Re: Secure web sites
Sender: Scott Klement <sk@xxxxxxxxxxxxxxxx>
Hello Pat,
Thanks for signing up for the mailing list, by the way. It makes things
easier for me!
> However, the AS/400 I am using (our company owned) is not secure so
> the developers of the web site have had to create a non-secure site for
> my development.
What do you mean by "the AS/400 I am using is not secure"? Do you mean
that it's set to security level 20 or lower? Or that lots of people have
access to use it who might not be trustworthy?
> Our question is what do we need to do to our AS/400 to allow this secure
> connection. I have found the documentation for creating a certificate,
> etc. and have coded it but the 400 doesn't seem to have all it needs.
SETTING UP SSL SUPPORT IN OS/400:
The first thing you have to do is install the digital certificate manager.
This is needed in order for you to configure any SSL applications on your
system.
IBM has information about which licpgms you need for this in the
Information Center. Here's a link to the V5R2 version:
http://publib.boulder.ibm.com/iseries/v5r2/ic2924/info/rzain/rzainplanssl.htm
Once you've done that, you can set up certificates for the first time.
(You don't need to buy a certificate from VeriSign or anything like that,
a private certificate authority will work fine -- unless of course your
particular application requires VeriSign -- but normally that's only for a
Web server or Telnet server or something like that.)
Setting up certificates for the first time is covered here:
http://publib.boulder.ibm.com/iseries/v5r2/ic2924/info/rzahu/rzahudcmfirsttime.htm
CREATING A PROFILE FOR YOUR HTTP APPLICATION
Once you've done that, make sure you've selected the *SYSTEM certificate
store (by clicking the "Select a Certificate Store" link) and then you
should be ready to set up your HTTP application.
To set up the HTTP application:
a) Choose "manage applications"
b) Choose "add application"
c) Choose "client"
d) Set the "Application ID" to something that fits what you're doing. If
you work for a company called ACME, and are working on the POSTDATA
program of the PAYABLES application, you could make the application ID be
"ACME_PAYABLES_POSTDATA". The idea is that any program that requests this
application ID will get a particular set of SSL settings. If you tell
HTTPAPI to use this application ID, it'll get the settings from this page.
e) I have everything else in my application profile set up with default
values. I like to use "Defined the CA Trust List = NO" so that I don't
have to manually tell my application who it does and doesn't trust.
f) Under "Application description" type some text that identifies this
profile, like "Settings for Posting data" or whatever makes sense.
g) Leave the other settings at their defaults, and click "ADD"
COMPILE SSL SUPPORT INTO HTTPAPI:
At this point, OS/400's SSL software is configured on your system. The
next thing to do is make sure HTTPAPI has SSL compiled into it.
a) CHGCURLIB CURLIB(LIBHTTP)
b) CALL INSTALL
At the prompt, make sure you say YES to compiling SSL support. Answer the
other questions so that it'll recompile HTTPAPI from source code.
TRYING IT OUT
a) Open up a sample SSL program that's included with HTTPAPI. Example 3,
I think, is a really simple one.
b) Change the application ID in that program to match the one you
configured in the digital certificate manager. This is how HTTPAPI
associates with the settings in the digital certificate manager.
In EXAMPLE3, you'd set the APP_ID constant to 'ACME_PAYABLES_POSTDATA'
c) Recompile EXAMPLE3 (CRTBNDRPG should do it.)
d) Run it. It should download an SSL document and display the raw HTML
code for it on your screen.
I'm writing these instructions from a (probably poor) memory of what
needed to be done. If there are any steps I'm missing, please let me know so
I can update the instructions.
-----------------------------------------------------------------------
This is the FTPAPI mailing list. To unsubscribe from the list send mail
to majordomo@xxxxxxxxxxxxx with the body: unsubscribe ftpapi mymailaddr
-----------------------------------------------------------------------