
Re: RV: Problem when connecting from AS/400 to a Link with https




Gregorio,


It sounds like the Certificate Authority (CA) certificate that you're using to verify the server's certificate is either missing or expired, or you don't have it selected as "trusted".

If you are, indeed, connecting to wwwcie.ups.com, they use VeriSign certificates. These are installed in your iSeries by default, so they're probably not missing. More likely, they're expired.

My suggestion, first of all, is to make sure you're running the latest version of HTTPAPI (Version 1.15).

Next, do NOT call https_init() and do NOT specify an APP_ID. You don't need to do that with UPS; you can use the default settings for your certificate store, and you don't have to create your own application setup in the Digital Certificate Manager (DCM).

If that doesn't help, then verify that the VeriSign CA certificates are set up properly in your DCM. To do that, follow these steps:

a) Make sure the HTTP admin server is running on your system:
     STRTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN)

b) Connect to it with a browser:
     http://as400.example.com:2001

c) Click "Digital Certificate Manager"

d) Click "Select a Certificate Store" and use *SYSTEM. You'll need the correct password to access it.

e) On the left, click "Manage Certificates"

f) Then "Validate Certificates"

g) Then "Certificate Authority (CA)" certificates

h) You should have an entry for "VeriSign Class 1". Select it and click "Validate"

i) Repeat the last step for "VeriSign Class 2" and "VeriSign Class 3". Make sure that they're all valid.

j) If one of them is invalid, there should be PTFs available from IBM to update them.

---
Scott Klement  http://www.scottklement.com

On Wed, 12 Apr 2006, Gregorio Alarcón B. wrote:

Hi Scott, I have the following problem: we cannot connect to a safe HTTPS site, but we do not have problems with an HTTP site.


In program EXAMPLE4 in library libhttp (AS/400, Scott Klement), in the header I define the certificate that is already created in the digital certificate administrator.


D APP_ID          C                   CONST('EUROAMERICA_HTTPAPI_EXAMPLES')

The following routine is part of the example which we are using to connect to a safe HTTPS site; this same routine works well for us with HTTP.

C**  The only diff between using HTTPS and using HTTP is
C**  the URL that we pass.  It starts with 'https://'
c                   eval      rc=http_url_post(
c                                 'https://wwwcie.ups.com/ups.app'+
c                                 '/xml/Track':
c                                  %addr(data): %len(%trimr(data)):
c                                  '/home/httptest.html')
c                   if        rc <> 1
c                   eval      msg = http_error
c                   dsply                   msg
c                   return
c                   endif

The error message is the following one:

(GSKit) the certificate is not indicated by a verified Authority certifier.

In the log of the AS/400 it gives the following message:

Any certificate available for the process of SSL, error does not exist = 403.

What do I need so that this works?

Regards,
Gregorio