Create cross certificate for Domino Java agent?

I am trying to connect to an https enabled web service using a Domino java agent. It works fine using http but fails on https. I disabled TLS 1.2 (apparently Fix Pack 4 and 5 have a bug with TLS 1.2 and Java).

Now I get the following errors...

    [1034:0007-1164] 12/08/2015 05:44:57.75 PM SSLAdvanceHandshake Exit> State HandshakeCertificate (8)
    [1034:0007-1164] 12/08/2015 05:44:57.75 PM SSLProcessHandshakeMessage Enter> Message: Certificate (11) State: HandshakeCertificate (8) Key Exchange: 15 Cipher: ECDHE_RSA_WITH_AES_256_CBC_SHA (0xC014)
    [1034:0007-1164] 12/08/2015 05:44:57.80 PM SSLCheckCertChain> Invalid certificate chain received
    [1034:0007-1164] Cert Chain Evaluation Status: err: 3659, Cannot establish trust in a certificate or CRL.
    [1034:0007-1164] 12/08/2015 05:44:57.80 PM SSLSendAlert> Sending an alert of 0x0 (close_notify) level 0x2 (fatal)
    [1034:0007-1164] 12/08/2015 05:44:57.80 PM SSLProcessHandshakeMessage Exit> Message: Certificate (11) State: SSLErrorClose (2) Key Exchange: 15 Cipher: ECDHE_RSA_WITH_AES_256_CBC_SHA (0xC014)
    [1034:0007-1164] 12/08/2015 05:44:57.80 PM SSL_Handshake> Changing SSL status from -6986 to -5000 to flush write queue
    [1034:0007-1164] 12/08/2015 05:44:57.80 PM SSL_Handshake> After handshake state = SSLErrorClose (2); Status = -5000
    [1034:0007-1164] 12/08/2015 05:44:57.80 PM int_MapSSLError> Mapping SSL error -5000 to 4176 [SSLHandshakeNoDone]
    [1034:0007-1164] 12/08/2015 05:44:57.80 PM S_Write> Enter len = 7
    [1034:0007-1164] 12/08/2015 05:44:57.80 PM SSL_Xmt> 00000000: 15 03 01 00 02 02 00                              '.......'
    [1034:0007-1164] 12/08/2015 05:44:57.80 PM S_Write> Switching Endpoint to sync
    [1034:0007-1164] 12/08/2015 05:44:57.81 PM S_Write> Posting a nti_snd for 7 bytes
    [1034:0007-1164] 12/08/2015 05:44:57.81 PM SSL_EncryptData> SSL not init exit
    [1034:0007-1164] 12/08/2015 05:44:57.81 PM S_Write> Switching Endpoint to async
    [1034:0007-1164] 12/08/2015 05:44:57.81 PM SSL_EncryptDataCleanup> SSL not init exit
    [1034:0007-1164] 12/08/2015 05:44:57.81 PM S_Write> nti_done return 7 bytes rc = 0
    [1034:0007-1164] 12/08/2015 05:44:57.81 PM S_Write> Exit, wrote 7 bytes
    [1034:0007-1164] 12/08/2015 05:44:57.81 PM SSL_Handshake> After handshake2 state SSLErrorClose (2)
    [1034:0007-1164] 12/08/2015 05:44:57.81 PM int_MapSSLError> Mapping SSL error -6986 to 4163 [X509CertChainInvalidErr]
    [1034:0007-1164] 12/08/2015 05:44:57 PM  Agent Manager: Agent  error: WebServiceEngineFault
      faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.generalException
      faultSubcode: 
      faultString: Error connecting to &apos;api.qa.silverlining.synovia.com&apos; on port &apos;443&apos;, SSL invalid certificate, may need to cross-certify.
      faultActor: 
      faultNode: 
      faultDetail: 
    [1034:0007-1164] 12/08/2015 05:44:57 PM  Agent Manager: Agent  error: Error connecting to 'api.qa.silverlining.synovia.com' on port '443', SSL invalid certificate, may need to cross-certify.
    [1034:0007-1164] 12/08/2015 05:44:57 PM  Agent Manager: Agent  error:   at lotus.domino.axis.InternalFault.makeFault(Unknown Source)
    [1034:0007-1164] 12/08/2015 05:44:57 PM  Agent Manager: Agent  error:   at lotus.domino.axis.transport.http.HTTPSender.invoke(Unknown Source)
    [1034:0007-1164] 12/08/2015 05:44:57 PM  Agent Manager: Agent  error:   at lotus.domino.axis.strategies.InvocationStrategy.visit(Unknown Source)
    [1034:0007-1164] 12/08/2015 05:44:57 PM  Agent Manager: Agent  error:   at lotus.domino.axis.SimpleChain.doVisiting(Unknown Source)
    [1034:0007-1164] 12/08/2015 05:44:57 PM  Agent Manager: Agent  error:   at lotus.domino.axis.SimpleChain.invoke(Unknown Source)
    [1034:0007-1164] 12/08/2015 05:44:57 PM  Agent Manager: Agent  error:   at lotus.domino.axis.client.AxisClient.invoke(Unknown Source)
    [1034:0007-1164] 12/08/2015 05:44:57 PM  Agent Manager: Agent  error:   at lotus.domino.axis.client.Call.invokeEngine(Unknown Source)
    [1034:0007-1164] 12/08/2015 05:44:57 PM  Agent Manager: Agent  error:   at lotus.domino.axis.client.Call.invoke(Unknown Source)
    [1034:0007-1164] 12/08/2015 05:44:57 PM  Agent Manager: Agent  error:   at lotus.domino.axis.client.Call.invoke(Unknown Source)
    [1034:0007-1164] 12/08/2015 05:44:57 PM  Agent Manager: Agent  error:   at lotus.domino.axis.client.Call.invoke(Unknown Source)
    [1034:0007-1164] 12/08/2015 05:44:57 PM  Agent Manager: Agent  error:   at lotus.domino.axis.client.Call.invoke(Unknown Source)
    [1034:0007-1164] 12/08/2015 05:44:57 PM  Agent Manager: Agent  error:   at lotus.domino.websvc.client.Call.invoke(Unknown Source)
    [1034:0007-1164] 12/08/2015 05:44:57 PM  Agent Manager: Agent  error:   at org.tempuri.BasicHttpBinding_ISynoviaApi1Stub.s0001(BasicHttpBinding_ISynoviaApi1Stub.java:11)
    [1034:0007-1164] 12/08/2015 05:44:57 PM  Agent Manager: Agent  error:   at JavaAgent.NotesMain(Unknown Source)
    [1034:0007-1164] 12/08/2015 05:44:57 PM  Agent Manager: Agent  error:   at lotus.domino.AgentBase.runNotes(Unknown Source)
    [1034:0007-1164] 12/08/2015 05:44:57 PM  Agent Manager: Agent  error:   at lotus.domino.NotesThread.run(Unknown Source)
    [1034:0007-1164] 12/08/2015 05:44:57 PM  Agent Manager: Agent  error: Caused by: 
    [1034:0007-1164] 12/08/2015 05:44:58 PM  Agent Manager: Agent  error: Error connecting to 'api.qa.silverlining.synovia.com' on port '443', SSL invalid certificate, may need to cross-certify.
    [1034:0007-1164] 12/08/2015 05:44:58 PM  Agent Manager: Agent  error:   at lotus.domino.axis.transport.http.NotesSocket.openConnection(Native Method)
    [1034:0007-1164] 12/08/2015 05:44:58 PM  Agent Manager: Agent  error:   at lotus.domino.axis.transport.http.NotesSocket.<init>(Unknown Source)
    [1034:0007-1164] 12/08/2015 05:44:58 PM  Agent Manager: Agent  error:   at lotus.domino.axis.transport.http.HTTPSender.getSocket(Unknown Source)
    [1034:0007-1164] 12/08/2015 05:44:58 PM  Agent Manager: Agent  error:   ... 15 more
    [1034:0005-11A0] 12/08/2015 05:44:58 PM  AMgr: Agent 's0001' in 'testweb.nsf' completed execution

