All- Found a way to get support from IBM on this. Instead of reporting that HTTPAPI was having an issue I used the SQL UDF SYSTOOLS.HTTPPOSTCLOB and reported its error. https://www.ibm.com/support/knowledgecenter/ssw_ibm_i_74/rzajq/rzajqudfhttppostclob.htm Note these are on our V7R1, but couldn’t find the info on that version’s manual. Here is what IBM sent at first, good information on tracing: https://www.ibm.com/support/pages/mustgather-ibm-i-db2-systools-http-functions-httpgetclob-etc THIS I think confirms what I had been suspecting, that we are not up to date on cipher suites and so we can no longer make a secure connection. [IBM] You can call some HTTP functions using the JDBC client program. From QSH $ java -Djavax.net.debug=ssl:handshake:verbose -cp /QIBM/UserData/OS400/SQLLib/Function/jar/SYSTOOLS/DB2RESTUDF.jar:/qibm/proddata/os400/jt400/lib/jt400.jar
com.ibm.as400.access.jdbcClient.Main jdbc:as400:localhost >!callmethod com.ibm.db2.rest.DB2UDFWrapper.httpGetClob('https://prod1.IPCharge2.net',null) .. Debugging information displayed. -- then search the web for matching information [IBM] NOTE: !callmethod… must be typed as it with the “!” to work, not a java guy so I missed that at first.
J I substituted our problem webservice for the URL in the httpGetClob, just the full URL not the XML data, and presto got a dump on the screen of all java debug info, here is the important bit I think: [snipit] Cipher Suites: [SSL_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_AE S_256_CBC_SHA, SSL_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_RSA_FIPS_WITH_DE S_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RENEGO_PROTECTION_REQUEST] [/snipit] This combined with the SSL analysis from this website:
https://www.ssllabs.com/ssltest/ [snipit]
[/snipit] Leads me to conclude that the webservice no longer has compatible cipher suites for TLS v1.2 with our machine and so no SSL connection is possible. Waiting for IBM to confirm. Anyway I hope all this helps someone, and maybe even myself in 5 or 10 years when I come across this again. Have a great weekend everyone! Michael P.S. Thanks to Scott for all his Open Source work!! |
-- _______________________________________________ Ftpapi mailing list Ftpapi@xxxxxxxxxxxxxxxxxxxxxx http://scottklement.com/mailman/listinfo/ftpapi