
I try to connect to a Domino Server with a remote Java application started from Eclipse. The Domino Server allows SSL connections only.

I try to get the session with the following code.

String[] arg = new String[1];
arg[0] = "-ORBEnableSSLSecurity";
String IOR = NotesFactory.getIOR(DOMINO_SERVER);
session = NotesFactory.createSessionWithIOR(IOR);

I get the following error message:

Could not get IOR from Domino Server: http:///diiop_ior.txt

I also checked if the URL works in a browser. If I put the URL in a browser I get the correct response from the server.

The TrustedCert.class from the Domino server is included in my Eclipse project.

Here are some configuration details from the "diiopcfg.txt":

  • TCP Port: 0 Disabled
  • SSL Port: 63149 Enabled
  • Site TCP Name/Password Allowed: True
  • Site TCP Anonymous Allowed: False
  • Site SSL Name/Password Allowed: True
  • Site SSL Anonymous Allowed: False
  • Site Multi-Server Session Authentication: Disabled

[Update]

Enabled TCP Port 63148, now I get a session but cannot open a database. Error message: NotesException: Database open failed (). Only when I access the port directly do I get a session object.

[Update 2]

Get the session now. Can't open the database. Error message: NotesException: Database ... has not been opened yet. If I use the "open" method of the Database object => Error message: Database open failed()

Database db = session.getDatabase(DOMINO_SERVER, DOMINO_DATABASE);
db.open();

ACL is correct, Maximum internet name and password = Reader

Any idea why the database could not be opened? Tried another database with the same result.

2 Answers

Try the following to connect to SSL.

String args[] = new String[1]; 
args[0] = "-ORBEnableSSLSecurity"; 
Session s = NotesFactory.createSession(host, args, user, pwd); 

Another method to connect:

String args[] = new String[1];
args[0] = "-HTTPEnableSSLSecurity";
String ior = NotesFactory.getIOR(host,args);
s = NotesFactory.createSessionWithIOR(ior, user, pwd);

The variable host should just be the host name and nothing else. Your diiop_ior.txt needs to be visible on SSL though (so check that first).

Alternatively you can try accessing the port 63148 directly. For example.

s = NotesFactory.createSession( "server:63148", user, pwd);

But this can move depending on server configuration.

Lastly you can pull the DIIOP_IOR.txt and use it directly. Same issue as previous alternative though.

Simon O'Doherty
  • Thanks for your quick response. I tried that before. Same error. Could not get IOR from Domino Server: http:///diiop_ior.txt. If I try the http-URL in the browser, it redirects to https ... and I get the diiop_ior.txt. – Michael Schlömp Nov 18 '13 at 08:32
  • added another option. – Simon O'Doherty Nov 18 '13 at 08:34
  • Your added option brings the following error message: Could not get IOR from Domino Server: {0} What do you mean by "try accessing the port 63148 directly"? – Michael Schlömp Nov 18 '13 at 08:41
  • Posted sample of direct connect. – Simon O'Doherty Nov 18 '13 at 08:45
  • Accessing the port 63148 directly brings the same error message: Could not get IOR from Domino Server: {0} Not using the "getIOR" method brings the error message: Could not get IOR from Domino Server: http://:63148/diiop_ior.txt – Michael Schlömp Nov 18 '13 at 08:49
  • Trying the URL "http://:63148/diiop_ior.txt" in a browser does not bring the diiop_ior.txt. Is there a configuration problem? – Michael Schlömp Nov 18 '13 at 09:09
  • 63148 is the IIOP port, not where diiop_ior.txt is stored. The text file is to tell your client where the port is. – Simon O'Doherty Nov 18 '13 at 09:27
  • Ok, understood. But I'm running out of options now. Here are some facts from the diiopcfg.txt: TCP Port: 0 Disabled; SSL Port: 63149 Enabled; Site TCP Name/Password Allowed: True; Site TCP Anonymous Allowed: False; Site SSL Name/Password Allowed: True; Site SSL Anonymous Allowed: False; Site Multi-Server Session Authentication: Disabled. Any more suggestions what I can try to get the session from the Domino server? – Michael Schlömp Nov 18 '13 at 09:37

Sorry, this answer is almost a duplicate of this answer, but it is so important that I think the text needs to be quoted in this post.

In my experience DIIOP doesn't use SSL/TLS at all. Only the DIIOP_IOR.TXT is downloaded via SSL/TLS. Capture your network traffic with Wireshark or something similar and monitor: port 63148 or port 63149. @michael-schlömp: Could you please test in your environment with Wireshark if the connection is encrypted?

Wireshark Output: GIOP createSession with Username and Password (Blanked with X)

0000   00 50 56 69 f5 2b 00 50 56 c0 00 02 08 00 45 00  .PVi.+.PV.....E.
0010   00 c0 0d 06 40 00 80 06 bb ca c0 a8 58 01 c0 a8  ....@.......X...
0020   58 15 d2 e0 f6 ac ef b6 47 e8 13 10 53 10 50 18  X.......G...S.P.
0030   01 00 29 bb 00 00 47 49 4f 50 01 00 00 00 00 00  ..)...GIOP......
0040   00 8c 00 00 00 00 00 00 00 05 01 00 00 00 00 00  ................
0050   00 31 04 38 35 32 35 36 35 31 61 2d 65 63 36 38  .1.8525651a-ec68
0060   2d 31 30 36 63 2d 65 65 65 30 2d 30 30 37 65 32  -106c-eee0-007e2
0070   64 32 32 33 33 62 35 00 4c 6f 74 75 73 4e 4f 49  d2233b5.LotusNOI
0080   01 00 01 00 00 00 00 00 00 0e 63 72 65 61 74 65  ..........create
0090   53 65 73 73 69 6f 6e 00 00 00 00 00 00 00 00 00  Session.........
00a0   00 01 00 00 00 00 00 00 00 01 00 00 00 0f 00 00  ................
00b0   00 06 00 61 00 64 00 6d 00 69 00 6e 00 00 00 00  ...a.d.m.i.n....
00c0   00 06 00 XX XX XX XX XX XX XX XX XX XX 00        ...XXXXXXXXXX.

Java Code used:

_diiop_args = new String[]{"-ORBEnableSSLSecurity", "-HTTPEnableSSLSecurity"}; 
String ior = NotesFactory.getIOR(_diiop_host + ":" + _diiop_port, 
    _diiop_args, _user_name, _user_pass);
_session = NotesFactory.createSessionWithIOR(ior, _user_name, _user_pass);

If you download and analyse the DIIOP_IOR.TXT with the ILU IOR Parser you will see there is no SSL/TLS information nor port in the IOR File.

SSL/TLS only version:

object key is <#048525651a-ec68-106c-eee0-007e2d2233b5#00LotusNOI#01#00#01>;
 no trustworthy most-specific-type info; unrecognized ORB type;
 reachable with IIOP 1.1 at host "testdom01.jjtest.site", port 0

SSL/TLS and non SSL/TLS version:

object key is <#048525651a-ec68-106c-eee0-007e2d2233b5#00LotusNOI#01#00#01>;
 no trustworthy most-specific-type info; unrecognized ORB type;
 reachable with IIOP 1.1 at host "testdom01.jjtest.site", port 63148
notes-jj
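
The IOR check described in the answer above, as an added Python example (not code from the answer or from the Domino product): it decodes a stringified IOR and reports each IIOP profile's host and port, plus the port of a TAG_SSL_SEC_TRANS component (tag 20 in the CORBA security specification) when one is present. It assumes diiop_ior.txt holds a stringified `IOR:` reference; the sample IORs, the host `domino.example`, and the names `Cdr` and `parse_ior` are constructed for this illustration.

```python
import struct

TAG_INTERNET_IOP, TAG_SSL_SEC_TRANS = 0, 20   # IIOP profile; SSL port component

class Cdr:                                    # reader for one CDR encapsulation
    def __init__(self, data):
        self.data, self.pos = data, 1
        self.order = "<" if data[0] else ">"  # first octet: 1 = little-endian
    def num(self, code, size):                # "I", 4 = ulong; "H", 2 = ushort
        self.pos += -self.pos % size + size   # align to size, then step past value
        return struct.unpack_from(self.order + code, self.data, self.pos - size)[0]
    def octets(self, n=None):                 # sequence<octet>, or n raw octets
        n = self.num("I", 4) if n is None else n
        if self.pos + n > len(self.data):
            raise ValueError("truncated IOR")
        self.pos += n
        return self.data[self.pos - n:self.pos]

def parse_ior(text):
    """Return host, IIOP port and advertised SSL port for each IIOP profile."""
    if text.lstrip()[:4].upper() != "IOR:":
        raise ValueError("not a stringified IOR")
    ior = Cdr(bytes.fromhex(text.strip()[4:]))
    ior.octets()                              # type_id, not needed here
    endpoints = []
    for _ in range(ior.num("I", 4)):
        tag, body = ior.num("I", 4), ior.octets()
        if tag != TAG_INTERNET_IOP:
            continue
        p = Cdr(body)
        version = tuple(p.octets(2))
        host = p.octets().rstrip(b"\0").decode("latin-1")
        port, _key, ssl_port = p.num("H", 2), p.octets(), None
        if version >= (1, 1):                 # components exist from IIOP 1.1
            for _ in range(p.num("I", 4)):
                ctag, cdata = p.num("I", 4), p.octets()
                if ctag == TAG_SSL_SEC_TRANS: # supports, requires, then port
                    c = Cdr(cdata)
                    ssl_port = [c.num("H", 2) for _ in range(3)][2]
        endpoints.append({"host": host, "port": port, "ssl_port": ssl_port})
    return endpoints

# Constructed samples, not taken from a server: host "domino.example", port 63148.
HEAD = "IOR:" "00000000" "00000001" "00000000" "00000001" "00000000" "000000"
BODY = ("00010100" "0000000f" "646f6d69" "6e6f2e65" "78616d70" "6c650000"
        "f6ac0000" "00000008" "4c6f7475" "734e4f49")
IOR_PLAIN = HEAD + "2c" + BODY + "00000000"   # no components
IOR_SSL = HEAD + "3c" + BODY + "00000001" "00000014" "00000008" "00000060" "0060f6ad"
```

An endpoint whose `ssl_port` is `None` means the IOR hands clients only the plain IIOP port, which is consistent with the readable GIOP request in the capture above.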