• Subject: RE: Use of certificates in the AS400 environment
  • From: Tim McCarthy <timm@xxxxxxxxxxxx>
  • Date: Mon, 27 Nov 2000 10:50:39 -0500

Our EDI/IP product supports S/MIME for which we wrote our own
certificate management process. I looked at DCM and the APIs but
they're really just for client certificate management and really not
that useful at that. If all you're looking to get is a public key for a
profile then it might work for you but the hashing and crypto services
you'll have to provide yourself. If you're looking to get the server
private key for signing then good luck. Unless newer versions now offer
this, I found the only way to get this was to export it to a PBE file
and decrypt the formatted output (PEM I believe).


TrailBlazer Systems, Inc.
http://www.as400ftp.com
AS/400 Communications & E-Commerce Solutions

Chaos, panic and disorder...my work here is done.


> -----Original Message-----
> From: Tom Litney [SMTP:Tom.Litney@net-reliance.com]
> Sent: Thursday, November 23, 2000 12:48 AM
> To:   MIDRANGE-L@midrange.com
> Subject:      Use of certificates in the AS400 environment
> 
> Hi Gurus,
> 
> I'm a rookie in the AS400 environment so please be gentle with me.
> I hope I'm not rehashing an old topic.  I have checked the recent list
> archives and couldn't find any information.  If I am, I apologize in
> advance and would appreciate any pointers to appropriate posts.
> 
>  I have read (and read between the lines) many IBM publications and
> other articles regarding the use of digital certificates for
> authentication and non-repudiation in the AS400 environment.   I have
> made several assumptions regarding the information that I encountered
> and I'm hoping that you experts will straighten me out.  What I have
> been able to surmise is that the AS400 base code contains APIs that
> an application could use to provide cryptographic functionality.
> That the Digital Certificate Manager is an application written by IBM
> to make use of these APIs in the browser environment but my
> assumption is that another application, that is not browser based,
> could make its own use of the APIs.  Is this a valid assumption?
> The application usage I'm envisioning would not be internet or
> intranet (browser) based.  I was hoping that by loading valid
> certificates into a validation list object and making the application
> "cryptographic API" aware, I could provide authenticated logons to an
> application for users over a TCP/IP network.  This would involve
> transmitting user certificates to the application during session
> initiation.  Assuming that the application could check the validation
> list object to ensure that the certs were valid; that only valid certs
> (contain the valid CA signature and have not expired) were in the
> validation list object; that a security administrator would provide
> the CRL function by weaning the validation list object of revoked
> certificates;  and that I could prove that the holder of the cert was
> in possession of the valid secret key.   The underlying assumption is
> that the CA and RA function would be performed offline somewhere by a
> trusted source.    So, if I haven't gone too far off the deep end so
> far, I could use the public key from the certificate in the validation
> list object to verify the signed message hash value created by the
> user to provide non-repudiation.
> 
> Has anyone created their own PKI aware environment in the AS400?
> How many folks are currently using the DCM to provide authentication
> in the AS400?
> Is the use of the DCM a requirement? Or can one "roll their own"?
> 
> Ok have at me!  I hope someone out there takes pity on me and throws
> me a few clues.   
> 
> 
> Tom Litney
> Director of Cryptographic Engineering
> NetReliance, Inc
> 3017 Douglas Blvd., Ste 300
> Roseville, CA  95661
> 916-788-7202 ext 8828
> cell - 916-802-3069
> 
> 
+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---
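
The logon check described in the quoted question (a CA-signed, unexpired certificate that is present in a validation list, plus proof that the sender holds the matching private key), sketched with the OpenSSL command line. This is an added example, not code from either poster or from IBM's DCM; the flat-file allowlist, the user names and the file names are assumptions made for illustration.

```shell
# Added example: throwaway CA, users and allowlist are constructed; names are hypothetical.
# make_pki DIR: CA plus two CA-issued users; only alice is enrolled in the
# allowlist (stand-in for the validation list: one SHA-256 fingerprint per line).
make_pki() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/ca.pem" \
    -subj "/CN=Example Offline CA" -days 30 2>/dev/null || return 1
  for u in alice bob; do
    openssl req -newkey rsa:2048 -nodes -keyout "$d/$u.key" -out "$d/$u.csr" \
      -subj "/CN=$u" 2>/dev/null || return 1
    openssl x509 -req -in "$d/$u.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
      -CAcreateserial -out "$d/$u.pem" -days 7 2>/dev/null || return 1
  done
  openssl x509 -in "$d/alice.pem" -noout -fingerprint -sha256 > "$d/allowlist.txt"
}

# Client side: sign_challenge KEY CHALLENGE SIG_OUT
sign_challenge() { openssl dgst -sha256 -sign "$1" -out "$3" "$2"; }

# Server side: verify_logon CA CERT ALLOWLIST CHALLENGE SIG
# Returns 0 = accept, 10 = bad chain or expired, 11 = not enrolled, 12 = bad signature.
verify_logon() {
  ca=$1; cert=$2; list=$3; chal=$4; sig=$5
  # 1. Issued by the trusted CA; openssl verify also enforces the validity dates.
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 10
  # 2. Enrolled: exact fingerprint line in the allowlist (revocation = removal).
  fp=$(openssl x509 -in "$cert" -noout -fingerprint -sha256) || return 11
  grep -qxF "$fp" "$list" || return 11
  # 3. Proof of possession: the signature over the server's fresh challenge
  #    must verify under the public key taken from the presented certificate.
  pub=$(mktemp) || return 12
  openssl x509 -in "$cert" -noout -pubkey > "$pub"
  if openssl dgst -sha256 -verify "$pub" -signature "$sig" "$chal" >/dev/null 2>&1
  then rc=0; else rc=12; fi
  rm -f "$pub"
  return "$rc"
}

# demo: one successful logon for the enrolled user, end to end.
demo() {
  t=$(mktemp -d) || return 1
  make_pki "$t" || return 1
  openssl rand -hex 32 > "$t/chal"                   # server: fresh nonce per logon
  sign_challenge "$t/alice.key" "$t/chal" "$t/sig"   # client
  verify_logon "$t/ca.pem" "$t/alice.pem" "$t/allowlist.txt" "$t/chal" "$t/sig"
  rc=$?; rm -rf "$t"; return "$rc"
}
```

The challenge must be generated by the server and be different for every logon; a signature over an earlier challenge then fails step 3.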
