Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

 

Daniel Nashed

 

    Cross Certifying a Notes ID only works with a Safe.ID via C-API/Lotus Script/Java

    Daniel Nashed  24 July 2019 06:03:35

    For the Docker project I looked into cross certifying IDs via C-API and the Lotus Script/Notes Java classes.
    It turned out that this only works well for safe.ids. Reading the information needed for cross certification from the ID file requires opening the Notes.ID.

    In Lotus Script/Java in a client you are prompted for the password. In the C-API an error is returned for a normal ID: "Wrong Password. (Passwords are case sensitive - be sure to use correct upper and lower case.)"

    This behavior isn't documented and they don't mention that it only works well for safe.ids. There is no way to specify the password for the Notes.ID to be cross certified.
    I have a support ticket open and they created an enhancement request.
    They also created an AHA idea for me ->
    https://domino.ideas.aha.io/ideas/DOMINO-I-875

    In Lotus Script/Java there isn't a way to check in advance if a Notes.ID is a safe.id. In C-API you can check before calling REGCrossCertifyID() if the ID is a safe.id.
    This call has been around for a long time and I am surprised nobody ever reported this limitation.

    For the Docker project it makes sense to pass a safe.id anyway. So for us it's not really a show stopper.

    It looks like the limitation is that reading the public key from the Notes.ID already needs the password.


    In the client you can create a cross certificate from a signature. But this isn't available in any exposed API either.
    Having a way to create a cross certificate from a signature would be helpful for auto registration applications ;-)
    A signed request could be used to cross certify the ID...

    -- Daniel

    Comments

    1 Brian Benson  24.07.2019 17:26:43  Cross Certifying a Notes ID only works with a Safe.ID via C-API/Lotus Script/Java

    I'm probably telling you something you already know, but you can call the REGGetIDInfo C API call from LotusScript to determine if an ID is a safe ID.

    I use it because I need to make sure an ID is not processed if it is a safe ID.

    2 Daniel Nashed  24.07.2019 21:22:20  Cross Certifying a Notes ID only works with a Safe.ID via C-API/Lotus Script/Java

    @Brian, we didn't hear from each other for ages!

    Yes of course I could call the C-API from LS but I don't like LS2CAPI!!

    And the whole functionality in C-API/Lotus Script/Java is not working as I would expect it to work to be useful!

    There are also missing details in the documentation. That's why I am posting to make people aware and to mention the enhancement request.

    -- Daniel
