Skip to content

Hardened production setup

The Domino REST API can be configured to run without configuration and admin access on the server that hosts production databases. Let us outline how.

Production layout

  • The admin server is only accessible by administrators and not reachable from the general network.
  • The Domino REST API is installed on both servers.
  • The KeepConfig.nsf replicates between admin and production server.
  • We have a TLS certificate thecertificate.pem.
  • The password for the TLS certificate is provided as environment parameter TLSPassword.
  • The production server has a hardened config using hardening.json.
  • Domino's nhttp isn't running or isn't using Port 443.


The name, as long as it ends in .json, can be chosen freely. It needs to be placed into the keepconfig.d directory.

hardened JSON

  "CORS": {
    "localhost": false,
    ".local": false
  "DEBUG": false,
  "DisableEventBusSocket": true,
  "enabledProtocols": {
    "TLSv1.3": true,
    "TLSv1.2": false
  "PORT": 443,
  "showDeprecatedEndpoints": false,
  "showPreviewFeatures": false,
  "TLSFile": "thecertificate.pem",
  "TLSType": "pem",
  "versions": {
    "setup": {
      "active": false
    "admin": {
      "active": false
  "verticles": {
    "Design": {
      "active": false
    "KeepAdmin": {
      "active": false
    "AdminAccess": {
      "active": false
    "Firehose": {
      "active": false

Things to consider

  • Are all API consumers capable of TLS 1.3?
  • Do you need CORS support for static application on other servers?
  • Shall the Domino REST API serve as Identity Provider (IdP) or is there a corporate IdP to be used?


Let's connect

We really like to hear from you!

Your opinion matters. Let us know all your:

  • questions
  • discussions
  • ideas
  • feedback

Join the OpenNTF Discord channel.