Midrange News for the IBM i Community


Posted by: Danny Hayes
iSockets & port 8443
Published: 10 Feb 2016
Revised: 11 Mar 2016 - 560 days ago




COMMENTS

Posted by: clbirk
Premium member *
Comment on: iSockets & port 8443
Posted: 1 years 7 months 12 days 12 hours 53 minutes ago

Port 8443 is typically an https port, and so, depending on the certificate it uses, you will need to be sure that the CA and intermediate CAs are installed. While the IBM i has several common ones, today with everyone going to SHA256 instead of SHA128, etc., there could be some additional certificates required.

So assuming that this port is "https", then you will need to know if it is SSL V3.0 or TLS 1.0, TLS 1.1 or TLS 1.2 (you really only want to connect with TLS 1.x, preferably 1.2). In V7R1, TLS 1.2 is done via TR6 (technology refresh 6). You will need to go into system values and maybe set that as how you want to connect.

Next you will need to find out the "maker" of the remote certificate and then go to that company's website and see what root/intermediate CAs are there. You will need to go into DCM (xx.xx.xx.xxx:2001, where xx.xx is the IP of your IBM i). In the Digital Certificate Manager, you will need to see what is in the system store for CAs, and if the ones you have aren't there, you will need to import the text file that you got from the website.

For a bit more information, you can go to: http://docs.bvstools.com/home/ssl-documentation

as Brad Stone has some pretty good documentation on this. Now, what I don't know is if iSockets will do SSL. What you might do is download GETURI from www.bvstools.com and give it a try; if you can do the web service with it and you can't with iSockets, then it MIGHT have something to do with iSockets and handling "SSL". I think GETURI is like 78 cents a day. Plus, if you can't do it with GETURI, then either you don't have something right, etc., because GETURI will handle SSL, etc.

For example, my credit card provider recently changed to an Entrust "SSL" certificate, and I had to download some new CA (certificate authority) intermediate and root certificates. Had to do the same when I renewed my certificate on a website (Symantec) in order to do web services.

Hope this helps.

chris

Posted by: clbirk
Premium member *
Comment on: iSockets & port 8443
Posted: 1 years 7 months 12 days 12 hours 51 minutes ago

One other comment: if you are on an old release of i5/OS (i.e. prior to 7.1), and the server on the other end is only doing, like, TLS 1.2, well, you might be out of luck.

SSL 3.0 was deprecated last year due to POODLE and many folks are only doing TLS 1.2. If you are on 7.1 or 7.2 you need to check your PTF and technology refresh levels to be sure that you have TLS 1.2.

chris

Posted by: clbirk
Premium member *
Comment on: iSockets & port 8443
Posted: 1 years 7 months 12 days 12 hours 42 minutes ago

Bob can probably answer if iSockets does "https/SSL". I thought I read once that it did not, but I could be confusing that with another product, and so I don't want to say it won't do such. Does the documentation indicate anything about https?

Posted by: DannyFromOP
Premium member *
Comment on: iSockets & port 8443
Posted: 1 years 7 months 10 days 17 hours 10 minutes ago

Chris,

Thanks so much, Bob said he thought he put in the SSL handling, but was not certain.  Our issue seems to be installing the certificate, and possibly the extraction from the web service server, which is a Linux box.  We did have a Linux engineer pull the certificate off, but maybe there is some special technique for doing this for the iSeries?

Have you done the cert install yourself?  The server is inside our own firewall, so not sure why SSL is even a requirement, but I try to do what they ask for.

I do appreciate your knowledge sharing.


Danny

(813) 901-2150 X 133154

Posted by: clbirk
Premium member *
Comment on: iSockets & port 8443
Posted: 1 years 7 months 10 days 13 hours 58 minutes ago

You don't pull off anything from the Linux server. You need to know what "brand" of certificate they have and maybe a few other bits about it, but you don't need that certificate.

Then you go to that provider of certificates and look for root and intermediate CAs. Say, for example, the certificate they have is a GEOTRUST RAPIDSSL. You would google that for root/intermediate CAs and you will land on a page like: https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&id=AR1548

Then, if it is SHA-1 or 2, you would download the appropriate ones (if in doubt, download "all" of them), and then you would install them onto the IBM i.

To do that install, you get what you downloaded onto the IFS (easiest way is to create a folder in the IFS, share it, map it at your PC, and drag/drop the file(s) in).

Then you need to go into DCM. To do that you put in your IBM i's IP address colon 2001, like 192.168.1.10:2001, and you log in, and you click on the middle/right to work with IBM i tasks, and then you will see Digital Certificate Manager. You might have to use http (and previously, when you asked for :2001, it might have said it wasn't a trusted site since it is a self-signed certificate).

Select your certificate store (upper left), select system and log in there, then select manage certificates and view your certificates, and select certificate authorities and you can see what you have installed.

This is pretty much laid out in the reference I made above over at bvstools. Like I said, you aren't really taking anything from the Linux server, except to find out the "maker" of the certificate and its "brand name", which might mean, like in the case of GeoTrust, there is RapidSSL, GeoTrust Essential, etc., and if it is SHA-1 or SHA-2. If you can't find out about SHA-1 or -2, get the root authorities and intermediates for both and put them on.

To import a CA instead of viewing, you do the import and, when you name it, put down what it is, like GEOTRUST RAPIDSSL SHA-1 INTERMEDIATE. This will help later on if you have to see whether you have it or not.

I have put on several CAs and have also put on a certificate for outside use, which is similar but different.

Also, if you think you have the stuff in place and it doesn't work, simply download GETURI and you can try it from the green screen to hit it; if you can't, then you have other issues. If you can, and you can't with iSockets, that too will be helpful for you to know.

The other thing may be what level of SSL they connect with or what they will allow. That is, they may only allow TLS 1.2 or maybe TLS 1.x. And that can come into play.

Like I said, you aren't extracting anything off the Linux box; that won't help you. You need to be sure you have the correct root/intermediate CAs. You see, today most certificates build on a trust level which happens through an intermediate or two and a root.

chris


Posted by: DannyFromOP
Premium member *
Comment on: iSockets & port 8443
Posted: 1 years 7 months 7 days 7 minutes ago
Edited: Wed, 17 Feb, 2016 at 09:48:54 (583 days ago)

Chris,

Looking at the Cert the Linux team provided:

Version - V3

Serial number - 55 cb fa 49

Signature algorithm - sha 1RSA

Signature hash algorithm - sha1

Issuer - CN = d-cnmhpd-1.ccx.carecentrix.com
OU = IT
O = Carecentrix
L = Tampa
S = Florida
C = US

So I guess we are the provider, in that case how would I get the root and intermediate CA's?

I really appreciate you sharing your knowledge.

Danny

Posted by: clbirk
Premium member *
Comment on: iSockets & port 8443
Posted: 1 years 7 months 4 days 17 hours 8 minutes ago

So what you are saying is it is a self-signed certificate. I am not sure, but I would assume that the software that did the self-signing should offer a root that can be installed. Honestly, for the $12 to $15 for a cheap SSL certificate like RapidSSL, I would never go with a self-signed one for reasons like this.

So I can't be of any help. Here is an article on self-signed certificates, and it talks about generating the root CA, etc. So maybe this might help. Good luck.

http://datacenteroverlords.com/2012/03/01/creating-your-own-ssl-certificate-authority/

chris
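Chris's point above (the trust store needs the issuing root/intermediate CA, not the server's own certificate) and the self-signed case Danny ran into can both be exercised offline with Go's standard crypto/x509 package. This is an added example, not code from this thread or from iSockets; the CA name "Carecentrix-Root-CA" and the 24-hour validity are constructed, while the serial number and host name are taken from Danny's post, and `TrustedWith` stands in for the DCM *SYSTEM store check.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// makeCert issues a constructed certificate for cn. A nil parent means the
// certificate signs itself (issuer == subject), like the one quoted in the thread.
func makeCert(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(0x55cbfa49), // serial number quoted in the thread
		Subject:      pkix.Name{CommonName: cn, Organization: []string{"Carecentrix"}},
		DNSNames:     []string{cn},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, nil, err
	}
	c, err := x509.ParseCertificate(der)
	return c, key, err
}

// IsSelfSigned: identical issuer and subject DNs, and the signature verifies under the certificate's own key.
func IsSelfSigned(c *x509.Certificate) bool {
	return c.Issuer.String() == c.Subject.String() && c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil
}

// TrustedWith stands in for the DCM *SYSTEM store: the server certificate must chain to a CA in the store.
func TrustedWith(server *x509.Certificate, store ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, ca := range store {
		pool.AddCert(ca)
	}
	_, err := server.Verify(x509.VerifyOptions{Roots: pool, DNSName: server.DNSNames[0]})
	return err
}
```

With an empty store both kinds of certificate are rejected as unknown authority; the CA-signed one verifies once the root is in the store, and the self-signed one only once it is itself imported as a CA.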

Posted by: bobcozzi
Site Admin ****
Chicagoland
Comment on: iSockets & port 8443
Posted: 1 years 6 months 29 days 21 hours 27 minutes ago

Turns out I did add SSL support to iSockets.

The big challenge most people have is setting up the CAs.

Brad has a good step-by-step on his site, here.

IBM also added a System Value in V7.1 to set up TLS.

The system value in question is QSSLPCL, which defaults to *OPSYS, and that should be fine. But check it out on your system: WRKSYSVAL QSSL*


Posted by: bobcozzi
Site Admin ****
Chicagoland
Comment on: iSockets & port 8443
Posted: 1 years 6 months 13 days 22 hours 39 minutes ago
Edited: Fri, 11 Mar, 2016 at 08:01:37 (560 days ago)

Since this thread started, I've been working with IBM's HTTP Services for SQL. If you're an SQL user, you can use the HTTPxxxxClobVerbose() UDTFs, such as HTTPPOSTClobVerbose(), to do the HTTP/HTTPS connection. It does all the sockets and SSL stuff for you under the covers, similar to iSockets, HTTPAPI, and GETURI.

I'm going to do a tutorial on it when I get back into the country, but for now here are the links.

IBM Web page with a small overview.

IBM PDF White Paper describing each HTTP service.