#dominoforever | Product Ideas Portal

 

Choose which kyr-file to use when running a webserver consumer from an agent.

Make it possible to set which keyfile.kyr to use when a web service consumer is run from an agent.

  • Guest
  • Dec 17 2020
  • Likely to implement
  • Guest commented
    24 Jan 08:52pm

    OK I understand. It wasn't clear why you want it.

    This is the only use case I could think of.


    But how would you make the TLS Credentials (new term in V12 for the private key + certificate and chain) selectable? There is no configuration option on server side and it looks like you would need it configurable in the application?

  • Admin
    Thomas Hampel commented
    19 Jan 04:17pm

    Ref. CS0192135

  • Guest commented
    18 Jan 11:31am

    Hi Daniel, Thanks for your comments.

    I may not understand you correctly, but in this case we include the certificate in the kyr-file, not just trusted roots.

    In many cases we can exchange trust between us and the provider as you describe, but unfortunately not with everyone.

    Services we communicate with require login with a certificate. Before calling, we set the property "setSSLOptions(PortTypeBase.NOTES_SSL_SEND_CLIENT_CERT)".

    In the best of worlds, the other party should trust the issuer of our certificate, but unfortunately some authorities require a certain type of certificate and other service providers other types of certificates. As it is now, when exchange of trust is not possible, we are forced to use different servers depending on the certificate to be used.

    Our application communicates with a large number of services via SOAP web services, both as a consumer and provider. All communication is server-based and secured with certificates, and certificates are used for login.

  • Guest commented
    18 Jan 10:24am

    The kyr file in this case should only contain the trusted roots -- not the key.

    It's a client operation -- right?

    So what exactly do you need? Different trusted roots?

    Why can't you put all trusted roots into a single kyr file?

    Can you explain exactly what the issue is?

    I would put the trusted roots into Domino Directory and pull them from there.

    Would this help? Or is there anything specific that would be needed? Do you have the requirement to have separate root certs defined for separate targets?

    For example the new HTTP Request uses the cacerts.pem in the data directory, which cannot be changed today as well. But you can customize the file and add/remove root certs.

    [Daniel Nashed / HCL Ambassador]

  • Guest commented
    18 Jan 08:55am

    We use SOAP web services to communicate with many Government functions, and as the guest comment says we need to communicate with different parties that require different certificates. Now we can only run one certificate per Domino server.

  • Guest commented
    18 Jan 08:35am

    If the server communicates with several different parties that require different certificates, then it would be good to be able to choose in the code which certificate you want to connect with.

  • Admin
    Thomas Hampel commented
    18 Jan 08:10am

    Can you please explain a little more on why the *.kyr file defined in the server document does not fit your needs?