为Domino Java代理创建交叉证书？ [英] Create cross certificate for Domino Java agent?

问题描述

我正在尝试使用Domino java代理连接到启用https的Web服务。它使用http工作正常但在https上失败。我禁用了TLS 1.2（显然Fix Pack 4和5有TLS 1.2和Java的错误）。

现在我收到以下错误......

  [1034：0007-1164] 12/08/2015 05：44：57.75 PM SSLAdvanceHandshake退出> State HandshakeCertificate（8）
 [1034：0007-1164] 12/08/2015 05：44：57.75 PM SSLProcessHandshakeMessage Enter>消息：证书（11）状态：HandshakeCertificate（8）密钥交换：15密码：ECDHE_RSA_WITH_AES_256_CBC_SHA（0xC014）
 [1034：0007-1164] 12/08/2015 05：44：57.80 PM SSLCheckCertChain>收到的证书链无效
 [1034：0007-1164]证书链评估状态：错误：3659，无法建立对证书或CRL的信任。 
 [1034：0007-1164] 12/08/2015 05：44：57.80 PM SSLSendAlert>发送警报0x0（close_notify）级别0x2（致命）
 [1034：0007-1164] 12/08/2015 05：44：57.80 PM SSLProcessHandshakeMessage退出>消息：证书（11）状态：SSLErrorClose（2）密钥交换：15密码：ECDHE_RSA_WITH_AES_256_CBC_SHA（0xC014）
 [1034：0007-1164] 12/08/2015 05：44：57.80 PM SSL_Handshake>将SSL状态从-6986更改为-5000以刷新写入队列
 [1034：0007-1164] 12/08/2015 05：44：57.80 PM SSL_Handshake>握手状态= SSLErrorClose（2）之后;状态= -5000 
 [1034：0007-1164] 12/08/2015 05：44：57.80 PM int_MapSSLError>将SSL错误-5000映射到4176 [SSLHandshakeNoDone] 
 [1034：0007-1164] 12/08/2015 05：44：57.80 PM S_Write>输入len = 7 
 [1034：0007-1164] 12/08/2015 05：44：57.80 PM SSL_Xmt> 00000000：15 03 01 00 02 02 00'.......'
 [1034：0007-1164] 12/08/2015 05：44：57.80 PM S_Write>切换端点同步
 [1034：0007-1164] 12/08/2015 05：44：57.81 PM S_Write>发布7字节的nti_snd 
 [1034：0007-1164] 12/08/2015 05：44：57.81 PM SSL_EncryptData> SSL不是init退出
 [1034：0007-1164] 12/08/2015 05：44：57.81 PM S_Write>将端点切换为异步
 [1034：0007-1164] 12/08/2015 05：44：57.81 PM SSL_EncryptDataCleanup> SSL不是init退出
 [1034：0007-1164] 12/08/2015 05：44：57.81 PM S_Write> nti_done返回7个字节rc = 0 
 [1034：0007-1164] 12/08/2015 05：44：57.81 PM S_Write>退出，写入7个字节
 [1034：0007-1164] 12/08/2015 05：44：57.81 PM SSL_Handshake>握手2后状态SSLErrorClose（2）
 [1034：0007-1164] 12/08/2015 05：44：57.81 PM int_MapSSLError>将SSL错误-6986映射到4163 [X509CertChainInvalidErr] 
 [1034：0007-1164] 12/08/2015 05:44:57 PM代理管理器：代理错误：WebServiceEngineFault 
 faultCode：{http：// schemas.xmlsoap.org/soap/envelope/}Server.generalException 
 faultSubcode：
 faultString：连接到&'api.qa.silverlining.synovia.com&的错误。在端口& 443&，SSL无效证书上，可能需要交叉验证。 
 faultActor：
 faultNode：
 faultDetail：
 [1034：0007-1164] 12/08/2015 05:44:57 PM Agent Manager：代理错误：连接到'时出错' api.qa.silverlining.synovia.com'在端口'443'上，SSL无效证书，可能需要交叉验证。 
