configure SSL on Domino

We can follow the instructions in the IBM developerWorks article linked below:

http://www-128.ibm.com/developerworks/lotus/library/ls-Java_access_2/index.html

SSL encryption

The previous article in this series discussed running a Java application locally or remotely. Remote calls require HTTP and DIIOP access. You can encrypt transmissions over the DIIOP port using SSL (Secure Sockets Layer). See the previous article for instructions on how to set up DIIOP. The client code signals the desire to encrypt by specifying a new second parameter in the createSession call. This parameter is a String array whose first element has -ORBEnableSSLSecurity as its value, for example:

String args[] = new String[1];
args[0] = "-ORBEnableSSLSecurity";
Session s = NotesFactory.createSession("myhost.east.acme.com:63148", args, "Jane Smith/East/Acme", "topS3cr3t");

You still use a non-SSL port (63148 in the above example) to get the IOR. The actual service requests take place over the DIIOP SSL port, which is 63149 by default.

Before running the code, you must set up the server and client with a common trusted root certificate from a certificate authority. This process is best covered as a series of steps.

Step 1

Create a key ring. Open the Server Certificate Admin (certsrv.nsf) database on a Domino server and use its forms to create and populate a key ring. See Administering the Domino System, Volume 2 or the Domino Administrator Help for detailed information. For testing purposes, you can use the CertAdminCreateKeyringWithSelfCert form to create a key ring with a self-certified certificate.

Step 2

Move the keyring to the server. The keyring consists of a keyring file (KYR file) and stash file (STH file). These files are generated on the computer from which you’re accessing the Server Certificate Admin database. Move or copy the two keyring files to the computer containing the Domino server. Place them in the server’s data directory. For example, if you create a keyring with a self-certified certificate using default names and copy the files to a computer with a server whose data files are installed at C:\Lotus\Domino\Data, the server files would be:

C:\Lotus\Domino\Data\selfcert.kyr
C:\Lotus\Domino\Data\selfcert.sth

Step 3

Copy TrustedCerts.class to the client and put it in the classpath. Once the keyring files are on the server, starting or restarting the DIIOP task generates a file named TrustedCerts.class in the Domino data directory. Distribute this file to any computer from which you are going to access the server using CORBA with SSL, and put the directory containing the file in the classpath. For example, if you copy the file to C:\Lotus\TrustedCerts.class on a client, set the classpath as follows:

set classpath=%classpath%;c:\lotus

Step 4

Enable the server for SSL. In the Server document in the server's Domino Directory, go to the Ports tab, then the Internet Ports tab. Under SSL settings, specify the SSL key file name (for example, selfcert.kyr). Go to the DIIOP tab. Ensure that the SSL port number is correct; it defaults to 63149. Enable the SSL port. Set Name & password and Anonymous authentication as desired.

The instructions above are good enough to perform an SSL test. But here is a problem I met and fixed: putting TrustedCerts.class on your classpath, and making sure your application actually reads that classpath, is a really important part! I set the proper classpath, but my Java application could not pick up that classpath when running in Eclipse. I didn't realize this at first and wasted a lot of time on it. Finally, I ran my Java class from the command line, and then it worked.

Here is the code and the stack trace when the class could not be found:

————————- start
String hostName = "192.168.66.101";
String userName = "test";
String password = "test";
// -ORBEnableSSLSecurity asks the ORB to run the DIIOP calls over the SSL port
String[] arg = new String[]{"-ORBEnableSSLSecurity"};
Session s = NotesFactory.createSession(hostName, arg, userName, password);
————————- end

but I kept getting the error below:

————————- start
NotesException: Session closed due to communications failure
    at lotus.domino.cso.ORBCallback.make_error(Unknown Source)
    at lotus.priv.CORBA.iiop.Generic.make_error(Unknown Source)
    at lotus.priv.CORBA.portable.ObjectImpl._invoke(Unknown Source)
    at lotus.domino.corba._IObjectServerStub.createSession(Unknown Source)
    at lotus.domino.cso.Session.initSession(Unknown Source)
    at lotus.domino.cso.Session.<init>(Unknown Source)
    at lotus.domino.cso.Session.createSession(Unknown Source)
    at lotus.domino.NotesFactory.createSessionUP(Unknown Source)
    at lotus.domino.NotesFactory.createSession(Unknown Source)
    at GetSession.doGetSession_2(GetSession.java:62)
    at TesterGetSession.main(TesterGetSession.java:13)
Caused by: org.omg.CORBA.COMM_FAILURE: java.io.IOException: Connection closed: Host: 127.0.0.1 Port: 63149 vmcid: 0x0 minor code: 1 completed: Maybe
    at lotus.priv.CORBA.iiop.IIOPConnection.purge_calls(Unknown Source)
    at lotus.priv.CORBA.iiop.ReaderThread.run(Unknown Source)
Caused by: java.io.IOException
    at lotus.priv.CORBA.iiop.Message.readFully(Unknown Source)
    at lotus.priv.CORBA.iiop.Message.createFromStream(Unknown Source)
    at lotus.priv.CORBA.iiop.IIOPInputStream.prefill(Unknown Source)
    at lotus.priv.CORBA.iiop.IIOPConnection.createInputStream(Unknown Source)
    ... 1 more
————————- end

The code is fine. It runs smoothly if the application can read the classpath. But because it could not get the certificate from the class file, the code could not get access.

I also tried this: getting the SSL connection first, through HTTPS. Here are the code and the stack trace:

String hostName = "192.168.66.101";
String userName = "test";
String password = "test";
// -HTTPEnableSSLSecurity fetches the IOR over HTTPS instead of plain HTTP
String[] arg = new String[1];
arg[0] = "-HTTPEnableSSLSecurity";
String IOR = NotesFactory.getIOR(hostName, arg, userName, password);

———————— error start
NotesException: Could not get IOR from Domino Server: {0}
    at lotus.domino.NotesFactory.requestIORUsingSSL(Unknown Source)
    at lotus.domino.NotesFactory.requestIORUsingArgs(Unknown Source)
    at lotus.domino.NotesFactory.getIOR(Unknown Source)
    at lotus.domino.NotesFactory.getIOR(Unknown Source)
    at ssltest.tibco.lotus.com.GetSession.doGetSession_2(GetSession.java:67)
    at ssltest.tibco.lotus.com.TesterGetSession.main(TesterGetSession.java:13)
Caused by: java.lang.ClassNotFoundException: TrustedCerts
    at java.net.URLClassLoader$1.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.net.URLClassLoader.findClass(Unknown Source)
    at java.lang.ClassLoader.loadClass(Unknown Source)
    at sun.misc.Launcher$AppClassLoader.loadClass(Unknown Source)
    at java.lang.ClassLoader.loadClass(Unknown Source)
    at java.lang.ClassLoader.loadClassInternal(Unknown Source)
    at java.lang.Class.forName0(Native Method)
    at java.lang.Class.forName(Unknown Source)
    at lotus.priv.CORBA.iiop.ssl.SSLSecurity.createSSLSocket(Unknown Source)
    ... 6 more
———————— error end

Please note that there is a 'Caused by: java.lang.ClassNotFoundException: TrustedCerts'. It reminded me of the certificate class.

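The following is an added example, not code from this post or from the IBM article. It serves the four-step setup above and the classpath problem just described: before dialling the server it performs the same lookup the Domino ORB does when it creates the SSL socket (Class.forName("TrustedCerts"), the call visible at the bottom of the HTTPS stack trace), so a TrustedCerts.class that is missing from the classpath is reported as exactly that, with the classpath the JVM actually received, instead of surfacing as a generic COMM_FAILURE on port 63149 or a nested ClassNotFoundException. An IDE launch configuration that does not include the directory holding TrustedCerts.class fails at this check before any network traffic. The host and port, the account name and the class name SslDiiopClient are assumptions; the password is prompted for rather than hard-coded.

```java
import java.io.Console;
import java.util.Arrays;

import lotus.domino.NotesException;
import lotus.domino.NotesFactory;
import lotus.domino.Session;

/** Added example: DIIOP over SSL with an explicit preflight check for TrustedCerts.class. */
public class SslDiiopClient {

    /**
     * Reproduces the lookup the Domino ORB performs when it opens the SSL socket
     * (Class.forName("TrustedCerts") in lotus.priv.CORBA.iiop.ssl.SSLSecurity).
     * Returns the class on success; on failure prints the classpath this JVM
     * really got and rethrows, so the cause is obvious in the console.
     */
    static Class<?> requireTrustedCerts() throws ClassNotFoundException {
        try {
            return Class.forName("TrustedCerts");
        } catch (ClassNotFoundException e) {
            System.err.println("TrustedCerts.class is not on the classpath of this launch:");
            System.err.println("  java.class.path = " + System.getProperty("java.class.path"));
            System.err.println("  Copy it from the Domino data directory (the DIIOP task generates it on start-up)");
            System.err.println("  and add the directory that contains it to the classpath of THIS launch.");
            throw e;
        }
    }

    /** Opens a session whose service requests run over the DIIOP SSL port. */
    static Session openSslSession(String hostAndPort, String user, String password)
            throws NotesException, ClassNotFoundException {
        requireTrustedCerts(); // fail fast, before any connection is attempted
        String[] orbArgs = { "-ORBEnableSSLSecurity" };
        // hostAndPort still names the non-SSL DIIOP port (63148 by default) used to fetch the IOR;
        // the actual calls then go over the SSL port enabled in the Server document (63149 by default).
        return NotesFactory.createSession(hostAndPort, orbArgs, user, password);
    }

    public static void main(String[] argv) throws Exception {
        // Assumed values for illustration; override them on the command line.
        String hostAndPort = argv.length > 0 ? argv[0] : "192.168.66.101:63148";
        String user = argv.length > 1 ? argv[1] : "test";

        Console console = System.console();
        if (console == null) {
            throw new IllegalStateException("run from a terminal so the password can be prompted for");
        }
        char[] password = console.readPassword("Password for %s: ", user);
        Session s;
        try {
            s = openSslSession(hostAndPort, user, new String(password));
        } finally {
            Arrays.fill(password, '\0'); // clear the char[] copy; the Domino API itself takes a String
        }
        try {
            System.out.println("SSL session to " + s.getServerName() + " as " + s.getUserName());
        } finally {
            s.recycle();
        }
    }
}
```

Run it as `java -cp .;c:\lotus;Notes.jar SslDiiopClient 192.168.66.101:63148 test` (with the directory holding TrustedCerts.class and the Domino Java API jar on the classpath); if the check fails, the printed java.class.path shows at once whether the directory from Step 3 reached this particular launch.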
There is another thing I have to say. When coding with the Domino Java API, I noticed that the status of the first call may be stored. If you do not exit your current process, the next call will consequently succeed. For example, I disabled the common HTTP port and enabled only the SSL port. Then I ran the following code:

String[] arg = new String[1];
arg[0] = "-HTTPEnableSSLSecurity";
String IOR = NotesFactory.getIOR(hostName, arg, userName, password);
System.out.println("IOR = " + IOR);
String IOR2 = NotesFactory.getIOR(hostName);
System.out.println("IOR2 = " + IOR2);

I had disabled the common HTTP port, so I thought the second call of getIOR should fail. But it didn't. Maybe "-HTTPEnableSSLSecurity" is like a switch that turns SSL on, and there may be another switch to turn it off.
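An added example (not the post's own code) that takes the HTTPS experiment above to its conclusion: the IOR is fetched with -HTTPEnableSSLSecurity and the session is then opened from that IOR with -ORBEnableSSLSecurity, so the client never touches the plaintext DIIOP port that the plain createSession(host, ...) form uses to obtain the IOR. Each call passes its own flags explicitly and nothing is inherited from an earlier call in the process, which is the safer way to write it regardless of the state-carrying behaviour observed above. It relies on the four-argument NotesFactory.createSessionWithIOR(String, String[], String, String) overload being present in the client's Domino Java API, which is an assumption here, as are the host name, the account and the class name SslOnlyDiiopClient.

```java
import java.io.Console;

import lotus.domino.NotesException;
import lotus.domino.NotesFactory;
import lotus.domino.Session;

/** Added example: obtain the IOR over HTTPS, then open the DIIOP session over SSL. */
public class SslOnlyDiiopClient {

    /** A stringified CORBA object reference always starts with the literal prefix "IOR:". */
    static boolean looksLikeIor(String ior) {
        return ior != null && ior.startsWith("IOR:");
    }

    /**
     * Fetches the IOR over the server's HTTPS port (so it is not read from the
     * plaintext DIIOP port) and opens the session from it with SSL enabled for the
     * ORB. Both flags are passed explicitly on their own calls; nothing depends on
     * state left behind by an earlier call in this process.
     */
    static Session openSslOnlySession(String host, String user, String password) throws NotesException {
        String[] iorArgs = { "-HTTPEnableSSLSecurity" };
        String ior = NotesFactory.getIOR(host, iorArgs, user, password);
        if (!looksLikeIor(ior)) {
            throw new IllegalStateException("server did not return a stringified IOR: " + ior);
        }
        String[] orbArgs = { "-ORBEnableSSLSecurity" };
        // Assumption: the client API provides this four-argument overload.
        return NotesFactory.createSessionWithIOR(ior, orbArgs, user, password);
    }

    public static void main(String[] argv) throws Exception {
        String host = argv.length > 0 ? argv[0] : "192.168.66.101"; // assumed host; HTTPS on the server's default port
        String user = argv.length > 1 ? argv[1] : "test";            // assumed account
        Console console = System.console();
        if (console == null) {
            throw new IllegalStateException("run from a terminal so the password can be prompted for");
        }
        String password = new String(console.readPassword("Password for %s: ", user));

        Session s = openSslOnlySession(host, user, password);
        try {
            System.out.println("SSL-only session to " + s.getServerName() + " as " + s.getUserName());
        } finally {
            s.recycle();
        }
    }
}
```

TrustedCerts.class must still be on the classpath for both calls, since the HTTPS fetch of the IOR goes through the same SSL socket code as the DIIOP connection (the ClassNotFoundException in the second stack trace above was raised from the getIOR path).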

Anyway, it finally works. CHEERS!
