Hello everyone, by a casual someone knows how to recover the value of the common name (CN) or other property of a USER certificate generated by DCM and used to log in the system ???
be it a PUI api, or javascript, ilerpg, free rpg, ... jquery ...
No java please (I do not want to go back to the psychiatrist).
Thanks to all
Common Name USER Digital certificate
-
- Profound User
- Posts: 39
- Joined: Mon Aug 21, 2017 11:48 am
- First Name: Jose
- Last Name: hernandez Guerra
- Company Name: CM de gestion y servicios S.L.
- Phone: 638489712
- Address 1: CL Jose Luis de Cassos 50
- City: Sevilla
- State / Province: Outside Canada/USA
- Zip / Postal Code: 41005
- Country: Spain
- Contact:
-
- Experienced User
- Posts: 2711
- Joined: Wed Aug 01, 2012 8:58 am
- First Name: Scott
- Last Name: Klement
- Company Name: Profound Logic
- City: Milwaukee
- State / Province: Wisconsin
Re: Common Name USER Digital certificate
To be honest, I've never done anything like this before. I've also never heard of a customer configuring Profound UI to do automatic sign-on using x.509 certificates. (aka "SSL certificates") So I have no way to try this, test it, etc.
From some quick searches in the IBM Knowledge Center, it appears that it'd be possible to get the info you're looking for?
First of all, I would check the REMOTE_USER environment variable. Apache normally sets this automatically, and I would've expected it to be set according to the certificate. So, its possible that you can just retrieve this and there's no need to actually parse the certificate to get it.
If that doesn't work, you should be able to get the entire certificate (in Base64 encoded DER format) from the HTTPS_CLIENT_CERT environment variable. You should be able to decode that certificate and parse it with the QSYPARSC API
https://www.ibm.com/support/knowledgece ... YPARSC.htm
Just to make sure you understand: Profound UI does not contain any TLS/SSL/X.509 code in it. We rely on the IBM HTTP Server (powered by Apache) to handle all of the TLS, SSL, EIM, Kerberos, LDAP, etc needs. So it's all IBM code, not ours, that makes this stuff work. We’re just a program that runs on their server.
Having said that, I hope that the variables and APIs that I found above are helpful.
From some quick searches in the IBM Knowledge Center, it appears that it'd be possible to get the info you're looking for?
First of all, I would check the REMOTE_USER environment variable. Apache normally sets this automatically, and I would've expected it to be set according to the certificate. So, its possible that you can just retrieve this and there's no need to actually parse the certificate to get it.
If that doesn't work, you should be able to get the entire certificate (in Base64 encoded DER format) from the HTTPS_CLIENT_CERT environment variable. You should be able to decode that certificate and parse it with the QSYPARSC API
https://www.ibm.com/support/knowledgece ... YPARSC.htm
Just to make sure you understand: Profound UI does not contain any TLS/SSL/X.509 code in it. We rely on the IBM HTTP Server (powered by Apache) to handle all of the TLS, SSL, EIM, Kerberos, LDAP, etc needs. So it's all IBM code, not ours, that makes this stuff work. We’re just a program that runs on their server.
Having said that, I hope that the variables and APIs that I found above are helpful.
-
- Profound User
- Posts: 39
- Joined: Mon Aug 21, 2017 11:48 am
- First Name: Jose
- Last Name: hernandez Guerra
- Company Name: CM de gestion y servicios S.L.
- Phone: 638489712
- Address 1: CL Jose Luis de Cassos 50
- City: Sevilla
- State / Province: Outside Canada/USA
- Zip / Postal Code: 41005
- Country: Spain
- Contact:
Re: Common Name USER Digital certificate
Hi, Scott, your approach has led us to solve what we wanted
but we would like to make some clarifications with the greatest respect.
It is true that Apache establishes its own environment variables independently of those established by IBM i.
In our case it is not REMOTE_USER but HTTP_CLIENT_CERT_COMMON_NAME.
The reason is that we wanted to contrast the user basic logon with a user certificate that really was for him.
IBM API provides to retrieve these variables
so you can create your own CGI to retrieve the variables set by APACHE.
It would be very interesting if PU (profoundui) could have something like var value = getEnvVarValue ("name")
Because of our case, it works
Thank you very much Scott
PS: see ENVVAR CGI of (CGIDEV2) or EXAMPLE24 of LIBHTTP (HTTPAPI)
but we would like to make some clarifications with the greatest respect.
It is true that Apache establishes its own environment variables independently of those established by IBM i.
In our case it is not REMOTE_USER but HTTP_CLIENT_CERT_COMMON_NAME.
The reason is that we wanted to contrast the user basic logon with a user certificate that really was for him.
IBM API provides to retrieve these variables
so you can create your own CGI to retrieve the variables set by APACHE.
It would be very interesting if PU (profoundui) could have something like var value = getEnvVarValue ("name")
Because of our case, it works
Thank you very much Scott
PS: see ENVVAR CGI of (CGIDEV2) or EXAMPLE24 of LIBHTTP (HTTPAPI)
-
- Experienced User
- Posts: 2711
- Joined: Wed Aug 01, 2012 8:58 am
- First Name: Scott
- Last Name: Klement
- Company Name: Profound Logic
- City: Milwaukee
- State / Province: Wisconsin
Re: Common Name USER Digital certificate
As I said, I've never done this before, so if HTTP_CLIENT_CERT_COMMON_NAME works better for you, then great! Glad you figured it out.
I don't understand what you're asking for Profound UI to do? These environment variables are already available in your server-side applications with the getenv() API or a similar tool. You can pass them to Rich Displays the same way you pass any other data to the display. What would you like Profound UI to do that it does not already do?
I don't understand what you're asking for Profound UI to do? These environment variables are already available in your server-side applications with the getenv() API or a similar tool. You can pass them to Rich Displays the same way you pass any other data to the display. What would you like Profound UI to do that it does not already do?
-
- Profound User
- Posts: 39
- Joined: Mon Aug 21, 2017 11:48 am
- First Name: Jose
- Last Name: hernandez Guerra
- Company Name: CM de gestion y servicios S.L.
- Phone: 638489712
- Address 1: CL Jose Luis de Cassos 50
- City: Sevilla
- State / Province: Outside Canada/USA
- Zip / Postal Code: 41005
- Country: Spain
- Contact:
Re: Common Name USER Digital certificate
Hello Scott, you are right getenv Api also solves what we wanted
Thank you
Thank you
Who is online
Users browsing this forum: No registered users and 3 guests