Case:
I was involved in a SugarCRM project and one of the requirements was to rollout a widget to IBM Notes sidebar provided by Sugar.
Description:
Problem was that the instructions from Sugar included an option for the user to bail out of the installation,
because of the signatures where not trusted. also the user needs to cross certify with his own Notes id.
(https://support.sugarcrm.com/Documentation/Plug-ins/Lotus_Notes_Plug-in/Notes_Plugin_Installation_Guide_2/index.html)
From the project perspektive this was not OK.
Solution:
I needed to find a way to cross certify in advance, making the installation in the background without giving the user the option to bail out.
I wanted to cross certify with my organizational certifier instead and avoiding questions.
First problem was to find the certifiers.
What I did was to install the plug-in manually in my testenvironment:
I then took the RSA file located in the workspace\applications\eclipse\features catalog
and in the META-INF catalog there is a file called LPI.RSA.
Using OpenSSL using the command
"openssl pkcs7 -in LPI.RSA -print_certs -inform DER -out lpi.cer"
and then opening it in an editor you could se all of the certifiers.
Using the instructions from Sugar as a guideline I tried to cross certify the certificate
that was used by Sugar, which was:
CN=SugarCRM/OU=Software/OU=Digital ID Class 3 – Java Object Signing/O=SugarCRM/L=Cupertino/ST=California/C=US
but when trying to do that I got the message:
"A cross certificate will not be made due to key usage restrictions in the input certificate"
Found a discussion thread indicating that using crosscertification at a higher would do it
(https://www-10.lotus.com/ldd/nd85forum.nsf/0/565f1122814572b3852579f900521ce0?OpenDocument)
so I imported the certificates into Domino Directory:
CN=VeriSign Class 3 Code Signing 2010 CA/OU=Terms of use at https://www.verisign.com/rpa (c)10/OU=VeriSign Trust Network/O=VeriSign, Inc./C=US
VeriSign Class 3 Public Primary Certification Authority – G5/(c) 2006 VeriSign, Inc. – For authorized use only/VeriSign Trust Network/VeriSign, Inc./US
https://knowledge.symantec.com/support/ssl-certificates-support/index?page=content&id=SO14649
https://www.symantec.com/content/dam/symantec/docs/other-resources/roots.zip
and crosscertified them with my Domino Organizational certifier instead, into Domino Directory.
I then pushed these 2 internet cross certificates out to the clients thru my security policy.
After that I included the widget in my widget catalog according to the instructions provided by Sugar and in this case we made a special desktop policy (explicit because it was in the cloud) that installed it for everyone belonging to a Domino group.
Worked perfectly.
ShareFEB
2017