 [1034：0007-1164] 12/08/2015 05:44:57 PM代理经理：代理商错误：在lotus.domino.axis.InternalFault.makeFault（未知来源）
 [1034：0007 -1164] 12/08/2015 05:44:57 PM代理经理：代理商错误：at lotus.domino.axis.transport.http.HTTPSender.invoke（未知来源）
 [1034：0007-1164] 12 / 08/2015 05:44:57 PM代理经理：代理商错误：在lotus.domino.axis.strategies.InvocationStrategy.visit（未知来源）
 [1034：0007-1164] 2015年8月12日05： 44:57 PM代理经理：代理商错误：在lotus.domino.axis.SimpleChain.doVisiting（未知来源）
 [1034：0007-1164] 12/08/2015 05:44:57 PM代理经理：代理错误：at lotus.domino.axis.SimpleChain.invoke（未知来源）
 [1034：0007-1164] 12/08/2015 05:44:57 PM代理经理：代理商错误：at lotus.domino.axis .client.AxisClient.invoke（未知来源）
 [1034：0007-1164] 12/08/2015 05:44:57 PM代理经理：代理商错误：在lotus.domino.axis.client.Call.invokeEngine （Unkno wn来源）
 [1034：0007-1164] 12/08/2015 05:44:57 PM代理经理：代理商错误：at lotus.domino.axis.client.Call.invoke（未知来源）
 [1034：0007-1164] 12/08/2015 05:44:57 PM代理经理：代理商错误：在lotus.domino.axis.client.Call.invoke（未知来源）
 [1034：0007- 1164] 12/08/2015 05:44:57 PM代理经理：代理商错误：at lotus.domino.axis.client.Call.invoke（未知来源）
 [1034：0007-1164] 12/08 / 2015 05:44:57 PM代理经理：代理商错误：在lotus.domino.axis.client.Call.invoke（未知来源）
 [1034：0007-1164] 12/08/2015 05:44:57 PM代理管理器：代理错误：at lotus.domino.websvc.client.Call.invoke（未知来源）
 [1034：0007-1164] 12/08/2015 05:44:57 PM代理管理器：代理错误：at org.tempuri.BasicHttpBinding_ISynoviaApi1Stub.s0001（BasicHttpBinding_ISynoviaApi1Stub.java:11）​​
 [1034：0007-1164] 12/08/2015 05:44:57 PM Agent Manager：Agent error：at JavaAgent.NotesMain（Unknown）来源）
 [1034：0007-1164] 12/08/2015 05:44:57 PM代理经理：代理商错误：at lotus.domino.AgentBase.runNotes（未知来源）
 [1034：0007-1164] 12 / 08/2015 05:44:57 PM代理经理：代理商错误：在lotus.domino.NotesThread.run（未知来源）
 [1034：0007-1164] 12/08/2015 05:44:57 PM代理经理：代理商错误：由以下原因引起：
 [1034：0007-1164] 12/08/2015 05:44:58 PM代理经理：代理商错误：连接到'api.qa.silverlining.synovia.com'时出错在端口'443'上，SSL无效证书，可能需要交叉验证。 
 [1034：0007-1164] 12/08/2015 05:44:58 PM代理经理：代理商错误：at lotus.domino.axis.transport.http.NotesSocket.openConnection（原生方法）
 [1034：0007-1164] 12/08/2015 05:44:58 PM代理经理：代理商错误：在lotus.domino.axis.transport.http.NotesSocket。< init>（未知来源）
 [ 1034：0007-1164] 12/08/2015 05:44:58 PM代理经理：代理商错误：在lotus.domino.axis.transport.http.HTTPSender.getSocket（未知来源）
 [1034：0007- 1164] 12/08/2015 05:44:58 PM代理经理：代理商错误：... 15更多
 [1034：0005-11A0] 12/08/2015 05:44:58 PM AMgr：Agent' 'testweb.nsf'中的s0001'已完成执行
  

