
YellowDay: LotusLive Notes and the meaning of Hybrid

Unless you've been on a cruise for the last couple of days, you've probably heard about the announcement of LotusLive Notes (LLN). Whether you take the angle that this pushes IBM into immediate market leadership, or that they left out the crucial piece of custom applications, or that Lotus simply isn't as good a hosting provider as their business partners are -- you probably aren't aware of the key market differentiator that LLN provides: the hybrid model.

Well, let me amend that: you're probably aware of it, insofar as you've heard it mentioned. But you probably don't know how it works. And because this is an IBM offering, you're probably figuring that integrating an on-premises Domino implementation with the LLN hosted implementation means putting the IBM Tivoli Cross-Domain Federation Identity Broker Gateway Server into your DMZ with the custom IBM Lotus Domino Blarficator Addon pack that can only be installed by a team of 5 architect-level consultants from the Global Services team who charge $300 every 10 minutes and will only install the software on genuine IBM Z series hardware. So your minimum investment in that integration is $5.3 gagillion and it takes 17 months.

You're wrong.

Here's what you need to integrate your on-premises Domino implementation with LLN: an OU certifier and a single Domino server in the DMZ.

Yup. That's it.

Why? Because LLN is built on Domino, not some mishmash of technologies pretending to be Domino. And because it's Domino, it uses the Notes PKI and NRPC from the ground up. So when IBM asked themselves "how can we allow customers to manage the delegation of identity to our hosted environment?" they looked at how they'd solved that problem for customers since Notes 3 and said "we just need a certificate branch that we can control." So you give them an OU branch from your top-level O certificate, and they spawn all the servers they need from that.

Because they do it in Domino terms, that also means that every one of those servers can talk to your Domino server in the DMZ. You just need to enable it as a pass-thru server.  All the gateway services were built into Domino 4 versions ago.  There's nothing new there -- just 128-bit symmetric key encrypted NRPC travelling point-to-point between your DMZ and the LLN data center, and reaching from there into whatever directory and mail servers you've defined in your own Domino domain.

So what that really means is that when you use the hybrid features of LotusLive Notes, you're effectively using a hosted extension to your own existing domain. They even replicate your NAB.

That's all there is to it.  It's crazy elegant, really, because it doesn't worry about introducing a bunch of NEW stuff.  All these problems were addressed ages ago by the platform itself, and now there's just a really cool way to implement it with IBM as a service vendor instead of a product vendor.

And because it doesn't introduce a bunch of new stuff, it JUST WORKS. Your users get to their new LLN-based servers in exactly the same way they would if you migrated them from one server to another in your on-premises environment.  They work with calendar federation, schedule management, directories, authentication, local replicas and transparent mail routing exactly as they would with a high-quality Domino implementation: seamlessly. A cloud-based user can run a busy-time query against on-premises users the same way a pure premises implementation can -- because the server just proxies the request between all the individual home servers as defined by the directory.

Now I won't claim that the implementation is perfect.  There are unsupported features. There are quirks. There are limitations.  But on the whole, what IBM has done here is incredibly innovative and could only be accomplished with a technology like Notes, where identity and security are built into the DNA of the platform.

Here's the real kicker: IBM doesn't care if your "on-premises" servers are really on-premises. They don't even know whether they are. So if you want to, say, put your email services into the LotusLive cloud, but you're disappointed that you can't move your custom applications, you should realize: YOU CAN. You just can't move them to LotusLive. But you can move them to another hosting vendor that supports custom applications. And as far as IBM is concerned, that's just part of your "on-premises" Domino environment.

Have I mentioned the GROUP Live Platform-as-a-Service offering? As many of you saw at Lotusphere, that is our data center middleware platform that lets you dynamically implement and scale Lotus servers with a few clicks of a button. Naturally, we're now extending that platform to allow seamless integration with LLN, using the same fundamental strategy as the IBM team: exploiting Domino's existing capabilities to extend cloud enablement seamlessly across vendors. Whether you use it in your on-premises facilities, outsource your hosting to a third party, or want specific network deployments for specific applications, the approach chosen by IBM will allow maximum flexibility.

Of course, while this addresses the IT support need of servers & infrastructure, it doesn't address the business need of end user experience. Whether they're in the cloud or on-premises, your mission critical custom applications are still whatever you designed them to be. So the next big question is: how can we make a 10 year old workflow app not only sit in a hosted data center, but also work better when it does?

The answer, dear reader, is a tale for another blog post....

Comments

1 - You hit the nail on the head for hybrid access to LotusLive Notes:

"It's crazy elegant, really, because it doesn't worry about introducing a bunch of NEW stuff"

It really is that easy.

2 - Thank God. I hadn't dug into the implementation details of the LLN hybrid environment model, but I thought that it *should* be doable with current tech. But *would* IBM do it that way was always the question. It seemed stupid to do it any other way.

Totally badass.

3 - This is a wonderful opinion. The things mentioned are unanimous and need to be appreciated by everyone.


Disclaimer 

Welcome to Escape Velocity!

Opinions expressed here by Nathan T. Freeman are not necessarily those of his employer. However, there's a decent chance they are, so check with them if you really want to know.

But really... do you need that kind of validation? Are the opinions expressed here in doubt?
