Tuesday, April 2, 2013

Connections Mail over SSL? There's no need to install an SSL certificate on the Domino iNotes server.

If you have deployed IBM Connections, then you have already set up the IBM HTTP Server (IHS) with an SSL certificate, right?

Well, if you are also deploying IBM Connections Mail, then the need to install an SSL certificate on the Domino iNotes server arises.
This is because, if you are inside Connections in a browser on HTTPS, then the Connections Mail communication with the iNotes server will also be on HTTPS (the browser makes those calls with the same scheme it is using for Connections).
And vice versa when you are on the HTTP protocol.

So when you are on HTTPS, Connections Mail will not work if you did not apply an SSL certificate on the Domino iNotes server.

But for those of you who want to deploy Connections Mail without having to buy a new SSL certificate for the Domino iNotes server, here's the solution:


Ok, so you already have SSL set up on the IHS server. Did you also know that the IHS server can act as a reverse proxy server? By setting it up as a reverse proxy, you can leverage that existing certificate and just point a few junctions at the iNotes server's folders and nsf files.

This makes the communication between the client and the IHS server secure, but the backend communication between the IHS server and the Domino iNotes server will be on HTTP, so that hop (including the session cookies iNotes sets) travels in plain text on the network segment between the two servers. This is ok for most of the customers out there. And remember, you don't even have to expose the iNotes server to the public internet. Only the Connections server needs to be public. (If you have deployed Connections to the web, that is.)

Here's what you need to do:

Enable 2 modules in the HTTPD.CONF (mod_proxy is loaded first, since mod_proxy_http depends on it):

    LoadModule proxy_module modules/mod_proxy.so
    LoadModule proxy_http_module modules/mod_proxy_http.so

And then, the config for the junctions:

    # Disable forward proxy requests. With this Off, IHS only serves the
    # junctions below and cannot be used as an open proxy to other hosts.
    ProxyRequests Off
    # Allow requests from ALL hosts and domains to the reverse proxy junctions
    <Proxy *>
        Order Allow,Deny
        Allow from all
    </Proxy>

    # Configure access to iNotes
    ProxyPass     /mail/          http://inotesserver.company.com/mail/
    ProxyPass     /iNotes/        http://inotesserver.company.com/iNotes/
    ProxyPass     /domjs/         http://inotesserver.company.com/domjs/
    ProxyPass     /iredir.nsf     http://inotesserver.company.com/iredir.nsf
    ProxyPass     /names.nsf      http://inotesserver.company.com/names.nsf
    ProxyPass     /Names.nsf      http://inotesserver.company.com/names.nsf
(For some reason, the Names.nsf junction is case sensitive: sometimes, when I log in to the iNotes server, I noticed that the login referenced names.nsf with a capital N, so both spellings get a junction.)

And then you're done. Restart the IHS server and try to log in to your mailbox directly using the Connections server's URL:

https://ConnectionsServer.company.com/mail/YourMailbox.nsf

After this, you have to edit the socialmail-discovery-config.xml file to point to the new reverse proxy iNotes URL as well:

<ServerConfig name="inotesmail" enabled="true">
    <ConfigType>DOMINO</ConfigType>
    <DirectoryServer>dominoldap.company.com</DirectoryServer>
    <DirectoryServerDomain>company.com</DirectoryServerDomain>
    <DirectoryUser>LdapUser/Company</DirectoryUser>
    <DirectoryPW>password</DirectoryPW>
    <FixedServer>http://ConnectionsServer.company.com</FixedServer>
    <MailPattern type="company.com"/>
</ServerConfig>

As you can see, the "FixedServer" URL is the key here. It's now pointing at the IHS reverse proxy URL. And don't worry that it says "http://...". Connections changes this automatically to https if you are surfing on the Connections server on https.

Restart Connections and give it a try.
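As an added check that is not part of the original post, this Python script lints a constructed copy of the junction config and ServerConfig entry above and flags the mistakes that commonly break this setup: a missing module, ProxyRequests not Off (which would make IHS an open forward proxy), a missing junction, a /names.nsf junction without its /Names.nsf twin, and a FixedServer that still names the Domino backend instead of the IHS proxy. The hostnames are the post's examples; parse_conf() and lint() are mine.

```python
import re
import xml.etree.ElementTree as ET
# Constructed samples of the post's httpd.conf junctions and ServerConfig entry.
SAMPLE_CONF = """LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
ProxyRequests Off
ProxyPass /mail/ http://inotesserver.company.com/mail/
ProxyPass /iNotes/ http://inotesserver.company.com/iNotes/
ProxyPass /domjs/ http://inotesserver.company.com/domjs/
ProxyPass /iredir.nsf http://inotesserver.company.com/iredir.nsf
ProxyPass /names.nsf http://inotesserver.company.com/names.nsf
"""
SAMPLE_XML = """<ServerConfig name="inotesmail" enabled="true"><ConfigType>DOMINO</ConfigType>
<FixedServer>http://ConnectionsServer.company.com</FixedServer></ServerConfig>"""
REQUIRED = ["/mail/", "/iNotes/", "/domjs/", "/iredir.nsf", "/names.nsf"]  # per the post

def host_of(url):
    return re.sub(r"^https?://([^/]+).*", r"\1", url)

def parse_conf(text):
    modules, junctions, proxy_requests = set(), {}, None
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()  # drop comments, tokenize
        if len(parts) >= 2 and parts[0] == "LoadModule":
            modules.add(parts[1])
        elif len(parts) >= 2 and parts[0] == "ProxyRequests":
            proxy_requests = parts[1].lower()
        elif len(parts) >= 3 and parts[0] == "ProxyPass":
            junctions[parts[1]] = parts[2]
    return modules, junctions, proxy_requests

def lint(conf_text, xml_text):
    modules, junctions, proxy_requests = parse_conf(conf_text)
    findings = []
    for mod in ("proxy_module", "proxy_http_module"):
        if mod not in modules:
            findings.append(f"missing LoadModule {mod}")
    if proxy_requests != "off":  # anything else turns IHS into an open forward proxy
        findings.append("ProxyRequests must be Off, or IHS is an open forward proxy")
    for path in REQUIRED:
        if path not in junctions:
            findings.append(f"no ProxyPass junction for {path}")
    # ProxyPass matching is case sensitive, and the post saw iNotes ask for Names.nsf.
    if "/names.nsf" in junctions and "/Names.nsf" not in junctions:
        findings.append("add a /Names.nsf junction next to /names.nsf")
    fixed = ET.fromstring(xml_text).findtext("FixedServer") or ""  # must be the IHS host
    if not fixed or host_of(fixed) in {host_of(t) for t in junctions.values()}:
        findings.append(f"FixedServer {fixed!r} is not the IHS reverse proxy")
    return findings
```

Running lint(SAMPLE_CONF, SAMPLE_XML) on the constructed sample reports only the missing /Names.nsf twin, which is exactly the case-sensitivity catch described above.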

10 comments:

Brian Wert said...

Robert,
Great article and this worked well in my environment except for one thing. I have multiple mail servers so I need to use the iNotes redirect. Your config works well for a single server but it did not work for the redirect. Do you have any idea how I could get the redirect to work going from an HTTPS session to an HTTP session?

Robert Farstad said...

Hi Brian.

Hmm, are you using the iwaredir.nsf?
My example above uses the "iredir.nsf". Perhaps this should be changed to the correct redir db name?

Check out this article right here:
http://www-10.lotus.com/ldd/dominowiki.nsf/dx/How_to_Configure_a_Reverse_Proxy_server_for_iNotes_and_Sametime_Proxy_Integration

Brian Wert said...

Just wanted to leave another comment because you have been really helpful in putting this information together. The problem we are running into is we have many mail servers so it looks like Connections mail is figuring out what server the user is on and then trying to go directly to the server to get the mail via HTTPS when we don't have SSL enabled in Domino. Is there a way to configure the proxy rule to account for all the mail servers?
Fixed server seems to work but the redirect does not with multiple mail servers. I added some trace and the log shows that the mail server cannot be reached and it shows the connection directly to the mail server and not the proxy server.

Brian Wert said...

Thank you for this information.
The problem we are having with the redirect is we have many mail servers. It seems like it is looking up the home mail server for the user and then trying to make the connection to the domino server instead of the proxy server. This works if I used fixed server and point to proxy but when I do that for the redirect database it still tries to connect directly to the domino server via HTTPS. I can see it in the logs.

Robert Farstad said...

Hi Brian. Sorry for the delay in replying to you.

Oh, I understand your issue better now.
The Connections Mail config, where the fixed server is configured, connects to this server and only this server. But when using iwaredir, the redirection itself picks up the user's mail server and redirects the user to this iNotes server. So if you have multiple iNotes/mail servers, then the iwaredir sorts this out for you.

But this is not "helping" the Connections Mail part, is it? If SSL is not enabled on the iNotes servers, then it won't work...

So I have 2 possible solutions for you:

1. Replicate every mail database to one dedicated iNotes server, remove the iwaredir on this server, and set this server as the "Fixed server".

2. Buy a wildcard SSL certificate and implement it on every Domino iNotes server. I know a wildcard SSL is a hassle to implement into the Domino servers. Perhaps it has gotten better with Domino 9, but I know it should work. I've seen examples of it (even though you might have to use an old version of ikeyman, which works only in Windows XP....).

If you are able to implement the wildcard SSL certificate, then you can buy only one certificate for every subdomain (inotesserver1.company.com, inotesserver2.company.com) in your company. And frankly, then you don't need the IHS Reverse Proxy server config anymore....

Mats Ekman said...

Wildcard SSL certificate from P12/PFX file into Domino

I did some documentation and a checklist on how to do this at my company blog.

Maybe that could help you out, here is the link:

http://wp.me/p1CuQM-pG

Regards

Mats

Robert Farstad said...

Thank you Mats!! Will try this asap.

amacre said...

This is great, thanks a lot!!!

amacre said...

Please help, I did everything but I can't make it work.

it says:

FORBIDDEN you dont have permission to access /mail/file.nsf on this server.


or


You don't have permission to access /redir.nsf on this server.

What can I do?

thanks.

Robert Farstad said...

Hi Amacre.
Does iNotes work normally? I mean, can you access the mail .nsf file in a browser in the normal way?
If not, then there's your problem. The security settings on the nsf files and the server need to be checked.

If iNotes works normally, then it's the LTPAToken that needs to be set up correctly. WebSphere and Domino need to have the same LTPAToken in order for SSO to work between the servers :-)