
Re: Question on HTTPAPI and GSKIt API's



Hello,

Peter is referring to CLIENT CERTIFICATES... which is a specific
usage of digital certificates that's not very commonly used. (However,
it's still supported by HTTPAPI.)

I just wanted to clarify the terminology. Digital certificates are
*always* used in SSL. Specifically, there's always a server certificate
and a CA certificate that are used. Client certificates are an
additional option that's also available, not infrequently used.


Peter Connell wrote:
> Yes, we have used it to talk to a government web service that
> protects access by requiring clients to authenticate via a digital
> certificate issued by them as the issuing authority. They provide a
> web site where clients can register and create a digital certificate
> that establishes an identity that is retained within the government
> certificate store. To use their web service, the client must download
> their unique digital cert and use it to authenticate when attempting
> to access the web service.
> 
> The downloaded certificate should be imported into the i5 certificate
> store via the import facility of the DCM provided by the *ADMIN
> server where it should also be assigned to an application ID of your
> choice. The application ID is simply used as a parameter when
> establishing a connection via an SSL socket API.
> 
> Once the cert has been installed via the DCM, Scott has provided a
> means of using it by adding a procedure call that simply accepts the
> application ID as a parameter that will subsequently be passed to the
> GSK API on a connection attempt. Providing that you have elected to
> compile Scott's HTTPAPI with the option to support digital certs,
> then that's about all there is to it.
> 
> Of course, all authorities that supply digital certs issue them with
> an expiry date, so a certain amount of vigilance is required to
> ensure that you download and install a new (or renewed) certificate
> prior to the expiry date to avoid the operational errors that might
> arise when authentication begins failing because your client
> certificate has expired.
> 
> Peter
> 
-----------------------------------------------------------------------
This is the FTPAPI mailing list.  To unsubscribe, please go to:
http://www.scottklement.com/mailman/listinfo/ftpapi
-----------------------------------------------------------------------