IBM Support

ACS ODBC driver for Linux now supports OpenSSL

How To

Summary

Beginning with version 1.1.0.27, the "IBM i Access ODBC Driver" for Linux now supports SSL connectivity to IBM i.

Objective

Secure ODBC connections from Linux clients to DB2 for i using OpenSSL, rather than configuring stunnel.

Environment

Linux
IBM i
From the Linux Application Package readme.txt:
4.0  ENHANCEMENTS AND INTERNAL FIXES
------------------------------------
   This is a list of enhancements and internal fixes.
---------------------------------
Version: 1.1.0.27
Build Date = November 2022
---------------------------------
- Add TLS (SSL) support using OpenSSL. This requires that the OpenSSL libraries
  provided by your OS are installed, e.g. openssl-libs, libopenssl-1_1,
  libssl1.1, etc. OpenSSL versions 3.0, 1.1.1, and 1.0.2 are supported, with the
  most recent version found taking precedence. Unlike with GSKit on Windows, FIPS
  mode is not supported.

Steps

First, use the IBM i Access Client Solutions "System Configurations" function to test SSL connectivity to the IBM i host servers.
Once secure connectivity is verified successfully, from the main ACS menu, select "Tools" -> "Key Management". Select the CA certificate for the IBM i system in question and click the "Extract..." button. Use a file name extension of ".crt".
Move the certificate file to Linux (binary mode) and follow these instructions to install the certificate on an Ubuntu client.
For Red Hat systems, these are the instructions to get the CA installed:
"To add a certificate, download it, place it into the /etc/pki/ca-trust/source/anchors directory, and then run the command update-ca-trust. You will need to be root for these two tasks"
Then add the following connection keyword to the DSN entry in the .odbc.ini file (locate the file with "odbcinst -j"):
SSL = 1
Test connectivity with:
$ cwbping /ssl:1 <IBM_iName_or_IPaddress>
Make an SSL ODBC connection using:
$ isql <myDSNName> <myUSRPRF> <myPassword>
"myDSNName" must be the DSN that contains "SSL = 1".
If successful, QZDASSINIT job log will contain message:
The following special registers have been set: CLIENT_APPLNAME: ISQL

Additional Information

In the event of a failure such as:
[IBM][System i Access ODBC Driver]Communication link failure. comm rc=25404 - CWBCO1050 - The IBM i server application certificate is not trusted (25404) (SQLDriverConnect)
...use the following test:
$ openssl s_client -noservername -connect myhost.example.com:9471 </dev/null
Output containing:
Verify return code: 68 (CA signature digest algorithm too weak)
...indicates the signer certificate in use is too weak for use with OpenSSL and needs to be re-issued on the IBM i with a stronger signature algorithm. After doing so, re-download the CA certificate and install it into the client OpenSSL trust store.
The equivalent trust-store installation steps for SLES and for PASE on IBM i are:
- SLES
# Copy certificates to /etc/pki/trust/anchors
sudo cp cacert.pem /etc/pki/trust/anchors
# Update system trust
sudo update-ca-certificates

- PASE
# Copy certificates to /QOpenSys/etc/pki/trust/anchors
cp cacert.pem /QOpenSys/etc/pki/trust/anchors
# Update system trust
update-ca-certificates
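
The following shell helpers are an added example, not part of this IBM document: they write the SSL = 1 DSN stanza, check the signature algorithm of the extracted CA file, and classify the "Verify return code" from the openssl s_client test above. Host names, the DSN name and the sample openssl output lines are constructed placeholders; only ssl_check_host needs the openssl binary and a live host, the other functions read text on stdin.

```shell
#!/bin/sh
# Added example (not from the IBM document). Assumes the CA was extracted
# from ACS as a .crt file and that the OpenSSL CLI is installed.

# Append a DSN stanza carrying the SSL = 1 keyword to an odbc.ini file.
# $1 = ini file, $2 = DSN name, $3 = IBM i host name or address (placeholders)
write_ssl_dsn() {
  printf '[%s]\nDescription = IBM i over TLS\nDriver = IBM i Access ODBC Driver\nSystem = %s\nSSL = 1\n' \
    "$2" "$3" >> "$1"
}

# Read `openssl x509 -in ca.crt -noout -text` output on stdin, print the
# signature algorithm, and return 1 when it is a digest OpenSSL 3.0 rejects
# for a CA at its default security level (the cause of verify code 68).
ca_sig_alg_ok() {
  alg=$(sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
  printf '%s\n' "$alg"
  case "$alg" in
    md2*|md4*|md5*|sha1*) return 1 ;;
    *) return 0 ;;
  esac
}

# Read `openssl s_client` output on stdin, print a diagnosis of the
# "Verify return code" line, and return that code (0 = chain verified).
classify_verify() {
  code=$(sed -n 's/^ *Verify return code: *\([0-9]*\).*/\1/p' | head -n 1)
  case "$code" in
    0)  echo "trusted: CA chain verified"; return 0 ;;
    68) echo "CA signature digest too weak: re-issue the CA on IBM i with SHA-256 and re-import it"
        return 68 ;;
    19|20|21)
        echo "CA not in the client trust store: install the .crt into the anchors directory and run update-ca-trust / update-ca-certificates"
        return "$code" ;;
    "") echo "no Verify return code line found (connection failed?)"; return 2 ;;
    *)  echo "verification failed with code $code"; return "$code" ;;
  esac
}

# Run the s_client test from this page against a host. 9471 is the TLS
# port of the database host server (QZDASSINIT).
ssl_check_host() {
  openssl s_client -noservername -connect "$1:9471" </dev/null 2>/dev/null | classify_verify
}
```

Example: `ssl_check_host myhost.example.com` prints the diagnosis and exits with the OpenSSL verify code, so it can gate a script that runs cwbping or isql.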

Document Location

Worldwide


Document Information

Modified date:
10 October 2023

UID

ibm16983540