Managed to connect to https://www-927.ibm.com/software/data/u2/support/u2techconnect/ by also changing...
    X.DEPTH = 1 ;* Changed from 0 to 1 to allow signed by CA
    X.SERVER.OR.CLIENT = 2 ;* CLIENT
    X.RTN.CODE = setAuthenticationDepth(X.CONTEXT, X.DEPTH, X.SERVER.OR.CLIENT)
and using the 'Equifax Secure Certificate Authority' certificate instead of one generated by Java keytool. I looked in the protocol log to discover that the Equifax certificate was required:
    01/20/2004 18:14:51 SSL Certificate Verification: depth: 0 subject: /C=CA/O=IBM/CN=www-927.ibm.com issuer: /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
I'm on XP, so I used Start > Run > mmc, then File > Add/Remove Snap-in > Certificates, then Certificates > Trusted Root CAs > Equifax, then Action > All Tasks > Export
to get an equifax.cer certificate file instead of Wendy's wsmoak_tomcat.cer, but I imagine these are available on the web somewhere - it would be a lot easier if IBM included all the standard root CA files somewhere.
-- Simon Lewington email@example.com
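The log line quoted above is what tells you which CA has to be loaded into the security context and how far up the chain setAuthenticationDepth() must let the verifier walk. The following Python helper is an added example, not code from this thread or from IBM: it parses "SSL Certificate Verification" entries of the form shown, extracts the subject and issuer DNs, names the trust anchor (the issuer of the deepest certificate logged) and derives the smallest depth that reaches it. The depth semantics assumed here are the ones the post describes (depth 0 covers only the server certificate; a CA-signed certificate needs depth 1). The second log line in the sample is constructed to show a chain that terminates in a self-signed root; the first is the one from the post. Doing this check is the alternative to the `curl -k` shortcut mentioned later in the thread, which skips verification altogether.

```python
import re
from dataclasses import dataclass

# Constructed sample of a UniBasic protocol log. The first entry is the one
# quoted in the post above; the second (a self-signed root at depth 1) is
# made up here to show what a complete chain walk looks like.
SAMPLE_LOG = """\
01/20/2004 18:14:51 SSL Certificate Verification: depth: 0 subject: /C=CA/O=IBM/CN=www-927.ibm.com issuer: /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
01/20/2004 18:14:51 SSL Certificate Verification: depth: 1 subject: /C=US/O=Equifax/OU=Equifax Secure Certificate Authority issuer: /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
"""

# Matches the "depth: N subject: <DN> issuer: <DN>" tail of a verification entry.
ENTRY_RE = re.compile(
    r"SSL Certificate Verification:\s+depth:\s*(\d+)\s+subject:\s*(.+?)\s+issuer:\s*(.+?)\s*$"
)


@dataclass
class VerificationEntry:
    depth: int
    subject: dict  # parsed DN, e.g. {"C": "CA", "O": "IBM", "CN": "www-927.ibm.com"}
    issuer: dict


def parse_dn(dn: str) -> dict:
    """Turn an OpenSSL-style '/C=US/O=Equifax/OU=...' string into a dict."""
    attrs = {}
    for part in dn.split("/"):
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip()] = value.strip()
    return attrs


def parse_log(text: str) -> list:
    """Extract every certificate verification entry from protocol log text."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if m:
            entries.append(
                VerificationEntry(int(m.group(1)), parse_dn(m.group(2)), parse_dn(m.group(3)))
            )
    return entries


def is_self_signed(entry: VerificationEntry) -> bool:
    """A root CA certificate names itself as issuer."""
    return entry.subject == entry.issuer


def trust_anchor(entries: list) -> dict:
    """The issuer of the deepest logged certificate: the CA certificate that
    must be added to the security context for verification to succeed."""
    deepest = max(entries, key=lambda e: e.depth)
    return deepest.issuer


def suggested_depth(entries: list) -> int:
    """Smallest authentication depth that lets the verifier walk the chain up
    to the trust anchor. If the deepest logged certificate is not self-signed,
    the root sits one level above what was logged (the post's depth 0 -> 1)."""
    deepest = max(entries, key=lambda e: e.depth)
    return deepest.depth if is_self_signed(deepest) else deepest.depth + 1


def cn_matches_host(entry: VerificationEntry, host: str) -> bool:
    """Check the leaf certificate's CN against the host being connected to."""
    return entry.subject.get("CN", "").lower() == host.lower()


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("depth needed:", suggested_depth(entries))
    print("trust anchor:", trust_anchor(entries).get("OU"))
```

Feeding only the single depth-0 line from the post gives a suggested depth of 1 and Equifax as the anchor, which is exactly the pair of changes (depth 0 to 1, Equifax root instead of the Tomcat self-signed certificate) that made the connection work.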
Fixed! IBM said to use
    X.USED.AS="2" ;* Used as an issuer certificate
    X.FORMAT="2" ;* DER format
in the code below. (Both of those used to be "1" when I started this.)
I re-read the manual, and I still don't know enough about SSL to have figured that out.
-- Wendy Smoak firstname.lastname@example.org
Ian, yes, there's a reason. This is a simple test but eventually I need to POST over HTTPS to a third party. I can already do it over HTTP, but when I change to HTTPS, it breaks. So I switched to simple test code to see if I could find the problem.
Wendy, is there a reason to do it from Basic? (other than for fun :-) cURL can download https
you could do
    EXECUTE "!curl -k -o ./MYDIR/FNAME https://www.example.com"
    OPEN 'MYDIR' TO MYDIR ELSE STOP 201,'MYDIR'
    READ R FROM MYDIR, 'FNAME' ELSE STOP 'https get did not work'
Does anyone know where the documentation for createSecureRequest() is? It's not in the UniBasic Extensions manual...
Sample UniBasic code:
    * WENDY SMOAK
    EQUATE CRLF TO CHAR(013):CHAR(010)
    X.LOG.FILE = 'XWDS.HTTP.LOG'
    X.LOG.ACTION = 'ON'
    X.LOG.LEVEL = '10'
    X.RTN.CODE = protocolLogging(X.LOG.FILE, X.LOG.ACTION, X.LOG.LEVEL)
    CRT 'protocolLogging: ':X.RTN.CODE
    X.RTN.CODE = createSecurityContext(X.CONTEXT, '')
    CRT 'createSecurityContext: ':X.RTN.CODE
    X.CERT.PATH="wsmoak_tomcat.cer" ;* changed next 2 lines from 1 to 2 per IBM
    X.USED.AS="2" ;* Used as an issuer certificate
    X.FORMAT="2" ;* DER format
    X.ALGORITHM="1" ;* RSA key
    X.RTN.CODE = addCertificate(X.CERT.PATH, X.USED.AS, X.FORMAT, X.ALGORITHM, X.CONTEXT)
    CRT 'addCertificate: ':X.RTN.CODE
    X.DEPTH = 0
    X.SERVER.OR.CLIENT = 2 ;* CLIENT
    X.RTN.CODE = setAuthenticationDepth(X.CONTEXT, X.DEPTH, X.SERVER.OR.CLIENT)
    CRT 'setAuthenticationDepth: ':X.RTN.CODE
    X.RTN.CODE = showSecurityContext(X.CONTEXT,X.CONFIG.INFO)
    CRT 'showSecurityContext: ':X.RTN.CODE
    SWAP @AM WITH CRLF IN X.CONFIG.INFO
    CRT X.CONFIG.INFO
    URL="https://your.server.here/index.html"
    HTTP.METHOD="POST"
    X.RTN.CODE = createSecureRequest(URL,HTTP.METHOD,X.HANDLE,X.CONTEXT)
    CRT 'createSecureRequest: ':X.RTN.CODE
    X.RTN.CODE = submitRequest(X.HANDLE,'','',X.RESPONSE.HEADERS,X.RESPONSE.DATA,X.HTTP.STATUS)
    CRT 'submitRequest: ':X.RTN.CODE
    CRT 'X.RESPONSE.HEADERS = ':X.RESPONSE.HEADERS
    CRT 'X.RESPONSE.DATA = ':X.RESPONSE.DATA
    CRT 'X.HTTP.STATUS = ':X.HTTP.STATUS
    X.LOG.ACTION = 'OFF'
    X.RTN.CODE = protocolLogging(X.LOG.FILE, X.LOG.ACTION, X.LOG.LEVEL)
    CRT 'protocolLogging: ':X.RTN.CODE
The Certificate I'm using was generated and exported with 'keytool', which is a utility that is distributed with Sun's JDK, of which I'm using version 1.4.1_02.
The web server I'm using is Tomcat 4.1.24, and I followed these directions to enable SSL: http://jakarta.apache.org/tomcat/tomcat-4.1-doc/ssl-howto.html
The original .keystore file was generated with:
> keytool -genkey -alias tomcat -keyalg RSA
And then the .cer file was exported with:
> keytool -export -alias tomcat -file wsmoak_tomcat.cer
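The fix that came back from IBM earlier in the thread was X.FORMAT="2" (DER) rather than "1", which fits the keytool command above: `keytool -export` writes binary DER unless it is given `-rfc`, in which case it writes base64 PEM with BEGIN/END markers. The helper below is an added Python example, not code from this thread or from IBM or Sun; it tells you which of the two encodings a .cer file actually contains, converts between them, and confirms the file is one complete DER object (so a truncated or padded export is caught before addCertificate() reports a failure). The sample "certificate" bytes are constructed and are only ASN.1 framing, not a real certificate; the long-form length branch goes beyond the tiny sample to cover the sizes a real certificate has.

```python
import base64
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.DOTALL
)

# Constructed stand-in for a certificate file: a DER SEQUENCE holding two
# INTEGERs. It is not a real certificate, only enough ASN.1 framing to
# exercise the format checks below.
SAMPLE_DER = bytes([0x30, 0x06, 0x02, 0x01, 0x01, 0x02, 0x01, 0x02])


def detect_format(data: bytes) -> str:
    """Return 'PEM' for a base64 text file with BEGIN/END markers, 'DER' for a
    binary file that starts with an ASN.1 SEQUENCE tag, else 'UNKNOWN'."""
    if PEM_RE.search(data):
        return "PEM"
    if data[:1] == b"\x30":
        return "DER"
    return "UNKNOWN"


def to_der(data: bytes) -> bytes:
    """Accept either encoding and return the raw DER bytes."""
    fmt = detect_format(data)
    if fmt == "PEM":
        body = b"".join(PEM_RE.search(data).group(1).split())
        return base64.b64decode(body, validate=True)
    if fmt == "DER":
        return data
    raise ValueError("not a PEM or DER certificate")


def to_pem(der: bytes) -> bytes:
    """Wrap DER bytes in the PEM armour that 'keytool -export -rfc' produces."""
    b64 = base64.encodebytes(der).replace(b"\n", b"")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (
        b"-----BEGIN CERTIFICATE-----\n"
        + b"\n".join(lines)
        + b"\n-----END CERTIFICATE-----\n"
    )


def der_declared_length(der: bytes) -> int:
    """Total byte length the outer SEQUENCE header claims (header + content),
    handling both short-form (< 128) and long-form ASN.1 lengths."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    first = der[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if n == 0 or len(der) < 2 + n:
        raise ValueError("malformed length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_der_complete(der: bytes) -> bool:
    """True when the data holds exactly one complete DER object; a truncated
    or padded file fails here with a clear reason."""
    try:
        return der_declared_length(der) == len(der)
    except ValueError:
        return False


if __name__ == "__main__":
    # Usage on a real export would be: data = open("wsmoak_tomcat.cer", "rb").read()
    data = SAMPLE_DER
    print(detect_format(data), "complete" if check_der_complete(to_der(data)) else "INCOMPLETE")
```

Run it against the exported .cer before loading it: if it reports PEM, the file was produced with `-rfc` and does not match the DER setting; if it reports DER but incomplete, the export was cut short or altered in transfer.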