• Status: Solved
  • Priority: Medium
  • Security: Public

Hosting Domino website on Apache

I am using Domino for mail, and webmail is enabled on it.

I have installed an Apache with server & client certificates and want to use it to authenticate webmail users before they reach Domino.

So my network should be like this:

(web client with certificate)-----HTTPS---------->(Apache verifying clients certificates and running ssl and domino website)------>(Actual domino server)

Or if possible like this:

(web client with certificate)-----HTTPS---------->(Apache verifying clients certificates and running ssl without domino website)----HTTP---------->(actual domino server running Domino webserver and pages)

Any clue?
0
Asked: last
 
Sjef Bosman (Groupware Consultant) commented:
I'd say it's impossible to bypass Domino security: Domino will check certificates on its own. And a Domino-website has its pages built from dynamic data contained in a database, there are usually very few fixed html-files.
0
 
Bozzie4 commented:
So you want to use Apache as a reverse proxy?

The separate parts of this setup should work just fine. But you are mixing 2 things here:
- SSL tunneling for the reverse proxy. This is no problem, you can simply leave the authentication mechanism in Domino (but this won't work for the client certificate)
- Single sign on: if the user is authenticated on Apache (using the certificates), you want single sign on with the Domino server. This is possible if you use the Domino Directory to authenticate users in Apache. Look on the internet. Caution: I'm not sure this will work for client certificates, but there is only 1 way to find out. Also, there is a bug in the LDAP module on Apache, so this setup is not 100% reliable.

We have this same setup, and single sign on works fine (users authenticate on the Apache Proxy - then open the Domino portal site (using ssl tunneling) - and are signed in automatically (well this actually doesn't work 100% of the time, but it works mostly)). I can't help you with the SSL client certificates, though!

cheers,

Tom
0
 
last (Author) commented:
Tom

It seems that you had set up the same thing.

My users will have to provide the Domino passwords after authenticating to the Apache. It is a portal for them.

But do you have SSL running on Domino or just on Apache?

Is your setup of the form:

Client---------HTTPS-------->Apache-----------HTTP----->Domino   ??

If yes, what do I need to do on Apache to forward the request to Domino in clear text and bring it back to the clients SSLed?

Thanks
0
 
Bozzie4 commented:
Just run SSL on Apache. We have the same setup (except for client certificates, we just run SSL without the client certs).

You need to install the reverse proxy modules on Apache (don't know exactly what they're called, but you'll find it quite easily).

cheers,

Tom
0
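
The layout discussed in this thread (TLS and client-certificate verification on Apache, plain HTTP from Apache to Domino), as an added example that is not part of any post above. It assumes Apache 2.4 with mod_ssl, mod_proxy and mod_proxy_http; the host names, file paths and backend address are placeholders.

```apache
# Added example: host names, certificate paths and the Domino address
# below are placeholders, not values from this thread.
LoadModule ssl_module        modules/mod_ssl.so
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

Listen 443
<VirtualHost *:443>
    ServerName webmail.example.com

    # TLS terminates on Apache; Domino itself runs HTTP only.
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/webmail.example.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl/webmail.example.com.key

    # Refuse the TLS handshake unless the browser presents a certificate
    # that chains to the CA in this file.
    SSLCACertificateFile  /etc/apache2/ssl/client-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth  1

    # Act as a reverse proxy only, never as an open forward proxy.
    ProxyRequests Off

    # Forward the whole URL space to Domino in clear text, so paths
    # outside the mail database are proxied as well.
    ProxyPass        / http://domino.internal.example:80/
    # Rewrite Location headers in Domino's redirects back to the
    # public HTTPS name.
    ProxyPassReverse / http://domino.internal.example:80/
</VirtualHost>
```

Because the Apache-to-Domino leg is unauthenticated HTTP, the Domino HTTP port should accept connections only from the proxy's address; otherwise the certificate check can be skipped by connecting to Domino directly.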
 
last (Author) commented:
Tom,

Appreciated, I will try running the Apache as a reverse proxy.
So you are running Domino on HTTP without (SSL) HTTPS?
And SSL is running only on Apache.

0
 
Bozzie4 commented:
Yes, that's the idea.

It works fine - but there are other products on the market that do the same.  They could be better in your case, especially if you need single sign on and ldap integration with domino (Websphere Edge server, for instance is built  on a simple Apache reverse proxy, but IBM changed some modules, so it works better with Domino LDAP)

cheers,

Tom
0
 
last (Author) commented:
Tom

Proxying works fine now.

But the mail users are not getting the Java applet buttons (new memo....etc) on their browsers when they log on to Domino!

Any idea?

0
 
Bozzie4 commented:
Have you considered using iNotes ?  That works fine, as long as you use the necessary rules in the reverse proxy.

To make the java applets work, they must be able to use the applets directory on the server too !  If that still doesn't work, use Mozilla to connect, and use the Sun java 2 SE console to see what it says there....

cheers,

tom
0
 
last (Author) commented:
Tom,

The users have no problems if they connect to the Domino webmail directly. The only thing is when they connect through the proxy they don't see the applets.

What is meant by "they must be able to use the applets directory"? Do you mean the applets directory in the Domino? Then the proxy should access it......

Pls provide more details...

Thanks,
last
0