Configuration options for the Nomad server for Domino

Configure TLS using CertMgr on Domino

  1. Follow normal instructions for setting up a manual or Let's Encrypt certificate for the Domino server.
  2. Ensure that the document for the certificate configuration lists the current Domino server as usable.
  3. Ensure there is a replica of certstore.nsf on the Domino server you are configuring, and that it is up-to-date with any previous changes.
  4. Set the ini setting NOMAD_WEB_HOST on the Domino server to the hostname in your certificate.

    For example, if your Domino server's certificate hostname is domino.acme.com, use the console command: set config NOMAD_WEB_HOST=domino.acme.com. Wildcard certificates also work. If you have a wildcard certificate, use the wildcard hostname as the ini value.

  5. Re-launch the nomad task. For example: restart task nomad

Configuration file

You may place a nomad-config.yml file in your Domino data directory. This is a YAML file.

The values listed here, as indicated, are the default values. You do not need to set them unless you want to change them.

Setting the IP address and port to listen on

# these are the defaults
host: '0.0.0.0'
port: 9443

Setting the number of worker processes

Default: number of cores on your system

cluster:
  forks: 3

Configuring the session cookie

You can check here to see all available options.

If not set, the server generates a random secret on startup. This interferes with clustering. If you are (HTTP) clustering the Nomad server for Domino, you need to set the same session cookie secret on all servers.

Pick a random string for the secret. You may change this as often as you like. Changing the value invalidates everyone's session.

# these are the defaults
session:
  secret: # default: randomly generated 32 character value
  sameSite: lax
  secure: true

Configuring LTPA for use behind SafeLinx

If you have a custom cookie name, you can set this.

# these are the defaults
ltpa:
  cookieName: LtpaToken2

Configuring specific TLS options for the web server

You can see all possible values here.

In order to set secureOptions, use a string value representing a bitwise OR of the constant names that start with SSL_OP. For example: "SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1"

# these are the defaults
tlsOptions:
  ciphers: ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256
  honorCipherOrder: true
  secureOptions: SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1

Configure how frequently the server will check CertMgr for an updated certificate

Note: The server will not poll if it has not been set up to use CertMgr.

# these are the defaults
tlsPoll: 3600000 # one hour in milliseconds

Configure SAML

Configuring SAML is very similar to configuring SAML for SafeLinx. You need to supply your values here.

saml:
  issuer:
  claims:
    # Any claim you place here and map to a SAML claim will be read for the user
    # email: # default http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
  idp: # see https://github.com/node-saml/passport-saml#config-parameter-details
    entryPoint:
    cert:

For more information, see Nomad federated login in the Domino documentation.

Note: Administrators do not need to complete steps relating to "deploy.nsf" in Nomad federated login. Administrators can follow the instructions in Configure SAML authentication (in the SafeLinx documentation) with a few exceptions:
  • The config file in Step 4B is nomad-config.yml.
  • nomad-config.yml goes in the Domino data directory.
  • All of the config needs to be under a SAML property.
  • secret and port should not be used within the context of the SAML object.

Nomad federated login

For federated login to work, you must place your deploy.nsf at <nomad-files>/config/deploy.nsf.

<nomad-files> refers to the location where the Nomad for web browsers client files were unzipped when the Nomad server file was unzipped during Installation. By default, <nomad-files> is placed in <Domino program directory>/nomad-files/.

For more information, see Configuring Nomad federated login.

Configure TLS certificate

If you did not configure TLS using CertMgr (recommended), you can also configure the TLS certificate via the config file.

Note: The ca value may be omitted if your cert contains a full PEM chain.

ca: # file location or contents of the ca's certificate pem file
cert: # file location or contents of the certificate pem file
key: # file location or contents of the certificate key pem file
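The sections above on the session cookie secret, on the secureOptions string and on the ca/cert/key values each carry a rule that is easy to get wrong in a hand-edited file. The following is an added example, not code from HCL or the Nomad server, of a small check that reads the parsed contents of a nomad-config.yml and reports those mistakes; the parse_secure_options and lint functions and the sample config are constructed for this illustration, and a real file would first be loaded with yaml.safe_load().

```python
# Added example, not HCL's code; load a real nomad-config.yml with yaml.safe_load() first.
import ssl

def parse_secure_options(value):
    """Map the page's "SSL_OP_A | SSL_OP_B" string onto the matching ssl.OP_* flags.
    A token the ssl module does not know (e.g. a typo) raises instead of being ignored."""
    flags = 0
    for name in (token.strip() for token in value.split("|")):
        if not name.startswith("SSL_OP_") or not hasattr(ssl, name[4:]):
            raise ValueError(f"unknown OpenSSL option: {name!r}")
        flags |= getattr(ssl, name[4:])  # SSL_OP_NO_TLSv1 -> ssl.OP_NO_TLSv1
    return int(flags)

def lint(config, clustered):
    """Return a list of findings for the settings this page calls out."""
    findings = []
    session = config.get("session") or {}
    if clustered and not session.get("secret"):
        findings.append("session.secret unset: each server generates its own, "
                        "so sessions break across the cluster")
    if session.get("secure") is False:
        findings.append("session.secure=false: the cookie may travel over plain HTTP")
    tls = config.get("tlsOptions") or {}
    try:
        opts = parse_secure_options(
            tls.get("secureOptions", "SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1"))
        if not (opts & ssl.OP_NO_TLSv1 and opts & ssl.OP_NO_TLSv1_1):
            findings.append("secureOptions re-enables TLS 1.0/1.1")
    except ValueError as exc:
        findings.append(f"secureOptions: {exc}")
    cert = config.get("cert") or ""
    if (cert.startswith("-----BEGIN") and "ca" not in config
            and cert.count("-----BEGIN CERTIFICATE-----") < 2):
        findings.append("cert holds one PEM certificate and no ca is set: "
                        "the chain sent to clients may be incomplete")
    return findings

# Constructed sample: a clustered deployment that left session.secret at the
# default and trimmed secureOptions. The PEM body is a placeholder, not a real cert.
SAMPLE = {
    "host": "0.0.0.0", "port": 9443,
    "session": {"secret": "", "sameSite": "lax", "secure": True},
    "tlsOptions": {"honorCipherOrder": True, "secureOptions": "SSL_OP_NO_TLSv1"},
    "cert": "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n",
}

if __name__ == "__main__":
    for finding in lint(SAMPLE, clustered=True):
        print("finding:", finding)
```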