Required Parameter Group for QSYRGAP:| 1 | Application ID | Input | Char(*) |
| 2 | Length of application ID | Input | Binary(4) |
| 3 | Application controls | Input | Char(*) |
| 4 | Error Code | I/O | Char(*) |
Default Public Authority: *EXCLUDE
Threadsafe: Yes
Required Parameter Group for QSYRGAP:| 1 | Application ID | Input | Char(*) |
| 2 | Length of application ID | Input | Binary(4) |
| 3 | Application controls | Input | Char(*) |
| 4 | Error Code | I/O | Char(*) |
#include <qsyrgap1.h>
void QsyRegisterAppForCertUse
(char *Application_ID,
int *Length_of_application_ID,
Qsy_App_Controls_T *Application_controls,
void *Error_code);
Service Program: QSYRGAP1
The Register Application For Certificate Use (OPM, QSYRGAP; ILE, QsyRegisterAppForCertUse) API registers an application with the registration facility. The application controls provide additional information needed to define the application.
You can update an application entry by reregistering the application (using the replace control key) with new values for the application control keys.
The application type control key is set the first time the application is registered and cannot be changed.
When an application is registered, the registration information is stored using the Registration Facility.
The application ID to register. IBM-supplied iSeries applicationss are named QIBM_ccc_name, where ccc is the component identifier. User-supplied application IDs should not preface their application ID with QIBM. User-supplied application IDs should start with the company name to eliminate most problems that involve unique names. Application IDs should use an underscore (_) to separate parts of the name (for example, QIBM_OS400_HOSTSERVER). Also, IDs for related applications should start with the same name (for example, QIBM_DIRSRV_SERVER and QIBM_DIRSRV_REPLICATION).
The first character of the application ID must be one of the following:
| A-Z | Uppercase A-Z |
The remaining characters in the application ID must be made up of the following characters:
| A-Z | Uppercase A-Z |
| 0-9 | Digits 0-9 |
| . | Period |
| _ | Underscore |
The length of the specified application ID. The length must be a value from 1 to 100. If the application type is 4 (object signing application), then the length must be a value from 1 to 30.
The application control fields for defining the application. Any field not specified will be given the default value. The information must be in the following format:
| Number of variable length records | BINARY(4) The total number of all of the variable length records. |
| Variable length records | The fields of the application controls to set. Refer to Format for Variable Length Record for more information. |
The structure in which to return error information. For the format of the structure, see Error code parameter.
The following table shows the layout of the variable length record. For a detailed description of each field, see Field Descriptions.
| Offset | Type | Field | |
|---|---|---|---|
| Dec | Hex | ||
| 0 | 0 | BINARY(4) | Length of variable length record |
| 4 | 4 | BINARY(4) | Application control key |
| 8 | 8 | BINARY(4) | Length of data |
| 12 | C | CHAR(*) | Data |
If the length of the data is longer than the key field's data length, the data is truncated at the right. No message is issued.
If the length of the data is shorter than the key field's data length and the key contains binary data, an error message is issued. If the key does not contain binary data, the field is padded with blanks.
It is not an error to specify a key more than once. If duplicate keys are specified, the last specified value for that key is used.
Each variable length record must be 4-byte aligned. If not, unpredictable results may occur.
Refer to Application Control Keys for more information about the valid values for these fields.
Data. The value to which a specific application control is to be set.
Length of data. The length of the application control value.
Length of variable length record. The length of the record, including this field.
The following table shows the valid application control keys for the application control key field of the variable length record. For a detailed description of each field, see Field Descriptions.
