Over here on the blog is Tim’s next entry talking about Node development and Domino, this time he explains how to use the early release of the app dev package to access (read and write) Domino data via Node. However I don’t let developers do Domino admin so this is the bit where I explain how to configure Domino. It’s all very easy and also all still early release so things may well change for GA.
First you will need to request the early release package which you can do here. What you’ll then get is a series of .tgz files including one entitled ‘domino-appdev-docs-site.tgz’ which, once extracted, gives you the index.html with instructions for installing.
You need to bear in mind that at least initially this only runs on Linux and Domino 10 and that Domino 10 on Linux 64bit officially means RHEL 7.4 or higher, or SLES 12. I went with RHEL 7.5.
Next we need to install “Proton” so it can be run as a Domino server task which just means extracting the file ‘proton-addin.tgz’ into the /opt/ibm/domino/notes/latest/linux directory. There is also some checking to make sure files are present and setting permissions but I don’t want to repeat the install instructions here as I would rather you refer to the latest official version of those. Suffice it to say this is a 5 minute job at most.
Once the files are in place you can start and stop Proton as you would any other Domino task by doing “load Proton”, “tell Proton quit”, etc.
Then there are a few notes.ini settings you can choose to set including:
PROTON_SSL= if you want the traffic between the Proton task and Node server to be encrypted (0/1).
PROTON_LISTEN_PORT= what port you want Proton to listen and be accessed by Node on (default 3002 ).
PROTON_LISTEN_ADDRESS= if you want Proton to listen on a specific address on your Domino server such as 127.0.0.1 which would require Node to be installed locally or 0.0.0.0 which will listen on any available address.
PROTON_AUTHENTICATION= how Proton handles authentication. There are currently two options, client_cert or anonymous. With authentication set to anonymous all requests that come from the Node application are done as an “anonymous” Domino user and your Domino application must allow Anonymous rights in the ACL.
The “client_cert” option requires the Node application to present a client certificate to the Proton task and for the Domino administrator to have already mapped that certificate to a specific person document by importing it. Note that “client_cert” still means that all activity from that Node application will be done as a single identified user that must be in the ACL but does mean you need not allow anonymous access. You can also use different identities in different Node applications.
Of course, what we all want is OAuth or an authentication model that allows individual user identities and this is hopefully why the product is still considered “early release”. Both the “anonymous” and “client_cert” models are of limited use in production.
PROTON_KEYFILE= the keyfile to use if you want PROTON to be communicating using SSL. This isn’t releated to the Domino keyfile (although it could be) and since this is only for communication between your Node server and your Domino Proton task and never for client-facing traffic you could use entirely internally-generated keys since they only need to be shared with the Node server itself.
HCL have kindly provided scripts to generate all the certificates you need for your testing.
Finally we need to create a design catalog for Proton to use. You can add individual databases to the design catalog and the first one you add actually creates the catalog. There must be a catalog with at least one database in it for Proton to work at all.
The catalog contains an index of all the design elements in a Domino database so to add a new database to the catalog you would type:
load updall <database> -e
This isn’t dynamically maintained though, so if you change the design of a database you must update its entry in the catalog if you want to have new design elements added or updated, like this:
load updall <database path> -d
The purpose of the catalog is to speed up DQL’s access to the Domino data. It’s not required that every database be catalogued but obviously doing so speeds up access and opens up things like view scanning using the <‘View or folder name’>.<Columnname> syntax.
So that’s my very quick admin guide to what I did that enabled Tim to do what he does. It’s very possible (even probable) that this entire blog will be obsolete when the GA release ships but hopefully this and Tim’s blog help you get started with the early release.
The Turtle Partnership Blog 
Hello Gabriella, my understanding is that the client_cert authentication is for authenticating the Node.js application connecting to Proton, not the actual user using the application. The certificate must be imported to a Person document where the username item matches the CN from the certificate (this is not mentioned in the documentation). According to HCL the Node.js application will still need to provide a certificate to authenticate with the server before it can perform an operation on behalf of a user’s oauth token in the future.
This way the Node.js application will not be able to do anything it wants to on behalf of the user but only to access databases and documents the administrator allows it to.
Regards,
Jan
Yes I believe that’s what I said - the client_cert has to be imported into a person document that then is the access granted to the db. All access is done as that user. I haven’t speculated here on OAuth implementation as I don’t know how much of that is public and under NDA so until anything is public I try not to talk about it. I did get permission to discuss what I have here in this blog
@Gabriella : The AppDev Pack is now a public beta, so feel free to talk about it. If you have any ideas for improvement, please post them here https://domino.ideas.aha.io/?project=DOMINO
Thank you - I will