[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Ftpapi] Using HTTPAPI and non *SYSTEM certificate store



Hi Scott,

I have found this code in the COMMSSLR4 source file (HTTPAPI):

c* If peAppId begins with a slash the assume it is the name of the keyring file
c if %subst(peAppId:1:1) = ‘/‘
c eval rc = gsk_attribute_set_buffer(
c wkEnvh: GSK_KEYRING_FILE:
c peAppId: %len(%trim(peAppId)))
c if rc <> GSK_OK
c callp SetError(HTTP_GSKKEYF: ‘Attempt to use ‘ + 
c %trim(peAppId) + ‘ cert store: ‘ + 
c ssl_error(rc))
c callp https_cleanup
c return -1
c endif
c endif

I have been looking for information about GSKit, and I found this:

https://www.ibm.com/support/knowledgecenter/ssw_ibm_i_73/apis/gsk_attribute_get_buffer.htm

In that website, is explained the use of gsk_attribute_get_buffer… 


GSK_KEYRING_FILE We can send with https_init(‘/XXXXX’)  the name of the keyring file, because it is developed in COMMSSLR4.

GSK_KEYRING_PWD Password for the certificate store.  NOT developed.
GSK_KEYRING_LABEL Certificate label in the certificate store.  NOT developed.
I think that if the COMMSSLR4 is changed including this last two options, I will be able to connect indicating the certificate I need, and the password of the certificate store.

For example this way:  (is only an example…).

c if %subst(peAppId:1:1) = ‘#‘
c eval rc = gsk_attribute_set_buffer(
c wkEnvh: GSK_KEYRING_PWD:
c %subst(peAppId:2:(%len(%trim(peAppId))-1): 
c %len(%trim(peAppId)-1)
c if rc <> GSK_OK
c callp SetError(’SOME ERROR')
c callp https_cleanup
c return -1
c endif
c endif

c if %subst(peAppId:1:1) = ‘@‘
c eval rc = gsk_attribute_set_buffer(
c wkEnvh: GSK_KEYRING_LABEL:
c %subst(peAppId:2:(%len(%trim(peAppId))-1): 
c %len(%trim(peAppId)-1)
c if rc <> GSK_OK
c callp SetError(’SOME ERROR')
c callp https_cleanup
c return -1
c endif
c endif


Is possible that it works well?

Christian.




El 6 mar 2017, a las 11:43, Scott Klement <sk@xxxxxxxxxxxxxxxx> escribió:

Hi Christian,

Unfortunately, I have not used a certificate store besides *SYSTEM, so I do not know exactly what is involved.

It is important to understand that HTTPAPI does not provide it's own SSL/TLS code -- it uses the operating system's code.  So if the operating system is capable of what you're describing, it should work with HTTPAPI.  The tricky part is to find out how to do it with the operating system!

Internally, we use IBM-supplied Global Secure Toolkit ("gskit" for short.)

If you can tell me how to access your certificate using the gskit API, I'd be glad to explain how it can be used from HTTPAPI.  Or, if necessary, I can make modifications to HTTPAPI to make it possible.

-SK


On 3/4/2017 12:42 PM, larsenvalverde@xxxxxxxxx wrote:
Hello.

I’m using the WDSL2RPG and HTTPAPI to connect to a webservice, but I have a problem.  I need to use a digital certificate, and, for security reasons, it cannot be on *SYSTEM certificate store.

I know I can do this:

https_init(‘/ANOTHER_CERTIFICATE_STORE’:*ON:*ON:….)

But I don’t know how to tell httpapi  what certificate I need to use… and the password needed to use it.

Can anyone explain me how to do it, if it is possible?

Thanks in advance.

Christian.
_______________________________________________
Ftpapi mailing list
Ftpapi@xxxxxxxxxxxxxxxxxxxxxx
http://scottklement.com/mailman/listinfo/ftpapi


--
_______________________________________________
Ftpapi mailing list
Ftpapi@xxxxxxxxxxxxxxxxxxxxxx
http://scottklement.com/mailman/listinfo/ftpapi

-- 
_______________________________________________
Ftpapi mailing list
Ftpapi@xxxxxxxxxxxxxxxxxxxxxx
http://scottklement.com/mailman/listinfo/ftpapi