
Re: [Ftpapi] Using HTTPAPI and non *SYSTEM certificate store



Ok Scott it was only an idea... 

I will wait for the change of HTTPAPI .... 

Thank you.

Christian

> On 6 Mar 2017, at 21:24, Scott Klement <sk@xxxxxxxxxxxxxxxx> wrote:
> 
> Hi Christian,
> 
> It's possible that those attributes are what you need to use, but the way you've written the code doesn't make sense to me.  There is only one peAppId parameter, but you want to use it to set three different things (the cert store path, label id and password.)
> 
> It seems to me that you will need three different fields for this.   (The existing peAppId for the path, but new parameters for the label and password.)
> 
> I can add these into HTTPAPI so that you can try it and see if it works.
> 
> -SK
> 
> 
>> On 3/6/2017 1:00 PM, larsenvalverde@xxxxxxxxx wrote:
>> Hi Scott,
>> 
>> I have found this code in the COMMSSLR4 source file (HTTPAPI):
>> 
>>      c* If peAppId begins with a slash then assume it is the name of the keyring file
>>      c                   if        %subst(peAppId:1:1) = '/'
>>      c                   eval      rc = gsk_attribute_set_buffer(
>>      c                                  wkEnvh: GSK_KEYRING_FILE:
>>      c                                  peAppId: %len(%trim(peAppId)))
>>      c                   if        rc <> GSK_OK
>>      c                   callp     SetError(HTTP_GSKKEYF: 'Attempt to use ' +
>>      c                                  %trim(peAppId) + ' cert store: ' +
>>      c                                  ssl_error(rc))
>>      c                   callp     https_cleanup
>>      c                   return    -1
>>      c                   endif
>>      c                   endif
>> 
>> I have been looking for information about GSKit, and I found this:
>> 
>> https://www.ibm.com/support/knowledgecenter/ssw_ibm_i_73/apis/gsk_attribute_get_buffer.htm
>> 
>> That website explains the use of gsk_attribute_get_buffer…
>> 
>> 
>> GSK_KEYRING_FILE: We can send with https_init('/XXXXX') the name of the keyring file, because it is developed in COMMSSLR4.
>> 
>> GSK_KEYRING_PWD: Password for the certificate store.  NOT developed.
>> 
>> GSK_KEYRING_LABEL: Certificate label in the certificate store.  NOT developed.
>> 
>> I think that if the COMMSSLR4 is changed including these last two options, I will be able to connect indicating the certificate I need, and the password of the certificate store.
>> 
>> For example, this way (it is only an example…):
>> 
>>      c* If peAppId begins with '#', pass the rest as the keyring password
>>      c                   if        %subst(peAppId:1:1) = '#'
>>      c                   eval      rc = gsk_attribute_set_buffer(
>>      c                                  wkEnvh: GSK_KEYRING_PWD:
>>      c                                  %subst(peAppId:2:%len(%trim(peAppId))-1):
>>      c                                  %len(%trim(peAppId))-1)
>>      c                   if        rc <> GSK_OK
>>      c                   callp     SetError('SOME ERROR')
>>      c                   callp     https_cleanup
>>      c                   return    -1
>>      c                   endif
>>      c                   endif
>> 
>>      c* If peAppId begins with '@', pass the rest as the certificate label
>>      c                   if        %subst(peAppId:1:1) = '@'
>>      c                   eval      rc = gsk_attribute_set_buffer(
>>      c                                  wkEnvh: GSK_KEYRING_LABEL:
>>      c                                  %subst(peAppId:2:%len(%trim(peAppId))-1):
>>      c                                  %len(%trim(peAppId))-1)
>>      c                   if        rc <> GSK_OK
>>      c                   callp     SetError('SOME ERROR')
>>      c                   callp     https_cleanup
>>      c                   return    -1
>>      c                   endif
>>      c                   endif
>> 
>> 
>> Is it possible that it works well?
>> 
>> Christian.
>> 
>> 
>> 
>> 
>>> On 6 Mar 2017, at 11:43, Scott Klement <sk@xxxxxxxxxxxxxxxx> wrote:
>>> 
>>> Hi Christian,
>>> 
>>> Unfortunately, I have not used a certificate store besides *SYSTEM, so I do not know exactly what is involved.
>>> 
>>> It is important to understand that HTTPAPI does not provide its own SSL/TLS code -- it uses the operating system's code.  So if the operating system is capable of what you're describing, it should work with HTTPAPI.  The tricky part is to find out how to do it with the operating system!
>>> 
>>> Internally, we use IBM-supplied Global Secure Toolkit ("gskit" for short.)
>>> 
>>> If you can tell me how to access your certificate using the gskit API, I'd be glad to explain how it can be used from HTTPAPI.  Or, if necessary, I can make modifications to HTTPAPI to make it possible.
>>> 
>>> -SK
>>> 
>>> 
>>>> On 3/4/2017 12:42 PM, larsenvalverde@xxxxxxxxx wrote:
>>>> Hello.
>>>> 
>>>> I’m using the WSDL2RPG and HTTPAPI to connect to a webservice, but I have a problem.  I need to use a digital certificate, and, for security reasons, it cannot be on *SYSTEM certificate store.
>>>> 
>>>> I know I can do this:
>>>> 
>>>> https_init('/ANOTHER_CERTIFICATE_STORE':*ON:*ON:….)
>>>> 
>>>> But I don’t know how to tell httpapi  what certificate I need to use… and the password needed to use it.
>>>> 
>>>> Can anyone explain to me how to do it, if it is possible?
>>>> 
>>>> Thanks in advance.
>>>> 
>>>> Christian.
>>>> _______________________________________________
>>>> Ftpapi mailing list
>>>> Ftpapi@xxxxxxxxxxxxxxxxxxxxxx <mailto:Ftpapi@xxxxxxxxxxxxxxxxxxxxxx>
>>>> http://scottklement.com/mailman/listinfo/ftpapi
>>>> 