
RE: Suggestions on missing config- Do we need to Crypto access product installed ?



In your https_init, you called with appID UPS. Scott indicated that you might consider *blanks. Using a specific application ID is possible, but then you have to associate the DCM profile with the application. This is usually reserved for those specific occasions where the entity you are communicating with has provided you with a certificate that you have installed in the DCM. In your debug, you can see that UPS did not work out very well:

SetError() #35: Application is not registered with DCM!    

-----Original Message-----
From: ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx [mailto:ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx] On Behalf Of Scott Klement
Sent: Tuesday, December 23, 2014 10:49 AM
To: HTTPAPI and FTPAPI Projects
Subject: Re: Suggestions on missing config- Do we need to Crypto access product installed ?

Krish,

To enable SSLv3 in HTTPAPI 1.26+, you must call https_init() at the start of your program.  For example:

https_init(*blanks: *OFF: *ON: *ON: *ON: *ON);

This tells the HTTPS support in HTTPAPI to use a blank appid (default application profile), disable SSLv2 (*OFF), and enable SSLV3 (*ON), as well as TLSv1.0, 1.1 and 1.2 (all set to *ON). By default *OFF is used for SSLv3 due to the fact that it is no longer considered secure.

The QSSLPCL system value specifies which versions of SSL/TLS that applications are *allowed* to use.  So it's important that SSLv3 is enabled there, but HTTPAPI 1.26+ will not attempt to use it unless you also specify it in https_init().  The *OPSYS value means "use whatever versions are the default for the operating system", which is different in different versions of IBM i.  In V7R1 and older, I believe SSLV3 is enabled with *OPSYS, however, with V7R2, it is not, so you would need to enable it explicitly.

Good luck


On 12/22/2014 10:59 PM, Krish Thirumalai wrote:
>     I installed the new HTTPAPI version outside the application and tried
>     to send the PLD, but need some direction in determining how I can keep
>     the SSLV3 enabled within HTTPAPI.
>     Looking at the logs it looks like it is enabled till the
>     https_url_post_stmf step. I think I am missing something else at this
>     time, but cannot figure out what though. For some reason even though I
>     enabled it specifically in the QSSLPCL and in the program I get an
>     error that indicates (GSKit) Operation is not supported by SSL. If I
>     change the system value QSSLPCL to *OPSYS, this error goes away, but
>     the communication to UPS does not work since they only support SSLV3.
>
>       ************Beginning of data**************
>     HTTPAPI Ver 1.26 released 2014-12-19
>     OS/400 Ver V7R2M0
>
>     https_init(): entered
>     QSSLPCL = *SSLV3
>     SSL version 2 support disabled
>     SSL version 3 support enabled
>     Old interface to TLS version 1.0 support enabled
>     TLS version 1.0 support enabled
>     TLS version 1.1 support enabled
>     TLS version 1.2 support enabled
>     SetError() #35: Application is not registered with DCM!
>     http_url_post_stmf(): entered
>     getting post file size...
>     opening file to be sent...
>     opening file to be received
>     http_persist_open(): entered
>     http_long_ParseURL(): entered
>     DNS resolver retrans: 2
>     DNS resolver retry   : 2
>     DNS resolver options: x'00000136'
>     DNS default domain: [1]SKECHERS.COM
>     DNS server found: 172.31.102.14
>     DNS server found: 172.22.4.5
>     https_init(): entered
>     QSSLPCL = *SSLV3
>     SSL version 2 support disabled
>     SSL version 3 support disabled
>     Old interface to TLS version 1.0 support enabled
>     TLS version 1.0 support enabled
>     TLS version 1.1 support enabled
>     TLS version 1.2 support enabled
>     (GSKit) Operation is not supported by SSL.
>     ssl_error(412): (GSKit) Operation is not supported by SSL.
>     SetError() #24: gsk_env_init: (GSKit) Operation is not supported by SSL.
>
>     The code I have is as follows
>     https_init('UPS':*OFF:*ON);
>
>     rc = http_url_post_stmf('[2]https://www.pld.ups.com'
>                                            + '/hapld/tos/kdwhapltos'
>                                        : '/UPS_300/UPS_001_007.txt'
>                                        : '/UPS_300/UPS_001_result.txt'
>                                        : HTTP_TIMEOUT
>                                        : HTTP_USERAGENT
>                                        : ContentType );
>
>     Thanks
>     Krish     
>
>     On Fri, Dec 19, 2014 at 12:08 PM, Scott Klement
>     <[3]sk@xxxxxxxxxxxxxxxx> wrote:
>
>       Hi Krish,
>       Any chance you can try this with a newer version of HTTPAPI?   The
>       version you used is 9 years old, and it's hard to remember what
>       quirks (if any) were in that version, since I haven't used it in
>       about 8 years.
>       Also, what version of IBM i are you running?      (Whether you
>       do/don't need 57xx-AC3 depends on the version of the OS)
>       -SK
>       On 12/19/2014 8:33 AM, Krish Thirumalai wrote:
>
>             I am attempting to communicate to UPS using the SSL tool to post their
>             PLD. We have two iSeries machines and are able to do so successfully
>             from one of them but not from another.
>             When I turn debug on I get only the following from both the systems.
>             I am trying to determine what the issue is. I have uninstalled the
>             certificates and reinstalled them but that does not seem to help.
>             Do we need to install the
>             5722AC3 Crypto Access Provider 128-bit for AS/400?
>
>       --------------------------------------------------------------------
>       ---
>       This is the FTPAPI mailing list.   To unsubscribe, please go to:
>       [4]http://www.scottklement.com/mailman/listinfo/ftpapi
>       --------------------------------------------------------------------
>       ---
>
> References
>
>     1. http://SKECHERS.COM/
>     2. https://www.pld.ups.com/
>     3. mailto:sk@xxxxxxxxxxxxxxxx
>     4. http://www.scottklement.com/mailman/listinfo/ftpapi
>

-----------------------------------------------------------------------
This is the FTPAPI mailing list.  To unsubscribe, please go to:
http://www.scottklement.com/mailman/listinfo/ftpapi
-----------------------------------------------------------------------
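
Added example, not part of the original thread and not HTTPAPI code: a Python triage of an HTTPAPI debug log that reports, per https_init() section, whether SSLv2/SSLv3 is enabled, whether the appID was rejected by DCM, and whether none of the enabled protocols appears in QSSLPCL. The last check is a heuristic drawn from the description of QSSLPCL above as the allowed set; `triage`, the finding labels and the sample log are constructed for illustration.

```python
import re

# Constructed sample, modelled on the HTTPAPI debug lines quoted in this thread.
SAMPLE_LOG = """\
https_init(): entered
QSSLPCL = *SSLV3
SSL version 3 support enabled
TLS version 1.0 support enabled
SetError() #35: Application is not registered with DCM!
https_init(): entered
QSSLPCL = *SSLV3
SSL version 3 support disabled
TLS version 1.0 support enabled
TLS version 1.2 support enabled
SetError() #24: gsk_env_init: (GSKit) Operation is not supported by SSL.
"""

PROTO = re.compile(r"^(SSL|TLS) version ([\d.]+) support (enabled|disabled)")
# QSSLPCL value name for each protocol reported in the debug log.
SYSVAL = {"SSL2": "*SSLV2", "SSL3": "*SSLV3", "TLS1.0": "*TLSV1",
          "TLS1.1": "*TLSV1.1", "TLS1.2": "*TLSV1.2"}

def triage(log):
    """Return one list of findings per https_init() section of the log."""
    sections, cur = [], None
    for line in (raw.strip() for raw in log.splitlines()):
        if line.startswith("https_init(): entered"):
            cur = {"sysval": set(), "enabled": set(), "errors": []}
            sections.append(cur)
        elif cur is None:
            continue
        elif line.startswith("QSSLPCL ="):
            # Assumption: several values would be printed space-separated.
            cur["sysval"] = set(line.split("=", 1)[1].split())
        elif (m := PROTO.match(line)) and m[3] == "enabled":
            cur["enabled"].add(SYSVAL.get(m[1] + m[2], m[0]))
        elif line.startswith("SetError()"):
            cur["errors"].append(line)
    results = []
    for s in sections:
        found = []
        if s["enabled"] & {"*SSLV2", "*SSLV3"}:
            found.append("legacy-ssl-enabled")  # SSLv3 is no longer considered secure
        if s["sysval"] and "*OPSYS" not in s["sysval"] and not (s["enabled"] & s["sysval"]):
            found.append("no-enabled-protocol-in-QSSLPCL")  # heuristic, see lead-in
        if any("not registered with DCM" in e for e in s["errors"]):
            found.append("appid-not-registered-in-DCM")
        results.append(found)
    return results
```
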