Enable SSL for DIIOP in Domino

quote:

http://www.ibm.com/developerworks/lotus/library/ls-Java_access_2/

Java access to the Domino Objects, Part 2

Level: Advanced

Robert Perron, Documentation Architect, Lotus
Steve Nikopoulos, Senior Software Engineer, Lotus
Kevin Smith, Advisory Software Engineer, Lotus

04 Aug 2003

Part 2 of 2: This article covers advanced topics in developing Java applications using Domino Objects including SSL encryption, servlets, connection pooling, single sign-on, session timeouts, and recycling, and suggests some troubleshooting techniques.

This article is the second in a series of two. In part one of this series, you learned the basics of using the Domino Objects from a Java application locally and remotely. This month you will learn about SSL encryption, servlets, connection pooling, single sign-on, session timeouts, and recycling. The article also includes a section on troubleshooting. This article assumes that you are familiar with the Domino Java API and have read the first article.

SSL encryption

The previous article in this series discussed running a Java application locally or remotely. Remote calls require HTTP and DIIOP access. You can encrypt transmissions over the DIIOP port using SSL (Secure Sockets Layer). See the previous article for instructions on how to set up DIIOP. The client code signals the desire to encrypt by specifying a new second parameter in the createSession call. This parameter is a String array whose first element has -ORBEnableSSLSecurity as its value, for example:

import lotus.domino.NotesFactory;
import lotus.domino.Session;

// The second argument to createSession is the ORB argument list; its first
// element, "-ORBEnableSSLSecurity", requests SSL for the DIIOP connection.
String args[] = new String[1];
args[0] = "-ORBEnableSSLSecurity";
Session s = NotesFactory.createSession("myhost.east.acme.com:63148", args,
        "Jane Smith/East/Acme", "topS3cr3t");

You still use a non-SSL port (63148 in the above example) to get the IOR. The actual service requests take place over the DIIOP SSL port, which is 63149 by default.
Before running the code, you must set up the server and client with a common trusted root certificate from a certificate authority. This process is best covered as a series of steps.

Step 1

Create a key ring. Open the Server Certificate Admin (certsrv.nsf) database on a Domino server and use its forms to create and populate a key ring. See Administering the Domino System, Volume 2 or the Domino Administrator Help for detailed information. For testing purposes, you can use the CertAdminCreateKeyringWithSelfCert form to create a key ring with a self-certified certificate.

Step 2

Move the keyring to the server. The keyring consists of a keyring file (KYR file) and stash file (STH file). These files are generated on the computer from which you’re accessing the Server Certificate Admin database. Move or copy the two keyring files to the computer containing the Domino server. Place them in the server’s data directory. For example, if you create a keyring with a self-certified certificate using default names and copy the files to a computer with a server whose data files are installed at C:\Lotus\Domino\Data, the server files would be:

C:\Lotus\Domino\Data\selfcert.kyr
C:\Lotus\Domino\Data\selfcert.sth

Step 3

Copy TrustedCerts.class to the client and put it in the classpath. Once the keyring files are on the server, starting or restarting the DIIOP task generates a file named TrustedCerts.class in the Domino data directory. Distribute this file to any computer from which you are going to access the server using CORBA with SSL, and put the directory containing the file in the classpath. For example, if you copy the file to C:\Lotus\TrustedCerts.class on a client, set the classpath as follows:

set classpath=%classpath%;c:\lotus

Step 4

Enable the server for SSL. In the Server document in the server’s Domino Directory, go to the Ports tab, then the Internet Ports tab. Under SSL settings, specify the SSL key file name (for example, selfcert.kyr). Go to the DIIOP tab. Ensure that the SSL port number is correct; it defaults to 63149. Enable the SSL port. Set Name & password and Anonymous authentication as desired.
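A complete client that puts the four steps and the createSession call together, added here as an example and not code from the quoted article: it first checks that TrustedCerts.class (the file DIIOP generates in step 3) is actually on the classpath, then opens the session with -ORBEnableSSLSecurity and recycles it. The host name, user name and password are placeholders.

```java
import lotus.domino.NotesException;
import lotus.domino.NotesFactory;
import lotus.domino.Session;

// Example client, not part of the quoted article. Assumes the server-side
// setup above (key ring, SSL port enabled) is done; host, user and password
// below are placeholders to be replaced with real values.
public class DiiopSslClient {

    // Step 3: the SSL-enabled ORB needs TrustedCerts.class on the classpath
    // to know which root certificate to trust. Checking for it up front turns
    // an obscure ORB failure into a clear message.
    static boolean trustedCertsOnClasspath() {
        try {
            Class.forName("TrustedCerts");
            return true;
        } catch (ClassNotFoundException e) {
            return false;
        }
    }

    public static void main(String[] argv) {
        if (!trustedCertsOnClasspath()) {
            System.err.println("TrustedCerts.class not found on the classpath; "
                + "copy it from the server's data directory first (step 3).");
            System.exit(1);
        }

        // host:port is the non-SSL DIIOP port, used only to fetch the IOR;
        // with -ORBEnableSSLSecurity the actual requests go to the SSL port
        // (63149 by default, see step 4).
        String[] orbArgs = { "-ORBEnableSSLSecurity" };
        Session s = null;
        try {
            s = NotesFactory.createSession("myhost.example.com:63148", orbArgs,
                    "Jane Smith/East/Acme", "placeholder-password");
            System.out.println("Connected to " + s.getServerName()
                + " as " + s.getUserName());
        } catch (NotesException e) {
            System.err.println("DIIOP session failed: " + e.id + " " + e.text);
        } finally {
            // A remote session holds server-side resources: always recycle it.
            if (s != null) {
                try { s.recycle(); } catch (NotesException e) { /* ignore */ }
            }
        }
    }
}
```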

 

http://www.ibm.com/developerworks/cn/lotus/ls-java_access_2/index.html

