Administration Guide - OHDomino
OpenHand Server for Lotus Domino v5.4 Administration Guide
Table of contents
- OpenHand Server for Lotus Domino v5.4 Administration Guide
- Table of contents
- Hardware Requirements
- Minimum x86 hardware Requirements (concurrent users < 100)
- Recommended x86 hardware Requirements (100 < concurrent users < 500)
- Recommended x86 hardware Requirements (concurrent users > 500)
- Other hardware platforms
- Software Requirements
- OpenHand Server structure.
- Connection/Communication scenario.
- Installation.
- Lotus Domino preparation steps
- DIIOP service.
- Network and Firewalls.
- OpenHand clients connections.
- OpenHand server connections.
- OpenHand Front- and Back-end connections.
- The Primer Tool.
- The OpenHand Users database
- Address book access
- First time set-up
- Unread/Read agent (optional)
- Preparing Lotus Domino Server.
- Enabling read/unread marks
- Configuration.
- Manual configuration.
- The Configuration Tool
- General description
- Editing the default configuration files
- Editing other configuration files
- Importing old configuration files
- Configuration files, file sections and variables
- Installation Notes
- First connection from OpenHand server to Lotus Domino
- Installation methods
- HTTP service.
- Interesting Lotus Documents
- Contact information
- Appendix A - Enabling DIIOP
- Appendix B - Creating an OpenHand user on the Domino server
Hardware Requirements
Minimum x86 hardware Requirements (concurrent users < 100)
OpenHand Software recommends the following minimum dedicated server specification (100 concurrent users and below):
- IBM Compatible PC
- 1 GHz Intel Pentium 4 Processor or Equivalent
- 512 MB RAM
- 500 MB Free Disk Space
- 10/100 Mb Network Card
Recommended x86 hardware Requirements (100 < concurrent users < 500)
For a high usage OpenHand Server, the suggested dedicated server specification should be (100+ concurrent users):
- IBM Compatible PC
- 2GHz Intel Pentium 4 Processor or Equivalent (Dual if possible)
- 1GB+ MB RAM
- 1GB MB Free Disk Space
- 100/1000 Mb Network Card
Recommended x86 hardware Requirements (concurrent users > 500)
For a high usage OpenHand Server, the suggested dedicated server specification should be (100+ concurrent users):
- IBM Compatible PC
- 2GHz Intel Pentium 4 Processor or Equivalent (Dual if possible)
- 4GB+ MB RAM
- 10GB MB Free Disk Space
- 1000 Mb Network Card
Other hardware platforms
OpenHand Server runs comfortably on any hardware platforms with Operating Systems that supports Java 2 SE 1.6 or later (JRE or JDK). It has been used on Windows, Unix, Linux and IBM iSeries. It should run on all common Unix systems and mainframes.
Software Requirements
Operating System
OpenHand Server runs on any Operating System supporting Java 2 Platform Standard Edition version 1.6 or later.
For example:
- Any 32-bit Microsoft Windows desktop or server operating system.
- Most newer Unix and Linux systems
- Most newer IBM iSeries systems.
Java Runtime Environment.
OpenHand Server runs on any Java 2 Platform Standard Edition version 1.6 or later.
It does not use any GUI classes (AWT, Swing or other) so it can run on Java server runtimes. Using Java server runtimes makes OpenHand Server run faster and use fewer resources. The Sun Java 2 Windows JDK runtime includes a server runtime version, while the JRE one does not. Unix Java runtime usually includes a server version.
The Sun Java runtime uses the server runtime version if it is given the -server flag on startup.
Other Java runtimes found to work include the IBM Java Runtimes and the BEA WebLogic Jrockit(TM) Java Runtimes.
All OpenHand Server startup options assume that -server is not supported, but the server runtime can easily be enabled.
Lotus Domino.
OpenHand Server supports Lotus Domino version 6.0.3 and 6.5.1 or newer.
The Lotus Domino built-in DIIOP server task must be running.
For OpenHand Server to work the NCSO.jar Java library found in the Domino/Data/domino/java directory on the Domio server must be copied to the jlib directory of the OpenHand Server installation.
OpenHand Server structure.
The OpenHand Server system contains at least tree types of components:
- One Frontend.
- One Usermaster.
