× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. September 2013

Re: Certificate authentication through HTTPS

You place a Certificate Authority (CA) in the *SYSTEM store. They can be
put in a store you make, but think of the *SYSTEM store as the default
catch all for CAs (like saying *LIBL when working with an object instead of
using a specific library).

CAs are what tell your system to "trust" certificates used by machines you
communicate with.

Think of it this way...

When you connect via SSL/TLS with a partner, the SSL "handshake" is done.
Your system sees their certificate and who has signed it (The CAs). If
you don't "trust" those CAs, the SSL handshake will fail.

So, by importing the CAs used in the server certificate into the *SYSTEM
store, you're telling the system to "trust" those particular CAs.

Who would you ask if you actually need a client certificate? That should
be in the specs from your trading partner. You could also ask someone on
the other side specifically "Do I need a client side certificate, or did
you sent me that certificate so I can export the CAs from it?"

I hope this helps. Without access to DCM it could be trouble. Maybe
you'll get lucky and the CAs that are placed in the *SYSTEM store when it's
created will be all you need. :)

Brad
www.bvstools.com


On Tue, Sep 10, 2013 at 10:42 AM, Versfelt, Charles <CVERSFELT@xxxxxxxxx>wrote:

Hi Brad,

Thanks for your reply... I don't know if I need to use a client
certificate or a CA stored in the *SYSTEM store. I wouldn't even know who
could answer the question. I only know that the verification is done via a
certificate, which I have never done. I'm not even accessing Digital
Certificate Manager myself. I don't believe I have authority to it. I'm
just doing the RPG side and I am passing information back and forth to the
VP of Operations. I can't see the Certificate Manager except screen shots
sent me by the VP of Operations and I'm trying to instruct him how I need
this set up. From his screen shots, that is what he's using. The people
whose site I am sending the CSV file to (and from whom I'll also need to
receive a reply file) don't know anything about the iSeries... they only
know about using the certificate in Internet Explorer... so I doubt they
can answer that question.

If this is a "*SYSTEM store" certificate, does that mean the mere fact
that it's loaded means I can use it? Or is there something that needs to
be done in Certificate Manager to make it a "*System Store" certificate,
assuming this is what I need?
If this is what I need, also, does that mean it won't need to point to an
application, and if so, how do I refer to it in my RPG program?
Or do I even need to?

Thanks so much,
Charlie.

Charles,

If you truely are using a client certificate you do this all in the Digital
Certificate Mananger (DCM). You can get there through the ADMIN HTTP
server (port 2001). Look around in there and it will make more sense.

Import the client certificate, then apply an application ID to it. Then on
your HTTP call you need to be sure to use the same application ID so that
it knows which client certificate to use.

But, I will say this. I would double check if you really need to use a
client certificate or if you're just making an HTTPS call that only
requires the CAs be installed in the *SYSTEM store.

I've worked with thousands of clients with projects like this (using our
GETURI product) and only 1 that I know of in 15 years used a client
certificate (and it didn't work because the SSL APIs had a bug because it
had never been truely tested... of course they did offer a PTF once we
worked through it).

SSL is confusing, yes, but rarely do I see client certificates in use.

Brad
www.bvstools.com

This email message has been delivered safely and archived online by
Mimecast. For more information please visit http://www.mimecast.com

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.



As an Amazon Associate we earn from qualifying purchases.

This thread ...
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2025 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.