This page last changed on 2007-10-23 by dseifert.

Version 5.2.0

For further details please refer to the "OHD Administration Guide" PDF document.

This is a quick overview of the OpenHand Server for Lotus Domino (OpenHand Server): its structure, how its parts communicate, what needs to be done to make it work, and why.

1. The structure of OpenHand Server for Lotus Domino.

Simply put, OpenHand Server is a Java(TM)-based software system that gives OpenHand Clients access to mail, contacts, calendar and task information on one or more Domino® servers.

For this to be possible OpenHand Server must carry out at least three functions:

  • Accept connections from the OpenHand Clients.
  • Authenticate the OpenHand Client user as a Domino and OpenHand user.
  • Read and/or update the OpenHand Client user's mail, contact, calendar and task information on the Domino server.

The OpenHand Server is split internally into three separate components, each handling one of the above functions:

  • The OpenHand Frontend handles all communication with the OpenHand Clients.
  • The OpenHand Usermaster handles Domino and OpenHand user authentication and information gathering.
  • The OpenHand Backend handles all access to the user's mail, contact, calendar and task information on the Domino server.

In a simple OpenHand Server setup these three components are not visible as separate processes: they all run in the same Java Runtime Environment(TM) (JRE(TM)). If necessary they can be run in separate JREs on separate computers.

1.1 OpenHand Client to OpenHand Frontend communication.

The communication between the OpenHand Clients and the OpenHand Frontend uses the proprietary OpenHand LOUIS(TM) communication protocol over any TCP/IP network, usually over the wired and mobile Internet.

Normal installations of the OpenHand Server are placed behind a company firewall, so an access path through the firewall from the OpenHand Clients to the OpenHand Frontend must be set up.

1.2 OpenHand Usermaster and OpenHand Backend to Domino server communication.

The OpenHand Usermaster and OpenHand Backends must connect to one or more Domino servers.

The method chosen by OpenHand to accomplish this connection is to use the standard Domino DIIOP server task, as this allows us to access Domino without adding software to the Domino server itself (see section 2.3 for the exceptions).

DIIOP (Domino IIOP) is the Lotus® implementation for Domino of the industry-standard CORBA Internet Inter-ORB Protocol (IIOP).

Lotus Domino server installations provide both the built-in DIIOP task and NCSO.jar, a Java(TM) library for clients of the DIIOP service.

For OpenHand Usermaster and OpenHand Backends to connect to a Domino server:

  • The DIIOP service on the Domino server must be enabled (a proxy can be set up in special cases).
  • The NCSO.jar from the Domino server must be copied into the OpenHand Server installation.

2. OpenHand Server for Lotus Domino access to Domino server.

Only the OpenHand Usermaster and the OpenHand Backends connect to Domino servers.

2.1 OpenHand Usermaster access to Domino server.

For the OpenHand Usermaster to fulfill its Domino and OpenHand user authentication and information gathering tasks, it must:

  • Be able to log into the Domino server through DIIOP.
  • Have access to Domino user information.
  • Have access to OpenHand user information.

Therefore the OpenHand Usermaster needs:

  • A Domino username and (Internet) password for the OpenHand Usermaster. It is best to create a new, dedicated Domino user for this purpose (usermaster) rather than reuse an existing account.
  • Read access to the Domino Domain Directory database (names.nsf), where Domino keeps its information on Domino users.
  • Read and write access to a specialized OpenHand User Database, which must be added to the Domino server the OpenHand Usermaster connects to.

When the OpenHand Frontend asks the OpenHand Usermaster to authenticate an OpenHand user, the OpenHand Usermaster checks in the Domino Domain Directory:

  • Whether the username is a valid Domino login username.
  • For the full name and full login name of that user.
  • For the name of the Domino mail server for that user.

The OpenHand Usermaster then uses the name of the user's Domino mail server to look up in the OpenHand User Database:

  • Which OpenHand Backend the OpenHand Frontend should connect to.
  • The DNS name or IP address the OpenHand Backend should use to connect to the user's Domino mail server.

The OpenHand Usermaster then uses the full login name of the Domino user to look up in the OpenHand User Database:

  • The seed for the encryption key used to encrypt and decrypt communication between the OpenHand Client and the OpenHand Frontend.
  • OpenHand Client permissions (e.g. is the user allowed to save his server password locally on the client?).
  • OpenHand Server settings (e.g. are the user's mail messages in reverse date order in the mail file?).
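The lookup sequence above, written as an added example that is not OpenHand's own code: it opens a DIIOP session as the dedicated usermaster account (NCSO.jar on the classpath), resolves the login name in names.nsf, then reads the routing and per-user settings from the OpenHand User Database. The DIIOP host "domino.example.com:63148" (63148 is Domino's default DIIOP port), the "usermaster" account, and everything about the OpenHand User Database ("openhand.nsf", the views "($MailServers)" and "($OpenHandUsers)", the fields "BackendHost" and "MayStorePassword") are hypothetical names chosen for illustration; the page does not document that database's design.

```java
import lotus.domino.ACL;
import lotus.domino.Database;
import lotus.domino.Document;
import lotus.domino.NotesException;
import lotus.domino.NotesFactory;
import lotus.domino.Session;
import lotus.domino.View;

/*
 * Added example (not OpenHand's code): the Usermaster lookup path of section 2.1.
 * Hypothetical: DIIOP host, "usermaster" account, and the OpenHand User Database
 * file/view/field names; names.nsf and the ($Users) view are standard Domino.
 */
public class UsermasterLookup {

    /** What the Usermaster hands to the Frontend for a valid OpenHand user. */
    public static final class Routing {
        public final String fullName;      // canonical Domino name, e.g. "CN=Jane Doe/O=Acme"
        public final String mailServer;    // user's Domino mail server, e.g. "CN=Mail1/O=Acme"
        public final String mailFile;      // e.g. "mail/jdoe.nsf"
        public final String backendHost;   // host:port the Backend uses to reach that server
        public final boolean mayStorePassword;

        Routing(String fullName, String mailServer, String mailFile,
                String backendHost, boolean mayStorePassword) {
            this.fullName = fullName;
            this.mailServer = mailServer;
            this.mailFile = mailFile;
            this.backendHost = backendHost;
            this.mayStorePassword = mayStorePassword;
        }
    }

    /**
     * Returns null when loginName is not a Domino user or its mail server has no
     * OpenHand Backend. The Usermaster never sees the end user's password; the
     * password is only checked when the Backend logs in as that user (section 2.2).
     */
    public static Routing lookup(String diiopHost, String umUser, String umPassword,
                                 String loginName) throws NotesException {
        Session s = NotesFactory.createSession(diiopHost, umUser, umPassword);
        try {
            // names.nsf: the usermaster account needs at least Reader access; fail closed otherwise
            Database names = s.getDatabase("", "names.nsf");
            if (!names.isOpen() || names.queryAccess(s.getUserName()) < ACL.LEVEL_READER) {
                throw new IllegalStateException("usermaster cannot read names.nsf");
            }
            // ($Users) is keyed by every name form a user may log in with (short, common, full)
            View users = names.getView("($Users)");
            Document person = users.getDocumentByKey(loginName, true);
            if (person == null) {
                return null;                                   // not a valid Domino login name
            }
            String fullName = person.getItemValueString("FullName");   // first value is canonical
            String mailServer = person.getItemValueString("MailServer");
            String mailFile = person.getItemValueString("MailFile");

            // OpenHand User Database (hypothetical design): usermaster needs read/write access
            Database oh = s.getDatabase("", "openhand.nsf");
            if (!oh.isOpen() || oh.queryAccess(s.getUserName()) < ACL.LEVEL_EDITOR) {
                throw new IllegalStateException("usermaster cannot read/write openhand.nsf");
            }
            // 1. mail server -> which Backend and the host it should connect to
            Document route = oh.getView("($MailServers)").getDocumentByKey(mailServer, true);
            if (route == null) {
                return null;                                   // no Backend serves this mail server
            }
            String backendHost = route.getItemValueString("BackendHost");
            // 2. full login name -> per-user client permissions and server settings
            Document settings = oh.getView("($OpenHandUsers)").getDocumentByKey(fullName, true);
            boolean mayStore = settings != null
                    && "1".equals(settings.getItemValueString("MayStorePassword"));
            return new Routing(fullName, mailServer, mailFile, backendHost, mayStore);
        } finally {
            s.recycle();   // releases every Domino object created from this session
        }
    }

    /** Usage: java UsermasterLookup <usermaster-password> <login-name> */
    public static void main(String[] args) throws NotesException {
        Routing r = lookup("domino.example.com:63148", "usermaster", args[0], args[1]);
        System.out.println(r == null ? "unknown user or unserved mail server"
                                     : r.fullName + " -> " + r.backendHost);
    }
}
```

The two queryAccess checks are the practitioner's guard for the access requirements listed above: if the usermaster account was given less than Reader on names.nsf or less than Editor on the OpenHand User Database, the lookup fails immediately with a clear message instead of returning partial results.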

2.2 OpenHand Backend access to Domino server.

For the OpenHand Backend to access the current OpenHand user's Domino mail file for mail, contact, calendar and task information, it must:

  • Be able to log into the Domino server through DIIOP on the user's behalf.
  • (Optionally) have read and/or write access to the Domino Domain Directory database.
  • (Optionally) have read and/or write access to other Domino Address Book databases.
  • (Optionally) have read and/or write access to other users' Domino mail files.

The OpenHand Backend uses the information the OpenHand Frontend forwards to it from the OpenHand Usermaster, together with the password sent by the OpenHand Client, to log into the Domino DIIOP service as the Domino user. The user is thus authenticated by the Domino server itself, and the user's own Domino access rights, not those of a shared service account, decide what the OpenHand Backend can read and write.
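A Backend-style per-user session, as an added example that is not OpenHand's own code: it logs into DIIOP as the end user, checks that the server really authenticated that identity before touching data, reads the newest inbox entries from the user's mail file, and reports the access level the user's session has to another database, which is how to verify the "optional" read/write access above instead of guessing. The host "mail1.example.com:63148", the user "Jane Doe/Acme" and the mail file "mail/jdoe.nsf" are hypothetical; in OpenHand they come from the Usermaster via the Frontend, and the password from the OpenHand Client. Note that the user's password crosses the Backend-to-Domino link in this login, so that link needs protecting (Domino's separate DIIOP SSL port is the usual way; not covered on this page).

```java
import java.util.ArrayList;
import java.util.List;

import lotus.domino.ACL;
import lotus.domino.Database;
import lotus.domino.Document;
import lotus.domino.NotesException;
import lotus.domino.NotesFactory;
import lotus.domino.Session;
import lotus.domino.View;

/*
 * Added example (not OpenHand's code): a per-user DIIOP session as the Backend of
 * section 2.2 uses it. Host, user name and mail file below are hypothetical.
 */
public class BackendMailAccess {

    /** Subjects of the newest entries in the user's inbox, read as that user. */
    public static List<String> inboxSubjects(String backendHost, String userName,
                                             String mailFile, String password,
                                             int max) throws NotesException {
        // DIIOP checks the Internet password; no super-user or stored credential is involved
        Session s = NotesFactory.createSession(backendHost, userName, password);
        try {
            // Fail closed if the server authenticated a different identity than we asked for
            String expected = s.createName(userName).getCanonical();
            if (!expected.equals(s.getUserName())) {
                throw new SecurityException("session is " + s.getUserName()
                        + ", expected " + expected);
            }
            Database mail = s.getDatabase("", mailFile);
            if (!mail.isOpen()) {
                throw new IllegalStateException(userName + " cannot open " + mailFile);
            }
            List<String> subjects = new ArrayList<String>();
            View inbox = mail.getView("($Inbox)");       // the mail template's inbox folder
            Document doc = inbox.getFirstDocument();
            while (doc != null && subjects.size() < max) {
                subjects.add(doc.getItemValueString("Subject"));
                Document next = inbox.getNextDocument(doc);
                doc.recycle();
                doc = next;
            }
            return subjects;
        } finally {
            s.recycle();
        }
    }

    /**
     * Access level the user's own session has to dbFile, as an ACL.LEVEL_* constant
     * (LEVEL_NOACCESS .. LEVEL_MANAGER). Use it to confirm the optional directory,
     * address book or other-mail-file access rather than assuming it.
     */
    public static int accessTo(String backendHost, String userName, String password,
                               String dbFile) throws NotesException {
        Session s = NotesFactory.createSession(backendHost, userName, password);
        try {
            Database db = s.getDatabase("", dbFile);
            return db.isOpen() ? db.queryAccess(s.getUserName()) : ACL.LEVEL_NOACCESS;
        } finally {
            s.recycle();
        }
    }

    /** Usage: java BackendMailAccess <user-password> */
    public static void main(String[] args) throws NotesException {
        String host = "mail1.example.com:63148", user = "Jane Doe/Acme", pw = args[0];
        for (String subject : inboxSubjects(host, user, "mail/jdoe.nsf", pw, 5)) {
            System.out.println(subject);
        }
        int level = accessTo(host, user, pw, "names.nsf");
        System.out.println("names.nsf: " + (level >= ACL.LEVEL_EDITOR ? "read/write"
                           : level >= ACL.LEVEL_READER ? "read-only" : "no access"));
    }
}
```

The identity check after createSession is cheap and catches misconfiguration (for example a name form that Domino resolves to a different Person document) before any mail is read under the wrong identity.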

2.3 Domino Mail Read/Unread marks.

The Domino system is unusual in that it does not maintain read/unread flags on individual mail messages (or other Domino documents); instead each database keeps a list of unread documents for each individual user accessing it. A mail message is therefore not read or unread as such, but read or unread by a particular user.

This is probably the reason (or excuse) Lotus does not expose read/unread marks through the DIIOP service, so by default OpenHand Server cannot check read/unread information.

One of the design goals of OpenHand Server for Lotus Domino was to not install anything onto the Domino server. This design goal was met, with two exceptions:

  • The OpenHand User Database
  • The OpenHand Agent Database

The OpenHand User Database has to be installed on a Domino server because administering OpenHand users anywhere else would have been too cumbersome. It contains no Domino agents.

Because read/unread information is very important to OpenHand customers, the OpenHand Server for Lotus Domino installation includes an OpenHand Agent Database, which may be installed on the Domino mail servers that OpenHand Backends connect to.

The OpenHand Agent Database contains Domino agents and scripts that check the low-level Domino read/unread tables for the logged-on user.

This approach has a security cost: checking the low-level read/unread tables requires Domino agent privileges that ordinary mail users do not have.

The easy way around this would be to give every OpenHand user extensive extra privileges on the Domino mail server, or to run one special super-user with access rights to all OpenHand users' Domino mail databases.

As OpenHand is very security conscious, we chose a different approach and looked for the most restrictive way of enabling those agents that still allows access to the read/unread information: the read/unread agent runs on behalf of the logged-in user but is owned by someone else. The owner is the user who signs the OpenHand Agent Database on installation or update.

The signing user (not individual OpenHand users) needs to have three extra Domino privileges set in the Domino Administration Client:

  • Signing user must have privileges to run agents on behalf of other users.
  • Signing user must have privileges to run restricted scripts, as the script uses the standard Domino notes.dll (or equivalent) library to access the read/unread table.
  • Signing user must have privileges to run unrestricted scripts (this must be set explicitly even though the Domino Administrator documentation says the opposite).

(If the OpenHand Agent Database is signed with the server ID instead, these privileges need not be added, but the agent then runs with more privilege than it needs.)

Additionally, the Access Control List of the OpenHand Agent Database must be set correctly; see the Administration Guide.

3. Further information.

Lotus Domino is a registered trademark of International Business Machines Corporation in the United States and other countries.

For further details see the "OpenHand Server for Lotus Domino Administration Guide" or email support@openhand.is

2007.04.10

Document generated by Confluence on 2008-03-25 15:04