RE: FW: HTTPAPI IP address
Scott,
My issue is a lot simpler than what would be required within a generic
API.
These requests are to several specific enterprises with whom we transact
as a 3rd party data source.
I don't believe the IP address changes, but you may have a point should
they do so.
In fact I figure it's probably simpler if I log by the hostname supplied
instead since I just need to be able to identify the traffic for each of
the parties.
The lines for the mod to https_init() are dated 071130 in the attached
file.
Cheers, Peter
-----Original Message-----
From: ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx
[mailto:ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx] On Behalf Of Scott
Klement
Sent: Thursday, 5 February 2009 12:55 p.m.
To: HTTPAPI and FTPAPI Projects
Subject: Re: FW: HTTPAPI IP address
hi Peter,
Peter Connell wrote:
> I'm only interested in logging the IP address resolved from the url
> input to the request.
What about proxies? If HTTPAPI is configured to go through a proxy, it
currently doesn't resolve the end-point's IP address, it only resolves
the proxy's IP address. Which should HTTPAPI return in that instance, the
proxy's address or the end-point?
> I guess either method could return a data structure comprising the
> components.
Components of what? Do you need other information besides the IP
address?
> I figure I'll just add a separate procedure that does a
> gethostbyname() then. I was trying to avoid the overhead of repeating
> that.
You could do that -- but it wouldn't always be accurate. For example, a
DNS lookup on www.google.com will result in a different IP address
almost every time. That's one way that Google does load-balancing across
multiple servers, they provide a different IP address on each lookup,
thus moving the workload to a different computer on each request.
So your call to gethostbyname() might return a different IP address than
HTTPAPI did when it called gethostbyname().
> I had to do a minor hack to support the need to use a separate
> certificate store as well as an APPID for the DCM.
> I needed to replace an existing https request program, written in java,
> with one that uses HTTPAPIR4, without having to change the current
> administration process by which the client certificate is imported. It
> was simple enough to use the APPID field and just check if it is
> supplied as a pathname that begins with a slash.
So if it begins with a slash, you're using GSK_KEYRING_FILE, and
otherwise you use GSK_OS400_APPLICATION_ID? That seems reasonable to
me. Send me your copy of https_init() (I assume that's all you changed)
and I'll incorporate your changes in the next release.
> Also, I've had to start using a callback for SoapAction since we have an
> endpoint that requires an action string which is a url of over 100
> bytes.
Yep, that's a problem -- not just for peSoapAction but also for
peContentType. That needs to be fixed, but it's hard to do without
breaking backward compat. I wish I had more time to work on it...
-----------------------------------------------------------------------
This is the FTPAPI mailing list. To unsubscribe, please go to:
http://www.scottklement.com/mailman/listinfo/ftpapi
-----------------------------------------------------------------------
     P https_init      B                   export                                040727
     D https_init      PI            10I 0                                       040727
     D   peAppID                    100A   const                                 050503
     D   peSSLv2                      1N   const options(*nopass)                040727
     D   peSSLv3                      1N   const options(*nopass)                040727
     D   peTLSv1                      1N   const options(*nopass)                040727
                                                                                 070823
     D LastAppId       s            100A   static inz(*blanks)                   070823
                                                                                 070515
     D FdBk            ds                  inz                                   070515
     D   sev                          5u 0                                       070515
     D   msgno                        5u 0                                       070515
     D   flags                        1a                                         070515
     D   facid                        3a                                         070515
     D   isi                         10u 0                                       070515
                                                                                 040727
     D CEE4RAGE        PR                                                        040727
     D   procedure                     *   procptr const                         040727
     D   feedback                          like(fdbk) options(*omit)             070515
                                                                                 070515
     D CEESGL          PR                                                        070515
     D   cond_rep                          like(fdbk)                            070515
     D   q_data_token                10i 0 const options(*omit)                  070515
     D   feedback                          like(fdbk) options(*omit)             070515
                                                                                 040727
     D rc              S             10I 0                                       040727
                                                                                 040727
     c                   callp     debug_msg('https_init(): entered')            040727
                                                                                 070823
     c                   if        wkEnvH <> *NULL                               070823
     c                             and peAppID <> LastAppId                      070823
     c                   callp     https_cleanup                                 070823
     c                   eval      wkEnvH = *null                                070823
     c                   endif                                                   070823
                                                                                 040727
     c                   if        wkEnvH <> *NULL                               040727
     c                   callp     SetError(HTTP_GSKENVI: 'SSL environment'+     040727
     c                               ' was already initialized!')                040727
     c                   return    0                                             040727
     c                   endif                                                   040727
                                                                                 070823
     c                   eval      LastAppId = peAppId                           070823
                                                                                 040727
     c                   eval      rc = gsk_environment_open(wkEnvh)             040727
     c                   if        rc <> GSK_OK                                  040727
     c                   callp     SetError(HTTP_GSKENVO: 'gsk_env_open: '+      040727
     c                               ssl_error(rc))                              040727
     c                   return    -1                                            040727
     c                   endif                                                   040727
                                                                                 040727
     C* make sure that whatever happens, we clean up the GSKit environment       040727
     C* since it uses a significant portion of memory.                           040727
     C                   callp     CEE4RAGE(%paddr('GSKIT_CLEANUP'): FdBk )      070515
     c                   if        sev<>0                                        070515
     c                   if        facid='CEE' and msgno=12545                   070515
     c                   callp     util_diag('HTTPAPI is running in ' +          070515
     c                               'default activation group. ' +              070515
     c                               'https_cleanup must be run explcitly.')     070515
     c                   else                                                    070515
     C                   callp     CEESGL(fdbk: *omit: *omit)                    070515
     c                   endif                                                   070515
     c                   endif                                                   070515
                                                                                 071130
      * MOD TO PROVIDE FOR KEYRING FILENAME IN peAppId                           071130
     C* If peAppId begins with a slash then assume it is the name of the keyring file  071130
     c                   if        %subst(peAppId :1 :1) = '/'                   071130
     c                   eval      rc = gsk_attribute_set_buffer(                071130
     c                                    wkEnvh: GSK_KEYRING_FILE:              071130
     c                                    peAppId: %len(%trim(peAppId)))         071130
     c                   if        rc <> GSK_OK                                  071130
     c                   callp     SetError(HTTP_GSKKEYF:'Attempt to use ' +     071130
     c                               %trim(peAppId) + ' cert store: ' +          071130
     c                               ssl_error(rc))                              071130
     c                   return    -1                                            071130
     c                   endif                                                   071130
     c                   endif                                                   071130
                                                                                 071130
                                                                                 040727
     C* If no application ID was given, use the *SYSTEM certificate              050503
     C* store as our keyring:                                                    050503
     c                   if        peAppId = *blanks                             050503
     c                   eval      rc = gsk_attribute_set_buffer(                050503
     c                                    wkEnvh: GSK_KEYRING_FILE:              050503
     c                                    '*SYSTEM': 0)                          050503
     c                   if        rc <> GSK_OK                                  050503
     c                   callp     SetError(HTTP_GSKKEYF:'Attempt to use ' +     050503
     c                               '*SYSTEM cert store: ' +                    050503
     c                               ssl_error(rc))                              050503
     c                   return    -1                                            050503
     c                   endif                                                   050503
     c                   endif                                                   050503
                                                                                 050503
     C* If an application ID was given, use that to associate with the           050503
     C* digital certificate manager:                                             050503
     c                   if        peAppID <> *blanks                            050503
     c                             and %subst(peAppId :1 :1) <> '/'              071130
     c                   eval      rc = gsk_attribute_set_buffer(                050503
     c                                    wkEnvh: GSK_OS400_APPLICATION_ID:      040727
     c                                    %trimr(peAppID): 0)                    040727
     c                   if        rc <> GSK_OK                                  040727
     c                   callp     SetError(HTTP_GSKAPPID:'Setting ID: ' +       040727
     c                               ssl_error(rc))                              040727
     c                   return    -1                                            040727
     c                   endif                                                   040727
     c                   endif                                                   050503
                                                                                 040727
     C* tell GSKit that we're a client app:                                      040727
     c                   eval      rc = gsk_attribute_set_enum(wkEnvh:           040727
     c                                    GSK_SESSION_TYPE: GSK_CLIENT_SESSION)  040727
     c                   if        rc <> GSK_OK                                  040727
     c                   callp     SetError(HTTP_GSKSTYP: 'Setting ' +           040727
     c                               'session type: ' + ssl_error(rc))           040727
     c                   return    -1                                            040727
     c                   endif                                                   040727
                                                                                 051006
     C* Allow passthru of the server's info:                                     051006
     C* (Note: GSK_SERVER_AUTH_TYPE isn't available on V5R2 and                  070206
     C*  earlier without a PTF. See APAR SE07984 for more                        070206
     C*  info. If the current system doesn't support this                        070206
     C*  option, GSK_ATTRIBUTE_INVALID_ID will be returned. )                    070206
     c                   eval      rc = gsk_attribute_set_enum(wkEnvh:           051006
     c                                    GSK_SERVER_AUTH_TYPE:                  051006
     c                                    GSK_SERVER_AUTH_PASSTHRU)              051006
     c                   if        rc <> GSK_OK                                  051006
     c                             and rc <> GSK_ATTRIBUTE_INVALID_ID            070206
     c                   callp     SetError(HTTP_GSKATYP: 'Setting ' +           051006
     c                               'auth type: ' + ssl_error(rc))              051006
     c                   return    -1                                            051006
     c                   endif                                                   051006
                                                                                 040727
     C* Tell GSKit that we want passthru authentication:                         040727
     c*                                                                          040727
     C* FIXME: Using 'AUTH_PASSTHRU' means that we can start                     040727
     C* even if some elements of the certificate chain are invalid.              040727
     C* We should really be checking to see what, if anything, is                040727
     C* not valid, and let the user know!                                        040727
     c*                                                                          040727
     c                   eval      rc = gsk_attribute_set_enum(wkEnvh:           040727
     c                                    GSK_CLIENT_AUTH_TYPE:                  040727
     c                                    GSK_CLIENT_AUTH_PASSTHRU)              040727
     c                   if        rc <> GSK_OK                                  040727
     c                   callp     SetError(HTTP_GSKATYP: 'Setting ' +           040727
     c                               'auth type: ' + ssl_error(rc))              040727
     c                   return    -1                                            040727
     c                   endif                                                   040727
                                                                                 040727
     C* If requested, set the allowed SSL protocol versions                      040727
     c                   if        %parms >= 4                                   040727
     c                   if        SSL_force_protocol(wkEnvh: peSSLv2:           040727
     c                                    peSSLv3: peTLSv1) = *OFF               040727
     c                   return    -1                                            040727
     c                   endif                                                   040727
     c                   endif                                                   040727
                                                                                 040727
     C* Initialize the SSL environment. After this, secure sessions              040727
     C* can be created!                                                          040727
     c                   eval      rc = gsk_environment_init(wkEnvh)             040727
     c                   if        rc <> GSK_OK                                  040727
     c                   if        rc = GSK_AS400_ERROR_NOT_REGISTERED           040727
     c                   callp     SetError(HTTP_NOTREG: 'Application ' +        040727
     c                               'is not registered with DCM!')              040727
     c                   return    -1                                            040727
     c                   else                                                    040727
     c                   callp     SetError(HTTP_GSKATYP: 'gsk_env_init: '+      040727
     c                               ssl_error(rc))                              040727
     c                   endif                                                   040727
     c                   endif                                                   040727
                                                                                 041009
     c                   callp     debug_msg('---------------------------'+      041009
     c                               '---------------------------'+              041009
     c                               '---------------------------'+              041009
     c                               '----')                                     041009
                                                                                 041009
     c                   callp     debug_msg('Dump of local-side certific'+      041009
     c                               'ate information:')                         041009
                                                                                 041009
     c                   callp     debug_msg('---------------------------'+      041009
     c                               '---------------------------'+              041009
     c                               '---------------------------'+              041009
     c                               '----')                                     041009
                                                                                 041009
     c                   callp     SSL_debug_cert_info(wkEnvh                    041009
     c                                                : GSK_LOCAL_CERT_INFO )    041009
                                                                                 040727
     c                   if        rc = GSK_OK                                   041009
     c                   return    0                                             040727
     c                   else                                                    041009
     c                   return    -1                                            041009
     c                   endif                                                   041009
     P                 E                                                         040727
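
The quoted reply notes that a second gethostbyname() can return a different address than the lookup the connection was made with. The C code below is an added example, not part of the original thread or of HTTPAPI: it reads the address back from the connected socket instead of resolving again. connect_and_log() and local_listener() are hypothetical names, and it uses the POSIX getaddrinfo()/getpeername() calls rather than HTTPAPI's own routines.

```c
#define _POSIX_C_SOURCE 200112L  /* expose getaddrinfo() under strict -std= */
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical helper, not an HTTPAPI routine: resolve once, connect, then ask
 * the connected socket (not DNS again) for the peer. Returns the fd or -1. */
int connect_and_log(const char *host, const char *port, char *ip, size_t iplen)
{
    struct addrinfo hints, *res, *ai;
    struct sockaddr_storage peer;
    socklen_t plen = sizeof peer;
    int fd = -1;
    memset(&hints, 0, sizeof hints);         /* ai_family 0 is AF_UNSPEC */
    hints.ai_socktype = SOCK_STREAM;
    if (getaddrinfo(host, port, &hints, &res) != 0)
        return -1;
    for (ai = res; ai != NULL && fd < 0; ai = ai->ai_next) {
        fd = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
        if (fd >= 0 && connect(fd, ai->ai_addr, ai->ai_addrlen) != 0) {
            close(fd);                       /* this record failed, try next */
            fd = -1;
        }
    }
    freeaddrinfo(res);
    if (fd >= 0 && (getpeername(fd, (struct sockaddr *)&peer, &plen) != 0 ||
                    getnameinfo((struct sockaddr *)&peer, plen, ip,
                                (socklen_t)iplen, NULL, 0, NI_NUMERICHOST) != 0)) {
        close(fd);
        fd = -1;
    }
    return fd;
}

/* Constructed fixture for offline runs: loopback listener on a free port. */
int local_listener(char *port, size_t portlen)
{
    struct sockaddr_in a = { .sin_family = AF_INET };
    socklen_t alen = sizeof a;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (fd < 0 || bind(fd, (struct sockaddr *)&a, sizeof a) != 0 ||
        listen(fd, 1) != 0 || getsockname(fd, (struct sockaddr *)&a, &alen) != 0)
        return -1;
    snprintf(port, portlen, "%u", (unsigned)ntohs(a.sin_port));
    return fd;
}
```

When the connection goes through a proxy, the value returned is the proxy's address, since that is the socket's peer.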