Using custom client certificates on Domino? Attention!

Friday, January 29, 2021 at 9:33 AM UTC

I have a customer who uses our Aveedo platform for a banking application. This application utilizes a REST service of a nationwide service provider for banks. To use these services you need to use a client certificate. Usually this client certificate is issued individually for each single bank.

Our app has Java code that does the HTTPS calls to the REST endpoints of the service provider to gain an initial access token etc.

To make this work we had to import this client certificate to the cacerts file. I did this on the development machine I use (9.0.1FP10) using IKEYMAN. This little tool is not available anymore with version 11 as IKEYMAN was an exclusive IBM tool. With Domino now being 100% HCL this tool is replaced with the generic "keytool" which comes with any Java runtime.

I used a 3rd-party keystore manager as I didn't want to type these awfully long commands in the command line terminal (Windows).

Anyhow, this does not seem to work anymore with 11 in general. I set up a fresh machine for my customer on Windows, using version 11.0.1, and added FP2 etc. I repeated all the steps with the certificate - and my application stopped working. This was the first time I encountered this problem.

After dabbling around for several hours now I could not get it running. I even used my original cacerts from my development machine (still 9.0.1 and running fine) on the new machine - no luck.

My final test was cloning my VM where I run my 9.0.1 dev server and then upgrading it to 11.0.1 (I didn't even install FP2) and guess what: nothing works anymore. So I have now opened a case (CS0202030), and my customer and I are looking forward to a solution. I'll keep you posted...

Latest comments to this post

Bob Yesenskiy wrote on 29.01.2021, 20:39

Let me know if you find a solution. I'm having a similar problem with a Java agent on Domino 11.
