Engage 2022: The Superpower of Integrating External APIs for Notes and Domino Apps
0 likes35 views
The document discusses the integration of external APIs with Notes and Domino applications, focusing on best practices for security, authentication, and various integration methods. It provides an overview of tools, libraries, and coding techniques, as well as real-world examples of application scenarios involving REST APIs and other data interactions. Key points include the importance of secure coding, using modern Java practices, and the evolution of tools and technologies within the Domino environment.
![#engageug
Storing Credentials / Keys
๏Create a profile form, e.g. frm.fancyAPI
๏ Add a readers field
๏ Add yourself (Admin) and the Signer of the database
๏Create an agent, e.g. ag.fancyAPI
๏ Set security settings
๏ Run on behalf of [Database signer] (select the signer)
๏Run the code
๏ Run your Agent or script
๏ Call ag_fancyAPI
๏ Within ag_fancyAPI use
๏ db.GetProfileDocCollection(“frm.fancyAPI”).getfirstdocument](https://image.slidesharecdn.com/session-published-231201100039-a3b4ed39/85/Engage-2022-The-Superpower-of-Integrating-External-APIs-for-Notes-and-Domino-Apps-10-320.jpg)
Engage 2022: The Superpower of Integrating External APIs for Notes and Domino Apps
- 1. #engageug DE13 The Superpower of Integrating External APIs for Notes and Domino Apps Serdar Basegmez, Developi Thilo Volprich, Team Technology ENGAGE 2022
- 2. #engageug Who is speaking to you today? ▪ CEO of Team Technology GmbH ▪ IBM Champion 2018 - 2019 ▪ HCL Ambassador 2019-2021 ▪ Loving Domino ▪ Doing that stuff since 2003 Thilo Volprich ▪ Developer/Half-blooded Admin ▪ Developi UK ▪ OpenNTF Board ▪ Notes/Domino since 1999 ▪ IBM Champion Alumni (2011-2018) ▪ HCL Ambassador (2020-2022) Serdar Basegmez
- 3. #engageug Our session today ๏What is in our session ๏ A lot :-) ๏ Collective experience with customer projects ๏ Our (very personal) recommendations ๏ Some small code examples that can be easily used ๏ A list of helpers (software and libraries) ๏ Space for your questions and exchange of experience (all together) ๏What is not in our session ๏ Solutions to all your problems ๏ Only a selection of interfaces. The topic is far too big
- 4. #engageug What is an API An application programming interface (API) is an interface or communication protocol between a client and a server intended to simplify the building of client-side software. We focus on consuming APIs from other systems! (Source: en.Wikipedia.org). „ „
- 6. #engageug Authentication Planning ๏Questions to ask… ๏ Process ๏ Who knows the password, who sign in, who changes, how often? ๏ Method ๏ Username/Password, API key, OpenID/OAUTH, Obscurity? ๏ LAN? WAN? Internet? Public/Private Cloud? ๏ Potential eavesdroppers? Security precautions? ๏ What else? ๏ Any regulations to comply? ๏ Test-QA-Dev-Production staging?
- 7. #engageug Authentication Planning ๏API Authentication at a glance… ๏ No Secret ๏ Authentication not needed for some reason ๏ Shared Secret (Credentials) ๏ We know a “thing” (password, api key, etc.) ๏ Generated Secret (Tokens) ๏ We know a “thing” to acquire a token ๏ Delegated Access (Tokens) ๏ Someone knows a “thing” to provide us a token Where to keep these “thing”s?
- 8. #engageug Keep in mind! Forget about security if credentials are crappy! Source: https://www.flickr.com/photos/30478819@N08/29613520138
- 9. #engageug Best practise around security ๏Always run your code on the server ๏Clients and Users should not store/use the keys ๏ Beware of … ๏ LotusScript Debug ๏ Document Properties ๏ Malicious code to access data ๏Never trust your local network. Always use secure channels (Use SSL!)
- 10. #engageug Storing Credentials / Keys ๏Create a profile form, e.g. frm.fancyAPI ๏ Add a readers field ๏ Add yourself (Admin) and the Signer of the database ๏Create an agent, e.g. ag.fancyAPI ๏ Set security settings ๏ Run on behalf of [Database signer] (select the signer) ๏Run the code ๏ Run your Agent or script ๏ Call ag_fancyAPI ๏ Within ag_fancyAPI use ๏ db.GetProfileDocCollection(“frm.fancyAPI”).getfirstdocument
- 11. #engageug Best practise around security ๏Additionally, you can use encrypted field ๏ Every ID file has Public/Private keys ๏ Including servers! ๏ So, native support for encryption! ๏ Example: “WebSSOConfig” (Public Addressbook) ๏The lifecycle of credentials ๏ Plan ahead! ๏ Do they expire? How often? Do they need changing? ๏Please, RTFM!
