[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Ftpapi] Using HTTPAPI and non *SYSTEM certificate store



Christian,

I do not know if this will work, and I cannot test it on my machine. Can you try this and see if it helps?

First, download and install the BETA version of httpapi from the following link (install it the same way you installed your previous copy)

http://www.scottklement.com/beta/

Second, remove the call to https_init() from your generated WSDL2RPG stub, and insert a call like this in it's place:

http_certStore('/path/to/your_file.kdb': 'Password-Here': 'LabelHere');

Recompile your program and see if this helps you.

Please let me know what you find! I will not include this in future HTTPAPI updates unless you tell me that it has worked for you.

-SK


On 3/6/2017 2:34 PM, Christian wrote:
Ok Scott it was only an idea...

I will wait for the change of HTTPAPI ....

Thank you.

Christian

El 6 mar 2017, a las 21:24, Scott Klement <sk@xxxxxxxxxxxxxxxx> escribió:

Hi Christian,

It's possible that those attributes are what you need to use, but the way you've written the code doesn't make sense to me.  There is only one peAppId parameter, but you want to use it to set three different things (the cert store path, label id and password.)

It seems to me that you will need three different fields for this.   (The existing peAppId for the path, but new parameters for the label and password.)

I can add these into HTTPAPI so that you can try it and see if it works.

-SK


On 3/6/2017 1:00 PM, larsenvalverde@xxxxxxxxx wrote:
Hi Scott,

I have found this code in the COMMSSLR4 source file (HTTPAPI):

c* If peAppId begins with a slash the assume it is the name of the keyring file
cif%subst(peAppId:1:1) = ‘/‘
cevalrc = gsk_attribute_set_buffer(
cwkEnvh: GSK_KEYRING_FILE:
cpeAppId: %len(%trim(peAppId)))
cifrc <> GSK_OK
ccallpSetError(HTTP_GSKKEYF: ‘Attempt to use ‘ +
c%trim(peAppId) + ‘ cert store: ‘ +
cssl_error(rc))
ccallphttps_cleanup
creturn-1
cendif
cendif

I have been looking for information about GSKit, and I found this:

https://www.ibm.com/support/knowledgecenter/ssw_ibm_i_73/apis/gsk_attribute_get_buffer.htm

In that website, is explained the use of gsk_attribute_get_buffer…


GSK_KEYRING_FILEWe can send with https_init(‘/XXXXX’)  the name of the keyring file, because it is developed in COMMSSLR4.

GSK_KEYRING_PWDPassword for the certificate store.  NOT developed.
GSK_KEYRING_LABELCertificate label in the certificate store.  NOT developed.
I think that if the COMMSSLR4 is changed including this last two options, I will be able to connect indicating the certificate I need, and the password of the certificate store.

For example this way:  (is only an example…).

cif%subst(peAppId:1:1) = ‘#‘
cevalrc = gsk_attribute_set_buffer(
cwkEnvh: GSK_KEYRING_PWD:
c%subst(peAppId:2:(%len(%trim(peAppId))-1):
c%len(%trim(peAppId)-1)
cifrc <> GSK_OK
ccallpSetError(’SOME ERROR')
ccallphttps_cleanup
creturn-1
cendif
cendif

cif%subst(peAppId:1:1) = ‘@‘
cevalrc = gsk_attribute_set_buffer(
cwkEnvh: GSK_KEYRING_LABEL:
c%subst(peAppId:2:(%len(%trim(peAppId))-1):
c%len(%trim(peAppId)-1)
cifrc <> GSK_OK
ccallpSetError(’SOME ERROR')
ccallphttps_cleanup
creturn-1
cendif
cendif


Is possible that it works well?

Christian.




El 6 mar 2017, a las 11:43, Scott Klement <sk@xxxxxxxxxxxxxxxx <mailto:sk@xxxxxxxxxxxxxxxx>> escribió:

Hi Christian,

Unfortunately, I have not used a certificate store besides *SYSTEM, so I do not know exactly what is involved.

It is important to understand that HTTPAPI does not provide it's own SSL/TLS code -- it uses the operating system's code.  So if the operating system is capable of what you're describing, it should work with HTTPAPI.  The tricky part is to find out how to do it with the operating system!

Internally, we use IBM-supplied Global Secure Toolkit ("gskit" for short.)

If you can tell me how to access your certificate using the gskit API, I'd be glad to explain how it can be used from HTTPAPI.  Or, if necessary, I can make modifications to HTTPAPI to make it possible.

-SK


On 3/4/2017 12:42 PM, larsenvalverde@xxxxxxxxx <mailto:larsenvalverde@xxxxxxxxx> wrote:
Hello.

I’m using the WDSL2RPG and HTTPAPI to connect to a webservice, but I have a problem.  I need to use a digital certificate, and, for security reasons, it cannot be on *SYSTEM certificate store.

I know I can do this:

https_init(‘/ANOTHER_CERTIFICATE_STORE’:*ON:*ON:….)

But I don’t know how to tell httpapi  what certificate I need to use… and the password needed to use it.

Can anyone explain me how to do it, if it is possible?

Thanks in advance.

Christian.
_______________________________________________
Ftpapi mailing list
Ftpapi@xxxxxxxxxxxxxxxxxxxxxx <mailto:Ftpapi@xxxxxxxxxxxxxxxxxxxxxx>
http://scottklement.com/mailman/listinfo/ftpapi

--
_______________________________________________
Ftpapi mailing list
Ftpapi@xxxxxxxxxxxxxxxxxxxxxx <mailto:Ftpapi@xxxxxxxxxxxxxxxxxxxxxx>
http://scottklement.com/mailman/listinfo/ftpapi


--
_______________________________________________
Ftpapi mailing list
Ftpapi@xxxxxxxxxxxxxxxxxxxxxx
http://scottklement.com/mailman/listinfo/ftpapi

--
_______________________________________________
Ftpapi mailing list
Ftpapi@xxxxxxxxxxxxxxxxxxxxxx
http://scottklement.com/mailman/listinfo/ftpapi