- One or more Backends.
- Optional Files Service.
In most installations all the components reside on the same server machine and in the same Java Runtime Environment. We say the Usermaster, Backend and Files Service run internally with the Frontend, in this case you will see the hostname for the Usermaster, Backend and Files Service specified as internal.
Often you will want to have the components run on different server machines, usually to have the Frontend running in a DMZ, i.e. within an outer firewall but outside an inner firewall, but the Usermaster, Backend and Files Service within the inner filrewall where the Domino server and FTP server (for the Files Service) are placed.
You can also set up extra Backends close to Domino Mail servers at remote sites.
The OpenHand Frontend.
OpenHand clients connect to the OpenHand Frontend.
The Frontend delegates user authentication to the Usermaster but handles the low level implementation of the initial challenge/response encryption setup and the following en- and decryption of communication between the clients and the OpenHand server. The Frontend also handles persistent connections from clients.
After the initial connection setup and authentication all client communication is forwarded to the appropriate Backend.
The OpenHand Server Frontend receives connection requests from OpenHand clients on IP-port 10622 (configurable). After the TCP-connection to the client has been established and the first client request has been received, the Frontend will contact the OpenHand Server Usermaster to get basic OpenHand user information and then use that information to connect to the correct OpenHand Backend, using the password received from the client to log into the Domino server on belhalf of the connecting user.
The OpenHand Usermaster.
The OpenHand Usermaster maintains OpenHand user information in a Lotus Domino database. Upon an authentication request from the Frontend the Usermaster will look up the username first in the Domino servers directory (names.nsf) and then in the OpenHand User Database. If the user is both a valid Domino and OpenHand user it returns enough information so
- Frontend can set up en-/decryption to the clients and connect to the correctct Backend.
- Backend can connect to the correct Domino server as the user specified and knows the OpenHand user privileges.
The OpenHand Server Usermaster receives connection requests from the Frontend either internally (when Usermaster and Frontend are then running on the same machine), or on IP-port 10624 (configurable) if the Frontend and Usermaster are running on different machines.
For the Usermaster to function as an OpenHand User Database, OpenHandUsers.nsf (configurable), must be installed on a Domino server whose Domain Directory (names.nsf) contains information on all Domino users which will be using OpenHand. The Usermaster should be set up on the same Local Area Network as the Domino Server containing the Domain Directory and OpenHand User Database, and could even be located on the same machine.
The Usermaster uses the Domino Domain Directory to find the real Domino user name and mailserver of the OpenHand client user. The users mailserver name is used to select which Backend the Frondend should connect to and which Domino server the Backend should connect to on behalf of the OpenHand client..
The Usermaster returns other user information from the OpenHand User Database to the Frontend, some of which is used by the Frontend, while the rest is forwarded on to the Backend.
The OpenHand Backend.
The _OpenHand Backend_s read and write to the users mail, address book, calendar and task information in a Lotus Domino server. It also talks to the OpenHand Files Service if present.
The OpenHand Server Backend receives connection requests from the Frontend either internally or on IP-port 10623 (configurable) if the Frontend and Backend are running on different machines.
The Backend does all the real work of OpenHand Server, reading and updating the Domino users mail database and sending information back to the client. The Backend should be set up on the same Local Area Network as the Domino servers it connects to, and could even be located on the same machine.
The OpenHand Files Service.
The OpenHand Files Service allows OpenHand clients access to parts of file systems through the OpenHand protocol. The current Files Service implementation uses an FTP server for access to the file system.
One common set-up is to have the OpenHand Server run all three parts in one Java runtime on one machine for installations that use only one Domino server and one Firewall, effectively working as one program.
Another common setup is to have the Frontend running in the DMZ and the Usermaster and the single Backend running together inside the inner firewall along with the Domino server.
 | NOTE It is very important that the Usermaster and Backends are on the same fast Local Area Network as the Domino servers they connect to. The Lotus Domino NCSO.jar library we use to communicate with the Domino server is very sensitive to network speed and especially latency. The OpenHand Frontend and Backends can be in different continents without adversly affecting clients. |
Connection/Communication scenario.
