Common Name USER Digital certificate

Jose Manuel
Profound User
Posts: 39
Joined: Mon Aug 21, 2017 11:48 am
First Name: Jose
Last Name: hernandez Guerra
Company Name: CM de gestion y servicios S.L.
Phone: 638489712
Address 1: CL Jose Luis de Cassos 50
City: Sevilla
State / Province: Outside Canada/USA
Zip / Postal Code: 41005
Country: Spain
Contact:

Common Name USER Digital certificate

Post by Jose Manuel »

Hello everyone, does anyone by chance know how to recover the value of the common name (CN) or other property of a USER certificate generated by DCM and used to log in to the system?
Be it a PUI API, or JavaScript, ILE RPG, free RPG, ... jQuery ...
No Java please (I do not want to go back to the psychiatrist).
Thanks to all.
Scott Klement
Experienced User
Posts: 2711
Joined: Wed Aug 01, 2012 8:58 am
First Name: Scott
Last Name: Klement
Company Name: Profound Logic
City: Milwaukee
State / Province: Wisconsin

Re: Common Name USER Digital certificate

Post by Scott Klement »

To be honest, I've never done anything like this before. I've also never heard of a customer configuring Profound UI to do automatic sign-on using X.509 certificates (aka "SSL certificates"). So I have no way to try this, test it, etc.

From some quick searches in the IBM Knowledge Center, it appears that it'd be possible to get the info you're looking for?

First of all, I would check the REMOTE_USER environment variable. Apache normally sets this automatically, and I would've expected it to be set according to the certificate. So, it's possible that you can just retrieve this and there's no need to actually parse the certificate to get it.

If that doesn't work, you should be able to get the entire certificate (in Base64 encoded DER format) from the HTTPS_CLIENT_CERT environment variable. You should be able to decode that certificate and parse it with the QSYPARSC API:
https://www.ibm.com/support/knowledgece ... YPARSC.htm

Just to make sure you understand: Profound UI does not contain any TLS/SSL/X.509 code in it. We rely on the IBM HTTP Server (powered by Apache) to handle all of the TLS, SSL, EIM, Kerberos, LDAP, etc. needs. So it's all IBM code, not ours, that makes this stuff work. We're just a program that runs on their server.

Having said that, I hope that the variables and APIs that I found above are helpful.

Re: Common Name USER Digital certificate

Post by Jose Manuel »

Hi Scott, your approach has led us to solve what we wanted, but we would like to make some clarifications with the greatest respect.
It is true that Apache establishes its own environment variables independently of those established by IBM i.
In our case it is not REMOTE_USER but HTTP_CLIENT_CERT_COMMON_NAME.
The reason is that we wanted to contrast the user's basic logon with a user certificate that really was for him.
IBM provides an API to retrieve these variables, so you can create your own CGI to retrieve the variables set by Apache.
It would be very interesting if PU (profoundui) could have something like var value = getEnvVarValue ("name").
Because of our case, it works

Thank you very much Scott

PS: see ENVVAR CGI of (CGIDEV2) or EXAMPLE24 of LIBHTTP (HTTPAPI)

Re: Common Name USER Digital certificate

Post by Scott Klement »

As I said, I've never done this before, so if HTTP_CLIENT_CERT_COMMON_NAME works better for you, then great! Glad you figured it out.

I don't understand what you're asking for Profound UI to do? These environment variables are already available in your server-side applications with the getenv() API or a similar tool. You can pass them to Rich Displays the same way you pass any other data to the display. What would you like Profound UI to do that it does not already do?
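
The check described in this thread (comparing the certificate's common name with the basic-logon user, both read with getenv()), as an added example that is not code from either poster or from Profound UI. It assumes the certificate CN holds the IBM i user profile name and that REMOTE_USER holds the basic-logon user; the function names are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* IBM i user profile names are at most 10 characters and not case-sensitive. */
#define MAX_USER_LEN 10

/* Returns 1 only when both values are present, non-empty, within the
 * profile-name length, and equal ignoring case. Anything else fails closed. */
int cert_matches_user(const char *cert_cn, const char *logon_user)
{
    size_t i, len;

    if (cert_cn == NULL || logon_user == NULL)
        return 0;
    len = strlen(logon_user);
    if (len == 0 || len > MAX_USER_LEN || strlen(cert_cn) != len)
        return 0;
    for (i = 0; i < len; i++) {
        if (toupper((unsigned char)cert_cn[i]) !=
            toupper((unsigned char)logon_user[i]))
            return 0;
    }
    return 1;
}

/* Reads the two variables named in the thread and compares them.
 * Assumption: the CN is the user profile name (a site convention). */
int request_cert_matches_logon(void)
{
    /* Names beginning HTTP_ are also how CGI passes request headers
     * (RFC 3875), so confirm on your server that the TLS layer sets this. */
    const char *cn   = getenv("HTTP_CLIENT_CERT_COMMON_NAME");
    const char *user = getenv("REMOTE_USER");
    return cert_matches_user(cn, user);
}

int main(void)
{
    if (!request_cert_matches_logon()) {
        printf("Status: 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n");
        printf("Certificate does not match the signed-on user.\n");
        return 0;
    }
    printf("Content-Type: text/plain\r\n\r\nCertificate matches.\n");
    return 0;
}
```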

Re: Common Name USER Digital certificate

Post by Jose Manuel »

Hello Scott, you are right, the getenv API also solves what we wanted.

Thank you