How do you add client certs to XPRIM_HttpRequest

PatrickF

I am working on a V15 EPC150050 VL web app deployed to a Windows 2019 Server. The web page makes an HTTP request to an OData format API which requires Basic Authentication AND 2 way SSL verification via client certificates. In two-way SSL, both client and server validate the identity of each other. Usually, two-way SSL is used in server-to-server communication.
However, the response from the API indicates that it didn't receive any client certificates. Testing from a Chrome browser and Postman gave a good response, telling me that the cert chain is configured correctly in Trusted Root in Certificate Manager.
We moved on to troubleshooting with Wireshark and looking for evidence of the handshake steps. Wireshark doesn't have any entries after HelloServerDone, which is the step where the client application shares its certificates, and awaits the client to respond with its trusted client cert.
[Attached image: Client Cert Handshake Steps.png]
There are .NET Core examples (https://stackoverflow.com/questions/400 ... ttpclient), reproduced below:

```csharp
using System.Net.Http;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

// Supply the client certificate explicitly instead of letting the handler choose one.
var handler = new HttpClientHandler();
handler.ClientCertificateOptions = ClientCertificateOption.Manual;
handler.SslProtocols = SslProtocols.Tls12;
// The certificate needs its private key available to be usable for client authentication.
handler.ClientCertificates.Add(new X509Certificate2("cert.crt"));
var client = new HttpClient(handler);
// Blocks until the response arrives.
var result = client.GetAsync("https://apitest.startssl.com").GetAwaiter().GetResult();
```

The LANSA Base RP XPRIM_HTTPRequest and X_PRIMHTTPRequestOptions have support for BearerAuthentication, Basic Authentication and SetMiscProperty name/value pairs, but nothing supporting adding a certificate path for the Client Cert to be sent back.

My questions are:
1) Has anyone had a similar issue and what was the workaround? Using the LANSA/Integrator HTTP Service isn't preferred because all development done so far has been using VL.
2) Is there a way of defaulting the client cert at IIS level if VL has no methods to add an X509 certificate to a two-way SSL certificate exchange? See ClientCertificateOption in the .NET documentation https://learn.microsoft.com/en-us/dotne ... ew=net-7.0
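
Added example, not part of the original post and not LANSA code: a diagnostic for the Wireshark step described above, assuming a TLS 1.2 initial handshake (plaintext until ChangeCipherSpec) whose record bytes have been exported per direction. It reports whether the server sent CertificateRequest and whether the client answered with no Certificate message, an empty list, or a certificate plus CertificateVerify; all function names and sample bytes are constructed for illustration.

```python
import struct

HANDSHAKE, CERTIFICATE, CERT_REQUEST, CERT_VERIFY = 22, 11, 13, 15

def handshake_messages(stream: bytes):
    """Return [(msg_type, body)] from the plaintext TLS 1.2 handshake records of one direction."""
    buf, pos = b"", 0
    while pos + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, pos)
        if ctype != HANDSHAKE:  # ChangeCipherSpec: later records are encrypted
            break
        buf += stream[pos + 5:pos + 5 + length]
        pos += 5 + length
    msgs, i = [], 0
    while i + 4 <= len(buf):  # handshake header: 1-byte type, 3-byte length
        mlen = int.from_bytes(buf[i + 1:i + 4], "big")
        msgs.append((buf[i], buf[i + 4:i + 4 + mlen]))
        i += 4 + mlen
    return msgs

def cert_count(body: bytes) -> int:
    """Count entries in a Certificate body: 3-byte list length, then 3-byte-length-prefixed DER."""
    end, i, n = 3 + int.from_bytes(body[:3], "big"), 3, 0
    while i + 3 <= end:
        i += 3 + int.from_bytes(body[i:i + 3], "big")
        n += 1
    return n

def diagnose(server_bytes: bytes, client_bytes: bytes) -> str:
    server = dict(handshake_messages(server_bytes))
    client = dict(handshake_messages(client_bytes))
    if CERT_REQUEST not in server:
        return "server never requested a client certificate"
    if CERTIFICATE not in client:
        return "client sent no Certificate message"
    n = cert_count(client[CERTIFICATE])
    if n == 0:  # TLS 1.2 clients with no suitable cert send an empty list
        return "client answered with an empty certificate list"
    if CERT_VERIFY not in client:
        return f"client sent {n} certificate(s) but no CertificateVerify"
    return f"client sent {n} certificate(s) and proved key possession"

# Constructed sample bytes (not taken from the poster's capture).
def hs(mtype, body): return bytes([mtype]) + len(body).to_bytes(3, "big") + body
def rec(ctype, payload): return struct.pack("!BHH", ctype, 0x0303, len(payload)) + payload

SERVER = rec(22, hs(CERT_REQUEST, b"\x01\x01\x00\x02\x04\x01\x00\x00") + hs(14, b""))
CLIENT_EMPTY = rec(22, hs(CERTIFICATE, b"\x00\x00\x00") + hs(16, b"\x00" * 4)) + rec(20, b"\x01")

if __name__ == "__main__":
    print(diagnose(SERVER, CLIENT_EMPTY))
```

An empty certificate list means the client received the request but had no usable certificate and private key to offer, which separates a client-side configuration gap from a server that never asked.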