NASA Logo, National Aeronautics and Space Administration

HTTPS SPDF Web Services

Introduction

The SPDF web services are required to comply with U.S. government standards for secure communications with federal web sites.  While this should not require any special software (beyond an up-to-date browser) for access to simple HTML pages, it may require additional preparations for non-browser based access to the SPDF web services.  Typically, this will involve changing any URLs beginning with "http:" to "https:" and installing updated Certificate Authority (CA) certificates in older programming run-time environments or disabling the verification of the certificate.  Run-time environments released or updated after the summer of 2016 may already have the necessary certificates, so it is best to test your environment before making any changes.

Note
The rest of this page contains several links to certificates that your browser is likely to already possess.  Simply clicking a certificate link may cause your browser to attempt to install the certificate.  You may have to use the "save link as" feature of your browser or use other software (for example, curl or wget) to download the certificate.

The required CA certificates are available from:
If you encounter problems or have questions about the SPDF web services, e-mail spdf-support.

Instructions for common web service clients

Below are instructions to enable common programming run-time environments to interact with the SPDF web services over HTTPS.  The environments covered include the following:
This does not cover all possible run-time environments used to implement web service clients, but these instructions may be helpful for other environments as well.

cURL Client

Older versions of cURL may need a newer certificate bundle.  To overcome this problem, do one of the following:

wget Client

Older versions of wget are known to have problems evaluating the multi-domain certificate used for our sites.  If you encounter the error

ERROR: certificate common name 'cdaweb.sci.gsfc.nasa.gov' doesn't match requested host name 'cdaweb.gsfc.nasa.gov'

you should upgrade your wget.  Version 1.12 and newer are known to work.  In this particular example, you could also change your wget command to target cdaweb.sci.gsfc.nasa.gov but that won't work for cases involving our other sites.
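The mismatch above can be reproduced offline. The following is an added example, not code from SPDF or wget: it compares a check against the certificate's common name only (which is what the error message reports) with a check against the subjectAltName list, as RFC 6125 describes. The certificate contents and the function names are constructed for illustration.

```python
# Constructed certificate fields (not the real SPDF certificate): one common
# name plus several subjectAltName dNSName entries, i.e. a multi-domain cert.
CERT = {
    "common_name": "cdaweb.sci.gsfc.nasa.gov",
    "subject_alt_names": [
        "cdaweb.sci.gsfc.nasa.gov",
        "cdaweb.gsfc.nasa.gov",
        "sscweb.gsfc.nasa.gov",
    ],
}


def _name_match(pattern, host):
    """Compare DNS names label by label; '*' may only be the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or not all(h):
        return False
    if p[0] == "*":
        # Refuse over-broad patterns such as "*.gov"; the wildcard covers one label.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def match_cn_only(cert, host):
    """Legacy check: the host must equal the subject common name."""
    return _name_match(cert["common_name"], host)


def match_san(cert, host):
    """RFC 6125 style check: when SAN entries exist, use them and ignore the CN."""
    sans = cert.get("subject_alt_names") or []
    if sans:
        return any(_name_match(name, host) for name in sans)
    return _name_match(cert["common_name"], host)


def explain(cert, host):
    """Tell an outdated client apart from a certificate that really does not cover the host."""
    legacy, modern = match_cn_only(cert, host), match_san(cert, host)
    if modern and not legacy:
        return "client too old: host is in the SAN list but is not the CN; upgrade the client"
    if not modern:
        return "genuine mismatch: certificate does not cover this host; do not bypass"
    return "ok"


if __name__ == "__main__":
    for name in ("cdaweb.gsfc.nasa.gov", "cdaweb.sci.gsfc.nasa.gov", "example.org"):
        print(name, "->", explain(CERT, name))
```

A host that only the SAN-aware check accepts points to an outdated client; a host that neither check accepts is a real mismatch and should not be worked around by turning verification off.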

Wget may also not have a new enough certificate bundle.  To overcome this problem, do one of the following:
  1. Obtain and use a newer certificate bundle as described below:
    1. Obtain a new certificate bundle as described in cURL above.
    2. Use the new certificate bundle like this
      • wget --ca-certificate=ca-bundle.crt -O - https://sscweb.gsfc.nasa.gov/WS/sscr/2/application.wadl | xmllint --format -
  2. Alternatively, you can disable verification of the certificate like this

Java Client

Java versions after 1.7.0_111 and 1.8.0_102 should not require any special preparations.  For earlier versions of Java, do the following:
  1. Download this CA certificate file https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.
  2. $ cd JAVA_HOME/jre
  3. $ bin/keytool -import -trustcacerts -file lets-encrypt-x3-cross-signed.pem -keystore lib/security/cacerts
  4. Now, any Java applications that are run with this installation of Java should be able to use the web services over HTTPS.
If your Java client code runs in an application server, you may, depending upon the specific application server, have to update the application server's trusted CA keystore.  The location of the keystore will vary depending upon the application server.

To debug a TLS issue, you might try setting the following system property

IDL Client

Exelis Interactive Data Language (IDL) versions after 8.5.0 should not require any special preparations.  These instructions describe how to prepare older versions of IDL to access the SPDF web services.

There are multiple ways for an IDL client to make web services calls.  Two common ways are with the IDLnetURL object and through the IDL-Java bridge.  Instructions for each of these cases are described separately below.

IDLnetURL IDL Client

For an IDL application that uses IDLnetURL to access the web services, do one of the following:

IDL Java Bridge Client

For an IDL application that uses the Java bridge to access the web services, do the following:
  1. Download this CA certificate file https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem
  2. $ cd <IDL_DIR>/idlde/bin.<platform>/jre
  3. $ bin/keytool -import -trustcacerts -file lets-encrypt-x3-cross-signed.pem -keystore lib/security/cacerts
  4. Now, any IDL applications that use this installation of IDL and the Java bridge should be able to use these web services over HTTPS.

Perl

For a Perl application, the location of the default trusted CA file varies on different platforms so the following simply overrides the default with an updated file.  The following are general instructions that will work in most configurations.
  1. Create or download the ca-bundle.crt file as described in cURL above.
  2. Set the PERL_LWP_SSL_CA_FILE environment variable to the ca-bundle.crt file before running your Perl program.

Questions/Comments

Questions or comments concerning these Web services should be sent to SPDF Feedback.
