[SOLVED] Web-service U9.7

Author: roger.wallin@abilita.fi (rogerw)

Hi,

    [DRIVER_SETTINGS]
    SOP  U2.0
    usys$sop_params=ign=HP

    [SERVICES_EXEC]
    smsservice=$sop:smsservice  wsdl=https://services.mysite.com/SMSServer/SMSService.svc?wsdl

The above settings work in Uniface 9.6.04, but not in 9.7.01.02 (G104 0322_01). Activating the service gives status -155, so the signature should be ok. I'll investigate it more tomorrow, but if someone knows the error or a working pattern for this Uniface version.... Regards RogerW.

6 Comments

  1. Hi RogerW, This is a known problem (internally recognized as BUG#31150 - Importing/accessing WDSL via https:// fails on Windows) that has not been resolved yet. The workaround is to download the WSDL and access it locally. E.g.

         [SERVICES_EXEC]
         smsservice=$sop:smsservice  wsdl=c:/unifaceappdir/SMSService.wsdl

     In case the mentioned workaround is not feasible for you then please log a call with support. Hope this helps. Regards, Daniel Iseli Uniface Support

     P.S. The mentioned problem has been occurring since version 9.6.08 (patch MX07) and 9.7.01 + G101

     Update (April 12, 2016): the info about BUG#31150 is now also available on the list of known issues available here on Uniface.info (see Reported Issues)


    Author: diseli (daniel.iseli@uniface.com)
  2. I know you are trying to ignore server verification, but that is a bad long-term strategy so it would be better to do it properly. The later versions of Uniface changed to use libcurl as the http client and that needs to have an up-to-date ca-bundle.crt in order to validate certificates. If the signing authority for the SSL cert used by the website is not known (and Uniface doesn't ship with a bundle so everything will fail), then the connection will be refused. See http://curl.haxx.se/docs/sslcerts.html and option 5 (get a better bundle) is probably the one to take. We had similar problems, and once we used the Firefox bundle then we were OK.


    Author: Andy Heydon (andy@heydon.org)
  3. Hi, Daniel, I got it working and as it's possible to steer and override the signature's "Url of the wsdl", then it's ok for me, especially as I can direct it to a network drive. Furthermore it still seems to work to use the $signatureproperties. For some reason I had to reimport the wsdl. I see no important change in the signature exported from U9.6.04 to U9.7 and the one reimported into U9.7 ??

         [SERVICES_EXEC]
         smsservice=$sop:smsservice  wsdl=g:/unifaceappdir/SMSService.wsdl

     Andy, I agree that it's highly debatable to postpone the security. However "usys$sop_params=ign=HP" made it possible to restrict the problem. However I have also got it working without "ign=HP", no problem as this is our own web-server. But removing "ign=HP" will probably make the installations a lot more difficult, as other own web-services are installed on different customer web-servers. I have to admit that I don't know all the pros and cons with different types of certificates. Regards RogerW.


    Author: rogerw (roger.wallin@abilita.fi)
  4. There are a limited number of certificate authorities, so once you have a good bundle then it should suffice for many/all sites. curl is just checking that whatever cert the remote site serves up has been signed by a known and valid issuing authority, and so it is generally not a problem when installing your product at customer sites. Unless of course self-signed certs are being used, because they would have an unknown CA and hence be invalid, and that is a case for using the ignore option. But self-signing is (should be) just a development stopgap.


    Author: Andy Heydon (andy@heydon.org)
  5. Hi Andy! Ok, then I understand your point. However all this being said and risking a lively debate, the most secure certificate would probably be a well organized self-signed certificate. Regards RogerW.


    Author: rogerw (roger.wallin@abilita.fi)
  6. Additional info:

     Note: When host and/or server verification is disabled, the connection is still encrypted, but not necessarily secure.

     How to download and use the Mozilla CA certificate: From "https://curl.haxx.se/docs/caextract.html" download "cacert.pem" using "Save target as...". Rename the file to "ca-bundle.crt" and copy it to the Uniface usys directory. Regards RogerW.


    Author: rogerw (roger.wallin@abilita.fi)
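
Added example (not part of the thread, and not Uniface code): a small Python audit of an assignment file for the settings discussed above, namely an "ign=" value in usys$sop_params, a WSDL loaded over https, and a missing or empty ca-bundle.crt in the usys directory. The names audit_asn and SAMPLE_ASN are made up for this example, treating lines that start with ';' as comments is an assumption, and the sample input is constructed from the settings quoted in the first post.

```python
import re
from pathlib import Path

# Constructed sample: the assignment-file settings quoted in the first post.
SAMPLE_ASN = """\
[DRIVER_SETTINGS]
SOP  U2.0
usys$sop_params=ign=HP

[SERVICES_EXEC]
smsservice=$sop:smsservice  wsdl=https://services.mysite.com/SMSServer/SMSService.svc?wsdl
"""

def audit_asn(text, usys_dir=None):
    """Return (line_no, finding) pairs for settings that affect TLS verification.

    line_no 0 is used for findings about files rather than a line of the .asn.
    """
    findings, section = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):  # assumption: ';' starts a comment
            continue
        head = re.fullmatch(r"\[(\w+)\]", line)
        if head:
            section = head.group(1).upper()
            continue
        # Any ign= value in the SOAP driver parameters switches checks off.
        ign = re.search(r"usys\$sop_params\s*=.*?\bign=(\w+)", line, re.I)
        if section == "DRIVER_SETTINGS" and ign:
            findings.append((no, f"certificate checks ignored (ign={ign.group(1)})"))
        # An https WSDL needs a usable CA bundle (or a local copy, per BUG#31150).
        wsdl = re.search(r"\bwsdl=(\S+)", line, re.I)
        if section == "SERVICES_EXEC" and wsdl and wsdl.group(1).lower().startswith("https://"):
            findings.append((no, "WSDL loaded over https: needs ca-bundle.crt or a local copy"))
    if usys_dir is not None:
        # Comment 6 places the Mozilla bundle in the usys directory as ca-bundle.crt.
        bundle = Path(usys_dir) / "ca-bundle.crt"
        certs = 0
        if bundle.is_file():
            certs = bundle.read_text(errors="replace").count("-----BEGIN CERTIFICATE-----")
        if certs == 0:
            findings.append((0, f"no CA certificates found in {bundle}"))
    return findings

if __name__ == "__main__":
    for line_no, finding in audit_asn(SAMPLE_ASN):
        print(f"line {line_no}: {finding}")
```

Pass the usys directory as the second argument to include the ca-bundle.crt check.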