The following is a general overview of a typical OpenHand client/server scenario. The initial challenge/response mechanism and the persistence mechanism are not described here
- An OpenHand client connects to the OpenHand Server Frontend sending a message containing a Domino username or alias and an Internet Domino password.
- The whole message, excluding the username, is encrypted using the security key.
- The Frontend sends the unencrypted username to the Usermaster.
- The Usermaster looks in the Domino Domain Directory for the Domino user with the specified username or alias and which mailserver he uses.
- The Usermaster looks in the OpenHand User Database user table to see if the Domino user is also an OpenHand user.
- The Usermaster looks in the OpenHand User Database user table (and sometimes the group table) for other user information including the users security key, permissions and to which Backend the user should connected to, and to which Domino server the Backend should connect to.
- The Usermaster sends the Security Key, Backend specification, Domino server specification and other user information back to the Frontend.
- The Frontend uses the Security Key received from the Usermaster to decrypt the rest of the client message, including the Domino password.
- The Frontend uses the Backend specification received from the Usermaster to connect to the correct Backend, forwarding the Usermaster supplied Domino server specification and the client supplied password and message.
- The Backend connects to the Domino server specified and logs into Domino using the client supplied username and password.
- The Backend performs the Domino server operations the client requested and sends the results back to the Frontend.
- The Frontend forwards the results from the Backend to the OpenHand client.
- The OpenHand client, Frontend and Backend exchange messages until the session is closed.
Installation.
See the "Quick Windows Install" or "Quick Unix Install" documents.
Lotus Domino preparation steps
Users using RSA SecurIDĀ® authentication
Make sure to carry out the following additional steps when using RSA SecurId for authentication with OpenHand for Lotus Domino:
 | sdconf.rec Copy a sdconf.rec obtained from the data directory of the RSA ACE server install directory to the config directory of your OpenHand server. |
The OpenHand server acts as an agent against the RSA ACE server and thus the RSA server needs to be configured to allow agent connections from the host running the OpenHand server. In addition, one needs to set up a shared node secret between the agent (OpenHand server) and the RSA ACE server. The secret file should be created automaticly the first time the OpenHand server connects to the RSA ACE server if no other agent has connected from this node.For information on how to make a node secret file and allowing agent connections, please refer to the RSA ACE server admin guide. The secret file should be named securid and be located in the config folder of the OpenHand server directory.
In the OpenHand user database, please set "User must use RSA SecurID authentication" to true either for individual users or the appropriate user group.
Note: Users must log into OpenHand using the user name registered as default login in the RSA ACE server, make sure this user name is registered in Lotus Domino.
DIIOP service.
The OpenHand Server uses the Lotus NCSO.jar library to communicate with the Domino server.
The NCSO.jar library, in turn, uses the industry standard CORBA
mechanism to talk to the Domino servers DIIOP service (i.e. Domino IIOP service, IIOP is the protocol used by CORBA for remote object communication).
For OpenHand Server to work, in fact any program that uses CORBA to communicate with the Domino server, the DIIOP service built into the Domino server must be enabled. For information on how to enable DIIOP see the Lotus Domino Administrator Help. For a rudimentary description of the process see the Appendix B: Enabling DIIOP.
NOTE: Make sure you add the DIIOP service to the ServerTasks line in notes.ini file (located in the ...\Lotus\Domino directory on Windows), otherwise the DIIOP service won't be automatically enabled when the Domino server is restarted.
Lotus Domino User Password.
OpenHand Server uses the users Domino Internet password to log in, the same passwords Lotus iNotes uses.These can (and should) be different from the internal Domino one.
| CORBA CORBA is the acronym for Common Object Request Broker Architecture, OMG's open, vendor-independent architecture and infrastructure that computer applications use to work together over networks. Using the standard protocol IIOP, a CORBA-based program from any vendor, on almost any computer, operating system, programming language, and network, can interoperate with a CORBA-based program from the same or another vendor, on almost any other computer, operating system, programming language, and network. (From the Object Management Groups website, OMG is the CORBA standardisation body. See http://www.omg.org) |
Network and Firewalls.
OpenHand clients connections.
OpenHand clients connect to the OpenHand Server from the Internet on TCP port 10622 by default. The port number can be changed in OHDFrontend.config using the Configuration Tool (or a text editor, openhand.client.port variable).
