
RE: Is a certificate required for SSL on IBM i (was: Re: Can HTTPAPI send a CSV and recieve a response?)



Hi,

Thanks for the comments and discussion.

Apparently the client requires a specific certificate to allow access.  They pointed me to their documentation, but it's all about doing it in Java using something called Bouncy Castle and I can't make heads or tails of it.  How do I make this work in the iSeries using HTTPAPI?

Below are the instructions they sent me.

Thanks for all the help,
Charlie


This chapter explains how to use the sample Java code from CyberSource to upload your
files to CyberSource.
Requirements
- J2SE 1.4 or higher
- Unlimited Strength Jurisdiction Policy files from Sun Microsystems® (US_export_policy.jar and local_policy.jar), available at http://java.sun.com/j2se/1.4.2/download.html#docs
- Bouncy Castle, which includes bcmail*.jar, bcpg*.jar, bcprov*.jar and bctest*.jar, available at www.bouncycastle.org
- Click here to view CyberSource’s sample code package.
Using the Sample Code for Basic Authentication
Step 1 Replace your Java installation’s existing security policy files with the new ones you
downloaded from Sun’s site:
a Locate your existing US_export_policy.jar and local_policy.jar files in the
$JAVA_HOME/jre/lib/security directory.
b Rename or move your existing files to another directory.
c Copy the new US_export_policy.jar and local_policy.jar that you
downloaded from Sun to the $JAVA_HOME/jre/lib/security directory.
Note
The sample code was developed and tested on a Solaris platform.
Offline Transaction File Submission Implementation Guide | February 2013 52
Chapter 3 Java Sample Code for Uploading Files
Step 2 Copy the Bouncy Castle *.jar files to the $JAVA_HOME/jre/lib/ext directory.
Step 3 Edit $JAVA_HOME/jre/lib/security/java.security and insert the security
provider right after the Sun provider. Make sure to increment the numbers of the other
providers in the list. The line to insert is this:
security.provider.2=org.bouncycastle.jce.provider.BouncyCastleProvider
Your list of security providers will now look similar to this:
security.provider.1=sun.security.provider.Sun
security.provider.2=org.bouncycastle.jce.provider.BouncyCastleProvider
security.provider.3=com.sun.net.ssl.internal.ssl.Provider
security.provider.4=com.sun.rsajca.Provider
security.provider.5=com.sun.crypto.provider.SunJCE
security.provider.6=sun.security.jgss.SunProvider
Step 4 Import your CyberSource Simple Order API .p12 security key into Internet Explorer. See
Chapter 3, "Simple Order API Security Key," on page 52.
a Open an Internet Explorer Web browser, go to Tools > Internet Options..., and click
the Content tab.
b Click Certificates....
c Click Import... to open the Certificate Import Wizard and click Next to start the
Wizard.
d Browse to the location of your .p12 security key and click Next.
For the password for the private key, enter your CyberSource merchant ID. For
example, if your key is infodev.p12, enter infodev as the password.
e On this page, click the check box for Mark this key as exportable and then click
Next.
f Click Next on the Certificate Store page.
g Click Finish and you will see a confirmation that the import was successful.
Step 5 Create a key store file to contain your CyberSource Simple Order API .p12 security key:
a In a Web browser, go to one of the following URLs:
If you are in test mode and have not gone live with CyberSource:
https://batchtest.cybersource.com/upload/UploadBatchFile
If you have gone live with CyberSource:
https://batch.cybersource.com/upload/UploadBatchFile
b Go to File > Properties.
c Click Certificates.
d Click the Certification Path tab.
e Select Entrust.net Secure Server Certification Authority.
f Click View Certificate.
g Click the Details tab.
h Click Copy to File and then Next.
i Click Browse and navigate to where you want to save the file.
j Enter the name you want to use for the file, such as MyCert. Click Save and click
Next.
k Click Finish.
Your file, for example MyCert.cer, has been created in the location you specified.
l Go to $JAVA_HOME/bin/keytool and use the J2SE keytool program to create a
keystore file that contains this newly created certificate. You will need to provide a
pass phrase for the keystore. You MUST use the same password that you used in
Step d on page 52, which is part of Step 4 above. For example, if your p12 key is
infodev.p12, the pass phrase must be infodev.
To create the keystore, type the following command:
$JAVA_HOME/bin/keytool -import -file <path to certificate>/<name of certificate file> -keystore <name of keystore file>.jks -storepass <pass phrase of keystore>
For example:
$JAVA_HOME/bin/keytool -import -file /home/bluu/MyCert.cer -keystore MyKeystore.jks -storepass myMerchantID
If successful, the output will be similar to this:
Owner: CN=batchtest.cybersource.com, OU=Operations,
O=Cybersource Corporation, L=Mountain View, ST=California, C=US
Issuer: CN=Entrust.net Secure Server Certification Authority,
OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS incorp.
by ref. (limits liab.), O=Entrust.net, C=US
Serial number: 374e1b7b
Valid from: Thu Nov 18 17:15:34 PST 2004 until: Tue Jan 31
17:51:24 PST 2006
Certificate fingerprints:
MD5: BE:BF:B0:91:69:C4:7B:10:45:EC:D6:0F:16:AA:3D:77
SHA1: 07:F8:41:DC:B2:FC:F5:DA:FC:EE:09:7A:33:B8:29:15:31:18
Trust this certificate? [no]: yes
Certificate was added to keystore
Step 6 Modify the SSLFileTransfer.props file with your settings. The file is part of the
CyberSource download package and looks similar to this:
# Upload host
host=batchtest.cybersource.com
# Upload port
port=<upload port>
# Username to log into the Business Center
bcUserName=<Business Center login name>
# Password to log into the Business Center
bcPassword=<Business Center login password>
# File to upload
uploadFile=<path to your file>/<file name>
# Path where to upload the file (provided by CyberSource)
path=/upload/UploadBatchFile
# Your CyberSource security key
key=<key location path>/<key file name>
# New key store you just created that contains the certificate
keyStore=<key store location>/<new key store name>
# pass phrase is the string you used in -storepass option when you
# created the key store file earlier
passPhrase=<pass phrase>
Step 7 Set the JAVA_HOME environment variable to where you installed J2SE. For example:
JAVA_HOME=/home/j2se
Step 8 Include $JAVA_HOME/bin in the PATH.
Step 9 Compile and run the sample:
a Change to the directory where you stored the CyberSource sample files.
b Type the following:
javac SSLFileTransfer.java
java SSLFileTransfer <path to props file>/SSLFileTransfer.props
If the upload is successful, the output should look similar to this:
HTTP/1.1 200 OK
Date: Wed, 26 Jan 2005 17:26:31 GMT
Server: Apache Coyote/1.0
Content-Type: text/plain
Content-Length: 0
X-Cache: MISS from <your host>
Connection: close
UPLOAD FILE SUCCESSFUL
Certificate Authentication
Certificate authentication allows you to upload a batch file using a certificate rather than a
username and password as used with basic authentication.
To use certificate authentication, follow the steps below:
Step 1 Replace your Java installation’s existing security policy files with the new ones you
downloaded from Sun’s site:
a Locate your existing US_export_policy.jar and local_policy.jar files in the
$JAVA_HOME/jre/lib/security directory.
b Rename or move your existing files to another directory.
c Copy the new US_export_policy.jar and local_policy.jar that you
downloaded from Sun to the $JAVA_HOME/jre/lib/security directory.
Step 2 Copy the Bouncy Castle *.jar files to the $JAVA_HOME/jre/lib/ext directory.
Step 3 Edit $JAVA_HOME/jre/lib/security/java.security and insert the security
provider right after the Sun provider. Make sure to increment the numbers of the other
providers in the list. The line to insert is this:
security.provider.2=org.bouncycastle.jce.provider.BouncyCastleProvider
Your list of security providers will now look similar to this:
security.provider.1=sun.security.provider.Sun
security.provider.2=org.bouncycastle.jce.provider.BouncyCastleProvider
security.provider.3=com.sun.net.ssl.internal.ssl.Provider
security.provider.4=com.sun.rsajca.Provider
security.provider.5=com.sun.crypto.provider.SunJCE
security.provider.6=sun.security.jgss.SunProvider
Step 4 Import your CyberSource Simple Order API .p12 security key into Internet Explorer. See
Chapter 3, "Simple Order API Security Key," on page 52.
a Open an Internet Explorer Web browser, go to Tools > Internet Options..., and click
the Content tab.
b Click Certificates....
c Locate your .p12 certificate here, or click Import... to open the Certificate Import
Wizard and click Next to start the Wizard.
d Browse to the location of your p12 security key and click Export.
Continue through the Wizard, and do not export the private key.
e When prompted for format, select Base-64 encoded X.509 (.CER).
f Browse and select a file name for where to export the file.
g Reference this certificate as your "public" certificate for CertAuthentication Batch
Upload.
Step 5 Create a key store file to contain your CyberSource Simple Order API .p12 security key:
a In a Web browser, go to one of the following URLs:
If you are in test mode and have not gone live with CyberSource:
https://batchtest.cybersource.com/upload/UploadBatchFile
If you have gone live with CyberSource:
https://batch.cybersource.com/upload/UploadBatchFile
b Go to File > Properties.
c Click Certificates.
d Click the Certification Path tab.
e Select Entrust.net Secure Server Certification Authority.
f Click View Certificate.
g Click the Details tab.
h Click Copy to File and then Next.
i Click Browse and navigate to where you want to save the file.
j Enter the name you want to use for the file, such as MyCert. Click Save and click
Next.
k Click Finish.
Your file, for example MyCert.cer, has been created in the location you specified.
l Go to $JAVA_HOME/bin/keytool and use the J2SE keytool program to create a
keystore file that contains this newly created certificate. You will need to provide a
pass phrase for the keystore. You MUST use the same password that you used in
Step d on page 52, which is part of Step 4 above. For example, if your p12 key is
infodev.p12, the pass phrase must be infodev.
To create the keystore, type the following command:
$JAVA_HOME/bin/keytool -import -file <path to certificate>/<name of certificate file> -keystore <name of keystore file>.jks -storepass <pass phrase of keystore>
For example:
$JAVA_HOME/bin/keytool -import -file /home/bluu/MyCert.cer -keystore MyKeystore.jks -storepass myMerchantID
If successful, the output will be similar to this:
Owner: CN=batchtest.cybersource.com, OU=Operations,
O=Cybersource Corporation, L=Mountain View, ST=California, C=US
Issuer: CN=Entrust.net Secure Server Certification Authority,
OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS incorp.
by ref. (limits liab.), O=Entrust.net, C=US
Serial number: 374e1b7b
Valid from: Thu Nov 18 17:15:34 PST 2004 until: Tue Jan 31
17:51:24 PST 2006
Certificate fingerprints:
MD5: BE:BF:B0:91:69:C4:7B:10:45:EC:D6:0F:16:AA:3D:77
SHA1: 07:F8:41:DC:B2:FC:F5:DA:FC:EE:09:7A:33:B8:29:15:31:18
Trust this certificate? [no]: yes
Certificate was added to keystore
Step 6 Modify the CybsCertAuthorizationSample.props file with your settings. Include
your public certificate for CertAuthentication Batch Upload. This file is part of the
CyberSource download package and looks similar to this:
# Upload host
host=batchtest.cybersource.com
# Upload port
port:always = 443
# File to upload
uploadFile=<path to your file>/<file name>
# Path where to upload it to (provided by CyberSource)
path=/upload/UploadBatchFile
# Your CyberSource security key
key=<key location path>/<key file name>
# Your certificate exported from the security key above
certFile=<MyCert/MyCert.cer>
# New key store you just created that contains the certificate
keyStore=<key store location>/<new key store name>
# Pass phrase is the string you used in -storepass option when you
# created the key store file earlier
passPhrase=<your pass phrase>
Step 7 Set the JAVA_HOME environment variable to where you installed J2SE. For example:
JAVA_HOME=/home/j2se
Step 8 In CLASSPATH, include commons-httpclient.jar. Download at http://hc.apache.org/downloads.cgi.
In CLASSPATH, include commons-codec.jar. Download at http://commons.apache.org/codec/download_codec.cgi.
Step 9 Include $JAVA_HOME/bin in the PATH.
Step 10 Compile and run the sample:
a Change to the directory where you stored the CyberSource sample files.
b Type the following:
javac CybsCertAuthorizationSample.java
java CybsCertAuthorization <path to props file>/CybsCertAuthorizationSample.props
If the upload is successful, the output should look similar to this:
HTTP/1.1 200 OK
UPLOAD FILE SUCCESSFUL




-----Original Message-----
From: ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx [mailto:ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx] On Behalf Of Amit Sharma
Sent: Saturday, August 24, 2013 4:27 AM
To: HTTPAPI and FTPAPI Projects
Subject: RE: Is a certificate required for SSL on IBM i (was: Re: Can HTTPAPI send a CSV and recieve a response?)

I am using timeshare, so the AS400 should be recent and with certificate manager installed and authority I should be able to consume web service. Thank you Scott for the education, Thanks

> Date: Fri, 23 Aug 2013 16:00:32 -0500
> From: sk@xxxxxxxxxxxxxxxx
> To: ftpapi@xxxxxxxxxxxxxxxxxxxxxx
> Subject: Is a certificate required for SSL on IBM i (was: Re: Can HTTPAPI     send a CSV and recieve a response?)
>
> HTTPAPI uses the SSL support built in to the operating system.   As I
> understand it, back in some very old releases (V4R5, maybe? Nothing
> recent.)  There was a problem where you had to install a client
> certificate to use SSL.  But, IBM fixed that ages ago... so unless
> you're really out-of-date, that shouldn't be needed.
>
> You do need to have the digital certificate manager installed, and the
> *SYSTEM certificate store must be created in the digital certificate
> manager.  But, you don't need to install any additional certificates
> (unless the server requires a client-side certificate -- but that's
> rare.)
>
>
> On 8/23/2013 2:58 PM, Amit Sharma wrote:
> >     I am using HTTPAPI to consume SOAP web service through https:\\,
> >     is it must to have digital certificate on AS400, or we may consume
> >     service through https with accesses to certificate database.
> >
> >
>

-----------------------------------------------------------------------
This is the FTPAPI mailing list.  To unsubscribe, please go to:
http://www.scottklement.com/mailman/listinfo/ftpapi
-----------------------------------------------------------------------
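
Added example (not part of the thread and not CyberSource's sample code): the two stores in the quoted certificate-authentication steps play different roles, and this sketch shows each one feeding a TLS handshake. The class name MutualTlsCheck is hypothetical; it assumes a current JDK whose built-in providers read PKCS12, and it reads the host, key, keyStore and passPhrase entries from the props file described above.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Properties;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

public class MutualTlsCheck { // hypothetical name, added example
    // Load a keystore of the given type ("PKCS12" or "JKS") from a file.
    static KeyStore load(String type, String file, char[] pass) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(file)) {
            ks.load(in, pass);
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        Properties p = new Properties();
        try (InputStream in = new FileInputStream(args[0])) { // path to the .props file
            p.load(in);
        }
        // The guide requires the keystore pass phrase to equal the .p12 password.
        char[] pass = p.getProperty("passPhrase").toCharArray();
        // Identity: the .p12 holds the private key and the client certificate.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load("PKCS12", p.getProperty("key"), pass), pass);
        // Trust: the .jks holds only the certificate imported with keytool in Step 5.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load("JKS", p.getProperty("keyStore"), pass));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);

        // Port 443 as given in the certificate-authentication props file.
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(p.getProperty("host"), 443)) {
            SSLParameters sp = s.getSSLParameters();
            sp.setEndpointIdentificationAlgorithm("HTTPS"); // also check the host name
            s.setSSLParameters(sp);
            s.startHandshake(); // throws if the server chain is not trusted by the .jks
            System.out.println("Server: " + s.getSession().getPeerPrincipal());
            // Null when the server did not request a client certificate in this handshake.
            System.out.println("Client certificate sent: " + (s.getSession().getLocalPrincipal() != null));
        }
    }
}
```

The same split applies on any platform: one store supplies the client's private key and certificate, the other supplies the CA certificate used to validate the server.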