Tuesday, January 19, 2016

Set up XPages / Domino WebSockets with a valid Certificate

Recently, I was approached by another XPager to help set up TLS / SSL for XPages WebSockets using a valid certificate (preferably re-using the same certificate as the Domino HTTPS server). As usual, something that seemed "easy" took a bit longer than expected to research, cycle through, and solve. The steps below assume you have the private key, the issued certificate, and the CA's root and intermediate certificates that you are already using on your Domino server, and that you have OpenSSL and Java (for keytool) installed.

1) Use openssl to bundle the private key and the issued certificate into a PKCS12 (.p12) store (start the command prompt as admin, and record the export password you provide; you will need it again in step 2)

openssl pkcs12 -export -name {youralias} -in {yourcertificate} -inkey {yourprivatekey} -out {yourp12file}

2) Convert the PKCS12 keystore into a JKS keystore. keytool prompts for the destination store password and for the source .p12 password; the private key entry keeps the .p12 export password unless you also pass -destkeypass. On Java 9 and later keytool creates PKCS12 stores by default, so add -deststoretype JKS there to match WEBSOCKET_KEYSTORE_TYPE=JKS in step 5.

keytool -importkeystore -destkeystore {yourkeystore.jks} -srckeystore {yourp12file} -srcstoretype pkcs12 -alias {youralias}

3) Import the root and intermediate certificates as trusted entries (run the command once per file, with a different alias each time)

keytool -import -alias {use-adifferent-alias-for-each-file} -file {certfile} -keystore {yourkeystore.jks}

4) Copy the .jks file into the directory referenced by WEBSOCKET_KEYSTORE_PATH in your server's notes.ini, and restrict filesystem access to it: the store contains the same private key the Domino HTTPS server uses, so only the account running Domino should be able to read it. Delete the intermediate .p12 file, which holds a second copy of the key.

5) Make sure notes.ini is set up to use encryption over the wire (see below). WEBSOCKET_KEY_PASSWORD is the password of the private key entry and WEBSOCKET_KEYSTORE_PASSWORD is the password of the store; with the steps above these are the .p12 export password from step 1 and the destination store password from step 2 respectively.

WEBSOCKET_ENCRYPT=true
WEBSOCKET_KEYSTORE_PATH=C:\websocket-certs\websocket.jks
WEBSOCKET_KEY_PASSWORD=*******
WEBSOCKET_KEYSTORE_PASSWORD=*******
WEBSOCKET_KEYSTORE_TYPE=JKS

Below are the commands I used to set up my local server. I used StartSSL's free certificates when setting this up.

openssl pkcs12 -export -name tekcounsel -in 2_tekcounsel.net.crt -inkey private.key -out keystore.p12

keytool -importkeystore -destkeystore websocket.jks -srckeystore keystore.p12 -srcstoretype pkcs12 -alias tekcounsel

keytool -import -alias websocket_cert -file {certfile} -keystore websocket.jks
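Putting the five steps together, here is a POSIX shell version of the same procedure as an added example; it is not from the original post or from the WebSocket project, and the file names, aliases and password in the usage comment are placeholders. It passes the passwords on the command line instead of answering prompts, sets -deststoretype JKS explicitly so the store matches WEBSOCKET_KEYSTORE_TYPE=JKS on Java 9 and later, removes the intermediate .p12, and checks the result with keytool -list before you point notes.ini at it. On Windows run it from Git Bash or translate the calls to cmd one for one.

```shell
#!/bin/sh
# Added example (not from the post): the five steps as one function, plus a
# check that the private key entry landed in the JKS under the expected alias.
# Arguments, file names and the password are assumed placeholders.
set -eu

# build_websocket_keystore KEY CERT OUT.jks ALIAS PASSWORD CA_FILE...
build_websocket_keystore() {
    key="$1"; cert="$2"; out="$3"; alias="$4"; pass="$5"; shift 5
    p12="${out%.jks}.p12"

    # Step 1: private key + issued certificate -> PKCS12.
    # -passout replaces the interactive export-password prompt.
    openssl pkcs12 -export -name "$alias" -in "$cert" -inkey "$key" \
        -out "$p12" -passout "pass:$pass"

    # Step 2: PKCS12 -> JKS. -deststoretype JKS is explicit because keytool on
    # Java 9+ defaults to PKCS12, which would not match WEBSOCKET_KEYSTORE_TYPE=JKS.
    # The key entry keeps the .p12 password, so WEBSOCKET_KEY_PASSWORD and
    # WEBSOCKET_KEYSTORE_PASSWORD are both "$pass" here.
    keytool -importkeystore -noprompt \
        -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass "$pass" \
        -destkeystore "$out" -deststoretype JKS -deststorepass "$pass" \
        -alias "$alias"

    # Step 3: root and intermediate certificates, one alias per file.
    n=0
    for ca in "$@"; do
        n=$((n + 1))
        keytool -importcert -noprompt -trustcacerts -alias "ca$n" \
            -file "$ca" -keystore "$out" -storepass "$pass"
    done

    # The .p12 holds the private key too; do not leave a second copy around.
    rm -f "$p12"
    # Step 4: only the account running Domino needs to read the store.
    chmod 600 "$out"
}

# keystore_has_key OUT.jks PASSWORD ALIAS -> 0 if ALIAS is a PrivateKeyEntry
keystore_has_key() {
    keytool -list -keystore "$1" -storepass "$2" -alias "$3" 2>/dev/null \
        | grep -q PrivateKeyEntry
}

# keystore_trusted_count OUT.jks PASSWORD -> number of trustedCertEntry entries
keystore_trusted_count() {
    keytool -list -keystore "$1" -storepass "$2" 2>/dev/null \
        | grep -c trustedCertEntry
}

# Usage with the file names from the post (root.crt / intermediate.crt are
# assumed names), then Step 5: set WEBSOCKET_KEYSTORE_PATH to the .jks path
# and both WEBSOCKET_*_PASSWORD values to the password used here.
#   build_websocket_keystore private.key 2_tekcounsel.net.crt websocket.jks \
#       tekcounsel 'secret' root.crt intermediate.crt
#   keystore_has_key websocket.jks 'secret' tekcounsel && echo "key entry OK"
```

keytool_has_key failing after the build usually means the -name given to openssl in step 1 and the -alias given to keytool in step 2 differ; keystore_trusted_count should equal the number of CA files you passed, otherwise a root or intermediate was skipped and clients will see an incomplete chain.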
