Re: SSL Certificate error when accessing API from IBM i

[Charles Wilt <charles.wilt@xxxxxxxxx>]

There's at least 3 separate TLS implementations on the IBM i...
Each with its own keystore.
https://www.ibm.com/docs/en/i/7.4?topic=security-tls-implementations


   - System TLS
   <https://www.ibm.com/docs/en/ssw_ibm_i_74/rzain/rzainsystemssl.htm>

   ILE applications use System TLS. Certificate management is performed
   with the Digital Certificate Manager (DCM) and the certificate store
   type is Certificate Management Services (CMS) with a file extension of
   *.KDB. Java applications can use System TLS, however it is not typical.
   The most obscure case, would be a Java application that uses System
TLS while
   also using a Java Keystore.
   - IBMJSSE2 (IBMJSSEProvider2)

   This Java Secure Socket Extension (JSSE) provider contains a pure Java
   implementation of the TLS protocols and is available on multiple
   platforms. This implementation is known as the
   com.ibm.jsse2.IBMJSSEProvider2 in the java.security provider list. Most
   Java applications on the system use this JSSE since it is the default
   provider for all JDK versions. The certificates are typically found in a
   Java keystore file (JKS) and are managed by using the Java keytool command
   or IBM Key Management (iKeyman) utility.

   OpenSSL
   -

   OpenSSL is an Open Source toolkit that implements TLS protocols and a
   full-strength general-purpose cryptography library. It is only available in
   the IBM Portable Application Solutions Environment for i (PASE for i).
   The certificates are typically found in PEM files and are managed with
   OpenSSL commands.

HTH,
Charles

On Wed, Feb 5, 2025 at 3:39 PM Nick Stoltzfus via WEB400 <
web400@xxxxxxxxxxxxxxxxxx> wrote:

>  Importing the certificate into the Java keystore resolved the issue.  I
> supppose that means the application that was making the connection to the
> API is using the keystore rather than the DCM.
> This is the Qshell command we used.keytool -import -file
> /QIBM/UserData/ICSS/Cert/Upload/2025.cer -alias CertAuth -keystore
>
> /QOpenSys/QIBM/ProdData/JavaVM/jdk80/64bit/jre/lib/security/cacerts
> -storepass changeit -noprompt
> Thanks so much for your help, Alan!
>     On Tuesday, February 4, 2025 at 11:41:31 PM EST, Alan Seiden <
> alan@xxxxxxxxxxxxxxx> wrote:
>
>  Nick,
> The external API may have changed its Certificate Authority (CA) to one
> that your DCM or Java store doesn’t contain. For example, by default, the
> IBM i does not include CA certificates from LetsEncrypt. If so, this
> tutorial explains how to find out:
> https://docs.bvstools.com/home/ssl-documentation/exporting-certificate-authorities-cas-from-a-websiteand
> how to import into DCM:
> https://docs.bvstools.com/home/ssl-documentation/importing-a-certificate-authority-ca-newand
> into a Java keystore.
> https://www.ibm.com/support/pages/configuring-ibm-i-java-client-applications-tlshttps-secure-communications
> Let us know if this helps.
>
> Alan Seidenhttps://www.seidengroup.com
>
>
> On Feb 4, 2025, at 3:54 PM, Nick Stoltzfus via WEB400 <
> web400@xxxxxxxxxxxxxxxxxx> wrote:
> We're getting the error below when we try to connect to an external API
> from the IBM i.  We were previously able to connect to it without error and
> without downloading anything to the IBM i or installing anything with DCM.
> The API provider created a new certificate and now we get this.  Does
> anybody have any idea what can be done to resolve it?
> com.pjx.cfo.multicast.MulticastException:
> javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.ValidatorException:
> PKIX path building failed:
> com.ibm.security.cert.IBMCertPathBuilderException: unable to find valid
> certification path to requested target at
> com.pjx.xaf.multicast.handler.HttpHandler.sendMessageProtected(HttpHandler.java:158)
> at
> com.pjx.xaf.multicast.handler.AbstractHandler.sendMessage(AbstractHandler.java:168)
> at
> com.pjx.slo.SLOServerProcessor.resendMessage(SLOServerProcessor.java:388)
> at
> com.pjx.slo.SLOServerProcessor.processMessage(SLOServerProcessor.java:217)
> at
> com.pjx.slo.SLOServerProcessor.processMessages(SLOServerProcessor.java:163)
> at com.pjx.slo.SLOServerProcessor.run(SLOServerProcessor.java:105) at
> java.lang.Thread.run(Thread.java:825)
> Thanks,
> Nick
> --
> This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400) mailing
> list
> To post a message email: WEB400@xxxxxxxxxxxxxxxxxx
> To subscribe, unsubscribe, or change list options,
> visit: https://lists.midrange.com/mailman/listinfo/web400
> or email: WEB400-request@xxxxxxxxxxxxxxxxxx
> Before posting, please take a moment to review the archives
> at https://archive.midrange.com/web400.
>
>
>
>
> --
> This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400) mailing
> list
> To post a message email: WEB400@xxxxxxxxxxxxxxxxxx
> To subscribe, unsubscribe, or change list options,
> visit: https://lists.midrange.com/mailman/listinfo/web400
> or email: WEB400-request@xxxxxxxxxxxxxxxxxx
> Before posting, please take a moment to review the archives
> at https://archive.midrange.com/web400.