Client Side Certificates and [SOAP | HTTP-Post]
Message
From
03/09/2005 13:42:48
To
All
General information
Forum: Visual FoxPro
Category: Internet applications
Title: Client Side Certificates and [SOAP | HTTP-Post]
Environment versions
Visual FoxPro: VFP 8 SP1
OS: Windows 2000 SP4
Miscellaneous
Thread ID: 01046562
Message ID: 01046562
Views: 88
Hi,

A client asked me to connect his app to a few government hosted databases. The databases use XML as data exchange format, but each has to be accessed a little differently and government heavily recommends using Java/JSSE/Axis tools to access them ... The communication layer in one branch is SOAP, in another it is HTTPS-Post. Nearly all access has to happen using client side security certificates, and testing can only happen at a certain location during working day daylight hours, when the PC is called back from another government net through ISDN. The OS I have to support are W2KSp4 and XP. If there are clear reasons these tasks are easier done in vfp9, the already planned port might be accelerated, but the code should be runnable under vfp8Sp1 and vfp9.

So far I've installed a clean W2KSp4 machine updated to IE6SP1, installed an ISDN card with the correct drivers, installed one of the client side security certificates and verified the setup by accessing one site via usual IE browsing. Since this works I am reasonably sure the setup is ok.

Trying to access this site via
oXH=createobject("msxml2.xmlhttp")
...
oXH.Send()
resulted in an error message telling me security certification was missing.

After Googling with a few different sets of keywords I believe I have identified at least a few of the problem areas: For client side certificate support usually Msxml2.ServerXMLHTTP.4.0 is recommended instead of the XMLHTTP object I was previously using. Specifically, MSDN mentions ServerXMLHTTP includes SSL certificate support in MSXML 3.0 Service Pack 1.

Since I plan to use it from a user account, some of the problems reported from running this object under system/server account should not happen in my case.

On MSDN I found some other texts suggesting to use WinHTTP5.1, also already installed on W2K, which is even less familiar to me.

If going through WinInet, MSDN suggests in "How To Select Client Certificate in WinInet" to display a manual selection box. At least it seems that the result could be saved and reused in later calls through InternetQueryOption / InternetSetOption and "manually" requeried only in case of error.

Worst case would probably be automating an invisible WebBrowser, but that is something I'd rather not do in this case.

On the SOAP front it seems that I can set the certificate through the Soap3.0
Connectorproperty("SSLClientCertificateName") = [CURRENT_USER | LOCAL_MACHINE\[store-name\]]cert-name

Unclear (only surmised from ServerXMLHTTP/XMLHTTP differences) is if any specific setting in
ClientProperty("ServerHTTPRequest") has to be set to true if SSLClientCertificateName is used. Also reading .wsdl files via HTTPS has been mentioned as problematic: I've not checked if this is needed in my case.

So, quite a few promising leads: at least promising quite a bit of testing to find a nice working solution and probably a few pitfalls just waiting for me...

Has anybody tried a few of these options? Any recommendations NOT to try specific avenues?
Or even tested code [s]he is able to share? Especially for the client side certificate HTTPS-Post scenario?

tia

thomas
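
Added example, not part of the original post and not tested code from its author: one way to do the client-certificate HTTPS POST from VFP 8 SP1 or VFP 9 through the WinHTTP 5.1 COM object mentioned above. The URL, certificate name, XML body and the function name PostWithClientCert are constructed placeholders.

```foxpro
* Added example: HTTPS POST with a client certificate via WinHTTP 5.1.
* POST_URL, CERT_NAME and the request body are constructed placeholders.
#DEFINE POST_URL   "https://service.example.invalid/exchange"
#DEFINE CERT_NAME  "CURRENT_USER\MY\Example Client Cert"

LOCAL lcReply
lcReply = PostWithClientCert(POST_URL, CERT_NAME, ;
    [<?xml version="1.0"?><request/>])
? IIF(ISNULL(lcReply), "POST failed", lcReply)

FUNCTION PostWithClientCert(tcUrl, tcCert, tcXml)
    LOCAL loHttp, loErr, lcResult
    lcResult = .NULL.
    TRY
        loHttp = CREATEOBJECT("WinHttp.WinHttpRequest.5.1")
        loHttp.Open("POST", tcUrl, .F.)      && .F. = synchronous call
        * Select the certificate after Open() and before Send().
        * Format: [CURRENT_USER | LOCAL_MACHINE]\store-name\subject-name
        loHttp.SetClientCertificate(tcCert)
        loHttp.SetRequestHeader("Content-Type", "text/xml; charset=utf-8")
        loHttp.Send(tcXml)
        IF loHttp.Status = 200
            lcResult = loHttp.ResponseText
        ELSE
            ? "HTTP status", loHttp.Status, loHttp.StatusText
        ENDIF
    CATCH TO loErr
        * Server certificate validation is left at its default (enabled),
        * so TLS and other COM errors are reported here, not ignored.
        ? "WinHTTP error", loErr.ErrorNo, loErr.Message
    ENDTRY
    RETURN lcResult
ENDFUNC
```

The certificate's private key must be readable by the account running the code, which for CURRENT_USER\MY is the interactive user who imported it.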