Re: [Ftpapi] Using HTTPAPI and non *SYSTEM certificate store
Christian,
I would check the bindings used to compile the programs (WRKBNDDIR) and any reference to qualified service programs.
Paul
From: Christian <larsenvalverde@xxxxxxxxx>
To: FTPAPI/HTTPAPI mailing list <ftpapi@xxxxxxxxxxxxxxxxxxxxxx>
Date: 08/03/2017 10:44
Subject: Re: [Ftpapi] Using HTTPAPI and non *SYSTEM certificate store
Sent by: ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx
Scott,
There is something wrong...
I have installed the beta version of HTTPAPI in another library called
LIBHTTP_B. Also when I compile the WSDL2RPG stubs I add that library
to my library list...
But when I use the WSDL2RPG stubs, in the log file I see:
HTTPAPI Ver 1.31 ......
And that is not ok. But I have used https_certStore....
What have I done wrong? I don't want to install HTTPAPI in my LIBHTTP
library until the final 1.33 version is released....
> On 7 Mar 2017, at 21:57, Scott Klement <sk@xxxxxxxxxxxxxxxx> wrote:
>
> Christian,
>
> https_certStore() sets some global variables that will be used later, when https_init() runs. https_init() will be run automatically the next time you use a URL that begins with 'https:' so it is not necessary to call it explicitly.
>
> I don't understand what you're saying about the debug log...
>
> -SK
>
>
>> On 3/7/2017 12:26 PM, larsenvalverde@xxxxxxxxx wrote:
>> Hi Scott.
>>
>> I have been testing it..
>>
>> When I use https_certStore(' xxx ': 'xxx' : 'xxx');
>>
>> it does not call to https_init, so nothing new happens.
>>
>> In the generated WSDL2RPG stub, I wrote this:
>>
>>
>> /…/
>> // Authenticate pre-emptively, if configured
>> if (%(var:portName+_Port_isAuthenticatePreemptively;75;'...')());
>> %(var:portName+_Port_authenticatePreemptively;75;'...')();
>> endif;
>>
>> https_certStore('/xxxx.kdb' : 'key' : 'NAME' );
>> SOMEVAR = https_init(' ');
>> /…/
>>
>>
>> dou (not HttpResponse_isAuthenticationError(http_rc));
>> // Get document from server and handle http redirects
>> // See also: WSDL2R88.HttpResponse_isRedirect()
>> dou (not HttpResponse_isRedirect(http_rc));
>> http_DebugLog_appendText(
>> '** ' + %char(%timestamp()) + ': Sending request to server');
>>
>> http_rc =
>> http_url_post_raw2(
>> url
>> : hInpStream
>> : %paddr('WSDL2R85_MessageContext_InputStream_read')
>> : MessageContext_getSize(hMsgCtx)
>> : 0
>> : %paddr('HTTP_receiveResponse')
>> : getTimeout()
>> : getUserAgent()
>> : '');
>>
>> if (HttpResponse_isRedirect(http_rc));
>> url = "">
>> hInpStream = reOpenInputStream(hMsgCtx: hInpStream);
>> endif;
>> enddo;
>> /…/
>>
>>
>> In my program, I always use
>>
>> xxx_Port_setHttpDebug(*ON:'/xxx.log');
>>
>> because this way I can see the XML-document I'm sending, and what I'm receiving.
>>
>> With this new HTTPAPI, using the new https_certStore()… I cannot see all that information… I have to check it, but if you have any idea about it..??
>>
>>
>>
>>
>>
>>> On 6 Mar 2017, at 22:14, Scott Klement <sk@xxxxxxxxxxxxxxxx> wrote:
>>>
>>> Christian,
>>>
>>> I do not know if this will work, and I cannot test it on my machine. Can you try this and see if it helps?
>>>
>>> First, download and install the BETA version of httpapi from the following link (install it the same way you installed your previous copy)
>>>
>>> http://www.scottklement.com/beta/
>>>
>>> Second, remove the call to https_init() from your generated WSDL2RPG stub, and insert a call like this in its place:
>>>
>>> http_certStore('/path/to/your_file.kdb': 'Password-Here': 'LabelHere');
>>>
>>> Recompile your program and see if this helps you.
>>>
>>> Please let me know what you find! I will not include this in future HTTPAPI updates unless you tell me that it has worked for you.
>>>
>>> -SK
>>>
>>>
>>>> On 3/6/2017 2:34 PM, Christian wrote:
>>>> Ok Scott it was only an idea...
>>>>
>>>> I will wait for the change of HTTPAPI ....
>>>>
>>>> Thank you.
>>>>
>>>> Christian
>>>>
>>>>> On 6 Mar 2017, at 21:24, Scott Klement <sk@xxxxxxxxxxxxxxxx> wrote:
>>>>>
>>>>> Hi Christian,
>>>>>
>>>>> It's possible that those attributes are what you need to use, but the way you've written the code doesn't make sense to me. There is only one peAppId parameter, but you want to use it to set three different things (the cert store path, label id and password.)
>>>>>
>>>>> It seems to me that you will need three different fields for this. (The existing peAppId for the path, but new parameters for the label and password.)
>>>>>
>>>>> I can add these into HTTPAPI so that you can try it and see if it works.
>>>>>
>>>>> -SK
>>>>>
>>>>>
>>>>>> On 3/6/2017 1:00 PM, larsenvalverde@xxxxxxxxx wrote:
>>>>>> Hi Scott,
>>>>>>
>>>>>> I have found this code in the COMMSSLR4 source file (HTTPAPI):
>>>>>>
>>>>>> c* If peAppId begins with a slash the assume it is the name of the keyring file
>>>>>> c                   if        %subst(peAppId:1:1) = '/'
>>>>>> c                   eval      rc = gsk_attribute_set_buffer(
>>>>>> c                                  wkEnvh: GSK_KEYRING_FILE:
>>>>>> c                                  peAppId: %len(%trim(peAppId)))
>>>>>> c                   if        rc <> GSK_OK
>>>>>> c                   callp     SetError(HTTP_GSKKEYF: 'Attempt to use ' +
>>>>>> c                                  %trim(peAppId) + ' cert store: ' +
>>>>>> c                                  ssl_error(rc))
>>>>>> c                   callp     https_cleanup
>>>>>> c                   return    -1
>>>>>> c                   endif
>>>>>> c                   endif
>>>>>>
>>>>>> I have been looking for information about GSKit, and I found this:
>>>>>>
>>>>>> https://www.ibm.com/support/knowledgecenter/ssw_ibm_i_73/apis/gsk_attribute_get_buffer.htm
>>>>>>
>>>>>> That website explains the use of gsk_attribute_get_buffer…
>>>>>>
>>>>>>
>>>>>> GSK_KEYRING_FILE: We can send with https_init('/XXXXX') the name of the keyring file, because it is developed in COMMSSLR4.
>>>>>>
>>>>>> GSK_KEYRING_PWD: Password for the certificate store. NOT developed.
>>>>>> GSK_KEYRING_LABEL: Certificate label in the certificate store. NOT developed.
>>>>>> I think that if the COMMSSLR4 is changed including these last two options, I will be able to connect indicating the certificate I need, and the password of the certificate store.
>>>>>>
>>>>>> For example this way: (it is only an example…).
>>>>>>
>>>>>> c                   if        %subst(peAppId:1:1) = '#'
>>>>>> c                   eval      rc = gsk_attribute_set_buffer(
>>>>>> c                                  wkEnvh: GSK_KEYRING_PWD:
>>>>>> c                                  %subst(peAppId:2:%len(%trim(peAppId))-1):
>>>>>> c                                  %len(%trim(peAppId))-1)
>>>>>> c                   if        rc <> GSK_OK
>>>>>> c                   callp     SetError('SOME ERROR')
>>>>>> c                   callp     https_cleanup
>>>>>> c                   return    -1
>>>>>> c                   endif
>>>>>> c                   endif
>>>>>>
>>>>>> c                   if        %subst(peAppId:1:1) = '@'
>>>>>> c                   eval      rc = gsk_attribute_set_buffer(
>>>>>> c                                  wkEnvh: GSK_KEYRING_LABEL:
>>>>>> c                                  %subst(peAppId:2:%len(%trim(peAppId))-1):
>>>>>> c                                  %len(%trim(peAppId))-1)
>>>>>> c                   if        rc <> GSK_OK
>>>>>> c                   callp     SetError('SOME ERROR')
>>>>>> c                   callp     https_cleanup
>>>>>> c                   return    -1
>>>>>> c                   endif
>>>>>> c                   endif
>>>>>>
>>>>>>
>>>>>> Is it possible that it works well?
>>>>>>
>>>>>> Christian.
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>> On 6 Mar 2017, at 11:43, Scott Klement <sk@xxxxxxxxxxxxxxxx> wrote:
>>>>>>>
>>>>>>> Hi Christian,
>>>>>>>
>>>>>>> Unfortunately, I have not used a certificate store besides *SYSTEM, so I do not know exactly what is involved.
>>>>>>>
>>>>>>> It is important to understand that HTTPAPI does not provide its own SSL/TLS code -- it uses the operating system's code. So if the operating system is capable of what you're describing, it should work with HTTPAPI. The tricky part is to find out how to do it with the operating system!
>>>>>>>
>>>>>>> Internally, we use IBM-supplied Global Secure Toolkit ("gskit" for short.)
>>>>>>>
>>>>>>> If you can tell me how to access your certificate using the gskit API, I'd be glad to explain how it can be used from HTTPAPI. Or, if necessary, I can make modifications to HTTPAPI to make it possible.
>>>>>>>
>>>>>>> -SK
>>>>>>>
>>>>>>>
>>>>>>>> On 3/4/2017 12:42 PM, larsenvalverde@xxxxxxxxx wrote:
>>>>>>>> Hello.
>>>>>>>>
>>>>>>>> I'm using WSDL2RPG and HTTPAPI to connect to a webservice, but I have a problem. I need to use a digital certificate, and, for security reasons, it cannot be on the *SYSTEM certificate store.
>>>>>>>>
>>>>>>>> I know I can do this:
>>>>>>>>
>>>>>>>> https_init('/ANOTHER_CERTIFICATE_STORE':*ON:*ON:….)
>>>>>>>>
>>>>>>>> But I don't know how to tell httpapi what certificate I need to use… and the password needed to use it.
>>>>>>>>
>>>>>>>> Can anyone explain to me how to do it, if it is possible?
>>>>>>>>
>>>>>>>> Thanks in advance.
>>>>>>>>
>>>>>>>> Christian.
>>>>>>>> _______________________________________________
>>>>>>>> Ftpapi mailing list
>>>>>>>> Ftpapi@xxxxxxxxxxxxxxxxxxxxxx <mailto:Ftpapi@xxxxxxxxxxxxxxxxxxxxxx>
>>>>>>>> http://scottklement.com/mailman/listinfo/ftpapi
>>>>>>>>
--
_______________________________________________
Ftpapi mailing list
Ftpapi@xxxxxxxxxxxxxxxxxxxxxx
http://scottklement.com/mailman/listinfo/ftpapi
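
The point made in the thread, that the store path, the password and the certificate label need three separate fields, corresponds to three GSKit buffer attributes set on one environment before it is initialised. The following free-form RPG is an added example, not code from the thread or from HTTPAPI's COMMSSLR4; the procedure name openStoreEnv and its parameters are hypothetical, the prototypes are declared locally, and GSK_KEYRING_PW is the password attribute as IBM's gskssl.h names it.

```rpgle
**free
// Added example, not HTTPAPI source; GSKit values as in IBM's gskssl.h.
ctl-opt nomain;
dcl-c GSK_OK 0;
dcl-c GSK_KEYRING_FILE 201;
dcl-c GSK_KEYRING_PW 202;
dcl-c GSK_KEYRING_LABEL 203;
dcl-pr gsk_environment_open int(10) extproc(*dclcase);
  env pointer;
end-pr;
dcl-pr gsk_attribute_set_buffer int(10) extproc(*dclcase);
  env pointer value;
  bufId int(10) value;
  buffer pointer value options(*string);
  bufSize int(10) value;        // 0 = buffer is null-terminated
end-pr;
dcl-pr gsk_environment_init int(10) extproc(*dclcase);
  env pointer value;
end-pr;
dcl-pr gsk_environment_close int(10) extproc(*dclcase);
  env pointer;
end-pr;

// Hypothetical helper: returns GSK_OK, or the first failing return code.
dcl-proc openStoreEnv export;
  dcl-pi *n int(10);
    env pointer;                  // receives the environment handle
    path varchar(256) const;      // IFS path of the .kdb store
    password varchar(128) const;  // supplied at run time, not a literal
    label varchar(128) const;     // certificate label inside the store
  end-pi;
  dcl-s rc int(10);
  rc = gsk_environment_open(env);
  if rc = GSK_OK;
    rc = gsk_attribute_set_buffer(env: GSK_KEYRING_FILE: path: 0);
    if rc = GSK_OK;
      rc = gsk_attribute_set_buffer(env: GSK_KEYRING_PW: password: 0);
    endif;
    if rc = GSK_OK;
      rc = gsk_attribute_set_buffer(env: GSK_KEYRING_LABEL: label: 0);
    endif;
    if rc = GSK_OK;
      rc = gsk_environment_init(env);
    endif;
    if rc <> GSK_OK;              // never leave a half-configured handle open
      gsk_environment_close(env);
    endif;
  endif;
  return rc;
end-proc;
```

All three attributes must be set before gsk_environment_init; a store password taken from a caller parameter keeps it out of compiled source and out of the debug log.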