Domino version: 8.5.1
Client Version: 8.5.1
Client OS: Windows XP
Server OS: different versions tested
Issue reproducibility: ALWAYS
-------------------------------------------------------------------------------
Problem description
I'm developing a new web application that had to use a Web Service published by a third-party company, let's call it ACME.
This Web Service is served over SSL and is redirected to port 8080 on ACME's servers.
Please note that the SSL certificate was issued by ACME itself because they are in testing mode, so it comes from a NOT TRUSTED AUTHORITY.
So the URL to reach the WSDL document is something like this:
https://acme.com:8080/app/servicename.wsdl
First step
First of all I tried to reach the WSDL with a browser to be sure that it was reachable: it worked smoothly with IE 6, IE 7 and Firefox 3.0.17; they informed me that a certificate from a non-secure Certificate Authority had to be accepted. When I answered YES the WSDL popped up on my screen immediately.
Second step
In a newly created database (on Domino 8.5.1 with a client 8.5.1) I created a new Web Service Consumer, providing the URL where the WSDL was.
The system responded to me like this:
Third step
I thought that we had a problem getting the certificate, so we turned off firewalls, antiviruses... everything, and tried again with these results:
I accepted the defaults (but I had the same results with different combinations of certifier and server) and I obtained:
Fourth step
I checked with my counterparts at ACME that my IP was able to reach their servers and that the ports were open, and I had an affirmative answer. Then with a LAN sniffer we checked that our client was reaching their servers on port 8080, and this was affirmative too.
Fifth step
I thought that the CA certificate issued by ACME had to be put in the keyring.kyr file on our server. So I appended the certificate, but to no avail. We had exactly the same results.
Sixth step
To be sure that nothing in our environment was causing problems, I installed from scratch a Domino server 8.5.1, completely isolated from the Domino domain.
I created a selfcert.kyr file, configured the server to accept SSL certificates and to use the selfcert.kyr file, then I tried to obtain the WSDL file from my client and from the client of the server, but I obtained the SAME results shown before in this document.
Seventh step
I tried to import the CA certificate from the administrator client:
…continue
After the importation I tried again to obtain the WSDL but with no results at all.
PROBLEM SOLUTION
Hi, after a lot of testing, a lot of reading IBM documentation and a lot of sleepless nights on the matter described in my post above, I came to do some tests on the Portlet Factory (it retrieved the WSDL without problems after putting the certificate in the /lib/securitycacert file) and I got a hunch: "Does the Domino client have a cacerts file in its JVM?"
This morning I looked into the JVM directory and I found it in \CLIENTDIR\jvm\lib\security, so, using the ikeyman.exe program in \CLIENTDIR\jvm\bin, I added the certificate (in binary format) to the repository and I tried to import the WSDL into my database: I was required to accept the cross certification and after that it was imported: a piece of cake!
Please note that I was trying to import a WSDL to obtain LotusScript code (NOT JAVA)!
Well, I think that this is a little bug in the client architecture, because it happens only with certificates that are issued by a NOT TRUSTED authority (with a trusted authority it works as documented, with the cross-certification only). I think that when the certificate is not trusted something goes wrong in the code and it looks for it in the cacerts too and, obviously, it cannot find the certificate... so it raises an error!
I hope that this can be useful!
Alessandro Bignami
Domino developer at ZEL S.r.L.