
Re: [Ftpapi] Setting up Mutual TLS


I assume you're referring to setting up a client-side certificate in HTTPAPI.  If you're referring to another application, please use a different forum (Web400 over on midrange.com, Code400.com, or IBM Community would be good candidates).  We try to keep this mailing list on the topic of FTPAPI, HTTPAPI or WSDL2RPG.

Since Mutual TLS involves two sides of the connection (both server and client) I'm assuming you already have a server configured, and want to know how to make HTTPAPI handle the client side of the mTLS connection.  I'll also assume that you've already added the certificate to the IBM i.

The steps are like this:

1. Log into the IBM Digital Certificate Manager.  (This is done from the "Internet Configurations" menu of IBM Navigator for i.)

2. Select the *SYSTEM certificate store.  You will need to know/enter the password.  If the *SYSTEM store hasn't yet been created, you can create it by clicking "Create Certificate Store", then select it.

3. On the menu on the left, click "Add application"
 -- choose Client, since HTTPAPI is a client application.

4. Set Application ID to something like YOURCOMPANY_YOURAPPLICATION
 -- check "Application Description" and set it to something like "My application that does X"
 -- maybe also define CA trust list, if you only want to trust certain certificates
 -- maybe set other TLS parameters (versions, ciphers, etc)
 -- click "Add"

5. Choose "Update certificate assignment"
 -- again, select "client"
 -- select the application you created above
 -- select the certificate you wish HTTPAPI to present to the server.
 -- click Update Certificate Assignment

6. In your RPG program that calls HTTPAPI
 -- before doing any TLS, call https_init().  Pass the application ID ('YOURCOMPANY_YOURAPPLICATION') in the first parameter
 -- assigning the application ID this way tells HTTPAPI to use the profile you created in the DCM

Scott Klement
On 12/17/2020 8:31 AM, Gary Saunders wrote:

Does anybody know where I can find a simple guide to setting up mutual TLS for our system i to do posts to another server in a local network?


Thanks in advance.
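The call described in step 6 of the reply above, as an added example that is not part of the original thread or HTTPAPI's own sample code. It assumes the HTTPAPI_H copybook is in QRPGLESRC and the HTTPAPI binding directory is on the library list; the URL and JSON body are constructed placeholders.

```rpgle
**free
// Added example: selects the DCM application profile before the first
// TLS request so the assigned client certificate is presented (mTLS).
ctl-opt dftactgrp(*no) bnddir('HTTPAPI');

/copy qrpglesrc,httpapi_h

// Application ID exactly as entered in DCM (step 4).
dcl-c APP_ID 'YOURCOMPANY_YOURAPPLICATION';
// Hypothetical internal endpoint that requires a client certificate.
dcl-c URL 'https://server.example.internal/api/ping';

dcl-s response varchar(100000);
dcl-s msg char(52);            // DSPLY shows at most 52 characters

// Must run before any HTTPS request. A non-zero result means the
// application ID was not accepted (misspelled ID, no certificate
// assigned, no authority to the *SYSTEM store, ...). Stop here rather
// than sending the request without the intended TLS profile.
if https_init(APP_ID) <> 0;
   msg = http_error();
   dsply msg;
   *inlr = *on;
   return;
endif;

// http_string() signals an escape message on failure, including a
// failed TLS handshake, so catch it and report HTTPAPI's error text.
monitor;
   response = http_string('POST': URL: '{"ping":true}':
                          'application/json');
on-error;
   msg = http_error();
   dsply msg;
endmon;

*inlr = *on;
return;
```

If the handshake is rejected by the server, check in DCM that the certificate assigned in step 5 is the one the server trusts and that the application ID string matches character for character.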