Potential firewalls between the Internet and the OpenHand server must allow connections from the Internet to this port on the machine running the OpenHand server.
OpenHand server connections.
The OpenHand Server (Backend, see below) connects to the Lotus Domino server DIIOP service on port 63148 by default. If the port number is changed in the Domino Administrator program it must be changed also in the OHDUsermaster.config using the Configuration Tool (or a text editor, openhand.domino.usermaster.ior.port variable).
Note that the openhand.domino.usermaster.ior.host/port variables are only used by OpenHand to get the real host/port of the Domino server (see HTTP service section above).
Potential firewalls between the OpenHand server and the Lotus Domino server must allow connections from the OpenHand server to this port on the machine running the Lotus Domino server, see the next section for exceptions.
OpenHand Front- and Back-end connections.
The OpenHand Server can be run in two or more parts, the Frontend which clients connect to, a Usermaster used for authentication and one or more Backends which connect to Lotus Domino servers on behalf of lthe user. The Frontend connects to remote Backends on port 10623 by default. The Backend host port number can be changed in OHDBackend.config using the Configuration Tool or a text editor (openhand.domino.backend.port variable).
The most common reason for running the OpenHand server in two parts is to be able to run the Frontend on a DMZ but the Domino server is on a MZ and you don't want to open connections to the DIIOP service from the DMZ.
Potential firewalls between the OpenHand Frontend and the OpenHand Backend must allow connections from the OpenHand Frontend to this port on the machine running the OpenHand Backend.
The Primer Tool.
OpenHand Server Primer Tool is used to check if the Domino server, and especially the DIIOP service, have been set up correctly for OpenHand to work.
To start the tool either double-click the OHDPrimerTool.jar or run the OHDPrimerTool.bat on Windows or OHDPrimerTool.sh on Unix. You can also give the command java -jar OHDPrimerTool
Here are some figures from a typical run of the Primer Tool:
The OpenHand Users database
The OpenHand Server ships with a user database template. A OpenHand User database must be created from this template on the Lotus Domino server that is being used by the OpenHand Usermaster. This database is used by OpenHand for individual user settings and to manage who is allowed to use OpenHand.
User Database Tables
Mail server mapping
Mail server mapping maps a Lotus Domino mail server to an OpenHand Backend.
| Field | Description |
|---|---|
| Mail server | A Lotus Domino mail server. All users using the selected mail server will connect through the OpenHand Backend configured below. |
| (OpenHand Backend) Host | The OpenHand Backend server DNS name or ip-number as seen from the OpenHand Backend if set to "internal" the Backend runs within the OpenHand Frontend |
| (OpenHand Backend) Port | The OpenHand Backend port. |
| (OpenHand Backend) unread count agent database | Path to the database where to execute the count unread messages agent from. If left blank unread messages will not be counted. |
| Lotus Domino host | The Lotus Domino servers (selected in "Mail server") DNS name or ip-number as seen from the OpenHandBackend above. |
| Lotus Domino port | The Lotus Domino servers port. |
| Lotus Domino IOR | Optional. The Lotus Domino servers IOR string. If specified overrides the Lotus Domino Host and Port settings. |
Groups
OpenHand users can be divided into groups. A group sets all the default settings for its users, each users settings can be set to override the group settings.
| Field | Description |
|---|---|
| Group name | The name of the group. |
| User is enabled | This enabled or disables the users in this group, disabled users can not log in to OpenHand and are not counted as a part of the license number. |
| Users security key | This sets the encryption key for the users in this group, the key must match the encryption key on the users client. |
| Users must use challenge response login | This should always be used |
| User must use RSA SecurID authentication | Set if users must use RSA SecurId to login |
| User can save password | Set if users can save their password on the clients. |
| User can use attachments | Set if users can send/receive attachments |
| User can save to local folders | Set if users can save information to their local folders. |
| User can take snapshot of servers contact directory | Set if user can take a snapshot of all contacts in Domino servers directory. |
| User can use files services | Set if users can use the files services |
| User can take snapshot of server contact directory | Set if users can take snapshots of the server contact/user directory. Warning: Enabling this can cause the server to run out of memory. |
| Reverse mail order | Set to true if the oldest email appears at the top of the email list in the clients. |
| Users timezone | The timezone the users are in. The default is the servers timezone. Note: Instead of selecting "Local time" you should check "Server timezone" |
| Users address books | The address books the users can access. The topmost will be the users default Address Book in OpenHand Clients. |
| Mail template type | If the mail template is a customization of a standard template and the template name has been changed, then select ''"Renamed" ''and enter the standard template name in the textbox. Ex. if your template is based on ''iNotes6'' then enter ''iNotes6.'' |
| View other peoples calendar | List of users members of this group will be able to view in OpenHand clients. |
| Special settings | Do not change this unless advised to do so by the OpenHand technical support. |
Address book definitions must be of the form: database;access;view;sort_index}}where: {{database is the path of the database containing the address book (from the Domino data directory). If database file is on a different Domino server, prepend the server name and !! to the database name.
