Yes, CA shows in DCM. HTTPPOSTCLOBVERBOSE: any idea which SSL
implementation it's using?
On Mon, Oct 15, 2018 at 5:17 PM Charles Wilt <charles.wilt@xxxxxxxxx>
wrote:
No. The IBM i has multiple TLS/SSL implementations...
https://www.ibm.com/support/knowledgecenter/en/ssw_ibm_i_73/rzain/rzaintls.htm
- ILE Apps --> System SSL/TLS
- Java Apps --> IBMJSSE2 (IBMJSSEProvider2)
- PASE Apps --> OpenSSL
HTTPAPI (LIBHTTP) uses the System SSL/TLS and the DCM.
A java app on the i can also be configured to use DCM...(but doesn't have
to be?)
Do you have the CA showing in your DCM?
Charles
On Mon, Oct 15, 2018 at 9:53 AM Mohammad Tanveer <surgum@xxxxxxxxx>
wrote:
JVM hack will not be acceptable to Security Admins. Does it mean that
LIBHTTP APIs are doing something like DisableSSL?
On Mon, Oct 15, 2018 at 10:47 AM Magne Kofoed <magne.kofoed@xxxxxxxxx>
wrote:
Hi!
Here is what I got from IBM and Scott Forstie when I asked him how to solve
httppostclob and ssl problem.
I tried the "JVM Hack" and it works.
"For SSL to work, the client JVM needs to have a certificate for the
Certificate Authority that issued the certificate on the server.
Here are some notes on SSL and HTTP functions."
§Using https causes SSL to be used
§Relies on SSL support provided by the JVM
§Potential Difficulties
–Certificates
•Must be signed by a trusted certificate authority
–Protocol Version
§Java verifies that certificate provided by the server is valid (signed by
trusted authority)
§Browsers will identify this problem.
Solutions.
§Get a server certificate issued by a recognized certificate authority
§Or add the certificate for the issuing authority to the trust store (or
the certificate from the server)
–Get certificate – You can get this from some web browsers (see next slide)
–Add it to the trust store of the JVM in use
• keytool -import -trustcacerts -keystore
/QOpenSys/QIBM/ProdData/JavaVM/jdk60/32bit/jre/lib/security/cacerts
-storepass changeit -noprompt -alias z1235p1 -file /tmp/z1235p1.crt
–Warning: The cacerts file may be overwritten when Java ptfs are applied,
so this step may need to be repeated often.
§Use a Java stored procedure to tell the JVM not to do checking
JVM Hack...
§Compile the Java program below and place in
/QIBM/UserData/OS400/sqllib/function
§create procedure disableSSL() language java parameter style java external
name 'DisableSSL.go'
§Before calling any HTTP functions in the job
–CALL disableSSL()
§Code..
import javax.net.ssl.*;
import java.security.cert.*;

// Trust manager and hostname verifier that accept everything.
public class DisableSSL implements X509TrustManager, HostnameVerifier {
    public X509Certificate[] getAcceptedIssuers() {
        return new X509Certificate[0]; }
    // Empty body: no server certificate chain is ever rejected.
    public void checkServerTrusted(java.security.cert.X509Certificate[] certs,
            String authType) { }
    // Empty body: no client certificate chain is ever rejected.
    public void checkClientTrusted(java.security.cert.X509Certificate[] certs,
            String authType) { }
    // Always true: the host name is never compared with the certificate.
    public boolean verify(String string, SSLSession ssls) {
        return true;
    }
    // Entry point of the stored procedure; replaces the JVM-wide defaults
    // used by every later HttpsURLConnection in the job.
    public static void go() throws Exception {
        SSLContext sc = SSLContext.getInstance("TLS");
        sc.init(null, new TrustManager[] { new DisableSSL() },
                new java.security.SecureRandom());
        HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
        HttpsURLConnection.setDefaultHostnameVerifier(new DisableSSL());
    }
}
On Mon, Oct 15, 2018 at 16:51, Mohammad Tanveer <surgum@xxxxxxxxx> wrote:
When using HTTPPOSTCLOBVERBOSE I am getting certificate errors when I tried
the same url using LIBHTTP I am not getting any such errors.
Wondering why? Is there anything different I have to do when using
HTTPPOSTCLOBVERBOSE
Message . . . . : Procedure or user-defined function HTTPPOSTCLOBVERBOSE
in SYSTOOLS returned a warning SQLSTATE.
Cause . . . . . : An SQLSTATE of the form 01xxx was returned by
procedure or user-defined function HTTPPOSTCLOBVERBOSE in SYSTOOLS (with
specific name HTTPP00015), along with message text
com.ibm.jsse2.util.h: PKIX path building failed:
java.security.cert.CertPathBuilderException:
PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause
is: java.security.cert.CertPathValidatorException: The certificate issued
by CN=dm-DC-DIGCERT1-CA, DC=dm, DC=com is not trusted; internal
cause is: java.security.cert.CertPathValidatorException: Certificate
chaining error.
This is how I am executing HTTPPOSTCLOBVerbose?
exec sql
SELECT ifnull(varchar(responseMsg,5000),''),
ifnull(varchar(responseHttpHeader,512),'')
INTO :responseMsg, :responseHdr
FROM table( SYSTOOLS.HTTPPOSTCLOBVerbose(
:gURL,
:gHeader,
:gRequest) ) as InternalServices;
--
This is the RPG programming on the IBM i (AS/400 and iSeries) (RPG400-L)
mailing list
To post a message email: RPG400-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/rpg400-l
or email: RPG400-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/rpg400-l.
Please contact support@xxxxxxxxxxxx for any subscription related
questions.
Help support midrange.com by shopping at amazon.com with our affiliate
link: http://amzn.to/2dEadiD
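
Added example (not part of the thread and not IBM's code): a validating counterpart to the DisableSSL procedure quoted above, which trusts the issuing CA for the job's JVM without editing cacerts and without touching hostname verification. It assumes, as the quoted hack implies, that the SYSTOOLS HTTP functions use HttpsURLConnection's default socket factory; the class name TrustIssuingCA, the go(String) entry point and the CA file argument are hypothetical.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;
// Added example: trust one extra issuing CA instead of disabling validation.
// Class name, method name and the caFile argument are hypothetical.
public class TrustIssuingCA {
    public static void go(String caFile) throws Exception {
        // Parse the CA certificate exported from the server's chain (PEM or DER).
        X509Certificate ca;
        InputStream in = new FileInputStream(caFile);
        try {
            ca = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        } finally {
            in.close();
        }
        ca.checkValidity();                       // reject expired / not-yet-valid
        if (ca.getBasicConstraints() < 0) {       // -1 means "not a CA certificate"
            throw new IllegalArgumentException(caFile + " is not a CA certificate");
        }

        // Copy the JVM's default trust anchors into an in-memory store, so the
        // shipped cacerts file is never modified and a PTF cannot undo the change.
        TrustManagerFactory defaults =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        defaults.init((KeyStore) null);
        KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
        store.load(null, null);
        int n = 0;
        for (TrustManager tm : defaults.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                for (X509Certificate c : ((X509TrustManager) tm).getAcceptedIssuers()) {
                    store.setCertificateEntry("default-" + n++, c);
                }
            }
        }
        store.setCertificateEntry("issuing-ca", ca);

        // Install a validating socket factory; the default HostnameVerifier stays.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(store);
        SSLContext sc = SSLContext.getInstance("TLS");
        sc.init(null, tmf.getTrustManagers(), new java.security.SecureRandom());
        HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
    }
}
```

With this in place a chain issued by the added CA validates normally, while an untrusted issuer or a host name mismatch still fails the handshake.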