Thursday 28 November 2013

Domino Web Services SSL Error - Keyring file not found

Today I came across a strange behaviour on our Domino (R9.0.1) server.
We have a database with a web service consumer. This web service consumer is used by a scheduled background agent. The web service makes calls to a third-party system using https.
The Domino Web Server is configured using Internet Site documents. All https traffic and calls to the server worked perfectly fine from the very beginning.
Whenever the web service is called, the following error is thrown on the server console:

Error 4746 Web Service XXXXXXXX method XXXXX error 
Error connecting to 'xxxxx.xxxxx' on Keyring file not found

So there seems to be something wrong with SSL certificates. After some time of trial and error with some more HTTP server restarts I found two helpful resources on Google:

IBM Technote LO47722: "SSL ERROR: KEYRING FILE ACCESS ERROR" ON WEBSERVICE CONSUMER USING INTERNET SITE DOCUMENTS

and a thread in the good, old notes.net IBM DeveloperWorks forum:
HTTPS Web Service - SSL Error: Keyring file not found

Both describe exactly the same scenario as the one here. The solution is that the SSL certificate specified in both places, the Internet Site document as well as the Server document, must match. In general I think this makes perfect sense. However, as soon as you enable "Load Internet configurations from Server\Internet Sites documents" in the server document, you cannot specify the SSL certificate in the server doc anymore. What I had to do is temporarily turn this setting off, specify the correct SSL certificate and turn it on again. This is the bit that confused me here. The setting in the server document seems to be used for requests issued by the server itself (i.e. web service consumers).

To make a long story short: 
Make sure you have the same SSL certificates specified both in the server doc and the Internet site document.


1 comment:

  1. Thanks a lot. Nobody in HCL knows about this in 2022, and continue to fail with the last Domino updates. Now left me to fight to run it with TLS 1.2, I believe.
