Our EDI/IP product supports S/MIME for which we wrote our own certificate management process. I looked at DCM and the APIs but they're really just for client certificate management and really not that useful at that. If all you're looking to get is a public key for a profile then it might work for you but the hashing and crypto services you'll have to provide yourself. If you're looking to get the server private key for signing then good luck. Unless newer versions now offer this, I found the only way to get this was to export it to a PBE file and decrypt the formatted output (PEM I believe).

TrailBlazer Systems, Inc.
http://www.as400ftp.com
AS/400 Communications & E-Commerce Solutions

Chaos, panic and disorder...my work here is done.

> -----Original Message-----
> From: Tom Litney [SMTP:Tom.Litney@net-reliance.com]
> Sent: Thursday, November 23, 2000 12:48 AM
> To: MIDRANGE-L@midrange.com
> Subject: Use of certificates in the AS400 environment
>
> Hi Gurus,
>
> I'm a rookie in the AS400 environment so please be gentle with me.
> I hope I'm not rehashing an old topic. I have checked the recent list
> archives and couldn't find any information. If I am, I apologize in
> advance and would appreciate any pointers to appropriate posts.
>
> I have read (and read between the lines) many IBM publications and
> other articles regarding the use of digital certificates for
> authentication and non-repudiation in the AS400 environment. I have
> made several assumptions regarding the information that I encountered
> and I'm hoping that you experts will straighten me out. What I have
> been able to surmise is that the AS400 base code contains APIs that
> an application could use to provide cryptographic functionality.
> That the Digital Certificate Manager is an application written by IBM
> to make use of these APIs in the browser environment but my
> assumption is that another application, that is not browser based,
> could make its own use of the APIs.
> Is this a valid assumption?
> The application usage I'm envisioning would not be internet or
> intranet (browser) based. I was hoping that by loading valid
> certificates into a validation list object and making the application
> "cryptographic API" aware, I could provide authenticated logons to an
> application for users over a TCP/IP network. This would involve
> transmitting user certificates to the application during session
> initiation. Assuming that the application could check the validation
> list object to ensure that the certs were valid; that only valid certs
> (contain the valid CA signature and have not expired) were in the
> validation list object; that a security administrator would provide
> the CRL function by weaning the validation list object of revoked
> certificates; and that I could prove that the holder of the cert was
> in possession of the valid secret key. The underlying assumption is
> that the CA and RA function would be performed offline somewhere by a
> trusted source. So, if I haven't gone too far off the deep end so
> far, I could use public key from the certificate in the validation
> list object to verify the signed message hash value created by the
> user to provide non-repudiation.
>
> Has anyone created their own PKI aware environment in the AS400?
> How many folks are currently using the DCM to provide authentication
> in the AS400?
> Is the use of the DCM a requirement? Or can one "roll their own"?
>
> Ok have at me! I hope someone out there takes pity on me and throws
> me a few clues.
>
>
> Tom Litney
> Director of Cryptographic Engineering
> NetReliance, Inc
> 3017 Douglas Blvd., Ste 300
> Roseville, CA 95661
> 916-788-7202 ext 8828
> cell - 916-802-3069

+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: firstname.lastname@example.org
+---
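
The logon scheme outlined in the quoted message (a list of accepted certificates, a CA-signature and expiry check, and proof that the peer holds the private key), sketched with the OpenSSL command line. This is an added example, not part of the original thread, and it does not use DCM, the AS/400 APIs or a real validation list object: the fingerprint file standing in for the list, the demo names and the nonce challenge are assumptions.

```sh
#!/bin/sh
# Constructed demo: all keys, certificates and names are generated here.
W=$(mktemp -d)          # scratch directory
ALLOW="$W/allow.txt"    # assumed stand-in for the validation list: one fingerprint per line
: > "$ALLOW"

fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

# Offline CA/RA step: create a CA, then issue a certificate signed by it.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo CA" \
    -keyout "$W/ca.key" -out "$W/ca.pem" 2>/dev/null
}
issue() {  # issue NAME -> $W/NAME.key, $W/NAME.pem
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$W/$1.key" -out "$W/$1.csr" 2>/dev/null &&
  openssl x509 -req -in "$W/$1.csr" -CA "$W/ca.pem" -CAkey "$W/ca.key" \
    -CAcreateserial -days 30 -out "$W/$1.pem" 2>/dev/null
}

# Administrator: add a certificate to the list, or prune a revoked one.
enroll() { fingerprint "$1" >> "$ALLOW"; }
revoke() {
  grep -vxF "$(fingerprint "$1")" "$ALLOW" > "$ALLOW.new" || true
  mv "$ALLOW.new" "$ALLOW"
}

# Server: a fresh random nonce per session, so an old signature cannot be replayed.
new_nonce() { openssl rand -hex 32 > "$1"; }
# Client: sign the nonce; the private key never leaves the client.
sign_nonce() { openssl dgst -sha256 -sign "$1" -out "$3" "$2"; }  # KEY NONCE SIG

# Server: accept only if the cert is listed, chains to the CA and is in date,
# and the signature over the nonce verifies under the certificate's public key.
authenticate() {  # authenticate CERT NONCE SIG
  fp=$(fingerprint "$1"); [ -n "$fp" ] || return 1
  grep -qxF "$fp" "$ALLOW" || return 1
  openssl verify -CAfile "$W/ca.pem" "$1" >/dev/null 2>&1 || return 1
  openssl x509 -in "$1" -noout -pubkey > "$W/peer.pub" || return 1
  openssl dgst -sha256 -verify "$W/peer.pub" -signature "$3" "$2" >/dev/null 2>&1
}

make_ca && issue alice && enroll "$W/alice.pem"
new_nonce "$W/n1" && sign_nonce "$W/alice.key" "$W/n1" "$W/s1"
authenticate "$W/alice.pem" "$W/n1" "$W/s1" && echo "alice: accepted"
```

Presenting a listed certificate is not enough on its own here: `authenticate` fails when the nonce signature was made with any other key, when an old signature is presented against a new nonce, and once `revoke` has pruned the certificate from the list.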