Re: Suggestions on missing config- Do we need to Crypto access product installed ?
In the previous email I was pointing at the wrong place where the
program was hanging up. I went deeper into the code to determine where
it was hanging up and determined it was a different point, trying to
get certificate info.
It is getting hung up within the SSL_debug_cert_info procedure in
COMMSSLR4 at the following statement:

eval      rc = gsk_attribute_get_cert_info( peSSLh
                                          : peInfoID
                                          : p_start
                                          : wwCount )

and not in the persist open procedure as identified in the previous
email.
On Tue, Dec 23, 2014 at 10:52 PM, Krish Thirumalai
<[1]krisht.400@xxxxxxxxx> wrote:
Thanks for the suggestion; using blanks as the application id helped
get past the gsKit error. I am past that error, but still back to the
same original issue where I am not getting any response from UPS. I
tried to debug the HTTPAPIR4 service program to see where it was
stopping and it seems to be stuck at the following line in the
http_url_post_raw2 procedure:

eval      wwComm = http_persist_open( peURL
                                    : peTimeout )

The program just seems to go into an endless wait, and when I ran a
trace with netstat it seemed to go into a close wait state after the
time specified in peTimeout without any response, and I have to end the
job abnormally each time. Attached is the log that I see when I end the
job.
In this case the entity we are communicating with (UPS) has provided
instructions to download their certificate and install it in the DCM.
Do we need an application id if we have installed a specific
certificate that UPS has provided? Any other thoughts on any other
setting that I could have missed?
HTTPAPI Ver 1.26 released 2014-12-19
OS/400 Ver V7R2M0

New iconv() objects set, PostRem=819. PostLoc=0. ProtRem=819. ProtLoc=0
https_init(): entered
QSSLPCL = *SSLV3
SSL version 2 support disabled
SSL version 3 support enabled
Old interface to TLS version 1.0 support disabled
TLS version 1.0 support disabled
TLS version 1.1 support disabled
TLS version 1.2 support disabled
-----------------------------------------------------------------------
Dump of local-side certificate information:
-----------------------------------------------------------------------
http_url_post_stmf(): entered
getting post file size...
opening file to be sent...
opening file to be received
http_persist_open(): entered
http_long_ParseURL(): entered
DNS resolver retrans: 2
DNS resolver retry  : 2
DNS resolver options: x'00000136'
DNS default domain: [2]SKECHERS.COM
DNS server found: 172.31.102.14
DNS server found: 172.22.4.5
Nagle's algorithm (TCP_NODELAY) disabled.
SNI hostname set to: [3]www.pld.ups.com
-----------------------------------------------------------------------
Dump of server-side certificate information:
-----------------------------------------------------------------------
Cert Validation Code = 0
On Tue, Dec 23, 2014 at 12:30 PM, Mike Krebs
<[4]mkrebs@xxxxxxxxxxxxxxxxxx> wrote:
In your https_init, you called with appID UPS. Scott indicated that
you might consider *blanks. Using a specific application ID is
possible, but then you have to associate the DCM profile with the
application. This is usually reserved for those specific occasions
where the entity you are communicating with has provided you with a
certificate that you have installed in the DCM. In your debug, you
can see that UPS did not work out very well:
SetError() #35: Application is not registered with DCM!
-----Original Message-----
From: [5]ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx
[mailto:[6]ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx] On Behalf Of Scott
Klement
Sent: Tuesday, December 23, 2014 10:49 AM
To: HTTPAPI and FTPAPI Projects
Subject: Re: Suggestions on missing config- Do we need to Crypto
access product installed ?
Krish,
To enable SSLv3 in HTTPAPI 1.26+, you must call https_init() at the
start of your program. For example:
https_init(*blanks: *OFF: *ON: *ON: *ON: *ON);
This tells the HTTPS support in HTTPAPI to use a blank appid (default
application profile), disable SSLv2 (*OFF), and enable SSLV3 (*ON), as
well as TLSv1.0, 1.1 and 1.2 (all set to *ON). By default *OFF is used
for SSLv3 due to the fact that it is no longer considered secure.
The QSSLPCL system value specifies which versions of SSL/TLS
applications are *allowed* to use. So it's important that SSLv3 is
enabled there, but HTTPAPI 1.26+ will not attempt to use it unless you
also specify it in https_init(). The *OPSYS value means "use whatever
versions are the default for the operating system", which is different
in different versions of IBM i. In V7R1 and older, I believe SSLV3 is
enabled with *OPSYS, however, with V7R2, it is not, so you would need
to enable it explicitly.
Good luck
On 12/22/2014 10:59 PM, Krish Thirumalai wrote:
> I installed the new HTTPAPI version outside the application and tried
> to send the PLD, but need some direction in determining how I can keep
> SSLV3 enabled within HTTPAPI.
> Looking at the logs it looks like it is enabled till the
> https_url_post_stmf step. I think I am missing something else at this
> time, but cannot figure out what though. For some reason, even though I
> enabled it specifically in the QSSLPCL and in the program, I get an
> error that indicates (GSKit) Operation is not supported by SSL. If I
> change the system value QSSLPCL to *OPSYS, this error goes away, but
> the communication to UPS does not work since they only support SSLV3.
>
> ************Beginning of data**************
>
> HTTPAPI Ver 1.26 released 2014-12-19
> OS/400 Ver V7R2M0
> https_init(): entered
> QSSLPCL = *SSLV3
> SSL version 2 support disabled
> SSL version 3 support enabled
> Old interface to TLS version 1.0 support enabled
> TLS version 1.0 support enabled
> TLS version 1.1 support enabled
> TLS version 1.2 support enabled
> SetError() #35: Application is not registered with DCM!
> http_url_post_stmf(): entered
> getting post file size...
> opening file to be sent...
> opening file to be received
> http_persist_open(): entered
> http_long_ParseURL(): entered
> DNS resolver retrans: 2
> DNS resolver retry  : 2
> DNS resolver options: x'00000136'
> DNS default domain: [7]SKECHERS.COM
> DNS server found: 172.31.102.14
> DNS server found: 172.22.4.5
> https_init(): entered
> QSSLPCL = *SSLV3
> SSL version 2 support disabled
> SSL version 3 support disabled
> Old interface to TLS version 1.0 support enabled
> TLS version 1.0 support enabled
> TLS version 1.1 support enabled
> TLS version 1.2 support enabled
> (GSKit) Operation is not supported by SSL.
> ssl_error(412): (GSKit) Operation is not supported by SSL.
> SetError() #24: gsk_env_init: (GSKit) Operation is not supported by SSL.
>
> The code I have is as follows:
>
> https_init('UPS':*OFF:*ON);
>
> rc = http_url_post_stmf('[8]https://www.pld.ups.com'
>                        + '/hapld/tos/kdwhapltos'
>                        : '/UPS_300/UPS_001_007.txt'
>                        : '/UPS_300/UPS_001_result.txt'
>                        : HTTP_TIMEOUT
>                        : HTTP_USERAGENT
>                        : ContentType );
>
> Thanks
> Krish
>
> On Fri, Dec 19, 2014 at 12:08 PM, Scott Klement
> <[9]sk@xxxxxxxxxxxxxxxx> wrote:
>
>     Hi Krish,
>     Any chance you can try this with a newer version of HTTPAPI? The
>     version you used is 9 years old, and it's hard to remember what
>     quirks (if any) were in that version, since I haven't used it in
>     about 8 years.
>     Also, what version of IBM i are you running? (Whether you
>     do/don't need 57xx-AC3 depends on the version of the OS)
>     -SK
>     On 12/19/2014 8:33 AM, Krish Thirumalai wrote:
>
>         I am attempting to communicate to UPS using the SSL tool to
>         post their PLD. We have two iSeries machines and are able to
>         do so successfully from one of them but not from another.
>         When I turn debug on I get only the following from both the
>         systems.
>         I am trying to determine what the issue is. I have uninstalled
>         the certificates and reinstalled them but that does not seem
>         to help.
>         Do we need to install the
>         5722AC3 Crypto Access Provider 128-bit for AS/400?
>
>     -----------------------------------------------------------------------
>     This is the FTPAPI mailing list. To unsubscribe, please go to:
>     [10]http://www.scottklement.com/mailman/listinfo/ftpapi
>     -----------------------------------------------------------------------
>
-----------------------------------------------------------------------
This is the FTPAPI mailing list. To unsubscribe, please go to:
[16]http://www.scottklement.com/mailman/listinfo/ftpapi
-----------------------------------------------------------------------
References
1. mailto:krisht.400@xxxxxxxxx
2. http://SKECHERS.COM/
3. http://www.pld.ups.com/
4. mailto:mkrebs@xxxxxxxxxxxxxxxxxx
5. mailto:ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx
6. mailto:ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx
7. http://SKECHERS.COM/
8. https://www.pld.ups.com/
9. mailto:sk@xxxxxxxxxxxxxxxx
10. http://www.scottklement.com/mailman/listinfo/ftpapi
11. http://SKECHERS.COM/
12. https://www.pld.ups.com/
13. mailto:sk@xxxxxxxxxxxxxxxx
14. http://www.scottklement.com/mailman/listinfo/ftpapi
15. http://www.scottklement.com/mailman/listinfo/ftpapi
16. http://www.scottklement.com/mailman/listinfo/ftpapi
17. http://www.scottklement.com/mailman/listinfo/ftpapi
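The debug excerpts in this thread, read by a small parser added here as an example (Python, not HTTPAPI's own code): it takes the https_init() section of an HTTPAPI debug log, tracks which protocol versions the last https_init() call left enabled, collects the SetError()/ssl_error()/GSKit lines, and maps them to the three causes discussed above (unregistered appid, a protocol QSSLPCL does not allow, no version overlap with the peer). The sample logs are constructed from the lines quoted in the thread, and the peer capability set (UPS accepting only SSLv3) is the thread's claim, not something the code checks against the server.

```python
import re
PROTO_RE = re.compile(r"^(SSL version \d|TLS version 1\.\d) support (enabled|disabled)$")
ERROR_RE = re.compile(r"^(?:SetError\(\) #\d+: |ssl_error\(\d+\): |\(GSKit\) )(.+)$")

def parse_https_init_log(text):
    """Return (qsslpcl, enabled, errors); each 'https_init(): entered' resets the protocol table."""
    qsslpcl, enabled, errors = None, set(), []
    for raw in text.splitlines():
        line = raw.strip().lstrip(">").strip()          # tolerate '> ' quoted log lines
        if line == "https_init(): entered":
            enabled = set()                              # a later https_init() call wins
        elif line.startswith("QSSLPCL ="):
            qsslpcl = line.split("=", 1)[1].strip()
        elif (m := PROTO_RE.match(line)):
            name = m.group(1).replace("SSL version ", "SSLv").replace("TLS version ", "TLSv")
            (enabled.add if m.group(2) == "enabled" else enabled.discard)(name)
        elif (m := ERROR_RE.match(line)):
            errors.append(m.group(1))
    return qsslpcl, enabled, errors

def diagnose(enabled, errors, peer_supports):
    """Causes the thread identifies; [] means protocol/DCM setup is consistent and the fault is elsewhere."""
    causes = []
    if any("not registered with DCM" in e for e in errors):
        causes.append("appid not registered in DCM: use *blanks or register the application")
    if any("Operation is not supported by SSL" in e for e in errors):
        causes.append("https_init() requested a protocol that QSSLPCL does not allow")
    if not enabled & peer_supports:
        causes.append("no protocol overlap with peer: %s vs %s" % (sorted(enabled), sorted(peer_supports)))
    return causes

# Constructed from the quoted 12/22 output: appid 'UPS' unregistered, then a second init with SSLv3 off.
LOG_DEC22 = """\
> https_init(): entered
> QSSLPCL = *SSLV3
> SSL version 3 support enabled
> SetError() #35: Application is not registered with DCM!
> https_init(): entered
> SSL version 3 support disabled
> TLS version 1.2 support enabled
> ssl_error(412): (GSKit) Operation is not supported by SSL.
"""
# Constructed from the 12/23 log: only SSLv3 enabled and no error, so the hang is not a protocol mismatch.
LOG_DEC23 = """\
https_init(): entered
QSSLPCL = *SSLV3
SSL version 3 support enabled
TLS version 1.2 support disabled
"""
UPS_SSLV3_ONLY = {"SSLv3"}   # the thread's statement that UPS only supports SSLv3 (assumption)
```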