
RE: RV: Problem when connecting from AS/400 to a Link with https



Sender: "ian" <ian@xxxxxxxxxxxxxxxxx>

I had a quick look at the URL https://wwwcie.ups.com/ups.app in a
browser.
Obviously the page is blank, but it does show the certificates used (see
padlock at the bottom of the page)

They are not Verisign, but GTE Cyber certs.

The certificate chain is:
GTE Cyber Trust Global Root
-- Akamai Subordinate CA2
---- wwwcie.ups.com (issued by Akamai)

The easiest way to get the GTE and Akamai CA2 certs into the iSeries is
to go to the Details tab of the certificate information in IE and to
'Copy to file...'
This starts the export wizard. Export to .p7B format.

Move the exported cert to the IFS then import using Digital Cert
Manager.

Regards,
 
Ian Patterson
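
Why the trust store needs both CA certificates from a chain like the one listed above, as an added example that is not part of the original message. It uses the `openssl` command-line tool on a workstation (assumed to be installed; this is not GSKit or DCM), and the names demo-root, demo-sub-ca, server.example and other-root are made up for a locally generated chain.

```sh
#!/bin/sh
# Added example: every key and certificate here is generated locally (constructed).
# demo-root / demo-sub-ca / server.example stand in for the three-level chain.

# make_cert DIR NAME ISSUER TRUE|FALSE   (ISSUER "self" makes a self-signed root)
make_cert() {
  dir=$1; name=$2; issuer=$3
  printf 'basicConstraints=critical,CA:%s\n' "$4" > "$dir/$name.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null || return 1
  if [ "$issuer" = self ]; then
    openssl x509 -req -in "$dir/$name.csr" -signkey "$dir/$name.key" -days 2 \
      -extfile "$dir/$name.ext" -out "$dir/$name.pem" 2>/dev/null
  else
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/$issuer.pem" \
      -CAkey "$dir/$issuer.key" -CAcreateserial -days 2 \
      -extfile "$dir/$name.ext" -out "$dir/$name.pem" 2>/dev/null
  fi
}

# chain_ok STORE CERT: true only if CERT chains to a trusted CA in STORE.
# No intermediates are supplied separately, so STORE must hold the whole chain.
chain_ok() {
  openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

verdict() { if chain_ok "$1" "$2"; then echo trusted; else echo rejected; fi; }

demo() {
  tmp=$(mktemp -d) || return 1
  make_cert "$tmp" demo-root self TRUE &&
    make_cert "$tmp" demo-sub-ca demo-root TRUE &&
    make_cert "$tmp" server.example demo-sub-ca FALSE &&
    make_cert "$tmp" other-root self TRUE || { rm -rf "$tmp"; return 1; }
  leaf=$tmp/server.example.pem store=$tmp/store.pem
  cp "$tmp/other-root.pem" "$store"      # store trusts only an unrelated CA
  s1=$(verdict "$store" "$leaf")
  cat "$tmp/demo-root.pem" >> "$store"   # root imported, subordinate CA still absent
  s2=$(verdict "$store" "$leaf")
  cat "$tmp/demo-sub-ca.pem" >> "$store" # both CA certs imported
  s3=$(verdict "$store" "$leaf")
  rm -rf "$tmp"
  echo "unrelated CA only: $s1; root only: $s2; root and subordinate CA: $s3"
}

demo
```

The "root only" result holds because the verifier in this demo is given nothing but the server certificate; a peer that sends its intermediate during the handshake would change that case.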


-----Original Message-----
From: owner-ftpapi@xxxxxxxxxxxxx [mailto:owner-ftpapi@xxxxxxxxxxxxx] On
Behalf Of Scott Klement
Sent: 12 April 2006 23:25
To: ftpapi@xxxxxxxxxxxxx
Cc: Boris Henríquez S.
Subject: Re: RV: Problem when connecting from AS/400 to a Link with
https



Gregorio,

It sounds like the Certificate Authority (CA) certificate that you're 
using to verify the server's certificate is either missing, expired, or 
you don't have them selected as "trusted".

If you are, indeed, connecting to wwwcie.ups.com, they use VeriSign 
certificates. These are installed in your iSeries by default, so they're
probably not missing.  More likely, they're expired.

My suggestion, first of all, is to make sure you're running the latest 
version of HTTPAPI (Version 1.15).

Next, do NOT call https_init() and do NOT specify an APP_ID.  You don't 
need to do that with UPS, you can use the default settings for your 
certificate store, you don't have to create your own application setup in
the Digital Certificate Manager (DCM).

If that doesn't help, then verify that the VeriSign CA certificates are 
set up properly in your DCM. To do that, follow these steps:

a) Make sure the HTTP admin server is running on your system:
      STRTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN)

b) Connect to it with a browser:
      http://as400.example.com:2001

c) Click "Digital Certificate Manager"

d) Click "Select a Certificate Store" and use *SYSTEM.  You'll need the 
correct password to access it.

e) On the left, click "Manage Certificates"

f) Then "Validate Certificates"

g) Then "Certificate Authority (CA)" certificates

h) You should have an entry for "VeriSign Class 1".  Select it and click
"Validate"

i) Repeat the last step for "VeriSign Class 2" and "VeriSign Class 3". 
Make sure that they're all valid.

j) If one of them is invalid, there should be PTFs available from IBM to
update them.

---
Scott Klement  http://www.scottklement.com

On Wed, 12 Apr 2006, Gregorio Alarcón B. wrote:

> Hi Scott, I have the following problem, we cannot be connected to a safe
> site HTTPS, but we do not have problems with a site HTTP.
>
>
> In program EXAMPLE4 library libhttp (AS/400 Scott Klement), in the head
> I define the certificate that already this created in the digital
> certificate administrator.
>
> D APP_ID          C                   CONST('EUROAMERICA_HTTPAPI_EXAMPLES')
>
> In the following routine it is part of the example which we are using to
> connect us to a safe site HTTPS, this same routine works to us well with
> HTTP.
>
> C**  The only diff between using HTTPS and using HTTP is
> C**  the URL that we pass.  It starts with 'https://'
> c                   eval      rc=http_url_post(
> c                                 'https://wwwcie.ups.com/ups.app'+
> c                                 '/xml/Track':
> c                                  %addr(data): %len(%trimr(data)):
> c                                  '/home/httptest.html')
> c                   if        rc <> 1
> c                   eval      msg = http_error
> c                   dsply                   msg
> c                   return
> c                   endif
>
> The error message is the following one:
>
> (GSKit) the certificate is not indicated by a verified Authority 
> certifier.
>
> in log of the AS/400 it gives the following message:
>
> Any certificate available for the process of SSL, error does not exist = 403.
>
> What do I need so that this works?
>
> Regards,
> Gregorio
>
>
>


-----------------------------------------------------------------------
This is the FTPAPI mailing list.  To unsubscribe from the list send mail
to majordomo@xxxxxxxxxxxxx with the body: unsubscribe ftpapi mymailaddr
-----------------------------------------------------------------------