


Thank you to everyone that assisted with this issue.

After a few more days of testing, I believe I have gotten to a good solution.

While the recommendation provided by Richard Schoen initially worked, the next day it stopped working. I kept trying different methods to get a consistent solution. I did use this link, which was in Richard's document - https://www.ibm.com/support/pages/importing-certificates-use-ibm-i-access-client-solutions-windows-application-package-acs-winap

I was using the "Push to Windows" method that is in IBM i Access Client Solutions (Tools / Key Management) as it saved me the step of having to manually validate my certs using gsk8capicmd.exe (gsk8capicmd.exe -cert -modify -trust enable). Using the Push to Windows method added the information to the key database file located in C:\Users\Public\Documents\IBM\Client Access\cwbssldf.kdb and marked it as trusted for me.

Two additional items made a difference. Since I was using Microsoft Word Mail Merge, if the ODBC connection failed, updating the key management database was not enough. MS Word was caching the cert info. I had to close all other Word/Excel documents and then retry the ODBC connection. Second, I found out that my AD environment had an Active Directory Group Policy that would automatically push the key database file cwbssldf.kdb to all PCs. So, each time I fixed the file, it would get replaced again at the next push. Now the Group Policy has the correct file and the ODBC connection is working.



-----Original Message-----
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of Richard Schoen
Sent: Friday, March 1, 2024 10:20 AM
To: midrange-l@xxxxxxxxxxxxxxxxxx
Subject: Re: TLS/SSL Certificate update for IBM i ODBC


Check this link out. I have run into this issue before.

https://github.com/richardschoen/howtostuff/blob/master/ibmi_acs_odbcssl_windows_issue_.md

Regards,
Richard Schoen
Web: http://www.richardschoen.net
Email: richard@xxxxxxxxxxxxxxxxx

-----Original Message-----

On Fri, Mar 1, 2024 at 8:50 AM Sizer, Joseph via MIDRANGE-L <midrange-l@xxxxxxxxxxxxxxxxxx> wrote:

Each year I use Digital Certificate Manager (DCM) to import my new SSL
cert. My root and CA cert are still good. I then assign the new SSL
cert to the applications that require them based on what last year's
cert was assigned to. I then verify that telnet, IBM i HTTP servers,
etc. are all using the new SSL cert.

This year, a client PC that uses a System DSN 64-bit ODBC connection
to the IBM i for a Microsoft Word mail merge generated an error that
defined the SSL cert as not being trusted. I am using ODBC driver IBM
i Access ODBC Driver version 13.64.27.00 and ACS version 1.1.9.4.

The error message generated when testing the connection is:
Data link error: Test connection failed because of an error in
initializing provider. IBM System I Access ODBC Driver Communication
link failure. Comm rc-25414 - CWBCO1050 - The IBM I server
application certificate is not trusted.

Changing the ODBC driver configuration to Non-SSL allows the mail
merge to work (Configure / Connection Options / Security - Do not use
Secured Sockets Layer (SSL)).

Telnet (ACS) does not require any update at the PC client level. Is
anyone aware of a requirement where a PC client ODBC connect must run
an update for a new SSL cert? I would like to switch the connection
back to SSL.

Thanks.


Joe Sizer
IBM I Power Systems Administrator
Pencor Digital Services
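
A check for the two failure modes described in the follow-up at the top of this thread (a Group Policy push replacing cwbssldf.kdb, and Word/Excel holding cached certificate information), added here as an example and not part of the original posts. The local path is the one given in the message; the reference path `\\fileserver\gpo-source\cwbssldf.kdb` is a placeholder assumption for wherever the Group Policy's copy of the file lives.

```powershell
# Added example: detect whether the local ACS key database has drifted from
# the copy that Group Policy distributes, and list Office processes that may
# still hold cached certificate state.
param(
    # Path quoted in the message above.
    [string]$LocalKdb = 'C:\Users\Public\Documents\IBM\Client Access\cwbssldf.kdb',
    # ASSUMPTION: placeholder for the file the Group Policy pushes.
    [string]$ReferenceKdb = '\\fileserver\gpo-source\cwbssldf.kdb'
)

function Get-KdbInfo {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false; Sha256 = $null; LastWriteTime = $null }
    }
    $item = Get-Item -LiteralPath $Path
    [pscustomobject]@{
        Path          = $Path
        Exists        = $true
        Sha256        = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        LastWriteTime = $item.LastWriteTime
    }
}

$local = Get-KdbInfo -Path $LocalKdb
$ref   = Get-KdbInfo -Path $ReferenceKdb
$local, $ref | Format-Table Path, Exists, LastWriteTime, Sha256 -AutoSize

if (-not $local.Exists -or -not $ref.Exists) {
    Write-Warning 'One of the key database files is missing; cannot compare.'
} elseif ($local.Sha256 -eq $ref.Sha256) {
    Write-Output 'Local key database matches the Group Policy copy.'
} else {
    Write-Warning 'Local key database differs from the Group Policy copy; a local fix will be replaced at the next push unless the policy source is updated.'
}

# Word/Excel instances that were open before the key database changed.
$office = Get-Process -Name WINWORD, EXCEL -ErrorAction SilentlyContinue
if ($office) {
    Write-Warning 'Close these before retrying the ODBC connection:'
    $office | Format-Table Name, Id, StartTime -AutoSize
}
```

A matching hash with a connection that still fails points at the policy's copy itself lacking the trusted certificate, which is the state the thread describes before the Group Policy file was corrected.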