- 12. #engageug Domino How to secure your Domino server Essentials
- 13. #engageug Easy but helpful settings Notes.ini ๏ Disable SSLv3 if you are still pre 9.0.1 FP9 ๏ Disable_SSLv3=1 ๏ Disable TLSv1 ๏ SSL_DISABLE_TLS_10=1 ๏ HTTPDisableServerHeader=1 ๏ HSTS (HTTP Strict Transport Security) ๏ Protects against protocol downgrade attacks ๏ Declares browsers should only interact using HTTPS ๏ It’s actually a HTTP Response Header set via notes.ini
- 14. #engageug HTTP Response Headers HTTP Response Headers: the most important once: ๏ Strict-Transport-Security ๏ X-Frame-Options ๏ X-Content-Type-Options ๏ Content-Security-Policy Set them for every hostname or IP your server is reachable from the internet.
- 15. #engageug Strict-Transport-Security Strict Transport Security ๏ Force clients only to connect via HTTPS ๏ Set completely in notes.ini ๏ Enabled by default since 9.0.1 FP3 IF2 ๏ but: to short: ๏ HTTP_HSTS_MAX_AGE= 17280000 ๏ and: does not include subdomains ๏ HTTP_HSTS_INCLUDE_SUBDOMAINS=1
- 16. #engageug X-Content-Type-Options X-Content-Type Options ๏ Reduces exposure to drive-by downloads and the risks of user uploaded content that, with clever naming, could be treated as a different content- type, like an executable. ๏ X-Content-Type-Options nosniff ๏ Domino 9: need to be set ๏ Domino 10: active by default ๏ can be disabled by notes.ini parameter starting with 10.0.1 FP4 ๏ HTTP_DISABLE_X_CONTENT_TYPE_OPTIONS_NOSNIFF=1. ๏ Domino 11: active by default ๏ same as above
- 17. #engageug Content-Security-Policy Content-Security-Policy ๏ More complex only needed if you provide input fields ๏ Defines approved sources of content that the browser may load ๏ Can be an effective countermeasure to Cross Site Scripting (XSS) attacks ๏ You can whitelist approved sources ๏ Details about the options: ๏ https://scotthelme.co.uk/content-security-policy-an-introduction/
- 18. #engageug Domino Administration Domino Administration basics ๏ Update to the latest version of domino to be more secure! ๏ Do the minimum on Domino ๏ Disable Port 80 or at least redirect it to 443 ๏ Hide your server type ๏ It’s 2022: use at least TLS 1.2 ๏ Protect your users/customers with HTTP-Headers ๏ More security requires a Reverse Proxy ๏ They are built for that See all details here. Source: https://en.rnug.ru/wp-content/uploads/2021/01/rnug-letsmakeyourdominowebserverrocksolid.pdf
- 20. #engageug API Integration at a Glance ๏User-Initiated ๏ Notes Client / Web / Mobile ๏ User Interaction ๏ Implementation: ๏ Notes Client Actions ๏ Agents (LS / Java) ๏ XPages App (Java) ๏ OSGi Plugins (Java) ๏Unattended ๏ Scheduled / Event-triggered ๏ No user interaction / Background ๏ Implementation: ๏ Agents (LS / Java) ๏ Agent → XPages (Java) ๏ DOTS (Java) ๏ XOTS (Java)
- 21. #engageug Language Selection ๏Java ๏ XPages ๏ Managed Beans, SSJS ๏ XOTS ๏ Plugins ๏ HTTP, DOTS ๏ Agents ๏ Java Agents ๏LotusScript ๏ Notes Client ๏ Actions, Events, etc. ๏ Agents ๏ Client-Side or Server-Side ๏JavaScript (limited) ๏ Web Browser ๏ SSJS ๏ App. Dev. Pack (?)
