Setting Up a Client to Consume a Web Service Over an SSL (HTTPS) Connection

There are some additional steps that need to be performed when setting up a client application to consume a Web service over a secure (https) connection.

As with any secure connection, you need to ensure that the CA certificate from the HTTPS server is in the *SYSTEM certificate store on the System i. By default, many of the commonly used CA certificates are shipped with Digital Certificate Manager (DCM). You can view the CA certificates that are in the *SYSTEM store using DCM. If the CA certificate for the server that you wish to connect to is not in the *SYSTEM store, you need to obtain a copy of it from the server administrator (or extract it using browser tools while connected to the secure site), and then import it into the certificate store. You should refer to Rochester Support Center knowledgebase document 548824369, How to Import a CA Certificate into Digital Certificate Manager: for more details on how to import a CA certificate.

Once you have imported the CA certificate, you need to edit the axiscpp.conf file, which is in the following path:
/qibm/ProdData/OS/WebServices/V1/client/etc/axiscpp.conf

You can edit this file directly; however, it is strongly recommended that you place a copy of the /etc directory from the above path into another path on the System i. If you make a copy, you need to set the environment variable AXISCPP_DEPLOY to point to the path containing the new /etc directory. For example, if you copied the /etc directory from the above location to /tmp, you would set the AXISCPP_DEPLOY envvar to /tmp. You can use either *SYS or *JOB for the environment variable; however, *SYS will cause the configuration file to be read for any job consuming a Web service. If you edit the axiscpp.conf file in the original directory, be aware that this file can be replaced when PTFs are loaded.

Here is a sample of how you would code the axiscpp.conf file:

************Beginning of data**************
# The comment character is '#'
# Available directives are as follows
#
# ClientWSDDFilePath: The path to the client WSDD
# SecureInfo: The GSKit security information
#

Channel_HTTP_SSL:/QIBM/ProdData/OS/WebServices/V1/client/lib/libhttp_channelssl.so
SecureInfo:/qibm/UserData/ICSS/Cert/Server/DEFAULT.KDB,default,GTE CyberTrust Global Root,07,05,35,false

************End of Data********************

Note that the first parameter (parameters separated by commas) in the SecureInfo statement is the path to the *SYSTEM certificate store in DCM, and the third parameter is the name of the CA certificate that you imported into DCM.






System i Support

IBM disclaims all warranties, whether express or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. By furnishing this document, IBM grants no licenses to any related patents or copyrights. Copyright © 1996,1997,1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013 IBM Corporation. Any trademarks and product or brand names referenced in this document are the property of their respective owners. Consult the Terms of use link for trademark information.