Domino AppDevPack 1.0.12, Failed to startup IAM Services, wrong proton key format

Question

The certificates are created according to the tutorial. https://classroom.google.com/c/MTEzNTE1MDAxNDc4/a/MTE1NDA5MjkzOTM3/details

openssl genrsa -aes256 -out iamserver.key 2048
openssl req -new -out iamserver.csr -key iamserver.key -nodes -config iamserver.cnf
result file of iamserver.cnf
Country Name (2 letter code) []:TW
State or Province Name (full name) []:New Taipei City
Locality Name (eg, city) []:Linkou
Organization Name (eg, company) []:Org
Common Name (e.g. fully qualified host name) []:iamserver.org.com

openssl x509 -passin pass:rootPassword -req -days 3650 -in iamserver.csr -CA ca.crt -CAkey ca.key -out iamserver.crt -CAcreateserial -CAserial ca.seq -sha256 -extfile ssl-extensions-509.cnf

create a file called clientauth.txt and put the following statment into file, save and exit: extendedKeyUsage=clientAuth

openssl x509 -passin pass:rootPassword -req -days 3650 -in iamapp.csr -CA ca.crt -CAkey ca.key -out iamapp.crt -CAcreateserial -CAserial ca.seq -sha256 -extfile clientauth.txt openssl x509 -in iamapp.crt -text -noout -certopt no_pubkey,no_sigdump

openssl x509 -passin pass:rootPassword -req -days 3650 -in iamapp.csr -CA ca.crt -CAkey ca.key -out iamapp.crt -CAcreateserial -CAserial ca.seq -sha256 -extfile clientauth.txt
Certificate request self-signature ok
subject=O = Org, CN = IAMAccessor

C:\domino-iam-service>npm start setup

> domino-iam-service@2.2.0 start
> cross-env NODE_ENV=production node iam-server.js "setup"

WARNING: NODE_ENV value of 'production' did not match any deployment config file names.
WARNING: See https://github.com/lorenwest/node-config/wiki/Strict-Mode
[13:04:44][info][configStore][master]: No configurations found in configuration directory
Welcome to IAM Setup
? Choose setup mode Production.
-------------------------
? IAM Admin username: admin
? Enter IAM Admin password: ********
? Enter IAM Admin password again: ********
Admin password is set successfully

? Enter IAM server password: ********
? Enter IAM server password again: *******Password Not Match!
? Enter IAM server password again: ********
Server password is set successfully

------------------------
About to config The URL of the issuer.
? IAM Service ISSUER: https://iamserver.org.com:9443/

Following configuration have been input for The URL of the issuer --

issuer - https://iamserver.org.com:9443/

? Confirm? Yes


------------------------
About to config Address Settings.
? IAM service's host(leave as '[default]' to accept the request from all network interfaces):
? IAM service's port: 9443
? ADMIN service's host(leave as '[default]' to accept the request from all network interfaces):
? ADMIN service's port: 8443

Following configuration have been input for Address Settings --

IAM service's host - [default]
IAM service's port - 9443
ADMIN service's host - [default]
ADMIN service's port - 8443

? Confirm? Yes


------------------------
About to config SSL Settings.
? IAM server's SSL key file path (relative to 'config/certs' folder): config/certs/iamserver.key
? Server's SSL key password: **********
? Server's SSL cert file path (relative to 'config/certs' folder): config/certs/iamserver.crt

Following configuration have been input for SSL Settings --

IAM server's SSL key file path - config/certs/iamserver.key
Server's SSL key password - ***
Server's SSL cert file path - config/certs/iamserver.crt

? Confirm? Yes


------------------------
About to config Storage Settings.
? Hostname of the Domino server: serv.org.com
? Domino's Proton service port: 3002
? IAM's storage nsf file path, a relative path to Domino data path: iam-store.nsf
? IAM's Proton client cert key file path (relative to 'config/certs' folder): config/certs/iamapp.key
>> Only RSA key is support for proton!

