Consuming Web Services over a self-certified HTTPS web server

Every now and then I take a look to Web Service implementation in Domino Designer, especially since  Designer allows us to develop Web Service Providers using LotusScript or Java.

I don't know if Web Services are or will be successfully, but for sure I like the big picture surrounding them.

Some times ago I tried to consume a Web Service from Jajah voip company: first I tried using LS, but later I had to use Java to overcome LS limitations about name length limits.

Unfortunately even with Java I found problems because the Web Service had to be consumed over a SSL channel (HTTPS) but the remote web server certificate was a self-certified one, so my script simply crashed because the certificate was not trustable... I could not find an easy way to trust/import the that web server certificate.

I gave up with it and decided to use MS Soap client via COM object in a LS agent, successfully. Shame... ;-)

Today I tried for the first time to have a look back to the subject, so on VMware box I installed a brand-new Domino 8.5.1 server with a running self-certified web server certificate.
After that, I published a "calculator" Web Service with just a SUM() function available, just using a LS class.

On the "client" side, I used Designer 8.5.1 to consume that "remote" web service:
  1. I created a Web Service consumer choosing Java as programming language and specifying the remote WSDL file via a HTTPS url
  2. I also created a Java agent and imported the previous Java classes generated by the Web Service Consumer procedure, just to run a remote SUM function

When I tried step 1 to retrieve the WSDL file of the remote web server, I was surprised to see a pop-up window asking me to cross-certify the Internet certificate!

Of course I accepted to cross-certify it and run the client Java agent to consume the remote Web Service via https. I worked!

Ok, I decided to have a look inside the local names.nsf, inside the Certificates view and I could find the following entry:

Well, I decided to remove the certificate and run my Web Service consumer again: as expected, I got the following error on my Designer Java console:
 faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.generalException
 faultString: Error connecting to 'ced75temp.ciemme.loc' on port '443', SSL invalid certificate, may need to cross-certify.

Error connecting to 'ced75temp.ciemme.loc' on port '443', SSL invalid certificate, may need to cross-certify.
    at lotus.domino.axis.InternalFault.makeFault(Unknown Source)
    at lotus.domino.axis.transport.http.HTTPSender.invoke(Unknown Source) .......

Well, I decided to make another test:
  • I removed the certificate from the local names.nsf
  • I run the wizard to import the Web Service WSDL file and try to force the Designer to show (once again) the Internet cross-certificate pop-up window
No way, the pop-up window did not show again and the Java agent did not run successfully!

So, how to "manually" cross-certifiy an Internet certificate?

After some googling I find out the IBM following page and followed instructions from paragraph "From an Internet server": finally I could successfully  run my client Java agent consuming the remote Web Service.

Follow what I did in the following screen shots




Have fun and let me know if it's working for you too.

1 comment:

The Big said...

Hi, I have a problem with a Web Service under https that is going to drive me crazy.

The scenario is:
Web Service under https on port 8080 and username and password (but this will be a problem in the future).
The WS is developed with .NET :(
The certificate is a self certificate from the company that created the WS.
There aren't firewalls, proxies active on my server and client and the same is true for the server that publish the WS.
My platform is Domino Server and Client 8.5.1.

First of all I tried to create a Web Service consumer resource and import the WSDL, I'm asked to cross certify (like described in your article) and then I tried to import the WSDL again. No way to do this, I obtain the following error "The requested operation failed: com.ibm.jsse2.util.g: No trusted certificate found" but the certificate WAS in my PAB.

I tried to import manually the certificate (with Import internet certificate) and I obtained the same result.

I tried the procedure suggested in this article but the result was the same.

The shameful thing is that if I request the WSDL through the browser, after accepting the certificate, I'm able to see it in no time at all.

So, it seems to me that something is very wrong with the certificate or with Domino 8.5.1. (I tend to believe the first one because yesterday I tried another WS on Https and it worked smoothly) but I can't pinpoint what it is. Any suggestion will be VERY appreciated.

Alessandro Bignami
Domino Developer at ZEL S.r.L.