| Key | Type | Field |
|---|---|---|
| 1 | CHAR(20) | Qualified exit program name |
| 2 | CHAR(50) | Application description |
| 3 | CHAR(27) | Qualified message file name and message identifier for application description |
| 4 | CHAR(1) | Limit CA certificates trusted |
| 5 | CHAR(1) | Replace |
| 6 | CHAR(1) | Threadsafe |
| 7 | CHAR(1) | Multithreaded job action |
| 8 | CHAR(1) | Application type |
| 9 | CHAR(10) | Application user profile |
| 10 | CHAR(1) | Client authentication supported |
| 11 | CHAR(1) | Client authentication required |
| 12 | CHAR(1) | Perform certificate revocation processing |
Application type. The type of application. This control is set when the application is registered and cannot be changed. The default value is 1. Valid values for this key are:
| 1 | Server application. A server application provides a service for another process on the system, host, or network. |
| 2 | Client application. A client application requests a service from another process on the system, host, or network. |
| 4 | Object signing application. This application is used when signing objects. The application ID for this application can be specified on the Sign Object (QYDOSGNO) API. When an object signing application is registered, a corresponding function is registered with the same ID (see Register Function (QSYRGFN, QsyRegisterFunction) API). A user must have access to the corresponding function to sign objects using this application ID. By default, only users with *ALLOBJ special authority will have access to the corresponding function. |
Application user profile. The user profile associated with the application. This is the user profile under which the application runs. If a user profile name is specified, then the specified user profile is given access to the QIBM_QSY_SYSTEM_CERT_STORE function (see Register Function (QSYRGFN, QsyRegisterFunction) API). This function gives the specified user profile access to the *SYSTEM certificate store without having to be authorized to the actual object, but only when using the certificate associated with the application to establish a secure session. The default value is *NONE. The following special value may be specified:
| *NONE | No user profile will be associated with the application. This value must be specified if the application type is 4 (object signing application). |
Client authentication required. Whether client authentication is required. The default value is 0.
| 0 | No client authentication is done. This value must be specified if the client authentication supported value is 0. |
| 1 | Client authentication is required. The client is authenticated as part of the SSL handshake protocol processing. During the SSL handshake processing, the server requests a certificate from the client. The certificate must be valid and must be signed by a Certificate Authority (CA) that the server recognizes and trusts. If the client does not have a valid certificate, then the server ends the SSL handshake and does not establish an SSL session between the client and server. |
Client authentication supported. Whether the application supports client authentication. The default value is 0.
| 0 | The application does not support client authentication. If this value is specified, the client authentication required value must be 0. This value must be specified if the application type is 2 (client application) or 4 (object signing application). |
| 1 | The application supports client authentication. |
Limit CA certificates trusted. Whether the application trusts all of the CA certificates that are trusted in the *SYSTEM certificate store or a subset of the CA certificates. A client application uses the list of trusted CA certificates to validate the peer certificate that is sent to the application. A server application that supports client authentication uses the list of trusted CA certificates to validate the certificate that is sent from the client. The default value is 1.
| 0 | The application trusts all the CA certificates that are trusted in the *SYSTEM certificate store. This value must be specified if the application type is 4 (object signing application). This value is recommended for server applications that do not support client authentication. |
| 1 | The application trusts a subset of the list of CA certificates that are trusted in the *SYSTEM certificate store. If this value is specified, the system administrator must specify which of the CA certificates that are trusted in the *SYSTEM certificate store also are trusted by the application. Otherwise, the application will not trust any of the CA certificates. Using Digital Certificate Manager (DCM), the system administrator can add and remove CA certificates from the list of trusted CA certificates for the application. The application must be a client application or a server application that supports client authentication to be able to use DCM to manage the list of CA certificates that the application trusts. |
Multithreaded job action. The action to take in a multithreaded job. This key has no direct relationship with the threadsafe key; however, the value for the threadsafe key can be used to determine the multithreaded job action. The default value is 0. Valid values for this key are:
| 0 | Use the QMLTTHDACN system value to determine the action to take. |
| 1 | Run the exit program in a multithreaded job. |
| 2 | Run the exit program in a multithreaded job and send informational message CPI3C80. |
| 3 | Do not run the exit program in a multithreaded job and send informational message CPI3C80. |
If you do use the threadsafe value to determine the value for the multithreaded job action, consider the following recommendations:
Perform certificate revocation processing. Whether certificate revocation processing is performed when the certificate associated with the application is validated. The default value is 0.
| 0 | Certificate revocation processing is not performed when the certificate associated with the application is validated. If the certificate has been revoked, it will still be considered valid. |
| 1 | Certificate revocation processing is performed when the certificate associated with the application is validated. If the certificate has been revoked, it will not be valid. |
Qualified exit program name. The exit program name and library for the application. The first 10 characters contain the exit program name; the next 10 characters contain the library name in which the exit program resides. The exit program does not need to exist at registration time. A specific library name must be specified. The special values *LIBL and *CURLIB are not supported. The default value is program QSY_NOPGM in library QSY_NOLIB.
