CallHTTPWithSSL

From Pickwiki

Priceless example!

Managed to connect to https://www-927.ibm.com/software/data/u2/support/u2techconnect/ by also changing...

      X.DEPTH = 1 ;* Changed from 0 to 1 to allow signed by CA
      X.SERVER.OR.CLIENT = 2 ;* CLIENT
      X.RTN.CODE = setAuthenticationDepth(X.CONTEXT, X.DEPTH, X.SERVER.OR.CLIENT)

and using the 'Equifax Secure Certificate Authority' certificate instead of one generated by java keytool. I looked in the protocol log to discover that the equifax certificate was required:

01/20/2004 18:14:51 SSL Certificate Verification:
depth: 0
subject: /C=CA/O=IBM/CN=www-927.ibm.com
issuer: /C=US/O=Equifax/OU=Equifax Secure Certificate Authority

I'm on XP, so I used Start > Run > mmc, File > Add/Remove Snap-in > Certificates, Certificates > Trusted Root CAs > Equifax, Action > All Tasks > Export

to get an equifax.cer certificate file instead of Wendy's wsmoak_tomcat.cer, but I imagine these are available on the web somewhere - would be a lot easier if IBM included all the standard root CA files somewhere.

-- Simon Lewington ud@simonl.free-online.co.uk
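The protocol-log reading Simon describes above, as an added example that is not part of this page or of IBM's callHTTP code: it parses the "SSL Certificate Verification" blocks written by protocolLogging(), reports which issuer certificate addCertificate() needs, and the smallest X.DEPTH that lets the chain verify instead of failing (or being switched off). The depth-1 block in the constructed sample log is an assumption; the page itself only shows the depth-0 block.

```python
import re
from dataclasses import dataclass
# Constructed sample of a protocolLogging() trace in this page's layout; the depth-1 block is assumed.
SAMPLE_LOG = """\
01/20/2004 18:14:51 SSL Certificate Verification:
depth: 1
subject: /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
issuer: /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
01/20/2004 18:14:51 SSL Certificate Verification:
depth: 0
subject: /C=CA/O=IBM/CN=www-927.ibm.com
issuer: /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
"""

@dataclass
class ChainEntry:
    depth: int
    subject: dict
    issuer: dict

def parse_dn(dn: str) -> dict:
    """Split an OpenSSL-style '/C=US/O=Equifax' DN into {type: value}; a literal '/' inside a value is not handled."""
    return dict(p.split("=", 1) for p in dn.strip().split("/") if p)

def _entry(block: dict) -> ChainEntry:
    return ChainEntry(int(block["depth"]), parse_dn(block["subject"]), parse_dn(block["issuer"]))

def parse_verification_log(text: str) -> list:
    """Collect one ChainEntry per 'SSL Certificate Verification:' block in the log."""
    entries, block = [], {}
    for line in text.splitlines():
        if line.rstrip().endswith("SSL Certificate Verification:"):
            if block:
                entries.append(_entry(block))
            block = {}
            continue
        m = re.match(r"\s*(depth|subject|issuer):\s*(.*?)\s*$", line)
        if m:
            block[m.group(1)] = m.group(2)
    if block:
        entries.append(_entry(block))
    return entries

def required_trust(entries: list) -> tuple:
    """Return (issuer DN to load with addCertificate, root_seen, minimum X.DEPTH).
    X.DEPTH follows the convention the page's comments imply: 0 = peer cert must be
    self-signed, 1 = signed by one CA. If the topmost logged cert is not self-signed,
    its issuer is the CA certificate that is still missing from the context."""
    top = max(entries, key=lambda e: e.depth)
    root_seen = top.subject == top.issuer
    return top.issuer, root_seen, (top.depth if root_seen else top.depth + 1)
```

Run it over the real XWDS.HTTP.LOG produced by the code further down to see which root CA file to export and load before touching X.DEPTH.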



Fixed! IBM said to use

      X.USED.AS="2" ;* Used as an issuer certificate
      X.FORMAT="2" ;* DER format

in the code below. (Both of those used to be "1" when I started this.)

I re-read the manual, and I still don't know enough about SSL to have figured that out.

-- Wendy Smoak wsmoak@asu.edu


Ian, yes, there's a reason. This is a simple test but eventually I need to POST over HTTPS to a third party. I can already do it over HTTP, but when I change to HTTPS, it breaks. So I switched to simple test code to see if I could find the problem.

-- Wendy


Wendy, is there a reason to do it from Basic? (other than for fun :-) cURL can download https

you could do

* -k makes curl skip server certificate verification, so this does not check who the server is
EXECUTE "!curl -k -o ./MYDIR/FNAME https://www.example.com"
OPEN 'MYDIR' TO MYDIR ELSE STOP 201,'MYDIR'
READ R FROM MYDIR, 'FNAME' ELSE STOP 'https get did not work'


Does anyone know where the documentation for createSecureRequest() is? It's not in the UniBasic Extensions manual...

Sample UniBasic code:

* WENDY SMOAK

      EQUATE CRLF TO CHAR(013):CHAR(010)

      * Write the SSL/HTTP protocol trace to a file so certificate problems can be seen
      X.LOG.FILE = 'XWDS.HTTP.LOG'
      X.LOG.ACTION = 'ON'
      X.LOG.LEVEL = '10'
      X.RTN.CODE = protocolLogging(X.LOG.FILE, X.LOG.ACTION, X.LOG.LEVEL)
      CRT 'protocolLogging: ':X.RTN.CODE

      X.RTN.CODE = createSecurityContext(X.CONTEXT, '')
      CRT 'createSecurityContext: ':X.RTN.CODE

      X.CERT.PATH="wsmoak_tomcat.cer" ;* self-signed cert exported with keytool (see Certificate below)
      * changed next 2 lines from 1 to 2 per IBM
      X.USED.AS="2" ;* Used as an issuer certificate
      X.FORMAT="2" ;* DER format
      X.ALGORITHM="1" ;* RSA key
      X.RTN.CODE = addCertificate(X.CERT.PATH, X.USED.AS, X.FORMAT, X.ALGORITHM, X.CONTEXT)
      CRT 'addCertificate: ':X.RTN.CODE

      X.DEPTH = 0 ;* 0 = peer cert must be self-signed; use 1 for a CA-signed server cert (see note above)
      X.SERVER.OR.CLIENT = 2 ;* CLIENT
      X.RTN.CODE = setAuthenticationDepth(X.CONTEXT, X.DEPTH, X.SERVER.OR.CLIENT)
      CRT 'setAuthenticationDepth: ':X.RTN.CODE

      X.RTN.CODE = showSecurityContext(X.CONTEXT,X.CONFIG.INFO)
      CRT 'showSecurityContext: ':X.RTN.CODE
      SWAP @AM WITH CRLF IN X.CONFIG.INFO
      CRT X.CONFIG.INFO

      URL="https://your.server.here/index.html"
      HTTP.METHOD="POST"
      X.RTN.CODE = createSecureRequest(URL,HTTP.METHOD,X.HANDLE,X.CONTEXT)
      CRT 'createSecureRequest: ':X.RTN.CODE

      X.RTN.CODE = submitRequest(X.HANDLE,'','',X.RESPONSE.HEADERS,X.RESPONSE.DATA,X.HTTP.STATUS)
      CRT 'submitRequest: ':X.RTN.CODE

      CRT 'X.RESPONSE.HEADERS = ':X.RESPONSE.HEADERS
      CRT 'X.RESPONSE.DATA = ':X.RESPONSE.DATA
      CRT 'X.HTTP.STATUS = ':X.HTTP.STATUS

      X.LOG.ACTION = 'OFF'
      X.RTN.CODE = protocolLogging(X.LOG.FILE, X.LOG.ACTION, X.LOG.LEVEL)
      CRT 'protocolLogging: ':X.RTN.CODE


Certificate

The Certificate I'm using was generated and exported with 'keytool', which is a utility that is distributed with Sun's JDK, of which I'm using version 1.4.1_02.

http://java.sun.com/j2se/1.4.1/docs/tooldocs/solaris/keytool.html

The web server I'm using is Tomcat 4.1.24, and I followed these directions to enable SSL: http://jakarta.apache.org/tomcat/tomcat-4.1-doc/ssl-howto.html

The original .keystore file was generated with:

> keytool -genkey -alias tomcat -keyalg RSA

And then the .cer file was exported with:

> keytool -export -alias tomcat -file wsmoak_tomcat.cer