Speaking at Engage: “Dev04. XPages and Office 365 development – more familiar than you think”

I am very proud to be speaking at the Engage 2016 User Group conference, in Eindhoven on March 24th.

Thursday, March 24 | 09:00 – 10:00 | D. Saturn

This is a very interesting session for me personally because it reflects how my job has allowed me to evolve into areas of development which are not just XPages. Don’t get me wrong, I am far from done with the XPages world, but with a lot of our customers having a mixed Domino and Office 365 environment the past year has presented some new challenges and opportunities.

I always believe that a picture is worth more than a thousand words and in this session I will show many demonstrations of what is possible and go into some details of how O365 development and modern Domino web development are really very similar.

I look forward to seeing as many people as possible bright and early on March 24th 🙂

Abstract

Many companies run a mixed IBM Notes and Microsoft Office 365 (O365) environment. SharePoint/Outlook and Domino should be viewed as a new opportunity to create rich and engaging user experiences. Using both IBM and Microsoft REST services as the core to the solution, this presentation will show how both technology stacks can be integrated to maximize application functionality and present a seamless experience to the user. Mark will provide lots of demonstrations including Office Web Add-Ins, how to access O365 data from your Domino applications and many others. Come and see how your core Domino webdev skills are equally applicable to the Office 365 environment.

Adding your Let’s Encrypt SSL certificate into your Domino keyring file

In this article I will show how to use a slightly modified version of the IBM help documentation to get your Let’s Encrypt issued certificate to work as the SSL certificate on your Domino server.

Introduction

Since the introduction of the R9.0.1FP3 server we have had the ability to load a TLS certificate into the Notes SSL keyring.kyr file. There is existing documentation on how to handle this using the new KYRTOOL and openssl, but those instructions are not entirely clear as to how they relate to Let’s Encrypt. This article is as much for my own edification and memory as anything else!

Part of the disconnect was that the instructions from IBM did not match the names of the files which were created for me by Let’s Encrypt. This community posting helped explain things – https://community.letsencrypt.org/t/how-to-get-crt-and-key-files-from-i-just-have-pem-files/7348/2

Existing IBM instructions

The following article from IBM shows how to create the certificate file using openssl: “Generating a keyring file with a third party CA SHA-2 cert using OpenSSL and KYRTool on a Windows workstation”.

In there you will find a link to download the kyrtool – I placed the win32 version in my Notes client installation directory (C:\Program Files (x86)\IBM\Notes)

Let’s Encrypt

If you follow the instructions in this article you can create your own Let’s Encrypt certificate .pem file(s).


I copied all the files into a c:\certs folder to prevent a lot of typing and to simplify my life.

You will need to download the root certificate and an intermediate certificate from Let’s Encrypt – https://letsencrypt.org/certificates/


Save the files into your c:\certs directory as root.pem and intermediate.pem

Make sure you get the Signed by ISRG Root X1 intermediate


Open a command window in your notes client directory by holding down SHIFT and right clicking on the folder


Open a second command window in the c:\certs directory

Copy the following and then right click into the command window

  • type privkey.pem cert.pem intermediate.pem root.pem > server.txt

Copy the following, go back to the C:\Program Files (x86)\IBM\Notes CMD window and right click again

  • kyrtool ="C:\Program Files (x86)\IBM\Notes\notes.ini" verify "C:\certs\server.txt"

You should get the happy message….


The final step is to import the new server.txt file into a new Notes keyring file.

Create a new keyring file by copying the following and right clicking into the C:\Program Files (x86)\IBM\Notes CMD window

  • kyrtool ="C:\Program Files (x86)\IBM\Notes\notes.ini" create -k "C:\Program Files (x86)\IBM\Notes\Data\keyring.kyr" -p password

Then import the server.txt file by again copying the following and right clicking in the C:\Program Files (x86)\IBM\Notes CMD window

  • kyrtool ="C:\Program Files (x86)\IBM\Notes\notes.ini" import all -k "C:\Program Files (x86)\IBM\Notes\Data\keyring.kyr" -i "C:\certs\server.txt"

You can now

  • take the keyring.kyr and keyring.sth files, copy them into the server’s data directory
  • Configure your website document (or server document) to use the keyring.kyr file
  • restart the http task on the server
  • and it should work….
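An added example, not part of the original post or IBM's documentation: a small Node.js check that can be run over server.txt before kyrtool verify. It assumes the bundle order used above (private key, then certificate, intermediate and root); the function names and the sample data are constructed for illustration.

```javascript
// Added example (not from the original post): sanity-check server.txt
// before handing it to kyrtool. Pure string checks, nothing is decrypted.
const PEM_RE = /-----BEGIN ([A-Z0-9 ]+)-----\r?\n([A-Za-z0-9+\/=\r\n]+?)-----END \1-----/g;
const KEY_LABELS = ['PRIVATE KEY', 'RSA PRIVATE KEY', 'EC PRIVATE KEY'];

// Split the bundle into { label, body } blocks in file order.
function parsePem(text) {
  return [...text.matchAll(PEM_RE)].map(m => ({
    label: m[1],
    body: m[2].replace(/\s+/g, ''), // normalise CRLF/LF so duplicates compare equal
  }));
}

// Returns { ok, labels, problems } for the concatenated bundle text.
function checkBundle(text) {
  const blocks = parsePem(text);
  const problems = [];
  const keys = blocks.filter(b => KEY_LABELS.includes(b.label));
  const certs = blocks.filter(b => b.label === 'CERTIFICATE');
  if (keys.length !== 1) problems.push(`expected 1 private key, found ${keys.length}`);
  else if (blocks[0] !== keys[0]) problems.push('private key is not the first block');
  if (certs.length !== 3) {
    problems.push(`expected 3 certificates (leaf, intermediate, root), found ${certs.length}`);
  }
  if (new Set(certs.map(c => c.body)).size !== certs.length) {
    problems.push('duplicate certificate in bundle');
  }
  if (blocks.length !== keys.length + certs.length) problems.push('unexpected PEM block type');
  // `type a b > c` glues files together when one lacks a trailing newline.
  if (/-----END [A-Z0-9 ]+-{10}BEGIN /.test(text)) problems.push('blocks run together on one line');
  return { ok: problems.length === 0, labels: blocks.map(b => b.label), problems };
}

// Constructed sample input: placeholder bodies, not real keys or certificates.
function sampleBlock(label, seed) {
  const body = Buffer.from(seed).toString('base64');
  return `-----BEGIN ${label}-----\n${body}\n-----END ${label}-----\n`;
}
const SAMPLE_OK = ['PRIVATE KEY', 'CERTIFICATE', 'CERTIFICATE', 'CERTIFICATE']
  .map((label, i) => sampleBlock(label, 'constructed-' + i)).join('');
```

To use it on the real file, read C:\certs\server.txt as text and pass the contents to checkBundle; an empty problems list means the bundle has the shape the steps above produce.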


Conclusion

In this article we have seen how to successfully import the Let’s Encrypt certificates into the Notes kyr file. This is only part of the story though. As the Let’s Encrypt certificates are only valid for 90 days, this is a laborious repetitive task to have to accomplish on that time frame. Now I know what I am doing, for my local server it shouldn’t take very long to re-do, but this is far from a production solution. I might try and batch file it, that would probably help. We’ll see how annoyed I get when my cert fails right before a client demo 🙂

Using Let’s Encrypt to create an SSL certificate for my Bluemix hosted web site

In this article I will demonstrate how to secure your custom domain IBM Bluemix web application by creating your own free SSL certificate using the https://letsencrypt.org/ certification authority.

Introduction

“Let’s Encrypt is a new Certificate Authority: It’s free, automated, and open. In Public Beta” (Feb 2016). Under the covers it uses openssl to create SSL certificates and as such there is no “Windows” interface for doing so. I used this opportunity to learn about VirtualBox, Ubuntu and other Linux related technologies. I set up a VirtualBox VM for Ubuntu by following the instructions posted here. I then went through a torrid two days of learning how to make Ubuntu work in VirtualBox, changing the resolution of the VM, learning new Linux commands and other weird and wonderful things.

This brought me to the point of being able to create an SSL cert for my Bluemix site.

If you create a website in Bluemix you get a blah.mybluemix.net hosted site as default. http://xominosocket.mybluemix.net is my socket.io chat example I keep running. You can also create your own “route” by clicking on the icon next to the domain at the top of your application dashboard.

I set an A record in my domain provider so that copper.xomino.com pointed at the bluemix IP address and the site appeared miraculously quickly within a few minutes. The site will work under SSL but the browser whines and complains about it.

The instructions on how to upload your own SSL certificate are posted here – https://developer.ibm.com/bluemix/2014/09/28/ssl-certificates-bluemix-custom-domains/. I followed a similar path and won’t repeat too much as this post is really about Let’s Encrypt.

Let’s Encrypt

As I was going through the documentation on how to use Let’s Encrypt the first problem I had was around the auto creation of a certificate. The code reaches out to the internet to check and see if you actually own the domain. When I did this the first time I got the following message telling me that it actually found my site has a certificate already for *.mybluemix.net. That is not surprising at this stage because I haven’t uploaded the correct certificate yet.


So I went the manual route and performed the following:

letsencrypt certonly --manual --email myemailaddress -d copper.xomino.com

This presented me with the following information.


For the manual process to work (to verify that I do in fact own the domain I am claiming to own) I have to make the very specific URL respond with a very specific answer.

To do this I set up a simple route manager in my node code

app.get('/.well-known/acme-challenge/kEEHfqWh8ur-rxYzIF0Ct8cnP_oGvqCXWZweMNDwbX4', function(req, res){
  res.send("kEEHfqWh8ur-rxYzIF0Ct8cnP_oGvqCXWZweMNDwbX4.PQf6X-2A2s213el2HHSOIMzTm2BLIBAtrEdXkFDPGIU");
});

Once checked into the repo and pushed to Bluemix, this then responded appropriately on the web site
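An added example, not the author's code: the same challenge route written once as Express-style middleware, so the token and response come from configuration instead of a hard-coded route per issuance. The names loadChallenges, challengeResponse, acmeChallenge and the ACME_CHALLENGES environment variable are assumptions; the sample value is the one shown in the post.

```javascript
// Added example: generic responder for the manual http-01 challenge.
const PREFIX = '/.well-known/acme-challenge/';
// Tokens are base64url strings; anything else in the path is rejected.
const TOKEN_RE = /^[A-Za-z0-9_-]+$/;

// Parse comma separated "token.thumbprint" values into a Map keyed by token.
function loadChallenges(spec) {
  const map = new Map();
  for (const item of (spec || '').split(',').map(s => s.trim()).filter(Boolean)) {
    const parts = item.split('.');
    if (parts.length !== 2 || !parts.every(p => TOKEN_RE.test(p))) {
      throw new Error('malformed key authorization: ' + item);
    }
    map.set(parts[0], item); // the response body is the full "token.thumbprint"
  }
  return map;
}

// Pure decision function: null means "not a challenge URL, let the app handle it".
function challengeResponse(path, challenges) {
  if (!path.startsWith(PREFIX)) return null;
  const token = path.slice(PREFIX.length);
  if (!TOKEN_RE.test(token) || !challenges.has(token)) {
    return { status: 404, body: 'not found' };
  }
  return { status: 200, body: challenges.get(token) };
}

// Express middleware wrapper around challengeResponse.
function acmeChallenge(challenges) {
  return function (req, res, next) {
    const r = challengeResponse(req.path, challenges);
    if (r === null) return next();
    res.status(r.status).type('text/plain').send(r.body);
  };
}

// Value shown in the post, used here as sample input.
const SAMPLE_KEY_AUTH =
  'kEEHfqWh8ur-rxYzIF0Ct8cnP_oGvqCXWZweMNDwbX4.PQf6X-2A2s213el2HHSOIMzTm2BLIBAtrEdXkFDPGIU';

// In the app (ACME_CHALLENGES is an assumed variable name):
// app.use(acmeChallenge(loadChallenges(process.env.ACME_CHALLENGES)));
```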

I hit Enter on the Ubuntu terminal prompt – et voila !!

As you can see from the above picture I was able to navigate to the folder and find the files. (BTW I had to chmod 777 -R the live folder because permissions were not created correctly when the files were generated by Let’s Encrypt)

Back in Bluemix I am now able to upload the cert.pem and privkey.pem through the manage domains option. As you can see from the image below – there is an insecure icon next to copper.xomino.com


Manage Domains


Once the upload is complete I was able to view the certificate


The route for the application now has a secure icon next to it



Within a few minutes I was then able to access the application using my SSL certificate successfully


Conclusion

Overall this was a relatively painless way of getting a free SSL certificate – and by painless I mean if you know what you are doing with an Ubuntu machine painless. If you don’t, expect a lot of googling. I think it is worth it to learn more about a new (to me) technology and I also have a nefarious docker based reason for learning Ubuntu for the future. This was just the start.

Certificates are only available for 3 months at a time right now – you can read more about the why here (https://community.letsencrypt.org/t/pros-and-cons-of-90-day-certificate-lifetimes/4621).