IBM Support

LO87877: NOTES FEDERATED LOGIN REQUIRES CROSS-CERTIFICATES WITH KEYUSAGE SETTINGS NOT FOUND ON STANDARD WEB SERVER CERTIFICATES.


APAR status

  • Closed as user error.

Error description

  • Notes Federated Login requires that the Notes client have a
    cross-certificate for the IIS web server used by ADFS.
    We document that the certificate from IIS must have the
    keyUsage setting keyCertSign or cRLSign, as Domino will not
    create a cross-certificate if these keyUsage settings are not
    present.
    
    The standard keyUsage settings for certificates issued to
    web servers such as IIS are Key Encipherment and Data
    Encipherment, not Certificate Signing (keyCertSign) and
    CRL Signing (cRLSign).  As web servers do not act as
    certificate signers, such a keyUsage setting may be considered
    non-standard and could be considered a security risk.
    
    Changing the SSL certificate on an existing ADFS server is not
    feasible for many customers.  This requirement results in many
    organizations being unable to roll out Notes Federated Login, or
    even to test its use.
    
    Requesting that development identify a way for organizations
    to use NFL without adding these inappropriate keyUsage
    settings to a web server's certificate, such as allowing use of
    cross-certificates made with the certificate from the
    organization's CA, establishing trust by the NFL client with
    the web server through a means other than a cross-cert,
    permitting issuance of cross-certificates without regard to
    keyUsage settings, or similar.
    
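    The constraint described above comes down to which named bits are set in
    the certificate's keyUsage extension (RFC 5280, section 4.2.1.3). The
    following decoder is an added example, not part of the APAR or of Domino;
    it parses the DER-encoded KeyUsage BIT STRING, lists the bits that are set,
    and reports whether the keyCertSign-or-cRLSign condition the APAR text
    describes is met. The sample byte strings are constructed for the example:
    one with the usages a typical web server certificate carries, one with the
    usages a CA certificate carries. In practice the same information is shown
    in text form by `openssl x509 -in cert.pem -noout -text`.

```python
"""Decode an X.509 keyUsage extension value (RFC 5280 section 4.2.1.3) and
report whether it carries keyCertSign or cRLSign, which the APAR text says
Domino requires before it will create a cross-certificate.
Added example; not IBM or Domino code."""

# Named bits of the KeyUsage BIT STRING in RFC 5280 order. Bit 0 is the
# most significant bit of the first content byte of the BIT STRING.
KEY_USAGE_BITS = [
    "digitalSignature",   # 0
    "nonRepudiation",     # 1 (also called contentCommitment)
    "keyEncipherment",    # 2
    "dataEncipherment",   # 3
    "keyAgreement",       # 4
    "keyCertSign",        # 5
    "cRLSign",            # 6
    "encipherOnly",       # 7
    "decipherOnly",       # 8
]

# Constructed samples (not taken from any real certificate):
# digitalSignature + keyEncipherment + dataEncipherment, 4 unused bits.
WEB_SERVER_KEY_USAGE = bytes.fromhex("030204b0")
# keyCertSign + cRLSign, 1 unused bit: what a CA certificate carries.
CA_KEY_USAGE = bytes.fromhex("03020106")


def decode_key_usage(der: bytes) -> set:
    """Parse a DER BIT STRING (tag 0x03) holding KeyUsage and return the set
    of named bits that are set. Raises ValueError on malformed input."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("unsupported or inconsistent length")
    unused = der[2]            # first content octet: number of padding bits
    if unused > 7:
        raise ValueError("unused-bit count out of range")
    content = der[3:]
    usages = set()
    for idx, name in enumerate(KEY_USAGE_BITS):
        byte_i, bit_i = divmod(idx, 8)
        if byte_i >= len(content):
            break
        # In the last byte, the low `unused` bits are padding, not named bits.
        if byte_i == len(content) - 1 and bit_i >= 8 - unused:
            break
        if content[byte_i] & (0x80 >> bit_i):
            usages.add(name)
    return usages


def domino_would_cross_certify(der: bytes) -> bool:
    """True if keyUsage carries keyCertSign or cRLSign, the condition the
    APAR text describes; a typical TLS server certificate yields False."""
    return bool(decode_key_usage(der) & {"keyCertSign", "cRLSign"})


def report(label: str, der: bytes) -> str:
    """Human-readable one-line summary for a keyUsage value."""
    bits = ", ".join(sorted(decode_key_usage(der))) or "(none)"
    verdict = "accepted" if domino_would_cross_certify(der) else "rejected"
    return f"{label}: {bits} -> cross-certificate {verdict}"


if __name__ == "__main__":
    print(report("web server cert", WEB_SERVER_KEY_USAGE))
    print(report("CA cert", CA_KEY_USAGE))
```

    The decoder honours the unused-bit count in the first content octet, so a
    two-byte value such as `0303070080` (decipherOnly only) is read correctly
    rather than being truncated at the first byte.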

Local fix

  • The currently documented workaround is to issue a new server
    certificate on the ADFS server using a program such as OpenSSL,
    or to have an organization's certificate authority issue another
    certificate with the necessary keyUsage settings added.
    Neither of these is a viable option for many organizations.
    

Problem summary

Problem conclusion

Temporary fix

Comments

  • This APAR is associated with SPR# PJONA6S8LH.
    The problem was caused by a user error or user misunderstanding.
    

APAR Information

  • APAR number

    LO87877

  • Reported component name

    DOMINO SERVER

  • Reported component ID

    5724E6200

  • Reported release

    901

  • Status

    CLOSED USE

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2016-02-03

  • Closed date

    2017-08-08

  • Last modified date

    2017-08-08

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

Applicable component levels


Document Information

Modified date:
08 August 2017