why HTTPTransportException in the IBM but not in Windows?


Post by Dino »

Hi Guys

Here I am playing with RESTful in V15, EPC 150050, wondering why this works when I run from Windows, but not when running in the IBM; maybe someone can point me to the issue.

When running in Windows, I get the response with the bearer token and all is good; I do my follow-up request with the JSON using that bearer token, success.

But in the IBM, the httprequest returns:

Code:

 BAD HTTP Request Status Code: 
 CONNECTION_ERROR 
 Failed to send outgoing data to the server, HTTPTransportException: Cannot initialize a channel 
   to the remote end. Failed to establish SSL connection to server, the operation gsk_secure_soc_init() failed.GSKi

The code in use for this is basically this:

Code:

#Url.SetScheme( 'https' )
#Url.SetHost( 'auth.dddddd.aaaaxxx.companyxxxx.com' )
#Url.SetPath( '/oauth2/token' )
#HttpRequest.Options.AddHeader Name('Content-Type') Value('application/x-www-form-urlencoded')
#HttpRequest.Content.AddUrlEncodedFormValue( 'grant_type' 'client_credentials' )
#HttpRequest.Content.AddUrlEncodedFormValue( 'client_id' '0000000aaaaaaaaaaaabbbbbbbbbbb' )
#HttpRequest.Content.AddUrlEncodedFormValue( 'client_secret' 'ccccccccccccccccdddddddddddeeeeeeeeeeeeee' )
#HttpRequest.Content.AddUrlEncodedFormValue( 'scope' 'updateaaaaaaaaaaabbbbbbbbbbcccccc' )
#HttpRequest.DoPost Url(#Url)

If (#HttpRequest.Response.IsSuccessfulRequest)   /* <==== This is the one returning the error in the IBM */
If (#HttpRequest.Response.IsSuccessHttpStatusCode)

And of course, I don't get any response if using the trace in the IBM. Just request.body, request.general, request.headers log.

As additional information, the IBM is set in the LANSA configuration for http and https (not that it should matter, as my PC is not and can send the https communication without issues).

Thank you

Post by PatrickF »

Hi Dino

The GSKIT error on IBMi indicates that the IBMi Digital Certificate Manager doesn't have a trusted Certificate Authority for the other party's certificate. The Certificate Authority is similar to a passport that a traveler going through airport immigration might use, and Immigration needs to trust that the passport is valid from a passport-issuing authority in order to trust that traveler. Lansa on IBMi uses the HTTP Server to send and handle the response, unlike LANSA Integrator, which uses the Java Keystore.

You will need to get the CA for their https endpoint, save it as a base 64 CER using Certificate Export Wizard, ftp it to the IBMi IFS and then import it to the IBMi Certificate Store using DCM.
Attached is an old document from V7R3. IBM have refaced the DCM interface for V7R4 and V7R5 but the steps are similar.

On IBMi the Digital Certificate Manager is used to import the cert from the Cert Authority.
There may also be settings required covering TLS version compatibility, because newer IBMi OS versions handle newer TLS versions.
System value . . . . . : QSSLCSLCTL
Description . . . . . : Secure sockets layer cipher control
Cipher control . . . . : *OPSYS
I located these articles https://www.ibm.com/docs/en/i/7.5?topic ... l-settings
Attachments
DCM Certificate Authority setup steps (2).docx

Post by Dino »

Thank you Patrick, working to solve this following your instructions.

I leave a couple links here in this process:
https://www.ibm.com/support/pages/extra ... ertificate

https://www.ibm.com/support/pages/how-i ... te-manager

Post by Dino »

I did all the steps,
found the CA was ESET,
used the Windows certificate manager to generate the .cer,
copied it to the IBM,
imported successfully to the CA list

(...and from seeing that list, having an old V7R3, given the large list of CA providers you can see in the certificate manager "certmgr" in Windows, and the short list in the IBM, that seems to be the correct issue... Windows has Windows Update, the IBM has PTFs that are not checked that often and I don't know if the PTFs contain the latest CAs.)

changed the application to use the trusted CA list and indicated the new ESET among others to be accepted.
authorized the file to public *r.
restarted the http server.

Still the same issue... scratching my head.... anything else to take a look at?
As the issue occurs in the act of posting, no log is created.

Is there any way to obtain a verbose output for this restful api usage?

Post by atostaine »

You might be able to get IBM to help with the GSKIT error.

I know this is LANSA but if you know any RPG you can try Scott Klement's Open Source HTTPAPI or Brad Stone's (BVSTOOLS.COM) Geturi on a 7 day trial. You can get more logging with those solutions.
Art Tostaine

Post by Dino »

Thank you Patrick and Art,

Before installing, I have noticed a list of more things to check in this regard on that same site from Scott... working on that now.

https://github.com/ScottKlement/httpapi

Post by Dino »

A few more kicks in the IBM certificate manager fixed the issue. Populating with CA's, Validate certificates, assigning all validated certificates finally did the trick. Interesting, no need to restart the http server.
Thank you!

Post by kno_dk »

Hi.

I have made more or less the same code as you and when I run it on an IBM I, I got the same problem as you:

Failed to send outgoing data to the server, HTTPTransportException: Cannot initialize a channel to the remote end.
Failed to establish SSL connection to server, the operation gsk_secure_soc_init() failed.
GSKit Error is 406 - Error occurred in TLS processing, check the errno value.
GSK_ERROR_IO errno 3426 - A connection with a remote socket was reset by that socket.


I have not tried to import the CA's on 3 different servers with os400 V7R2, V7R3, V7R4 and they are all giving me the same error. I have tried to run the application on my dev pc and it runs without any problems.

I have not tried "Populating with CA's" in the DCM. What does that option do?

Does anybody know why we get the above error?

Post by Dino »

Hi

The CAs are populated in Windows continuously and kept up to date. The ones in the IBM are updated using that option and PTFs. You can manually add a CA as well.

The CA is the certificate authority, the one that says that the encrypted certificate is valid. And there are a lot of CAs in the market. You need to register them for the certificates issued by them to be recognized as valid.

https://www.ibm.com/docs/en/sia?topic=c ... ies-system

Notice that this error may have more information in the error_log in the log folder of your Apache instance in the IBM.

Post by kno_dk »

Hi dino.

I have imported the certificate tree into the DCM on the IBM I. I have validated the CA certificates and they are valid.

It is an api from a partner I am trying to connect to, so I don't think there is any log in a http-server on the IBM I.

I think if it is a problem on 3 different IBM I servers, then it must be something I have missed, because it worked out of the box on my Windows PC.

Post by René Houba »

Hi Klaus,

We solved a GSKit error yesterday:
GSKit error.JPG
This was related to insufficient IFS authority:
GSKit error (2).JPG
So please check there (on the folder, folders, files, etc) if something has authority *EXCLUDE.

/QIBM/UserData/ICSS/Cert/Server/DEFAULT.KDB

Post by kno_dk »

Hi Rene

None with *excluded.

I have now tried to make the same, but in free RPG with Scott Klement's LIBHTTP - and it works on the same server. No SSL errors.

I cannot see what the difference is right now, but I have to dig into it. :(

/Klaus

Post by Theo de Bruin »

kno_dk wrote: Wed Mar 20, 2024 3:36 am
I have imported the certificate tree into the DCM on the IBM I. I have validated the CA certificates and they are valid.

It is an api from a partner I am trying to connect to, so I don't think there is any log in a http-server on the IBM I.

I think if it is a problem on 3 different IBM I servers, then it must be something I have missed, because it worked out of the box on my Windows PC.
>> Most probably the communication is not compatible, e.g. you use an older TLS / SSL protocol, or an obsolete Cipher Suite,
as in the older OS/400 versions. (What OS versions do you have on your systems, and which Cipher Suites were used?)

Post by kno_dk »

HI.

Why could I then make it work using Scott Klement's LIBHTTP tool on the same IBM I?

Post by Dino »

The settings can be per application. Are you using the same application definition for both Scott and LANSA instances? Sslappname value.
If not, do they have the same assigned certificates, CA trust list values, etc.?

Post by kno_dk »

Hi.

It is the same API I am calling from LANSA and RPG. My LANSA function is working if I run it on my development PC without any error.
Re: why HTTPTransportException in the IBM but not in Windows?

Post by adale »

Klaus,
I don't know if this will help, but I had a similar issue in the past (receiving the error: Failed to send outgoing data to the server, HTTPTransportException: Cannot initialize a channel to the remote end, and the GSKit error, trying to connect to a trade partner API server).

I was battling the issue where I could run it successfully in dev/test, but users could not in prod.

Turned out to be a user authority issue; note from IBM at the time:
"Do you know what keystore the CA certificates were imported into? If it was the *SYSTEM certificate store, you will need to insure that the users have *SECADM and *ALLOBJ special authorities."

In our case, the CA certs from the trade partner were being imported into the *SYSTEM certificate store, and my profile had the *SECADM and *ALLOBJ special authorities, but the default Lansa job profile did not.

We didn't want to change the default Lansa job profile authorities "carte blanche", so we ended up building a special "change user profile" program when this specific job was being submitted to run.
Arlyn Dale
Servias LLC

Post by kno_dk »

Hi

What I find strange is that in the same 5250 session I can run the RPG version of the integration to the API but not the LANSA version.

I know the LANSA version is working correctly on my development PC - so I am a bit stuck in this project.

I may make the rest of the project in RPG - but I would like it to work in LANSA :cry:

Post by Theo de Bruin »

Please check under which user profile this job executes, e.g. by checking the field #USER at runtime.
This user needs *RX access to all of these directories, as well as OBJEXIST authority:

/QIBM
/QIBM/UserData
/QIBM/UserData/ICSS
/QIBM/UserData/ICSS/Cert
/QIBM/UserData/ICSS/Cert/Server

It also needs *R access as well as OBJEXIST authority to these files:

/QIBM/UserData/ICSS/Cert/Server/DEFAULT.KDB
/QIBM/UserData/ICSS/Cert/Server/DEFAULT.RDB

Or, the user must have *ALLOBJ authority.

Post by Theo de Bruin »

As per documentation, the user that runs the listener job must also have sufficient authorities

https://docs.lansa.com/15/en/lansa018/i ... _0165.htm

"The user profile of your LANSA listener must have READ access to the certificate store file you will be using when you make your HTTP request.

Make sure that the user profile has also READ and EXECUTE access to all directories in the file path.

The default system certificate store located on this path:
/QIBM/USERDATA/ICSS/CERT/SERVER/DEFAULT.KDB
"
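The directory and file access described in the two posts above can be checked level by level from a POSIX shell. This is an added example, not code from any poster, LANSA or IBM; the function name `check_keystore_path` is hypothetical, and it assumes you run it (for example in QSH or a PASE shell) as the same user profile the LANSA job or listener uses. It does not cover OBJEXIST or special authorities such as *ALLOBJ.

```shell
#!/bin/sh
# Added example (not from the thread). Run it as the user profile the LANSA
# job or listener runs under; it tests only the CURRENT user's access.

# check_keystore_path PATH
# Prints "<status> <component>" for every level of PATH and returns 0 only
# when each directory is readable+searchable and the final file is readable.
check_keystore_path() {
    target=$1
    rc=0
    case $target in /*) cur="" ;; *) cur="." ;; esac
    old_ifs=$IFS
    set -f                      # no globbing while the path is split
    IFS=/
    set -- $target              # one positional parameter per component
    IFS=$old_ifs
    set +f
    for part in "$@"; do
        [ -n "$part" ] || continue
        cur="$cur/$part"
        if [ ! -e "$cur" ]; then
            # Also reported when a parent directory lacks execute (*X),
            # so fix the first failing line before re-running.
            status=MISSING
        elif [ -d "$cur" ]; then
            if [ -r "$cur" ] && [ -x "$cur" ]; then status=ok; else status='DENIED(*RX)'; fi
        elif [ -r "$cur" ]; then
            status=ok
        else
            status='DENIED(*R)'
        fi
        [ "$status" = ok ] || rc=1
        printf '%-12s %s\n' "$status" "$cur"
    done
    return $rc
}

# Paths to check are passed as arguments, e.g. the two store files named in
# the thread: /QIBM/UserData/ICSS/Cert/Server/DEFAULT.KDB and DEFAULT.RDB.
if [ $# -gt 0 ]; then
    for p in "$@"; do check_keystore_path "$p" || echo "-> fix the first non-ok line above"; done
fi
```

The first line that is not `ok` is the level to fix; lines after a directory without execute access are unreliable because the shell cannot look inside it.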