Kbase P72145: How to deploy one's own root certificate for HTTPS using Web
Author | Progress Software Corporation - Progress
Access | Public
Published | 3/15/2004
Status: Unverified
GOAL:
How to deploy one's own root certificate for HTTPS using WebClient IntelliStream
GOAL:
How to deploy SSL certificate files including the corresponding hash files to the WebClient\certs directory using IntelliStream
FIX:
In order to use the HTTPS protocol with a WebClient application, it is
necessary to have a digital certificate signed by a certificate authority (CA).
The Progress "Client-Side Security" and WebClient products automatically
install root certificates for certificate authorities such as RSA, Verisign or Thawte.
Using one's own CA root certificate requires additional deployment steps
to ensure that the 4GL client or WebClient can establish a trust relationship
with the server's certificate. WebClient keeps the CA root certificate
hash file in the <install-dir>\certs directory on the client machine.
Using IntelliStream, it is possible to deploy one's own CA root certificate
automatically during the application install or upgrade.
The required steps for a new application install are:
1) In the application root directory, create a subdirectory that will contain
the CA root certificate hash file and name it, for example, "mycerts".
2) Copy the CA root certificate hash file into that directory.
3) Start the Progress WebClient Application Assembler and open the
application's project file.
4) In the 'Components' tab, add a new component named e.g. "certscab"
and define it as an 'At Startup' component.
5) In the 'Options' tab, check 'IntelliStream 4GL Install Procedure'.
6) Fill in the required fields; 'Install Startup Params' should at
least contain "-p appinstall.p", where appinstall.p is the name of the
procedure to be run at application installation. This procedure also needs
to be packaged in one of the "At Startup" components.
7) The code that should be in the "appinstall.p" procedure is:
DEFINE VARIABLE cCertFile   AS CHARACTER NO-UNDO.
DEFINE VARIABLE iErr-status AS INTEGER   NO-UNDO.
DEFINE VARIABLE cMyCerts    AS CHARACTER NO-UNDO.

/* Assign the directory name where the CA root certificate hash file for   */
/* the self-signed certificates is deployed in the WebClient application.   */
/* It must be a path relative to the application install directory (".\").  */
ASSIGN cMyCerts = ".\mycerts\".

/* Function getCertsPath reads the registry to get the WebClient            */
/* installation directory. Substitute 9.1D with the installed WebClient     */
/* version if it is different from 9.1D.                                    */
/* Once the path has been obtained, "\certs" is appended.                   */
FUNCTION getCertsPath RETURNS CHARACTER ().
    DEFINE VARIABLE cCertsPath AS CHARACTER NO-UNDO.
    LOAD "SOFTWARE" BASE-KEY "HKEY_LOCAL_MACHINE".
    USE "SOFTWARE".
    GET-KEY-VALUE SECTION "PSC\WebClient\9.1D"
                  KEY "DestinationPath"
                  VALUE cCertsPath.
    UNLOAD "SOFTWARE".
    cCertsPath = cCertsPath + "\certs".
    RETURN cCertsPath.
END FUNCTION.

/* Start of program */
/* Read all files that have been deployed with the WebClient installation,  */
/* or upgrade, in the application subdirectory determined by cMyCerts.      */
INPUT FROM OS-DIR(cMyCerts).
REPEAT:
    IMPORT cCertFile.
    /* Only files with the ".0" extension are of interest. This test also  */
    /* matches names like "<hash>.0.BAK", but that shouldn't matter.        */
    /* The NUM-ENTRIES check avoids an ENTRY runtime error on names without */
    /* a dot (e.g. "." and ".." returned by OS-DIR are handled safely).     */
    IF NUM-ENTRIES(cCertFile, ".") >= 2 THEN
    IF ENTRY(2, cCertFile, ".") = "0" THEN DO:
        OS-COPY VALUE(cMyCerts + cCertFile) VALUE(getCertsPath() + "\" + cCertFile).
        /* OS-ERROR holds the status of the last OS-* statement, so it is   */
        /* read right after the copy and only for files that were copied.   */
        iErr-status = OS-ERROR.
        /* Handle any OS error and give feedback. This usually happens when */
        /* the user lacks permission to write to WebClient's 'certs'        */
        /* directory...                                                     */
        IF iErr-status <> 0 THEN
            MESSAGE "OS error " iErr-status " occurred while copying " SKIP
                    STRING(cMyCerts + cCertFile) " TO "
                    STRING(getCertsPath() + "\" + cCertFile)
                VIEW-AS ALERT-BOX ERROR BUTTONS OK.
    END.
END.
INPUT CLOSE.
8) Generate the WebClient application and deploy it.
On WebClient application installation, the custom CA root certificate
hash file will be deployed in WebClient's <install-dir>\certs directory,
which acts as the digital certificate store.
However, if the WebClient application is already installed on the target
machines, steps 5) and 6) should be modified as follows:
5) In the 'General' tab, locate the name of the startup procedure (after -p).
6) Modify the startup procedure so that it first runs the procedure "appinstall.p"
from step 7), and make sure that it does so only once.
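One way to make the existing startup procedure run "appinstall.p" only once, as an added example that is not part of the Kbase article: a marker file is written in the application's "mycerts" directory after the first run and checked on every subsequent start. The marker file name, the startup procedure name "startup.p" and the "mainmenu.p" it normally runs are assumptions.

```abl
/* startup.p - assumed name of the procedure given after -p in the 'General' tab */
DEFINE VARIABLE cMarker AS CHARACTER NO-UNDO.

/* Marker file (assumed name) lives next to the deployed hash file, so it is */
/* written in a directory the application already owns, not in \certs.      */
ASSIGN cMarker = ".\mycerts\appinstall.done".

/* SEARCH returns ? (unknown) when the file does not exist yet. */
IF SEARCH(cMarker) = ? THEN DO:
    /* Copies <hash>.0 into WebClient's \certs directory (step 7 procedure). */
    RUN appinstall.p.

    /* Record that the one-time deployment has run, with a timestamp for    */
    /* troubleshooting. Deleting this file on the client forces a re-run,   */
    /* for example after a failed copy that appinstall.p reported.          */
    OUTPUT TO VALUE(cMarker).
    PUT UNFORMATTED "CA root certificate hash file deployed on "
        STRING(TODAY, "99/99/9999") " " STRING(TIME, "HH:MM:SS") SKIP.
    OUTPUT CLOSE.
END.

/* Continue with the application's normal startup logic (assumed name). */
RUN mainmenu.p.
```

When the application is upgraded with a new hash file, ship a new marker file name (or remove the old marker in the upgrade) so the copy runs again once.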