That documentation is very old and should not be followed. You should be
able to use the standard Java mechanism of putting any required CA
certificates into your local keystore.
To use SSL for JDBC, just add "secure=true" as a JDBC connection property.
Here is an example, run in QSH, using the JDBC client that is now included
with jt400.jar as well as using a custom keystore (/home/cacerts) that
contains the CA certificate for the self-signed certificate used by the
server.

    java -Djavax.net.ssl.trustStore=/home/cacerts \
      -cp /qibm/proddata/http/public/jt400/lib/jt400.jar \
      com.ibm.as400.access.jdbcClient.Main 'jdbc:as400://localhost;secure=true' \
      USERID PASSWORD

If you don't have the CA certificate in your keystore, you will get a
chaining error as shown below.
$ java -cp /qibm/proddata/http/public/jt400/lib/jt400.jar
com.ibm.as400.access.jdbcClient.Main 'jdbc:as400://localhost;secure=true'
USERID PASSWORD
Unable to connect to jdbc:as400://localhost;secure=true using USERID
java.sql.SQLException: The application requester cannot establish the
connection. (com.ibm.jsse2.util.h: PKIX path building failed:
java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could
not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued
by CN=lp01ut18, O=IBM, ST=MINNESOTA, C=US is not trusted; internal cause
is:
java.security.cert.CertPathValidatorException: Certificate chaining
error)
...
Hope that helps...
John Eberhard
From: James Lampert <jamesl@xxxxxxxxxxxxxxxxx>
To: Java Programming on and around the iSeries / AS400
<java400-l@xxxxxxxxxxxx>,
Date: 10/10/2012 11:21 AM
Subject: Does anybody have experience setting up the client end of
secured JDBC access?
Sent by: java400-l-bounces@xxxxxxxxxxxx
One of our contract developers has looked over the process of
establishing a secured JDBC connection, and he had this to say:
Firstly, I have to say, IBM's solution for SSL connections is a freak: it
requires using a bunch of zip/jar and using them to generate a class which is
relative to the server certification, then using that class to do the
communication.
In this process, it requires:
1. Server certification (not keystore)
2. A bunch of zip/jar which are only contained within the server (I do not
have any places I can download them)
Because the process does not look very complicated, I decided to send you
the introduction so you can try it by yourself if you want (it is much
easier for you to get those packages anyway)
. . .
The official introduction for how to use SSL connection is in here.
http://publib.boulder.ibm.com/infocenter/iseries/v5r3/index.jsp?topic=%2Frzahh%2Fsslcert.htm
I'm about to follow his link, and read up on it, but if anybody here has
experience with the process, I'd like any insights you can give.
Basically, we need a generalized solution, that will work on customer
servers, preferably without having to rebuild the whole damned client
anew for every customer.
--
JHHL
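
An added example, not part of either message above and not IBM's code: one client build can serve every customer if the trust store path is a run-time setting and the connection uses the "secure=true" property from the reply. The class name SecureJdbcCheck, the argument order, a JKS-format trust store, and matching on the "PKIX"/"chaining" text of the error are assumptions made for this sketch.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Collections;
import java.util.Properties;

// Added example (hypothetical class). Run with jt400.jar on the classpath:
//   java -cp jt400.jar:. SecureJdbcCheck <host> <user> <password> <trustStorePath>
public class SecureJdbcCheck {
    public static void main(String[] args) throws Exception {
        String host = args[0], user = args[1], password = args[2], trustStore = args[3];

        // List the trusted CA subjects so a missing issuer is visible before connecting.
        // A null password skips the integrity check; assumed sufficient for a JKS file.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(trustStore)) {
            ks.load(in, null);
        }
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (c instanceof X509Certificate) {
                System.out.println("trusted: "
                        + ((X509Certificate) c).getSubjectX500Principal().getName());
            }
        }

        // Same effect as -Djavax.net.ssl.trustStore=..., but chosen per customer at run
        // time. It must be set before the JVM opens its first SSL connection.
        System.setProperty("javax.net.ssl.trustStore", trustStore);

        Properties props = new Properties();
        props.setProperty("user", user);
        props.setProperty("password", password);
        props.setProperty("secure", "true"); // connection property from the reply above

        try (Connection con = DriverManager.getConnection("jdbc:as400://" + host, props)) {
            System.out.println("Connected with secure=true: " + con.getMetaData().getURL());
        } catch (SQLException e) {
            // Assumption: a trust failure carries the PKIX / chaining text quoted above.
            String msg = String.valueOf(e.getMessage());
            if (msg.contains("PKIX") || msg.contains("chaining")) {
                System.err.println("Server CA not trusted; import it into " + trustStore);
            }
            throw e;
        }
    }
}
```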