Agents and trusted server access

Time: 2015-08-06 19:09:33

Tags: java lotus-notes lotus-domino lotus domino-designer-eclipse

My question is about Domino agents, trusted servers, and DIIOP. Before I describe the problem, let me give some background -

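I am creating an application that integrates with Domino and is able to delete certain emails from certain users' mailboxes. My initial design and implementation was to write all of my application on a middleware server (separate from the Domino servers), set up a session with the Domino server remotely via DIIOP and the Java API, and delete the appropriate email messages remotely. In the current deployment environment, the customer has multiple Domino mail servers, and for my current design/solution to work, the customer would have to open/enable DIIOP on all of their Domino mail servers so that the solution can delete the appropriate emails from the appropriate Domino mail server. Opening/enabling DIIOP on all of their mail servers is not something the customer is comfortable with, so I am at a point where I need to redesign the solution.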

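To meet this requirement - based on my research, I feel I can work around this limitation (not running DIIOP on all Domino mail servers) by converting my solution to an "Agent" model. My agent would run on one of the Domino servers, and from there it could access the databases/mail documents on any server and delete them. My current thinking is that I would invoke the agent through a URL from the middleware server, which would act as the trigger for my agent, and the agent would then go on to access and delete the appropriate mail documents. Please see the screenshot below for the "Trusted servers" element, which seems intended to allow an agent to access databases on another Domino mail server.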

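My questions are as follows -

  1. If I go ahead with this agent design model, then when the agent running on DominoMailServer1 tries to open/access a database on DominoMailServer2, does that connection not go through DIIOP? With this architecture, is there no need to enable/open DIIOP on DominoMailServer2? Does this communication happen through some other RPC mechanism, or through some underlying OS-level file-sharing mechanism that the agent executing on DominoMailServer1 uses (behind the scenes) to access the database on DominoMailServer2?

  2. With my initial design (my solution on the middleware server communicating with all the individual servers via DIIOP) - is there a way to enhance/modify the initial design so that DIIOP does not need to be opened on all the Domino mail servers in the environment, while still being able to access/delete the emails?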

  3. Trusted Server Support For Domino Agent

1 answer:

Answer 0 (score: 2)

When an agent running on DominoMailServer1 connects to DominoMailServer2, it is using NRPC - the proprietary protocol that Lotus invented in the late 1980s that allows Lotus Notes and Domino, and the Notes C API that lies underneath them (and underneath the implementation of all other APIs that work with Notes data), to communicate across different platforms and network types. NRPC on TCP/IP networks (which are all that really matter these days) runs on port 1352.

Re question 2, you don't have to use DIIOP. Your Java code can use Notes.jar instead of NCSO.jar. In order to use Notes.jar, though, you must have Notes or Domino code installed on the machine where your code is running. If it's a Windows machine you can install the Notes client. If it's not Windows, you can install the Domino server code for whatever the platform is, assuming it's one of the ones that IBM supports. The code needs to be installed, and it needs to be set up, but it doesn't have to be running for your Java code to work. All your Java code would actually be using is the underlying DLLs or libraries, along with the id file for authentication purposes, and this will allow Notes.jar to use NRPC. You'll need to check with your Notes/Domino management people and quite possibly with your IBM rep about any licensing implications this might have. IMHO, since your code is acting as a client, it ought to be considered a client even if it is using the libraries that came with a server install - but I can't tell you whether IBM agrees with this or not.

BTW, even though you didn't ask... The trusted server setting does what you surmise. It allows agents on one Domino server to access databases and documents on another Domino server. Prior to Domino 6, this was not allowed because when the agent contacted the other server via NRPC the other server had no way of knowing whose rights should be used to determine the level of access that was granted. All the target server knew was the identity of the server that was making the request. Even if the agent server told the target server who owned the agent, the target server would not trust that information because that could be a shortcut around the strong authentication Notes and Domino normally requires. The trusted server setting was implemented to identify servers that Domino will trust when they pass along the identity information associated with an agent.
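
The Notes.jar approach described in the answer above, sketched as an added example that is not part of the original answer or the asker's code. It assumes Notes.jar is on the classpath and a Notes client or Domino server install is set up on the machine; the class name, server name, mail file path and UNID are hypothetical placeholders passed as arguments.

```java
import lotus.domino.Database;
import lotus.domino.Document;
import lotus.domino.NotesException;
import lotus.domino.NotesFactory;
import lotus.domino.NotesThread;
import lotus.domino.Session;

/** Added example: local session via Notes.jar, so the target server needs no DIIOP task. */
public class NrpcMailCleanup {
    // args (all placeholders): <server> <mail file path> <document UNID>
    // e.g. "DominoMailServer2/ExampleOrg" "mail/jdoe.nsf" "<32-hex-char UNID>"
    public static void main(String[] args) {
        if (args.length != 3) {
            System.err.println("usage: NrpcMailCleanup <server> <dbPath> <unid>");
            System.exit(2);
        }
        NotesThread.sinitThread();   // load the native Notes runtime on this thread
        Session session = null;
        try {
            // No-argument form = local session that authenticates with the ID file
            // of the local install. The DIIOP form used with NCSO.jar is
            // createSession(host, user, password).
            session = NotesFactory.createSession();
            // The access granted on the target is that of this identity.
            System.out.println("Acting as: " + session.getEffectiveUserName());

            // Remote open goes over NRPC (port 1352 on TCP/IP), not DIIOP.
            Database db = session.getDatabase(args[0], args[1]);
            if (db == null || !db.isOpen()) {
                System.err.println("Cannot open " + args[1] + " on " + args[0]
                        + " (check the ACL entry for this ID)");
                return;
            }
            Document doc = db.getDocumentByUNID(args[2]);   // throws if the UNID is unknown
            System.out.println("Deleting: " + doc.getItemValueString("Subject"));
            boolean removed = doc.remove(true);
            System.out.println(removed ? "removed" : "not removed");
        } catch (NotesException e) {
            System.err.println("Notes error " + e.id + ": " + e.text);
        } finally {
            try {
                // Recycling the session also recycles the objects created from it.
                if (session != null) session.recycle();
            } catch (NotesException ignored) { }
            NotesThread.stermThread();   // release the native runtime
        }
    }
}
```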