Question

I have some Java code that connects to an LDAP server via SSL:

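import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

// mURL is a field of the enclosing class that holds the LDAP server URL.
protected DirContext getDirectoryContext(String usersDn, String password)
        throws NamingException {
    Hashtable<String, String> env = new Hashtable<String, String>();

    // Log the server and bind DN only; the password is kept out of the output.
    System.out.println("Connecting to LDAP.  Server=" + mURL + " User="
            + usersDn);

    env.put(Context.INITIAL_CONTEXT_FACTORY,
            "com.sun.jndi.ldap.LdapCtxFactory");
    env.put(Context.PROVIDER_URL, mURL);
    // Simple bind: the DN and password are sent to the server as given.
    env.put(Context.SECURITY_AUTHENTICATION, "simple");
    env.put(Context.SECURITY_PRINCIPAL, usersDn);
    env.put(Context.SECURITY_CREDENTIALS, password);
    // Use SSL for ldaps URLs or when the URL ends with the LDAPS port.
    if (mURL.startsWith("ldaps") || mURL.endsWith("636")) {
        env.put(Context.SECURITY_PROTOCOL, "ssl");
    }

    return new InitialDirContext(env);
}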

The code is being run from a button on a Notes form in the Notes client V8.5.3. The code is in a Java script library.

Some people get an SSLHandshakeException "No trusted certificate found", while others do not get the exception and the code runs fine. The issue seems to be workstation related.

I do not get the error. I have my own id which might have special access to the Notes server but I have a test id with no special access and both work from my PC.

I have a user who is also our LDAP support, so he should have everything he needs to connect to the server. But the code gives him an exception. Trying the Notes ldapsearch works fine from his PC, so we know connectivity is good.

The error occurs for one user on both our Dev server and our QA server. In Dev, I gave her the exact same access that I have. Made her a developer and everything, yet she still gets the exception.

So far the only people that the code has worked fine for are people in my group. But as I mentioned, I added the one woman to our group; also, I used a test ID that is not in our group, and that worked. The only difference I can think of is that we all have designer and the others don't. But I don't understand how that could be an issue.

Any ideas why some people would get the error and others not?


Solution 2

IBM got back to us with the fix. Turns out the "other" users needed to import the cert. They never answered why it worked for people with designer. Perhaps a public cert gets installed when designer is installed that worked with our server.

Other tips

AFAIK the Lotus ldapsearch utility does not do SSL connections, so I believe the fact that it works is meaningless. I would take the error message at face value: the LDAP server's SSL certificate is either self-certified, or certified by a CA whose root certificate is not in the users' key store. Since this is Java running in a Notes button, I'm not quite sure what is used for the key store. I.e., I'm not sure if it's using a file in the JVM installed within Notes, or whether it's been wired up to use the local names.nsf. But being a Notes guy at heart, I'd look at the Certificates view in the client names.nsf on the machines where it works and on the machines where it doesn't.
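
A diagnostic for comparing a working and a failing workstation, added here as an example and not code from either post: it reports which default trust store files the JVM can see, prints the certificate chain the LDAPS server presents, and lets the JVM's own default trust manager decide, so verification is never relaxed. The class name `LdapsTrustCheck` and the host `ldap.example.com` are placeholders, and it is an assumption that the JVM embedded in Notes follows the standard JSSE trust store lookup.

```java
import java.io.File;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

public class LdapsTrustCheck {
    public static void main(String[] args) throws Exception {
        // Placeholder host; pass the real LDAPS host and port as arguments.
        String host = args.length > 0 ? args[0] : "ldap.example.com";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 636;
        // Standard JSSE lookup: system property, then jssecacerts, then cacerts
        // (assumed here to apply to the Notes-embedded JVM as well).
        String dir = System.getProperty("java.home") + "/lib/security/";
        System.out.println("javax.net.ssl.trustStore = "
                + System.getProperty("javax.net.ssl.trustStore"));
        for (String name : new String[] {"jssecacerts", "cacerts"}) {
            System.out.println(dir + name + " exists: " + new File(dir + name).exists());
        }

        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the JVM's default trust store
        final X509TrustManager jvmDefault = (X509TrustManager) tmf.getTrustManagers()[0];

        // Prints the presented chain, then delegates the verdict unchanged.
        X509TrustManager reporting = new X509TrustManager() {
            public void checkServerTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
                for (X509Certificate c : chain) {
                    System.out.println("subject=" + c.getSubjectX500Principal()
                            + "\n  issuer=" + c.getIssuerX500Principal()
                            + "\n  notAfter=" + c.getNotAfter());
                }
                jvmDefault.checkServerTrusted(chain, authType);
            }
            public void checkClientTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
                jvmDefault.checkClientTrusted(chain, authType);
            }
            public X509Certificate[] getAcceptedIssuers() { return jvmDefault.getAcceptedIssuers(); }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] {reporting}, null);
        SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        try {
            socket.startHandshake();
            System.out.println("RESULT: chain is trusted by this JVM");
        } catch (SSLException e) {
            System.out.println("RESULT: not trusted: " + e.getMessage());
        } finally {
            socket.close();
        }
    }
}
```

Run it with the JVM bundled with the Notes client on both kinds of workstation; the issuer printed for the last certificate in the chain is the CA that has to be present in the failing machine's trust store.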

License: CC-BY-SA with attribution
Not affiliated with StackOverflow