Mutual TLS for HTTPAPI. RPGLE Rest API

Discussions related to HTTPAPI (An HTTP Client Package for RPG programming.) http://www.scottklement.com/httpapi/
wood_9@hotmail.com
Posts: 2
Joined: Fri Sep 27, 2024 11:49 am

Mutual TLS for HTTPAPI. RPGLE Rest API

Post by wood_9@hotmail.com »

Hi Scott,
Apologies if this has been answered but does HTTPAPI support Mutual TLS within RPGLE?
I came across an example of how to load the certificate similar to the below, but I am unsure if this is valid.

// Load certificates first
rc = http_setSSLCertificateFile(clientCertFile);


Many thanks in advance,

Elliot

Scott Klement
Site Admin
Posts: 872
Joined: Sun Jul 04, 2021 5:12 am

Re: Mutual TLS for HTTPAPI. RPGLE Rest API

Post by Scott Klement »

Hello,

I assume by "mutual TLS" you mean that you wish to use TLS with client-side certificates?

To do so, you should call https_init() with an application ID prior to performing any requests. You should configure that application ID in the IBM i digital certificate manager for client-side certificates.

If you need to force a particular certificate store for some reason, you should use http_certStore().

I've never heard of http_setSSLCertificateFile -- not sure where this came from, but it is not a part of HTTPAPI, so doesn't make sense in this context. It is probably part of a completely different software package.

Re: Mutual TLS for HTTPAPI. RPGLE Rest API

Post by wood_9@hotmail.com »

Many thanks for the reply!

Yes, I did mean using TLS with client-side certificates, as we are trying to connect from the IBM i to a REST API using TLS with a client-side certificate.

So as I understand it, we first upload the certificate in the IBM i Digital Certificate Manager, then retrieve it using the certificate application ID within https_init().

Re: Mutual TLS for HTTPAPI. RPGLE Rest API

Post by Scott Klement »

Yes, that's the right idea.

In the Digital Certificate Manager, you upload it as a client certificate. (uploading any necessary CA certificates first).

Then you create an application profile and assign the client certificate to it, and set any options that you wish within that profile. You give the profile an ID like ACME_CLIENT_CERT (pick any name you like... I'm using ACME here because I don't know your company name).

Then in the RPG program you start with https_init('ACME_CLIENT_CERT'). This tells it to use the application profile that you configured in the Digital Certificate Manager.
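The flow described in the replies above, as an added example that is not code from the thread or from the HTTPAPI distribution: select the DCM application ID with https_init(), stop if that fails, then make the request. It assumes the HTTPAPI binding directory and the HTTPAPI_H copy member are on the library list, an HTTPAPI version that provides http_string(), and a placeholder URL.

```rpgle
**free
// Added example: HTTPS request that presents a client certificate
// through a DCM application ID. The URL is a placeholder (assumption).
ctl-opt dftactgrp(*no) actgrp(*new) bnddir('HTTPAPI');

/copy qrpglesrc,httpapi_h

dcl-c APP_ID 'ACME_CLIENT_CERT';                 // DCM application ID used in the thread
dcl-c URL    'https://api.example.com/v1/ping';  // placeholder endpoint (assumption)

dcl-s response varchar(65535);
dcl-s msg      char(52);                         // DSPLY shows at most 52 characters

// Bind this job's TLS sessions to the DCM application definition.
// The client certificate and the trusted CA certificates come from
// that definition, so the program holds no key material or file paths.
if https_init(APP_ID) <> 0;
   // Fail closed: never continue to the request without the client
   // certificate, or the failure surfaces later as a confusing
   // handshake or authorization error from the server.
   msg = http_error();
   dsply msg;
   *inlr = *on;
   return;
endif;

// http_string() signals failure with an escape message, so wrap it.
monitor;
   response = http_string('GET': URL);
   msg = 'Request OK, bytes received: ' + %char(%len(response));
   dsply msg;
on-error;
   // Covers TLS handshake failures (for example, the server rejecting
   // the certificate assigned in DCM) as well as HTTP-level errors.
   msg = http_error();
   dsply msg;
endmon;

*inlr = *on;
return;
```

The user profile running the program needs authority to the certificate store that holds the application definition, otherwise https_init() or the handshake fails even though the DCM configuration is correct.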