Tuesday, April 2, 2013

Connections Mail over SSL? There's no need to install an SSL certificate on the Domino iNotes server.

If you have deployed IBM Connections, then you have already set up the IBM HTTP Server (IHS) with an SSL certificate, right?

Well, if you are also deploying IBM Connections Mail, then the need to install an SSL certificate on the Domino iNotes server arises.
That is because, if you are using Connections in a browser over HTTPS, then the Connections Mail communication with the iNotes server will also be over HTTPS.
The same applies in reverse when you are on HTTP.

So when you are on HTTPS, Connections Mail will not work unless you have applied an SSL certificate on the Domino iNotes server.

But for those of you who want to deploy Connections Mail without having to buy a new SSL certificate for the Domino iNotes server, here's the solution:


Ok, so you already have SSL set up on the IHS server. Did you know that the IHS server can also act as a reverse proxy server? By setting it up as a reverse proxy, you can point some junctions to the iNotes server's folders and NSF files.

This makes the communication between the client and the IHS server secure, but backend communication between the IHS server and the Domino iNotes server will be on HTTP. This is ok for most of the customers out there. And remember, you don't even have to expose the iNotes server to the public internet. Only the Connections server needs to be public. (If you have deployed Connections to the web, that is.)

Here's what you need to do:

Enable two modules in httpd.conf:

    LoadModule proxy_module modules/mod_proxy.so
    LoadModule proxy_http_module modules/mod_proxy_http.so

And then, the config for the junctions:

    # Disable forward proxy requests
    ProxyRequests Off
    # Allow requests from ALL hosts and domains
    <Proxy *>
        Order Allow,Deny
        Allow from all
    </Proxy>

    # Configure access to iNotes
    ProxyPass     /mail/         http://inotesserver.company.com/mail/
    ProxyPass     /iNotes/     http://inotesserver.company.com/iNotes/
    ProxyPass     /domjs/     http://inotesserver.company.com/domjs/
    ProxyPass     /iredir.nsf     http://inotesserver.company.com/iredir.nsf
    ProxyPass     /names.nsf     http://inotesserver.company.com/names.nsf
    ProxyPass     /Names.nsf     http://inotesserver.company.com/names.nsf
(For some reason, the Names.nsf is case sensitive, and sometimes, when I logged in to the iNotes server, I noticed that the login referenced names.nsf with a capital N.)
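
A small check to run against the junction configuration above before restarting IHS, as an added example that is not part of the original post: it parses an httpd.conf fragment, lists the junctions, and reports a forward proxy left open (ProxyRequests On together with the `<Proxy *>` allow-all block), missing proxy modules, and which backend hops run over plain HTTP. The function name `audit_proxy_conf` and the embedded sample config are constructed for illustration.

```python
# Constructed sample: the junction config from this post as an httpd.conf fragment.
SAMPLE_CONF = """\
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
ProxyRequests Off
<Proxy *>
    Order Allow,Deny
    Allow from all
</Proxy>
ProxyPass /mail/      http://inotesserver.company.com/mail/
ProxyPass /iNotes/    http://inotesserver.company.com/iNotes/
ProxyPass /domjs/     http://inotesserver.company.com/domjs/
ProxyPass /iredir.nsf http://inotesserver.company.com/iredir.nsf
ProxyPass /names.nsf  http://inotesserver.company.com/names.nsf
ProxyPass /Names.nsf  http://inotesserver.company.com/names.nsf
"""

def audit_proxy_conf(text):
    """Hypothetical helper: return (junctions, findings) for a conf fragment."""
    modules, junctions, findings = [], [], []
    forward_proxy = False            # Apache's default for ProxyRequests is Off
    in_proxy_all = allow_all = False
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue                 # skip blank lines and comments
        words = [p.lower() for p in parts]   # directive names are case-insensitive
        if words[0] == "loadmodule" and len(parts) >= 2:
            modules.append(parts[1])
        elif words[0] == "proxyrequests" and len(parts) >= 2:
            forward_proxy = words[1] == "on"
        elif words[0] == "<proxy" and len(parts) >= 2:
            in_proxy_all = parts[1].rstrip(">") == "*"
        elif words[0] == "</proxy>":
            in_proxy_all = False
        elif in_proxy_all and words == ["allow", "from", "all"]:
            allow_all = True
        elif words[0] == "proxypass" and len(parts) >= 3:
            junctions.append((parts[1], parts[2]))   # (public path, backend URL)
    if forward_proxy and allow_all:
        findings.append("WARN open forward proxy: ProxyRequests On with <Proxy *> Allow from all")
    for mod in ("proxy_module", "proxy_http_module"):
        if junctions and mod not in modules:
            findings.append(f"WARN {mod} is not loaded")
    for path, target in junctions:
        if target.lower().startswith("http://"):
            findings.append(f"INFO backend hop is plain HTTP: {path} -> {target}")
    return junctions, findings

if __name__ == "__main__":
    for finding in audit_proxy_conf(SAMPLE_CONF)[1]:
        print(finding)
```

The INFO lines list exactly the hops that rely on the network between IHS and the iNotes server being trusted, since the traffic on them is unencrypted.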

And then you're done. Restart the IHS server and try to log in to your mailbox directly using the Connections server's URL:

https://ConnectionsServer.company.com/mail/YourMailbox.nsf

After this, you have to edit the socialmail-discovery-config.xml file to point to the new reverse proxy iNotes URL as well:

    <ServerConfig name="inotesmail" enabled="true">
        <ConfigType>DOMINO</ConfigType>
        <DirectoryServer>dominoldap.company.com</DirectoryServer>
        <DirectoryServerDomain>company.com</DirectoryServerDomain>
        <DirectoryUser>LdapUser/Company</DirectoryUser>
        <DirectoryPW>password</DirectoryPW>
        <FixedServer>http://ConnectionsServer.company.com</FixedServer>
        <MailPattern type="company.com"/>
    </ServerConfig>

As you can see, the "FixedServer" URL is the key here. It's now pointing at the IHS reverse proxy URL. And don't worry that it says "http://...". Connections changes this automatically to https if you are browsing the Connections server over https.

Restart Connections and give it a try.