Gegenzertifikat für Domino Java Agent erstellen?
Ich versuche, mithilfe eines Domino Java-Agenten eine Verbindung zu einem https-fähigen Webdienst herzustellen. Es funktioniert gut mit http, schlägt aber auf https fehl. Ich habe TLS 1.2 deaktiviert (anscheinend haben Fixpack 4 und 5 einen Fehler mit TLS 1.2 und Java).
Nun bekomme ich folgende Fehlermeldungen ...
[1034:0007-1164] 12/08/2015 05:44:57.75 PM SSLAdvanceHandshake Exit> State HandshakeCertificate (8)
[1034:0007-1164] 12/08/2015 05:44:57.75 PM SSLProcessHandshakeMessage Enter> Message: Certificate (11) State: HandshakeCertificate (8) Key Exchange: 15 Cipher: ECDHE_RSA_WITH_AES_256_CBC_SHA (0xC014)
[1034:0007-1164] 12/08/2015 05:44:57.80 PM SSLCheckCertChain> Invalid certificate chain received
[1034:0007-1164] Cert Chain Evaluation Status: err: 3659, Cannot establish trust in a certificate or CRL.
[1034:0007-1164] 12/08/2015 05:44:57.80 PM SSLSendAlert> Sending an alert of 0x0 (close_notify) level 0x2 (fatal)
[1034:0007-1164] 12/08/2015 05:44:57.80 PM SSLProcessHandshakeMessage Exit> Message: Certificate (11) State: SSLErrorClose (2) Key Exchange: 15 Cipher: ECDHE_RSA_WITH_AES_256_CBC_SHA (0xC014)
[1034:0007-1164] 12/08/2015 05:44:57.80 PM SSL_Handshake> Changing SSL status from -6986 to -5000 to flush write queue
[1034:0007-1164] 12/08/2015 05:44:57.80 PM SSL_Handshake> After handshake state = SSLErrorClose (2); Status = -5000
[1034:0007-1164] 12/08/2015 05:44:57.80 PM int_MapSSLError> Mapping SSL error -5000 to 4176 [SSLHandshakeNoDone]
[1034:0007-1164] 12/08/2015 05:44:57.80 PM S_Write> Enter len = 7
[1034:0007-1164] 12/08/2015 05:44:57.80 PM SSL_Xmt> 00000000: 15 03 01 00 02 02 00 '.......'
[1034:0007-1164] 12/08/2015 05:44:57.80 PM S_Write> Switching Endpoint to sync
[1034:0007-1164] 12/08/2015 05:44:57.81 PM S_Write> Posting a nti_snd for 7 bytes
[1034:0007-1164] 12/08/2015 05:44:57.81 PM SSL_EncryptData> SSL not init exit
[1034:0007-1164] 12/08/2015 05:44:57.81 PM S_Write> Switching Endpoint to async
[1034:0007-1164] 12/08/2015 05:44:57.81 PM SSL_EncryptDataCleanup> SSL not init exit
[1034:0007-1164] 12/08/2015 05:44:57.81 PM S_Write> nti_done return 7 bytes rc = 0
[1034:0007-1164] 12/08/2015 05:44:57.81 PM S_Write> Exit, wrote 7 bytes
[1034:0007-1164] 12/08/2015 05:44:57.81 PM SSL_Handshake> After handshake2 state SSLErrorClose (2)
[1034:0007-1164] 12/08/2015 05:44:57.81 PM int_MapSSLError> Mapping SSL error -6986 to 4163 [X509CertChainInvalidErr]
[1034:0007-1164] 12/08/2015 05:44:57 PM Agent Manager: Agent error: WebServiceEngineFault
faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.generalException
faultSubcode:
faultString: Error connecting to 'api.qa.silverlining.synovia.com' on port '443', SSL invalid certificate, may need to cross-certify.
faultActor:
faultNode:
faultDetail:
[1034:0007-1164] 12/08/2015 05:44:57 PM Agent Manager: Agent error: Error connecting to 'api.qa.silverlining.synovia.com' on port '443', SSL invalid certificate, may need to cross-certify.
