Domino, Proton, IAM, OAuth - Part 2: Domino Administration

Monday, February 18, 2019 at 10:25 AM UTC

This part of the series is all about Domino admin. The Proton docs refer to it here and there, but you can prepare everything before you even start with the fancy stuff. I assume you have general knowledge of Domino administration and of using the Admin client.

In general: please refer to the official documentation for Domino administration. Make sure you use Admin client 9.0.1FP10 or newer to create the ID Vault - it won’t work with FP7. I am not sure about FP8 or FP9, but if you experience trouble when finalizing the ID Vault setup, your client may be too old.


  • general: do not use spaces in your policy names or for the ID Vault name!
  • Set up an organizational policy
    • if you plan to have other policies, this one should just be used for the technical users
    • of course you can also use an explicit policy, but I am a lazy guy who saves some clicks in the registration dialog ;-)
  • Add a registration policy
    • choose your new server as registration server
    • no mail
    • password strength to whatever, I prefer a weak one for technical users - passwords don’t matter here anyway
    • enable "set internet password"
  • Add a security policy
    • no special settings needed
  • add the two new policies to your organizational policy and save it
  • issue a "tell adminp proc new" and "tell adminp proc policies" on the server console
  • Set up ID Vault
    • select your org, admin user and the policy you created before (choose "edit an existing policy")
    • have the that was created or used during the server configuration process ready and the password
  • Grab an SSL certificate (I recommend LE4D to do it)
    • this is a whole chapter, please refer to other instructions or use LE4D (
    • or use a self-signed SSL cert - for testing it is ok to do so, but not in production!
  • Set up an Internet Site for your server and use the SSL cert
    • this is needed as you also will add LDAP
  • Set up LDAP for your server and use the same SSL cert as you used with HTTP
    • it’s up to you to offer LDAPS (LDAP with SSL) or not, it’s not important for IAM

Proton and IAM need at least 3 technical users:

  • an LDAP admin account (CN=ldapadmin) for IAM LDAP configuration
  • a so called IAM Accessor (CN=IAMAccessor) account (for registration of further OAuth enabled apps)
  • a test account called app1 (CN=app1) for client certification authentication tests

Make sure that the registration dialog displays the organizational policy you set up before and that ID Vault is enabled (though greyed out) in the ID Info tab. After registering the 3 users you should find them in the DD as well as in the ID Vault. You don’t need the ID files themselves for the upcoming steps, as you will never log in with a Notes client with these accounts; these are technical accounts. To create those simplified names, just use the lastname field.

We will return to Domino admin later, once we have created certificates, but for now we are done.

Next up is part 3: Certs & Keys







Latest comments to this post

Oliver Busse wrote on 20.02.2019, 23:37


You want to explain this in detail or you ask me to explain it? To get started I suggest the official documentation on Domino Administration I mentioned. If you are seeking help in general I'd recommend to contact a local business partner (or us of course) or seek help in the OpenNTF Slack channel for "domino-admin". There are people who can help, too.

Johan Arroyo wrote on 20.02.2019, 23:32

Thank you for your publications.

Is there a possibility that I explain these points a little more in detail, for those of us who do not have as much experience in the Domino Administration?

I am interested in this topic.

Thank you!
