I am consuming a webservice on a Linux server fine using port 8080, but when I switch to port 8443 I only get 7 bytes back from the server.
Someone suggested I needed some certificate installed, but seems to have no knowledge beyond that.
Has anyone had this issue and if so how did you solve it?
Thanks in advance,
Danny
Port 8443 is typically an https port, and so depending on the certificate it uses, you will need to be sure that the CA and intermediate CA's are installed. While the IBM i has several common ones, today with everyone going to SHA256 instead of SHA128, etc., there could be some additional certificates required.
So assuming that this port is "https", then you will need to know if it is SSL V3.0 or TLS 1.0, TLS 1.1 or TLS 1.2 (you really only want to connect with TLS 1.x, preferably 1.2). In V7R1, TLS 1.2 is done via TR6 (technology refresh 6). You will need to go into system values and maybe add that as how you want to connect.
Next you will need to find out the "maker" of the remote certificate and then go to that company's website and see what root/intermediate CA's are there. You will need to go into DCM (xx.xx.xx.xxx:2001, where xx.xx.xx.xxx is the IP of your IBM i). In the Digital Certificate Manager, you will need to see what is in the system store for CA's, and if the ones you have aren't there, you will need to import the text file that you got from the website.
For a bit more information, you can go to: http://docs.bvstools.com/home/ssl-documentation
as Brad Stone has some pretty good documentation on such. Now what I don't know is if iSockets will do SSL. What you might do is go download GETURI from www.bvstools.com and give it a try, to see if you can do the webservice with it; if you can, and you can't with iSockets, then it MIGHT have something to do with iSockets and handling "SSL". I think GETURI is like 78 cents a day. Plus if you can't do it with GETURI, then either you don't have something right, etc., because GETURI will handle SSL, etc.
For example, my credit card provider recently changed to an Entrust "ssl" certificate, and I had to download some new CA (certificate authority) intermediate and root certificates. I had to do the same when I renewed my certificate on a website (Symantec) in order to do webservices.
Hope this helps.
chris
One other comment: if you are on an old release of i5/OS (i.e. prior to 7.1), and the server on the other end is only doing, like, TLS 1.2, well, you might be out of luck.
SSL 3.0 was deprecated last year due to POODLE, and many folks are only doing TLS 1.2. If you are on 7.1 or 7.2 you need to check your PTF and technology refresh levels to be sure that you have TLS 1.2.
chris
Bob can probably answer if iSockets does "https/SSL". I thought I read once that it did not, but I could be confusing that with another product, and so I don't want to say it won't do such. Does the documentation indicate anything about https?
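Danny's 7-byte reply is exactly the size of a TLS alert record, which is what a server sends when it refuses the handshake for one of the reasons Chris lists (offered protocol version, no cipher in common, a client certificate it does not trust). The decoder below is an added example, not code from iSockets, GETURI or this thread; it names the alert in such a reply and the check it points to, and the sample bytes are constructed.

```python
import struct

# Alert codes from RFC 5246 section 7.2; SSL 3.0 through TLS 1.3 share the
# same 2-byte alert layout, so this covers every version discussed above.
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_NAMES = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 45: "certificate_expired",
    46: "certificate_unknown", 47: "illegal_parameter", 48: "unknown_ca",
    49: "access_denied", 50: "decode_error", 51: "decrypt_error",
    70: "protocol_version", 71: "insufficient_security", 80: "internal_error",
}
RECORD_VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0",
                   0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
# What the server is usually telling a client that gets only this record back.
# A missing root/intermediate CA on the client (the IBM i) is deliberately not
# here: that check runs locally after the server's certificate arrives, so it
# surfaces as the client's own error, not as a 7-byte reply from the server.
HINTS = {
    "protocol_version": "server rejects the offered SSL/TLS version; check the "
                        "client's TLS level (QSSLPCL, and TR/PTF level on 7.1)",
    "handshake_failure": "no protocol version or cipher suite in common; "
                         "same TLS-level check as protocol_version",
    "unknown_ca": "server does not trust the CA that issued the certificate "
                  "the client presented (client authentication)",
    "decode_error": "server could not parse what the client sent; one cause "
                    "is plaintext HTTP written to a TLS port",
}

def decode_tls_alert(data: bytes) -> dict:
    """Decode one 7-byte TLS alert record, or raise ValueError."""
    if len(data) != 7:
        raise ValueError(f"expected 7 bytes, got {len(data)}")
    ctype, version, length = struct.unpack("!BHH", data[:5])
    if ctype != 0x15 or length != 2:  # 0x15 is the 'alert' content type
        raise ValueError("not a TLS alert record")
    level, code = data[5], data[6]
    name = ALERT_NAMES.get(code, f"unknown_alert_{code}")
    return {"version": RECORD_VERSIONS.get(version, f"0x{version:04x}"),
            "level": ALERT_LEVELS.get(level, f"level_{level}"),
            "alert": name, "hint": HINTS.get(name, "see RFC 5246 section 7.2")}

def explain(data: bytes) -> str:
    """One-line diagnosis for a short reply, whether or not it is a TLS alert."""
    try:
        a = decode_tls_alert(data)
    except ValueError as err:
        return f"not a TLS alert ({err}); check that the client starts TLS on that port"
    return f"{a['level']} {a['alert']} ({a['version']}): {a['hint']}"

if __name__ == "__main__":  # constructed sample: fatal protocol_version, TLS 1.2
    print(explain(bytes.fromhex("15030300020246")))
```

Feed it the raw 7 bytes the socket returned (hex-dump them from the iSockets receive buffer); anything whose first byte is not 0x15 is not a TLS alert, and the port is probably being spoken to in plaintext.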
Chris,
Thanks so much, Bob said he thought he put in the SSL handling, but was not certain. Our issue seems to be installing the certificate, and possibly the extraction from the web service server, which is a Linux box. We did have a Linux engineer pull the certificate off, but maybe there is some special technique for doing this for the iSeries?
Have you done the cert install yourself? The server is inside our own firewall, so not sure why SSL is even a requirement, but I try to do what they ask for.
I do appreciate your knowledge sharing.
Danny
(813) 901-2150 X 133154
You don't pull off anything from the Linux server. You need to know what "brand" of certificate they have and maybe a few other bits about it, but you don't need that certificate.
Then you go to that provider of certificates and look for root and intermediate CA's. Say for example, the certificate they have is a GEOTRUST RAPIDSSL. You would google that for root/intermediate CA's and you will land with a page like: https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&id=AR1548
Then if it is a SHA-1 or 2, you would download the appropriate ones (if in doubt download "all" of them), and then you would go install such onto the ibm i.
To do that install, you get what you downloaded onto the IFS (easiest way is to create a folder in the IFS, share it and then map it at your PC, and drag/drop the file(s) in).
Then you need to go into DCM. To do that you put in your IBM i's IP address colon 2001, like 192.168.1.10:2001, and you log in, and you click on the middle/right to work with IBM i tasks, and then you will see Digital Certificate Manager. You might have to use http (and previously, when you asked for :2001, it might have said it wasn't a trusted site since it is a self-signed certificate).
Select your certificate store (upper left) and select system and log in there, then select manage certificates and view your certificates and select certificate authorities, and you can see what you have installed.
This is pretty much laid out in the reference I made above over at bvstools. Like I said, you aren't really taking anything from the linux server, except to find out the "maker" of the certificate and its "brand name" which might mean like in case of geotrust there is rapidssl, geotrust essential, etc. and if it is sha-1 or sha-2. If you can't find out about the sha-1 or -2, get the root authorities and intermediates for both and put them on.
To import a CA instead of viewing, you do the import and when you name it, put down what it is like GEOTRUST RAPIDSSL SHA-1 INTERMEDIATE. This will help later on if you have to see if you have it or not.
I have put on several CA's and have also put on a certificate for outside use which is similar but different.
Also if you think you have the stuff in place and it doesn't work, simply download geturi and you can try it from the greenscreen to hit it and if you can't, then you have other issues. If you can and you can't with isockets, that too will be helpful for you to know.
The other thing may be what level of SSL they connect with or what they will allow. That is, they may only allow TLS 1.2 or maybe TLS 1.x. And that can come into play.
Like I said, you aren't extracting anything off the linux box, that won't help you, you need to be sure you have the correct CA's root/intermediate. You see today most certificates build on a trust level which happens through an intermediate or two and a root.
chris
Chris,
Looking at the Cert the Linux team provided:
So I guess we are the provider, in that case how would I get the root and intermediate CA's?
I really appreciate you sharing your knowledge.
Danny
So what you are saying is it is a self-signed certificate. I am not sure, but I would assume that the software that did the self signing should offer a root that can be installed. Honestly, for the $12 to $15 for a cheap SSL certificate like RapidSSL, I would never go with a self-signed one for reasons like this.
So I can't be of any help. Here is an article on self signed and it talks about generating the root CA, etc. So maybe this might help. good luck.
http://datacenteroverlords.com/2012/03/01/creating-your-own-ssl-certificate-authority/
chris
Turns out I did add SSL support to iSockets.
The big challenge most people have is setting up the CA's.
Brad has a good step-by-step on his site, here.
IBM also added a System Value in v7.1 to setup TLS.
The system value in question is QSSLPCL which defaults to *OPSYS and that should be fine. But check it out on your system. WRKSYSVAL QSSL*
Since this thread started, I've been working with IBM's HTTP Services for SQL. If you're an SQL user, you can use the HTTPxxxxClobVerbose() UDTFs, such as HTTPPOSTClobVerbose(), to do the HTTP/HTTPS connection. It does all the SOCKETS and SSL stuff for you under the covers, similar to iSockets, HTTPAPI, and GetURI.
I'm going to do a tutorial on it when I get back into the country, but for now here are the links.