[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Client Certificates

Hi Ron,

> In HTTPAPI I see where to put in the application tied to the server
> certificate   https_init('SERVERCERT');
> But I do not see the place to add in the client application that we want to
> use for the client certificate

The SSL code isn't a part of HTTPAPI.  It's part of OS/400. I think it's 
critical to realize this, because you seem to be looking for an option 
in HTTPAPI to set a certificate.  That's not how it works.  You have to 
tell OS/400 to set a certificate.

OS/400 has a tool called the Digital Certificate Manager (DCM) where you 
can manage applications, assign the SSL settings appropriate for that 
application, and so on and so forth.

So, the first issue is to set up your application in the DCM.  Setting 
it up makes it possible to assign settings to it, including assigning a 
certificate to it.  This is a critical step.

They keep changing the interface for the DCM, so I'll tell you the steps 
on my V5R4 system, and hopefully you can extrapolate what they should be 
on another release...

Keep in mind that this is part of IBM i (OS/400) and not part of 
HTTPAPI, I provide instructions to help you out, but there may very well 
be better ones in the Information Center?
a) If necessary, start the *ADMIN instance of the HTTP server.

b) Log in to the *ADMIN instance of the HTTP server

c) Click "Digital Certificate Manager"

d) Click "Select Certificate Store"

e) Choose the *SYSTEM certificate store, and click "continue"

f) enter the *SYSTEM certificate store password, and click "continue"

g) In the pane on the left, expand "Manage Applications"

h) Choose "Add Application"

i) Choose "Client", then "continue"

j) You should now be on the screen where you can setup an application. 
Here are details of this step:

Application ID:

IBM recommends that it start with something to identify the company 
(they use QIBM, and ask that you do not use that!)  followed by the name 
of the software package, followed by the name of the component. What you 
name it is up to you.  I might put something like this:


That would be a name I'd use for the UPSTRACK component of the Giftbox 
software provided by Klement's Sausage.  Yours might be something like:


This is just to give you the idea.  It can be anything you like, up to 
100 characters.  You can click the help button (upper-right) to see 
IBM's help file that explains what characters are allowed in this field. 
  It should be one word (no spaces) and can be up to 100 characters long.

Exit program info:

I always take the default, because I don't use an exit program when my 
cerificates are changed. So just take the default here, unless you want 
to use this feature.  (HTTPAPI doesn't care)

Application user profile:

I've never used this feature... just take the default.

Define the CA trust list:

This is up to you.  Do you want to specifically list which CA's you 
trust?  Or take the same defaults as all other SSL apps on the system? 
I generally choose "No", so it uses the general-purpose CA trust list.

Certificate revocation processing: Yes

I don't use CRLs, but it doesn't hurt to choose "Yes" here, anyway.

Application description:

Click the radio button on the left, next to "Application Description". 
Type a human-readable description of your application here.  This is 
what will show up when the user is viewing the applications in the DCM. 
  Something like "Klement's Sausage UPS Tracking Application".  Whatever 
makes sense for your users to see.

k) click "Add" and it should add the new application to the DCM.

l) It'll tell you that it has added it successfsully... click "OK"

m) You can now use the "Manage Applications" interface to view, update, 
etc the application.

n) Click "Update Certificate Assignment"

o) Click "Client"

p) Your program should now be listed as one of the client programs on 
the system.  Select the radio button next to it, then the "Update Cert
Assignment" button at the bottom.

q) It should list the certificates available.  Select the one you want 
to use as your client certificate, and then click "Assign New Certificate".

r) At the top of the screen, it says "cerificate was assigned to 

So now you've created a profile of sorts in the DCM, and it tells the 
SSL settings for a particular application.  Any program that identifies 
itself to the DCM as "KLEMENTS_GIFTBOX_UPSTRACK" (or whatever you put 
for the application id) will use the settings provided to the DCM, 
above.  This is how you tell it that you want a certificate, and which 
certificate to use.

Back in HTTPAPI, prior to using SSL for the first time in your program, 
do this:

       callp https_init('KLEMENTS_GIFTBOX_UPSTRACK');

(again -- or whatever ID you've assigned)  This tells HTTPAPI how to 
identify itself to the Digital Certificate Manager -- and therefore, 
HTTPAPI is requesting that the DCM uses the settings you provided in the 
application configuration in the DCM.  (Including the client certificate)

If you have multiple client certificates that need to be assigned 
separately for separate applications, then create a second, third, (or 
whatever) application profile in the DCM for those other certificates. 
Tell HTTPAPI to use those alternate profiles.
This is the FTPAPI mailing list.  To unsubscribe, please go to: