Front cover - IBM Redbooks

11.2 HTTP server security
New for
Domino 6
Starting with Domino 6, Lotus Domino has a completely new HTTP server. This
new HTTP “stack” is more modern than the original code that was incorporated
into Domino at the time of the introduction of support for the HTTP protocol with
Domino 4.5. This new Domino 6 stack no longer incorporates legacy HTTP code
components from the original IBM HTTP server (also known as ICS). This means
that Domino 6 has changes in its HTTP stacks API support.
The new stack includes enhanced Web site/virtual host administration, HTTP 1.1
persistent connections, and improved session handling. From the security side of
things, there is also better denial of service (DOS) attack handling, with more
administrative control over the number of path segments, max header size, URL
length, and so forth. One can also do IP filtering with wildcards by having access
or deny lists based on IP address.
Additionally, the new stack includes improved HTTP plug-in support to allow for
the ability to plug the Domino HTTP server into third-party Web servers
(including putting a firewall between the Web server and Domino), and an
extended/improved DSAPI plug-in to make it easier to write custom plug-ins to
the Domino HTTP server. These two features (DSAPI and HTTP plug-ins) are
described in more detail in the next two sections.
11.2.1 Domino Web Server API
The Domino Web Server Application Programming Interface (DSAPI) is a C API
tool that lets you write your own extensions to the Domino Web server. These
extensions, or filters, let you customize the authentication of Web users.
At the time of Domino 4.6.1, the original IBM Web Server (ICS) was renamed as
the Domino “GO” Web Server, and the common API for both Domino and this
new Domino “GO” server was called GWAPI (Go Webserver Application
Programming Interface). However, starting with Domino 5.0, a new, totally
cross-platform API was provided to extend the functionality of such custom
plug-ins. This Domino 5 DSAPI interacted with the “legacy” ICS HTTP stack that
was still part of Domino 5, so it still provided GWAPI compatibility (though not
advertised, just tolerated compatibility). This was a source of complexity and was
streamlined in the new Domino 6 HTTP stack, which includes an improved
DSAPI.
Given the historical changes in the DSAPI, it is important to examine any
R5-based DSAPI plug-ins that may exist in your architecture when upgrading to
Domino 6. Despite the fact that a DSAPI designed for Domino 5 “could” run in
Lotus Domino 6, if it has not been designed to support the new HTTP stack
architecture, it may not perform optimally. In other words, it may be functioning,
Chapter 11. Domino/Notes 6 security features 447