为Domino Java代理创建交叉证书?

时间:2015-12-08 23:00:34

标签: java lotus-domino

我正在尝试使用Domino java代理连接到启用https的Web服务。它使用http工作正常但在https上失败。我禁用了TLS 1.2(显然Fix Pack 4和5有TLS 1.2和Java的错误)。

现在我收到以下错误...... 

    [1034:0007-1164] 12/08/2015 05:44:57.75 PM SSLAdvanceHandshake Exit> State HandshakeCertificate (8)
    [1034:0007-1164] 12/08/2015 05:44:57.75 PM SSLProcessHandshakeMessage Enter> Message: Certificate (11) State: HandshakeCertificate (8) Key Exchange: 15 Cipher: ECDHE_RSA_WITH_AES_256_CBC_SHA (0xC014)
    [1034:0007-1164] 12/08/2015 05:44:57.80 PM SSLCheckCertChain> Invalid certificate chain received
    [1034:0007-1164] Cert Chain Evaluation Status: err: 3659, Cannot establish trust in a certificate or CRL.
    [1034:0007-1164] 12/08/2015 05:44:57.80 PM SSLSendAlert> Sending an alert of 0x0 (close_notify) level 0x2 (fatal)
    [1034:0007-1164] 12/08/2015 05:44:57.80 PM SSLProcessHandshakeMessage Exit> Message: Certificate (11) State: SSLErrorClose (2) Key Exchange: 15 Cipher: ECDHE_RSA_WITH_AES_256_CBC_SHA (0xC014)
    [1034:0007-1164] 12/08/2015 05:44:57.80 PM SSL_Handshake> Changing SSL status from -6986 to -5000 to flush write queue
    [1034:0007-1164] 12/08/2015 05:44:57.80 PM SSL_Handshake> After handshake state = SSLErrorClose (2); Status = -5000
    [1034:0007-1164] 12/08/2015 05:44:57.80 PM int_MapSSLError> Mapping SSL error -5000 to 4176 [SSLHandshakeNoDone]
    [1034:0007-1164] 12/08/2015 05:44:57.80 PM S_Write> Enter len = 7
    [1034:0007-1164] 12/08/2015 05:44:57.80 PM SSL_Xmt> 00000000: 15 03 01 00 02 02 00                              '.......'
    [1034:0007-1164] 12/08/2015 05:44:57.80 PM S_Write> Switching Endpoint to sync
    [1034:0007-1164] 12/08/2015 05:44:57.81 PM S_Write> Posting a nti_snd for 7 bytes
    [1034:0007-1164] 12/08/2015 05:44:57.81 PM SSL_EncryptData> SSL not init exit
    [1034:0007-1164] 12/08/2015 05:44:57.81 PM S_Write> Switching Endpoint to async
    [1034:0007-1164] 12/08/2015 05:44:57.81 PM SSL_EncryptDataCleanup> SSL not init exit
    [1034:0007-1164] 12/08/2015 05:44:57.81 PM S_Write> nti_done return 7 bytes rc = 0
    [1034:0007-1164] 12/08/2015 05:44:57.81 PM S_Write> Exit, wrote 7 bytes
    [1034:0007-1164] 12/08/2015 05:44:57.81 PM SSL_Handshake> After handshake2 state SSLErrorClose (2)
    [1034:0007-1164] 12/08/2015 05:44:57.81 PM int_MapSSLError> Mapping SSL error -6986 to 4163 [X509CertChainInvalidErr]
    [1034:0007-1164] 12/08/2015 05:44:57 PM  Agent Manager: Agent  error: WebServiceEngineFault
      faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.generalException
      faultSubcode: 
      faultString: Error connecting to 'api.qa.silverlining.synovia.com' on port '443', SSL invalid certificate, may need to cross-certify.
      faultActor: 
      faultNode: 
      faultDetail: 
    [1034:0007-1164] 12/08/2015 05:44:57 PM  Agent Manager: Agent  error: Error connecting to 'api.qa.silverlining.synovia.com' on port '443', SSL invalid certificate, may need to cross-certify.
    [1034:0007-1164] 12/08/2015 05:44:57 PM  Agent Manager: Agent  error:   at lotus.domino.axis.InternalFault.makeFault(Unknown Source)
    [1034:0007-1164] 12/08/2015 05:44:57 PM  Agent Manager: Agent  error:   at lotus.domino.axis.transport.http.HTTPSender.invoke(Unknown Source)
    [1034:0007-1164] 12/08/2015 05:44:57 PM  Agent Manager: Agent  error:   at lotus.domino.axis.strategies.InvocationStrategy.visit(Unknown Source)
    [1034:0007-1164] 12/08/2015 05:44:57 PM  Agent Manager: Agent  error:   at lotus.domino.axis.SimpleChain.doVisiting(Unknown Source)
    [1034:0007-1164] 12/08/2015 05:44:57 PM  Agent Manager: Agent  error:   at lotus.domino.axis.SimpleChain.invoke(Unknown Source)
    [1034:0007-1164] 12/08/2015 05:44:57 PM  Agent Manager: Agent  error:   at lotus.domino.axis.client.AxisClient.invoke(Unknown Source)
    [1034:0007-1164] 12/08/2015 05:44:57 PM  Agent Manager: Agent  error:   at lotus.domino.axis.client.Call.invokeEngine(Unknown Source)
    [1034:0007-1164] 12/08/2015 05:44:57 PM  Agent Manager: Agent  error:   at lotus.domino.axis.client.Call.invoke(Unknown Source)
    [1034:0007-1164] 12/08/2015 05:44:57 PM  Agent Manager: Agent  error:   at lotus.domino.axis.client.Call.invoke(Unknown Source)
    [1034:0007-1164] 12/08/2015 05:44:57 PM  Agent Manager: Agent  error:   at lotus.domino.axis.client.Call.invoke(Unknown Source)
    [1034:0007-1164] 12/08/2015 05:44:57 PM  Agent Manager: Agent  error:   at lotus.domino.axis.client.Call.invoke(Unknown Source)
    [1034:0007-1164] 12/08/2015 05:44:57 PM  Agent Manager: Agent  error:   at lotus.domino.websvc.client.Call.invoke(Unknown Source)
    [1034:0007-1164] 12/08/2015 05:44:57 PM  Agent Manager: Agent  error:   at org.tempuri.BasicHttpBinding_ISynoviaApi1Stub.s0001(BasicHttpBinding_ISynoviaApi1Stub.java:11)
    [1034:0007-1164] 12/08/2015 05:44:57 PM  Agent Manager: Agent  error:   at JavaAgent.NotesMain(Unknown Source)
    [1034:0007-1164] 12/08/2015 05:44:57 PM  Agent Manager: Agent  error:   at lotus.domino.AgentBase.runNotes(Unknown Source)
    [1034:0007-1164] 12/08/2015 05:44:57 PM  Agent Manager: Agent  error:   at lotus.domino.NotesThread.run(Unknown Source)
    [1034:0007-1164] 12/08/2015 05:44:57 PM  Agent Manager: Agent  error: Caused by: 
    [1034:0007-1164] 12/08/2015 05:44:58 PM  Agent Manager: Agent  error: Error connecting to 'api.qa.silverlining.synovia.com' on port '443', SSL invalid certificate, may need to cross-certify.
    [1034:0007-1164] 12/08/2015 05:44:58 PM  Agent Manager: Agent  error:   at lotus.domino.axis.transport.http.NotesSocket.openConnection(Native Method)
    [1034:0007-1164] 12/08/2015 05:44:58 PM  Agent Manager: Agent  error:   at lotus.domino.axis.transport.http.NotesSocket.<init>(Unknown Source)
    [1034:0007-1164] 12/08/2015 05:44:58 PM  Agent Manager: Agent  error:   at lotus.domino.axis.transport.http.HTTPSender.getSocket(Unknown Source)
    [1034:0007-1164] 12/08/2015 05:44:58 PM  Agent Manager: Agent  error:   ... 15 more
    [1034:0005-11A0] 12/08/2015 05:44:58 PM  AMgr: Agent 's0001' in 'testweb.nsf' completed execution

