why HTTPTransportException in the IBM but not in Windows?

This Q&A forum allows users to post and respond to "How Do I Do ....." questions. Please do not use to report (suspected) errors - you must use your regional help desk for this. The information contained in this forum has not been validated by LANSA and, as such, LANSA cannot guarantee the accuracy of the information.
Post Reply
RomainG
Posts: 16
Joined: Mon Aug 05, 2024 4:29 pm

Re: why HTTPTransportException in the IBM but not in Windows?

Post by RomainG »

Hello everyone,

I’m facing a similar issue with making HTTPS requests from Visual LANSA on an IBM i system. I am using the LANSA Server as the "Client".

I’m using the #Request.DoGet (#Request is a #XPRIM_HttpRequest component) command in my Srvroutine to call an HTTPS endpoint.
The command works fine with HTTP, but when switching to HTTPS, I encounter the following error:
Failed to send outgoing data to the server, HTTPTransportException: Cannot initialize a channel to the remote end.
Failed to establish SSL connection to server, the operation gsk_secure_soc_init() failed.
GSKit Error is 6000 - Certificate is not signed by a trusted certificate authority.
What I've Tried:

1. Testing on POSTMAN:
The same URL works fine in Postman without issues.

2. Importing Certificates into DCM:
I exported the server's CA certificate and imported it into the *SYSTEM certificate store using IBM i's Digital Certificate Manager (DCM).

3. Changing User authorization
I also gave *R access as well as OBJEXIST authority to these files:
/QIBM/UserData/ICSS/Cert/Server/DEFAULT.KDB
/QIBM/UserData/ICSS/Cert/Server/DEFAULT.RDB
but I still have the error.

The issue seems to be with IBM i not trusting the CA or some configuration mismatch.

How can I ensure I’m assigning the certificate to the correct application in DCM?
Is there a way to debug the GSKit or LANSA connection further to identify what’s missing?
Has anyone successfully resolved similar issues with HTTPS and Visual LANSA?

Thanks in advance for your help!

Romain
Top
RomainG
Posts: 16
Joined: Mon Aug 05, 2024 4:29 pm

Re: why HTTPTransportException in the IBM but not in Windows?

Post by RomainG »

After asking LANSA Support, we have found the solution to our issue.

Here is what they said:
Problem determination:

The call LANSA is making only support strict SNI. So if the FQDN doesn't match or the SNI doesn't send an acknowledgement, the secure connection will fail (page 110 of document https://public.dhe.ibm.com/systems/supp ... nt_new.pdf) Taken from document: Server Name Indication (SNI) when establishing SSL connections, as defined by RFC 6066, allows TLS clients to provide to the TLS server the name of the server they are contacting. This function is used to facilitate secure connections to servers that host multiple 'virtual' servers at a single underlying network address. If the client requested FQDN does not match or no server SNI acknowledgment is sent, the secure connection will fail. SNI supports non-critical SNI requests (ibm.com) https://www.ibm.com/support/pages/sni-s ... i-requests and Known Issue: DT301082 (ibm.com) https://www.ibm.com/mysupport/s/defect/ ... uage=en_US In other words at the time the original doc was written you could only ask for strict SNI Since then ibm allowed non critical SNI requests, which is to say request SNI to help the server

You are connecting but don't expect a confirmation back - by default the strict interpretation is expect a response back. What appears to be needed is a new property to set that transport property AXISC_PROPERTY_HTTP_SSL_SNI_CRITICAL = FALSE qsys2.gethttp calls that use axis and do this via an http option sslSniCritical
The solution they gave us was to add the following properties:

#Request.Options.SetMiscProperty Name('sni_fqdn') Value('somevalue')
#Request.Options.SetMiscProperty Name('app_id') Value('QIBM_QTV_TELNET_CLIENT')
#Request.options.SetMiscProperty name('sni_critical') value('false')
Top
kno_dk
Posts: 219
Joined: Tue Feb 23, 2016 12:00 am

Re: why HTTPTransportException in the IBM but not in Windows?

Post by kno_dk »

Hi.

Looked into this issue once again. The answer was actually in a support case I had with Theo - I must have overlooked it in the answer.

