This forum is closed to new posts and responses. Individual names altered for privacy purposes. The information contained in this website is provided for informational purposes only and should not be construed as a forum for customer support requests. Any customer support requests should be directed to the official HCL customer support channels below:

HCL Software Customer Support Portal for U.S. Federal Government clients
HCL Software Customer Support Portal


May 29, 2013, 3:24 PM
39 Posts
Resolved

Embedded experiences SSL issue

  • Category: Administration
  • Platform: All Platforms
  • Release: 9.0
  • Role: Administrator
  • Tags:
  • Replies: 1

We have a problem with SSL and Locked Domain Suffix when configuring Embedded experiences.

I follow the guide SHOW 110.pdf, which suggests *-locked.gadgets.company.se

This is totally OK if you are not using SSL. We have purchased a wildcard SSL certificate that covers *.company.se, and we want to use this one.

Social Edition generates a URL like this (depending on how you set it up):

XXXYYZZZ-locked.gadgets.company.se

The client will not accept this with our SSL certificate. That means that we have to buy this SSL certificate:

*.gadgets.company.se

and have a Domino server that uses this certificate instead of the default one (*.company.se) that we use as the default on all servers.

Is that really needed? Can we work around it and still use SSL?

It all comes down to the CNAME and DNS.

From my DNS provider I can get this one:

*.gadgets.company.se CNAME ourshindigserver.company.se

But this one is not possible:

*-locked.company.se CNAME ourshindigserver.company.se

that is <wildcard><hyphen>locked.company.se

May 30, 2013, 9:23 PM
34 Posts
RE: Embedded experiences SSL issue
Hi Anders,

First and foremost, I want to point you to the Deployment Cookbook, which provides far more details than the SHOW110 session did.  http://www-10.lotus.com/ldd/dominowiki.nsf/dx/IBM_Domino_9.0_Social_Edition_OpenSocial_Deployment_Cookbook

For the benefit of others who may read this thread, the reason your wildcard SSL certificate for *.company.se did not work for *-locked.gadgets.company.se is because of the way SSL certificate matching works.  Matches are only valid for a single domain component or component fragment.  See the fourth paragraph of http://www.ietf.org/rfc/rfc2818 for more information.

To get to your actual question, you have 3 options moving forward.

1) Obtain a wildcard SSL cert for your locked domain, i.e., *.gadgets.company.se

From a security standpoint this is the ideal option.  From a practical standpoint this may not be an option if cost is prohibitive.  If this is not an option, consider #2 and #3 below carefully.

2) Disable HTTPS for gadgets

One can disable HTTPS for all OpenSocial gadgets by following the instructions here: http://www-10.lotus.com/ldd/dominowiki.nsf/dx/Server-centric_settings_OSC90#Gadget+iframe+Scheme

One can set the scheme to always be HTTP.  Browsers may complain about this if the parent page is using HTTPS but the gadgets in a child iframe are using HTTP.  Depending on the browser being used and the way it handles the scheme mismatch, this option too may be prohibitive.  If that is the case, consider #3 very, very carefully.

3) Disable locked domains

This is the last option and should only be used if #1 and #2 aren't feasible for some reason.  This option is outlined in more detail here: http://www-10.lotus.com/ldd/dominowiki.nsf/dx/Server-centric_settings_OSC90#Locked+Domains

In a development or proof of concept environment, this option is OK.  In a production environment, this needs to be considered very carefully from a security perspective.

-Stanton
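Added example, not from either post nor from IBM/HCL: a small Python matcher implementing the RFC 2818 section 3.1 wildcard rule Stanton cites (a `*` never spans a dot), run against the hostnames from the question. The "XXXYYZZZ" locked prefix and ourshindigserver.company.se are taken from the question as-is; the helper names are my own.

```python
import re


def cert_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 2818 section 3.1 matching: a '*' in a certificate name matches
    characters within a single domain label only. So *.a.com matches
    foo.a.com but not bar.foo.a.com, and f*.com matches foo.com.
    Comparison is case-insensitive; trailing dots are ignored."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    # Different label counts can never match: a wildcard cannot absorb a dot.
    if len(p_labels) != len(h_labels):
        return False
    for p_label, h_label in zip(p_labels, h_labels):
        if "*" not in p_label:
            if p_label != h_label:
                return False
            continue
        # Turn the wildcard label into a regex that cannot cross a label
        # boundary: each '*' becomes [^.]* and literal text is escaped.
        regex = "^" + "[^.]*".join(re.escape(part) for part in p_label.split("*")) + "$"
        if not re.match(regex, h_label):
            return False
    return True


# Hostnames from the question (XXXYYZZZ is the placeholder the post uses for
# the generated locked-domain prefix).
LOCKED_GADGET_HOST = "XXXYYZZZ-locked.gadgets.company.se"
SHINDIG_HOST = "ourshindigserver.company.se"


def evaluate_certificates() -> dict:
    """Which certificate from the thread covers which hostname."""
    return {
        # The purchased *.company.se cert covers the Shindig host itself ...
        "company_wildcard_covers_shindig": cert_name_matches("*.company.se", SHINDIG_HOST),
        # ... but not the locked gadget host, which has one extra label.
        "company_wildcard_covers_locked": cert_name_matches("*.company.se", LOCKED_GADGET_HOST),
        # Option 1 from the reply: a wildcard for the locked domain does cover it.
        "gadgets_wildcard_covers_locked": cert_name_matches("*.gadgets.company.se", LOCKED_GADGET_HOST),
    }


if __name__ == "__main__":
    for name, ok in evaluate_certificates().items():
        print(f"{name}: {ok}")
```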
