
RE: Consuming a web service that requires certificate-based authentication



Scott,

> Just to verify:  You are giving HTTPAPI an application ID via https_init(), and you have created/configured that appid in the digital certificate
> manager to include a client-side certificate to be used for authentication.  Correct?
Yes.  The local-side cert details that appear in the logs are definitely from the new cert that I created for this app.

> I don't understand the comment about "the answer seemed to be that
> HTTPAPI didn't support it. "   Doesn't support what?  Client-side
> certificates?  HTTPAPI has always supported that.  (It doesn't require any programming to support this -- it's just a configuration in the Digital
> Certificate Manager.)
The thread that I found on the archive that looked as if it might possibly relate to the same subject is http://scottklement.com/archives/ftpapi/201104/msg00044.html.

The only difference between the request that worked and the one that didn't was that authentication had been switched on on the server, so obviously the server is responding differently.  Unfortunately the PC developers don't seem to have any understanding of what is actually going on under the covers, all they know is that they change a setting in a config file to say that they want to authenticate using certificates.

I haven't been able to find any GSKit-related APARs or PTFs that sound like the same thing, so it looks like running traces to see what's different is the next step.  I'll keep you posted if I make any progress.

Nick

_______________________________
Nick Townsend
Technical Architect
Endsleigh Insurance Services Limited
Telephone: +44 (0)1242 866426
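
Added example (not from this thread, from HTTPAPI or from IBM's GSKit): when the next step is reading traces, the useful question is where in the server-to-client byte stream the client certificate is negotiated. In TLS 1.2 a server can ask for it during the initial handshake (a CertificateRequest before ServerHelloDone) or, after application data has already flowed, by starting a renegotiation, which shows up in a trace as a Handshake record arriving after ApplicationData records. The Python below parses one direction of a TLS record stream and reports which of the two it sees. The byte streams are constructed samples with filler payloads, not the logs attached to the original message; the record and handshake type numbers are the standard TLS 1.2 values.

```python
import struct
from dataclasses import dataclass
from typing import List

# TLS record-layer content types (RFC 5246 section 6.2.1).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
# Handshake message types, readable only while the record is still in the clear.
HANDSHAKE_TYPES = {0: "hello_request", 1: "client_hello", 2: "server_hello", 11: "certificate",
                   12: "server_key_exchange", 13: "certificate_request",
                   14: "server_hello_done", 15: "certificate_verify",
                   16: "client_key_exchange", 20: "finished"}
ALERT_DESCRIPTIONS = {40: "handshake_failure", 42: "bad_certificate", 46: "certificate_unknown",
                      48: "unknown_ca", 80: "internal_error"}


@dataclass
class Record:
    content_type: str
    version: str
    length: int
    detail: str  # handshake message names, alert name, "encrypted", or ""


def parse_handshake(body: bytes) -> List[str]:
    """Split a plaintext Handshake record into its message type names."""
    names, i = [], 0
    while i + 4 <= len(body):
        msg_type = body[i]
        msg_len = int.from_bytes(body[i + 1:i + 4], "big")
        names.append(HANDSHAKE_TYPES.get(msg_type, f"handshake({msg_type})"))
        i += 4 + msg_len
    return names


def parse_records(stream: bytes) -> List[Record]:
    """Parse one direction of a TLS byte stream (here: server to client).
    Everything after the sender's ChangeCipherSpec is encrypted, so for those
    records only the content type is reported."""
    records, encrypted, i = [], False, 0
    while i + 5 <= len(stream):
        ctype, major, minor, length = struct.unpack("!BBBH", stream[i:i + 5])
        body = stream[i + 5:i + 5 + length]
        if len(body) < length:
            raise ValueError(f"truncated record at offset {i}")
        i += 5 + length
        detail = ""
        if encrypted:
            detail = "encrypted"
        elif ctype == 22:
            detail = ",".join(parse_handshake(body))
        elif ctype == 21 and len(body) == 2:
            detail = ALERT_DESCRIPTIONS.get(body[1], f"alert({body[1]})")
        elif ctype == 20:
            encrypted = True
        records.append(Record(CONTENT_TYPES.get(ctype, f"unknown({ctype})"),
                              f"{major}.{minor}", length, detail))
    return records


def diagnose(records: List[Record]) -> str:
    """Say where, if anywhere, the server asked for a client certificate."""
    saw_app_data = False
    for r in records:
        if "certificate_request" in r.detail:
            return "client certificate requested in the initial handshake"
        if r.content_type == "application_data":
            saw_app_data = True
        elif saw_app_data and r.content_type == "handshake":
            return "handshake record after application data: renegotiation"
        elif saw_app_data and r.content_type == "alert":
            return f"alert after application data: {r.detail}"
    return "no client certificate negotiation observed"


# Helpers to build the constructed sample streams (payload bytes are filler).
def rec(ctype: int, body: bytes) -> bytes:
    return bytes([ctype, 3, 3]) + len(body).to_bytes(2, "big") + body


def hs(msg_type: int, payload: bytes) -> bytes:
    return bytes([msg_type]) + len(payload).to_bytes(3, "big") + payload


# Constructed: the server asks for the client certificate up front.
SAMPLE_INITIAL_AUTH = (
    rec(22, hs(2, b"\0" * 38) + hs(11, b"\0" * 16) + hs(13, b"\0" * 4) + hs(14, b""))
    + rec(20, b"\x01") + rec(22, b"\0" * 40) + rec(23, b"\0" * 64))

# Constructed: plain handshake, response data, then a Handshake record,
# i.e. the server starts a renegotiation mid-connection.
SAMPLE_RENEGOTIATION = (
    rec(22, hs(2, b"\0" * 38) + hs(11, b"\0" * 16) + hs(14, b""))
    + rec(20, b"\x01") + rec(22, b"\0" * 40) + rec(23, b"\0" * 64) + rec(22, b"\0" * 20))

if __name__ == "__main__":
    for label, sample in (("initial", SAMPLE_INITIAL_AUTH), ("renegotiation", SAMPLE_RENEGOTIATION)):
        recs = parse_records(sample)
        print(label, [(r.content_type, r.detail) for r in recs], "->", diagnose(recs))
```

Feed it the server-to-client bytes from a trace (one direction at a time, since the encryption switch-over happens separately in each direction). A trace whose first Handshake record contains a CertificateRequest points at a handshake-time problem; one where a Handshake record only appears after the response has started points at a mid-connection renegotiation, which is a different thing for the client library to handle.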

-----Original Message-----
From: ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx [mailto:ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx] On Behalf Of Scott Klement
Sent: 02 May 2013 17:24
To: HTTPAPI and FTPAPI Projects
Subject: Re: Consuming a web service that requires certificate-based authentication

Nick,

Just to verify:  You are giving HTTPAPI an application ID via https_init(), and you have created/configured that appid in the digital certificate manager to include a client-side certificate to be used for authentication.  Correct?

If so, I believe that the "peer not recognized" is a bug in the IBM GSKit code, it's not something you or I can fix.   From your log, it's clear that you _are_ successfully connecting to the HTTP server, and successfully negotiating SSL (handshake).   So the GSKit has already determined that the connection is okay.   Then, part way through, it's determining that the SSL message is corrupt...   410 = GSK_ERROR_BAD_MESSAGE.    As if what the server is sending is an invalid message.

I would try googling GSK_ERROR_BAD_MESSAGE and see if you can find a PTF.  If not, I'd say the problem is on IBM's end in this case.  If it were occurring during the connection start  (handshake) then I could see this possibly being a misconfiguration of some sort... but, it's not.

I don't understand the comment about "the answer seemed to be that HTTPAPI didn't support it. "   Doesn't support what?  Client-side certificates?  HTTPAPI has always supported that.  (It doesn't require any programming to support this -- it's just a configuration in the Digital Certificate Manager.)

On 5/1/2013 11:50 AM, Nick Townsend wrote:
> Hi,
>
> I am using HTTPAPI to consume a .net web service written by our PC
> developers.  I've done this before without any problems, but they now
> want to use certificate-based authentication rather than basic HTTP
> authentication which we have used before.  I generated a new cert to
> use for testing and provided the PC guys with it together with our
> internal CA cert, both of which they say they have loaded at their
> end.  When I fire the web service with authentication switched off it
> works fine, but when authentication is on everything appears OK in the
> log until the response comes back from the web service, when GSKit
> throws a 410 error.  I've attached the logs with authentication on and
> off, and the code of the test rig that I'm using.
>
> I've searched the archive and some time ago someone did ask about using
> certificates for authentication, but the answer seemed to be that
> HTTPAPI didn't support it.  I Googled a bit and the Wikipedia entry for
> TLS has descriptions of the "Simple TLS handshake" and the
> "Client-authenticated TLS handshake" which suggest that there are extra
> exchanges that take place during the setup of an authenticated
> conversation, but if that was the problem here I would have expected
> the error to occur before things got as far as the sending of the
> request.
>
> I assume that GSKit must provide a way of doing whatever is required to
> authenticate using certificates, but looking at the API documentation
> has left me completely baffled. Can anyone see what I'm doing wrong or
> point me in the right direction to get this working?
>
> Thanks,
>
> Nick
>
> _______________________________
> Nick Townsend
> Technical Architect
> Endsleigh Insurance Services Limited
> Telephone: +44 (0)1242 866426
>
> __________________________________________________________________
> Information contained in this email is intended for the use of the
> addressee only, and is confidential and may be the subject of legal
> professional privilege. Any dissemination, distribution, copying or use
> of this communication without prior permission of the addressee is
> strictly prohibited. If you have received this email in error please
> notify the Help Desk at Endsleigh on 01242 866866.
> The contents of an attachment to this email may contain software
> viruses, which could damage your computer system. While Endsleigh has
> taken every reasonable precaution to minimise this risk, we cannot
> accept liability for any damage, which you sustain as a result of
> software viruses. You should carry out your own virus checks before
> opening the attachment.
> http://www.endsleigh.co.uk
> Endsleigh Insurance Services Limited is authorised and regulated by the
> Financial Services Authority. This can be checked on the FSA Register
> by visiting its website at www.fsa.gov.uk/register/
> Company number: 856706
> Registered in England at Shurdington Road, Cheltenham Spa,
> Gloucestershire GL51 4UE
>
> -----------------------------------------------------------------------
> This is the FTPAPI mailing list.  To unsubscribe, please go to:
> http://www.scottklement.com/mailman/listinfo/ftpapi
> -----------------------------------------------------------------------