No. The IBM i has multiple TLS/SSL implementations...
https://www.ibm.com/support/knowledgecenter/en/ssw_ibm_i_73/rzain/rzaintls.htm

- ILE Apps --> System SSL/TLS
- Java Apps --> IBMJSSE2 (IBMJSSEProvider2)
- PASE Apps --> OpenSSL

HTTPAPI (LIBHTTP) uses the System SSL/TLS and the DCM.

A Java app on the i can also be configured to use DCM...(but doesn't have to be?)

Do you have the CA showing in your DCM?

Charles


On Mon, Oct 15, 2018 at 9:53 AM Mohammad Tanveer <surgum@xxxxxxxxx> wrote:

JVM hack will not be acceptable to Security Admins. Does it mean that
LIBHTTP APIs are doing something like DisableSSL?

On Mon, Oct 15, 2018 at 10:47 AM Magne Kofoed <magne.kofoed@xxxxxxxxx> wrote:

Hi!

Here is what I got from IBM and Scott Forstie when I asked him how to solve httppostclob and ssl problem.
I tried the "JVM Hack" and it works.

"For SSL to work, the client JVM needs to have a certificate for the
Certificate Authority that issued the certificate on the server.

Here are some notes on SSL and HTTP functions."

§Using https causes SSL to be used

§Relies on SSL support provided by the JVM
§Potential Difficulties

–Certificates

•Must be signed by a trusted certificate authority

–Protocol Version


§Java verifies that certificate provided by the server is valid (signed by trusted authority)

§Browsers will identify this problem.




Solutions.
§Get a server certificate issued by a recognized certificate authority

§Or add the certificate for the issuing authority to the trust store (or the certificate from the server)

–Get certificate – You can get this from some web browsers (see next slide)

–Add it to the trust store of the JVM in use

• keytool -import -trustcacerts -keystore /QOpenSys/QIBM/ProdData/JavaVM/jdk60/32bit/jre/lib/security/cacerts -storepass changeit -noprompt -alias z1235p1 -file /tmp/z1235p1.crt


–Warning: The cacerts file may be overwritten when Java PTFs are applied, so this step may need to be repeated often.

§Use a Java stored procedure to tell the JVM not to do checking


JVM Hack...
§Compile the Java program below and place in /QIBM/UserData/OS400/sqllib/function

§create procedure disableSSL() language java parameter style java external name 'DisableSSL.go'
§Before calling any HTTP functions in the job

–CALL disableSSL()

§Code..

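import javax.net.ssl.*;
import java.security.cert.*;

// Trust manager and hostname verifier that accept everything:
// once go() has run, no HTTPS connection in the JVM is authenticated.
public class DisableSSL implements X509TrustManager, HostnameVerifier {

    public X509Certificate[] getAcceptedIssuers() {
        return new X509Certificate[0];
    }

    // Empty body: never throws, so any client chain is accepted.
    public void checkClientTrusted(java.security.cert.X509Certificate[] certs,
                                   String authType) { }

    // Empty body: never throws, so any server chain is accepted.
    public void checkServerTrusted(java.security.cert.X509Certificate[] certs,
                                   String authType) { }

    // Always true: the host name in the certificate is not compared with the URL.
    public boolean verify(String string, SSLSession ssls) {
        return true;
    }

    // Stored-procedure entry point: installs the above as the JVM-wide defaults
    // for HttpsURLConnection.
    public static void go() throws Exception {
        SSLContext sc = SSLContext.getInstance("TLS");
        sc.init(null, new TrustManager[] { new DisableSSL() },
                new java.security.SecureRandom());
        HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
        HttpsURLConnection.setDefaultHostnameVerifier(new DisableSSL());
    }
}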



On Mon, Oct 15, 2018 at 16:51, Mohammad Tanveer <surgum@xxxxxxxxx> wrote:

When using HTTPPOSTCLOBVERBOSE I am getting certificate errors. When I tried the same URL using LIBHTTP I am not getting any such errors.

Wondering why? Is there anything different I have to do when using HTTPPOSTCLOBVERBOSE?

Message . . . . :   Procedure or user-defined function HTTPPOSTCLOBVERBOSE in SYSTOOLS returned a warning SQLSTATE.

Cause . . . . . :   An SQLSTATE of the form 01xxx was returned by the procedure or user-defined function HTTPPOSTCLOBVERBOSE in SYSTOOLS (with specific name HTTPP00015), along with message text com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
  java.security.cert.CertPathValidatorException: The certificate issued by CN=dm-DC-DIGCERT1-CA, DC=dm, DC=com is not trusted; internal cause is:
  java.security.cert.CertPathValidatorException: Certificate chaining error.


This is how I am executing HTTPPOSTCLOBVerbose?

exec sql
SELECT ifnull(varchar(responseMsg,5000),''),
ifnull(varchar(responseHttpHeader,512),'')
INTO :responseMsg, :responseHdr
FROM table( SYSTOOLS.HTTPPOSTCLOBVerbose(
:gURL,
:gHeader,
:gRequest) ) as InternalServices;
--
This is the RPG programming on the IBM i (AS/400 and iSeries)
(RPG400-L)
mailing list
To post a message email: RPG400-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/rpg400-l
or email: RPG400-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/rpg400-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our affiliate
link: http://amzn.to/2dEadiD
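
A narrower alternative to the DisableSSL procedure quoted in this thread, as an added example that is not part of the original messages or of IBM's notes: it trusts the JVM's default roots plus one internal CA file, leaves hostname verification on, and never writes to cacerts, so a Java PTF cannot undo it. The class name TrustPrivateCA, the procedure name trustPrivateCA and the caFile parameter are hypothetical; it assumes the SYSTOOLS HTTP functions honour the HttpsURLConnection default socket factory, which is the same hook DisableSSL sets.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import javax.net.ssl.*;

// Added example (hypothetical names). Registered like DisableSSL, e.g.:
//   create procedure trustPrivateCA(in caFile varchar(256)) language java
//     parameter style java external name 'TrustPrivateCA.go'
public class TrustPrivateCA {
    // Trust anchors = the JVM's default roots plus every certificate in caFile (PEM or DER).
    static TrustManager[] trustManagersFor(String caFile) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);                 // empty in-memory store; cacerts is not modified
        int n = 0;
        // Copy the roots the JVM already trusts, so public sites keep working.
        TrustManagerFactory dflt =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        dflt.init((KeyStore) null);
        for (TrustManager tm : dflt.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                for (X509Certificate c : ((X509TrustManager) tm).getAcceptedIssuers()) {
                    ks.setCertificateEntry("default-" + n++, c);
                }
            }
        }
        // Add the internal CA certificate(s) exported to the IFS.
        InputStream in = new FileInputStream(caFile);
        try {
            for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in)) {
                ks.setCertificateEntry("private-" + n++, c);
            }
        } finally {
            in.close();
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        return tmf.getTrustManagers();
    }

    // Call once per job before the HTTP functions, in place of disableSSL().
    public static void go(String caFile) throws Exception {
        SSLContext sc = SSLContext.getInstance("TLS");
        sc.init(null, trustManagersFor(caFile), null);
        HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
        // The default HostnameVerifier is untouched: chain and host name are both still checked.
    }
}
```

With this in place a server certificate that does not chain to the supplied CA, or whose name does not match the URL, still fails with the PKIX error shown in the original question.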

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
