My question is regarding Domino Agents, Trusted Servers and DIIOP. Before I describe the question, let me give you a bit of background -

I am creating an application that integrates with Domino and is able to delete certain emails from certain user mailboxes. My initial design and implementation was to write all my application on a middleware server (different from the Domino server) and via DIIOP and the Java API set up a session with the Domino server remotely and delete the appropriate email message remotely. In the current deployment environment the customer has multiple Domino mail servers, and for my current design/solution to work, the customer will have to open up/enable DIIOP on all of the Domino mail servers so that the solution is able to delete the appropriate email from the appropriate Domino mail server. Opening up / enabling DIIOP on all their mail servers is not something the customer is comfortable with, and hence I am at a place where I need to redesign my solution.

To satisfy this requirement - based on my research, I feel that I could get around this limitation (not running DIIOP on all Domino mail servers) by converting my solution to an "Agent" model. My agent will run on one of the Domino servers and from there it can access the database/mail document on any server and delete the same. My current thought is that I will invoke the agent via a URL from the middleware server, which will serve as a trigger for my agent, and then the agent will go ahead and access and delete the appropriate mail document. See the screenshot below for reference on the "Trusted Servers" element, which seems to be designed to allow an agent to access databases on another Domino mail server.

My questions are the following -

  1. If I go ahead with this Agent design model, then when the agent running on DominoMailServer1 attempts to open/access databases on DominoMailServer2, does that connection not go through DIIOP? With this architecture is there no need to enable/open up DIIOP on DominoMailServer2? Is this communication happening through some other RPC mechanism, or is it some underlying OS-level file sharing mechanism that the agent executing on DominoMailServer1 (behind the scenes) uses to access the database on DominoMailServer2?

  2. With my initial design (my solution on the middleware server communicating via DIIOP with all individual servers) - is there any way to augment/modify that initial design so that there is no need to open up DIIOP on all of the Domino mail servers in the environment and still accomplish accessing/deleting emails?

[Screenshot: Trusted Server Support For Domino Agent]


1 Answer

When an agent running on DominoMailServer1 connects to DominoMailServer2, it is using NRPC - the proprietary protocol that Lotus invented in the late 1980s that allows Lotus Notes and Domino, and the Notes C API that lies underneath them (and underneath the implementation of all other APIs that work with Notes data), to communicate across different platforms and network types. NRPC on TCP/IP networks (which are all that really matter these days) runs on port 1352.

Re question 2, you don't have to use DIIOP. Your Java code can use Notes.jar instead of NCSO.jar. In order to use Notes.jar, though, you must have Notes or Domino code installed on the machine where your code is running. If it's a Windows machine you can install the Notes client. If it's not Windows, you can install the Domino server code for whatever the platform is, assuming it's one of the ones that IBM supports. The code needs to be installed, and it needs to be set up, but it doesn't have to be running for your Java code to work. All your Java code would actually be using is the underlying DLLs or libraries, along with the ID file for authentication purposes, and this will allow Notes.jar to use NRPC. You'll need to check with your Notes/Domino management people and quite possibly with your IBM rep about any licensing implications this might have. IMHO, since your code is acting as a client, it ought to be considered a client even if it is using the libraries that came with a server install - but I can't tell you whether IBM agrees with this or not.

BTW, even though you didn't ask... The trusted server setting does what you surmise. It allows agents on one Domino server to access databases and documents on another Domino server. Prior to Domino 6, this was not allowed because when the agent contacted the other server via NRPC the other server had no way of knowing whose rights should be used to determine the level of access that was granted. All the target server knew was the identity of the server that was making the request. Even if the agent server told the target server who owned the agent, the target server would not trust that information, because that could be a shortcut around the strong authentication Notes and Domino normally requires. The trusted server setting was implemented to identify servers that Domino will trust when they pass along the identity information associated with an agent.
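The two designs discussed on this page (a URL-triggered agent on one mail server reaching a mail file on another, and a standalone Java client that talks NRPC through Notes.jar instead of DIIOP through NCSO.jar) share the same deletion step, so the added example below shows both entry points around one routine. This is illustrative code written for this page, not code from the question, the answer, or IBM; the server name `DominoMailServer2/Example`, the mail file path `mail/juser.nsf`, the query-string keys `server`, `db` and `unid`, and the class name `MailPurge` are all hypothetical. Whether the cross-server hop in the agent succeeds depends on the target server's Trusted Servers setting, exactly as the answer describes, and the local-session variant depends on Notes or Domino code being installed and set up on the machine with an ID file.

```java
import lotus.domino.AgentBase;
import lotus.domino.AgentContext;
import lotus.domino.Database;
import lotus.domino.Document;
import lotus.domino.NotesException;
import lotus.domino.NotesFactory;
import lotus.domino.NotesThread;
import lotus.domino.Session;

// Example only: one deletion routine reachable as a Domino Java agent
// (NotesMain) and as a standalone Notes.jar client (main).
public class MailPurge extends AgentBase {

    // Open the mail file on the named server and remove one document by UNID.
    // Inside an agent this hop travels over NRPC under the agent signer's
    // identity, which the target server only honours if the agent's server is
    // listed in its Trusted Servers. In a standalone client the identity comes
    // from the local ID file (Notes.jar) or the DIIOP login (NCSO.jar).
    static boolean removeMessage(Session session, String server, String mailFile, String unid)
            throws NotesException {
        if (!isUnid(unid)) {
            throw new IllegalArgumentException("malformed UNID: " + unid);
        }
        Database mail = session.getDatabase(server, mailFile);
        if (mail == null || !mail.isOpen()) {
            return false;                       // no access, or no such database
        }
        Document doc;
        try {
            doc = mail.getDocumentByUNID(unid);
        } catch (NotesException notFound) {
            return false;                       // some releases throw rather than return null
        }
        if (doc == null) {
            return false;
        }
        return doc.remove(true);                // true: remove even if modified since opened
    }

    // A UNID is exactly 32 hex characters; reject anything else before it
    // reaches the Notes API, since the value arrives from an HTTP query string.
    static boolean isUnid(String s) {
        return s != null && s.matches("[0-9A-Fa-f]{32}");
    }

    // Pull one key from a query string such as "server=X&db=Y&unid=Z".
    static String queryParam(String query, String key) {
        if (query == null) {
            return null;
        }
        for (String pair : query.split("&")) {
            int eq = pair.indexOf('=');
            if (eq > 0 && pair.substring(0, eq).equals(key)) {
                return pair.substring(eq + 1);
            }
        }
        return null;
    }

    // Agent entry point. When the agent is invoked with ?OpenAgent, the
    // document context carries the request's query string in Query_String_Decoded.
    public void NotesMain() {
        try {
            Session session = getSession();
            AgentContext ctx = session.getAgentContext();
            Document request = ctx.getDocumentContext();
            String query = request.getItemValueString("Query_String_Decoded");
            String server = queryParam(query, "server");   // hypothetical key
            String db = queryParam(query, "db");           // hypothetical key
            String unid = queryParam(query, "unid");       // hypothetical key
            boolean removed = removeMessage(session, server, db, unid);
            getAgentOutput().println(removed ? "removed" : "not found");
        } catch (NotesException e) {
            e.printStackTrace();
        }
    }

    // Standalone entry point using Notes.jar: a local session over NRPC, which
    // needs installed (not necessarily running) Notes or Domino code plus an ID
    // file. The commented line is the NCSO.jar/DIIOP equivalent for comparison.
    public static void main(String[] args) throws NotesException {
        NotesThread.sinitThread();              // required before any local Notes.jar call
        try {
            Session session = NotesFactory.createSession();
            // Session session = NotesFactory.createSession("dominomailserver2.example", "user", "password"); // DIIOP
            boolean removed = removeMessage(session,
                    "DominoMailServer2/Example",   // hypothetical server
                    "mail/juser.nsf",              // hypothetical mail file
                    args.length > 0 ? args[0] : "");
            System.out.println(removed ? "removed" : "not found");
            session.recycle();
        } finally {
            NotesThread.stermThread();
        }
    }
}
```

The agent variant still needs the usual Domino-side controls to be meaningful: the agent must be signed by an ID that actually holds delete rights in the target mail files, the target servers must list the agent's server as trusted, and the agent design should not be runnable by anonymous web users. The `isUnid` check is the one piece of input validation the URL trigger makes necessary, since the document to delete is named entirely by the caller.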