I just had to set the sni_fqdn to the same valeu as the host
#Url.SetHost( 'xyz.server.com' )
ÆReq.Options.SetMiscProperty Name('sni_fqdn') Value('xyz.server.com')

Now it works.

Thanks Theo

/klaus
Top
User avatar
MARCOREMMEDATA
Posts: 14
Joined: Mon Apr 11, 2022 4:48 pm
Location: ITALIA
Contact:
Contact MARCOREMMEDATA

Re: why HTTPTransportException in the IBM but not in Windows?

Post by MARCOREMMEDATA »

Hi

i've the same problem, but sometimes work fine.
I am using the example provided xDemoExternalProvidersLoginWebpage downloaded from
https://docs.lansa.com/14/EN/lansa018/i ... y%7C_____3
to implement SSO
The code as downloaded on AS400 it did not work, then I added the MiscProperty as indicated in this discussion, it works occasionally

follow the code segment

Code: Select all

£Req <= *New £XPRIM_HttpRequest
£Response <= *New £XPRIM_RandomAccessJsonReader
£Url <= *New £XPRIM_UriBuilder

£Url.SetScheme SCHEME("https")
£Url.SetHost HOST('login.microsoftonline.com')
£Url.SetPort PORT(443)
£Url.SetPath PATH('/f22af536-d2e3-4b57-a7b8-ab91e7cd3906/oauth2/v2.0/token')

£Req.Clear

£Req.Content.AddUrlEncodedFormValue( 'client_id' '*************************' )
£Req.Content.AddUrlEncodedFormValue( 'scope' 'user.read mail.read' )
£Req.Content.AddUrlEncodedFormValue( 'code' £AuthorizationCode )
£Req.Content.AddUrlEncodedFormValue( 'redirect_uri' £gLoginCallbackUrl )
£Req.Content.AddUrlEncodedFormValue( 'grant_type' 'authorization_code' )
£Req.Content.AddUrlEncodedFormValue( 'client_secret' '****************************' )

£Req.Options.SetTimeout SECONDS(10)

£Req.Options.SetMiscProperty NAME('sni_fqdn') VALUE('login.microsoftonline.com')
£Req.Options.SetMiscProperty NAME('app_id') VALUE('QIBM_QTV_TELNET_CLIENT')
£Req.options.SetMiscProperty NAME('sni_critical') VALUE('false')

£Req.DoPost URL(£Url)
The behaviour is as follows:

it manages to retrieve the token once,
then stops working and returns the message:

Failed to send outgoing data to the server, HTTPTransportException: Cannot initialize a channel to the remote end.
Failed to establish SSL connection to server, the operation gsk_secure_soc_init() failed.
GSKit Error is 6000 - Il certificato non è firmato da una autorità di certificazione affidabile.

After few mitues, work corectly

Follow a sample trace

Code: Select all

094444 -------------------------------------------
094452 Url....................: https://login.microsoftonline.com/f22af536-d2e3-4b57-a7b8-ab91e7cd3906/oauth2/v2.0/token
094452 IsSuccessfulRequest....: TRUE
094452 IsSuccessHttpStatusCode: TRUE
094452 HttpStatusCode.........: 200
094452 ErrorMessage...........: 
094452 ErrorCode..............: 
094452 -------------------------------------------
094458 Url....................: https://login.microsoftonline.com/f22af536-d2e3-4b57-a7b8-ab91e7cd3906/oauth2/v2.0/token
094458 IsSuccessfulRequest....: FALSE
094458 IsSuccessHttpStatusCode: FALSE
094458 HttpStatusCode.........: 0
094458 ErrorMessage...........: Failed to send outgoing data to the server, HTTPTransportException: Cannot initialize a channel to the remote end.
Failed to establish SSL connection to server, the operation gsk_secure_soc_init() failed.
GSKit Error is 6000 - Il certificato non è firmato da una autorità di certificazione affidabile.
094458 ErrorCode..............: CONNECTION_ERROR
094458 -------------------------------------------
As you can see, the first request response is Ok with Http Status 200, the next end in error.
My impression is that after the first success, the certificate is lost.

Has this ever happened to you?
Do you have any suggestions for this specific case?
MARCO ROSSI | Software Developer Sr. - Software Production
Top
Post Reply

Return to “Questions & Answers”