[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Ftpapi] Using HTTPAPI and non *SYSTEM certificate store

From: Christian <larsenvalverde@xxxxxxxxx>
To: FTPAPI/HTTPAPI mailing list <ftpapi@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [Ftpapi] Using HTTPAPI and non *SYSTEM certificate store
Date: Wed, 8 Mar 2017 11:43:34 +0100
Ok Thomas it worked perfectly for me.

Thank you.


> El 8 mar 2017, a las 10:59, Thomas Raddatz <thomas.raddatz@xxxxxx> escribió:
> 
> Christian,
> 
> I assume that you answered question "At runtime, use *LIBL to find programs?" with NO (= default) when you installed WSDL2RPG. In this case the WSDL2RPG installer creates binding directory "WSDL2RPG" and adds the entries with their library names. When you do a "DSPSRVPGM WSDL2RPGRT" you will see, that it references service program HTTPAPIR4 in library LIBHTTP. Therefore changing the library list has no effect.
> 
> You need to recreate WSDL2RPG and answer that question with YES.
> 
> Thomas.
> 
> -----Ursprüngliche Nachricht-----
> Von: ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx [mailto:ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx] Im Auftrag von Christian
> Gesendet: Mittwoch, 8. März 2017 10:42
> An: FTPAPI/HTTPAPI mailing list
> Betreff: Re: [Ftpapi] Using HTTPAPI and non *SYSTEM certificate store
> 
> Scott,
> 
> There is something wrong...
> 
> I have installed the beta version of HTTPAPI in another library called LIBHTTP_B.  Also when I compile the WSDL2RPG stubs I add that library to my library list... 
> 
> But when I use the WSDL2RPG stubs, in the log file I see:
> 
> HTTPAPI Ver 1.31 ......
> 
> And that is not ok.  But I have used https_certStore....
> 
> What have I made wrong? I dont want to install the HTTPAPI in my LIBHTTP library until the final 1.33 version is released....
> 
>> El 7 mar 2017, a las 21:57, Scott Klement <sk@xxxxxxxxxxxxxxxx> escribió:
>> 
>> Christian,
>> 
>> https_certStore() sets some global variables that will be used later, when https_init() runs.   https_init() will be run automatically the next time you use a URL that begins with 'https:' so it is not nececessary to call it explicitly.
>> 
>> I don't understand what you're saying about the debug log...
>> 
>> -SK
>> 
>> 
>>> On 3/7/2017 12:26 PM, larsenvalverde@xxxxxxxxx wrote:
>>> Hi Scott.
>>> 
>>> I have been testing it..
>>> 
>>> When I use https_certStore(‘ xxx ‘: ‘xxx’ : ‘xxx’);
>>> 
>>> it does not call to  https_init, so nothing new happens.
>>> 
>>> In the generated WSDL2RPG stub, i wrote this:
>>> 
>>> 
>>> /…/
>>> // Authenticate pre-emptively, if configured
>>>  if (%(var:portName+_Port_isAuthenticatePreemptively;75;'...')());
>>>     %(var:portName+_Port_authenticatePreemptively;75;'...')();
>>>  endif;
>>> 
>>>  https_certStore(‘/xxxx.kdb’ : ‘key’ : ‘NAME’ );
>>>  SOMEVAR = https_init(‘ ');
>>> /…/
>>> 
>>> 
>>>  dou (not HttpResponse_isAuthenticationError(http_rc));
>>>     // Get document from server and handle http redirects
>>>     // See also: WSDL2R88.HttpResponse_isRedirect()
>>>     dou (not HttpResponse_isRedirect(http_rc));
>>>        http_DebugLog_appendText(
>>>        '** ' + %char(%timestamp()) + ': Sending request to server');
>>> 
>>>        http_rc =
>>>           http_url_post_raw2(
>>>              url
>>>              : hInpStream
>>>              : %paddr('WSDL2R85_MessageContext_InputStream_read')
>>>              : MessageContext_getSize(hMsgCtx)
>>>              : 0
>>>              : %paddr('HTTP_receiveResponse')
>>>              : getTimeout()
>>>              : getUserAgent()
>>>              : '');
>>> 
>>>        if (HttpResponse_isRedirect(http_rc));
>>>           url = http_redir_loc();
>>>           hInpStream = reOpenInputStream(hMsgCtx: hInpStream);
>>>        endif;
>>>     enddo;
>>> /…/
>>> 
>>> 
>>> In my program, I always use
>>> 
>>> xxx_Port_setHttpDebug(*ON:’/xxx.log’);
>>> 
>>> because this way I can see the XML-document i’m sending, and what i’m receiving.
