MIDRANGE dot COM Mailing List Archive




RE: SOAP, SSL and RPG




Thanks for the help.
Will try it out in the morning.

Rich


-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Steinmetz, Paul
Sent: Friday, March 07, 2014 12:29 PM
To: 'Midrange Systems Technical Discussion'
Subject: RE: SOAP, SSL and RPG

Rich,

Here's an IBM doc with our customization included.

IBM Software Technical Document
_______________________________________________________________
Document Information
Document Number: 592289479
Functional Area: Operating System
Subfunctional Area: Programming
Sub-Subfunctional Area: IWS Client
OS/400 Release: 5.4.5; 6.1; 6.1.1; 7.1; V5R4M0; V5R4M5; V6R1M0; V6R1M1;
V7R1M0
Product: OS/400 BASE (5722SS100)
400-03 EXTND BASE DR (5722SS1ED)
I5/OS (5761SS1ED)
EXT BAS DIR (5770SS1ED)
Product Release: 5.4, 6.1, 7.1
_______________________________________________________________

Document Title
Setting Up a Client to Consume a Web Service Over an SSL (HTTPS) Connection

Document Description
There are some additional steps that need to be performed when setting up a
client application to consume a Web service over a secure (https)
connection.

As with any secure connection, you need to ensure that the CA certificate
from the HTTPS server is in the *SYSTEM certificate store on the System i.
By default, many of the commonly used CA certificates are shipped with
Digital Certificate Manager (DCM). You can view the CA certificates that are
in the *SYSTEM store using DCM. If the CA certificate for the server that
you wish to connect to is not in the *SYSTEM store, you need to obtain a
copy of it from the server administrator (or extract it using browser tools
while connected to the secure site), and then import it into the certificate
store. You should refer to Rochester Support Center knowledgebase document
548824369, How to Import a CA Certificate into Digital Certificate Manager:
for more details on how to import a CA certificate.

Once you have imported the CA certificate, you need to edit the axiscpp.conf
file, which is in the following path:
/qibm/ProdData/OS/WebServices/V1/client/etc/axiscpp.conf

You can edit this file directly; however, it is strongly recommended that
you place a copy of the /etc directory from the above path into another path
on the System i. If you make a copy, you need to set the environment
variable AXISCPP_DEPLOY to point to the path containing the new /etc
directory. For example, if you copied the /etc directory from the above
location to /tmp, you would set the AXISCPP_DEPLOY envvar to /tmp. You can
use either *SYS or *JOB for the environment variable; however, *SYS will
cause the configuration file to be read for any job consuming a Web service.
If you edit the axiscpp.conf file in the original directory, be aware that
this file can be replaced when PTFs are loaded.

Here is a sample of how you would code the axiscpp.conf file:

************Beginning of data**************
# The comment character is '#'
# Available directives are as follows
#
# ClientWSDDFilePath: The path to the client WSDD
# SecureInfo: The GSKit security information
#

Channel_HTTP_SSL:/QIBM/ProdData/OS/WebServices/V1/client/lib/libhttp_channelssl.so
SecureInfo:/qibm/UserData/ICSS/Cert/Server/DEFAULT.KDB,default,GTE CyberTrust Global Root,07,05,35,false

************End of Data********************

Note that the first parameter (parameters separated by commas) in the
SecureInfo statement is the path to the *SYSTEM certificate store in DCM,
and the third parameter is the name of the CA certificate that you imported
into DCM.

Pencor specifics below.

1. Path and contents of copied
From: /QIBM/ProdData/OS/WebServices/V1/client/etc/axiscpp.conf
To: /SSLRPGCLIENT/etc/axiscpp.conf

Channel_HTTP_SSL:/QIBM/ProdData/OS/WebServices/V1/client/lib/libhttp_channelssl.so
SecureInfo:/qibm/UserData/ICSS/Cert/Server/DEFAULT.KDB, , ,NONE,05,NONE



#ClientLogPath:/tmp/axis.log

2. Environment Var (*SYS) AXISCPP_DEPLOY
QSYS/ADDENVVAR ENVVAR(AXISCPP_DEPLOY) VALUE('/SSLRPGCLIENT') LEVEL(*SYS)


3. Path of DCM SYSTEM certificate store
/QIBM/UserData/ICSS/Cert/Server/DEFAULT.KDB

4. IFS authority changes (RX) were needed for access to DCM system store via
the CM_GRP profile
/QIBM/UserData/ICSS/Cert/Server/DEFAULT.KDB
Added new user CM_GRP, RX for Server and DEFAULT.KDB

5. ICAPI environment changed from http to https
https://vmbrcicapitst02.pencor.com/ICAPI/ICAPI.asmx

Paul
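
An added example (not part of the original thread or the IBM document): a Python preflight check for the copied axiscpp.conf that flags lines a mail client has wrapped and confirms that the store named in the first SecureInfo field is readable by the current user. The function names and the sample config are constructed for illustration; only the '#' comment rule and the meaning of SecureInfo fields 1 and 3 come from the document.

```python
import os
import tempfile

def parse_axiscpp_conf(text):
    """Return (directives, problems); '#' starts a comment line."""
    directives, problems = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep and value.strip():
            directives[name.strip()] = value.strip()
        else:
            # e.g. an orphaned "ssl.so" left behind by a mail client's line wrap
            problems.append(f"line {n}: not a name:value directive: {line!r}")
    return directives, problems

def check_deploy(deploy_dir):
    """Check <deploy_dir>/etc/axiscpp.conf, where deploy_dir is AXISCPP_DEPLOY."""
    conf = os.path.join(deploy_dir, "etc", "axiscpp.conf")
    if not os.path.isfile(conf):
        return {"problems": [f"{conf} not found; check AXISCPP_DEPLOY"]}
    with open(conf, encoding="utf-8", errors="replace") as fh:
        directives, problems = parse_axiscpp_conf(fh.read())
    result = {"problems": problems}
    if "Channel_HTTP_SSL" not in directives:
        problems.append("no Channel_HTTP_SSL directive")
    fields = [f.strip() for f in directives.get("SecureInfo", "").split(",")]
    if len(fields) < 3:
        problems.append("SecureInfo missing or has fewer than 3 fields")
        return result
    # Per the document: field 1 is the store path, field 3 the CA certificate name.
    result["store"], result["ca_label"] = fields[0], fields[2]
    if not os.access(fields[0], os.R_OK):
        problems.append(f"certificate store not readable: {fields[0]}")
    return result

def demo():
    """Constructed sample: the config as pasted from a mail that wrapped two lines."""
    with tempfile.TemporaryDirectory() as d:
        store = os.path.join(d, "DEFAULT.KDB")
        open(store, "w").close()
        os.mkdir(os.path.join(d, "etc"))
        with open(os.path.join(d, "etc", "axiscpp.conf"), "w") as fh:
            fh.write("Channel_HTTP_SSL:/QIBM/ProdData/OS/WebServices/V1/client/"
                     "lib/libhttp_channel\nssl.so\n"
                     f"SecureInfo:{store},default,GTE\n"
                     "CyberTrust Global Root,07,05,35,false\n")
        return check_deploy(d)
```

Run check_deploy under the profile that the consuming job uses, since the readability result depends on that user's authority to the store.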

-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Rich Marion
Sent: Friday, March 07, 2014 2:00 PM
To: midrange-l@xxxxxxxxxxxx
Subject: SOAP, SSL and RPG

All,

I have been tasked with consuming a web service via SSL utilizing RPG code.

The certificates they provided were installed on the V7R1 box (not sure if
this was done correctly)

Nadir was kind enough to inform me where the subprocedure axiscStubSetSecure
was located. My RPG code compiles and runs, but I get an error message
stating 428(?) no certificate available for processing.

I put the Certs on my PC and downloaded the latest free version of SOAPUI.
I receive a message from the remote host that "POST" is not allowed. So I
think the certs are not configured properly on the big box as my PC seems to
get past that point. (There may be an additional problem with the URL the
host computer provided)

All the web service RPG demos that I could find do not deal with consuming
an SSL web service that is not being self hosted, nor how to set SOAP Header
messages. (I hope I am using the correct terms)

Can you point me to some good documentation of SSL SOAP connections, how to
use the API's to create/modify the header message and certificate handling?

Thanks,
Rich Marion



--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe, unsubscribe,
or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take a
moment to review the archives at http://archive.midrange.com/midrange-l.













This mailing list archive is Copyright 1997-2014 by MIDRANGE dot COM and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available here. If you have questions about this, please contact