IBM Support

Configuring IBM i DB2 SYSTOOLS HTTP User-Defined Functions for TLS/HTTPS Secure Communications

How To


Summary

This document describes how to configure TLS/HTTPS secure communications with the IBM i DB2 SYSTOOLS HTTP Java User-Defined Functions (UDFs).

Environment

IBM i OS

Steps

1) Obtain the CA certificate(s) from the 3rd party URL

There are 3 primary ways to do this:
a) Enter the HTTPS URL into your web browser's address bar and view the TLS certificate currently used on the connection. Then, follow the instructions on Extracting a CA Root Certificate from a Digital Certificate.

b) Use the QMGTOOLS/GETSSL utility.

c) Follow the steps on How to extract CA certificates for the remote port 443 instead of 990.

2) Create the Java keystore, import the CA cert(s), and set the javax.net.ssl.trustStore Java property for the IBM i user profile executing the DB2 HTTP User-Defined Function.

STRQSH

cp /QOpenSys/QIBM/ProdData/JavaVM/jdk80/64bit/jre/lib/security/cacerts /home/cacerts
NOTE: This assumes 5770JV1 Option 17 is installed. If the above command fails, you can switch the Java version (jdk70, jdk71, or jdk80) and bit level (32bit or 64bit) based on which 5770JV1 options are currently installed. To identify your installed 5770JV1 LPPs, execute GO LICPGM Option 10 and then press F11 twice to view the "Product Option" column.

keytool -import -trustcacerts -keystore /home/cacerts -storepass changeit -noprompt -alias mycert -file /tmp/mycertificate.cer
NOTE:  Repeat the keytool command for all CA certificates and change the -alias value to be unique for each certificate imported.

touch -C 819 /home/<JVMuser>/SystemDefault.properties
NOTE: You can execute the CL command, DSPUSRPRF <JVMuser>, to verify the "Home directory" value.  This would be the very last attribute listed.  The value of "Home directory" should be where the SystemDefault.properties file is created.

echo javax.net.ssl.trustStore=/home/cacerts >> /home/<JVMuser>/SystemDefault.properties
cat /home/<JVMuser>/SystemDefault.properties
where <JVMuser> is the current user of the job executing the IBM i DB2 HTTP UDF.
 
In the example below, the DB2 HTTP function (HTTPGETCLOB, HTTPPOSTCLOB, etc.) is executed by the IBM i user profile, JPROFILE, with a Home directory set to /home/JPROFILE.

image-20190726124630-1
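
The echo step above appends with >>, so running it more than once leaves more than one javax.net.ssl.trustStore entry, and a trust store file that group or other users can write to lets them add CA certificates that the UDF will then trust. The following check is an added example, not part of the IBM procedure; the function names and return codes are hypothetical, and the demo runs against a constructed temporary directory rather than a real home directory.

```shell
# Added example, not IBM code. Function names and return codes are hypothetical.
# check_truststore_prop PROPS_FILE
#   0 = exactly one javax.net.ssl.trustStore entry, keystore exists and is
#       not writable by group or others
#   1 = properties file or entry missing   2 = more than one entry
#   3 = keystore file missing              4 = keystore group/other-writable
check_truststore_prop() {
    props=$1
    [ -f "$props" ] || return 1
    # grep -c exits non-zero on zero matches; "|| true" keeps "set -e" callers alive
    count=$(grep -c '^javax\.net\.ssl\.trustStore=' "$props" || true)
    [ "$count" -ge 1 ] || return 1
    [ "$count" -eq 1 ] || return 2
    store=$(sed -n 's/^javax\.net\.ssl\.trustStore=//p' "$props")
    [ -f "$store" ] || return 3
    # Mode string from ls, e.g. -rw-r--r--: char 6 = group write, char 9 = other write
    perms=$(ls -ld "$store" | cut -c1-10)
    case $perms in
        ?????w????|????????w?) return 4 ;;
    esac
    return 0
}

# Constructed sample: repeat the append step twice in a temporary directory
# and report the check result after each run.
demo_duplicate_append() {
    d=$(mktemp -d) || return 1
    : > "$d/cacerts"
    chmod 644 "$d/cacerts"
    out=""
    for i in 1 2; do
        echo "javax.net.ssl.trustStore=$d/cacerts" >> "$d/SystemDefault.properties"
        rc=0
        check_truststore_prop "$d/SystemDefault.properties" || rc=$?
        out="$out${out:+ }$rc"
    done
    rm -rf "$d"
    echo "$out"
}

demo_duplicate_append   # prints: 0 2
```

On a real system, call check_truststore_prop with the SystemDefault.properties path from the "Home directory" value shown by DSPUSRPRF and inspect the return code.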

Document Location

Worldwide


Document Information

Modified date:
18 December 2019

UID

ibm10960844