Use ${mail} for the users mailfile access is the access right the user has to the address book view is the view to read the contact list from sort_index is the index of the contacts name column in the view (must be sorted).
Example: names.nsf;R;People;1 gives the user read access to the global address book
Enter a list of address books, one on each line
 | Custom address books If a entry for a custom address book is added then that address book must be of the same format as names.nsf, otherwise data integrity is not guaranteed. |
Users
Every Lotus Domino user that should have access to OpenHand has to be added to the OpenHand user database.
| Field | Description |
|---|---|
| User name | The users name, imported from the Lotus Domino names directory |
| Group | The group the users inherits its default settings from. |
Other fields have the same meaning as for groups.
Settings for users can override group settings by setting the explicitly. "Group" or empty settings mean that that setting is inherited from the group.
Address book access
OpenHand both access standard address books (address books that are on the same format as names.nsf) and custom address books.
Accessing standard address books
Standard address books like the Lotus Domino user directory and the private address book synchronized to the users mail file can be accessed simply by adding a definition "Users address books" field.
Address book definitions must be of the form: database;access;view;sort_index where:
- database is the database containing the address book (from the Domino data directory). If database file is on a different Domino server, prepend the server name and !! to the database name. Use ${mail} for the users mail file
- access is the access right the user has to the address book
- view is the view to read the contact list from
- sort_index is the index of the contacts name column in the view (must be sorted).
Example: {{names.nsf;R;People;1 }} gives the user read access to the global address book
Enter a list of address books, one on each line
Accessing custom address books
Warning: For now this is experimental only.
To access custom address books it is necessary to import the "(Contact list view)" view from the OpenHand user database into the address book database and implement the appropriate columns in it.The view can be renamed to any name but the name must end with _ohc (ex. openhand_ohc).
Only the first column (name) is required to be implemented but all columns must return a value even though they are not used, an empty string for unused columns.
The first and second column must be sorted.
Note that the empty string can not be a constant, a function that returns the empty string must be use, the formula @if(name = ""; ""; "") is the default (You might have to change that if "name" is not a field in your contact documents). Note: It is important that the order of columns is not changed and that no column is deleted.
After the ohc view has been implemented an entry for it must be added in the "Users address books" field. The definition entry follows the same rule as for standard address books but the "sort_index" field is ignored and can be omitted.
Example:
contacts.nsf;R;contacts_ohc
gives the user read access to contacts in the contacts.nsf database using the contacts_ohc view.
Note: That for the time being only read access is supported for custom address books.
First time set-up
When the OpenHand user database is opened for the first time there is only one entry in it, a default group.
The first thing you have to do is making a mail server mapping for your mail servers, one for each Lotus Domino mail server your users want to connect to or one for each OpenHand Backend, most small setups only need one mail server mapping.
Next take a look at the DefaultGroup in the group list, most setups only need the DefaultGroup but you should add more groups if you intend to have different settings for different groups of users. Note that a group (or any other) document can be edited by double clicking on the documents background.
Now you are ready to import users to the database. This can be done one at a time or multiple users at once.
Note that if you change the advanced settings for a user it will override the group settings.
The following figures show a typical session:
Creating the user database from the OpenHand Users template:
Initial view of the users database:
Creating a mail server mapping:
Creating a user:
Unread/Read agent (optional)
For OpenHand to be able to display if mail messages are read or not an agent has to be set up on the Lotus Domino server. The agent is provided in the OpenHandAgent or OpenHandAgentDom7 templates for Domino version 6 and 7 respectively. You must create an agent database on the Domino server from one of these tepmlates.
