Re: Question on HTTPAPI and GSKIt API's
Hello,

Peter is referring to CLIENT CERTIFICATES... which is a specific
usage of digital certificates that's not very commonly used. (However,
it's still supported by HTTPAPI.)

I just wanted to clarify the terminology. Digital certificates are
*always* used in SSL. Specifically, there's always a server certificate
and a CA certificate that's used. Client certificates are an
additional option that's also available, not infrequently used.

Peter Connell wrote:
> Yes, we have used it to talk to a government web service that
> protects access by requiring clients to authenticate via a digital
> certificate issued by them as the issuing authority. They provide a
> web site where clients can register and create a digital certificate
> that establishes an identity that is retained within the government
> certificate store. To use their web service, the client must download
> their unique digital cert and use it to authenticate when attempting
> to access the web service.
>
> The downloaded certificate should be imported into the i5 certificate
> store via the import facility of the DCM provided by the *ADMIN
> server where it should also be assigned to an application ID of your
> choice. The application ID is simply used as a parameter when
> establishing a connection via an SSL socket API.
>
> Once the cert has been installed via the DCM, Scott has provided a
> means of using it by adding a procedure call that simply accepts the
> application ID as a parameter that will subsequently be passed to the
> GSK API on a connection attempt. Providing that you have elected to
> compile Scott's HTTPAPI with the option to support digital certs,
> then that's about all there is to it.
>
> Of course, all authorities that supply digital certs issue them with
> an expiry date, so a certain amount of vigilance is required to
> ensure that you download and install a new (or renewed) certificate
> prior to the expiry date to avoid the operational errors that might
> arise when authentication begins failing because your client
> certificate has expired.
>
> Peter
>
-----------------------------------------------------------------------
This is the FTPAPI mailing list. To unsubscribe, please go to:
http://www.scottklement.com/mailman/listinfo/ftpapi
-----------------------------------------------------------------------
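
An added example, not part of the original messages or of HTTPAPI: a Python check for the client-certificate expiry concern raised in the quoted message, flagging certificates that need renewal before authentication starts failing. The application IDs, notAfter dates and the 30-day renewal window are constructed assumptions; in practice the dates are read from the certificates assigned to each application ID.

```python
import ssl
from datetime import datetime, timezone

# Constructed inventory: application ID -> notAfter of its client certificate,
# in the "Mon DD HH:MM:SS YYYY GMT" form that OpenSSL and Python's ssl module print.
INVENTORY = {
    "EXAMPLE_GOV_CLIENT": "Mar 15 23:59:59 2025 GMT",
    "EXAMPLE_PARTNER_A": "Jan  5 09:34:43 2024 GMT",
    "EXAMPLE_PARTNER_B": "Dec 31 23:59:59 2026 GMT",
    "EXAMPLE_BROKEN": "not a date",
}

# Most urgent first when the report is sorted.
URGENCY = {"EXPIRED": 0, "UNREADABLE": 1, "RENEW": 2, "OK": 3}


def days_left(not_after, now):
    """Whole days from `now` (timezone-aware) until the certificate expires."""
    expires = ssl.cert_time_to_seconds(not_after)  # raises ValueError if malformed
    return int((expires - now.timestamp()) // 86400)


def triage(inventory, now, renew_window_days=30):
    """Return (app_id, days_left, status) tuples, most urgent first."""
    rows = []
    for app_id, not_after in inventory.items():
        try:
            remaining = days_left(not_after, now)
        except ValueError:
            # A date that cannot be parsed is surfaced, never assumed valid.
            rows.append((app_id, None, "UNREADABLE"))
            continue
        if remaining < 0:
            status = "EXPIRED"
        elif remaining <= renew_window_days:
            status = "RENEW"
        else:
            status = "OK"
        rows.append((app_id, remaining, status))
    rows.sort(key=lambda r: (URGENCY[r[2]], r[1] if r[1] is not None else 0))
    return rows


if __name__ == "__main__":
    for app_id, remaining, status in triage(INVENTORY, datetime.now(timezone.utc)):
        print(f"{status:<10} {app_id:<20} days_left={remaining}")
```

Run on a schedule, a report like this gives advance notice to download and install the renewed certificate before the old one lapses.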