Monday, June 27, 2011

IBM Domino Java: No trusted certificate found. Fail?

I've faced quite a major problem when using IBM Java (the one from Domino 8.5.2 FP2). Our Domino grabs data from some web services via 'https' (the web service does not have authentication; it's free to everybody). Using a simple Java Agent in Domino we grabbed data and were very happy :), here are a few lines of what we do
 import java.io.OutputStream;  
 import java.net.URL;  
 import java.net.URLConnection;  
 import javax.net.ssl.HttpsURLConnection;  
 String msg = "<request body>"; // placeholder: the request body is not shown in the original post  
 URL url = new URL("https://here url");  
 URLConnection connection = url.openConnection();  
 HttpsURLConnection httpConn = (HttpsURLConnection) connection;  
 httpConn.setDoOutput(true); // required before a request body can be written  
 byte[] bytes = msg.getBytes("UTF-8");  
 httpConn.setRequestProperty("Content-length", String.valueOf(bytes.length));  
 OutputStream out = httpConn.getOutputStream(); // and on this line we now have an error: "no trusted certificate found"  
It worked fine for years but their (the web service provider's) certificate expired and they generated a new one using the same official CA. After they did that, Domino refused to use the new certificate and we can't grab data from Domino anymore.

We did some tests and noticed that a non-Domino JVM works just fine (we did tests in Eclipse with Oracle's JVM) with exactly the same code.

Of course we tried many more things, i.e.: we tried to add the new certificate to the cacerts store in Domino and it did not work, we also tried to replace cacerts on Domino with the one from Oracle's JVM, and lots of other things without any luck. Also, when we tried to add the new cert to cacerts in Domino it started to report another issue: certificate chaining error.

Maybe Domino or Domino's JVM has a problem/issue, or we need to do something we just do not know about. It would be nice to get more details about it because we are stuck now; does anybody know why we get this problem and whether it is really a problem in IBM Java?
There is also a post on IBM with exactly the same problem with untrusted certificates.
It would be nice if somebody shared their suggestions/opinions.

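A diagnostic for the two symptoms in the post ("no trusted certificate found" and "certificate chaining error"), added here as an example; it is not code from the original post or from IBM. It wraps the JVM's default trust manager so the chain the server actually sends is printed next to the normal validation result, without accepting untrusted certificates the way a trust-all socket factory would. The class name ChainCheck is hypothetical and the URL is assumed to be the first command-line argument.

```java
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

// Hypothetical diagnostic (not from the original post): records the chain the server sends
// and still runs the JVM's normal validation, unlike a trust-all socket factory.
public class ChainCheck {
    static X509Certificate[] served; // chain received from the server, set by the wrapper
    static X509TrustManager defaultTrustManager() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null = this JVM's own cacerts
        for (TrustManager tm : tmf.getTrustManagers())
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        throw new IllegalStateException("no X509TrustManager available");
    }

    public static void main(String[] args) throws Exception {
        final X509TrustManager real = defaultTrustManager();
        X509TrustManager recording = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException { real.checkClientTrusted(c, a); }
            public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException {
                served = c;                   // remember what was sent, then validate as usual
                real.checkServerTrusted(c, a);
            }
            public X509Certificate[] getAcceptedIssuers() { return real.getAcceptedIssuers(); }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { recording }, null);
        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[0]).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        try {
            System.out.println("HTTP " + conn.getResponseCode() + ": chain validated against the JVM trust store");
        } catch (SSLException e) {
            System.out.println("TLS handshake failed: " + e.getMessage());
        }
        if (served == null) { System.out.println("no certificate chain received"); return; }
        for (int i = 0; i < served.length; i++)
            System.out.println("[" + i + "] subject=" + served[i].getSubjectX500Principal()
                + " issuer=" + served[i].getIssuerX500Principal() + " notAfter=" + served[i].getNotAfter());
        // If the issuer of the last certificate sent is not a root in cacerts, the server is most
        // likely not sending its intermediate certificate (the "certificate chaining error" symptom).
        X509Certificate last = served[served.length - 1];
        boolean rootKnown = false;
        for (X509Certificate root : real.getAcceptedIssuers())
            if (root.getSubjectX500Principal().equals(last.getIssuerX500Principal())) rootKnown = true;
        System.out.println("issuer of last sent certificate present in trust store: " + rootKnown);
    }
}
```

Running it once with the Domino JVM and once with Oracle's JVM shows whether the difference is in the chain the server sends or in the roots each cacerts holds.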


Anonymous said...

probably nothing, but what was the key strength of the old cert vs the new one? Was the old one 1024 and the new one 2048?

Mark Leusink said...

Depending on the security requirements of your application, you might try a solution that accepts all SSL certificates, regardless of the CA.

I've used that solution in the past using the EasySSLProtocolSocketFactory class from the Apache Commons project.


Don said...

We had exactly the same problem with a site (certificate chaining error). Eventually we found out that the installation of the new SSL-certificate was not correct on the webserver that we tried to connect to. Reinstalling it on their server fixed the problem.

NotesSensei said...

Eventually this sample helps:

It uses, like Mark and Don suggested, the trusting SSL type.