Annoyance With HTTPS Web Services and Domino

Obscure Domino annoyance alert!

If you have a scheduled Java Agent on a server and that Agent connects to an external Web Service over HTTPS, then you will likely encounter an error if both of the following are true:

  1. You are using Internet Site documents.
  2. The server's Key File isn't in the default place - /keyfile.kyr

The error you will see from a Java stack trace is:

Error connecting to 'www.acme.com' on port '443', SSL Error: Keyring file not found.

After a lot of head scratching and a lot of searching I found the answer in the good ol' Notes forum.

It turns out that, for this type of operation, the server uses the key file setting from the Server Document and NOT the Internet Site documents. If you enabled Internet Site documents and set the Key File to something like "/keyfiles/keys.kyr", then the Server Document will still think the key file is at "/keyfile.kyr" and won't be able to find it.

To fix this you need to do this:

  1. Open the Server Document
  2. Disable "Load Internet configurations from Internet Site documents"
  3. On the Ports -> Internet Port tab under SSL settings change the SSL key file name to the right location.
  4. Enable "Load Internet configurations from Internet Site documents"
  5. Save and close Server Document
  6. Restart server

Annoying or what!

Comments

  1. Is this related to the problems we discussed here http://www.codestore.net/store.nsf/unid/BLOG-20110906-0400?OpenDocument#DOC_2F08EDF0 ? So, Domino can use SSL client certificates when consuming web services, despite what IBM says on their site https://www-304.ibm.com/support/docview.wss?uid=swg1LO50384 ?

      • Jake Howlett
      • Thu 29 Mar 2012 05:20 AM

      Your memory is better than mine. I'd forgotten about that post and the comments.

      This work isn't related to what I was talking about there.

      I'm not sure if there's a difference between client and site certificates(?) but yes, Domino can consume HTTPS Web Services from code running on the server. The server I'm using is 8.5.2 and it's using Domino's internal Axis code, which was generated when I imported the WSDL into a Web Service Consumer object in Domino Designer.

    • Lauri Laanti
    • Thu 29 Mar 2012 07:01 AM

    Have you tried importing the SSL certificate to the cacerts file? (Located at /jvm/lib/security). We have Java code consuming Web Services over https and that seemed to do the trick for us (no need to touch the .kyr files).

      • Jake Howlett
      • Thu 29 Mar 2012 07:38 AM

      That was going to be the next thing I tried. Luckily I didn't need to as the fix I talked about above has worked.

      I had a feeling the cacert stuff wasn't needed though as the code worked on my dev server (where the keyfile.kyr name/location was standard) but not on the test server (where the keyfile was elsewhere).

  2. - > face buried in hands < -

  3. In related news: if you'd rather use DOTS or an XAgent, the generated code in Domino web service clients is inaccessible... you can use CXF, which is also available on Domino. Details here: http://www.wissel.net/blog/d6plinks/SHWL-8SUKV5

About This Page

Written by Jake Howlett on Thu 29 Mar 2012
