Showing posts with label Java. Show all posts

Tuesday, January 28, 2014

Domino and No trusted certificate found

We have a few agents that communicate with other systems via and today at 13:00 we got this answer from Domino when we tried to set up a connection with an external system. That was a huge problem for us since it affects our business.
 javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.j: No trusted certificate found  
  at com.ibm.jsse2.o.a(o.java:8)  
  at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:549)  
  at com.ibm.jsse2.kb.a(kb.java:355)  
  at com.ibm.jsse2.kb.a(kb.java:130)  
  at com.ibm.jsse2.lb.a(lb.java:135)  
  at com.ibm.jsse2.lb.a(lb.java:368)  
  at com.ibm.jsse2.kb.s(kb.java:442)  
  at com.ibm.jsse2.kb.a(kb.java:136)  
  at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:495)  
  at com.ibm.jsse2.SSLSocketImpl.h(SSLSocketImpl.java:223)  
  at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:724)  
  at com.ibm.jsse2.SSLSocketImpl.startHandshake(SSLSocketImpl.java:81)  
  at com.ibm.net.ssl.www2.protocol.https.c.afterConnect(c.java:8)  
  at com.ibm.net.ssl.www2.protocol.https.d.connect(d.java:20)  
It took some time to fix it, but here is a solution.

Problem

A Java application running on a Domino server connecting over SSL to another server may require having the SSL certificate authority of the other server imported into its JVM.

Symptom

When a Java application running on a Domino server connects over SSL to another server, but does not have that server's trusted root certificates, an error may occur. One example of such an error is: HTTP JVM: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.g: No trusted certificate found.

Cause

The trusted root certificates that signed the remote server's SSL certificate must also be trusted by the Domino server's JVM if a Java application is making an SSL connection.

Resolving the problem

To add the trusted root certificates to a Domino server JVM follow these steps:

A. Obtain the Certificate to be Imported

Each browser displays certificates in different ways, but they are usually quite similar. On the browser's URL bar, there is usually a zone that you can click on to display SSL certificate information. For example, you may see a padlock in the status bar, and clicking on the padlock opens the certificate information. Once the certificate information is open, click on the "Certification Path" information. There normally will be a way to export each of the signing certificates (trusted roots). Export the certifiers in the "Base-64 encoded X.509 (.CER)" format. The exported file in this format will be an ASCII text file that has "BEGIN CERTIFICATE" and "END CERTIFICATE" lines at the top and bottom. Once you have exported the certificates that signed the remote server's SSL certificate you can then import them into the JVM.

B. Import the SSL certifier into the JVM.

If Domino is on a UNIX server, perform these steps on a Windows workstation, and then move the cacerts to the server after the import is completed.
Import the SSL Certificate into the JVM using these steps:
  • Open a command line and change directory to C:\Lotus\Domino\jvm\bin.
  • Run the batch file "IKEYMAN.exe" (a Java application will load).
  • Click "Key Database File" then "Open".
  • Browse to C:\Lotus\Domino\jvm\lib\security\cacerts. Note, you will have to view "All Files" to locate cacerts.
  • Supply the default password of "changeit". Note, consult your administrator if you receive an error pertaining to the password.
  • Select "Signer Certificates" in the drop-down menu.
  • Click "Add"
  • Select "Browse" and locate the .CER file you copied.
  • Click "OK" and enter a descriptive label.
  • On the Domino console issue the command "restart task http".
Original link I found on IBM: Importing an SSL Certificate Authority into the JVM
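To confirm the import before restarting the HTTP task, the exported .CER files can be validated against a copy of the cacerts file offline. The following is an added example, not code from the original post or from IBM; the class name TrustCheck and its command-line arguments are hypothetical, and it assumes a Java 7 or later JDK on the workstation and a JKS-format cacerts.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

// Added example. Pass the server (leaf) certificate first, then its signers in order:
//   java TrustCheck <cacerts> <storepass> <leaf.cer> [signer.cer ...]
public class TrustCheck {
    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: TrustCheck <cacerts> <storepass> <leaf.cer> [signer.cer ...]");
            System.exit(2);
        }
        // Assumption: the Domino cacerts file is in JKS format.
        KeyStore trust = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            trust.load(in, args[1].toCharArray());
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> path = new ArrayList<>();
        for (int i = 2; i < args.length; i++) {
            X509Certificate cert;
            try (InputStream in = new FileInputStream(args[i])) {
                cert = (X509Certificate) cf.generateCertificate(in);
            }
            String alias = trust.getCertificateAlias(cert);
            System.out.printf("%s%n  subject: %s%n  issuer:  %s%n  expires: %s%n  alias:   %s%n",
                    args[i], cert.getSubjectX500Principal(), cert.getIssuerX500Principal(),
                    cert.getNotAfter(), alias == null ? "(not in truststore)" : alias);
            // A certificate already in the truststore is an anchor, not part of the path.
            if (alias == null) path.add(cert);
        }
        if (path.isEmpty()) {
            System.out.println("RESULT: every supplied certificate is already in the truststore");
            return;
        }
        PKIXParameters params = new PKIXParameters(trust);
        params.setRevocationEnabled(false); // no CRL/OCSP lookups, so the check runs offline
        try {
            CertPathValidator.getInstance("PKIX").validate(cf.generateCertPath(path), params);
            System.out.println("RESULT: chain validates against " + args[0]);
        } catch (CertPathValidatorException e) {
            System.out.println("RESULT: NOT trusted: " + e.getMessage()
                    + " (certificate index " + e.getIndex() + ")");
        }
    }
}
```

A "NOT trusted" result after the import usually means an intermediate or root from the Certification Path was not exported, or that one of the certificates in the chain has expired.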

Related topics:
IBM Domino Java: No trusted certificate found. Fail?
Domino and No trusted certificate found
Disabling certificate validation in Java

Thursday, October 03, 2013

IBM Designer Java Console effect?

I've run into some interesting problems. I'm doing an integration between MailChimp and a Domino application. The MailChimp service has a very good API, so it was not a huge problem to push/poll data to/from it, and we have already implemented a solution based on Java. The fun started when I tried to do the LS2J part. My first request to a Java method came up with this dialog.
That error does not happen if I enable the Java Console in IBM Domino Designer. When the Console is up, everything works perfectly; otherwise I get this error:
LS2J Error: Threw java.lang.SecurityException: not allowed to access members in class interface java.util.Map
I can't explain how the Java Console affects my security level, however it definitely does. I think it possibly grants users more access when it is running, and maybe there is an explanation why. Can any of you explain that?

Thursday, August 08, 2013

Java as backend for web applications based on Domino

Is it enough to use only Java?

Yes. Our newly created applications have been written only for the web and we did all the back-end with Java only (the only exception is selection for Views). No, we do not miss @Formula, Lotus Script or SSJS; we simply do not need those languages in our daily work. Java is better than LS/SSJS for us. You can develop much better/faster using Java and get all the candies: open source, forums, stackoverflow, or even shift at some point to Java completely if it makes sense for you. However, as I mentioned in my main posts, we still had some problems while working with Java. The solution isn't really perfect, so let me explain all the weaknesses we have right now.
  • Domino has 2 Java runtimes (huge pain for us): one is for xPages and another one for Java Libraries+Agents. Java Libraries can be reused in xPages, but in the other direction JAVA/JAR are not accessible from Libraries/Agents. Our Java libraries are core for xPages, which means we have to build a JAR from them and include it for xPages. It takes time and we really do not like that; it simply looks wrong. The solution is to put the JAR on the Domino OS, however we are limited in access to Domino's OS. Due to that fact we have one serious disadvantage: the JAR files that we attached to Libraries and Agents have to be extracted and loaded into memory each time we run agents.
  • We are forced to use IBM Designer (and a few of us would like to work in a different IDE). As I mentioned, we work via GitHub and it takes some time to build the project (developer -> github -> jenkins -> domino). That's not a problem for FE, as they can do their tasks locally and after all just commit changes. The BE part is located on the server, so if we work without IBM Designer we have to wait 1-2 mins till changes get to it and only then can we do our tests. That's sad.

Does it mean @formula, Lotus Script, SSJS are not required to know?

Those languages are still an important part of our 'old applications'. It will take years to completely re-write them for the web, and there should be a reason to do that, as it costs time/money. The @formula language is still the only way to make a selection in Notes Views.

Pros
  • open source;
  • problems resolving (forums, community);
  • more abilities;
  • in case of migration to java platform, easy migration;
Cons
  • 2 Java Runtimes
  • ...

Summary

We are happy with what we have so far. We still have problems in terms of how to set up our development process. We will continue to look for a perfect solution for our problems.

Other articles in this series

  1. How we build our web applications based on Domino
  2. Split back-end and front-end areas, they should not block each other and be independent as much as it is possible.
  3. Front-end guys should not have any knowledge about Domino, they don't need IBM Designer installed at all.
  4. Back-end guys must have knowledge about Domino, however they don't need to use IBM Designer, only in very rare cases. Backend should be done using only Java (no LS/SSJS/@Formula etc)
  5. Using Git+Jira is must and Jenkins server as builder server
  6. Auto-tests.

Monday, August 05, 2013

How we build our web applications based on Domino

Intro

I've been working with Domino for many years (however quite possibly less than many of you :-), I started to work with version 5 at the beginning and in a few months we migrated to 6.X). I worked in a few companies with absolutely different projects and development processes. There were a lot of 'hell projects' (without any structure inside, just a mess) and a few really 'cool projects' where I could learn something. I always tried to bring the best of the old projects into new ones. Now I'd like to describe how we develop applications in Domino today. There is no revolution in our approach, however I believe it is quite a good one. The only required thing in that process: you must have the time and desire to change the process.
Time to improve

Team and projects

We are a small and quite typical team: a few back-end and front-end developers, a manager and no QA as we do not make mistakes :). We roll out every 2 weeks with new features. We are developing a CMS that manages the external websites of our company.

Few very important points about websites we are doing here:
  • website's pages have to load extremely fast (means 200-400 ms to load page);
  • clean HTML, all (!) tags, attributes, javascripts should be controlled;
  • easy roll out from development environment to production environment without any interrupt for users.

Process of development

Now let's look at the most important points of the development process. I'll describe each point in more depth in upcoming posts this week. Possibly I will add more points during that time, let's see.
  1. Split back-end and front-end areas, they should not block each other and be independent as much as it is possible.
  2. Front-end guys should not have any knowledge about Domino, they don't need IBM Designer installed at all.
  3. Back-end guys must have knowledge about Domino, however they don't need to use IBM Designer, only in very rare cases. Backend should be done using only Java (no LS/SSJS/@Formula etc)
  4. Using Git+Jira is must and Jenkins server as builder server
  5. Auto-tests.
We've done almost all of the list; some areas require some improvements, however the concept works and now it's only a question of time. All front-end developers do not use IBM Designer in their daily job, back-end developers still use it (rarely), everything goes to GitHub, and then Jenkins takes care of the rest. This image illustrates what we have.
Domino development process overview
You are welcome to give your comments, ideas, suggestions or something negative about that; everything can help and improve our process. Wait for new posts soon :)


Friday, July 12, 2013

Replacement for DSAPI in Java/XPages

I've written a few articles about how DSAPI could help you to control a classic web application built on Domino. That solution worked perfectly for us and the difficulties I encountered were:
  • slower development process due to my skill in C;
  • poor documentation about how things work in DSAPI (probably the weakest side for me);
  • deployment process (you need to create a new DLL each time and upload it to the Domino server, then restart HTTP);
  • you have to be 'very-very' careful with everything, one mistake (i.e. a memory leak somewhere) can crash the server at some point;

In the last months we worked on a new Web CMS based on Java/Velocity in Domino and the result, I must say, was really great. I will make a post about the most interesting things later: the topic will be about java, html/templates, velocity, git, jenkins, jira and how it all works together. I would call it a pure Java approach to development in Domino. The beauty of using Java as the engine is that it allows us to get rid of DSAPI. So everything that had been done with DSAPI (and in total I spent maybe 2-3 weeks) we replaced in 2-3 hours with Java.

case #1: Re-write URL from http://domain/page/subpage/ to http://domain/page/subpage with 301 status. We simply set new location in header and new status
  getResponse().setStatus(MOVED_PERMANENTLY_STATUS);
  getResponse().setHeader(LOCATION_HEADER, uri);
case #2: 404/500 etc error pages we only set correct status for response + throw out required content
  getResponse().setStatus(DEFAULT_ERROR_STATUS);

So my feeling about DSAPI is actually quite good, however be sure you know how to cook it, otherwise don't go with that solution. Remember my example: I've spent weeks doing DSAPI via C and now we did exactly the same in a few hours. That feeling when I compare what I spent with DSAPI (via C) to the new solution with Java: 100 hours against 3.


Related topics
DSAPI for Domino
Rewriting URL in Domino using DSAPI
Solution for Lotus Domino to the trailing slash problem

Tuesday, October 09, 2012

What is comfort zone for Domino developers our days?

Lotus Script is no longer in my 'comfort zone'; Java/JavaScript is. That's actually it. We already moved all (well, 90%) of the backend to Java. Now Lotus Script serves only to provide validation/picklist/msgbox on forms/views for existing 'classic' applications. Now we are slowly moving everything to the web and I like that.

We are aiming in a few years to let our users un-install LN and simply use browsers, and that would be perfect. By that time we should not have even 1 line of LS or @Formula.

Monday, June 18, 2012

Content Is Not Allowed In Prolog

Got this issue in the morning. We have a service that "aggregates" data from multiple RSS feeds into 1 RSS. The issue appeared because for one of the RSS feeds we enabled the encode option [encode UTF-8] rather than [encode UTF-8 without BOM]:
encode in UTF-8
encode in UTF-8 without BOM.
Our Java parser does not understand this BOM (byte order mark), so we just switched to the one without the BOM. I ran tests using this online tool and it worked just as I expected: XMLValidator
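When the feed encoding cannot be changed at the source, the aggregator can tolerate the BOM itself. The following is an added example, not the service's own code; it assumes each feed is decoded to a String before parsing, which is where a UTF-8 BOM survives as a leading U+FEFF character, and the class name, method names and sample feed are constructed for illustration.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class BomSafeFeedParser {
    /** Drops one leading U+FEFF, which is what a UTF-8 BOM (EF BB BF) becomes after decoding. */
    static String stripBom(String text) {
        return text.startsWith("\uFEFF") ? text.substring(1) : text;
    }

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Assumption: feeds are third-party input, so DOCTYPE declarations are refused.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        DocumentBuilder db = dbf.newDocumentBuilder();
        return db.parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a minimal RSS document preceded by a BOM character.
        String feed = "\uFEFF<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
                + "<rss version=\"2.0\"><channel><title>Sample feed</title></channel></rss>";
        try {
            parse(feed);
            System.out.println("with BOM: parsed (this parser tolerates it)");
        } catch (SAXParseException e) {
            // Typically reported as "Content is not allowed in prolog."
            System.out.println("with BOM: " + e.getMessage());
        }
        Document doc = parse(stripBom(feed));
        System.out.println("without BOM: root element <"
                + doc.getDocumentElement().getNodeName() + ">");
    }
}
```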

Monday, December 12, 2011

Using Velocity in Domino

We are using the Velocity framework to solve our task with HTML templates, and when we started to work with Velocity we ran into the problem below:
java.util.MissingResourceException: Can't find resource for bundle java.util.PropertyResourceBundle, key member_access_not_allowed
  at java.util.MissingResourceException.<init>(MissingResourceException.java:50)
  at java.util.ResourceBundle.getObject(ResourceBundle.java:400)
  at java.util.ResourceBundle.getString(ResourceBundle.java:421)
  at lotus.notes.JavaString.getFormattedString(Unknown Source)
  at lotus.notes.AgentSecurityManager.checkMemberAccess(Unknown Source)
  at java.lang.Class.checkMemberAccess(Class.java:112)
  at java.lang.Class.getDeclaredMethods(Class.java:675)
  at org.apache.velocity.util.introspection.ClassMap.populateMethodCacheWith(ClassMap.java:167)
We found the issue in Velocity's source (well, it is an issue only for Domino):
org.apache.velocity.util.introspection.ClassMap.populateMethodCacheWith(MethodCache, Class)
We had to change that line to get only public methods rather than all declared ones, as the latter requires more access than Domino gives by default (we are not able to get all private methods in Domino for security reasons), so we just changed getDeclaredMethods to getMethods and the problem was gone.

Monday, June 27, 2011

IBM Domino Java: No trusted certificate found. Fail?

I've faced quite a major problem when using IBM Java (the one from Domino 8.5.2 FP2). Our Domino grabs data from some webservices via 'https' (the webservice does not have authentication, it's free to everybody). Using a simple Java Agent in Domino we grabbed data and were very happy :), here are a few lines of what we do
 import java.io.OutputStream;
 import java.net.URL;
 import java.net.URLConnection;
 import javax.net.ssl.HttpsURLConnection;

 // msg: the request body String, defined elsewhere in the agent (not shown in the post)
 URL url = new URL("https://here url");
 URLConnection connection = url.openConnection();
 HttpsURLConnection httpConn = (HttpsURLConnection) connection;
 httpConn.setRequestMethod("POST");
 httpConn.setDoOutput(true);
 httpConn.setDoInput(true);
 byte[] bytes = msg.getBytes("UTF-8");
 httpConn.setRequestProperty("Content-length", String.valueOf(bytes.length));
 OutputStream out = httpConn.getOutputStream(); // and on this line we now have an error: "no trusted certificate found"
It worked fine for years, but their (the webservice provider's) certificate expired and they generated a new one using the same official CA. After they did it, Domino refused to use the new certificate and we can't grab data from Domino anymore.

We did some tests and noticed that a non-Domino JVM works just fine (we did tests in Eclipse with Oracle's JVM) with exactly the same code.

Of course we tried many more things, i.e.: we tried to add the new certificate to the cacerts storage in Domino and it did not work, we also tried to replace cacerts on Domino with the one from the Oracle JVM, and a lot more things without any luck. Also, when we tried to add the new cert to cacerts in Domino, it started to report another issue: certificate chaining error.

Maybe Domino or Domino's JVM has a problem/issue, or we need to do something we just do not know about. It would be nice to get more details about it because we are stuck now. Does anybody know why we get this problem and whether it is really a problem in IBM Java?
There is also a post on IBM with exactly the same problem with untrusted certificates.
It would be nice if somebody shared their suggestions/opinions.


Friday, September 10, 2010

Need to zip file with password in Lotus Notes?

I have a task where we need to compress and protect attachments and some log files. I did not look in the Lotus Script area at all (as I'm sure it would not be possible, or too difficult, to do such a thing). So I started to look for free RAR/ZIP Java libraries that would have what I need (compression and password).
I was a bit surprised: RAR does not have such an API at all, while ZIP already has a built-in Domino library that allows us to zip files but... not to set a password (at least I did not find it).

So after a couple of minutes in Google I found only one free Java library that could zip files with a password: http://code.google.com/p/winzipaes/
There were no problems during implementation; the library is well described.
Java, Java and Java :)