1.  Home
  2. MIDRANGE-L
  3. November 2025

Re: Using TLS1.2 with IBMi custom agent software

Note that if you do have some custom protocol in use, you could still
download HTTPAPI and use the source as a guide for how to implement SSL/TLS.

Possibly you could refactor your client to use the routines in the
COMMSSLR4/COMMTCPR4 members directly.

Charles

On Wed, Nov 26, 2025 at 2:23 PM Charles Wilt <charles.wilt@xxxxxxxxx> wrote:

I would assume that since your client is using sockets directly...it's
using some custom protocol..

If that's the case, then HTTPAPI or GETURI aren't really an option unless
the server is re-writen to use standard HTTP as a protocol.

On the other hand, it's possible that the client/server is actually using
HTTP, if that case you could simply re-write the client to use HTTPAPI or
GETURL.
Would be a bit strange for this to be the case, as HTTPAPI or GETURI would
have made this much easier from the get go.
Unless the client/server app pre-dates those two tool sets.

HTH,
Charles




On Wed, Nov 26, 2025 at 2:07 PM <smith5646midrange@xxxxxxxxx> wrote:

By rewriting the server, I meant if they wanted to change the IBMi client
to do HTTPAPI or GETURI. I assumed that I couldn't use HTTPAPI or GETURI
on the IBMi client while the server is still trying to communicate the
current way...or was that a bad assumption?

-----Original Message-----
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of
Brad Stone
Sent: Wednesday, November 26, 2025 2:35 PM
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxxxxxxxx>
Subject: Re: Using TLS1.2 with IBMi custom agent software

No, the server has nothing to do with the client on your IBM i. You said
the server runs on a Windows system. They would have their own changes to
make if they don't already allow SSL/TLS.

Yes, those are the basic socket APIs in your client application. There's
a whole other set and some other functions to use GSKit for TLS.

https://www.ibm.com/docs/en/i/7.4.0?topic=sockets-global-security-kit-gskit-apis

You can also go deeper with the GSKit APIs and catch and ignore errors if
the CA that signs the server's certificate if it's not in the *SYSTEM store
on the IBM i (which is built into GETURI and I think HTTPAPI as well).

On Wed, Nov 26, 2025 at 1:13 PM <smith5646midrange@xxxxxxxxx> wrote:

To rewrite the client to use HTTPAPI or GETURI, I'm assuming they
would need to rewrite the server (is that a valid assumption?) which
I'm sure they will not do because it communicates with other clients
that would also have to be rewritten.

The current logic is using procedures like

opnskt pr 10i 0 extproc('socket')
bind pr 10i 0 extproc('bind')
connect pr 10i 0 extproc('connect')
listen pr 10i 0 extproc('listen')
accept pr 10i 0 extproc('accept')
send pr 10i 0 extproc('send')

Since it is currently using the above procedures, is changing it to
use
TLS1.2 via the IBMi APIs going to be really painful and time consuming
(and thus expensive) and I should try to talk them out of it?

-----Original Message-----
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of
Brad Stone
Sent: Wednesday, November 26, 2025 1:28 PM
To: Midrange Systems Technical Discussion
<midrange-l@xxxxxxxxxxxxxxxxxx>
Subject: Re: Using TLS1.2 with IBMi custom agent software

Yes. Your client application needs to use socket APIs for any
communication. It does already, correct? If not, how is it
communicating? HTTPAPI? GETURI? SQL? Something else?

If SSL is required, then you need to use the SSL versions of those
socket APIs instead of the basic ones... and yes, the GSKit APIs..
IBM has basically said they aren't updating the older SSL APIs any more.

It would probably be easier to rewrite the client app to use HTTPAPI
or GETURI as it's a little complicated.

On Wed, Nov 26, 2025 at 12:20 PM <smith5646midrange@xxxxxxxxx> wrote:

They are currently not using any encryption at all. It is clear
text only. They want to add TLS1.2 encryption.

You said "The SSL APIs used in the agent should handle all that".
Since there are currently no SSL APIs in the program, it sounds like
the piece that I have been missing in my search is that I need to
add some SSL API logic to the program. Is that a correct deduction?

I never thought about the TLS logic being API stuff (duh).
Searching for "IBMi TLS API", I see stuff about GSKit. Is that the
direction that I need to go for TLS1.2?


-----Original Message-----
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> On Behalf
Of Brad Stone
Sent: Wednesday, November 26, 2025 12:59 PM
To: Midrange Systems Technical Discussion
<midrange-l@xxxxxxxxxxxxxxxxxx>
Subject: Re: Using TLS1.2 with IBMi custom agent software

So you're not using TLS if there's no encryption. If you're saying
they are wanting to use TLS, my answer still stands.

On Wed, Nov 26, 2025 at 11:17 AM <smith5646midrange@xxxxxxxxx> wrote:

Wow, I missed a key piece of info in that. Currently there is no
encryption. They are talking clear text.

-----Original Message-----
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> On Behalf
Of Brad Stone
Sent: Wednesday, November 26, 2025 12:15 PM
To: Midrange Systems Technical Discussion
<midrange-l@xxxxxxxxxxxxxxxxxx>
Subject: Re: Using TLS1.2 with IBMi custom agent software

The SSL APIs used in the agent should handle all that. If you
have TLS set up properly and your QSSL* system values set up right
and are on V7R3 or above, the only thing you may need to do is
import the CA chain used by the certificate on the server.

On Wed, Nov 26, 2025 at 11:10 AM <smith5646midrange@xxxxxxxxx>
wrote:

I have a client that has a custom server / agent software package.
The server runs on windows. The agent runs on the IBMi and some
other platforms. They want to add TLS1.2 protocol to the
communication and I have to do the IBMi side. I'm apparently
not googling with the right keywords because I'm not finding any
details on how to implement it. Are there code changes that
need to be made? It is just a different port and the encryption
/ decryption
automatically happens?
I'm lost. Can someone point me in the right direction for what
changes have to be made to the IBMi agent for TLS1.2? I'll take
web links, keywords for google searches, of anything else that
get me heading in the right direction. I am open to doing a
teams meeting if that would be easier. Just send me an offline
request with times that you are available.



Thanks in advance.

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L)
mailing list To post a message email:
MIDRANGE-L@xxxxxxxxxxxxxxxxxx To subscribe, unsubscribe, or
change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives at
https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription
related questions.


--
This is the Midrange Systems Technical Discussion (MIDRANGE-L)
mailing list To post a message email:
MIDRANGE-L@xxxxxxxxxxxxxxxxxx To subscribe, unsubscribe, or change
list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives at
https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription
related questions.


--
This is the Midrange Systems Technical Discussion (MIDRANGE-L)
mailing list To post a message email:
MIDRANGE-L@xxxxxxxxxxxxxxxxxx To subscribe, unsubscribe, or change
list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives at
https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription
related questions.


--
This is the Midrange Systems Technical Discussion (MIDRANGE-L)
mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives at
https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription
related questions.


--
This is the Midrange Systems Technical Discussion (MIDRANGE-L)
mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives at
https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription
related questions.


--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx To
subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives at
https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription
related questions.


--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx To
subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives at
https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription
related questions.


--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx To
subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives at
https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription related
questions.


--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription related
questions.



As an Amazon Associate we earn from qualifying purchases.

This thread ...
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2025 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.