>>> 
>>> With this new HTTPAPI, using the new https_certStore()… I cannot see all that information…  I have to check it, but if you have any idea about it..??
>>> 
>>> 
>>> 
>>> 
>>> 
>>>> El 6 mar 2017, a las 22:14, Scott Klement <sk@xxxxxxxxxxxxxxxx> escribió:
>>>> 
>>>> Christian,
>>>> 
>>>> I do not know if this will work, and I cannot test it on my machine.  Can you try this and see if it helps?
>>>> 
>>>> First, download and install the BETA version of httpapi from the following link (install it the same way you installed your previous copy)
>>>> 
>>>> http://www.scottklement.com/beta/
>>>> 
>>>> Second, remove the call to https_init() from your generated WSDL2RPG stub, and insert a call like this in it's place:
>>>> 
>>>> http_certStore('/path/to/your_file.kdb': 'Password-Here': 'LabelHere');
>>>> 
>>>> Recompile your program and see if this helps you.
>>>> 
>>>> Please let me know what you find!  I will not include this in future HTTPAPI updates unless you tell me that it has worked for you.
>>>> 
>>>> -SK
>>>> 
>>>> 
>>>>> On 3/6/2017 2:34 PM, Christian wrote:
>>>>> Ok Scott it was only an idea...
>>>>> 
>>>>> I will wait for the change of HTTPAPI ....
>>>>> 
>>>>> Thank you.
>>>>> 
>>>>> Christian
>>>>> 
>>>>>> El 6 mar 2017, a las 21:24, Scott Klement <sk@xxxxxxxxxxxxxxxx> escribió:
>>>>>> 
>>>>>> Hi Christian,
>>>>>> 
>>>>>> It's possible that those attributes are what you need to use, but the way you've written the code doesn't make sense to me.  There is only one peAppId parameter, but you want to use it to set three different things (the cert store path, label id and password.)
>>>>>> 
>>>>>> It seems to me that you will need three different fields for this.   (The existing peAppId for the path, but new parameters for the label and password.)
>>>>>> 
>>>>>> I can add these into HTTPAPI so that you can try it and see if it works.
>>>>>> 
>>>>>> -SK
>>>>>> 
>>>>>> 
>>>>>>> On 3/6/2017 1:00 PM, larsenvalverde@xxxxxxxxx wrote:
>>>>>>> Hi Scott,
>>>>>>> 
>>>>>>> I have found this code in the COMMSSLR4 source file (HTTPAPI):
>>>>>>> 
>>>>>>> c* If peAppId begins with a slash the assume it is the name of the keyring file
>>>>>>> cif%subst(peAppId:1:1) = ‘/‘
>>>>>>> cevalrc = gsk_attribute_set_buffer(
>>>>>>> cwkEnvh: GSK_KEYRING_FILE:
>>>>>>> cpeAppId: %len(%trim(peAppId)))
>>>>>>> cifrc <> GSK_OK
>>>>>>> ccallpSetError(HTTP_GSKKEYF: ‘Attempt to use ‘ +
>>>>>>> c%trim(peAppId) + ‘ cert store: ‘ +
>>>>>>> cssl_error(rc))
>>>>>>> ccallphttps_cleanup
>>>>>>> creturn-1
>>>>>>> cendif
>>>>>>> cendif
>>>>>>> 
>>>>>>> I have been looking for information about GSKit, and I found this:
>>>>>>> 
>>>>>>> https://www.ibm.com/support/knowledgecenter/ssw_ibm_i_73/apis/gsk_attribute_get_buffer.htm
>>>>>>> 
>>>>>>> In that website, is explained the use of gsk_attribute_get_buffer…
>>>>>>> 
>>>>>>> 
>>>>>>> GSK_KEYRING_FILEWe can send with https_init(‘/XXXXX’)  the name of the keyring file, because it is developed in COMMSSLR4.
