javalotus-domino
Create cross certificate for Domino Java agent?
I am trying to connect to an https enabled web service using a Domino java agent. It works fine using http but fails on https. I disabled TLS 1.2 (apparently Fix Pack 4 and 5 have a bug with TLS 1.2 and Java).
Now I get the following errors...
[1034:0007-1164] 12/08/2015 05:44:57.75 PM SSLAdvanceHandshake Exit> State HandshakeCertificate (8)
[1034:0007-1164] 12/08/2015 05:44:57.75 PM SSLProcessHandshakeMessage Enter> Message: Certificate (11) State: HandshakeCertificate (8) Key Exchange: 15 Cipher: ECDHE_RSA_WITH_AES_256_CBC_SHA (0xC014)
[1034:0007-1164] 12/08/2015 05:44:57.80 PM SSLCheckCertChain> Invalid certificate chain received
[1034:0007-1164] Cert Chain Evaluation Status: err: 3659, Cannot establish trust in a certificate or CRL.
[1034:0007-1164] 12/08/2015 05:44:57.80 PM SSLSendAlert> Sending an alert of 0x0 (close_notify) level 0x2 (fatal)
[1034:0007-1164] 12/08/2015 05:44:57.80 PM SSLProcessHandshakeMessage Exit> Message: Certificate (11) State: SSLErrorClose (2) Key Exchange: 15 Cipher: ECDHE_RSA_WITH_AES_256_CBC_SHA (0xC014)
[1034:0007-1164] 12/08/2015 05:44:57.80 PM SSL_Handshake> Changing SSL status from -6986 to -5000 to flush write queue
[1034:0007-1164] 12/08/2015 05:44:57.80 PM SSL_Handshake> After handshake state = SSLErrorClose (2); Status = -5000
[1034:0007-1164] 12/08/2015 05:44:57.80 PM int_MapSSLError> Mapping SSL error -5000 to 4176 [SSLHandshakeNoDone]
[1034:0007-1164] 12/08/2015 05:44:57.80 PM S_Write> Enter len = 7
[1034:0007-1164] 12/08/2015 05:44:57.80 PM SSL_Xmt> 00000000: 15 03 01 00 02 02 00 '.......'
[1034:0007-1164] 12/08/2015 05:44:57.80 PM S_Write> Switching Endpoint to sync
[1034:0007-1164] 12/08/2015 05:44:57.81 PM S_Write> Posting a nti_snd for 7 bytes
[1034:0007-1164] 12/08/2015 05:44:57.81 PM SSL_EncryptData> SSL not init exit
[1034:0007-1164] 12/08/2015 05:44:57.81 PM S_Write> Switching Endpoint to async
[1034:0007-1164] 12/08/2015 05:44:57.81 PM SSL_EncryptDataCleanup> SSL not init exit
[1034:0007-1164] 12/08/2015 05:44:57.81 PM S_Write> nti_done return 7 bytes rc = 0
[1034:0007-1164] 12/08/2015 05:44:57.81 PM S_Write> Exit, wrote 7 bytes
[1034:0007-1164] 12/08/2015 05:44:57.81 PM SSL_Handshake> After handshake2 state SSLErrorClose (2)
[1034:0007-1164] 12/08/2015 05:44:57.81 PM int_MapSSLError> Mapping SSL error -6986 to 4163 [X509CertChainInvalidErr]
[1034:0007-1164] 12/08/2015 05:44:57 PM Agent Manager: Agent error: WebServiceEngineFault
faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.generalException
faultSubcode:
faultString: Error connecting to 'api.qa.silverlining.synovia.com' on port '443', SSL invalid certificate, may need to cross-certify.
faultActor:
faultNode:
faultDetail:
[1034:0007-1164] 12/08/2015 05:44:57 PM Agent Manager: Agent error: Error connecting to 'api.qa.silverlining.synovia.com' on port '443', SSL invalid certificate, may need to cross-certify.
[1034:0007-1164] 12/08/2015 05:44:57 PM Agent Manager: Agent error: at lotus.domino.axis.InternalFault.makeFault(Unknown Source)
[1034:0007-1164] 12/08/2015 05:44:57 PM Agent Manager: Agent error: at lotus.domino.axis.transport.http.HTTPSender.invoke(Unknown Source)
[1034:0007-1164] 12/08/2015 05:44:57 PM Agent Manager: Agent error: at lotus.domino.axis.strategies.InvocationStrategy.visit(Unknown Source)
[1034:0007-1164] 12/08/2015 05:44:57 PM Agent Manager: Agent error: at lotus.domino.axis.SimpleChain.doVisiting(Unknown Source)
[1034:0007-1164] 12/08/2015 05:44:57 PM Agent Manager: Agent error: at lotus.domino.axis.SimpleChain.invoke(Unknown Source)
[1034:0007-1164] 12/08/2015 05:44:57 PM Agent Manager: Agent error: at lotus.domino.axis.client.AxisClient.invoke(Unknown Source)
[1034:0007-1164] 12/08/2015 05:44:57 PM Agent Manager: Agent error: at lotus.domino.axis.client.Call.invokeEngine(Unknown Source)
[1034:0007-1164] 12/08/2015 05:44:57 PM Agent Manager: Agent error: at lotus.domino.axis.client.Call.invoke(Unknown Source)
[1034:0007-1164] 12/08/2015 05:44:57 PM Agent Manager: Agent error: at lotus.domino.axis.client.Call.invoke(Unknown Source)
[1034:0007-1164] 12/08/2015 05:44:57 PM Agent Manager: Agent error: at lotus.domino.axis.client.Call.invoke(Unknown Source)
[1034:0007-1164] 12/08/2015 05:44:57 PM Agent Manager: Agent error: at lotus.domino.axis.client.Call.invoke(Unknown Source)
[1034:0007-1164] 12/08/2015 05:44:57 PM Agent Manager: Agent error: at lotus.domino.websvc.client.Call.invoke(Unknown Source)
[1034:0007-1164] 12/08/2015 05:44:57 PM Agent Manager: Agent error: at org.tempuri.BasicHttpBinding_ISynoviaApi1Stub.s0001(BasicHttpBinding_ISynoviaApi1Stub.java:11)
[1034:0007-1164] 12/08/2015 05:44:57 PM Agent Manager: Agent error: at JavaAgent.NotesMain(Unknown Source)
[1034:0007-1164] 12/08/2015 05:44:57 PM Agent Manager: Agent error: at lotus.domino.AgentBase.runNotes(Unknown Source)
[1034:0007-1164] 12/08/2015 05:44:57 PM Agent Manager: Agent error: at lotus.domino.NotesThread.run(Unknown Source)
[1034:0007-1164] 12/08/2015 05:44:57 PM Agent Manager: Agent error: Caused by:
[1034:0007-1164] 12/08/2015 05:44:58 PM Agent Manager: Agent error: Error connecting to 'api.qa.silverlining.synovia.com' on port '443', SSL invalid certificate, may need to cross-certify.
[1034:0007-1164] 12/08/2015 05:44:58 PM Agent Manager: Agent error: at lotus.domino.axis.transport.http.NotesSocket.openConnection(Native Method)
[1034:0007-1164] 12/08/2015 05:44:58 PM Agent Manager: Agent error: at lotus.domino.axis.transport.http.NotesSocket.<init>(Unknown Source)
[1034:0007-1164] 12/08/2015 05:44:58 PM Agent Manager: Agent error: at lotus.domino.axis.transport.http.HTTPSender.getSocket(Unknown Source)
[1034:0007-1164] 12/08/2015 05:44:58 PM Agent Manager: Agent error: ... 15 more
[1034:0005-11A0] 12/08/2015 05:44:58 PM AMgr: Agent 's0001' in 'testweb.nsf' completed execution
The service I am connecting to is a DigiCert SSL certificate. I tried using Explorer and exporting a .cer file and importing that to the Domino directory with no luck. I also tried importing it into cacerts but that did not do anything either.
Any suggestions? Howard
Solution
Before consuming the WS you need to cross certificate (in Domino) the api.qa.silverlining.synovia.com certificate.
The Official doc, is not so clear so find below how to cross certify with the web server that have the ssl your want to cross certify to:
- copy the server id in your notes client.
- in your client, switch to id of the server
- go to User Security / People, Services / Find more about people/services:
- click the "Retrieve Internet service certificate" button
- check that the protocol is ok (sometime specify "Other" and fill port manually) and do not put "https" for service name.
- go to the LOCAL names of your client
- copy the cross certification (it's a document) from your local names.nsf to your server names.nsf:
I don't remember if it is necessary:
tell http refresh
- Hibernate: How to fix "identifier of an instance altered from X to Y"?
- Validate list inside request with springboot against [null]
- Java - Having a huge ArrayList (1 million +), how to create a String of it in a acceptable amount of time?
- What is the standard/modern way to use CAC/PIV card authentication in Java/Tomcat web applications?
- Month name from Month Numbers in android
- Lottie animation is showing as a still image but not playing
- Building an uberjar with Gradle
- How to disable security in Quarkus
- How to Compress/Decompress tar.gz files in java
- How to compare JSON documents and return the differences with Jackson or Gson?
- Sonarqube: Missing blame information for the following files
- How can the Page Size, Page Orientation, and Page Margins of an ods Spreadsheet Be Set Using ODFDOM?
- Don't get any result using Saxon Xpath 2.0
- Convert ISO 8601 string in UTC to local time - JodaTime is adding the opposite of local time zone
- Gradle could not start your build
- How to provide a null value for a bean using Mockito and JUnit?
- spring batch dependency cycle
- SimpMessagingTemplate not sending messages in spring boot
- java.net.ConnectException: Failed to connect to localhost/127.0.0.1:xxxx while invoking Firefox browser in Headless mode
- Fernflower and IntelliJ IDEA's java-decompiler
- Joda Time get date from Year + WeekOfYear + DayOfWeek
- Using two values for one switch case statement
- Audio timescale-pitch modification - Open source examples?
- Row was updated or deleted by another transaction (or unsaved-value mapping was incorrect)
- Hibernate StaleObjectStateException After Upgrading to 6.6.3: Row was updated or deleted by another transaction or unsaved-value mapping was incorrect
- How to convert message to (copco) open protocol based on tcp/ip with Java sockets?
- Spring doesn't recommend to annotate interface methods with @Cache* annotation on Spring HttpInterface
- How to add self-signed generated certificate to trusted certificates from inside a Java keystore?
- Spring Boot 3.4.0 lets integration tests with JPA/Hibernate fail
- How to hash some String with SHA-256 in Java?