form of the redirection database using Domino Designer.
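The cookie-based routing described above, shown as an added example that is not HCL's sample configuration. The host names (mail.example.com, mail1a, mail1b, mail2a, mail2b), the certificate paths and the fallback back end are assumptions. Each node name carried in the inotesses cookie is matched against a fixed list, because the cookie is supplied by the client and should never be substituted into the proxy target.

```apache
# Added illustration, not HCL's configuration. Host names, certificate paths
# and the fallback back end are assumptions; mod_ssl, mod_rewrite, mod_proxy
# and mod_proxy_http must be loaded.
<VirtualHost *:443>
    ServerName mail.example.com

    SSLEngine on
    SSLCertificateFile    /etc/httpd/conf/acme.crt
    SSLCertificateKeyFile /etc/httpd/conf/acme.key

    # Reverse proxy only: never act as a forward proxy, and speak HTTPS
    # to the Domino back ends.
    ProxyRequests Off
    SSLProxyEngine on

    RewriteEngine On

    # The AutoLogin form sets inotesses=<lower-cased CN of the home mail server>.
    # Match each known node exactly; the cookie is client-supplied, so its value
    # is compared against a fixed list and never copied into the target URL.

    # Cluster 1 (hypothetical nodes mail1a, mail1b)
    RewriteCond %{HTTP_COOKIE} (^|;\s*)inotesses=mail1a(;|$) [NC]
    RewriteRule ^/(.*)$ https://mail1a.example.com/$1 [P,L]
    RewriteCond %{HTTP_COOKIE} (^|;\s*)inotesses=mail1b(;|$) [NC]
    RewriteRule ^/(.*)$ https://mail1b.example.com/$1 [P,L]

    # Cluster 2 (hypothetical nodes mail2a, mail2b)
    RewriteCond %{HTTP_COOKIE} (^|;\s*)inotesses=mail2a(;|$) [NC]
    RewriteRule ^/(.*)$ https://mail2a.example.com/$1 [P,L]
    RewriteCond %{HTTP_COOKIE} (^|;\s*)inotesses=mail2b(;|$) [NC]
    RewriteRule ^/(.*)$ https://mail2b.example.com/$1 [P,L]

    # No cookie yet, or an unrecognised value: use one fixed back end that
    # hosts the redirector database so the user can log in.
    RewriteRule ^/(.*)$ https://mail1a.example.com/$1 [P,L]

    # Rewrite Location headers from every back end to the public name.
    ProxyPassReverse / https://mail1a.example.com/
    ProxyPassReverse / https://mail1b.example.com/
    ProxyPassReverse / https://mail2a.example.com/
    ProxyPassReverse / https://mail2b.example.com/
</VirtualHost>
```

After editing, apachectl configtest checks the syntax before the service is restarted.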
https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0080495
https://help.hcltechsw.com/verse_onprem/2.0.0/admin/vop_configuring_server.html
When you send information to HCL Technologies Ltd., you grant HCL Technologies
Ltd. a nonexclusive right to use or distribute the information in any way it believes
appropriate without incurring any obligation to you.
©2020 Copyright HCL Technologies Ltd and others. All rights reserved.
References in this whitepaper to HCL products, programs, or services do not imply that
they will be available in all countries in which HCL operates. Product release dates
and/or capabilities referenced in this presentation may change at any time at HCL’s
sole discretion based on market opportunities or other factors, and are not intended to
be a commitment to future product or feature availability in any way. The underlying
database used to support these whitepapers is refreshed on a weekly basis.
Discrepancies found between whitepapers generated using this web tool and other
HCL documentation sources may or may not be attributed to different publish and
refresh cycles for this tool and other sources. Nothing contained in this whitepaper is
intended to, nor shall have the effect of, stating or implying that any activities
undertaken by you will result in any specific sales, revenue growth, savings or other
results. You assume sole responsibility for any results you obtain or decisions you
make as a result of this whitepaper.