Configuration steps to access a server over HTTPS:
- Create the Certificate Signing Request and private key:
$ openssl req -new -out MyClient.csr
Note: by default, openssl outputs the private key in the privkey.pem file.
- Remove the password from the RSA private key:
$ openssl rsa -in privkey.pem -out MyClient.pem
Note: the key is also renamed to MyClient.pem. Because MyClient.pem is no longer password-protected, restrict read access to the file.
- Create the self-signed X.509 certificate valid for a period of 1 year:
$ openssl x509 -in MyClient.csr -out MyClient.crt -req -signkey MyClient.pem -days 365
Notes:
- Most servers do not check the identity of the clients. For these servers, the client's certificate does not necessarily need to be trusted; it is only used for data encryption purposes. If, however, the server performs client identification, you must trust a Certificate Authority in which it has total confidence concerning the validity of the client's certificates.
- Retrieve the certificate of the HTTPS server:
Type the server's URL in your Internet browser. When prompted, save the
certificate to disk.
- Create the client's Certificate Authority List from the certificate that
you saved to disk in the previous step:
$ openssl x509 -in ServerCertificate.crt -text >> ClientCAList.pem
The client security entry defines the certificate and the associated private key used by the Genero Web Services client during HTTPS communication. The security entry must be defined with a unique identifier (id1 for example).
security.id1.certificate = "MyClient.crt"
security.id1.privatekey = "MyClient.pem"
The global certificate authority list entry defines the file containing the certificate authority list used by the Genero Web Services client to validate all certificates coming from the different servers.
security.global.ca = "ClientCAList.pem"
The Genero Web Services client needs a set of configuration entries that specify how to communicate with the server. The following entries must be defined with a unique identifier (such as myserver):
ws.myserver.url = "https://www.MyServer.com/cgi-bin/fglccgi.exe/ws/r/MyWebService"
ws.myserver.security = "id1"
Notes:
- The unique identifier myserver can be used in the 4GL client code
in place of the actual URL.
- The security entry value must match the unique identifier defined by the
client security entry created in Step 3.
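The cross-references between these entries are easy to break with a typo, so the following added example (not part of the original page or of Genero) checks that every ws.<id>.security value points at a security entry with both a certificate and a private key, that the URL is https, and that security.global.ca is set. It assumes entries are written as name = "value" with # starting a comment line; the function names and the second server in the sample are hypothetical.

```python
import re

# Matches one entry such as: security.id1.certificate = "MyClient.crt"
ENTRY = re.compile(r'^\s*([A-Za-z0-9_.]+)\s*=\s*"([^"]*)"\s*$')

def parse_profile(text):
    """Return {key: value} for every name = "value" line (assumed syntax)."""
    entries = {}
    for line in text.splitlines():
        if line.strip().startswith("#"):   # assumption: '#' starts a comment
            continue
        m = ENTRY.match(line)
        if m:
            entries[m.group(1)] = m.group(2)
    return entries

def lint_profile(text):
    """Return a list of problems found in the HTTPS client entries."""
    cfg, problems = parse_profile(text), []
    if not cfg.get("security.global.ca"):
        problems.append("security.global.ca is not set")
    servers = {k.split(".")[1] for k in cfg
               if re.fullmatch(r"ws\.[^.]+\.(url|security)", k)}
    for name in sorted(servers):
        url = cfg.get(f"ws.{name}.url", "")
        sec = cfg.get(f"ws.{name}.security")
        if not url.lower().startswith("https://"):
            problems.append(f"ws.{name}.url is not an https:// URL")
        if sec is None:
            problems.append(f"ws.{name}.security is missing")
            continue
        for part in ("certificate", "privatekey"):
            if not cfg.get(f"security.{sec}.{part}"):
                problems.append(f'ws.{name}.security = "{sec}" but '
                                f"security.{sec}.{part} is not defined")
    return problems

# Constructed sample: the page's entries plus a hypothetical second server
# whose security id is undefined and whose URL is plain HTTP.
SAMPLE = '''
security.id1.certificate = "MyClient.crt"
security.id1.privatekey  = "MyClient.pem"
security.global.ca       = "ClientCAList.pem"
ws.myserver.url      = "https://www.MyServer.com/cgi-bin/fglccgi.exe/ws/r/MyWebService"
ws.myserver.security = "id1"
ws.other.url      = "http://www.example.com/ws/r/Other"
ws.other.security = "id2"
'''

if __name__ == "__main__":
    for problem in lint_profile(SAMPLE):
        print("PROBLEM:", problem)
```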