>>>>>>> 
>>>>>>> GSK_KEYRING_PWDPassword for the certificate store.  NOT developed.
>>>>>>> GSK_KEYRING_LABELCertificate label in the certificate store.  NOT developed.
>>>>>>> I think that if the COMMSSLR4 is changed including this last two options, I will be able to connect indicating the certificate I need, and the password of the certificate store.
>>>>>>> 
>>>>>>> For example this way:  (is only an example…).
>>>>>>> 
>>>>>>> cif%subst(peAppId:1:1) = ‘#‘
>>>>>>> cevalrc = gsk_attribute_set_buffer(
>>>>>>> cwkEnvh: GSK_KEYRING_PWD:
>>>>>>> c%subst(peAppId:2:(%len(%trim(peAppId))-1):
>>>>>>> c%len(%trim(peAppId)-1)
>>>>>>> cifrc <> GSK_OK
>>>>>>> ccallpSetError(’SOME ERROR')
>>>>>>> ccallphttps_cleanup
>>>>>>> creturn-1
>>>>>>> cendif
>>>>>>> cendif
>>>>>>> 
>>>>>>> cif%subst(peAppId:1:1) = ‘@‘
>>>>>>> cevalrc = gsk_attribute_set_buffer(
>>>>>>> cwkEnvh: GSK_KEYRING_LABEL:
>>>>>>> c%subst(peAppId:2:(%len(%trim(peAppId))-1):
>>>>>>> c%len(%trim(peAppId)-1)
>>>>>>> cifrc <> GSK_OK
>>>>>>> ccallpSetError(’SOME ERROR')
>>>>>>> ccallphttps_cleanup
>>>>>>> creturn-1
>>>>>>> cendif
>>>>>>> cendif
>>>>>>> 
>>>>>>> 
>>>>>>> Is possible that it works well?
>>>>>>> 
>>>>>>> Christian.
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>>> El 6 mar 2017, a las 11:43, Scott Klement <sk@xxxxxxxxxxxxxxxx <mailto:sk@xxxxxxxxxxxxxxxx>> escribió:
>>>>>>>> 
>>>>>>>> Hi Christian,
>>>>>>>> 
>>>>>>>> Unfortunately, I have not used a certificate store besides *SYSTEM, so I do not know exactly what is involved.
>>>>>>>> 
>>>>>>>> It is important to understand that HTTPAPI does not provide it's own SSL/TLS code -- it uses the operating system's code.  So if the operating system is capable of what you're describing, it should work with HTTPAPI.  The tricky part is to find out how to do it with the operating system!
>>>>>>>> 
>>>>>>>> Internally, we use IBM-supplied Global Secure Toolkit ("gskit" for short.)
>>>>>>>> 
>>>>>>>> If you can tell me how to access your certificate using the gskit API, I'd be glad to explain how it can be used from HTTPAPI.  Or, if necessary, I can make modifications to HTTPAPI to make it possible.
>>>>>>>> 
>>>>>>>> -SK
>>>>>>>> 
>>>>>>>> 
>>>>>>>>> On 3/4/2017 12:42 PM, larsenvalverde@xxxxxxxxx <mailto:larsenvalverde@xxxxxxxxx> wrote:
>>>>>>>>> Hello.
