
Having some trouble with a Domino server as client to a Web Service. Hope someone can answer a pretty easy question, but the easy question doesn't have an answer that I can find.

There are lots of Root Certificates in the NAB, and there are also some common Root Certificates in every *.kyr file you create in certsrv.nsf for your server certificates.

I get an error from SSL_DEBUG that says:
[108C:005C-0D8C] 2015-12-15 19:07:19,34 SSLCheckCertChain> Invalid certificate chain received
[108C:005C-0D8C] Cert Chain Evaluation Status: err: 3659, Cannot establish trust in a certificate or CRL.

It is pretty obvious what the problem is: I need to include a missing Certificate. But I'd like to know whether Domino is using the *.kyr file or the Certificates in the NAB when establishing the connection to the remote server.

Anyone know how Domino acts here?

/Stefan


2 Answers


You have to find out the TLS certificate chain and add all public TLS certificates as trusted Internet certificates to your Domino Directory.

Find out Certificate Chain

  1. Use one of these tools:

    • For internal and external servers: SSLyze

      sslyze.exe <servername>:443 --certinfo=basic

      Take a look at "Certificate Chain Received":

    • For external servers: SSL Labs

      Go to the section "Certification Paths"

  2. Download the public certificates from the CA's web page or get them from the person responsible for your internal CA.

Step-by-Step Domino Configuration

  1. Import Certificates

    Importing an Internet certifier into the Domino Directory

  2. Cross Certificate Certificates

    Server: Choose your Admin Server or server where the Domino CA (not SSL CA) is hosted.

    Certifier: Choose your certifier ID or your Domino CA

    Creating an Internet cross-certificate in the Domino Directory from a certifier document

    Issue Cross Certificate

Java/LotusScript Side

The Java or LotusScript consumer has to be told to accept CA security (stub.setSSLOptions(PortTypeBase.NOTES_SSL_ACCEPT_SITE_CERTS);).

The examples are based on "Creating your first Web Service provider and consumer in LotusScript and Java".

Java

HwProvider stub = new HwProviderServiceLocator().getDomino();
stub.setSSLOptions(PortTypeBase.NOTES_SSL_ACCEPT_SITE_CERTS); 
String answer = "" + stub.HELLO("world"); 
System.out.println("The answer is : " + answer);

LotusScript

Dim stub As New HwProvider()
stub.setSSLOptions(NOTES_SSL_ACCEPT_SITE_CERTS)
MessageBox stub.Hello("world")

Further Information

The question "Create cross certificate for Domino Java agent?" is similar but not a duplicate; it shows further aspects.
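Added example, not part of the answer above or of any IBM/HCL tooling: it rebuilds the situation from the question offline with a constructed three-tier chain (root, intermediate, server certificate for the invented host ws.example.test), shows how to read the issuer of the top certificate in a chain the server sent (the CA certificate you still have to obtain), and shows that chain verification fails until that root is in the trust store. It assumes only the openssl command-line tool.

```sh
#!/bin/sh
# Added example (not from the original post): constructed chain
# root -> intermediate -> leaf; verification mirrors Domino's "Cannot
# establish trust" error until the issuing root is trusted. Needs openssl.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext

# Self-signed root CA (the certificate that was missing in the question).
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
  -subj "/CN=Example Root CA" 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -out root.pem -days 365 \
  -extfile ca.ext 2>/dev/null

# Intermediate CA signed by the root.
openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
  -subj "/CN=Example Intermediate CA" 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -out inter.pem -days 365 -extfile ca.ext 2>/dev/null

# Server (leaf) certificate for the constructed web service host.
openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=ws.example.test" 2>/dev/null
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:ws.example.test\n' > leaf.ext
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -out leaf.pem -days 365 -extfile leaf.ext 2>/dev/null

# Servers usually send only leaf + intermediate (what "Certificate Chain
# Received" shows); the top certificate's issuer names the root still needed.
cat leaf.pem inter.pem > received_chain.pem

# top_issuer FILE: issuer DN of the last certificate in a received chain,
# i.e. the CA certificate to download and import (Domino Directory / .kyr).
top_issuer() {
  awk '/BEGIN CERT/{b=""} {b=b $0 "\n"} /END CERT/{last=b} END{printf "%s", last}' "$1" |
    openssl x509 -noout -issuer -nameopt RFC2253
}

# verify_chain TRUSTFILE: 0 if leaf.pem chains to a self-signed root in
# TRUSTFILE via the untrusted intermediate, non-zero otherwise.
verify_chain() {
  openssl verify -CAfile "$1" -untrusted inter.pem leaf.pem >/dev/null 2>&1
}

top_issuer received_chain.pem
verify_chain inter.pem || echo "intermediate alone: not trusted (root missing)"
verify_chain root.pem && echo "with root in trust store: chain OK"
```

Against a live server, the same chain can be captured with openssl s_client -showcerts and fed to top_issuer in place of the constructed received_chain.pem.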


Thanks for your input, but that did not solve the problem.

I got it solved through: downloading KYRtool, installing it in the /Domino folder, including the Root certificate (SHA2) from the Web Service domain in the existing .kyr file, and restarting the http task.

So the conclusion is that it is the .kyr file that is handling all stuff in outgoing connections.
