Configuration options for the Nomad server for Domino
Configure TLS using CertMgr on Domino
- Follow normal instructions for setting up a manual or Let's Encrypt certificate for the Domino server.
- Ensure that the document for the certificate configuration lists the current Domino server as usable.
- Ensure there is a replica of
certstore.nsfon the Domino server you are configuring, and that it is up-to-date with any previous changes. - Set the ini setting NOMAD_WEB_HOST on the Domino server
to the hostname in your certificate.
For example, if your Domino server's certificate hostname is
domino.acme.com, use console command:set config NOMAD_WEB_HOST=domino.acme.com. Wildcards certificates also work. If you have a wildcard certificate, use the wildcard hostname as the ini value. - Re-launch nomad task. For example:
restart task nomad
Configuration file
You may place a nomad-config.yml file in your Domino data directory.
This is a YAML file.
The values listed here, as indicated, are the default values. You do not need to set them unless you want to change them.
# these are the defaults host: '0.0.0.0' port: 9443
Setting the number of worker processes
Default: number of cores on your system
cluster: forks: 3
Configuring the session cookie
You can check here to see all available options.
If not set, the server generates a random secret on startup. This interferes with clustering. If you are (http) clustering the Nomad server for Domino, you need to set the same session cookie secret on all servers.
Pick a random string for the secret. You may change this as often as you like. Changing the value invalidates everyone's session.
# these are the defaults session: secret: # default: randomly generated 32 character value sameSite: lax secure: true
Configuring LTPA for use behind SafeLinx
If you have a custom cookie name, you can set this.
# these are the defaults ltpa: cookieName: LtpaToken2
Configuring specific TLS options for the web server
You can see all possible values here.
In order to set secureOptions, use a string value representing a bitwise OR of the
constant names that start with SSL_OP. For example:
"SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1"
# these are the defaults
tlsOptions:
ciphers: ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256
honorCipherOrder: true
secureOptions: SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1Configure how frequently the server will check CertMgr for updated certificate
# these are the defaults tlsPoll: 3600000 # one hour in milliseconds
Configure SAML
saml:
issuer:
claims:
# Any claim you place here and map to a SAML claim will be read for the user
# email: # default http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
idp: # see https://github.com/node-saml/passport-saml#config-parameter-details
entryPoint:
cert:- The config file in Step 4B is nomad-config.yml.
- nomad-config.yml goes in the Domino data directory.
- All of the config needs to be under a SAML property.
- secret and port should not be used within the context of the SAML object.
Nomad federated login
For federated login to work, you must place your deploy.nsf at
<nomad-files>/config/deploy.nsf.
<nomad-files> refers to the location where the Nomad for web
browsers client files were unzipped as part of the Nomad server file being unzipped
in Installation. By default, <nomad-files>
are placed in <Domino program directory>/nomad-files/.
For more information, see Configuring Nomad federated login.
Configure TLS certificate
If you did not configure TLS using CertMgr (recommended), you can also configure the TLS certificate via the config file.
ca value may be omitted if your
cert contains a full pem chain.ca: # file location or contents of the ca's certificate pem file
cert: # file location or contents of the certificate pem file
key: # file location or contents of the certificate key pem file