
RE: HTTPAPI and Digital Certificate



Sender: Scott Klement <sk@xxxxxxxxxxxxxxxx>


Hi Elbert,

> I need to ftp a file to a bank. The bank requires a
> SSL connection. They have supplied the digital
> certificate and I need to attach it to our AS400 FTP
> server.

If you are FTPing it to the bank, then you want to attach it to the FTP
client -- not the server!   The FTP server is for when they FTP to/from
your system.

> With Scott's HTTPAPI, I trusted the certificate to the
> application. But I don't have a registered
> application with FTP, unless I need to register one as
> the first step.

IBM automatically registers its applications with the DCM when they're
installed.

For example, if I go into the Digital Certificate Manager, and try to
update the certificate assignment for a client application, I have the
following applications to choose from:

   Directory Services publishing
   Download ACS updates for GiftBox
   Directory Services client
   Enterprise Identity Mapping (EIM)
   OS/400 TCP/IP FTP Client
   SCK_HTTPAPI_UPSTRACK

The "Download ACS updates" and "SCK_HTTPAPI_UPSTRACK" are applications
of my own that I added to the DCM.  The others -- including "OS/400 TCP/IP
FTP Client" -- were provided by IBM when OS/400 was installed.

I can change the certificates that are assigned to the OS/400 FTP Client
in the same manner that I'd change my own applications.










>
> If you could point me in the right direction, I would
> appreciate it.
>
>
>
> --- Ian Patterson <ian@xxxxxxxxxxxxxxxxxxxx> wrote:
>
> > Sender: "Ian Patterson" <ian@xxxxxxxxxxxxxxxxxxxx>
> >
> > If you can 'see' the Vendor's website in a browser, do this (Using IE - that's
> > all I have)
> >
> > View the Website.
> > 'Padlock' appears in bottom right of browser to signify SSL
> > Double click padlock & you see certificate details
> > click cert path tab & see cert chain
> > highlight top (CA) cert & view certificate
> > use details tab, then copy to file button
> > Choose p7B format from wizard
> > Copy saved certificate (anyname.p7b) to IFS
> >
> > Go into DCM
> > Follow links to CA certs (in *SYSTEM store)
> > import a cert
> > specify p7b cert on IFS (e.g. /myfolder/anyname.p7b)
> >
> > then trust the cert to your client app
> >
> > er.. that's it
> >
> >
> > Regards
> >
> > Ian Patterson
> >
> > ian@xxxxxxxxxxxxxxxxx <mailto:ian@xxxxxxxxxxxxxxxxx>
> >
> > Grange IT Limited
> > tel 01947 880458
> > www.grangesystems.com
> >
> >
> >
> > -----Original Message-----
> > From: owner-ftpapi@xxxxxxxxxxxxx [mailto:owner-ftpapi@xxxxxxxxxxxxx]On Behalf Of Elbert Cook
> > Sent: 26 July 2004 15:42
> > To: ftpapi@xxxxxxxxxxxxx
> > Subject: Re: HTTPAPI and Digital Certificate
> >
> >
> > Sender: "Elbert Cook" <elbert@xxxxxxxxxxxxxxx>
> >
> > Thanks for the reply.
> >
> > Sorry to bother you again but I'm a novice at this and have another
> > question.
> > We use a vendor's website that uses a certificate authority that is not
> > already installed on our iSeries.
> >
> > Can I capture the certificate and install it on our iSeries?
> >
> >
> > ----- Original Message -----
> > From: "Scott Klement" <sk@xxxxxxxxxxxxxxxx>
> > To: <ftpapi@xxxxxxxxxxxxx>
> > Sent: Friday, July 23, 2004 1:39 PM
> > Subject: Re: HTTPAPI and Digital Certificate
> >
> >
> > > Sender: Scott Klement <sk@xxxxxxxxxxxxxxxx>
> > >
> > >
> > > Hi Elbert,
> > >
> > > > It created a certificate application, and I assigned a self-signed
> > > > certificate to it.
> > > >
> > > > (GSKit) Certificate is not signed by a trusted certificate authority.
> > > > ssl_error(6000): (GSKit) Certificate is not signed by a trusted
> > > > certificate authority.  SetError() #30: SSL Handshake: (GSKit)
> > > > Certificate is not signed by a trusted certificate author
> > >
> > > When you receive a digital certificate from a computer that you connect
> > > to, you have to decide whether or not you trust that computer.  The way
> > > that trust works in SSL, is that each certificate is "signed".  It gets a
> > > digital signature from a company.
> > >
> > > This company can be anybody, but there are companies like VeriSign and
> > > Thawte that specialize in signing certificates.  Whoever signed the
> > > certificate is called the "certificate authority."
> > >
> > > The theory is, if you trust the certificate authority, then you know that
> > > any certificate that they've signed is genuine.  For example, if VeriSign
> > > signed my certificate then VeriSign thinks I'm a real person.  If you
> > > trust VeriSign, then you should also trust me.
> > >
> > > If I were a hacker, I wouldn't want you to be able to trace the
> > > certificate back to me, so I wouldn't give VeriSign my information, and
> > > they wouldn't sign a certificate for me.
> > >
> > > Hopefully you get the idea...
> > >
> > > To get HTTPAPI (or any other SSL application on the iSeries) to trust a
> > > certificate, you have to make sure that the certificate authority for that
> > > certificate is installed on the iSeries, and that your application trusts
> > > it.
> > >
> > > The server in the case of EXAMPLE3 uses a certificate from VeriSign which
> > > is installed on the iSeries by default.  All you have to do is tell the
> > > DCM that you trust certificates signed by VeriSign.
> > >
> > > To do that:
> > >
> > > a) Go into the Digital Certificate Manager (DCM) and log-in to the *SYSTEM
> > > certificate store.
> > >
> > > b) Select "Manage Applications" -> "Define CA Trust List" -> "Client"
> > >
> > > c) Select "SCK_HTTPAPI_EXAMPLES" and click the "Define Trust List" button.
> > >
> > > d) The next list will show all of the certificate authorities that are
> > > installed on your iSeries.  Either select all of the certificate
> > > authorities that you'll trust manually, or click the "Trust All" button.
> > >
> > > e) Click the OK button at the bottom of the page.
> > >
> > >
> > > Now try running EXAMPLE3 again.
> > >
> > >
> > > -----------------------------------------------------------------------
> > > This is the FTPAPI mailing list.  To unsubscribe from the list send mail
> > > to majordomo@xxxxxxxxxxxxx with the body: unsubscribe ftpapi mymailaddr
> > > -----------------------------------------------------------------------
-----------------------------------------------------------------------
This is the FTPAPI mailing list.  To unsubscribe from the list send mail
to majordomo@xxxxxxxxxxxxx with the body: unsubscribe ftpapi mymailaddr
-----------------------------------------------------------------------
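
A check that fits between the export and DCM import steps quoted above, as an added example that is not part of the original thread: it lists the certificates in the exported .p7b and confirms that the self-signed root's SHA-256 fingerprint matches a value obtained from the CA out of band. It assumes the openssl command-line tool on a workstation; the function names, file names and the constructed test CA are illustrative.

```shell
#!/bin/sh
# Added example. Requires the openssl command-line tool; all file names,
# the CA name and the function names are constructed for illustration.

# Build a throwaway self-signed CA and export it as a DER .p7b in directory $1.
make_constructed_p7b() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Example CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
    openssl crl2pkcs7 -nocrl -certfile "$1/ca.pem" -outform DER -out "$1/ca.p7b"
}

# Print "SHA256-fingerprint|subject|issuer" for each certificate in a .p7b.
p7b_list() {
    tmp=$(mktemp -d) || return 1
    # Browser exports are usually DER; fall back to PEM if that fails.
    openssl pkcs7 -inform DER -in "$1" -print_certs -out "$tmp/all.pem" 2>/dev/null ||
    openssl pkcs7 -inform PEM -in "$1" -print_certs -out "$tmp/all.pem" 2>/dev/null ||
        { rm -rf "$tmp"; return 1; }
    # Split the bundle into one PEM file per certificate.
    awk -v d="$tmp" '/BEGIN CERTIFICATE/ {n++; p=1}
                     p {print > (d "/c" n ".pem")}
                     /END CERTIFICATE/ {p=0}' "$tmp/all.pem"
    for c in "$tmp"/c*.pem; do
        [ -f "$c" ] || continue
        fp=$(openssl x509 -in "$c" -noout -fingerprint -sha256 | cut -d= -f2)
        subj=$(openssl x509 -in "$c" -noout -subject | sed 's/^subject= *//')
        iss=$(openssl x509 -in "$c" -noout -issuer | sed 's/^issuer= *//')
        printf '%s|%s|%s\n' "$fp" "$subj" "$iss"
    done
    rm -rf "$tmp"
}

# Succeed only if the bundle holds a self-signed certificate (subject equals
# issuer) whose fingerprint matches $2, the value obtained out of band.
p7b_has_expected_root() {
    want=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    p7b_list "$1" | awk -F'|' -v w="$want" \
        '$1 == w && $2 == $3 {ok = 1} END {exit !ok}'
}

# Usage: sh check_p7b.sh /myfolder/anyname.p7b AA:BB:...
if [ "$#" -eq 2 ]; then
    p7b_list "$1"
    p7b_has_expected_root "$1" "$2" && echo "root fingerprint matches" ||
        { echo "no matching self-signed root; do not import" >&2; exit 1; }
fi
```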