The service I am connecting to is a DigiCert SSL certificate. I tried using Explorer and exporting a .cer file and importing that to the Domino directory with no luck. I also tried importing it into cacerts but that did not do anything either.

Any suggestions? Howard

Before consuming the WS you need to cross certificate (in Domino) the api.qa.silverlining.synovia.com certificate.

The Official doc, is not so clear so find below how to cross certify with the web server that have the ssl your want to cross certify to:

copy the server id in your notes client.
in your client, switch to id of the server
go to User Security / People, Services / Find more about people/services:
click the "Retrieve Internet service certificate" button
check that the protocol is ok (sometime specify "Other" and fill port manually) and do not put "https" for service name.

go to the LOCAL names of your client
copy the cross certification (it's a document) from your local names.nsf to your server names.nsf:
I don't remember if it is necessary:

tell http refresh

Create a cross certificate from your Domino CERT.ID to the SSL/TLS CA of the server certificate. By doing so, every server in you domain is trusting the SSL/TLS CA and any server that has as derived certificate from that CA. If you move the Notes Database to another server you don't have to worry about creating a cross certificate for that new server. You can also push this cross certificate by policy to all Notes Clients, so al users will trust this CA.

Step-by-Step Domino Configuration

Check what public certificates you need.

Use e.g. SSL Labs enter the web service target server and go to the section "Certification Paths". In your case the Public Certificates are:
- DigiCert SHA2 Secure Server CA
- DigiCert Global Root CA
Download the two public certificates from DigiCert
Import Certificates

Importing an Internet certifier into the Domino Directory
Cross Certificate Certificates

Server: Choose your Admin Server or server where the Domino CA (not SSL CA) is hosted.

Certifier: Choose your certifier ID or your Domino CA

Creating an Internet cross-certificate in the Domino Directory from a certifier document

Java/LotusScript Side

The Java or LotusScript Consumer has to be told to accept CA security (stub.setSSLOptions(PortTypeBase.NOTES_SSL_ACCEPT_SITE_CERTS);)

Examples based on Creating your first Web Service provider and consumer in LotusScript and Java.

Java

HwProvider stub = new HwProviderServiceLocator().getDomino();
stub.setSSLOptions(PortTypeBase.NOTES_SSL_ACCEPT_SITE_CERTS); 
String answer = "" + stub.HELLO("world"); 
System.out.println("The answer is : " + answer);

LotusScript

Dim stub As New HwProvider()
stub.setSSLOptions(NOTES_SSL_ACCEPT_SITE_CERTS)
MessageBox stub.Hello("world")

来源：https://stackoverflow.com/questions/34167733/create-cross-certificate-for-domino-java-agent

标签

java

lotus-domino