IBM Support

SSL Considerations for QSYS2 HTTP Functions

How To


Summary

This document provides information on how to configure TLS/HTTPS secure communications for the IBM i Db2 HTTP Functions.

Objective

Guidance for enabling IBM i Db2 HTTP functions for TLS/SSL.

Environment

IBM i

Steps

  1. By default, the functions use the system default certificate store (/QIBM/USERDATA/ICSS/CERT/SERVER/DEFAULT.KDB). You need to create the required certificate store and add certificates with the Digital Certificate Manager (DCM). 
  2. If your application chooses to trust the certificates used by the JVM, the following SQL statements can be used to create the certificate store for use by the HTTP functions. The example uses changeit, the default password for the cacerts file packaged with Java. A temporary password of xyz789 is used during setup and is replaced by the final password abc123. The user must have permission to create /home/javaTrustStore.
  3. Create an SQL schema to contain temporary variables.
    CREATE SCHEMA FROM_JAVA_TRUST_STORE;
    SET SCHEMA FROM_JAVA_TRUST_STORE;
    SET PATH CURRENT PATH, FROM_JAVA_TRUST_STORE;
    The user might run into an issue with the SET PATH statement depending on which naming convention is used (see CURRENT PATH).
    Alternatively use the following: 
    CREATE SCHEMA FROM_JAVA_TRUST_STORE;
    SET SCHEMA FROM_JAVA_TRUST_STORE;
    SET PATH = FROM_JAVA_TRUST_STORE, SYSTEM PATH;
  4. Define global variables needed for generating the new truststore. Specify the IFS directory to use for the new truststore.
    -- Specify the IFS Directory. 
    CREATE OR REPLACE VARIABLE NEW_TRUST_DIRECTORY VARCHAR(80) CCSID 37;
    SET NEW_TRUST_DIRECTORY='/home/javaTrustStore'; 
    
    -- Specify the name of the new trust store name
    CREATE OR REPLACE VARIABLE   NEW_TRUST_STORE VARCHAR(80) CCSID 37;
    SET NEW_TRUST_STORE = NEW_TRUST_DIRECTORY CONCAT '/fromJava.KDB'; 
    
    -- Specify the password for the trust store.  This should be changed to keep the new trust store secure. 
    CREATE OR REPLACE VARIABLE   NEW_TRUST_STORE_PASSWORD VARCHAR(80) CCSID 37;
    SET NEW_TRUST_STORE_PASSWORD= 'abc123';
    
    -- Specify the Java trust store to use. 
    CREATE OR REPLACE VARIABLE   JAVA_TRUST_STORE VARCHAR(80) CCSID 37;
    SET JAVA_TRUST_STORE='/QOpenSys/QIBM/ProdData/JavaVM/jdk80/64bit/jre/lib/security/cacerts';
    
    -- Specify the Java trust store password.  The default password is changeit.
    -- If the password has been changed on the system, the correct value will need to be used. 
    CREATE OR REPLACE VARIABLE   JAVA_TRUST_STORE_PASSWORD VARCHAR(80) CCSID 37; 
    SET JAVA_TRUST_STORE_PASSWORD = 'changeit';
    
    -- Specify the name of the temporary trust store exported from Java (keytool writes it in PKCS12 format).
    CREATE OR REPLACE VARIABLE JKS_TRUST_STORE VARCHAR(80) CCSID 37; 
    -- The '/' separator places the export inside NEW_TRUST_DIRECTORY rather than beside it.
    SET JKS_TRUST_STORE = NEW_TRUST_DIRECTORY CONCAT '/jksExport';
    
    -- Specify the password of the temporary JKS format TRUST STORE. 
    CREATE OR REPLACE VARIABLE JKS_TRUST_STORE_PASSWORD VARCHAR(80) CCSID 37; 
    SET JKS_TRUST_STORE_PASSWORD = 'xyz789' ;
  5. Use QCMDEXC and QSH to run mkdir, creating the directory in which to save the new store file.
    CALL QSYS2.QCMDEXC( 'QSH CMD(''mkdir ' CONCAT NEW_TRUST_DIRECTORY CONCAT ''')');
  6. Use QCMDEXC and QSH to run the keytool command to export the default Java certificate store in PKCS12 format.
    CALL QSYS2.QCMDEXC(
       'QSH CMD(''keytool -importkeystore ' CONCAT
       ' -srcstorepass ' CONCAT JAVA_TRUST_STORE_PASSWORD CONCAT
       ' -srckeystore ' CONCAT JAVA_TRUST_STORE CONCAT
       ' -destkeystore ' CONCAT JKS_TRUST_STORE CONCAT
       ' -srcstoretype JKS -deststoretype PKCS12 ' CONCAT 
       ' -deststorepass ' CONCAT JKS_TRUST_STORE_PASSWORD CONCAT ''')');
  7. Create the SQL procedure to call the QSYS/QYKMIMPK API (QykmImportKeyStore) to create the keystore. An SQL7909 warning message is issued, which can be ignored.
    CREATE OR REPLACE PROCEDURE ImportKeyStore(
         STOREPATH CHAR(100) CCSID 37, 
         STOREPATHLEN INT,  
         STOREFORMAT CHAR(9) CCSID 37, 
         STOREPASSWORD CHAR(100) CCSID 37,
         STOREPASSWORDLEN INT,   
         STOREPASSWORDCCSID INT,    
         IMPORTPATH CHAR(100) CCSID 37,     
         IMPORTPATHLEN INT,     
         IMPORTFORMAT CHAR(9) CCSID 37,  
         IMPORTVERSION CHAR(11) CCSID 37,   
         IMPORTPASSWORD CHAR(100) CCSID 37,   
         IMPORTPASSWORDLEN INT,     
         IMPORTPASSWORDCCSID INT,     
         ERRORCODE CHAR(100) FOR BIT DATA) 
        LANGUAGE C PARAMETER STYLE GENERAL EXTERNAL NAME 'QSYS/QYKMIMPK';
  8. Call the newly created procedure. 
    CALL IMPORTKEYSTORE(
      STOREPATH => NEW_TRUST_STORE, 
      STOREPATHLEN => LENGTH(NEW_TRUST_STORE), 
      STOREFORMAT => 'OBJN0100',
      STOREPASSWORD => NEW_TRUST_STORE_PASSWORD, 
      STOREPASSWORDLEN => LENGTH(NEW_TRUST_STORE_PASSWORD), 
      STOREPASSWORDCCSID => 37, 
      IMPORTPATH => JKS_TRUST_STORE, 
      IMPORTPATHLEN => LENGTH(JKS_TRUST_STORE), 
      IMPORTFORMAT => 'OBJN0100', 
      IMPORTVERSION => '*PKCS12V3 ',
      IMPORTPASSWORD => JKS_TRUST_STORE_PASSWORD,
      IMPORTPASSWORDLEN => LENGTH(JKS_TRUST_STORE_PASSWORD), 
      IMPORTPASSWORDCCSID => 37, 
      ERRORCODE => X'00000000000000000000000000000000000000000000000000000000000000');
  9. Use the new trust store to verify that it works. (The request might fail; try other URLs to verify, and importing additional CA certificates may be needed.)
    values qsys2.http_get(
       URL => 'https://www.ibm.com/support/pages/sites/default/files/inline-files/xmldoc.xml',  
       OPTIONS => '{"sslCertificateStoreFile":"' CONCAT NEW_TRUST_STORE CONCAT '"}'); 
    Clean up the schema. 
    DROP SCHEMA FROM_JAVA_TRUST_STORE;
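The following verification script is an added example and is not part of the IBM document. It runs after step 9 while the FROM_JAVA_TRUST_STORE global variables still exist (before DROP SCHEMA), checks that both files actually landed under NEW_TRUST_DIRECTORY, repeats the request through QSYS2.HTTP_GET_VERBOSE so the HTTP status is visible separately from the body, and removes the temporary PKCS12 export, which still holds a copy of every CA under the throwaway password. It assumes, from the IBM i documentation rather than from this page, that QSYS2.IFS_OBJECT_STATISTICS exposes PATH_NAME and DATA_SIZE, that HTTP_GET_VERBOSE returns RESPONSE_MESSAGE and a RESPONSE_HTTP_HEADER JSON document with an HTTP_STATUS_CODE field, and that the OPTIONS document accepts sslCertificateStorePassword.

```sql
-- Added verification example (not from the IBM document). Run before
-- DROP SCHEMA so the global variables from step 4 are still in scope.

-- 1. Confirm the files were created under the directory from step 5.
--    Expect fromJava.KDB and jksExport. If only the KDB is listed, the
--    export was written elsewhere (check the separator in JKS_TRUST_STORE);
--    if the KDB is missing, the import did not complete.
SELECT PATH_NAME, DATA_SIZE
  FROM TABLE(QSYS2.IFS_OBJECT_STATISTICS(
         START_PATH_NAME     => NEW_TRUST_DIRECTORY,
         SUBTREE_DIRECTORIES => 'NO'));

-- 2. Make the request with the new store and show the status code and a body
--    preview instead of relying on the raw VALUES call. A handshake against a
--    server whose issuing CA is not in the store surfaces as an SQL error
--    rather than a row; the fix for that is to import the missing CA with
--    DCM, not to relax certificate validation in OPTIONS.
SELECT JSON_VALUE(RESPONSE_HTTP_HEADER, '$.HTTP_STATUS_CODE') AS HTTP_STATUS,
       SUBSTR(RESPONSE_MESSAGE, 1, 200)                      AS BODY_PREVIEW
  FROM TABLE(QSYS2.HTTP_GET_VERBOSE(
         URL     => 'https://www.ibm.com/support/pages/sites/default/files/inline-files/xmldoc.xml',
         OPTIONS => '{"sslCertificateStoreFile":"'      CONCAT NEW_TRUST_STORE          CONCAT
                    '","sslCertificateStorePassword":"' CONCAT NEW_TRUST_STORE_PASSWORD CONCAT '"}'));

-- 3. The PKCS12 export was only an intermediate; delete it once the KDB exists
--    so the CA bundle is not left on disk under the temporary password.
CALL QSYS2.QCMDEXC('QSH CMD(''rm ' CONCAT JKS_TRUST_STORE CONCAT ''')');
```

An HTTP_STATUS of 200 confirms that the handshake succeeded against the new store and that the request reached the server; a 3xx or 4xx still proves the TLS path works and only reflects what the URL returned.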

Additional Information

  • Further information on HTTP Functions
  • Digital Certificate Manager (DCM) frequently asked questions and common tasks
  • How To Import Personal Certificates Into a Digital Certificate Manager keystore on the IBM i OS

Document Location

Worldwide


Document Information

Modified date:
10 July 2023

UID

ibm16567211