User D.Bugger on this portal has resolved this issue; however, he did not give more details on how he resolved it. So it would be great if he could answer, or if anyone who has faced and resolved this could help.
We are configuring Web service consumption on a Domino server. For that purpose we exported the remote server's root certificate and imported it into the Domino JVM by referring to: http://www-01.ibm.com/support/docview.wss?uid=swg21588966. We also imported the certificate on the Lotus Notes client and IE browser; however, we are still facing the same cross-certification error, shown below, when the web agent runs. So we really need to create a cross certificate in the Domino directory for the remote server, as we are accessing the remote server's service. Are there any exact steps that we need to follow (some admin guide or so) to achieve this?
Server log:
12/16/2014 12:22:40 PM Opened session for Domino/SVR (Release 8.5)
12/16/2014 12:22:40 PM HTTP JVM: Error ; nested exception is:
12/16/2014 12:22:40 PM HTTP JVM: Error connecting to 'something.thing.com' on port '443', SSL invalid certificate, may need to cross-certify.
12/16/2014 12:22:40 PM HTTP JVM: WebServiceEngineFault
12/16/2014 12:22:40 PM HTTP JVM: faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.generalException
12/16/2014 12:22:40 PM HTTP JVM: faultSubcode:
12/16/2014 12:22:40 PM HTTP JVM: faultString: Error connecting to 'something.thing.com' on port '443', SSL invalid certificate, may need to cross-certify.
12/16/2014 12:22:40 PM HTTP JVM: faultActor:
12/16/2014 12:22:40 PM HTTP JVM: faultNode:
12/16/2014 12:22:40 PM HTTP JVM: faultDetail:
12/16/2014 12:22:40 PM HTTP JVM: Error connecting to 'something.thing.com' on port '443', SSL invalid certificate, may need to cross-certify.
I had a similar problem before. As far as I can see, this might be related to a known issue involving faulty behaviour in the SSL client of some server tasks (SMTP, DA, WebService Consumer, etc.).
http://www-01.ibm.com/support/docview.wss?uid=swg21673152
Here, an IBM engineer explains the problem:
This SPR deals with an issue where the Domino server is acting as the SSL client. After the SSL server has sent the server certificate and server key exchange messages, the SSL server can optionally request a certificate from the SSL client, specifying a list of distinguished names of acceptable certificate authorities. In some instances, no DN list of acceptable certificate authorities is specified by the SSL server.
Currently, in this case (where the SSL server is requesting a client certificate from Domino but does not specify the acceptable certificate authorities), the Domino server will respond with a fatal alert and end the SSL handshake. In a future fix, the Domino server will send a non-fatal SSL alert or the cert that it has, depending on the customer's preference.
However, it seems to be fixed in 9.0.1 FP2.
http://www-10.lotus.com/ldd/fixlist.nsf/Public/1CFEB3634431FC6685257C5C0047848B?OpenDocument
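The condition the IBM note describes is a CertificateRequest whose list of acceptable CA distinguished names is empty. As an added example (not part of the original posts or IBM's code), this Python parser reads a CertificateRequest handshake message in the TLS 1.0-1.2 layout and flags that case; the function names and the sample bytes are constructed for illustration.

```python
# Added example: parse a TLS 1.0-1.2 CertificateRequest handshake message and
# report whether its certificate_authorities (acceptable CA DN) list is empty.
CERTIFICATE_REQUEST = 13  # HandshakeType value for certificate_request


def parse_certificate_request(msg: bytes, tls12: bool = False) -> dict:
    if len(msg) < 4 or msg[0] != CERTIFICATE_REQUEST:
        raise ValueError("not a CertificateRequest handshake message")
    body = msg[4:]
    if len(body) != int.from_bytes(msg[1:4], "big"):
        raise ValueError("handshake length does not match message size")
    pos = 0

    def take(n: int) -> bytes:
        # Consume n bytes of the body, refusing to read past its end.
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("truncated field")
        pos += n
        return body[pos - n:pos]

    cert_types = list(take(take(1)[0]))       # certificate_types, 1-byte length
    if tls12:
        take(int.from_bytes(take(2), "big"))  # skip supported_signature_algorithms
    ca_len = int.from_bytes(take(2), "big")   # certificate_authorities, 2-byte length
    if pos + ca_len != len(body):
        raise ValueError("certificate_authorities length mismatch")
    ca_dns = []
    while pos < len(body):
        dn_len = int.from_bytes(take(2), "big")
        if dn_len == 0:
            raise ValueError("empty DistinguishedName entry")
        ca_dns.append(take(dn_len))           # DER-encoded X.501 Name
    return {"cert_types": cert_types, "ca_dns": ca_dns, "empty_ca_list": not ca_dns}


def _handshake(body: bytes) -> bytes:
    # Prepend the 1-byte handshake type and 3-byte length.
    return bytes([CERTIFICATE_REQUEST]) + len(body).to_bytes(3, "big") + body


# Constructed samples, not captured traffic. Certificate type 1 is rsa_sign.
SAMPLE_DN = bytes.fromhex("30123110300e06035504031307") + b"Test CA"  # CN=Test CA
EMPTY_CA_REQUEST = _handshake(b"\x01\x01" + b"\x00\x00")
NAMED_CA_REQUEST = _handshake(
    b"\x01\x01" + (len(SAMPLE_DN) + 2).to_bytes(2, "big")
    + len(SAMPLE_DN).to_bytes(2, "big") + SAMPLE_DN)

if __name__ == "__main__":
    for name, msg in (("empty", EMPTY_CA_REQUEST), ("named", NAMED_CA_REQUEST)):
        print(name, parse_certificate_request(msg))
```

A result with `empty_ca_list` set to true corresponds to the case where the SSL server requests a client certificate without naming acceptable certificate authorities.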