
Re: HTTPAPI GSKit access not allowed



Sender: Scott Klement <sk@xxxxxxxxxxxxxxxx>


The user needs to be granted access to the SSL key database, etc.  The
GSKit API cannot transmit encrypted data or certificates if it can't read
them from the files that they're stored in!

Adopted authority does not work for files in the IFS -- and since that's
where the Digital Certificate Manager stores its data, adopted authority
won't do it.

The certificates & keys are usually stored under /QIBM/UserData/ICSS in
the IFS.  Though, if you create your own certificate store, I think you
can store them just about anywhere.

Anyway, if you give the user permission to read the directories and files
where this info is stored, the problem should go away.  My users can run
SSL programs without *ALLOBJ, no problem.


On Wed, 11 Aug 2004, Ian Patterson wrote:
>
> Strange problem raised its head today.
>
> A program using HTTPAPI (SSL mode) runs normally when the User is signed on
> with my profile. I have special authorities to *ALLOBJ and *IOSYSCFG but
> nothing else significant.
> When they sign on with their own profile, we get the error:
>
> https_connect(): entered
> (GSKit) Access to the key database is not allowed.
> ssl_error(6003): (GSKit) Access to the key database is not allowed.
> SetError() #30: SSL Handshake: (GSKit) Access to the key database is not
> allowed.
>
> Now the controlling CL program beneath which my program runs is compiled
> with
>  User profile . . . . . . . . . . . . . . . . . . :   *OWNER
>  Use adopted authority  . . . . . . . . . . . . . :   *YES
>
> This program calls my RPGLE program compiled with:
>    User profile . . . . . . . . . . . . . . . . . :   *USER
>    Use adopted authority  . . . . . . . . . . . . :   *YES
>    Coded character set identifier . . . . . . . . :   65535
>
> I would have assumed that the User then adopts my authority, and that would
> circumvent the key database access error, but obviously not.
>
> Is there something I am missing here?
>
> Regards
>
> Ian Patterson
>
-----------------------------------------------------------------------
This is the FTPAPI mailing list.  To unsubscribe from the list send mail
to majordomo@xxxxxxxxxxxxx with the body: unsubscribe ftpapi mymailaddr
-----------------------------------------------------------------------
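
The reply above comes down to the user needing access to every directory on the way to the key database plus the file itself. As an added example (not part of the original messages), this POSIX shell function reports the first path component that blocks the current user. It assumes it is run as the affected user in a POSIX shell on the system (for example QShell or PASE), and the name `first_blocked` is hypothetical.

```shell
#!/bin/sh
# Added example (hypothetical helper): walk an absolute path and report the
# first component the *current* user cannot traverse or read.
# Run it as the affected user, passing the key database file path.
first_blocked() {
    target=$1
    case $target in
        /*) ;;
        *) echo "need-absolute-path"; return 2 ;;
    esac
    current=""
    rest=${target#/}
    while [ -n "$rest" ]; do
        # Split off the next path component.
        case $rest in
            */*) part=${rest%%/*}; rest=${rest#*/} ;;
            *)   part=$rest; rest="" ;;
        esac
        if [ -z "$part" ]; then continue; fi   # skip empty parts from "//"
        current="$current/$part"
        if [ ! -e "$current" ]; then
            echo "missing:$current"; return 1
        fi
        if [ -n "$rest" ]; then
            # Intermediate component: must be a directory with search (x).
            if [ ! -d "$current" ]; then
                echo "not-a-directory:$current"; return 1
            fi
            if [ ! -x "$current" ]; then
                echo "no-search:$current"; return 1
            fi
        elif [ ! -r "$current" ]; then
            # Final component: the key database file must be readable.
            echo "no-read:$current"; return 1
        fi
    done
    echo "ok:$target"
    return 0
}

# Stand-alone use: sh script.sh /path/to/keydatabase
if [ "$#" -gt 0 ]; then first_blocked "$1"; fi
```

A `no-search` or `no-read` result names the object whose authority needs changing for that user; a profile with *ALLOBJ will normally report `ok`, which matches the behaviour described in the question.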