Pat Farrell wrote:
Gregg's question was: "you need to know what the server's authentication requirements are"
which is not addressed by your quoted section. Authentication is in addition to the transport security, which is all that HTTPS, or HTTP+TLS provides.
You have to go back to your vendor and ask them. While you are talking to them, ask for a sample code fragment that you can use for testing. And ask for the specific port that they expect you to use. And ask them if they have a non-TLS testing version.
This all may be as simple as telling the Apache HttpClient to talk to "https://www.somevendor.com:1234"
But you need to get more information.
This is all they have given. Again I am a newbie at security; any help is greatly appreciated.
1. Extract your private key and public key.
2. Extract the CA public key.
3. Install these three items per your software.
4. Do NOT install the public keys of all of the other secure nodes/apps
5. Do NOT install the public keys of all of the other secure nodes/apps
6. Do NOT install the public keys of all of the other secure nodes/apps
7. When you make a TLS connection with someone, they will offer their certificate that is signed by the CA. You need to determine if it is signed properly using the public key I have given you.
* If yes, continue with the connection.
* If no, hit the eject button.
Pat Farrell wrote:
You didn't answer @gregg's question. And you are still mixing up terms.
If you use https, then you are using SSL. It's mostly the same as TLS, but it's not meaningful to talk about "https over TLS" as HTTPS is essentially TLS.
Using HTTPS is not usually enough for authentication. Usually the server site expects that you use HTTPS and do a login with some sort of userid and password, or using client-side certs.
I agree that you are right in separating the SOAP stuff from the SSL stuff. It's nearly impossible to debug a connection once it's using SSL. So nice vendors offer an unencrypted connection for testing.
greg stark wrote:
Rodrigo Soto wrote: And what are the certificates for? I thought the whole purpose was to authenticate a user with valid certificates to have sensible information within the system. Am I wrong?
The whole purpose is to make secure connections, but the devil is in the details. Most SSL sites use certificates only to authenticate the server to the client, and use usernames and passwords to authenticate the client to the server. Since you are writing the client side, you need to know what the server's authentication requirements are. Does your server require client certificates in SSL?
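The vendor's seven steps earlier in the thread (install your own key and certificate, install only the CA's certificate, reject any peer whose certificate is not signed by that CA) and Greg's point just above (the server authenticates itself with its certificate; whether the client must also present one is a question for the vendor) map onto two objects in Java's standard TLS API: a TrustManager that holds only the vendor CA, and a KeyManager that holds your private key and certificate. The following is an added example, not code from the thread or from any vendor; it uses plain JSSE rather than Apache HttpClient so it needs no extra library. The file names, the host and port (`www.somevendor.com:1234`, taken from Pat's hypothetical), the PKCS#8 PEM key format and the RSA key type are all assumptions; the real values come from the vendor.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManagerFactory;

public class VendorTlsClient {

    // Assumed file names; the vendor's real artefacts will be named differently.
    static final String CLIENT_CERT_PEM = "client-cert.pem"; // step 1: your certificate (public key)
    static final String CLIENT_KEY_PEM  = "client-key.pem";  // step 1: your private key, PKCS#8 PEM (assumed)
    static final String VENDOR_CA_PEM   = "vendor-ca.pem";   // step 2: the CA certificate (public key)
    static final char[] STORE_PW = "in-memory-only".toCharArray(); // in-memory store, never written to disk

    /** Steps 2 and 4-7: trust ONLY the vendor CA, not the JVM's default bundle and not other nodes. */
    static TrustManagerFactory vendorOnlyTrust() throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate ca;
        try (InputStream in = new FileInputStream(VENDOR_CA_PEM)) {
            ca = (X509Certificate) cf.generateCertificate(in);
        }
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        trust.load(null, null);                       // start empty: no default trust anchors
        trust.setCertificateEntry("vendor-ca", ca);   // the one and only trust anchor
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);                              // PKIX validation = step 7's signature check
        return tmf;
    }

    /** Steps 1 and 3: your identity, presented only if the server requests client authentication. */
    static KeyManagerFactory clientIdentity() throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate cert;
        try (InputStream in = new FileInputStream(CLIENT_CERT_PEM)) {
            cert = cf.generateCertificate(in);
        }
        // Strip the PEM armour and decode the DER body of the PKCS#8 key.
        String body = new String(Files.readAllBytes(Paths.get(CLIENT_KEY_PEM)), StandardCharsets.US_ASCII)
                .replace("-----BEGIN PRIVATE KEY-----", "")
                .replace("-----END PRIVATE KEY-----", "")
                .replaceAll("\\s", "");
        PrivateKey key = KeyFactory.getInstance("RSA") // assumption: RSA key; use "EC" for an EC key
                .generatePrivate(new PKCS8EncodedKeySpec(Base64.getDecoder().decode(body)));
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);
        ks.setKeyEntry("client", key, STORE_PW, new Certificate[] { cert });
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, STORE_PW);
        return kmf;
    }

    static SSLContext buildContext() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(clientIdentity().getKeyManagers(), vendorOnlyTrust().getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical endpoint: host, port and path must come from the vendor.
        URL url = new URL("https://www.somevendor.com:1234/service");
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(buildContext().getSocketFactory());
        // Hostname verification stays at its default; do not install a permissive HostnameVerifier.
        try {
            int status = conn.getResponseCode();      // the TLS handshake happens here
            Certificate[] chain = conn.getServerCertificates();
            X509Certificate leaf = (X509Certificate) chain[0];
            System.out.println("HTTP " + status + " from " + leaf.getSubjectX500Principal());
        } catch (SSLHandshakeException e) {
            // Step 7, "if no": chain not signed by the vendor CA, hostname mismatch,
            // or the server rejected your client certificate. This is the eject button.
            System.err.println("Ejecting: " + e.getMessage());
        }
    }
}
```

If the server does require client certificates (Greg's question), the KeyManager above answers the server's CertificateRequest automatically; if it does not, the KeyManager is simply never consulted and you will still need whatever userid/password login the vendor layers on top, exactly as Pat describes. A handshake failure is the expected outcome for a wrong port, a misconfigured vendor CA, or a testing host whose certificate is signed by someone else, so an unencrypted test endpoint from the vendor is the easiest way to rule out SOAP problems before turning TLS on.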