
Re: Consuming a web service that requires certificate-based authentication



   Nick,
   Just to verify:  You are giving HTTPAPI an application ID via
   https_init(), and you have created/configured that appid in the digital
   certificate manager to include a client-side certificate to be used for
   authentication.  Correct?
   If so, I believe that the "peer not recognized" is a bug in the IBM
   GSKit code, it's not something you or I can fix.   From your log, it's
   clear that you _are_ successfully connecting to the HTTP server, and
   successfully negotiating SSL (handshake).   So the GSKit has already
   determined that the connection is okay.   Then, part way through, it's
   determining that the SSL message is corrupt...   410 =
   GSK_ERROR_BAD_MESSAGE.    As if what the server is sending is an
   invalid message.
   I would try googling GSK_ERROR_BAD_MESSAGE and see if you can find a
   PTF.  If not, I'd say the problem is on IBM's end in this case.  If it
   were occurring during the connection start  (handshake) then I could
   see this possibly being a misconfiguration of some sort...  but, it's
   not.
   I don't understand the comment about "the answer seemed to be that
   HTTPAPI didn't support it."  Doesn't support what?  Client-side
   certificates?  HTTPAPI has always supported that.  (It doesn't require
   any programming to support this -- it's just a configuration in the
   Digital Certificate Manager.)

   On 5/1/2013 11:50 AM, Nick Townsend wrote:

   Hi,


   I am using HTTPAPI to consume a .net web service written by our PC
   developers.  I've done this before without any problems, but they now
   want to use certificate-based authentication rather than basic HTTP
   authentication which we have used before.  I generated a new cert to
   use for testing and provided the PC guys with it together with our
   internal CA cert, both of which they say they have loaded at their
   end.  When I fire the web service with authentication switched off it
   works fine, but when authentication is on everything appears OK in the
   log until the response comes back from the web service, when GSKit
   throws a 410 error.  I've attached the logs with authentication on and
   off, and the code of the test rig that I'm using.

   I've searched the archive and some time ago someone did ask about using
   certificates for authentication, but the answer seemed to be that
   HTTPAPI didn't support it.  I Googled a bit and the Wikipedia entry for
   TLS has descriptions of the "Simple TLS handshake" and the
   "Client-authenticated TLS handshake" which suggest that there are extra
   exchanges that take place during the setup of an authenticated
   conversation, but if that was the problem here I would have expected
   the error to occur before things got as far as the sending of the
   request.


   I assume that GSKit must provide a way of doing whatever is required to
   authenticate using certificates, but looking at the API documentation
   has left me completely baffled. Can anyone see what I'm doing wrong or
   point me in the right direction to get this working?


   Thanks,


   Nick



   _______________________________

   Nick Townsend

   Technical Architect

   Endsleigh Insurance Services Limited

   Telephone: +44 (0)1242 866426


-----------------------------------------------------------------------
This is the FTPAPI mailing list.  To unsubscribe, please go to:
http://www.scottklement.com/mailman/listinfo/ftpapi
-----------------------------------------------------------------------
