IBM Support

Configuring IBM i Java Client Applications for TLS/HTTPS Secure Communications

How To


Summary

This document describes how to configure TLS/HTTPS secure communications for Java client applications running on the IBM i OS.

Environment

IBM i OS

Steps

1) Obtain the CA certificate(s) from the remote TLS/HTTPS host the Java client application is connecting to.

There are 3 primary ways to do this:
a) Enter the HTTPS URL into your web browser's address bar and view the TLS certificate currently used on the connection.  Then, follow the instructions on Extracting a CA Root Certificate from a Digital Certificate.

b) Use the QMGTOOLS/GETSSL utility.

c) Follow the steps on How to extract CA certificates, using the remote TLS port (i.e. 443 for HTTPS) instead of 990.
 
2) Create the Java keystore, import the CA cert(s), and set the javax.net.ssl.trustStore Java property for the IBM i user profile executing the Java client application.

STRQSH

cp /QOpenSys/QIBM/ProdData/JavaVM/jdk80/64bit/jre/lib/security/cacerts /home/cacerts
NOTE:  This assumes 5770JV1 Option 17 is installed.  If the above command fails, change the Java version (jdk70, jdk71, or jdk80) and bit level (32bit or 64bit) in the path to match the 5770JV1 options that are currently installed.  To identify your installed 5770JV1 LPPs, execute GO LICPGM Option 10 and then press F11 twice to view the "Product Option" column.

keytool -import -trustcacerts -keystore /home/cacerts -storepass changeit -noprompt -alias mycert -file /tmp/mycertificate.cer
NOTE:  Repeat the keytool command for all CA certificates and change the -alias value to be unique for each certificate imported.

touch -C 819 /home/<JVMuser>/SystemDefault.properties
NOTE: You can execute the CL command, DSPUSRPRF <JVMuser>, to verify the "Home directory" value.  This would be the very last attribute listed.  The value of "Home directory" should be where the SystemDefault.properties file is created.

echo javax.net.ssl.trustStore=/home/cacerts >> /home/<JVMuser>/SystemDefault.properties
cat /home/<JVMuser>/SystemDefault.properties

where <JVMuser> is the current user of the job executing the Java client application.

As an alternative to defining the javax.net.ssl.trustStore property at the IBM i user profile scope, you can also use the IBM_JAVA_OPTIONS environment variable.  This can be set at the *JOB level before the JVM is invoked or set at the *SYS level to apply to all JVM instances that run on the IBM i OS.

IBM_JAVA_OPTIONS=-Djavax.net.ssl.trustStore=/home/cacerts

ADDENVVAR ENVVAR(IBM_JAVA_OPTIONS) VALUE('-Djavax.net.ssl.trustStore=/home/cacerts') LEVEL(*JOB) REPLACE(*YES)

ADDENVVAR ENVVAR(IBM_JAVA_OPTIONS) VALUE('-Djavax.net.ssl.trustStore=/home/cacerts') LEVEL(*SYS) REPLACE(*YES)

Or you can set the following JVM argument on Java invocation.

java -Djavax.net.ssl.trustStore=/home/cacerts MyProgram



In the example below, the Java client application is executed by the IBM i user profile, JPROFILE, with a Home directory set to /home/JPROFILE.

[Image: example for IBM i user profile JPROFILE]
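
Added example (not part of the IBM document): a POSIX shell check that the javax.net.ssl.trustStore value set in SystemDefault.properties, in IBM_JAVA_OPTIONS or on a java command line is an absolute path to a readable file and is defined only once. The function names check_path, check_props and check_java_options are hypothetical helpers, and the script assumes the property line has the exact key=value form written by the echo command above.

```sh
# Added example, not IBM code; the function names are hypothetical helpers.
KEY=javax.net.ssl.trustStore

# A usable trust store path is absolute and readable by the current user.
check_path() {
    case $1 in
        /*) ;;
        *)  echo "FAIL: '$1' is relative; the JVM resolves it against its working directory"
            return 1 ;;
    esac
    if [ ! -r "$1" ]; then
        echo "FAIL: '$1' is missing or not readable by this user"
        return 1
    fi
    echo "OK: $KEY=$1"
}

# Check the entry written to SystemDefault.properties in step 2.
check_props() {
    if [ ! -r "$1" ]; then echo "FAIL: cannot read $1"; return 1; fi
    count=0 value=
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            "$KEY="*) count=$((count + 1)); value=${line#*=} ;;
        esac
    done < "$1"
    if [ "$count" -eq 0 ]; then echo "FAIL: $KEY is not set in $1"; return 1; fi
    if [ "$count" -gt 1 ]; then
        echo "FAIL: $KEY is set $count times in $1 (each 'echo >>' run appends a line)"
        return 1
    fi
    check_path "$value"
}

# Check a -D option string such as the IBM_JAVA_OPTIONS value or java arguments.
check_java_options() {
    for opt in $1; do   # unquoted on purpose: split the options on whitespace
        case $opt in
            "-D$KEY="*) check_path "${opt#*=}"; return ;;
        esac
    done
    echo "FAIL: no -D$KEY= option in '$1'"
    return 1
}

# Usage for the JPROFILE example:
#   check_props /home/JPROFILE/SystemDefault.properties
#   check_java_options "$IBM_JAVA_OPTIONS"
```

Run the checks as the user profile that executes the Java client application, so the readability test reflects that profile's authority to the trust store file.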

Document Location

Worldwide



Document Information

More support for:
IBM i

Software version:
All Versions

Operating system(s):
IBM i

Document number:
964804

Modified date:
05 January 2022

UID

ibm10964804
