Re: HTTPAPI - Web service using 2 certificates
Hi Chris,

What you need to do is assign your program a profile in the Digital
Certificate Manager (DCM), and in that DCM profile, tell it to use
client certificates.

This is from memory... I'm sick and haven't been to work in a couple of
days, so I can't look up the specifics:

1) Go to the DCM configuration.

2) Select the *SYSTEM certificate store.

3) Click "manage applications".

4) Click "add application".

5) For HTTPAPI it should be a client application, but prior to v5r3 (I
think) there was only one type of application. So you may not be asked.

6) There should be a spot for an application ID. This can be any
string, but IBM recommends your company name, application and program
id, separated by underscores, so, for example:

    ACME_WEBSERVICES_ZMU010RG

7) I don't remember the other options on this screen... but there should
be a place for a description (descriptive name of your application) and
a place to define the cert trust list (I'd say "no", so it'll trust all
installed CAs).

8) Now click "update certificate assignment". Find your newly added
application, and assign your client-side certificate to it. Again, I
don't have the steps in front of me, but assuming you've already loaded
the certificate into the DCM, it should be a pretty user-friendly process.

9) Now that you've set it up in the DCM, you need to tell HTTPAPI to use it.
That is done by adding the following line of code (should be at/near
the start of your program):

    callp https_init('ACME_WEBSERVICES_ZMU010RG')

(Or whatever string you picked for the application ID.) Recompile your
program. (You don't have to recompile HTTPAPI, just your program that
calls it.) If your program has already been called within the job prior
to this change, a fresh signoff/signon will help ensure that it picks up
the change.

I know this isn't a perfect description, but I hope it's good enough to
get you going.

Good luck!

On 3/10/2011 9:11 PM, Chris Woodhead wrote:
>
> Hi All,
>
>
> I will need to consume a Web Service that uses SSL and a server side
> cert AND a client side cert. The reason stated for this is so that
> non-repudiation can be done for the send and the receive of the
> service.
>
>
> I know that HTTPAPI can work when there is a server side cert doing
> this function (we do that now). Can it do it with a client cert AND a
> server cert? If so how is it done? Many thanks.
>
>
> (Forum is at http://www.scottklement.com/mailman/listinfo/ftpapi ).
>
>
> Best regards,
>
>
-----------------------------------------------------------------------
This is the FTPAPI mailing list. To unsubscribe, please go to:
http://www.scottklement.com/mailman/listinfo/ftpapi
-----------------------------------------------------------------------