Community HCL SafeLinx Container with HCL Nomad Web support
Table of contents
- Community HCL SafeLinx Container with HCL Nomad Web support
- Build the container image
- Running the SafeLinx image
- Server Certificate support
- MySQL Server Support
HCL Nomad Web leverages the WebSockets protocol to connect to Domino servers. This requires a gateway component in the HCL SafeLinx server to bridge between WebSockets protocol and the Notes protocol “NRPC”.
Setting up a SafeLinx server in a classical way requires to use of a complicated to use Java admin client.
This project allows you to build a SafeLinx container including HCL Nomad Web components in one step. The container allows you to configure the container including NomadWeb components simply by specifying environment variables.
Build the container image
Download the SafeLinx WebKit and also the NomadWeb server components to your software directory.
The build command either builds the container or shows missing software files and the download target directory:
./build.sh safelinx -nomadweb
Once authenticated in Flexnet, you can use the links provided to search for the software components. Links only work with customer accounts with an enabled download search option.
Checking software via [/local/github/domino-container/software/software.txt] 188.8.131.52 [NA] HCL-SafeLinx-1300-x86_64.tar.gz https://hclsoftware.flexnetoperations.com/flexnet/operationsportal/DownloadSearchPage.action?search=HCL-SafeLinx-1300-x86_64.tar.gz+&resultType=Files&sortBy=eff_date&listButton=Search 1.0.3 [NA] 20220325-2893-nomad_web_deploy.zip https://hclsoftware.flexnetoperations.com/flexnet/operationsportal/DownloadSearchPage.action?search=20220325-2893-nomad_web_deploy.zip+&resultType=Files&sortBy=eff_date&listButton=Search Correct Software Download Error(s) before building image 
Once all software is available,run the build process again. The build will take around 2 minutes.
Running the SafeLinx image
The SafeLinx container project ships with a predefined Docker compose file located in
docker-compose.yml contains template variables, which are referenced in the configuration file
Review and edit the configuration file with your favourite editor
CONTAINER_HOSTNAME=nomad.acme.com DOMINO_ORG=acme LDAP_HOST=ldap.acme.com
Hostname of the container, which is also defining the hostname of the SafeLinx server
Domino organization name used for the LDAP search base path and also for certificate names created by default.
LDAP hostname or IP address to connect to. SafeLinx requires an LDAP connection to a Domino server in the domain to lookup users and servers
SafeLinx uses LDAP to find users, their home mail servers and Domino servers. There are two missing attributes by default for anonymous LDAP connections. You can either use authenticated LDAP or add the two missing fields to your configuration.
In case you want to use an anonymous LDAP connection to your Domino LDAL you have to add the following fields for anonymous queries in the default config doc
- dominoPerson / MailServer
- dominoServer / SMTPFullHostDomain
Additional LDAP Parameters
For authenticated LDAP connections you should use secure LDAP (LDAPS port: 636). If your LDAP server is not exposed outside your environment, adding the two missing fields with anonymous LDAP might be the easiest option.
LDAP_USER= LDAP_PASSWORD= LDAP_PORT=389 LDAP_SSL=auto LDAP_UNTRUSTED=FALSE
LDAP user name when using an authenticated connection
LDAP password when using an authenticated connection
LDAP port is used to connect to the Domino LDAP server. This is usually port 389 for not encrypted connections. And port 636 for LDAPS connections (recommended for authenticated connections).
Secure LDAP. It can be
autooption automatically selects SSL based on the port number.
If set to ‘TRUE’ allow untrusted certificates and not verify the connection. If set to ‘FALSE’ verify TLS certificate for the LDAPS connection.
Trusted Roots for LDAPS connections
Connecting to LDAPS servers require the servers’s certificat’s trusted root to verify the connection unless LDAP_UNTRUSTED=TRUE is specified.
To add trusted roots generate a PEM file
trusted_roots.pem and store it into the
Import files are automatically moved into the datastore.
Run the container
You have two different options to start. For a first test, it could make sense to run the container in front-end mode. In production use, it makes sense to run the container detached.
Run the container in front-end mode
Run the container detached
docker-compose up -d
Server Certificate support
Out of the box, the container generates its own MicroCA to issue a web server certificate for your SafeLinx server. This certificate is a good starting point and helps you with your final configuration.
Today most browsers don’t support self-signed certificates. So you will usually need to deploy trusted certificates for your SafeLinx server.
Import trusted key/certs into the container
cert-mount is designed for easy import of existing keys and certificates.
To import a new key and certificate just copy a
server.pem file into the
Either a new certificate or a new certificate and key can be imported. If only a certificate is imported, the certificate is checked against the existing private key. The import is only performed if the certificate marches the private key.
To import an encrypted PEM-based private key, the container generates an import password at the first startup. This password can be used to import a CertMgr exportable key, which is always exported encrypted.
Export private key to Domino CertMgr
In case you instead want to export your private key to your CertMgr server for certificate update flows, the container generates an export password printed once on startup. The password can be used to import
certstore_export.pem stored in
Automagical Certificate update
Once you either imported a key from CertMgr or exported your key to CertMgr, you can leverage automatic certificate update flows.
CertMgr hostname to contact over HTTPS (443) to check for certificate updates
Interval in seconds to check CertMgr for certificate updates (Default 300 seconds).
MySQL Server Support
Running the HCL Nomad Web Safelinx container with the internal flat-file configuration works well for up to 200 users. In case you require more scalability, the Safelinx container can be built and configured with MySQL server support.
Building the container with MySQL Support
Run the following build command, to include the MySQL client driver:
./build.sh safelinx -nomadweb -mysql
Configuration for MySQL
The only additional parameter required is a password for the MySQL server user account. All other parameters are predefined in the docker-compose file.
The password is shared beteen the SafeLinx and MySQL container.
Running the SafeLinx container with MySQL container
MySQL is available as a container image. The container project contains an alternate
docker-compose_mysql.yml file, which includes a setup including a MySQL container.
You can either rename the docker-compose.yml or specify the file explicitly:
docker-compose -f docker-compose_mysql.yml up -d