Create cross certificate for Domino Java agent?

Question

I am trying to connect to an https enabled web service using a Domino java agent. It works fine using http but fails on https. I disabled TLS 1.2 (apparently Fix Pack 4 and 5 ha

Answer 1

Create a cross certificate from your Domino CERT.ID to the SSL/TLS CA of the server certificate. By doing so, every server in you domain is trusting the SSL/TLS CA and any server that has as derived certificate from that CA. If you move the Notes Database to another server you don't have to worry about creating a cross certificate for that new server. You can also push this cross certificate by policy to all Notes Clients, so al users will trust this CA.

Step-by-Step Domino Configuration

1. Check what public certificates you need.

   Use e.g. SSL Labs enter the web service target server and go to the section "Certification Paths". In your case the Public Certificates are:

   • DigiCert SHA2 Secure Server CA
   • DigiCert Global Root CA

2. Download the two public certificates from DigiCert

3. Import Certificates

   Importing an Internet certifier into the Domino Directory

4. Cross Certificate Certificates

   Server: Choose your Admin Server or server where the Domino CA (not SSL CA) is hosted.

   Certifier: Choose your certifier ID or your Domino CA

   Creating an Internet cross-certificate in the Domino Directory from a certifier document

Java/LotusScript Side

The Java or LotusScript Consumer has to be told to accept CA security (stub.setSSLOptions(PortTypeBase.NOTES_SSL_ACCEPT_SITE_CERTS);)

Examples based on Creating your first Web Service provider and consumer in LotusScript and Java.

Java

HwProvider stub = new HwProviderServiceLocator().getDomino();
stub.setSSLOptions(PortTypeBase.NOTES_SSL_ACCEPT_SITE_CERTS); 
String answer = "" + stub.HELLO("world"); 
System.out.println("The answer is : " + answer);

LotusScript

Dim stub As New HwProvider()
stub.setSSLOptions(NOTES_SSL_ACCEPT_SITE_CERTS)
MessageBox stub.Hello("world")