MIDRANGE dot COM Mailing List Archive



Home » MIDRANGE-L » September 2013

RE: MIDRANGE-L Digest, Vol 12, Issue 1771



fixed

Scott,

Thank you very much for your help. I have a question... please forgive my lack of knowledge on this, this is all very new to me.

When you say "create a NEW application ID" and "load the application certificate (as a client certificate) directly into that new profile" I don't know how to do this. Is this done in Certificate Manager? I may need to have our VP of Operations do this step as well, but I will need to tell him how.

The https_init part I think I can handle, of course, that's the easy part.

Thanks,
Charlie

----------------------------------------------------------------------
date: Fri, 06 Sep 2013 14:59:44 -0400
from: Scott Klement <midrange-l@xxxxxxxxxxxxxxxx>
subject: Re: Certificate authentication through HTTPS

The error you posted explicitly means that it couldn't find a matching CA certificate, so the root/intermediate certs are almost certainly the problem.

You can't load CA certificates into a particular application (like FTP, Telnet, SMTP, etc). So I guess I don't understand your question about "how should he load them". He should load them as CA certificates, not application certificates. Load the root one first, then the intermediate.

Once he has those loaded, you should create a NEW application ID (do not use one of the existing ones) named for YOUR application. Maybe something like MYRON_HTTPS or something... Whatever you want to call it, but I strongly recommend starting it with your company name so that it does not conflict with other company's certs. Then load the application certificate (as a client certificate) directly into that new profile.

Then, use https_init('MYRON_HTTPS') in your RPG program that uses HTTPAPI so it knows which DCM profile to use.


On 9/6/2013 1:52 PM, Versfelt, Charles wrote:
Hi,

I need to send a CSV through HTTPS from the iSeries, I don't think this matters to my question but I plan to use HTTPAPI's http_url_post_stmf, I know that's a topic for a different newsgroup.

The client uses Certificate authentication. The certificate they provided was a .p12 extension. We have done certificate authentication from the iSeries in the past, but only with FTP. No one here has much experience with it. I have none.

We have two technical hurdles I hope someone can help with:

1.) Our Operations VP attempted to load the .p12 Certificate. He received an error in Work with CA certificates: An error occurred during certificate validation. The issuer of the certificate may not be in the certificate store or the issuer may not be enabled.

Both the client and IBM told us we need the Root and Intermediate certificates. The client provided them, and the VP loaded them. When he tried to load the .p12 Certificate, the same error reoccurred.

I don't know if the message reoccurrence is related to the second question. If the Root/Intermediate certificates were loaded incorrectly I imagine it could cause the problem to continue.

2) The Operations VP incorrectly assumed I was doing FTP and used that option to load the Certificates. When I told him I was transferring through HTTPS he told me that's not one of his options in Digital Certificate Manager. He gave me a print screen that included:
IBM Directory Server publishing
IBM Directory Server client
IBM I TCP/IP FTP Client
IBM I TCP/IP Telnet Client
SNDTWEET by Kisco
IBM I TCP/IP SMTP Client

How should he load the certificates for transferring from the iSeries via HTTPS?

Might loading those Root/Intermediate certificates with the correct method for HTTPS usage correct our initial problem of loading the .p12 file?

Any insight I can get on this is much appreciated!

Thanks,
Charlie V.
Myron

This email message has been delivered safely and archived online by Mimecast. For more information please visit http://www.mimecast.com


This email message has been delivered safely and archived online by Mimecast. For more information please visit http://www.mimecast.com






Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2014 by MIDRANGE dot COM and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available here. If you have questions about this, please contact