Re: Consuming a web service that requires certificate-based authentication
Nick,
Just to verify: You are giving HTTPAPI an application ID via
https_init(), and you have created/configured that appid in the digital
certificate manager to include a client-side certificate to be used for
authentication. Correct?
If so, I believe that the "peer not recognized" is a bug in the IBM
GSKit code, it's not something you or I can fix. From your log, it's
clear that you _are_ successfully connecting to the HTTP server, and
successfully negotiating SSL (handshake). So the GSKit has already
determined that the connection is okay. Then, part way through, it's
determining that the SSL message is corrupt... 410 =
GSK_ERROR_BAD_MESSAGE. As if what the server is sending is an
invalid message.
I would try googling GSK_ERROR_BAD_MESSAGE and see if you can find a
PTF. If not, I'd say the problem is on IBM's end in this case. If it
were occurring during the connection start (handshake) then I could
see this possibly being a misconfiguration of some sort... but, it's
not.
I don't understand the comment about "the answer seemed to be that
HTTPAPI didn't support it." Doesn't support what? Client-side
certificates? HTTPAPI has always supported that. (It doesn't require
any programming to support this -- it's just a configuration in the
Digital Certificate Manager.)
On 5/1/2013 11:50 AM, Nick Townsend wrote:
Hi,
I am using HTTPAPI to consume a .net web service written by our PC
developers. I've done this before without any problems, but they now
want to use certificate-based authentication rather than basic HTTP
authentication which we have used before. I generated a new cert to
use for testing and provided the PC guys with it together with our
internal CA cert, both of which they say they have loaded at their
end. When I fire the web service with authentication switched off it
works fine, but when authentication is on everything appears OK in the
log until the response comes back from the web service, when GSKit
throws a 410 error. I've attached the logs with authentication on and
off, and the code of the test rig that I'm using.
I've searched the archive and some time ago someone did ask about using
certificates for authentication, but the answer seemed to be that
HTTPAPI didn't support it. I Googled a bit and the Wikipedia entry for
TLS has descriptions of the "Simple TLS handshake" and the
"Client-authenticated TLS handshake" which suggest that there are extra
exchanges that take place during the setup of an authenticated
conversation, but if that was the problem here I would have expected
the error to occur before things got as far as the sending of the
request.
I assume that GSKit must provide a way of doing whatever is required to
authenticate using certificates, but looking at the API documentation
has left me completely baffled. Can anyone see what I'm doing wrong or
point me in the right direction to get this working?
Thanks,
Nick
_______________________________
Nick Townsend
Technical Architect
Endsleigh Insurance Services Limited
Telephone: +44 (0)1242 866426
-----------------------------------------------------------------------
This is the FTPAPI mailing list. To unsubscribe, please go to:
http://www.scottklement.com/mailman/listinfo/ftpapi
-----------------------------------------------------------------------