Embedded experiences SSL issue

We have a problem with SSL and Locked Domain Suffix when configuring Embedded experiences.

I followed the guide SHOW 110.pdf, which suggests *-locked.gadgets.company.se

This is totally OK if you are not using SSL. We have purchased a wildcard SSL certificate that covers *.company.se, and we want to use this one.

Social Edition generates URLs like this (depending on how you set it up):

XXXYYZZZ-locked.gadgets.company.se

The client will not accept this with our SSL certificate. That means that we have to buy this SSL certificate:

*.gadgets.company.se

and have a Domino server that uses this certificate instead of the default one (*.company.se) that we put as the default on all servers.

Is that really needed? Can we work around it and still use SSL?

It all comes down to the CNAME and DNS.

From my DNS provider I can get this one:

*.gadgets.company.se CNAME ourshindigserver.company.se

But this one is not possible:

*-locked.company.se CNAME ourshindigserver.company.se

that is locked.company.se

Subject: RE: Embedded experiences SSL issue

Hi Anders,

First and foremost, I want to point you to the Deployment Cookbook, which provides far more details than the SHOW110 session did. http://www-10.lotus.com/ldd/dominowiki.nsf/dx/IBM_Domino_9.0_Social_Edition_OpenSocial_Deployment_Cookbook

For the benefit of others who may read this thread, the reason your wildcard SSL certificate for *.company.se did not work for *-locked.gadgets.company.se is because of the way SSL certificate matching works. Matches are only valid for a single domain component or component fragment. See the fourth paragraph of http://www.ietf.org/rfc/rfc2818 for more information.

To get to your actual question, you have 3 options moving forward.

  1. Obtain a wildcard SSL cert for your locked domain, i.e., *.gadgets.company.se

From a security standpoint this is the ideal option. From a practical standpoint this may not be an option if cost is prohibitive. If this is not an option, consider #2 and #3 below carefully.

  2. Disable HTTPS for gadgets

One can disable HTTPS for all OpenSocial gadgets by following the instructions here: http://www-10.lotus.com/ldd/dominowiki.nsf/dx/Server-centric_settings_OSC90#Gadget+iframe+Scheme

One can set the scheme to always be HTTP. Browsers may complain about this if the parent page is using HTTPS but the gadgets in a child iframe are using HTTP. Depending on the browser being used and the way it handles the scheme mismatch, this option too may be prohibitive. If that is the case, consider #3 very, very carefully.

  3. Disable locked domains

This is the last option and should only be used if #1 and #2 aren’t feasible for some reason. This option is outlined in more detail here: http://www-10.lotus.com/ldd/dominowiki.nsf/dx/Server-centric_settings_OSC90#Locked+Domains

In a development or proof of concept environment, this option is OK. In a production environment, this needs to be considered very carefully from a security perspective.

-Stanton
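Added example (not code from the thread, from Domino/Shindig, or from IBM's cookbook): a small Python implementation of the RFC 2818 section 3.1 matching rule Stanton cites, run over the hostnames from the thread (company.se is the poster's placeholder domain). It shows why *.company.se cannot cover XXXYYZZZ-locked.gadgets.company.se (the hostname has one more label than the certificate name) while *.gadgets.company.se does, and why buying *-locked.gadgets.company.se would also work since the wildcard is then a fragment of the left-most label. The rule that a wildcard is only honoured in the left-most label comes from RFC 6125 section 6.4.3, which is what browsers and public CAs enforce; that goes beyond what the thread states.

```python
"""Hostname-vs-certificate wildcard matching as described in RFC 2818 section 3.1.

Added example for this thread; not code from Domino, Shindig or IBM's cookbook.
The hostnames are the ones from the thread (company.se is the poster's
placeholder domain). Standard library only, runs offline.
"""


def _label_matches(pattern_label: str, host_label: str) -> bool:
    """Match one DNS label of a certificate name against one label of a hostname.

    RFC 2818: '*' matches any single domain name component or component
    fragment, so 'f*' matches 'foo' and '*' matches 'gadgets', but a
    wildcard never matches across a dot (the caller enforces that by
    comparing label counts).
    """
    pattern_label = pattern_label.lower()
    host_label = host_label.lower()
    if not host_label:
        return False  # an empty label never matches anything
    if "*" not in pattern_label:
        return pattern_label == host_label
    prefix, _, suffix = pattern_label.partition("*")
    if "*" in suffix:
        return False  # at most one wildcard per label
    return (
        len(host_label) >= len(prefix) + len(suffix)
        and host_label.startswith(prefix)
        and host_label.endswith(suffix)
    )


def cert_name_matches(cert_name: str, hostname: str) -> bool:
    """Return True if a DNS name from a certificate covers the hostname.

    Two rules do the work:
      * the label counts must be equal, so '*.company.se' (3 labels) can
        never cover 'xxx-locked.gadgets.company.se' (4 labels);
      * a wildcard is only honoured in the left-most label (RFC 6125 6.4.3,
        the tightening browsers and public CAs apply on top of RFC 2818).
    """
    cert_labels = cert_name.rstrip(".").split(".")
    host_labels = hostname.rstrip(".").split(".")
    if len(cert_labels) != len(host_labels):
        return False
    if any("*" in label for label in cert_labels[1:]):
        return False
    return all(_label_matches(p, h) for p, h in zip(cert_labels, host_labels))


def hostname_covered(san_dns_names, hostname: str) -> bool:
    """Check a hostname against every DNS name in a certificate's SAN list."""
    return any(cert_name_matches(name, hostname) for name in san_dns_names)


def thread_cases() -> dict:
    """The concrete situation from the thread, evaluated with the rules above."""
    wildcard_cert = ["*.company.se"]                    # the certificate they already own
    locked_cert = ["*.gadgets.company.se"]              # option 1 in the reply
    gadget_host = "XXXYYZZZ-locked.gadgets.company.se"  # URL Social Edition emits
    shindig_host = "ourshindigserver.company.se"        # the CNAME target
    return {
        "owned_cert_covers_gadget_host": hostname_covered(wildcard_cert, gadget_host),
        "owned_cert_covers_shindig_host": hostname_covered(wildcard_cert, shindig_host),
        "locked_domain_cert_covers_gadget_host": hostname_covered(locked_cert, gadget_host),
        # a certificate for *-locked.gadgets.company.se would match as well: the
        # wildcard is a fragment of the left-most label, which RFC 2818 allows
        "fragment_wildcard_covers_gadget_host": cert_name_matches(
            "*-locked.gadgets.company.se", gadget_host),
    }


if __name__ == "__main__":
    for case, result in thread_cases().items():
        print(f"{case}: {result}")
```

Running the block prints the four thread cases; only the first one is False, which is exactly the mismatch the original poster saw. The matcher is for illustration of the rule; in a real client, leave hostname verification to the TLS library rather than reimplementing it.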