Setting Up SSL on Domino -- The No Nonsense Guide
Talking, as I was earlier this week, about mimicking the customer's environment at my own end, something I often need to do is enable SSL on a given Domino server. This is surprisingly easy to do. Unless you try and do it using the help files that is!
For some projects I only ever need to work on a single database and - for this - I'll just develop it on one of my existing servers, as the target environment is fairly standard. Oftentimes though I'll need to mimic exactly the whole environment in which the database(s) I'm working on will end up being hosted.
To mimic the target setup I usually create a new Virtual Machine running Windows 2003 and whatever version of the Domino server they intend to use. As mentioned the other day I then set the host name as servername.companyname2.com and configure my own DNS accordingly.
Increasingly (paranoia?) I'm developing for systems that will use SSL for all traffic. It's not essential that I do the same in the development environment, but it's always best to mimic every little detail and so it's better to if you can. Especially if the developed database has the "Requires SSL" property turned on, as you'd have to remember to toggle this each time a new template version was delivered or risk turning off the customer's SSL.
In the past I've sometimes avoided this step on my side simply because it's as confusing as hell to try and set up SSL on a Domino server. That's if you try and follow the "step by step" guide offered in the Domino Administrator help files. Don't even go there! You'll end up screaming expletives at the monitor, as I did earlier in the week as I tried to enable SSL once more.
When I gave up getting anywhere with the help files I did a Google for something like "setting ssl on a domino server" and quickly found the help page that should have been. Funnily enough I found this page on IBM's site. Funnier still is the question posed:
What steps can you follow to set up SSL on a Lotus Domino server using Domino as the Certificate Authority? Is there a quick guide other than the detailed steps in the Lotus Domino Administrator help?
This was exactly what I was thinking. Although I wouldn't have posed the question as politely as that.
What follows is a simple, no nonsense guide to enabling SSL on a Domino server. It takes about two minutes to do and there's no need to pull out any hair.
Somewhere in the drafts folder of this site is a part-written article that I started writing the last time I managed to achieve it the hard way. The idea was the same as the IBM page above, in that I wanted to offer the quick route that worked. Looks like I don't need to finish the article off now.
So, what I'm getting at in a long-winded way is that the linked page is definitely worth bookmarking. Not that a quick Google wouldn't have found you that anyway, but I wanted you to know there's help out there before you try and use the help database.
While Notes wouldn't be the same without the help files, it also wouldn't be the same without CodeStore.net.
I've often scoured the help files for a specific detail or the correct syntax, but I've always ended up here when it was all said and done.
Nice site Jake!
On topic: After attempting to set up SSL on my Domino server, I opted for a hosted plan with SSL. I figured if it was that difficult to set up, it would be a mother to fix when it broke. This article should help.
Regards,
Matt
Jake,
I have used this redbook in the past and was able to set up SSL.
{Link}
However, I agree with you that it's not something you want to set up again and again in your development environment, but it is much cheaper than buying an SSL certificate from Verisign or others. :)
Cheers!
Gurmeet
The timing is uncanny .. I've got a post in draft about setting up SSL using the CA process. I did wade through the help files and eventually got there ... but for what is a 20 mins job it took me hours to sort it out with a couple of false starts.
There seem to be no consistent help pages, especially with R5 set-up options mixed in with newer CA process options.
Thanks for the post .. if only it was 2 weeks earlier the timing would have been perfect :-)
Thanks Jake,
Two days back I was in the same situation and was trying to follow the steps in Administrator Help documents but didn't manage to make it work.
I can now easily set up with these steps.
Thanks again.
Hi
Setting SSL up for developing purposes is really a no brainer in Domino.
- Create a self-certified certificate (5 min)
- copy the certificates to the server (1 min)
- point to the correct .kyr file in the Internet site document under the SSL options (1 min)
- Check "Require SSL connection" in the db properties. (5 sec)
I may be forgetting some steps...but that is about it!
brgds Jesper Kiaer
{Link}
{Link}
"is really a no brainer in Domino".
I agree. Unless you try and do it by following the instructions in the admin help file, which is the reason I posted the link. It's only a no-brainer if you know the easy way.
Oops... sorry, did not see the link in your post to the IBM Support page.
Actually buying the SSL from Verisign only costs about 2k a year. It is more professional in that your customer won't get a funny dialog screen with a red X in the certificate box. I mean, any dumb auditor would point it out and make a mountain out of a mole hill.
Save yourself the shame of explaining what a CA authority is. Pay Verisign and forget... You will get peace of mind from not needing that dialog box pop out with that yellow letter there.
I agree Robert, but you're missing the point. I'm talking about development environment, which, in my case, only I ever see. More often than not the customer takes care of their own SSL purchasing and setup. That's not normally for me to worry about. I just need to make sure the environment on my side is an exact copy.
Nice post. This was exactly what I needed. Help files are very complex on this subject. Now SSL works OK on my dev server. Thank you very much.