
Re: Re: https problems



Sender: Scott Klement <sk@xxxxxxxxxxxxxxxx>


> [SSL_ERROR_NOT_TRUSTED_ROOT]
> The certificate is not signed by a trusted certificate authority.
> Is that error caused by the server or the client?

The idea behind certificates is that they prove the identity of whomever you're talking to. How do they do that? If they send a certificate that says "I am Acme, Inc's HTTP server," how do you know that they're not lying?


The answer is: They register their certificate with a trusted certificate authority. If the certificate bears the signature of the certificate authority, then you know that they're telling the truth. After all, you trust the CA, and it contains their cryptographic signature.

So, in the Digital Certificate Manager, there's a place where you can define which certificate authority your application will trust. (Or, you can choose "Trust All" to trust any CA that's installed on your system.)

The problem is: The certificate that the server is sending to you isn't signed by a CA that you have in your trust list.

The iSeries ships with the CA certificates for the big CA companies. VeriSign and Thawte are the really big ones, and then there are a bunch of smaller ones that come with the iSeries. It's possible, however, that they're using a CA that isn't shipped with the DCM. If that's the case, you'll need to get the CA certificate and install it.

It's also possible that you *do* have the correct CA certificate installed, but you haven't marked it as a "trusted CA" for this application. Or, it's possible that you have it marked as trusted, but that the CA certificate has expired.


> I now have the necessary authority on the 400 to do stuff to the DCM, but we have no certificates. The notes in the original README and the beta release assume the existence of a certificate. The V5R1 Unix type API manual is no help.

This error has nothing to do with whether your application needs a certificate. It has to do with whether you trust the certificate that the server automatically sends you as part of the connection process.


> Do I need to get a certificate from somewhere? I am most appreciative of any help. I suspect this nightmare might be repeated when we move my applications to our live box. But by then I might have some clue...

In the current beta, HTTPAPI writes a bunch of extra information about the SSL conversation to the debug file. It might be interesting to look at that info (if it's getting that far!)


You might also want to check the archives of this mailing list, since this has been discussed quite a few times before.
http://www.scottklement.com/archives/ftpapi/


You might also want to do some reading to get a good high-level knowledge of how SSL works. There's a pretty good introduction on Apache's web site:
http://httpd.apache.org/docs-2.0/ssl/ssl_intro.html
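As an added illustration (not code from HTTPAPI, the DCM, or this thread), here is a small Python model of the trust decision behind SSL_ERROR_NOT_TRUSTED_ROOT: the client looks up the issuer of the server's certificate in its installed CA list, checks that the CA is marked trusted for this application (or "Trust All"), checks that the CA certificate has not expired, and only then checks the signature. The CA "signature" is an HMAC stand-in for a real RSA signature, and every name, key and date is constructed for the example.

```python
import hmac
from datetime import date

NOT_TRUSTED_ROOT = "SSL_ERROR_NOT_TRUSTED_ROOT"

def sign_cert(ca_key, subject, issuer, not_after):
    # Stand-in for the CA's signature over the certificate body (HMAC, not RSA).
    body = f"{subject}|{issuer}|{not_after.isoformat()}".encode()
    return hmac.new(ca_key, body, "sha256").hexdigest()

def check_server_cert(cert, installed_cas, app_trust_list, today):
    """installed_cas: issuer name -> {"key", "not_after"}; app_trust_list: set of
    CA names this application trusts, or "Trust All". None means trusted."""
    issuer = cert["issuer"]
    ca = installed_cas.get(issuer)
    if ca is None:
        return f"{NOT_TRUSTED_ROOT}: CA '{issuer}' is not installed in the DCM"
    if app_trust_list != "Trust All" and issuer not in app_trust_list:
        return f"{NOT_TRUSTED_ROOT}: CA '{issuer}' is installed but not marked trusted for this application"
    if today > ca["not_after"]:
        return f"{NOT_TRUSTED_ROOT}: CA '{issuer}' certificate expired on {ca['not_after']}"
    expected = sign_cert(ca["key"], cert["subject"], issuer, cert["not_after"])
    if not hmac.compare_digest(cert["signature"], expected):
        return f"{NOT_TRUSTED_ROOT}: certificate is not actually signed by CA '{issuer}'"
    return None

# Constructed sample data: keys, names and dates are made up for the example.
TODAY = date(2004, 6, 1)
SMALL_CA_KEY = b"small-ca-signing-key"
SHIPPED_CAS = {"VeriSign": {"key": b"verisign-key", "not_after": date(2028, 8, 1)},
               "Thawte": {"key": b"thawte-key", "not_after": date(2020, 12, 31)}}
SERVER_CERT = {"subject": "www.acme.example", "issuer": "Small CA Ltd",
               "not_after": date(2005, 6, 1)}
SERVER_CERT["signature"] = sign_cert(SMALL_CA_KEY, "www.acme.example", "Small CA Ltd", date(2005, 6, 1))

def scenarios():
    small_ca = {"key": SMALL_CA_KEY, "not_after": date(2010, 1, 1)}
    with_small_ca = dict(SHIPPED_CAS, **{"Small CA Ltd": small_ca})
    with_expired_ca = dict(SHIPPED_CAS, **{"Small CA Ltd": dict(small_ca, not_after=date(2004, 5, 1))})
    return {
        # The server's CA is not among the CAs shipped with the DCM at all.
        "ca_missing": check_server_cert(SERVER_CERT, SHIPPED_CAS, "Trust All", TODAY),
        # CA certificate installed, but not on this application's trust list.
        "ca_not_trusted": check_server_cert(SERVER_CERT, with_small_ca, {"VeriSign", "Thawte"}, TODAY),
        # Installed and marked trusted: the server certificate verifies.
        "ok": check_server_cert(SERVER_CERT, with_small_ca, {"Small CA Ltd"}, TODAY),
        # Installed and trusted, but the CA certificate itself has expired.
        "ca_expired": check_server_cert(SERVER_CERT, with_expired_ca, {"Small CA Ltd"}, TODAY),
    }
```

Running `scenarios()` walks through the three causes listed above (CA missing, CA present but not trusted for the application, CA expired) and the working case once the CA is installed and trusted.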


-----------------------------------------------------------------------
This is the FTPAPI mailing list.  To unsubscribe from the list send mail
to majordomo@xxxxxxxxxxxxx with the body: unsubscribe ftpapi mymailaddr
-----------------------------------------------------------------------