我连接的服务是DigiCert SSL证书。我尝试使用资源管理器并导出.cer文件并将其导入Domino目录，但没有运气。我也尝试将它导入cacerts，但也没有做任何事情。

有什么建议吗？ Howard

解决方案

在使用WS之前，您需要跨越证书（在Domino中）api.qa.silverlining.synovia.com证书。

单击检索Internet服务证书按钮

检查协议是否正常（某些时间指定其他并手动填写端口）并且不要为服务名称添加https。

6. 转到客户的 LOCAL 名称


7. 将交叉认证（这是一份文件）从您的本地names.nsf复制到您的服务器名称.nsf：
   



8. 我不记得是否有必要：

   
   
   

   告诉http刷新

I am trying to connect to an https enabled web service using a Domino java agent. It works fine using http but fails on https. I disabled TLS 1.2 (apparently Fix Pack 4 and 5 have a bug with TLS 1.2 and Java).

Now I get the following errors...

    [1034:0007-1164] 12/08/2015 05:44:57.75 PM SSLAdvanceHandshake Exit> State HandshakeCertificate (8)
    [1034:0007-1164] 12/08/2015 05:44:57.75 PM SSLProcessHandshakeMessage Enter> Message: Certificate (11) State: HandshakeCertificate (8) Key Exchange: 15 Cipher: ECDHE_RSA_WITH_AES_256_CBC_SHA (0xC014)
    [1034:0007-1164] 12/08/2015 05:44:57.80 PM SSLCheckCertChain> Invalid certificate chain received
    [1034:0007-1164] Cert Chain Evaluation Status: err: 3659, Cannot establish trust in a certificate or CRL.
    [1034:0007-1164] 12/08/2015 05:44:57.80 PM SSLSendAlert> Sending an alert of 0x0 (close_notify) level 0x2 (fatal)
    [1034:0007-1164] 12/08/2015 05:44:57.80 PM SSLProcessHandshakeMessage Exit> Message: Certificate (11) State: SSLErrorClose (2) Key Exchange: 15 Cipher: ECDHE_RSA_WITH_AES_256_CBC_SHA (0xC014)
    [1034:0007-1164] 12/08/2015 05:44:57.80 PM SSL_Handshake> Changing SSL status from -6986 to -5000 to flush write queue
    [1034:0007-1164] 12/08/2015 05:44:57.80 PM SSL_Handshake> After handshake state = SSLErrorClose (2); Status = -5000
    [1034:0007-1164] 12/08/2015 05:44:57.80 PM int_MapSSLError> Mapping SSL error -5000 to 4176 [SSLHandshakeNoDone]
    [1034:0007-1164] 12/08/2015 05:44:57.80 PM S_Write> Enter len = 7
    [1034:0007-1164] 12/08/2015 05:44:57.80 PM SSL_Xmt> 00000000: 15 03 01 00 02 02 00                              '.......'
    [1034:0007-1164] 12/08/2015 05:44:57.80 PM S_Write> Switching Endpoint to sync
    [1034:0007-1164] 12/08/2015 05:44:57.81 PM S_Write> Posting a nti_snd for 7 bytes
    [1034:0007-1164] 12/08/2015 05:44:57.81 PM SSL_EncryptData> SSL not init exit
    [1034:0007-1164] 12/08/2015 05:44:57.81 PM S_Write> Switching Endpoint to async
    [1034:0007-1164] 12/08/2015 05:44:57.81 PM SSL_EncryptDataCleanup> SSL not init exit
    [1034:0007-1164] 12/08/2015 05:44:57.81 PM S_Write> nti_done return 7 bytes rc = 0
    [1034:0007-1164] 12/08/2015 05:44:57.81 PM S_Write> Exit, wrote 7 bytes
    [1034:0007-1164] 12/08/2015 05:44:57.81 PM SSL_Handshake> After handshake2 state SSLErrorClose (2)
    [1034:0007-1164] 12/08/2015 05:44:57.81 PM int_MapSSLError> Mapping SSL error -6986 to 4163 [X509CertChainInvalidErr]
    [1034:0007-1164] 12/08/2015 05:44:57 PM  Agent Manager: Agent  error: WebServiceEngineFault
      faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.generalException
      faultSubcode: 
      faultString: Error connecting to 'api.qa.silverlining.synovia.com' on port '443', SSL invalid certificate, may need to cross-certify.
      faultActor: 
      faultNode: 
      faultDetail: 
    [1034:0007-1164] 12/08/2015 05:44:57 PM  Agent Manager: Agent  error: Error connecting to 'api.qa.silverlining.synovia.com' on port '443', SSL invalid certificate, may need to cross-certify.
    [1034:0007-1164] 12/08/2015 05:44:57 PM  Agent Manager: Agent  error:   at lotus.domino.axis.InternalFault.makeFault(Unknown Source)
    [1034:0007-1164] 12/08/2015 05:44:57 PM  Agent Manager: Agent  error:   at lotus.domino.axis.transport.http.HTTPSender.invoke(Unknown Source)
    [1034:0007-1164] 12/08/2015 05:44:57 PM  Agent Manager: Agent  error:   at lotus.domino.axis.strategies.InvocationStrategy.visit(Unknown Source)