我连接的服务是DigiCert SSL证书。我尝试使用资源管理器并导出.cer文件并将其导入Domino目录,但没有运气。我也尝试将它导入cacerts,但这也没有做任何事情。

有什么建议吗?霍华德

2 个答案:

答案 0 :(得分:4)

在使用WS之前,您需要跨越证书(在Domino中)api.qa.silverlining.synovia.com证书。

Official doc,不太清楚,请在下面找到如何与具有您想要交叉认证的ssl的网络服务器进行交叉认证:

  1. 复制Notes客户端中的服务器ID。
  2. 在您的客户端中,切换到服务器的ID
  3. 转到用户安全/人员,服务/了解有关人员/服务的更多信息:enter image description here
  4. 点击&#34;检索互联网服务证书&#34;按钮
  5. 检查协议是否正常(有时指定&#34;其他&#34;并手动填充端口)并且不要放置&#34; https&#34;服务名称。

    6. enter image description here

    1. 转到您客户的 LOCAL 名称
    2. 将交叉认证(它是一份文件)从您的本地names.nsf复制到您的服务器名称.nsf: enter image description here

    3. 我不记得是否有必要:

      告诉http刷新

答案 1 :(得分:0)

从Domino CERT.ID创建交叉证书到服务器证书的SSL / TLS CA.通过这样做,您域中的每个服务器都信任SSL / TLS CA以及具有该CA的派生证书的任何服务器。如果将Notes数据库移动到另一台服务器,则无需担心为该新服务器创建交叉证书。您还可以按策略将此交叉证书推送到所有Notes客户端,以便其他用户信任此CA.

逐步Domino配置

  1. 检查您需要哪些公共证书。

    使用例如SSL Labs进入Web服务目标服务器并转到“证书路径”部分。在您的情况下,公共证书是:

    • DigiCert SHA2安全服务器CA
    • DigiCert Global Root CA

  2. DigiCert

    3. 下载两张公共证书

  3. 导入证书

    Importing an Internet certifier into the Domino Directory

  4. 交叉证书证书

    服务器:选择托管Domino CA(非SSL CA)的管理服务器或服务器。

    验证者:选择验证者标识或Domino CA

    Creating an Internet cross-certificate in the Domino Directory from a certifier document

    Issue Cross Certificate

    5. Java / LotusScript Side

    必须告诉Java或LotusScript Consumer接受CA安全性(stub.setSSLOptions(PortTypeBase.NOTES_SSL_ACCEPT_SITE_CERTS);)

    基于Creating your first Web Service provider and consumer in LotusScript and Java.

    的示例

    爪哇

    HwProvider stub = new HwProviderServiceLocator().getDomino();
stub.setSSLOptions(PortTypeBase.NOTES_SSL_ACCEPT_SITE_CERTS); 
String answer = "" + stub.HELLO("world"); 
System.out.println("The answer is : " + answer);

    的LotusScript 

    Dim stub As New HwProvider()
stub.setSSLOptions(NOTES_SSL_ACCEPT_SITE_CERTS)
MessageBox stub.Hello("world")
相关问题
最新问题