× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. RPG400-L
  3. September 2018

Re: HTTPAPI & revoked SSL cert

On Tue, Sep 18, 2018 at 5:24 PM Justin Taylor <JUSTIN@xxxxxxxxxxxxx> wrote:

HTTPAPIR4 is a service program that runs in a job. In my case, that's a
CGI job associated with an Apache server and running in QHTTPSVR. When you
bounce the Apache server, all of the CGI jobs running in QHTTPSVR are
ended. When the Apache server comes back up, it will get new jobs that
will have clean state.

The app flow goes roughly like this:
MYCGIPGM -> MYSRVPGM -> HTTPAPI -> Internet

My speculation is that the remote vendor is doing something like swapping
a cert, and my CGI job still has something in memory that's referencing the
old cert.


Ok, have you contacted the vendor to ask? Have you looked at the cert to
see when it was issued and if it is new?

I don't think your vendor is constantly switching SSL certificates unless
they're having issues on their end. Normally you just renew it and install
a new one.

And, if you are on V7R1 or earlier, and they're using a cert with a cipher
that isn't supported, again, you will have issues.

Now, here's an interesting theory... I've written a lot of apps that make
requests to Microsoft Web Services. When they updated their SSL
certificate, it took a few days for that change to propogate to all their
servers on their farm. So randomly you'd get one server with an old SSL
cert, or a new one with a new cert. In other words, you'd chase your tail
unless you had strict SSL turned off and it didn't care about the new or
old CAs in use.

If your vendor has a server farm, this could very well be the case. But
it's almost impossible to prove without a lot of legwork.

Here's an interesting detail of that account:
https://www.fieldexit.com/forum/display?threadid=392


-----Original Message-----
From: Bradley Stone [mailto:bvstone@xxxxxxxxx]
Sent: Tuesday, September 18, 2018 2:37 PM
To: RPG programming on the IBM i / System i <rpg400-l@xxxxxxxxxxxx>
Subject: Re: HTTPAPI & revoked SSL cert

.



On Tue, Sep 18, 2018 at 12:13 PM Justin Taylor <JUSTIN@xxxxxxxxxxxxx>
wrote:

I'm sure that bouncing Apache helps by ending all the existing server
jobs. My current theory is that there's something in state, and the
remote service changes something which makes my state invalid.


No, HTTPAPI is a client. Not tied to Apache Web server in any way. Scott
can clarify, but if it's anything like GETURI, the only thing in common
would be they use DCM. And bouncing it shouldn't do anything for the
client side of things



"Most likely the endpoint server updated their SSL certificate, or it
expired." I'm pretty much convinced this is the issue. I submit
hundreds of requests a day, generally without incident. Yesterday,
everything was fine until right at 9am. We caught the problem in just
a few minutes, bounced Apache and everything was back to normal.


Is the process tied to an Apache server job? In other words, you get a
request in to one of your Apache servers, and then use HTTPAPI in the
process to make requests to another server?

If so, the problem isn't with HTTPAPI, most likely more with your Apache
server.

If the CA or Cert was expired, it would always fail. It would also be
pretty simple to verify if that was the issue.



Right now, I'm working on a method to auto-recover.


Unless there's something left out of the picture here, I'll reiterate that
the Apache server shouldn't have anything to do with HTTPAPI.

--
This is the RPG programming on the IBM i (AS/400 and iSeries) (RPG400-L)
mailing list
To post a message email: RPG400-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/rpg400-l
or email: RPG400-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/rpg400-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our affiliate
link: http://amzn.to/2dEadiD



Bradley V. Stone
www.bvstools.com
MAILTOOL Benefit #5 <https://www.bvstools.com/mailtool.html>: Easy setup!
No confusing or obscure setup instructions, directory entries, SMTP users,
aliases or host tables. All you need is TCPIP, a connection to the internet
and you're done!

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.