APAR status
Closed as user error.
Error description
Notes Federated Login requires that the Notes client has a cross-certificate for the IIS web server used by ADFS. We document that the certificate from IIS must have the keyUsage setting keyCertSign or cRLSign, as Domino will not create a cross-certificate if these keyUsage settings are not present. The standard keyUsage settings for certificates issued to web servers such as IIS are Key Encipherment and Data Encipherment, not Certificate Signing (keyCertSign) and CRL Signing (cRLSign). As web servers do not act as certificate signers, such a keyUsage setting may be considered non-standard and could be considered a security risk. Changing the SSL certificate on an existing ADFS server is not feasible for many customers. This requirement results in many organizations being unable to roll out Notes Federated Login, or even to test its use. Requesting that development identify a way for organizations to use NFL without adding these inappropriate keyUsage settings to a web server's certificate, such as allowing use of cross-certificates made with the certificate from the organization's CA, establishing trust between the NFL client and the web server through a means other than a cross-certificate, permitting issuance of cross-certificates regardless of keyUsage settings, or similar.
Local fix
The currently documented workaround is to issue a new server certificate on the ADFS server using a program such as OpenSSL, or to have the organization's certificate authority issue another certificate with the necessary keyUsage settings added. Neither of these is a viable option for many organizations.
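To check up front whether an existing ADFS server certificate would satisfy the cross-certificate requirement described above, and whether it carries the CA-style flags the description calls non-standard for a web server, the following added example decodes the DER-encoded X.509 KeyUsage BIT STRING and reports both. It is not part of the APAR or of Domino; the two DER values are constructed samples (a typical web-server KeyUsage and a CA-style one), not bytes from real certificates.

```python
# Decoder for the X.509 KeyUsage extension value (RFC 5280 section 4.2.1.3).
# Added example, not Domino code; the DER samples at the bottom are constructed.

KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
]

# Flags the APAR says Domino requires before it will create a cross-certificate.
DOMINO_CROSS_CERT_FLAGS = {"keyCertSign", "cRLSign"}


def decode_key_usage(der: bytes) -> set:
    """Decode a DER BIT STRING holding KeyUsage into the set of named flags."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("unsupported or truncated length")
    unused_bits = der[2]          # first content octet: count of unused trailing bits
    body = der[3:]
    if unused_bits > 7 or (not body and unused_bits):
        raise ValueError("bad unused-bit count")
    flags = set()
    total_bits = len(body) * 8 - unused_bits
    for i in range(min(total_bits, len(KEY_USAGE_BITS))):
        byte, bit = divmod(i, 8)  # bit 0 is the most significant bit of byte 0
        if body[byte] & (0x80 >> bit):
            flags.add(KEY_USAGE_BITS[i])
    return flags


def assess(der: bytes) -> dict:
    """Report whether Domino would create a cross-certificate for this cert,
    and which CA-style flags (unusual on a TLS server cert) it carries."""
    flags = decode_key_usage(der)
    ca_flags = flags & DOMINO_CROSS_CERT_FLAGS
    return {
        "flags": sorted(flags),
        "domino_cross_cert_ok": bool(ca_flags),
        "nonstandard_for_web_server": sorted(ca_flags),
    }


# Constructed samples: keyEncipherment+dataEncipherment, and keyCertSign+cRLSign.
WEB_SERVER_KU = bytes.fromhex("03020430")
CA_STYLE_KU = bytes.fromhex("03020106")

if __name__ == "__main__":
    for name, der in [("web server", WEB_SERVER_KU), ("CA-style", CA_STYLE_KU)]:
        print(name, assess(der))
```

On a real certificate the same bytes can be obtained from the KeyUsage extension value after parsing the certificate, and a rejected cross-certificate request in Domino should correspond to `domino_cross_cert_ok` being False.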
Problem summary
Problem conclusion
Temporary fix
Comments
This APAR is associated with SPR# PJONA6S8LH. The problem was caused by a user error or user misunderstanding.
APAR Information
APAR number
LO87877
Reported component name
DOMINO SERVER
Reported component ID
5724E6200
Reported release
901
Status
CLOSED USE
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2016-02-03
Closed date
2017-08-08
Last modified date
2017-08-08
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Applicable component levels
Business Unit: Cognitive Applications (BU055); Product: Lotus Domino (SSKTMJ); Platform: Platform Independent (PF025); Version: 9.0.1
Document Information
Modified date:
08 August 2017