Re: Client Certificates
I've just told you how it's handled. Please read my steps again.
Ron wrote:
> I have used the method you showed below when I want to verify the server I
> am connecting to.
> I need to verify their Server Certificate.
> To do this I have been following the process you have stated below.
>
> But now if I want to send a client certificate to the Server so they know I
> am who I say I am.
>
> How is that handled?
>
> Thanks
>
> Ron
>
>
> -----Original Message-----
> From: ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx
> [mailto:ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx] On Behalf Of Scott Klement
> Sent: Friday, October 30, 2009 4:46 PM
> To: HTTPAPI and FTPAPI Projects
> Subject: Re: Client Certificates
>
> Hi Ron,
>
>> In HTTPAPI I see where to put in the application tied to the server
>> certificate https_init('SERVERCERT');
> >> But I do not see the place to add in the client application that we want
> >> to
> >> use for the client certificate
>
> The SSL code isn't a part of HTTPAPI. It's part of OS/400. I think it's
> critical to realize this, because you seem to be looking for an option
> in HTTPAPI to set a certificate. That's not how it works. You have to
> tell OS/400 to set a certificate.
>
> OS/400 has a tool called the Digital Certificate Manager (DCM) where you
> can manage applications, assign the SSL settings appropriate for that
> application, and so on and so forth.
>
> So, the first issue is to set up your application in the DCM. Setting
> it up makes it possible to assign settings to it, including assigning a
> certificate to it. This is a critical step.
>
> They keep changing the interface for the DCM, so I'll tell you the steps
> on my V5R4 system, and hopefully you can extrapolate what they should be
> on another release...
>
> Keep in mind that this is part of IBM i (OS/400) and not part of
> HTTPAPI. I provide instructions to help you out, but there may very well
> be better ones in the Information Center?
> -----------------------------------------------------------------------
> a) If necessary, start the *ADMIN instance of the HTTP server.
>
> b) Log in to the *ADMIN instance of the HTTP server
>
> c) Click "Digital Certificate Manager"
>
> d) Click "Select Certificate Store"
>
> e) Choose the *SYSTEM certificate store, and click "continue"
>
> f) enter the *SYSTEM certificate store password, and click "continue"
>
> g) In the pane on the left, expand "Manage Applications"
>
> h) Choose "Add Application"
>
> i) Choose "Client", then "continue"
>
> j) You should now be on the screen where you can set up an application.
> Here are details of this step:
>
> Application ID:
>
> IBM recommends that it start with something to identify the company
> (they use QIBM, and ask that you do not use that!) followed by the name
> of the software package, followed by the name of the component. What you
> name it is up to you. I might put something like this:
>
> KLEMENTS_GIFTBOX_UPSTRACK
>
> That would be a name I'd use for the UPSTRACK component of the Giftbox
> software provided by Klement's Sausage. Yours might be something like:
>
> LINOMA_CRYPTOCOMPLETE_SENDTOWEB
>
> This is just to give you the idea. It can be anything you like, up to
> 100 characters. You can click the help button (upper-right) to see
> IBM's help file that explains what characters are allowed in this field.
> It should be one word (no spaces) and can be up to 100 characters long.
>
> Exit program info:
>
> I always take the default, because I don't use an exit program when my
> certificates are changed. So just take the default here, unless you want
> to use this feature. (HTTPAPI doesn't care)
>
> Application user profile:
>
> I've never used this feature... just take the default.
>
>
> Define the CA trust list:
>
> This is up to you. Do you want to specifically list which CAs you
> trust? Or take the same defaults as all other SSL apps on the system?
> I generally choose "No", so it uses the general-purpose CA trust list.
>
> Certificate revocation processing: Yes
>
> I don't use CRLs, but it doesn't hurt to choose "Yes" here, anyway.
>
>
> Application description:
>
> Click the radio button on the left, next to "Application Description".
> Type a human-readable description of your application here. This is
> what will show up when the user is viewing the applications in the DCM.
> Something like "Klement's Sausage UPS Tracking Application". Whatever
> makes sense for your users to see.
>
>
> k) click "Add" and it should add the new application to the DCM.
>
> l) It'll tell you that it has added it successfully... click "OK"
>
> m) You can now use the "Manage Applications" interface to view, update,
> etc. the application.
>
> n) Click "Update Certificate Assignment"
>
> o) Click "Client"
>
> p) Your program should now be listed as one of the client programs on
> the system. Select the radio button next to it, then the "Update Cert
> Assignment" button at the bottom.
>
> q) It should list the certificates available. Select the one you want
> to use as your client certificate, and then click "Assign New Certificate".
>
> r) At the top of the screen, it says "certificate was assigned to
> application"
> -----------------------------------------------------------------
>
> So now you've created a profile of sorts in the DCM, and it tells the
> SSL settings for a particular application. Any program that identifies
> itself to the DCM as "KLEMENTS_GIFTBOX_UPSTRACK" (or whatever you put
> for the application id) will use the settings provided to the DCM,
> above. This is how you tell it that you want a certificate, and which
> certificate to use.
>
> Back in HTTPAPI, prior to using SSL for the first time in your program,
> do this:
>
> callp https_init('KLEMENTS_GIFTBOX_UPSTRACK');
>
> (again -- or whatever ID you've assigned.) This tells HTTPAPI how to
> identify itself to the Digital Certificate Manager -- and therefore,
> HTTPAPI is requesting that the DCM use the settings you provided in the
> application configuration in the DCM. (Including the client certificate)
>
> If you have multiple client certificates that need to be assigned
> separately for separate applications, then create a second, third, (or
> whatever) application profile in the DCM for those other certificates.
> Tell HTTPAPI to use those alternate profiles.
> -----------------------------------------------------------------------
> This is the FTPAPI mailing list. To unsubscribe, please go to:
> http://www.scottklement.com/mailman/listinfo/ftpapi
> -----------------------------------------------------------------------
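As an added illustration of the last part of the quoted reply (the program side, once the DCM application has been created and a certificate assigned to it), here is a small ILE RPG program that identifies itself to the DCM with `https_init` before its first SSL request. This is example code written for this page, not code from HTTPAPI or from the list message. It assumes the `HTTPAPI_H` copy member and the `http_url_get`, `http_debug` and `http_error` calls as HTTPAPI provides them; the application ID is the one used in the message, and the URL and IFS paths are placeholders.

```rpgle
     H DFTACTGRP(*NO) ACTGRP(*NEW) BNDDIR('HTTPAPI')

      * HTTPAPI prototypes (assumed: the copy member shipped with HTTPAPI)
      /copy HTTPAPI_H

     D rc              S             10I 0
     D url             S            256A   varying
     D outFile         S            256A   varying
     D errMsg          S             52A

      /free
        // Identify this program to the DCM before the first SSL request.
        // The ID must match the client application registered in the DCM
        // (KLEMENTS_GIFTBOX_UPSTRACK is the example ID from the message;
        // use whatever ID you registered). The DCM, not HTTPAPI, decides
        // which client certificate is presented, based on this ID.
        https_init('KLEMENTS_GIFTBOX_UPSTRACK');

        // Optional: HTTPAPI's debug log on the IFS shows the SSL handshake,
        // so you can confirm the client certificate was actually presented.
        // (placeholder path)
        http_debug(*ON: '/tmp/httpapi_debug.txt');

        url     = 'https://example.com/track';      // placeholder URL
        outFile = '/tmp/track_response.xml';        // placeholder output file

        // http_url_get returns 1 on success; anything else is an error
        rc = http_url_get(url: outFile);
        if rc <> 1;
           errMsg = http_error();      // last HTTPAPI error message
           dsply errMsg;
        endif;

        *inlr = *on;
      /end-free
```

If the server rejects the connection, the debug log is the first place to look: it shows whether the handshake completed and what error OS/400's SSL layer returned. A mismatch between the ID passed to `https_init` and the ID registered in the DCM means the settings (and the certificate) assigned in the DCM never apply to this program.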