Preparing Lotus Domino Server.
For the OpenHand "Read/Unread" agent to work several steps must be completed on the all Domino servers containing mail files for OpenHand users.
The Domino Administrator signing the OpenHand Agent template must be added to several security fileds in the Domino Administrator.
The signer must be added to the three fields "Run unrestricted methods and operations", "Sign agents to run on behalf of the invoker of the agent" and "Run simple and Formula agents".
If you look at the Lotus Domino Administration documentation for these fields these settings will make no sense, that is because either the documentation is wrong or the Administration tool is buggy, probably both.
Enabling read/unread marks
Copy the OpenHandAgent.ntf template found in the 0_ToDominoServer folder in the OpenHand server directory to a directory accessible from the Lotus Domino Administrator, e.g. the ../Lotus/notes/data on the machine running the Lotus Domino Administrator or a Domino server data directory (or sub-directory there of).
Do a fixup and sign the OpenHandAgent.ntf template.
Create a new database from the OpenHandAgent.ntf.
Next open the OpenHand user database and find the mail server entry in the mail server table. In the Unread count agent database enter the path to the agent database you just created. Now OpenHand should display if a mail message is read or not.
Note that if you have more than none mail server this process has to be repeated on each of them.
Configuration.
OpenHand Server does not need any special priviledges to run, only to accept TCP connections from clients, connect to Lotus Domino over TCP and write log files in the installation directory.
You can move the installation by just moving the installation directory (see NT service discussion below for an exception).
For a typical simple installation only the Domino host DNS-name or IP-number needs to be changed.
Manual configuration.
Unix/Linux.
If the JAVA_HOME environment variable is not set you must change the JAVABIN variable in the provided OHDServer.sh file to point to the required Java runtime.
Windows.
If you want to start the OpenHand server from the command line (a good idea when testing the installation) and JAVA_HOME environment variable is not set, then you must change the JAVABIN variable in the provided OHDJavaBin.bat file to point to the Java runtime to use.
Windows NT/2000/XP/2003 Service.
If you want to install the OpenHand server as an NT service and JAVA_HOME environment variable is not set you must change the wrapper.java.command variable in the NTService\NTService.config file to point to the required Java runtime.
Run NTService\InstallService.bat to install OpenHand Server as an NT service.
Run NTService\UninstallService.bat to uninstall OpenHand Server as an NT service.
The Configuration Tool
OpenHand Server version 5.4 comes with a configuration program "OHDConfigTool" for editing OpenHand configuration information.
To start the Configuration Tool on Windows you can double-click the OHDConfigTool.jar file in the installation directory. You can also run the OHDConfigTool.bat command file from a command window. On most other platforms you must start the Configuration Tool by issuing 'java -jar OHDConfigTool.jar' from a command line.
To familiarize yourself with the Configuration Tool click the Help button in the Configuration Tool or the question mark button by each configuration parameter.
General description
On the left hand side there is a menu which can be used to browse the configuration. Each menu item represents a configuration file, some of which are divided into sections (tabs) for easier editing. When any changes are made, a star appears at the end of the menu item name, indicating that there are unsaved changes.
Selecting a sub level node displays the variables that can be edited. For the default value leave the field blank or enter "default" (without the quotes). The "Reset" button resets the variable to its default value. Clicking on the "?" button below gives a brief description of the variable.
Editing the default configuration files
The config tool is configured to read and write the config files located in the /config folder in the OpenHand for Domino install folder. To edit the default config files, just edit the variables as needed and hit the "Save all" button. If only one specific file should be saved, hit the "Save" button and the file section currently active (the one being editing) will be saved.
Editing other configuration files
To edit other files than the default ones, hit the "Load" button and browse for the file to edit. This automatically disables the "Save" and "Save all" buttons to prevent accidentally overwriting the default files. To save this loaded config file, make sure that the section being saved is the section currently being edited/viewed and hit the "Save as" button.
Importing old configuration files
This feature is used when the format of the configuration files has been changed. Just import config files in an older format, and the format is then updated to the latest config format. To import a file, just hit the "Import" button and browse for the old file. When the old settings are loaded hit the "Save all" button to save the configuration files at their default locations.