    [1034:0007-1164] 12/08/2015 05:44:57 PM  Agent Manager: Agent  error:   at lotus.domino.axis.SimpleChain.doVisiting(Unknown Source)
    [1034:0007-1164] 12/08/2015 05:44:57 PM  Agent Manager: Agent  error:   at lotus.domino.axis.SimpleChain.invoke(Unknown Source)
    [1034:0007-1164] 12/08/2015 05:44:57 PM  Agent Manager: Agent  error:   at lotus.domino.axis.client.AxisClient.invoke(Unknown Source)
    [1034:0007-1164] 12/08/2015 05:44:57 PM  Agent Manager: Agent  error:   at lotus.domino.axis.client.Call.invokeEngine(Unknown Source)
    [1034:0007-1164] 12/08/2015 05:44:57 PM  Agent Manager: Agent  error:   at lotus.domino.axis.client.Call.invoke(Unknown Source)
    [1034:0007-1164] 12/08/2015 05:44:57 PM  Agent Manager: Agent  error:   at lotus.domino.axis.client.Call.invoke(Unknown Source)
    [1034:0007-1164] 12/08/2015 05:44:57 PM  Agent Manager: Agent  error:   at lotus.domino.axis.client.Call.invoke(Unknown Source)
    [1034:0007-1164] 12/08/2015 05:44:57 PM  Agent Manager: Agent  error:   at lotus.domino.axis.client.Call.invoke(Unknown Source)
    [1034:0007-1164] 12/08/2015 05:44:57 PM  Agent Manager: Agent  error:   at lotus.domino.websvc.client.Call.invoke(Unknown Source)
    [1034:0007-1164] 12/08/2015 05:44:57 PM  Agent Manager: Agent  error:   at org.tempuri.BasicHttpBinding_ISynoviaApi1Stub.s0001(BasicHttpBinding_ISynoviaApi1Stub.java:11)
    [1034:0007-1164] 12/08/2015 05:44:57 PM  Agent Manager: Agent  error:   at JavaAgent.NotesMain(Unknown Source)
    [1034:0007-1164] 12/08/2015 05:44:57 PM  Agent Manager: Agent  error:   at lotus.domino.AgentBase.runNotes(Unknown Source)
    [1034:0007-1164] 12/08/2015 05:44:57 PM  Agent Manager: Agent  error:   at lotus.domino.NotesThread.run(Unknown Source)
    [1034:0007-1164] 12/08/2015 05:44:57 PM  Agent Manager: Agent  error: Caused by: 
    [1034:0007-1164] 12/08/2015 05:44:58 PM  Agent Manager: Agent  error: Error connecting to 'api.qa.silverlining.synovia.com' on port '443', SSL invalid certificate, may need to cross-certify.
    [1034:0007-1164] 12/08/2015 05:44:58 PM  Agent Manager: Agent  error:   at lotus.domino.axis.transport.http.NotesSocket.openConnection(Native Method)
    [1034:0007-1164] 12/08/2015 05:44:58 PM  Agent Manager: Agent  error:   at lotus.domino.axis.transport.http.NotesSocket.<init>(Unknown Source)
    [1034:0007-1164] 12/08/2015 05:44:58 PM  Agent Manager: Agent  error:   at lotus.domino.axis.transport.http.HTTPSender.getSocket(Unknown Source)
    [1034:0007-1164] 12/08/2015 05:44:58 PM  Agent Manager: Agent  error:   ... 15 more
    [1034:0005-11A0] 12/08/2015 05:44:58 PM  AMgr: Agent 's0001' in 'testweb.nsf' completed execution

The service I am connecting to is a DigiCert SSL certificate. I tried using Explorer and exporting a .cer file and importing that to the Domino directory with no luck. I also tried importing it into cacerts but that did not do anything either.

Any suggestions? Howard

解决方案

Before consuming the WS you need to cross certificate (in Domino) the api.qa.silverlining.synovia.com certificate.

The Official doc, is not so clear so find below how to cross certify with the web server that have the ssl your want to cross certify to:

1. copy the server id in your notes client.
2. in your client, switch to id of the server
3. go to User Security / People, Services / Find more about people/services:
4. click the "Retrieve Internet service certificate" button
5. check that the protocol is ok (sometime specify "Other" and fill port manually) and do not put "https" for service name.

6. go to the LOCAL names of your client
7. copy the cross certification (it's a document) from your local names.nsf to your server names.nsf:

8. I don't remember if it is necessary:

   tell http refresh

这篇关于为Domino Java代理创建交叉证书？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！