
I am trying to connect to an HTTPS-enabled web service using a Domino Java agent. It works fine using HTTP but fails on HTTPS. I disabled TLS 1.2 (apparently Fix Pack 4 and 5 have a bug with TLS 1.2 and Java).

Now I get the following errors...

    [1034:0007-1164] 12/08/2015 05:44:57.75 PM SSLAdvanceHandshake Exit> State HandshakeCertificate (8)
    [1034:0007-1164] 12/08/2015 05:44:57.75 PM SSLProcessHandshakeMessage Enter> Message: Certificate (11) State: HandshakeCertificate (8) Key Exchange: 15 Cipher: ECDHE_RSA_WITH_AES_256_CBC_SHA (0xC014)
    [1034:0007-1164] 12/08/2015 05:44:57.80 PM SSLCheckCertChain> Invalid certificate chain received
    [1034:0007-1164] Cert Chain Evaluation Status: err: 3659, Cannot establish trust in a certificate or CRL.
    [1034:0007-1164] 12/08/2015 05:44:57.80 PM SSLSendAlert> Sending an alert of 0x0 (close_notify) level 0x2 (fatal)
    [1034:0007-1164] 12/08/2015 05:44:57.80 PM SSLProcessHandshakeMessage Exit> Message: Certificate (11) State: SSLErrorClose (2) Key Exchange: 15 Cipher: ECDHE_RSA_WITH_AES_256_CBC_SHA (0xC014)
    [1034:0007-1164] 12/08/2015 05:44:57.80 PM SSL_Handshake> Changing SSL status from -6986 to -5000 to flush write queue
    [1034:0007-1164] 12/08/2015 05:44:57.80 PM SSL_Handshake> After handshake state = SSLErrorClose (2); Status = -5000
    [1034:0007-1164] 12/08/2015 05:44:57.80 PM int_MapSSLError> Mapping SSL error -5000 to 4176 [SSLHandshakeNoDone]
    [1034:0007-1164] 12/08/2015 05:44:57.80 PM S_Write> Enter len = 7
    [1034:0007-1164] 12/08/2015 05:44:57.80 PM SSL_Xmt> 00000000: 15 03 01 00 02 02 00                              '.......'
    [1034:0007-1164] 12/08/2015 05:44:57.80 PM S_Write> Switching Endpoint to sync
    [1034:0007-1164] 12/08/2015 05:44:57.81 PM S_Write> Posting a nti_snd for 7 bytes
    [1034:0007-1164] 12/08/2015 05:44:57.81 PM SSL_EncryptData> SSL not init exit
    [1034:0007-1164] 12/08/2015 05:44:57.81 PM S_Write> Switching Endpoint to async
    [1034:0007-1164] 12/08/2015 05:44:57.81 PM SSL_EncryptDataCleanup> SSL not init exit
    [1034:0007-1164] 12/08/2015 05:44:57.81 PM S_Write> nti_done return 7 bytes rc = 0
    [1034:0007-1164] 12/08/2015 05:44:57.81 PM S_Write> Exit, wrote 7 bytes
    [1034:0007-1164] 12/08/2015 05:44:57.81 PM SSL_Handshake> After handshake2 state SSLErrorClose (2)
    [1034:0007-1164] 12/08/2015 05:44:57.81 PM int_MapSSLError> Mapping SSL error -6986 to 4163 [X509CertChainInvalidErr]
    [1034:0007-1164] 12/08/2015 05:44:57 PM  Agent Manager: Agent  error: WebServiceEngineFault
      faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.generalException
      faultSubcode: 
      faultString: Error connecting to 'api.qa.silverlining.synovia.com' on port '443', SSL invalid certificate, may need to cross-certify.
      faultActor: 
      faultNode: 
      faultDetail: 
    [1034:0007-1164] 12/08/2015 05:44:57 PM  Agent Manager: Agent  error: Error connecting to 'api.qa.silverlining.synovia.com' on port '443', SSL invalid certificate, may need to cross-certify.
    [1034:0007-1164] 12/08/2015 05:44:57 PM  Agent Manager: Agent  error:   at lotus.domino.axis.InternalFault.makeFault(Unknown Source)
    [1034:0007-1164] 12/08/2015 05:44:57 PM  Agent Manager: Agent  error:   at lotus.domino.axis.transport.http.HTTPSender.invoke(Unknown Source)
    [1034:0007-1164] 12/08/2015 05:44:57 PM  Agent Manager: Agent  error:   at lotus.domino.axis.strategies.InvocationStrategy.visit(Unknown Source)
    [1034:0007-1164] 12/08/2015 05:44:57 PM  Agent Manager: Agent  error:   at lotus.domino.axis.SimpleChain.doVisiting(Unknown Source)
    [1034:0007-1164] 12/08/2015 05:44:57 PM  Agent Manager: Agent  error:   at lotus.domino.axis.SimpleChain.invoke(Unknown Source)
    [1034:0007-1164] 12/08/2015 05:44:57 PM  Agent Manager: Agent  error:   at lotus.domino.axis.client.AxisClient.invoke(Unknown Source)
    [1034:0007-1164] 12/08/2015 05:44:57 PM  Agent Manager: Agent  error:   at lotus.domino.axis.client.Call.invokeEngine(Unknown Source)
    [1034:0007-1164] 12/08/2015 05:44:57 PM  Agent Manager: Agent  error:   at lotus.domino.axis.client.Call.invoke(Unknown Source)
    [1034:0007-1164] 12/08/2015 05:44:57 PM  Agent Manager: Agent  error:   at lotus.domino.axis.client.Call.invoke(Unknown Source)
    [1034:0007-1164] 12/08/2015 05:44:57 PM  Agent Manager: Agent  error:   at lotus.domino.axis.client.Call.invoke(Unknown Source)
    [1034:0007-1164] 12/08/2015 05:44:57 PM  Agent Manager: Agent  error:   at lotus.domino.axis.client.Call.invoke(Unknown Source)
    [1034:0007-1164] 12/08/2015 05:44:57 PM  Agent Manager: Agent  error:   at lotus.domino.websvc.client.Call.invoke(Unknown Source)
    [1034:0007-1164] 12/08/2015 05:44:57 PM  Agent Manager: Agent  error:   at org.tempuri.BasicHttpBinding_ISynoviaApi1Stub.s0001(BasicHttpBinding_ISynoviaApi1Stub.java:11)
    [1034:0007-1164] 12/08/2015 05:44:57 PM  Agent Manager: Agent  error:   at JavaAgent.NotesMain(Unknown Source)
    [1034:0007-1164] 12/08/2015 05:44:57 PM  Agent Manager: Agent  error:   at lotus.domino.AgentBase.runNotes(Unknown Source)
    [1034:0007-1164] 12/08/2015 05:44:57 PM  Agent Manager: Agent  error:   at lotus.domino.NotesThread.run(Unknown Source)
    [1034:0007-1164] 12/08/2015 05:44:57 PM  Agent Manager: Agent  error: Caused by: 
    [1034:0007-1164] 12/08/2015 05:44:58 PM  Agent Manager: Agent  error: Error connecting to 'api.qa.silverlining.synovia.com' on port '443', SSL invalid certificate, may need to cross-certify.
    [1034:0007-1164] 12/08/2015 05:44:58 PM  Agent Manager: Agent  error:   at lotus.domino.axis.transport.http.NotesSocket.openConnection(Native Method)
    [1034:0007-1164] 12/08/2015 05:44:58 PM  Agent Manager: Agent  error:   at lotus.domino.axis.transport.http.NotesSocket.<init>(Unknown Source)
    [1034:0007-1164] 12/08/2015 05:44:58 PM  Agent Manager: Agent  error:   at lotus.domino.axis.transport.http.HTTPSender.getSocket(Unknown Source)
    [1034:0007-1164] 12/08/2015 05:44:58 PM  Agent Manager: Agent  error:   ... 15 more
    [1034:0005-11A0] 12/08/2015 05:44:58 PM  AMgr: Agent 's0001' in 'testweb.nsf' completed execution

The service I am connecting to uses a DigiCert SSL certificate. I tried using Explorer and exporting a .cer file and importing that into the Domino Directory with no luck. I also tried importing it into cacerts, but that did not do anything either.

Any suggestions?

Howard
  • I have the same issue :( and can't resolve it for days. I get a Network IO Error when I try to import the certificate. However, I managed to do that from the Mac Lotus Notes client; it looks like it is an issue in the client? – Dmytro Pastovenskyi Dec 09 '15 at 18:33
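The trace above can be triaged mechanically. The following POSIX shell script is an added example, not code from the question or the answers: it pulls the negotiated cipher, the Notes error names Domino mapped, and the alert record Domino sent (the `SSL_Xmt` hex dump) out of a Domino SSL debug trace and decides whether the failure is a certificate-chain trust problem, which is what `X509CertChainInvalidErr` and "Cannot establish trust in a certificate or CRL" mean, rather than a cipher or protocol mismatch. The embedded sample is a constructed excerpt of the lines quoted above; the alert descriptions come from RFC 5246. On that sample the record `15 03 01 00 02 02 00` decodes to a TLS 1.0 fatal close_notify, which matches the "Sending an alert of 0x0 (close_notify) level 0x2 (fatal)" line and confirms that TLS 1.2 really was disabled (record version 03 01).

```shell
#!/bin/sh
# Added example, not code from the question or the answers: triage a Domino
# SSL debug trace like the one quoted above. Assumption: the trace uses the
# line formats shown there (Cipher:, int_MapSSLError>, SSL_Xmt> hex dump).

# Decode one TLS alert record given as hex bytes, e.g. "15 03 01 00 02 02 00".
# Record layout: type(1) version(2) length(2) level(1) description(1).
decode_alert_record() {
    set -- $(printf '%s' "$1" | tr 'A-F' 'a-f')
    [ "$1" = "15" ] || { echo "not an alert record (type 0x$1)"; return 1; }
    case "$2$3" in
        0300) ver="SSLv3" ;;  0301) ver="TLS1.0" ;;
        0302) ver="TLS1.1" ;; 0303) ver="TLS1.2" ;;
        *)    ver="ver-0x$2$3" ;;
    esac
    case "$6" in 01) level="warning" ;; 02) level="fatal" ;; *) level="level-0x$6" ;; esac
    # Alert descriptions from RFC 5246 section 7.2 (subset).
    case "$7" in
        00) desc="close_notify" ;;        28) desc="handshake_failure" ;;
        2a) desc="bad_certificate" ;;     2b) desc="unsupported_certificate" ;;
        2c) desc="certificate_revoked" ;; 2d) desc="certificate_expired" ;;
        2e) desc="certificate_unknown" ;; 30) desc="unknown_ca" ;;
        46) desc="protocol_version" ;;    *)  desc="alert-0x$7" ;;
    esac
    echo "$ver $level $desc"
}

# Summarise a trace file ($1): negotiated cipher, the alert Domino sent, the
# Notes error names it mapped, and a verdict. Returns 0 when the failure is a
# certificate-chain trust problem (the case in the question), 1 otherwise.
triage_ssl_log() {
    log="$1"
    cipher=$(sed -n 's/.*Cipher: \([A-Za-z0-9_]*\) (0x[0-9A-Fa-f]*).*/\1/p' "$log" | head -n 1)
    codes=$(sed -n 's/.*Mapping SSL error -*[0-9]* to [0-9]* \[\([A-Za-z0-9]*\)\].*/\1/p' "$log" \
            | tr '\n' ',' | sed 's/,$//')
    hex=$(sed -n "s/.*SSL_Xmt> [0-9A-Fa-f]*: \([0-9A-Fa-f ]*\)'.*/\1/p" "$log" | head -n 1)
    if [ -n "$hex" ]; then alert=$(decode_alert_record "$hex" || true); else alert="none"; fi
    if grep -qE 'X509CertChainInvalidErr|Cannot establish trust in a certificate' "$log"; then
        verdict="chain-trust-failure"; rc=0   # fix is to trust the issuing CA, not the cipher/protocol
    else
        verdict="other"; rc=1
    fi
    echo "cipher=$cipher alert=\"$alert\" codes=$codes verdict=$verdict"
    return $rc
}

# Stand-alone demo on a constructed excerpt of the trace quoted in the question;
# pass a trace file as $1 to run it on a real console log instead.
if [ $# -eq 0 ]; then
    sample=$(mktemp)
    cat > "$sample" <<'EOF'
[1034:0007-1164] 12/08/2015 05:44:57.75 PM SSLProcessHandshakeMessage Enter> Message: Certificate (11) State: HandshakeCertificate (8) Key Exchange: 15 Cipher: ECDHE_RSA_WITH_AES_256_CBC_SHA (0xC014)
[1034:0007-1164] Cert Chain Evaluation Status: err: 3659, Cannot establish trust in a certificate or CRL.
[1034:0007-1164] 12/08/2015 05:44:57.80 PM int_MapSSLError> Mapping SSL error -5000 to 4176 [SSLHandshakeNoDone]
[1034:0007-1164] 12/08/2015 05:44:57.80 PM SSL_Xmt> 00000000: 15 03 01 00 02 02 00                              '.......'
[1034:0007-1164] 12/08/2015 05:44:57.81 PM int_MapSSLError> Mapping SSL error -6986 to 4163 [X509CertChainInvalidErr]
EOF
    triage_ssl_log "$sample" || true
    rm -f "$sample"
else
    triage_ssl_log "$1"
fi
```

The verdict line is what you want before touching any setting: a chain-trust failure at the `Certificate` handshake state means the server's certificate was parsed fine and the cipher was already agreed, so disabling protocol versions or changing ciphers cannot help; the issuing CA has to be trusted on the Domino side, which is what both answers below do.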

2 Answers


Before consuming the WS you need to cross-certify (in Domino) the api.qa.silverlining.synovia.com certificate.

The official doc is not so clear, so find below how to cross-certify with the web server whose SSL certificate you want to cross-certify:

  1. Copy the server ID to your Notes client.
  2. In your client, switch to the ID of the server.
  3. Go to User Security / People, Services / Find more about people/services.
  4. Click the "Retrieve Internet service certificate" button.
  5. Check that the protocol is OK (sometimes specify "Other" and fill in the port manually) and do not put "https" in the service name.
  6. Go to the LOCAL names of your client.
  7. Copy the cross-certificate (it's a document) from your local names.nsf to your server's names.nsf.
  8. I don't remember if it is necessary:

    tell http refresh

Emmanuel Gleizer
  • Thanks, I tried that but get an error when I click the Connect button in step 5: SSL Error: Network IO Error – Howard Dec 09 '15 at 15:16
  • I understand you can open the WS in Internet Explorer on the same computer where you have the Notes client. In that case you need to apply the client fix. Which version are you using for the client? – Emmanuel Gleizer Dec 09 '15 at 21:18
  • I tried another Notes client and your method above worked. Thanks!!! What client fix were you referring to? A Notes client fix? I was using Fix Pack 4 with Notes 9.0.1... – Howard Dec 09 '15 at 22:25
  • @Howard which version of Lotus Notes worked for you? – Dmytro Pastovenskyi Dec 10 '15 at 09:06
  • They were both Notes 9.0.1 Fix Pack 4. I think the one machine with the error did NOT have TLS 1.2 disabled and the one that worked had it disabled. Note there is a bug in Fix Pack 4 and 5 that prevents Java from working with TLS 1.2 (as best as I understand) and a fix is in the works from IBM. – Howard Dec 10 '15 at 14:43

Create a cross-certificate from your Domino CERT.ID to the SSL/TLS CA of the server certificate. By doing so, every server in your domain trusts the SSL/TLS CA and any server that has a certificate derived from that CA. If you move the Notes database to another server you don't have to worry about creating a cross-certificate for that new server. You can also push this cross-certificate by policy to all Notes clients, so all users will trust this CA.

Step-by-Step Domino Configuration

  1. Check what public certificates you need.

    Use e.g. SSL Labs: enter the web service target server and go to the section "Certification Paths". In your case the public certificates are:

    • DigiCert SHA2 Secure Server CA
    • DigiCert Global Root CA
  2. Download the two public certificates from DigiCert.

  3. Import the certificates

    Importing an Internet certifier into the Domino Directory

  4. Cross-certify the certificates

    Server: Choose your admin server or the server where the Domino CA (not the SSL CA) is hosted.

    Certifier: Choose your certifier ID or your Domino CA.

    Creating an Internet cross-certificate in the Domino Directory from a certifier document

    Issue Cross Certificate

Java/LotusScript Side

The Java or LotusScript consumer has to be told to accept CA security (stub.setSSLOptions(PortTypeBase.NOTES_SSL_ACCEPT_SITE_CERTS);).

Examples based on Creating your first Web Service provider and consumer in LotusScript and Java.

Java

    import lotus.domino.websvc.client.PortTypeBase; // package assumed from the lotus.domino.websvc.client.Call frame in the stack trace above

    HwProvider stub = new HwProviderServiceLocator().getDomino(); // consumer classes generated from the WSDL
    // Trust the server certificate through the cross-certificate in the Domino Directory
    stub.setSSLOptions(PortTypeBase.NOTES_SSL_ACCEPT_SITE_CERTS);
    String answer = "" + stub.HELLO("world");
    System.out.println("The answer is : " + answer);

LotusScript

    Dim stub As New HwProvider() ' consumer class generated from the WSDL
    ' Trust the server certificate through the cross-certificate in the Domino Directory
    stub.setSSLOptions(NOTES_SSL_ACCEPT_SITE_CERTS)
    MessageBox stub.Hello("world")
notes-jj
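Step 1 of this answer (finding out which CA certificates the server chains to) can be done from a shell with the openssl CLI instead of SSL Labs, which also shows the chain the server really sends rather than the one a browser reconstructs. The script below is an added example, not code from the answer; it assumes `openssl` is installed and that the host/port given on the command line are reachable. It dumps the served chain, splits it into one PEM file per certificate (cert-1 is the leaf, cert-2 onwards are the intermediates) and prints subject, issuer and SHA-256 fingerprint for each, which is what you need for steps 2 to 4. Servers often omit the root: if the last issuer printed is not also a subject in the chain, download that root from the CA (DigiCert in the question) as the answer says.

```shell
#!/bin/sh
# Added example, not code from the answer: enumerate the certificate chain a
# TLS server sends so you know which CA certificates to import into the Domino
# Directory and cross-certify. Assumes the openssl CLI is installed.

# fetch_chain HOST [PORT]: print the PEM certificates the server sends.
fetch_chain() {
    host="$1"; port="${2:-443}"
    # -servername sends SNI; </dev/null closes stdin so s_client exits after the handshake.
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts </dev/null 2>/dev/null \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# split_pem_bundle FILE OUTDIR: write each PEM block to OUTDIR/cert-N.pem
# (N starting at 1, in the order the server sent them) and print the count.
split_pem_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inblock = 1 }
        inblock { print > out }
        /-----END CERTIFICATE-----/ { inblock = 0; close(out) }
        END { print n + 0 }
    ' "$1"
}

# describe_chain DIR: subject, issuer and SHA-256 fingerprint of every cert-N.pem.
# The issuer of cert-1 is the intermediate to import; the issuer of the last
# cert is the root, which must be trusted on the Domino side too.
describe_chain() {
    for f in "$1"/cert-*.pem; do
        echo "== $f"
        openssl x509 -in "$f" -noout -subject -issuer -fingerprint -sha256
    done
}

# audit_chain HOST [PORT]: the whole procedure end to end.
audit_chain() {
    dir=$(mktemp -d)
    fetch_chain "$1" "${2:-443}" > "$dir/chain.pem"
    n=$(split_pem_bundle "$dir/chain.pem" "$dir")
    echo "$1 sent $n certificate(s); cert-1 is the leaf, the rest are the CAs to trust on the Domino side"
    describe_chain "$dir"
}

# Usage: sh chain.sh api.qa.silverlining.synovia.com 443
if [ $# -ge 1 ]; then
    audit_chain "$1" "$2"
fi
```

Compare the fingerprints printed for the CA certificates with the ones on the certificates you download from the CA in step 2 before importing them; importing whatever a server happens to send is exactly the trust decision the cross-certificate is supposed to make deliberately.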