AppDev Pack

I'm at the final stage of setting up the AppDev Pack. When I log on to the config-test application, all the IAM bits seem to work correctly, the DAS calendar output works, but the domino-db bit fails to create documents in sample.nsf with the following error on the Domino Console:

"PROTON: NotAuthorized: Attempt by Sample Application/Kelros to create Act-as-User, introspection failure"

I've been over the config loads and all seems ok.

I did find this old Community post, but it made no difference for me > https://support.hcltech.com/community?id=community_question&sys_id=74dd09b71b435458beab64e6ec4bcbea&view_source=searchResult

Make sure you have all the CA Trust Chain in your proton KYR file as well as on IAM available. Do you use Let's Encrypt or other public certs on IAM?

Checking in, are you still stuck? Did Heiko's suggestion help any?

Hi Dan

No, I'm still stuck, unfortunately. I have rebuilt my internal CA again from scratch, but yet again, I get to the final step, the domino-db bit of the test application and it continues to fail with the same PROTON error message.

I'm finding it really hard to follow the instructions and adapting them to my environment. I think it's an SSL issue.

I am using a 'live' Domino 11.0.1 FP3 Server, that has existed since v11 was released. I have a wildcard SSL certificate on it, that was issued by GoDaddy.

I do believe I am falling down on two parts of the instructions:

1. Configuring the Server Key Ring > https://doc.cwpcollaboration.com/appdevpack/docs/en/setup-guide-keyring2.html

This bit is hard to translate for use with my wildcard SSL certificate.

Also, I have a GoDaddy.kyr specified in my Internet Site Document for the server using HTTPS for browsers (which works), and in the proton config, I am pointing at my newly created appdevpack.kyr created following the instructions. Is this part of my issue? Should the same keyring be used for both of these setups? It's not clear from multiple run-throughs of the instructions.

2. Configuring the config.yml file > https://doc.cwpcollaboration.com/appdevpack/docs/en/setup-guide-cfgtest3.html

If I use my internal CA for the domino-db bit, then it moans about 'self signed' certificates.

So there's a few things here.

Proton's kyr file needs to contain the certificates it needs for the https server AND the root cert to validate your client certificates.

If in your case you are using your wildcard cert for proton as well as the domino http server, then you can start out with a copy of your http.kyr, but you will need to add the root certificate of your internal CA that signed all of your clients.

To keep things separate, it would be better to not have the http server and the proton server share the same exact kyr file on disk.

If you configure proton with a certificate from your internal CA, then all you need is the server certificate and the CA root in the kyr file for proton, since the internal CA root can be used for both.

Can you verify that your appdevpack.kyr contains your internal CA root, as well as the root and cert for your GoDaddy wildcard?
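
The trust relationship described in the reply above, reproduced with plain OpenSSL as an added example (not from the thread or from HCL's documentation). Throwaway CAs stand in for the public issuer of the wildcard certificate and for the internal CA, and a PEM bundle stands in for the set of roots held in Proton's kyr file; all names and files are constructed and no real kyr file is touched.

```bash
#!/usr/bin/env bash
# Constructed demo: throwaway CAs stand in for the public issuer of the
# wildcard certificate and for the internal CA that signs client certificates.
set -eu

make_ca() {      # make_ca <file prefix> <CN>: self-signed root
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

issue_cert() {   # issue_cert <CA prefix> <leaf prefix> <CN>
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" \
    -CAcreateserial -days 1 -out "$2.crt" 2>/dev/null
}

check_trust() {  # check_trust <PEM bundle of roots> <cert>
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  then echo trusted; else echo untrusted; fi
}

demo() (         # subshell, so the cd does not leak to the caller
  cd "$(mktemp -d)"
  make_ca public-root "Constructed Public Root"
  make_ca internal-root "Constructed Internal CA"
  issue_cert public-root wildcard "*.example.test"
  issue_cert internal-root client "Sample Application"
  # Roots as they would be in a straight copy of the HTTP keyring
  cp public-root.crt roots-copy.pem
  # The same roots plus the internal CA root, as the reply recommends
  cat public-root.crt internal-root.crt > roots-proton.pem
  for bundle in roots-copy.pem roots-proton.pem; do
    echo "$bundle: server=$(check_trust "$bundle" wildcard.crt)" \
         "client=$(check_trust "$bundle" client.crt)"
  done
)

demo
```

With only the public root in the bundle the server certificate validates but the client certificate does not; adding the internal CA root makes both validate.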

I'm off on holiday now, so will look at this again in a couple of weeks.