This forum is closed to new posts and responses. Individual names altered for privacy purposes. The information contained in this website is provided for informational purposes only and should not be construed as a forum for customer support requests. Any customer support requests should be directed to the official HCL customer support channels below:

HCL Software Customer Support Portal for U.S. Federal Government clients
HCL Software Customer Support Portal


Jan 27, 2016, 5:26 PM
6 Posts

X.509 client certificates and web user authentication

  • Category: Administration
  • Platform: Windows
  • Release: 9.0.1
  • Role: Administrator
  • Tags: x509,ssl,security
  • Replies: 3

Hi,

I am trying to set up a Domino web server so it ONLY authenticates users that have X.509 client certificates. However, the certificates have been issued by a third party (in this case Comodo). I have switched off all authentication methods except client certificates. However, I never get prompted in my browser to present a certificate to Domino. It just treats me as an anonymous user, so I get a 403 and get no access to anything.

I have imported the user's internet certificate into a person document. But even if I had not done that, I would at least expect to get asked to provide a certificate before Domino decided it did not like me! If it's not even asking for the certificate, there is no way it's going to be able to match me with that person document.

I cannot find any comprehensive documentation on how to do this / what should work with third-party issued certificates, so any pointers on what I am missing etc. would be welcome!

There is some old documentation that says I should use the certpub.ntf to create a database to update person documents, but even that moans that I don't have a certificate!

 

Mike
Jan 27, 2016, 6:35 PM
94 Posts
Have you added the certifier root cert that issued your client certificates to the server'...
In the SSL/TLS protocol, when the server requests a certificate from the client it passes along a list of names of trusted certifiers that it will (or might) accept. The client will then prompt for or automatically send (depending on configuration) a client certificate that was issued by one of those trusted certifiers. If the server doesn't trust your client certificates, most browsers won't even give you the option to send them.

This is a fairly simple operation when using kyrtool (example below on linux64):

[domino@paranoia notesdata]$ /opt/ibm/domino/notes/latest/linux/startup /opt/ibm/domino/notes/latest/linux/kyrtool -h


        KyrTool v1.1.2

kyrtool [=/path/to/notes.ini] command [subcommand] [flags]

Commands:
        create              Create a new keyring file
        delete              Delete a root in a keyring file
        import              Import into a keyring file
        show                Show information about a keyring or PEM file
        verify <path>         Verify the content of a PEM import file

Use 'kyrtool [command] -h' to view help for each command.

The keyring password is stored in the STH file and will be
automatically read when using an existing keyring file.

[domino@paranoia notesdata]$ /opt/ibm/domino/notes/latest/linux/startup /opt/ibm/domino/notes/latest/linux/kyrtool import -h


        KyrTool v1.1.2

Imports keys and certificates into a Domino SSL keyring file

kyrtool import all [flags]
         -i arg          Input PEM file  (Mandatory)
         -k arg          Path to keyfile (Mandatory)

kyrtool import roots [flags]
         -i arg          Input PEM file  (Mandatory)
         -k arg          Path to keyfile (Mandatory)

kyrtool import keys [flags]
         -i arg          Input PEM file  (Mandatory)
         -k arg          Path to keyfile (Mandatory)
         -n arg          Distinguished name

kyrtool import certs [flags]
         -i arg          Input PEM file  (Mandatory)
         -k arg          Path to keyfile (Mandatory)

Common 'import' flags:
         -h              Print this help message
         -v              Verbose mode; repeating increases verbosity levels

'import all' will import an RSA keypair and the server's certificate chain into the
    keyring file. The input file must contain a '-----BEGIN RSA PRIVATE KEY-----' and
    at least one '-----BEGIN CERTIFICATE-----' PEM blob.
    This operation combines the functionality of 'import keys' and 'import certs'
    without the need to correctly specify a distinguished name.
    The 'kyrtool verify file.pem' command can be used to check the file before importing.

'import roots' will import one or more certificates into the keyring file as trusted roots.
    The input file must contain one or more '-----BEGIN CERTIFICATE-----' PEM blobs.

'import keys' will import an RSA keypair into the keyring file, but requires
    the distinguished name from the leaf cert (CN=www.example.com) as input.
    The input file must contain a '-----BEGIN RSA PRIVATE KEY-----' PEM blob.
    'kyrtool show keys -i file.pem' can be used to check the file before importing.

'import certs' will import the server's certificate chain into the keyring file.
    The input file must contain one or more '-----BEGIN CERTIFICATE-----' PEM blobs.
    The certificate chain must be ordered with the leaf first and the root last.
    'kyrtool show certs -i file.pem' can be used to check the file before importing.


You would therefore use "kyrtool import roots -k <keyfile.kyr> -i <cacert.pem>" to add a new trusted root to your server keyring file.

Jan 28, 2016, 1:40 PM
6 Posts
Error 500 HTTP Web Server: IBM Notes Exception - Invalid name syntax

Hi Dave,

Thanks for that. I am now getting prompted to select a certificate. However, I now get "HTTP Web Server: IBM Notes Exception - Invalid name syntax" once I have.

I have added the certificate to the user's person document and also aliased all variations of what the subject name is (e.g. e=user@domain.com, email=user@domain.com, user@domain.com), so I'm not sure what's up.

Any ideas?

Thanks

 

Jan 28, 2016, 4:31 PM
94 Posts
Does the name in the X.509 cert contain characters not allowed in Notes names?
For example, does the name contain "/" characters inside of a name part? That is prohibited by Notes/Domino, but occasionally seen in the freakishly long names generated by some CAs.
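A small diagnostic for the "Invalid name syntax" problem discussed above, added here as an example and not code from this forum or from Domino: it parses an RFC 4514 subject string into its components, reports any component containing "/", and shows why that character is a problem, since Notes uses "/" as the separator between parts of a hierarchical name. The sample subject names are constructed.

```python
# Check an X.509 subject (RFC 4514 string form) for "/" inside a name part,
# which Notes/Domino rejects because "/" separates parts of a Notes name.

def parse_rfc4514_dn(dn: str) -> list[tuple[str, str]]:
    """Split 'CN=Jane Doe,O=Example' into (type, value) pairs.

    Honours backslash escapes and double-quoted values, so an escaped or
    quoted comma stays inside its value instead of starting a new RDN.
    Multi-valued RDNs joined with '+' are kept as one value (not split)."""
    pairs, current, in_quotes, i = [], [], False, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i + 1])          # escaped char taken literally
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes          # quotes delimit, not part of value
        elif ch == "," and not in_quotes:
            pairs.append(_split_rdn("".join(current)))
            current = []
        else:
            current.append(ch)
        i += 1
    if current:
        pairs.append(_split_rdn("".join(current)))
    return pairs


def _split_rdn(rdn: str) -> tuple[str, str]:
    attr, sep, value = rdn.partition("=")
    if not sep:
        raise ValueError(f"RDN without '=': {rdn!r}")
    return attr.strip(), value.strip()


def find_invalid_notes_parts(dn: str) -> list[tuple[str, str]]:
    """Return the components whose value contains '/' (invalid in Notes)."""
    return [(a, v) for a, v in parse_rfc4514_dn(dn) if "/" in v]


def notes_abbreviated_name(dn: str) -> str:
    """Render the CN/OU/O/C parts the way an abbreviated Notes name looks.
    With a '/' inside a part, the result is ambiguous: the reader cannot
    tell 'Dept/Unit' (one OU) from two separate OU parts."""
    parts = [v for a, v in parse_rfc4514_dn(dn) if a.upper() in ("CN", "OU", "O", "C")]
    return "/".join(parts)


# Constructed sample subjects: a clean one and one with '/' inside an OU.
CLEAN_DN = "CN=Jane Doe,OU=Sales,O=Example Corp,C=GB"
BAD_DN = "emailAddress=jane@example.com,CN=Jane Doe,OU=Dept/Unit,O=Example Corp,C=GB"
```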
