
Hardened production setup

The Domino REST API can be configured to run without configuration and admin access on the server that hosts production databases. Let us outline how.

Production layout

  • The admin server is only accessible by administrators and not reachable from the general network.
  • The Domino REST API is installed on both servers.
  • The KeepConfig.nsf replicates between admin and production server.
  • We have a TLS certificate thecertificate.pem.
  • The password for the TLS certificate is provided as the environment parameter TLSPassword.
  • The production server has a hardened config using hardening.json.
  • Domino's nhttp isn't running or isn't using Port 443.

hardening.json

The name, as long as it ends in .json, can be chosen freely. It needs to be placed into the keepconfig.d directory.

hardened JSON

{
  "CORS": {
    "localhost": false,
    ".local": false
  },
  "DEBUG": false,
  "DisableEventBusSocket": true,
  "enabledProtocols": {
    "TLSv1.3": true,
    "TLSv1.2": false
  },
  "PORT": 443,
  "showDeprecatedEndpoints": false,
  "showPreviewFeatures": false,
  "TLSFile": "thecertificate.pem",
  "TLSType": "pem",
  "versions": {
    "setup": {
      "active": false
    },
    "admin": {
      "active": false
    }
  },
  "verticles": {
    "Design": {
      "active": false
    },
    "KeepAdmin": {
      "active": false
    },
    "AdminAccess": {
      "active": false
    },
    "Firehose": {
      "active": false
    }
  }
}
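
One way to detect drift from the hardened settings above before a file is placed into keepconfig.d, as an added example that is not part of the Domino REST API or its documentation. The names `BASELINE`, `lookup`, `audit` and the sample input are constructed here, and the script checks a single file in isolation, so a missing key is reported because that file does not pin the value.

```python
import json

# Expected values copied from the hardened JSON above, keyed by path tuple.
BASELINE = {
    ("CORS", "localhost"): False,
    ("CORS", ".local"): False,
    ("DEBUG",): False,
    ("DisableEventBusSocket",): True,
    ("enabledProtocols", "TLSv1.3"): True,
    ("enabledProtocols", "TLSv1.2"): False,
    ("PORT",): 443,
    ("showDeprecatedEndpoints",): False,
    ("showPreviewFeatures",): False,
    ("TLSType",): "pem",
}
for name in ("setup", "admin"):
    BASELINE[("versions", name, "active")] = False
for name in ("Design", "KeepAdmin", "AdminAccess", "Firehose"):
    BASELINE[("verticles", name, "active")] = False
MISSING = object()

def lookup(config, path):
    # Walk the nested dict; return MISSING if any path element is absent.
    node = config
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return MISSING
        node = node[key]
    return node

def audit(config_text):
    # Return sorted (path, expected, actual) tuples for every deviation.
    config = json.loads(config_text)
    findings = []
    for path, expected in BASELINE.items():
        actual = lookup(config, path)
        # Compare type as well as value so 0 or "false" is not accepted for False.
        if actual is MISSING or type(actual) is not type(expected) or actual != expected:
            shown = "<missing>" if actual is MISSING else actual
            findings.append(("/".join(path), expected, shown))
    return sorted(findings, key=lambda f: f[0])

# Constructed sample: a drifted file with DEBUG on and TLS 1.2 re-enabled.
SAMPLE_DRIFTED = '{"DEBUG": true, "enabledProtocols": {"TLSv1.3": true, "TLSv1.2": true}, "PORT": 443}'

if __name__ == "__main__":
    for path, expected, actual in audit(SAMPLE_DRIFTED):
        print(f"{path}: expected {expected!r}, found {actual!r}")
```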

Things to consider

  • Are all API consumers capable of TLS 1.3?
  • Do you need CORS support for static applications on other servers?
  • Shall the Domino REST API serve as Identity Provider (IdP) or is there a corporate IdP to be used?

YMMV
