Annoyance With HTTPS Web Services and Domino
Obscure Domino annoyance alert!
If you have a scheduled Java Agent on a server and that Agent connects to an external Web Service over HTTPS, then you will likely encounter an error if both of the following are true:
- You are using Internet Site documents.
- The server's Key File isn't in the default place - /keyfile.kyr
The error you will see from a Java stack trace is:
Error connecting to 'www.acme.com' on port '443', SSL Error: Keyring file not found.
After a lot of head scratching and a lot of searching I found the answer in the good ol' Notes forum.
It turns out that, for this type of operation, the server uses the key file setting from the Server Document and NOT the Internet Site documents. If you enabled Internet Site documents and set the Key File to something like "/keyfiles/keys.kyr", then the Server Document will still think the key file is at "/keyfile.kyr" and won't be able to find it.
To fix this, do the following:
- Open the Server Document
- Disable "Load Internet configurations from Internet Site documents"
- On the Ports -> Internet Port tab under SSL settings change the SSL key file name to the right location.
- Enable "Load Internet configurations from Internet Site documents"
- Save and close Server Document
- Restart server
Annoying or what!
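A preflight check for the mismatch described above, as an added example (not code from the original post or from Domino). You supply the key file names you read from the Server Document and the Internet Site documents; the function names, the site label and the rule that names resolve relative to the Domino data directory are assumptions of this example.

```python
import os
import tempfile
from pathlib import Path


def resolve(data_dir, key_file):
    """Resolve a key file name as typed into a Domino document.

    Assumption: names such as "/keyfiles/keys.kyr" are relative to the
    Domino data directory, so leading separators are dropped.
    """
    return Path(data_dir) / key_file.replace("\\", "/").lstrip("/")


def check_outbound_keyring(data_dir, server_doc_key_file, site_key_files):
    """Return findings for the Server Document vs Internet Site mismatch.

    site_key_files maps a site label (hypothetical) to its key file name.
    """
    findings = []
    server_path = resolve(data_dir, server_doc_key_file)
    if not server_path.is_file():
        findings.append(
            f"MISSING: Server Document key file {server_path} does not exist; "
            "agent HTTPS calls would report 'Keyring file not found'")
    for site, key_file in sorted(site_key_files.items()):
        site_path = resolve(data_dir, key_file)
        if site_path != server_path:
            findings.append(
                f"MISMATCH: site '{site}' uses {site_path} but the "
                f"Server Document points at {server_path}")
        if not site_path.is_file():
            findings.append(f"MISSING: site '{site}' key file {site_path}")
    return findings


if __name__ == "__main__":
    # Constructed layout matching the post: keyring moved to keyfiles/keys.kyr,
    # Server Document still holding the default name.
    with tempfile.TemporaryDirectory() as data_dir:
        os.makedirs(os.path.join(data_dir, "keyfiles"))
        Path(data_dir, "keyfiles", "keys.kyr").touch()
        for line in check_outbound_keyring(
                data_dir, "/keyfile.kyr", {"www": "/keyfiles/keys.kyr"}):
            print(line)
```

An empty result means the Server Document and every site agree on a key file that exists, which is the state the fix above leaves the server in.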
Is this related to the problems we discussed here http://www.codestore.net/store.nsf/unid/BLOG-20110906-0400?OpenDocument#DOC_2F08EDF0 ? So, Domino can use SSL client certificates when consuming web services, despite what IBM says on their site https://www-304.ibm.com/support/docview.wss?uid=swg1LO50384 ?
Reply
Your memory is better than mine. I'd forgotten about that post and the comments.
This work isn't related to what I was talking about there.
I'm not sure if there's a difference between client and site certificates(?) but yes, Domino can consume HTTPS Web Services from code running on the server. The server I'm using is 8.5.2 and it's using Domino's internal Axis code which was generated when I imported the WSDL into a Web Service Consumer object in Domino Designer.
Reply
Have you tried importing the SSL certificate to the cacerts file? (Located at /jvm/lib/security). We have Java code consuming Web Services over https and that seemed to do the trick for us (no need to touch the .kyr files).
Reply
That was going to be the next thing I tried. Luckily I didn't need to as the fix I talked about above has worked.
I had a feeling the cacert stuff wasn't needed though as the code worked on my dev server (where the keyfile.kyr name/location was standard) but not on the test server (where the keyfile was elsewhere).
Reply
- > face buried in hands < -
Reply
In related news. If you'd rather use DOTS or an XAgent, the generated code in Domino web service clients is inaccessible... you can use CXF which is also available on Domino. Details here: http://www.wissel.net/blog/d6plinks/SHWL-8SUKV5
Reply