Re: Questions about the HTTP Server and Keystore authority requirements for HTTPAPI

[Scott Klement <sk@xxxxxxxxxxxxxxxx>]

Hi Charles,

--IBM HTTP server for iSeries (57xx-DG1)

Only required for installing/configuring SSL certificates. HTTPAPI uses 
the SSL support that's built-in to the OS, and IBM designed the OS's SSL 
support to use the HTTP *ADMIN instance for configuration.

--Granting ordinary users permission to run SSL applications

The SSL key databases (certificate stores) contain the private keys as 
well as SSL certificates. Normally, a certificate file is publicly 
available, but a key is not.  It's perfectly acceptable (and normal) to 
send your certificate(s) to other sites, they can use them to check that 
you are who you claim to be, and when they send encrypted data to you, 
only you can read it (because you have the key, and nobody else does.)

The risk in granting access to them is that the user who has been 
granted such access could potentially download the key file, and install 
it somewhere else to "impersonate" you.

Adopted authority *never* works on IFS objects.

But, you don't *have* to give all users (*PUBLIC) access to the SSL key 
files, you only have to grant that access to whomever will be running 
HTTPAPI in SSL mode. Only these users need access to the key database.

If that's unacceptable, you could potentially design your application as 
a background job (communicating with the users via data queue) and run 
that background job with a user profile created specifically for this 
purpose.  If you follow what I'm suggesting, you'll understand that only 
that user profile would need to be granted access to the key files.

Alternately, you could use "profile-swapping" (such as the profile 
handle or profile token APIs) to swap to a user profile that has access 
to the key databases.

But, ultimately, in order to do SSL, the system must have authority to 
these files, because they contain the certificates, CA certificates, and 
keys that are needed for the SSL cryptography.


On 4/16/2012 9:34 AM, Charles Wilt wrote:
> All,
>
> Looking to make use of HTTPAPI...management is asking some questions
> about the requirements, specifically the need for
> --IBM HTTP server for iSeries (57xx-DG1)
> --Granting ordinary users permission to run SSL applications
>
> Taking these one at a time...
>
> --IBM HTTP server for iSeries (57xx-DG1)
> I believe this license program needs to be loaded, but I don't
> actually have to have the HTTP (admin?) server running except as
> needed to make changes to the certificate store via the digital
> certificate manager..
>
> Can anyone confirm?
>
> --Granting ordinary users permission to run SSL applications
> Management gets nervous when I ask them to change the security on an
> IBM supplied object. :)
> I don't understand why this wasn't *PUBLIC *USE to begin with...
> Does anybody have any information or better yet links to IBM
> documentation describing why this change is a "good" idea with little
> or no risk?
>
> As an alternative, I assume I could use adopted authority in my
> HTTPAPI apps that need HTTPS; can anyone confirm?
>
> Thanks!
> Charles
> -----------------------------------------------------------------------
> This is the FTPAPI mailing list.  To unsubscribe, please go to:
> http://www.scottklement.com/mailman/listinfo/ftpapi
> -----------------------------------------------------------------------
>

-----------------------------------------------------------------------
This is the FTPAPI mailing list.  To unsubscribe, please go to:
http://www.scottklement.com/mailman/listinfo/ftpapi
-----------------------------------------------------------------------