
com.ibm.jsse2.util.h: No trusted certificate found


In our IBM Domino based application we are about to integrate with a system using REST API.

However, recently we came across a problem which seems very hard to solve.

When sending a request, we get the following exception:

Error while executing JavaScript action expression
Script interpreter error, line=14, col=32: Error calling method 'initializeAuthProcess(string, string)' on java class 'ru.iteko.egrz.requestprocessors.EGRZAuthorization'
com.ibm.jsse2.util.h: No trusted certificate found
No trusted certificate found

The reason why it's so embarrassing is the lack of documentation and of any kind of guide to why all this happens.

So, there's a click action on a button like so

 <xp:eventHandler event="onclick" submit="true"
    refreshMode="complete">
    <xp:this.action><![CDATA[#{javascript:
    var redirectUrl = 'https://oursystem.ru';
    var errorRedirectUrl = 'https://oursystem.ru/errorPage';

    var EGRZAuthObject = new ru.iteko.egrz.requestprocessors.EGRZAuthorization();

    EGRZAuthObject.initializeAuthProcess(redirectUrl, errorRedirectUrl);

    }]]></xp:this.action>
 </xp:eventHandler>

In an instance of EGRZAuthorization class there's the following method called

public static void initializeAuthProcess(String redirectUrl, String apiRedirectUrl) throws ClientProtocolException, IOException 
{
    CloseableHttpClient httpclient = HttpClients.createDefault();
    String urlToGoTo = AuthURLs.ESIALoginURL(redirectUrl, apiRedirectUrl);
    System.out.println(urlToGoTo);
    HttpGet httpGet = new HttpGet(urlToGoTo);
    CloseableHttpResponse response1 = httpclient.execute(httpGet);
    System.out.println("resp code " + response1.getStatusLine());
    response1.close();
}

The exception occurs where the request gets executed.

Stacktrace:

com.ibm.jsse2.util.h: No trusted certificate found
    com.ibm.jsse2.util.g.a(g.java:183)
    com.ibm.jsse2.util.g.b(g.java:43)
    com.ibm.jsse2.util.e.a(e.java:4)
    com.ibm.jsse2.aB.a(aB.java:211)
    com.ibm.jsse2.aB.a(aB.java:5)
    com.ibm.jsse2.aB.checkServerTrusted(aB.java:49)
    com.ibm.jsse2.E.a(E.java:166)
    com.ibm.jsse2.E.a(E.java:121)
    com.ibm.jsse2.D.r(D.java:223)
    com.ibm.jsse2.D.a(D.java:198)
    com.ibm.jsse2.at.a(at.java:649)
    com.ibm.jsse2.at.i(at.java:627)
    com.ibm.jsse2.at.a(at.java:689)
    com.ibm.jsse2.at.startHandshake(at.java:432)
    org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:436)
    org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:384)
    org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
    org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:374)
    org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393)
    org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
    org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186)
    org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
    org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
    org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
    org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
    org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
    ru.iteko.egrz.requestprocessors.EGRZAuthorization.initializeAuthProcess(EGRZAuthorization.java:32)

Here's the smart bit. The urlToGoTo variable equals http://lk.egrz-test.i-teco.ru/fws/api/esia/login?errorRedirectUrl=https://oursystem.ru/errorPage&redirectUrl=https://oursystem.ru

And what it does is redirect a user to an external resource for authorization.

To sum up, here's what it all looks like:

  1. We send a GET request to the urlToGoTo
  2. Then that service redirects us to a resource which uses HTTPS (if it matters)

But we can't even see it, because we get the exception above. The request isn't executed at all.

We have already installed the required certificate (external source, auth, HTTPS, where we get redirected in the end) and cross-certified it. But still with no luck.

I hope that there's a solution, please help. Personally, I have no idea why this happens.

Thanks in advance


Solution

  • Well, the way to fix that is as follows:

    sudo /*path to ikeycmd*/ -cert -add -db /*path to cacerts*/ -file /*path to ssl certificate*/ -format binary -trust enable -type jks

    It might prompt for a password. The default is changeit.

    It is better to import the entire chain.

    Then execute the command res ser in Domino Administrator.

    Now it should work.