× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. RPG400-L
  3. October 2003

RE: Sockets and client certificate


> I guess you've never had a B2B relationship with a partner that mandates
> something better than Basic Authentication.

HTTPAPI supports both Basic Authentication and Digest Authentication.  And
they can be used with or without SSL.   I believe that it also supports
a client-side certificate... but I haven't tested that.

> The partner would usually issue you with a client certificate to permit
> you to access their server. We had to develop web applications for a
> customer who is a national bank where they would not even permit their
> browser clients access without a trusted client certificate. I suspect
> it will become more common in this age of identity fraud.

I've done this with telnet, but not with HTTP.

>
> For SSL connections that do not require a client certificate we have
> created RPGLE that binds to the SSL versions of the TCP sockets
> procedures. The entire code is not too verbose without even bothering to
> strip prototypes and methods into a service program. Although the SSL
> socket APIs prior to V5 required a reference to the certificate store
> containing the digital certificate used to encrypt the session, since
> then only the Application ID assigned by the DCM is necessary, just like
> in the IBM GSKit (which does seem verbose).
>

HTTPAPI uses GSKit.

> Not having seen any example of using a client cert in RPGLE it seemed as
> clear as mud how this might be achieved (even in the GSKit). However, I
> notice that there is a reference to a local certificate in a data
> structure which has been set to *null, maybe that's what I've missed.
>
> The thing about embedding a cert in the header seemed a reasonable
> assumption since that's how authentication appears to be prescribed by
> RFCs, which for me appear to make digital cert stuff look too hard
> compared with Basic Authentication.
>

The RFCs define BASIC and DIGEST authentication.  They do not talk about
certificates.  I'm assuming, therefore, that you're talking about SSL
certificates


> If you figure you can prove how do it with GSKit then that would be nice
> to know. We can always stick with the java classes that achieve this
> but, like you, I have a penchant for knowing how to do it in RPGLE.

As I said in the previous message, I believe my HTTPAPI already DOES do
this, all you have to do is assign it a cert in Digital Certificate
Manager.

Please download it and try it and see if it does what you want to do.  If
it does, you're free to use it, rather than writing your own HTTP
routines.   It's open source, so it costs you nothing.  If for some
obscure reason you don't want to use it, feel free to read the code and
learn how it works.

That's part of the beauty of open source -- you can learn from other
people's code.

http://www.scottklement.com/httpapi/

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.