
Re: Secure web sites



I admit that I am not sure of the correct terminology but ....
I mean that it is not set up to contact a secure site and that the management of the IT department is not sure what needs to be done to make it capable of contacting a secure site.

I was able to get as far as registering the certificate and then I got this message from our management:

"You are getting an error when you click Secure Connection because GONZO is not set up as a secure server."

Apparently this statement in your documentation is what they are taking exception to, and I am not sure how to direct them. This is where my program fails:

8) I already have SSL configured on my system for other apps, and I already have a system certificate store.  So, it asks me the password for it.  I type that.

I had already done the part you described below and your documentation was very helpful.  I made it all the way through to the above.

At 08:16 PM 4/1/2005, you wrote:
Sender: Scott Klement <sk@xxxxxxxxxxxxxxxx>

Hello Pat,

Thanks for signing up for the mailing list, by the way. It makes things easier for me!

However, the AS/400 I am using (our company owned) is not secure so the developers of the web site have had to create a non-secure site for my development.

What do you mean by "the AS/400 I am using is not secure"?  Do you mean that it's set to security level 20 or lower?  Or that lots of people have access to use it who might not be trustworthy?


Our question is what do we need to do to our AS/400 to allow this secure connection.  I have found the documentation for creating a certificate, etc. and have coded it but the 400 doesn't seem to have all it needs.

SETTING UP SSL SUPPORT IN OS/400:
The first thing you have to do is install the digital certificate manager. This is needed in order for you to configure any SSL applications on your system.

IBM has information about which licpgms you need for this in the Information Center.  Here's a link to the V5R2 version:
http://publib.boulder.ibm.com/iseries/v5r2/ic2924/info/rzain/rzainplanssl.htm

Once you've done that, you can set up certificates for the first time. (You don't need to buy a certificate from VeriSign or anything like that, a private certificate authority will work fine -- unless of course your particular application requires VeriSign -- but normally that's only for a Web server or Telnet server or something like that.)

Setting up certificates for the first time is covered here:
http://publib.boulder.ibm.com/iseries/v5r2/ic2924/info/rzahu/rzahudcmfirsttime.htm

CREATING A PROFILE FOR YOUR HTTP APPLICATION
Once you've done that, make sure you've selected the *SYSTEM certificate store (by clicking the "Select a Certificate Store" link) and then you should be ready to set up your HTTP application.

To set up the HTTP application:

a) Choose "manage applications"

b) Choose "add application"

c) Choose "client"

d) Set the "Application ID" to something that fits what you're doing. If you work for a company called ACME, and are working on the POSTDATA program of the PAYABLES application, you could make the application ID be "ACME_PAYABLES_POSTDATA".  The idea is that any program that requests this application ID will get a particular set of SSL settings.  If you tell HTTPAPI to use this application ID, it'll get the settings from this page.

e) I have everything else in my application profile set up with default values.  I like to use "Defined the CA Trust List = NO" so that I don't have to manually tell my application who it does and doesn't trust.

f) Under "Application description" type some text that identifies this profile, like "Settings for Posting data" or whatever makes sense.

g) Leave the other settings at their defaults, and click "ADD"


COMPILE SSL SUPPORT INTO HTTPAPI:
At this point, OS/400's SSL software is configured on your system. The next thing to do is make sure HTTPAPI has SSL compiled into it.

a) CHGCURLIB CURLIB(LIBHTTP)

b) CALL INSTALL

At the prompt, make sure you say YES to compiling SSL support. Answer the other questions so that it'll recompile HTTPAPI from source code.

TRYING IT OUT
a) Open up a sample SSL program that's included with HTTPAPI.  Example 3, I think, is a really simple one.

b) Change the application ID in that program to match the one you configured in the digital certificate manager.  This is how HTTPAPI associates with the settings in the digital certificate manager.

In EXAMPLE3, you'd set the APP_ID constant to 'ACME_PAYABLES_POSTDATA'

c) Recompile EXAMPLE3 (CRTBNDRPG should do it.)

d) Run it. It should download an SSL document and display the raw HTML code for it on your screen.


I'm writing these instructions from a (probably poor) memory of what needed to be done. If there are any steps I'm missing, please let me know so I can update the instructions.


-----------------------------------------------------------------------
This is the FTPAPI mailing list.  To unsubscribe from the list send mail
to majordomo@xxxxxxxxxxxxx with the body: unsubscribe ftpapi mymailaddr
-----------------------------------------------------------------------

Pat Greenwood, Sr. SAE
QUALCOMM QWBS Midwest Regional Office
Kansas City, MO
(816) 413-7016 (voicemail)
(785) 749-4065 (office)
(785) 749-3258 (fax)
pgreenwo@xxxxxxxxxxxx (e-mail)