
I have a Java agent from which I want to send my data over HTTPS. HTTP works, but HTTPS does not. I get this error:

javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.j: No trusted certificate found
    at com.ibm.jsse2.o.a(o.java:9)
    at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:340)
    at com.ibm.jsse2.kb.a(kb.java:279)
    at com.ibm.jsse2.kb.a(kb.java:221)
    at com.ibm.jsse2.lb.a(lb.java:97)
    at com.ibm.jsse2.lb.a(lb.java:102)
    at com.ibm.jsse2.kb.t(kb.java:227)
    at com.ibm.jsse2.kb.a(kb.java:425)
    at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:785)
    at com.ibm.jsse2.SSLSocketImpl.h(SSLSocketImpl.java:675)
    at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:669)
    at com.ibm.jsse2.SSLSocketImpl.startHandshake(SSLSocketImpl.java:95)
    at com.ibm.net.ssl.www2.protocol.https.c.afterConnect(c.java:162)
    at com.ibm.net.ssl.www2.protocol.https.d.connect(d.java:36)
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1044)
    at com.ibm.net.ssl.www2.protocol.https.b.getOutputStream(b.java:53)
    at JavaAgent.postOrder(Unknown Source)
    at JavaAgent.NotesMain(Unknown Source)
    at lotus.domino.AgentBase.runNotes(Unknown Source)
    at lotus.domino.NotesThread.run(Unknown Source)
Caused by: com.ibm.jsse2.util.j: No trusted certificate found
    at com.ibm.jsse2.util.i.a(i.java:76)
    at com.ibm.jsse2.util.i.b(i.java:136)
    at com.ibm.jsse2.util.g.a(g.java:12)
    at com.ibm.jsse2.pc.a(pc.java:56)
    at com.ibm.jsse2.pc.checkServerTrusted(pc.java:95)
    at com.ibm.jsse2.pc.b(pc.java:84)
    at com.ibm.jsse2.lb.a(lb.java:639)

The code for posting is this:

    HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
    conn.setRequestMethod("POST");
    conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
    conn.setRequestProperty("Content-Length", String.valueOf(postDataBytes.length));
    conn.setDoOutput(true);
    // The TLS handshake (where the exception above is thrown) happens when the output stream is opened
    conn.getOutputStream().write(postDataBytes);

I took the certificates from the website (where I am sending my POST to) and installed these certificates on the server > ikeyman.exe (*according to http://www-01.ibm.com/support/docview.wss?uid=swg21588966). Afterwards I rebooted the whole server, but I still get the handshake error. How can this be? The agent is on this server also (let's call this server B), but server B is a replica of server A. I am manually running the agent on server B. Installed is IBM Domino Designer 9.0 Social Edition

Release 9.0.1FP4

SOLUTION:

Installed certificates on ikeyman. Agent needs to be run scheduled and not manually.

Nuri Ensing
  • One option - though it's very unsafe if you're connecting to public web sites - is to write code that explicitly accepts all certificates. I think I've done this with a Domino java agent at some point. An example can be found in the accepted answer to https://stackoverflow.com/questions/2642777/trusting-all-certificates-using-httpclient-over-https – Scott Leis Aug 06 '18 at 01:30
  • You don't show the URL, but does it match exactly what the certificate says? – Duston Aug 06 '18 at 14:06
  • @Duston The certificate is a wildcard certificate which says like: *.example.com and I post to https://test.example.com, could maybe this be the problem? – Nuri Ensing Aug 06 '18 at 15:08

3 Answers


Oh drat. I had exactly the same as you, and many tests later it still didn't work. I managed at last to fix it, but... I cannot remember how.

My code:

    HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
    // Explicit TLS 1.2 context; null key and trust managers mean the JVM's default
    // key store and trust store (cacerts) are used for the handshake
    SSLContext sc = SSLContext.getInstance("TLSv1.2");
    sc.init(null, null, new java.security.SecureRandom());
    conn.setSSLSocketFactory(sc.getSocketFactory());

    conn.setRequestMethod("POST");
    conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
    conn.setRequestProperty("Content-Length", String.valueOf(postDataBytes.length));
    conn.setDoOutput(true);
    if (postDataBytes.length > 0) {
        conn.getOutputStream().write(postDataBytes);
    }
D.Bugger
  • I don't think it lies in the code but in the server certificate configuration – Nuri Ensing Aug 04 '18 at 12:52
  • I also used ikeyman, in many different ways. I'm afraid I no longer have access to the machine we installed the certificate on. By the way, did you try with a known service, using a certificate from one of the standard providers? – D.Bugger Aug 04 '18 at 14:47
  • The certificate is in a .cer file? Did you include all certificates, from parent CAs as well? I think we needed to install some Java update as well. Please read https://stackoverflow.com/questions/34110426/does-java-support-lets-encrypt-certificates And which CA emitted your certificate? – D.Bugger Aug 04 '18 at 15:03
  • I also put in the parent certificates. It's from Comodo. – Nuri Ensing Aug 04 '18 at 15:20
  • Please update to R9.0.1FP9 and it works. A Java update is required, it's in FP9. – D.Bugger Aug 05 '18 at 11:34
  • Wasn't the SSL part fixed in FP3? – Nuri Ensing Aug 05 '18 at 19:36
  • Dunno... Our problem was solved after installing FP9, some JVM update was essential. – D.Bugger Aug 05 '18 at 20:22
  • Did you try to open a connection to an existing HTTPS server, e.g. google.com, just to prove that your code is ok? – D.Bugger Aug 06 '18 at 16:38
  • I can try doing that, but then I need to add the cert of Google in cacerts, right? – Nuri Ensing Aug 06 '18 at 16:40
  • Maybe, but I think it's not necessary. Google's certificate is from a known trusted CA, so it should simply be accepted by the Domino server. – D.Bugger Aug 06 '18 at 19:27
  • If I send a post to google it gives me: java.io.IOException: Server returned HTTP response code: 405 for URL: https://www.google.nl – Nuri Ensing Aug 07 '18 at 08:26
  • Can you try to read a page first, from Google or from any other site? You should be able to read something with your code, using a URL, and display the response. For starters. – D.Bugger Aug 07 '18 at 13:06
  • Can you please elaborate a bit more with examples – Nuri Ensing Aug 07 '18 at 13:14
  • All you have to do is prove that your code is correct, and that you can fetch a page from a website using HTTPS. I suppose you have a method to read (GET) from a website? – D.Bugger Aug 07 '18 at 13:22
  • Yes, the getter worked. I have got the page of Google. – Nuri Ensing Aug 07 '18 at 14:10
  • There is something wrong with the certificates but I can't seem to figure out what. The code is all OK. – Nuri Ensing Aug 07 '18 at 19:09
  • If you want to test your POST: there are several http test servers on the web, like https://ptsv2.com/ or https://www.mock-server.com/, and there must be a lot more that you can use without loading an explicit certificate. – D.Bugger Aug 07 '18 at 20:24
  • I think it really has to do with the certs. What about the keyring? I will also install it into that :) – Nuri Ensing Aug 07 '18 at 20:25
  • Are you sure you don't need the setSSLSocketFactory() method? And what is manually running the agent? Do you start it using the server console (so it runs from the server), or from Notes (which makes it a client agent)? Or with RunOnServer? – D.Bugger Aug 07 '18 at 20:30
  • Then it uses the Notes environment, and not the server's. The best way to start an agent on the server is to use the Domino Admin client, using the Agent Manager task: tell amgr run "database" 'agent'. Please look this up in the Admin Help db. – D.Bugger Aug 08 '18 at 07:27
  • IT WORKED! I ran it from the server and it worked! THANKS :) – Nuri Ensing Aug 08 '18 at 12:21
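The thread above ends with the real cause: run from the Notes client, the agent used the client JVM and its trust store, not the Domino server's, so the CA imported with ikeyman was never consulted. The following is an added example, not code from the question or from D.Bugger's answer, that makes this explicit. It prints which JVM and trust store are in use, loads a named JKS trust store (assumed to hold the website's intermediate and root CA certificates, imported with keytool or ikeyman), lists the CAs it contains, and wires that store into the HttpsURLConnection through a TrustManagerFactory instead of relying on whichever cacerts the running JVM happens to have. The trust store path, password, endpoint URL and form body are hypothetical placeholders.

```java
import java.io.*;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.SecureRandom;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.net.ssl.*;

public class ExplicitTrustPost {

    // Which JVM is this agent actually running in, and which trust store does it consult by
    // default? A Notes client JVM and the Domino server JVM have different java.home directories,
    // so a CA imported into one cacerts file is invisible to the other.
    static void printTrustEnvironment() {
        System.out.println("java.home    = " + System.getProperty("java.home"));
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("javax.net.ssl.trustStore = " + System.getProperty(
                "javax.net.ssl.trustStore", "(unset: <java.home>/lib/security/cacerts)"));
    }

    // Load a JKS trust store expected to contain the website's intermediate and root CAs.
    static KeyStore loadTrustStore(String path, char[] password) throws Exception {
        KeyStore trustStore = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            trustStore.load(in, password);
        }
        return trustStore;
    }

    // Subject DNs of the CA certificates in the store, so the administrator can confirm that the
    // chain the website presents really ends in one of them.
    static List<String> trustedSubjects(KeyStore trustStore) throws KeyStoreException {
        List<String> subjects = new ArrayList<>();
        for (Enumeration<String> aliases = trustStore.aliases(); aliases.hasMoreElements();) {
            Certificate c = trustStore.getCertificate(aliases.nextElement());
            if (c instanceof X509Certificate) {
                subjects.add(((X509Certificate) c).getSubjectX500Principal().getName());
            }
        }
        return subjects;
    }

    // SSLContext whose trust decisions come only from the given store. Passing real TrustManagers
    // instead of null removes the dependency on the running JVM's cacerts; HttpsURLConnection keeps
    // hostname verification on, so a wildcard such as *.example.com is still matched against the URL host.
    static SSLContext contextFromTrustStore(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, tmf.getTrustManagers(), new SecureRandom());
        return ctx;
    }

    // POST a form body over HTTPS with the explicit context and return status plus response body.
    static String post(SSLContext ctx, URL url, byte[] postDataBytes) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setRequestMethod("POST");
        conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        // Content-Length is a restricted header for HttpURLConnection; declare the body size this way
        conn.setFixedLengthStreamingMode(postDataBytes.length);
        conn.setDoOutput(true);
        try (OutputStream out = conn.getOutputStream()) {   // the TLS handshake happens here
            out.write(postDataBytes);
        }
        int status = conn.getResponseCode();
        InputStream in = status < 400 ? conn.getInputStream() : conn.getErrorStream();
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        if (in != null) {
            try (InputStream body = in) {
                byte[] chunk = new byte[4096];
                for (int n; (n = body.read(chunk)) > 0;) buf.write(chunk, 0, n);
            }
        }
        return "HTTP " + status + "\n" + new String(buf.toByteArray(), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical trust store path, password and endpoint; the form body is constructed sample data
        String trustStorePath = args.length > 0 ? args[0] : "/path/to/agent-truststore.jks";
        char[] password = (args.length > 1 ? args[1] : "changeit").toCharArray();
        URL url = new URL(args.length > 2 ? args[2] : "https://test.example.com/order");
        byte[] body = "orderId=123&qty=1".getBytes(StandardCharsets.UTF_8);

        printTrustEnvironment();
        KeyStore trustStore = loadTrustStore(trustStorePath, password);
        System.out.println("CAs in trust store: " + trustedSubjects(trustStore));
        try {
            System.out.println(post(contextFromTrustStore(trustStore), url, body));
        } catch (SSLHandshakeException e) {
            // Same failure mode as in the question: no CA listed above signed the server's chain
            System.err.println("Handshake failed: " + e.getMessage());
        }
    }
}
```

Run it once from the Notes client and once via `tell amgr run` on the server and compare the `java.home` lines: if they differ, so do the default trust stores, which is exactly why a CA imported on the server did not help a client-run agent. Loading the trust store by path makes the agent behave the same in both places, and it does so without the "accept all certificates" shortcut mentioned in the question's comments, which would disable the check that produced this error in the first place.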

Please have a look at Create cross certificate for Domino Java agent?

Especially the last part of the answer: Java/LotusScript Side

The Java or LotusScript Consumer has to be told to accept CA security (stub.setSSLOptions(PortTypeBase.NOTES_SSL_ACCEPT_SITE_CERTS);)

Examples based on Creating your first Web Service provider and consumer in LotusScript and Java.

arvo part

You can try to add the (root and/or intermediate) certificates from the website to your java cert store. see https://abdata.ch/add-a-root-certificate-to-ibm-domino-jvm-keystore/ for details.

umeli