This document describes how to configure TLS/HTTPS secure communications with the IBM i DB2 SYSTOOLS HTTP Java User-Defined Functions (UDFs).
1) Obtain the CA certificate(s) from the 3rd party URL
There are 3 primary ways to do this:
a) Enter the HTTPS URL into your web browser's address bar and view the TLS certificate currently used on the connection. Then, follow the instructions on Extracting a CA Root Certificate from a Digital Certificate.
b) Use the QMGTOOLS/GETSSL utility.
c) Follow the steps on How to extract CA certificates for the remote port 443 instead of 990.
Create the Java keystore, import the CA cert(s), and set the javax.net.ssl.trustStore Java property for the IBM i user profile executing the DB2 HTTP User-Defined Function.
NOTE: This assumes 5770JV1 Option 17 is installed. If the above command fails, you can switch the Java version (jdk70, jdk71, or jdk80) and bit level (32bit or 64bit) based on what 5770JV1 options are currently installed. To identify your installed 5770JV1 LPPs, execute GO LICPGM Option 10 and then press F11 twice to view the "Product Option" column.
NOTE: Repeat the keytool command for all CA certificates and change the -alias value to be unique for each certificate imported.
NOTE: You can execute the CL command, DSPUSRPRF <JVMuser>, to verify the "Home directory" value. This would be the very last attribute listed. The value of "Home directory" should be where the SystemDefault.properties file is created.
where <JVMuser> is the current user of the job executing the IBM i DB2 HTTP UDF.
In the example below, the DB2 HTTP function (HTTPGETCLOB, HTTPPOSTCLOB, etc.) is executed by the IBM i user profile, JPROFILE, with a Home directory set to /home/JPROFILE.
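The keystore and property steps above, written as a shell script. This is an added example, not IBM's original commands or the example this page refers to. It imports each CA file under a unique alias and sets javax.net.ssl.trustStore in the user's SystemDefault.properties. The certificate directory, the keystore name httpudf.jks, the store password and the KEYTOOL variable are assumptions.

```shell
#!/bin/sh
# Added example (not IBM's commands). Hypothetical names: the certificate
# directory, the keystore file name and the store password are assumptions.
KEYTOOL="${KEYTOOL:-keytool}"   # set to the keytool of the installed JDK

# Turn a certificate file name into a predictable keytool alias.
alias_for() {
    base=$(basename "$1")
    printf '%s' "${base%.*}" | tr 'A-Z' 'a-z' | tr -c 'a-z0-9_-' '_'
}

# import_cas <cert_dir> <keystore> <storepass>
# Imports every file in cert_dir under its own alias; keytool rejects a
# duplicate alias, so colliding names get a numeric suffix.
import_cas() {
    used=" "; count=0
    for cert in "$1"/*; do
        [ -f "$cert" ] || continue
        stem=$(alias_for "$cert"); name=$stem; n=1
        while case "$used" in *" $name "*) true ;; *) false ;; esac; do
            n=$((n + 1)); name="${stem}_$n"
        done
        used="$used$name "
        # -noprompt skips the fingerprint confirmation: verify each file first.
        # -storepass is visible in the process list while keytool runs.
        "$KEYTOOL" -importcert -noprompt -trustcacerts -alias "$name" \
            -file "$cert" -keystore "$2" -storepass "$3" || return 1
        count=$((count + 1))
    done
    [ "$count" -gt 0 ]   # fail when the directory held no certificates
}

# set_truststore <home_dir> <keystore>
# Rewrites SystemDefault.properties so exactly one trustStore line remains
# and every other property is kept.
set_truststore() {
    props="$1/SystemDefault.properties"; tmp="$props.$$"
    {
        if [ -f "$props" ]; then
            grep -v '^javax\.net\.ssl\.trustStore=' "$props" || true
        fi
        printf 'javax.net.ssl.trustStore=%s\n' "$2"
    } > "$tmp" && mv "$tmp" "$props"
}

# Usage: sh trust.sh <cert_dir> <home_dir> <storepass>
if [ "$#" -eq 3 ]; then
    import_cas "$1" "$2/httpudf.jks" "$3" && set_truststore "$2" "$2/httpudf.jks"
fi
```

Anyone who can write to the keystore file decides which CAs the UDF trusts, so keep it writable only by its owner.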
18 December 2019