- 22. #engageug Java Agents ๏Java agents? Really Why? ๏ We still need them! ๏ Unattended run (scheduled agents) ๏ RunOnServer ๏Try to avoid, if possible ๏ Compatibility problems ๏ Memory Leak with JAR files ๏ Tip: Put your JAR files into /jvm/lib/ext ๏ (Very) Low Performance
- 23. #engageug Scheduling XPages Code ๏Why schedule XPages code? ๏ Agents are far from ideal ๏ Reuse the same codebase ๏ Modern(ish) development environment ๏How? ๏ Write your code ๏ /mydb.nsf/myAgent.xsp ๏ Create a scheduled agent ๏ Call “https://myserver.com/mydb.nsf/myAgent.xsp”
- 24. #engageug DOTS ๏DOTS: Domino OSGi Tasklet Services ๏ Server Tasklets for Domino ๏ Tasklet: A lightweight server task ๏ Run background tasks in a lightweight scalable container ๏ Separate JVM and OSGi Container ๏ Various triggers ๏ Manual (console commands / socket trigger) ๏ Scheduled or on server start ๏ Triggered (Hooks through data events)
- 25. #engageug DOTS ๏Some History ๏ 2010 - OpenNTF project contributed by IBM ๏ 2013 - Added to IBM Domino 9 Social Edition ๏ OpenSocial add-on ๏ Out of support (Internal Use Only) ๏ 2018 - Removed in Domino 10 ๏ 2021 - Came back into Domino 12 ๏ Installed with the Core product ๏ Support: Windows 64 and Linux 64 ๏ Upgraded to Eclipse OSGi 4.6.2 (Neon 2)
- 26. #engageug Lotus Script / Agents ๏Lotus Script / Agents ๏ Can do a lot (domino is able to work with other systems) ๏ Read / Write files ๏ Read / Write to SQL databases ๏ Read / Write SOAP Requests ๏ Read / Write REST APIs ๏ Remote control of other programs ๏ Can be invoked by ๏ Time: Scheduled Agent ๏ User: Action Button ๏ User: Events (eg opening a document) ๏Conclusion ๏ Usually works well. Implemented using non modern technology.
- 27. #engageug Real World Examples REAL WORLD EXAMPLES
- 28. #engageug Real World Examples ๏Scheduling XPages Code ๏ Hybrid Application ๏ 80% XPages, 20% Notes ๏ Documents to be sent a remote service over REST API ๏ New content and critical changes => Upload immediately ๏ Other changes => Queue and Upload next hour ๏ Upload code complications ๏ Java SDK supplied, fails in Java agents ๏ Upload should be scheduled ๏ Single document upload triggered by XPages and/or Notes Client ๏All possible complications in a single project…
- 29. #engageug Real World Examples ๏Scheduling XPages Code ๏ Upload business logic ๏ Java classes embedded in managed beans ๏ Utilise SDK and Apache HttpComponents ๏ XPages code ๏ Multimode: Upload specific document or process queue ๏ Java Agents ๏ Notes client can trigger Java agent to upload single document ๏ Scheduled Java agent runs every hour to trigger upload ๏ Security ๏ XPages code should only be triggered by a Java Agent ๏ Precautions: IP limitations, authentication, temporary backend document, etc.
- 30. #engageug Real World Examples ๏Uploading Data via FTP ๏ Problem: ๏ Newsletters and Campaign Communication ๏ Forced migration to a cloud-based e-mail marketing service ๏ Upload text files to a Secure FTP server ๏ Transient Customer data needed daily and weekly ๏ Custom Campaign data to be uploaded instantly ๏ Queries and Uploads take too much time and resource ๏ Security is the top-priority! ๏ Solution: ๏ DOTS Tasklets
- 31. #engageug Real World Examples ๏Uploading Data via FTP ๏ Tasklet can handle long-running upload process ๏ Watching queue every minute ๏ Very small footprint for queue monitoring ๏ Reuse Java code already developed before User builds a target query for the campaign Predefined target lists for newsletters UploadJob Queue DOTS Tasklet (Scheduled / Manual) •Fetch next UploadJob •Run query •Convert to CSV file •Compress •Upload to SCP Server Upload Job #1 Upload Job #2 … Upload Job #N
- 32. #engageug Real world examples ๏Expense Workflow - Accounting App Integration ๏ Very common scenario ๏ Expense form ๏ Reads and caches Project codes, Customers, etc. ๏ Writes back approved expense amounts ๏ Various Solutions ๏ SQL calls to Stored Procedures ๏ LotusScript using a DLL for integration ๏ Web Services (SOAP, REST, etc) ๏ Text file exchange
- 35. #engageug Real world SQLInterface class: run sql
- 36. #engageug Real world SQLInterface class: demo of usage
- 37. #engageug I am confused!?* What should I use? ๏Whenever you can, use an REST JSON API ๏ Instead of interacting with databases directly (LSX, ODBC) ๏ Instead of file transfers (Export / Import) ๏ And yes, instead of using HEI ๏ Use JAVA. Lotus Script implementation is far behind! ๏But keep in mind ๏ APIs can change very frequently (e.g. Microsoft M365) ๏ You don’t have control on details ๏ You don’t know the details (but most of the time, you are not interested in)
- 39. #engageug The question of life, the universe and all the rest There are only two hard things in Computer Science: - Cache invalidation and - Naming things (Source: Phil Karlton (Former Netscape developper)) „ „
- 40. #engageug Caching: How to ๏Caching: Main challenges ๏ When to provide ๏ When you request the same data multiple times ๏ The data you receive do not change very often or you know exactly when ๏ Time required to obtain the data is high ๏ YES, all of them! ๏ When to clean (cache invalidation) ๏ As early as possible without loosing the advantages ๏ Time based ๏ Data change recognised
- 42. #engageug Java Libraries ๏Utilise Libraries ๏ Practical Development ๏ OpenNTF Domino API ๏ Apache Commons ๏ Network Connections (REST APIs) ๏ Performance, compatibility, simplicity, protection from implementation changes ๏ HttpComponents (Apache Commons) ๏ Misc. ๏ POI (Java API for Microsoft Documents)
- 43. #engageug OSGi Plugins ๏Make use of OSGi Plugins ๏ Larger integration projects ๏ Multiple applications/business processes ๏ Broader functionality (UI modules, server-wide caching etc.) ๏ Easier implementations for various scenarios ๏ e.g. OAuth authentication ๏ Libraries ๏ XPages run in a secure container → Compatibility problems ๏ Jackson, Gson, some JDBC-wrappers, etc.
