Use of TLS/SSL/HTTPS for Searching (Oracle based software)

Hi,

I will only ever need to search the Companies House data. I currently use the XMLGateway and this works fine with HTTP (no SSL). I see that I will have to use TLS with the new API and that will give me problems since I use a shared Oracle server and so don’t have direct control over the Oracle Wallet.
I notice that the call to get the basic company data doesn’t require authorisation, so why does it need to be done over TLS? Also the data is free so why do we need such security for the Search?
If I need to use TLS then I will need the data on Companies House certificate, can you give me that or tell me how to get it?

Thanks,
Chris

Authentication is mandatory for every API endpoint, including search (try the API explorer provided on any API method page, you will see that you first have to register for an API key before you can use the API).

Without using TLS, your access credentials would be sent in the clear, which is obviously not acceptable.

You shouldn’t need a certificate for HTTP over TLS; if you did, then a user would need to install a certificate before visiting any secure website. Certificates are signed by a standard root authority, which is what clients check and trust, and ours is one which your Oracle server should already know about (assuming it is up to date). Of course, that assumes Oracle’s use of TLS and certificate management is standard, and is in line with that implemented by all browser and TLS-enabled HTTP client libraries. I don’t have any personal experience of Oracle’s implementation though.

If you go to https://beta.companieshouse.gov.uk and click on the padlock in the address bar (works at least in Chrome or Safari), you will be able to see all the necessary certificate information, most importantly the root certificate authority.

Does that clarify things? Come back if you need…

Chris

Hi,

Thanks for that.
The documentation at https://developer.companieshouse.gov.uk/api/docs/search/companies/companysearch.html says:

Authentication
Not required.

I know that I don’t need my own certificate, but Oracle needs to know what your certificate is. It then needs to be put into an Oracle wallet, which I as a user on a shared server do not have direct access to.
I don’t get the reasoning behind enforcing SSL on data that is free and that you want to encourage people to use.

Regards,
Chris

Ah. Yes. It’s really badly worded (clearly!)

The API does support OAuth2 access token authorisation, which is what our website itself uses for the only filing available on the new platform, the change of registered office address. This API is not available publicly, as it is an alpha spike implementation. The OAuth2 authentication is also currently alpha.

The (bad) documentation you refer to is a hang-over from when we thought OAuth2 authentication would be available in the (current) beta release: the APIs you refer to do not need OAuth2 authentication. However, if you’re not using OAuth2, then you must use an API key.

Like I said, really confusing. Sorry.

We are re-writing the developer information and will be releasing the Swagger specifications, as discussed in:

Hi,

Sorry to open up an old thread but did not want 2 threads with the same issue.
I am trying to connect to the APIs using IBM’s application but keep getting an SSL library error. I tried the link above (beta.companieshouse.gov.uk) and downloaded the cert but I have a feeling the link may have changed along with the CA certs.
Can you either place the certs directly as downloadable in the forum or point me to the right one?

Regards,
Sushil

This was a pain for me and I still don’t get the reasoning as to why it’s necessary for Search.
In my case I looked at the padlock to get the certificate information as discussed above and passed that information to our Oracle hosting provider. Oracle requires that information to be in what they call a ‘wallet’. Our hosting company put it into the wallet but that didn’t work. In the end they created a ‘personal’ wallet for us and we referenced that in our code - and that worked.

Thanks phillips_chris. The problem is if I just type in https://api.companieshouse.gov.uk, I get a blank page which is enough to get the certs from. I extract those 3 certs (Root, Inter and Cert), add them in my trust store and my SSL handshake still fails.

Would you know what certs were imported in the wallet or is that outside your application as I am sure they would have provided a set of certs to perform handshake between your app and Oracle?

Hi,

That bit was outside my control, I just asked the company to get the certificates and put them in the wallet.

Regards,
Chris
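
The trust-store question running through this thread (the client validates the server's chain up to a root it already trusts), as an added example that is not part of the original posts: it builds a constructed root, intermediate and leaf with the `openssl` CLI and checks which trust-store contents let the leaf validate. The host name `api.example.test`, the CA subjects and the helper functions are assumptions for illustration; the results show OpenSSL's default rules, and an Oracle wallet or another vendor's trust store may apply different ones.

```shell
#!/bin/sh
# Added example. Every certificate here is constructed locally for the demo;
# none of it is Companies House's real chain.
set -e
WORK=$(mktemp -d) && cd "$WORK"

# new_csr NAME CN: fresh RSA key plus a signing request for subject CN.
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" 2>/dev/null
}

# build_chain: constructed root -> intermediate -> leaf, the same three
# roles as the "Root, Inter and Cert" files mentioned in the thread.
build_chain() {
  printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
  new_csr root "Constructed Root CA"
  openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
    -days 2 -out root.pem 2>/dev/null
  new_csr inter "Constructed Intermediate CA"
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key \
    -CAcreateserial -extfile ca.ext -days 2 -out inter.pem 2>/dev/null
  new_csr leaf "api.example.test"
  openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key \
    -CAcreateserial -days 2 -out leaf.pem 2>/dev/null
}

# validates TRUSTSTORE [verify args...] CERT: succeeds only when openssl can
# build a path from CERT up to a self-signed root held in TRUSTSTORE.
validates() {
  store=$1; shift
  openssl verify -CAfile "$store" "$@" 2>&1 | grep -q ': OK$'
}

report() { if validates "$@"; then echo "OK   $*"; else echo "FAIL $*"; fi; }

build_chain
# Root in the store, intermediate supplied alongside the leaf (as a server would).
report root.pem -untrusted inter.pem leaf.pem
# Root in the store, but nobody supplies the intermediate: the path cannot be built.
report root.pem leaf.pem
# Only the intermediate in the store: by default it is not a trust anchor for openssl.
report inter.pem leaf.pem
```

Replacing the constructed files with the PEM files exported from a real site lets the same `validates` check separate a trust-store gap from other handshake failures such as protocol or cipher mismatches.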