[1034:0007-1164] 12/08/2015 05:44:57 PM Agent Manager: Agent error: at lotus.domino.axis.InternalFault.makeFault(Unknown Source)
[1034:0007-1164] 12/08/2015 05:44:57 PM Agent Manager: Agent error: at lotus.domino.axis.transport.http.HTTPSender.invoke(Unknown Source)
[1034:0007-1164] 12/08/2015 05:44:57 PM Agent Manager: Agent error: at lotus.domino.axis.strategies.InvocationStrategy.visit(Unknown Source)
[1034:0007-1164] 12/08/2015 05:44:57 PM Agent Manager: Agent error: at lotus.domino.axis.SimpleChain.doVisiting(Unknown Source)
[1034:0007-1164] 12/08/2015 05:44:57 PM Agent Manager: Agent error: at lotus.domino.axis.SimpleChain.invoke(Unknown Source)
[1034:0007-1164] 12/08/2015 05:44:57 PM Agent Manager: Agent error: at lotus.domino.axis.client.AxisClient.invoke(Unknown Source)
[1034:0007-1164] 12/08/2015 05:44:57 PM Agent Manager: Agent error: at lotus.domino.axis.client.Call.invokeEngine(Unknown Source)
[1034:0007-1164] 12/08/2015 05:44:57 PM Agent Manager: Agent error: at lotus.domino.axis.client.Call.invoke(Unknown Source)
[1034:0007-1164] 12/08/2015 05:44:57 PM Agent Manager: Agent error: at lotus.domino.axis.client.Call.invoke(Unknown Source)
[1034:0007-1164] 12/08/2015 05:44:57 PM Agent Manager: Agent error: at lotus.domino.axis.client.Call.invoke(Unknown Source)
[1034:0007-1164] 12/08/2015 05:44:57 PM Agent Manager: Agent error: at lotus.domino.axis.client.Call.invoke(Unknown Source)
[1034:0007-1164] 12/08/2015 05:44:57 PM Agent Manager: Agent error: at lotus.domino.websvc.client.Call.invoke(Unknown Source)
[1034:0007-1164] 12/08/2015 05:44:57 PM Agent Manager: Agent error: at org.tempuri.BasicHttpBinding_ISynoviaApi1Stub.s0001(BasicHttpBinding_ISynoviaApi1Stub.java:11)
[1034:0007-1164] 12/08/2015 05:44:57 PM Agent Manager: Agent error: at JavaAgent.NotesMain(Unknown Source)
[1034:0007-1164] 12/08/2015 05:44:57 PM Agent Manager: Agent error: at lotus.domino.AgentBase.runNotes(Unknown Source)
[1034:0007-1164] 12/08/2015 05:44:57 PM Agent Manager: Agent error: at lotus.domino.NotesThread.run(Unknown Source)
[1034:0007-1164] 12/08/2015 05:44:57 PM Agent Manager: Agent error: Caused by:
[1034:0007-1164] 12/08/2015 05:44:58 PM Agent Manager: Agent error: Error connecting to 'api.qa.silverlining.synovia.com' on port '443', SSL invalid certificate, may need to cross-certify.
[1034:0007-1164] 12/08/2015 05:44:58 PM Agent Manager: Agent error: at lotus.domino.axis.transport.http.NotesSocket.openConnection(Native Method)
[1034:0007-1164] 12/08/2015 05:44:58 PM Agent Manager: Agent error: at lotus.domino.axis.transport.http.NotesSocket.<init>(Unknown Source)
[1034:0007-1164] 12/08/2015 05:44:58 PM Agent Manager: Agent error: at lotus.domino.axis.transport.http.HTTPSender.getSocket(Unknown Source)
[1034:0007-1164] 12/08/2015 05:44:58 PM Agent Manager: Agent error: ... 15 more
[1034:0005-11A0] 12/08/2015 05:44:58 PM AMgr: Agent 's0001' in 'testweb.nsf' completed execution
Der Dienst, zu dem ich eine Verbindung herstelle, ist ein DigiCert-SSL-Zertifikat. Ich habe versucht, mithilfe des Explorers eine CER-Datei zu exportieren und diese ohne Erfolg in das Domino-Verzeichnis zu importieren. Ich habe auch versucht, es in cacerts zu importieren, aber das hat auch nichts gebracht.
Irgendwelche Vorschläge? Howard