HTTPS Verification for Web Services

Uniface supports host verification, server verification, and client verification for web services.

By default, when the WSDL file of a web service specifies the HTTPS protocol, the SOAP connector performs both host and network server verification as part of setting up a secure connection. Client verification is optional. For more information, see Web Services and Certificate Verification.

You can turn off host or server verification for the SOAP connector using the ign connector option, or per component in the [SERVICES_EXEC] section.

Note:  When host and/or server verification is disabled, the connection is still encrypted, but the server's identity is not fully verified, so the connection is not necessarily secure.

Uniface uses the open source libcurl library (curl.haxx.se/libcurl/) to implement HTTPS transport and to verify digital certificates.

Certificate Store for Host and Server Verification

For host verification and server verification, the Uniface client process must have a local store of certificates called ca-bundle.crt, located in the usys directory. It contains the public keys of root Certificate Authorities such as VeriSign, DigiCert, and so on, in PEM format. Certificates are simply appended, one after the other, in the ca-bundle.crt file.

When you connect to a server over HTTPS, the client Uniface process uses libcurl to check that the presented server certificate has been signed by a Certificate Authority in its own bundle of root certificates.

You can obtain a certificate bundle from a trusted source (for example https://curl.se/docs/caextract.html) or generate your own bundle using a variety of tools. Rename the bundle to ca-bundle.crt, and place it in the usys folder (or redirect it in the assignment file).

You can add web server certificates by opening the web site in a browser, viewing the certificate, and exporting it in PEM format.

Once you have put ca-bundle.crt in place, you can amend it to apply updates or add your own certificate authority (for self-signed certificates).

Note:  Certificates may expire over time, so periodic updates to ca-bundle.crt may be required.

Certificate Store for Client Verification

For client verification, the server asks the client to send a personal key, which may be obtained when you purchase access to a web service. The personal key should be stored in the personal.crt file in PEM format. This file must contain both the private key and the certificates in the certificate path that the key uses. The file may be located anywhere on the local file system, but should be made accessible to Uniface by setting its location in the [FILES] section of the assignment file. For example:

[FILES]
personal.crt       C:\MyDocs\personal.crt

Note:  Uniface supports call-out to web services that require client verification, but it cannot directly import a WSDL file from a site that needs a private key. Instead, you must download the WSDL file to the local file system, and import it from there.
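
A pre-deployment check for the two files described above, as an added example that is not part of the Uniface documentation or product: it confirms that ca-bundle.crt holds only certificates (no private key, no duplicates) and that personal.crt holds exactly one private key plus at least one certificate. The function names are hypothetical, and the sample PEM blocks are constructed placeholders, not real certificates or keys.

```python
import base64
import hashlib
import re

# One PEM block; the back-reference makes the BEGIN and END labels agree.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def pem_blocks(text):
    """Return (label, base64 body with whitespace removed) per PEM block."""
    return [(label, "".join(body.split())) for label, body in PEM_BLOCK.findall(text)]

def lint_ca_bundle(text):
    """ca-bundle.crt is a trust store: certificates only, each one once."""
    problems, seen = [], set()
    for index, (label, body) in enumerate(pem_blocks(text), start=1):
        if "PRIVATE KEY" in label:
            problems.append(f"block {index}: private key in trust store")
        elif label != "CERTIFICATE":
            problems.append(f"block {index}: unexpected {label} block")
        else:
            try:
                der = base64.b64decode(body, validate=True)
            except ValueError:  # binascii.Error subclasses ValueError
                problems.append(f"block {index}: body is not valid base64")
                continue
            fingerprint = hashlib.sha256(der).hexdigest()
            if fingerprint in seen:
                problems.append(f"block {index}: duplicate certificate")
            seen.add(fingerprint)
    if not seen:
        problems.append("no certificates found")
    return problems

def lint_personal(text):
    """personal.crt: exactly one private key plus its certificate path."""
    labels = [label for label, _ in pem_blocks(text)]
    keys = sum("PRIVATE KEY" in label for label in labels)
    problems = [] if keys == 1 else [f"expected 1 private key, found {keys}"]
    if "CERTIFICATE" not in labels:
        problems.append("no certificate for the key's certificate path")
    return problems

# Constructed samples: placeholder bytes, not real certificates or keys.
def fake_pem(label, payload):
    body = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

ROOT_A, ROOT_B = (fake_pem("CERTIFICATE", p) for p in (b"root A", b"root B"))
CLIENT_KEY = fake_pem("PRIVATE KEY", b"client key")
```

The check is structural only: it does not parse the certificates, so expiry dates and signature chains still need a separate review.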