At the backend, with the folwoing error:
> load certmgr -d
[1B3C:0002-006C] CertMgrDebug: Starting CertMgrClientModeAndSetup
[1B3C:0002-006C] CertMgrDebug: CertMgr Server in Global Config: [CN=Serv/O=Org]
[1B3C:0002-006C] CertMgrDebug: Ensure CertMgr [CN=Serv/O=Org] is set in Domino Directory
[1B3C:0002-006C] CertMgrDebug: Domino Directory Admin-Server: [CN=Serv/O=Org]
[1B3C:0002-006C] CertMgrDebug: Yes we are the admin server and Domino Directory was requested
[1B3C:0002-006C] CertMgrDebug: Access-Level Domino Directory: 6
[1B3C:0002-006C] CertMgrDebug: CertMgr server already set in Domino Directory [CN=Serv/O=Org]
[1B3C:0002-006C] 2022/07/13 下午 12:58:10  CertMgr: Certificate Manager started
[0518:0005-0A4C] 2022/07/13 下午 12:58:15.07 PROTON> SessionCache::prune: enter
[0518:0005-0A4C] 2022/07/13 下午 12:58:15.07 PROTON> SessionCache::prune: exit
[06A8:0002-07E0] 2022/07/13 下午 12:58:30  AMgr: Error executing agent 'DeleteExpiredDocs' in 'iam-store.nsf'. Agent signer 'Domino Template Development/Domino': You are not authorized to perform that operation
[0518:0005-0A4C] 2022/07/13 下午 12:58:30.27 PROTON> SessionCache::prune: enter
[0518:0005-0A4C] 2022/07/13 下午 12:58:30.27 PROTON> SessionCache::prune: exit
[1B3C:0004-057C] Clearing DBIID F9618430 for DB C:\HCL\Domino\Data\certstore.ORIG
[1B3C:0004-057C] CertMgrDebug: Formula: [(FORM = {DnsProvider}) & (STATUS != {0})]
[1B3C:0004-057C] CertMgrDebug: Formula entries found: 0
[1B3C:0004-057C] CertMgrDebug: DNS provider entries found: 0
[1B3C:0004-057C] CertMgrDebug: DNS provider entries updated: 0
[1B3C:0004-057C] 2022/07/13 下午 12:58:42  Recovery Manager: Assigning new DBIID for C:\HCL\Domino\Data\certstore.nsf (need new backup for media recovery).
[1B3C:0004-057C] CertMgrDebug: Item[Status] []: 0
[1B3C:0004-057C] 2022/07/13 下午 12:58:42  CertStore: Database compacted [certstore.nsf] - 0 percent recovered
[1B3C:0004-057C] CertMgrDebug: Formula: [( (FORM = {KeyFile}) & ((STATUS = {O}:{S}) | ((STATUS = {I}) & (@Now > CertNextRenewTimedate))) )| ( (FORM = {Certifier}) & (STATUS = {O}) )]
[1B3C:0004-057C] CertMgrDebug: Formula entries found: 0
[1B3C:0004-057C] CertMgrDebug: Formula: [(FORM = {KeyFile}) & (STATUS != {})]
[1B3C:0004-057C] CertMgrDebug: Formula entries found: 0
[1B3C:0004-057C] CertMgrDebug: Health-Check did not find any document
[1B3C:0004-057C] CertMgrDebug: Formula: [(FORM = {ArchiveKeyFile}) & (@Adjust(@Now;0;0;-30;0;0;0) > CertExpires)]
[1B3C:0004-057C] CertMgrDebug: Formula entries found: 0
[1B3C:0004-057C] CertMgrDebug: Formula: [(FORM = {ArchiveKeyFile}) & (StatusKeyfile != 4) &(@Now > CertExpires)]
[1B3C:0004-057C] CertMgrDebug: Formula entries found: 0
[1B3C:0004-057C] 2022/07/13 下午 12:58:42  CertMgr: Active DNS providers: 0
[1B3C:0004-057C] 2022/07/13 下午 12:58:42  CertMgr: Root CA Certificate File: [C:\HCL\Domino\Data\cacert.pem]
[0518:0005-0A4C] 2022/07/13 下午 12:58:45.49 PROTON> SessionCache::prune: enter
[0FA4:0002-02E4] 2022/07/13 下午 01:11:02  Directory Cataloger error processing  in database entitlements.nsf: 02:1B
[0B74:005C-1944] 2022/07/13 下午 01:11:05  Integrity check failed for ID Vault O=serv-org-vault: No Policy Settings found that use vault /serv-org-vault: Invalid or nonexistent document
[0B74:005D-1A44] 2022/07/13 下午 01:11:05  Integrity check failed for ID Vault O=serv_org_vault: No Policy Settings found that use vault /serv_org_vault: Invalid or nonexistent document
[0B74:005B-1168] 2022/07/13 下午 01:11:05  Integrity check failed for ID Vault O=serg_vault: No certifiers found that trust vault /serg_vault: Invalid or nonexistent document
[0B74:005B-1168] 2022/07/13 下午 01:11:05  Integrity check failed for ID Vault O=serg_vault: No certifiers that trust vault /serg_vault trust any password resetters: Invalid or nonexistent document
[0B74:005B-1168] 2022/07/13 下午 01:11:05  Integrity check failed for ID Vault O=serg_vault: No Policy Settings found that use vault /serg_vault: Invalid or nonexistent document

At the Domino Server, I got 3 error messages. 1)

CertStore: LDAP: Cannot find TLS Credential for [server1.kyr] (RSA: 1, ECDSA: 1) : Entry not found in index

 Invalid cipher(s) seen for server CN=Serv/O=Org

AMgr: Error executing agent 'DeleteExpiredDocs' in 'iam-store.nsf'. Agent signer 'Domino Template Development/Domino': You are not authorized to perform that operation

score 0 · Answer 1 · answered Jul 13 '22 at 13:51

0

3 - Ok so going from the bottom up: AMgr: Error executing agent 'DeleteExpiredDocs' You either need to allow the HCL Software Signer to run in your environment or sign the database with a signer that's allowed to run code in your environment.

2 - I need more context for what this error is... is it related to the error in 1?

1 - This is telling me that the CertMgr is trying to serve a certificate for your LDAP connection, but you have no certificate in CertMgr. I will have to check internally, but I'm not sure this is a blocking error.

Can you try maybe using LDAP without TLS?

answered Jul 13 '22 at 13:51

ddumont

583
3
14

It also looks like your vault is not configured correctly – ddumont Jul 13 '22 at 13:52
I am not sure, if my vault is not configured correctly. – Cora Kwok Jul 13 '22 at 17:05
However, I changed to use all the cert and key in .pem format, and change to use the proton key created by protonMicroCA, the setup without error. – Cora Kwok Jul 13 '22 at 17:08
However, when try to run, it result error. – Cora Kwok Jul 13 '22 at 17:08

Domino AppDevPack 1.0.12, Failed to startup IAM Services, wrong proton key format

1 Answers1