OK I understand. It wasn't clear why you want it.
This is the only use case, I could think of.
But how would you make the TLS Credentials (new term in V12 for the private key + certificate and chain) selectable? There is no configuration option on server side and it looks like you would need it configurable in the application?
Ref. CS0192135
Hi Daniel, Thanks for your comments.
I may not understand you correctly, but in this case we include the certificate in the kyr file, not just trusted roots.
In many cases we can exchange trust between us and the provider as you describe, but unfortunately not with everyone.
Services we communicate with require login with a certificate. Before calling, we set the property "setSSLOptions(PortTypeBase.NOTES_SSL_SEND_CLIENT_CERT)".
In the best of worlds, the other party should trust the issuer of our certificate, but unfortunately some authorities require a certain type of certificate and other service providers other types of certificates. As it is now, when exchange of trust is not possible, we are forced to use different servers depending on the certificate to be used.
Our application communicates with a large number of services via SOAP web services, both as a consumer and provider. All communication is server-based and secured with certificates and certificates are used for login.
The kyr file in this case should only contain the trusted roots -- not the key.
It's a client operation -- right?
So what exactly do you need? Different trusted roots?
Why can't you put all trusted roots into a single kyr file?
Can you explain exactly what the issue is?
I would put the trusted roots into Domino Directory and pull them from there.
Would this help? Or is there anything specific that would be needed? Do you have the requirement to have separate root certs defined for separate targets?
For example the new HTTP Request uses the cacerts.pem in the data directory, which cannot be changed today as well. But you can customize the file and add/remove root certs.
[Daniel Nashed / HCL Ambassador]
We use SOAP web services to communicate with many Government functions, and as the guest comment says we need to communicate with different parties that require different certificates. Now we can only run one certificate per Domino server.
If the server communicates with several different parties that require different certificates, then it would be good to be able to choose in the code which certificate you want to connect with.
Can you please explain a little more on why the *.kyr file defined in the server document does not fit your needs?