Configuration files, file sections and variables
See separate document: "OpenHand Configuration Variables".
Installation Notes
First connection from OpenHand server to Lotus Domino
The first time the connection is made from OpenHand server to Lotus Domino can take a long time (tens of minutes, depending on the number of users, size of global address lists etc.) During this first connection, the Domino server is creating index placeholders for speeding up the access to the information in the Lotus Domino server. The following connections will not take as long, as the index placeholders have been created.
Installation methods
The installation method described here does not fully support distributed mode of operation where the OpenHand server is split in two, a front end (talks LOUIS to clients) and back end (uses DIIOP and HTTPS to Lotus Domino Server). The back end can reside inside a firewall, and the front end resides either outside of the firewall or in a DMZ.
HTTP service.
The HTTP service is not necessary for Lotus Domino 6 as the DIIOP service contains a simple HTTP server. The HTTP server is used by the NCSO.jar Lotus library OpenHand uses to get the information necessary to connect to the Domino CORBA ORB.
The information returned from this initial HTTP GET request is called the IOR, it contains amongst other things the real DIIOP server host DNS-name or IP-number and the IP-port the OpenHand server should connect to.
It is very important that the IOR information is correct, otherwise the OpenHand server will try to connect to the wrong machine and/or port.
The DIIOP server generates this information in the Domino Web server root directory ".../Lotus/Domino/Data/domino/html/diiop_ior.txt" the first time it starts.
The only way to regenerate this file seems to be to change the DIIOP host or port in Domino Administrator, restart the Domino DIIOP task ("restart task diiop"), change the host or port back to the correct value and restart the Domino DIIOP task again.
To check if the IOR has been generated and is accessible you can point a web browser to http://host:port/diiop_ior.txt where host is the host-name/IP-number of the HTTP server and port is 63148 if you want to use the HTTP server built in to the DIIOP server (and you are using the default DIIOP port) or 80 if you want to use the Domino built-in HTTP server (and you are using the default HTTP port).
If this test works you will get back a very long hexadecimal string (>350 characters) and the host and port can be used by the OpenHand server to get the IOR, if it does not work OpenHand will not be able to connect.
We recommend using the built-in HTTP server in the DIIOP task if possible but it does not always work for some unknown reason. If that does not work you can use the standard Domino HTTP task, or you can insert the content of the diiop_ior.txt file directly into the IOR string field in the OpenHand Configuration Tool. If you use the IOR string from diiop_ior.txt you must update the OpenHand configuration each time the IOR file is regenerated.
The OpenHand Primer Tool/Get IOR option does the same test, but in addition it will also try to decypher the IOR string to tell you which server and port is returned in the IOR string, i.e. the real IOOP host and port the NCSO library will use. If this information is not correct, you must change the DIOOP settings and regenerate the diiop_ior.txt file.
Interesting Lotus Documents
For general information on the DIIOP service configuration point your browser to Java access to the Domino Objects, Part 1
| NOTE Note however that OpenHand Server special priviledges, i.e. does not need to run any scripts or agents. |
Contact information
For further information and support please contact:
UK office
OpenHand Software Limited
Tel: +44 (0) 20 8962 3270
Email: support@openhand-mobile.com
Iceland office
OpenHand hf.
Hafnarstaeti 19, 101 Reykajvik, Iceland
Tel: +354 535-7600
Email: support@openhand.is
Appendix A - Enabling DIIOP
The following screen-shots give hints to what needs to be enabled for the NCSO.jar library being able to connect to Domino.
This is a standard Lotus Domino Administrator task and is fully documented in the Lotus Domino Adminstration documentation.
The following figure shows where the DIIOP port is enabled and configured.
The following figure shows where to add an IIOP Internet Site. This is the best way, and sometimes the only way, to control which DNS-name or IP-address is returned in the IOR.
The following figure shows where to configure an IIOP Internet Site to return the correct DNS-name or IP-address in the IOR.
The following figure shows some help text to explain the previous figure.
Appendix B - Creating an OpenHand user on the Domino server
The pictures are here only for quick reference purposes. Please consult the Domino Administrator Help for further guidance.
A certificate is created by Domino for each person created in Domino.