This exit program is called when a certificate is assigned to the application, an assigned certificate is changed, or an assigned certificate is removed. It is called when a Certificate Authority (CA) certificate is added to or removed from the list of trusted CA certificates for the application. It also is called when an attempt is made to deregister the application. The exit program can determine whether or not the application can be deregistered. This exit program also is called when the information for a registered application is updated. Refer to Digital Certificate Management exit programs for detailed information about the information that is passed to the exit program for each of the possible calls to the program.If the exit program is the default value, then it will not be called.
Qualified message file name and message identifier for application description. A message file and message identifier that contains the application description. When this key is specified, the application description key must not be specified. The message file and message identifier do not have to exist at the time of registration. The default value is blanks. Refer to Qualified Message File Format for the format of this field.
Replace. Whether to replace an existing registered application. The default value is 0.
| 0 | Do not replace an existing registered application. If this value is specified and the application is already registered, the request will fail. |
| 1 | Replace an existing registered application. If this value is specified and the application is not already registered, the application will be registered. If the application is already registered, only the application control keys that are specified on this call are replaced. Any other application control keys that were previously specified will keep their values. |
| 2 | Replace an existing registered application, but do not
replace application control keys that are controlled by a system administrator. If this
value is specified and the application is not already registered, the application
will be registered. If the application is already registered, only the application
control keys that are specified on this call are replaced. Any other application
control keys that were previously specified will keep their values. Application
control keys that are controlled by a system administrator are not replaced, even
if they are specified on this call. These application control keys include:
This value should be used by install exit programs to ensure that values set by the system adminstrator are not replaced by the install exit program. |
Threadsafe. Whether the exit program entry is threadsafe. This key has no direct relationship with the multithreaded job action key. It is intended for documentation purposes only. The default value is 1. Valid values for this key are:
| 0 | The exit program entry is not threadsafe. |
| 1 | The threadsafe status of the exit program entry is not known. |
| 2 | The exit program entry is threadsafe. |
The following table shows the layout of the qualified message file name and message identifier for the application description field. For a detailed description of each field, see Field Descriptions.
| Offset | Type | Field | |
|---|---|---|---|
| Dec | Hex | ||
| 0 | 0 | CHAR(10) | Message file name |
| 10 | A | CHAR(10) | Message file library name |
| 20 | 14 | CHAR(7) | Message identifier |
Message file library name. The library name in which the message file resides. The special value *CURLIB is not supported. The possible values are:
| *LIBL | Search the library list for the message file. This value uses the first message file in the library list that contains the message identifier. |
| library name | The name of the message library in which the message file resides. |
Message file name. The name of the message file that contains the application description.
Message identifier. The message identifier for the application description.
| Message ID | Error Message Text |
|---|---|
| CPFA0AA E | Error occurred while attempting to obtain space. |
| CPF2225 E | Not able to allocate internal system object. |
| CPF222E E | &1 special authority is required. |
| CPF220E E | Application &1 not registered. |
| CPF220F E | Application &1 already registered. |
| CPF229E E | Application ID &1 not valid. |
| CPF3C3C E | Value for parameter &1 not valid. |
| CPF3C4D E | Length &1 for key &2 not valid. |
| CPF3C81 E | Value for key &1 not valid. |
| CPF3C82 E | Key &1 not valid for API &2. |
| CPF3C83 E | Key &1 not allowed with value specified for key &2. |
| CPF3C84 E | Key &1 required with value specified for key &2. |
| CPF3C88 E | Number of variable length records &1 is not valid. |
| CPF3C90 E | Literal value cannot be changed. |
| CPF3CD9 E | Requested function cannot be performed at this time. |
| CPF3CDA E | Registration facility repository not available for use. |
| CPF3CF1 E | Error code parameter not valid. |
| CPF3CF2 E | Error(s) occurred during running of &1 API. |
| CPF8100 E | All CPF81xx messages could be returned. xx is from 01 to FF. |
| CPF9810 E | Library &1 not found. |
| CPF9811 E | Program &1 in library &2 not found. |
| CPF9872 E | Program or service program &1 in library &2 ended. Reason code &3. |
| Top | Security APIs | APIs by category |