- 44. #engageug Logging ๏Use modern logging ๏ Log Levels ๏ Less is more, more is not enough… ๏ Consider stages ๏ Dev/Test and Production ๏ Tip: notes.ini ๏ Try OpenLog by Julian Robichaux ๏ Lotusscript: OpenLog ๏ XPages: XPages OpenLog Logger (Paul Withers) ๏ Java (XPages, DOTS, OSGi): XLogback (Serdar Basegmez)
- 45. #engageug JSON Processing using JAVA ๏What to process? How to process? ๏ Create/Consume JSON String ๏ Maps, Arrays, etc. ๏ IBM Commons, preloaded in Domino ๏ JSON ↔ Java Object conversions ๏ Direct Conversion between POJO and JSON ๏ Gson, Jackson, etc. ๏ JSON Streaming ๏ Read/Write large files/network streams ๏ Optimised CPU/Memory usage ๏ Gson, Jackson, etc.
- 46. #engageug JSON Processing ๏Java Options ๏ IBM Commons JSON Library ๏ Included in Domino ๏ Encapsulated Maps and Lists ๏ Gson (Google) ๏ Mid-weight, easy to use ๏ Object mapping, POJO conversion, streaming, etc. ๏ Jackson (FasterXML) ๏ More features (JAX-RS provider, language bindings, etc.) ๏ Tip: Gson and Jackson use Reflection ๏ Encapsulate into plugin ๏ Disable security (java.pol file)
- 47. #engageug JSON Processing using Javascript ๏How to process? ๏ Basic functionality of Javascript ๏ Very fast ๏ Very easy ๏ JSON ↔ JS Object conversions ๏ JSON.stringify ๏ JSON.parse
- 48. #engageug JSON Processing using Lotus Script ๏How to process? ๏ Two main classes to work with ๏ NotesJSONNavigator (reading) ๏ NotesJSONObject (writing) ๏ JSON ↔ JS Object conversions ๏ You have to run through the object ๏ No direct access ๏ Avoid to use it, if you work with large objects ๏ Buggy Has some difficulties ๏ Slow Needs time for processing and traversing ๏ Alternative (if you really have to, maybe) ๏ ls.snapps.JSONReader from OpenNTF
- 49. #engageug Java Tricks ๏JavaOptionsFile ๏ Adding JVM Options using notes.ini ๏ Setting TLS protocols (Important for Java Agents) ๏ Additional debugging, tweak third party libraries ๏ Client and Server ๏ Alternative Form: JavaUserOptionsFile ๏ Only custom options (after “-D”) ๏ DOTS uses a different JVM ๏ DOTS_JavaOptionsFile
- 50. #engageug Java Tricks ๏SSL and TLS issues ๏ Issues with HTTPS connections in Java agents ๏ Before Domino 9.0.1FP7, ๏ Use JavaOptionsFile to force TLS1.2 ๏ Technote KB0028812 ๏ SSL Handshake Errors ๏ Certification Authority information outdated ๏ Add trusted certificates to CACERTS ๏ Technote KB0035853 ๏ Much older versions ๏ Try your luck with Bouncy Castle
- 51. #engageug Litte helpers TOOLS / UTILITIES
- 52. #engageug Dev / Testing helper software / apps ๏Postman ๏PAW ๏SOAPUI ๏CURL ๏JSONLINT
- 53. #engageug Security Assessment / test websites Check your server ๏ SSL Labs (www.ssllabs.com) ๏ Grade change in January 2020 if you provide TLS 1.0/1.1
- 54. #engageug Security Assessment / test websites ๏ https://securityheaders.com/ ๏ Not every header is for every site ๏ Check your site functionality! HTTP Response Headers can break your site
- 55. Any questions?