how to connect to a WEBSERVICE from progress using ssl and certificates??????????????

mimi_mircea

New Member
Hi
I am trying to connect to a webservice with ssl, using a client certificate.
the code is as follows:
DEFINE VARIABLE hWebService AS HANDLE.
CREATE SERVER hWebService.
hWebService:CONNECT("-WSDL 'https://site.com/nr.WebService/file.asmx?WSDL' ") NO-ERROR.
IF NOT hWebService:CONNECTED() THEN
DO:
    DEFINE VARIABLE errmsg AS CHARACTER NO-UNDO INIT "SERVER NOT CONNECTED~n".
    DEFINE VARIABLE i AS INTEGER NO-UNDO.
    DO i = 1 TO ERROR-STATUS:NUM-MESSAGES:
        errmsg = errmsg + ERROR-STATUS:GET-MESSAGE(i) + '~n'.
    END.
    MESSAGE errmsg VIEW-AS ALERT-BOX ERROR.
    STOP.
END.
MESSAGE 'connected' VIEW-AS ALERT-BOX.
/*RUN TemperaturePortType SET hPortType ON SERVER hWebService NO-ERROR.*/
RUN servMethod ON SERVER hWebService () NO-ERROR.
IF ERROR-STATUS:ERROR THEN
    MESSAGE 'Error: ' + ERROR-STATUS:GET-MESSAGE(1) VIEW-AS ALERT-BOX.
ELSE
    MESSAGE 'Result: ' + RETURN-VALUE VIEW-AS ALERT-BOX.
/*MESSAGE "Failed to create hPortType" VIEW-AS ALERT-BOX. */
/**********************/
/*WAIT-FOR CLOSE OF CURRENT-WINDOW.*/
/*DELETE PROCEDURE hPortType.*/
hWebService:DISCONNECT().
DELETE OBJECT hWebService.
ok... the problem isn't with the code... but with some kind of bizarre configuration... because when I try to run this code (in OpenEdge 10.1B) I get the following error message:
Server Not Connected
Secure Socket Layer failure. error code - 54: unable to get local issuer certificate: for 80abdb33.0 in c:\progress\openedge\certs... bla bla
the thing is that I imported my certificate into \certs with certutil - import mycertificate.pem... and I've got a number like 5e8f339e ... and the file is 5e8f339e.0 in \certs
but how to tell progress to compile my program using that certificate and not 80abdb33.0?
I've searched everywhere... please help!!!!!
 

redsuitee

Member
Re: how to connect to a WEBSERVICE from progress using ssl and certificates??????????

I got that error message too..
have you solved the problem?
how can I solve that error?
thanks.
 

RealHeavyDude

Well-Known Member
Re: how to connect to a WEBSERVICE from progress using ssl and certificates??????????

The Progress OpenEdge installation has its own certificate store. In order to validate the server certificate you need to have the pendant root certificate installed in the certificate store of OpenEdge.

The OpenEdge Getting Started: Core Business Services document of the PDF documentation contains everything you need to know.

The SSL client certificate is not supported by OpenEdge. You need to use something like STunnel if the WebService you're calling requires the client to present its certificate.

Heavy Regards, RealHeavyDude.
 

redsuitee

Member
Re: how to connect to a WEBSERVICE from progress using ssl and certificates??????????

can you give me some example using Stunnel in Progress?
thank you in advance
 

RealHeavyDude

Well-Known Member
Re: how to connect to a WEBSERVICE from progress using ssl and certificates??????????

You must set up and configure STunnel, which is just a service to add SSL to an otherwise plain TCP or HTTP connection. Therefore, I can't give you an "example with Progress". I am afraid you need to work through the documentation of STunnel ( www.stunnel.org ) to find out how to set it up and configure it so that it accesses the client certificate ( which for example could reside on a smart card that the user uses to log on to the machine ).

Are you sure that the web service requires the client certificate during the SSL handshake - or is it just that your OpenEdge installation misses the root certificate from the server in its certificate store?

The reason I am asking this is because the SSL client certificate is usually only used when strong authentication is required to access sensitive data in a secure ( paranoid ) environment. Usually plain SSL which just uses the server certificate is used and that is supported in OpenEdge.

Heavy Regards, RealHeavyDude.
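
A client-mode stunnel service of the kind described in the post above, as an added example that is not part of the original post or of the stunnel documentation. The service name, host name, port and file paths are placeholders, and the option names are those of stunnel 5.x.

```ini
; Added example: stunnel in client mode, presenting a client certificate.
; Host name, port and file paths below are placeholders.
[webservice]
client = yes

; The OpenEdge client connects here over plain HTTP. Bind to loopback only,
; so that no other machine can use the tunnel and with it the client
; certificate.
accept = 127.0.0.1:8443
connect = service.example.com:443
sni = service.example.com

; Client certificate and private key presented during the SSL handshake.
cert = C:\stunnel\config\client-cert.pem
key = C:\stunnel\config\client-key.pem

; stunnel does not verify the server unless told to. Validate the server's
; chain against the issuing CA and require the certificate to cover the
; expected host name, so the tunnel does not weaken server authentication.
CAfile = C:\stunnel\config\service-ca.pem
verifyChain = yes
checkHost = service.example.com
```

The application then connects to the local `accept` address instead of the HTTPS URL; the service address inside the WSDL has to point at the tunnel as well, otherwise the calls themselves bypass it.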
 

redsuitee

Member
Re: how to connect to a WEBSERVICE from progress using ssl and certificates??????????

Actually I can connect to another WSDL besides the troubled one.
The WebService has already given me the username and password; does it help to pass the SSL?
 

RealHeavyDude

Well-Known Member
Re: how to connect to a WEBSERVICE from progress using ssl and certificates??????????

I'll take it that you are not familiar with the concept of SSL ( secure socket layer ) and PKI ( public key infrastructure ). User name and password won't help here.

What's the exact error message you get?

During the standard SSL handshake the server uses his certificate that contains the private key to encrypt a string which needs to be decrypted by the client. For that the client needs the root certificate which contains the public key that enables the client to decrypt the string. Both certificates, the server certificate and the root certificate must match and must be signed by a certificate authority ( like Verisign or Thawte ). That way it is ensured that the server is the one he pretends to be and the client is connected to the server he expects to be connected to.

So far, so good. But for that to work the client needs to have the root certificate in his certificate store otherwise the SSL handshake will fail. How to get the root certificate depends on the web service provider. For some it's publicly available or you can download it from their server, others send it to you via email on request ...

I strongly suggest you read the documentation which I recommended to you in an earlier post so that you understand what you need to do.

Heavy Regards, RealHeavyDude.
 

redsuitee

Member
Re: how to connect to a WEBSERVICE from progress using ssl and certificates??????????

I began to understand about it..
I've tried downloading the certificate from IE and FF, then I registered/put those certificates via proenv.
Is the file I downloaded the server certificate or the root certificate?
Because I found another error ->
SSL failure. error code - 55: CONNECT HostName: (staging.siteminder.com.au) doesn't macth Certificate: (*.siteminder.com.au) (9318)

Do you have any other solutions to help me?
Thanks
 

RealHeavyDude

Well-Known Member
Re: how to connect to a WEBSERVICE from progress using ssl and certificates??????????

Please do not post the same question in different threads ...

RealHeavyDude.
 

redsuitee

Member
Re: how to connect to a WEBSERVICE from progress using ssl and certificates??????????

I'm sorry.. but thank you for your reply..
 

redsuitee

Member
Re: how to connect to a WEBSERVICE from progress using ssl and certificates??????????

I have also used the other way provided by Firefox and received the certificate in a different format (I have tried both PEM and DER formats), then converted it using the progress proenv>certutil and mkhashfile utilities to generate the necessary certificate *.0 file stored in the progress certificate store.
Surprisingly the SSL handshake with that WSDL still fails. This time Progress error message #9318 occurred, something telling me that it does not match certificate *.siteminder.com.au
I have then communicated with the siteminder development team, and this is the answer we got:
The error message is definitely something that progress software needs to help you out with.
There will be a switch that will allow the name of the certificate in question to be different from the exact url. A certificate with *.siteminder.com.au is definitely valid and very useful for testing purposes.
If strict SSL check is switched on in Progress I can see how that problem would occur and the solution is to relax the security checks for testing urls.

Have you an idea how to relax the security checks as mentioned above, if there is? For your info, I have tried the nohostverify option in the CONNECT statement too; what happened is the program was waiting pretty long for something then stopped with error message 11748.
Many thanks in advance for your further help and advice.
 

RealHeavyDude

Well-Known Member
Re: how to connect to a WEBSERVICE from progress using ssl and certificates??????????

The host name you use in the connect method must match the host name for which the SSL server certificate was issued - that's the whole idea of having a server certificate proving the server's identity to the client ...

Anyway, I have seen it very often and it is bad practice, IMHO of course, that the server certificate was issued to the machine's physical name whereas the WSDL contained a host name which can be resolved by public DNS servers on the internet.

There is a -nohostverify option you can use, but, again IMHO, it compromises the concept of SSL and, IMHO, it is also bad practice to have a different setup in testing and productive environments ...

HTH, RealHeavyDude.
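
The host-name check discussed above, as an added example that is not part of the original posts: it compares wildcard matching in the style of RFC 6125 with a literal string comparison for the names quoted in error 9318. The thread does not say how OpenEdge 10.1B compares names; `matches_exact` is an assumption shown only for contrast, and all function names are hypothetical.

```python
# Added example (not from the thread): certificate-name matching.

def _labels(name):
    # DNS names are case-insensitive; trailing dots (the root) are ignored.
    return name.rstrip(".").lower().split(".")


def matches_rfc6125(hostname, pattern):
    """True if certificate name `pattern` covers `hostname`.

    The wildcard must be the entire left-most label and stands for exactly
    one label. Requiring two labels after it is a common extra safeguard.
    """
    host, pat = _labels(hostname), _labels(pattern)
    if "" in host or "" in pat or "*" in hostname:
        return False
    if any("*" in label for label in pat[1:]):
        return False          # wildcard anywhere but the left-most label
    if pat[0] == "*":
        return len(pat) >= 3 and len(host) == len(pat) and host[1:] == pat[1:]
    if "*" in pat[0]:
        return False          # partial wildcard such as "st*" is not accepted
    return host == pat


def matches_exact(hostname, pattern):
    """Literal comparison, as done by a verifier with no wildcard support."""
    return _labels(hostname) == _labels(pattern)


def verify_host(hostname, cert_names, matcher=matches_rfc6125):
    """A certificate is acceptable if any one of its names covers the host."""
    return any(matcher(hostname, name) for name in cert_names)


if __name__ == "__main__":
    cert_names = ["*.siteminder.com.au"]     # name quoted in error 9318 above
    for host in ("staging.siteminder.com.au",      # the host from the thread
                 "a.staging.siteminder.com.au",    # constructed: two labels deep
                 "siteminder.com.au"):             # constructed: bare domain
        print(host, verify_host(host, cert_names),
              verify_host(host, cert_names, matches_exact))
```

Under wildcard rules the staging host is covered by the certificate, while a literal comparison rejects it, so a mismatch like the one reported points at the client's matching rules rather than at the certificate.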
 

redsuitee

Member
Re: how to connect to a WEBSERVICE from progress using ssl and certificates??????????

I have succeeded in connecting to my partner's WebService, even though they also made some modifications on their side.
Thanks for your assistance RealHeavyDude, I really appreciate it..