>>>>>>>>> 
>>>>>>>>> I’m using the WDSL2RPG and HTTPAPI to connect to a webservice, but I have a problem.  I need to use a digital certificate, and, for security reasons, it cannot be on *SYSTEM certificate store.
>>>>>>>>> 
>>>>>>>>> I know I can do this:
>>>>>>>>> 
>>>>>>>>> https_init(‘/ANOTHER_CERTIFICATE_STORE’:*ON:*ON:….)
>>>>>>>>> 
>>>>>>>>> But I don’t know how to tell httpapi  what certificate I need to use… and the password needed to use it.
>>>>>>>>> 
>>>>>>>>> Can anyone explain me how to do it, if it is possible?
>>>>>>>>> 
>>>>>>>>> Thanks in advance.
>>>>>>>>> 
>>>>>>>>> Christian.
>>>>>>>>> _______________________________________________
>>>>>>>>> Ftpapi mailing list
>>>>>>>>> Ftpapi@xxxxxxxxxxxxxxxxxxxxxx <mailto:Ftpapi@xxxxxxxxxxxxxxxxxxxxxx>
>>>>>>>>> http://scottklement.com/mailman/listinfo/ftpapi
>>>>>>>>> 
>>>>>>>> -- 
>>>>>>>> _______________________________________________
>>>>>>>> Ftpapi mailing list
>>>>>>>> Ftpapi@xxxxxxxxxxxxxxxxxxxxxx <mailto:Ftpapi@xxxxxxxxxxxxxxxxxxxxxx>
>>>>>>>> http://scottklement.com/mailman/listinfo/ftpapi
>>>>>>> 
>>>>>> -- 
>>>>>> _______________________________________________
>>>>>> Ftpapi mailing list
>>>>>> Ftpapi@xxxxxxxxxxxxxxxxxxxxxx
>>>>>> http://scottklement.com/mailman/listinfo/ftpapi
>>>> -- 
>>>> _______________________________________________
>>>> Ftpapi mailing list
>>>> Ftpapi@xxxxxxxxxxxxxxxxxxxxxx
>>>> http://scottklement.com/mailman/listinfo/ftpapi
>> 
>> -- 
>> _______________________________________________
>> Ftpapi mailing list
>> Ftpapi@xxxxxxxxxxxxxxxxxxxxxx
>> http://scottklement.com/mailman/listinfo/ftpapi
> -- 
> _______________________________________________
> Ftpapi mailing list
> Ftpapi@xxxxxxxxxxxxxxxxxxxxxx
> http://scottklement.com/mailman/listinfo/ftpapi
> --
> IMPORTANT NOTICE:
> This email is confidential, may be legally privileged, and is for the intended recipient only. Access, disclosure, copying, distribution, or reliance on any of it by anyone else is prohibited and may be a criminal offence. Please delete if obtained in error and email confirmation to the sender.
> -- 
> _______________________________________________
> Ftpapi mailing list
> Ftpapi@xxxxxxxxxxxxxxxxxxxxxx
> http://scottklement.com/mailman/listinfo/ftpapi
-- 
_______________________________________________
Ftpapi mailing list
Ftpapi@xxxxxxxxxxxxxxxxxxxxxx
http://scottklement.com/mailman/listinfo/ftpapi
References:
- Re: [Ftpapi] Using HTTPAPI and non *SYSTEM certificate store
  - From: Thomas Raddatz
Prev by Date: Re: [Ftpapi] Using HTTPAPI and non *SYSTEM certificate store
Next by Date: Re: [Ftpapi] Using HTTPAPI and non *SYSTEM certificate store
Previous by thread: Re: [Ftpapi] Using HTTPAPI and non *SYSTEM certificate store
Next by thread: [Ftpapi] HTTPAPI http_setAuth Problem
Index(es):
- Date
- Thread