All-
Found a way to get support from IBM on this. Instead of reporting that HTTPAPI was having an issue I used the SQL UDF SYSTOOLS.HTTPPOSTCLOB and reported its error.
https://www.ibm.com/support/knowledgecenter/ssw_ibm_i_74/rzajq/rzajqudfhttppostclob.htm
Note these are on our V7R1, but couldn’t find the info on that version’s manual.
Here is what IBM sent at first, good information on tracing:
https://www.ibm.com/support/pages/mustgather-ibm-i-db2-systools-http-functions-httpgetclob-etc
THIS I think confirms what I had been suspecting, that we are not up to date on cipher suites and so we can no longer make a secure connection.
[IBM]
You can call some HTTP functions using the JDBC client program.
From QSH
$ java -Djavax.net.debug=ssl:handshake:verbose -cp /QIBM/UserData/OS400/SQLLib/Function/jar/SYSTOOLS/DB2RESTUDF.jar:/qibm/proddata/os400/jt400/lib/jt400.jar com.ibm.as400.access.jdbcClient.Main
jdbc:as400:localhost
>!callmethod com.ibm.db2.rest.DB2UDFWrapper.httpGetClob('https://prod1.IPCharge2.net',null)
.. Debugging information displayed. -- then search the web for matching information
[IBM]
NOTE: !callmethod… must be typed as is, with the “!”, to work. Not a Java guy, so I missed that at first.
I substituted our problem webservice for the URL in the httpGetClob, just the full URL not the XML data, and presto got a dump on the screen of all Java debug info; here is the important bit, I think:
[snipit]
Cipher Suites: [SSL_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_RSA_WITH_AES_128_CBC_SHA,
SSL_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_AES_256_CBC_SHA,
SSL_RSA_WITH_DES_CBC_SHA, SSL_RSA_FIPS_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA,
SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RENEGO_PROTECTION_REQUEST]
[/snipit]
This combined with the SSL analysis from this website:
https://www.ssllabs.com/ssltest/
[snipit]
Cipher Suites
# TLS 1.2 (suites in server-preferred order)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH secp256r1 (eq. 3072 bits RSA) FS | 256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK | 256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH secp256r1 (eq. 3072 bits RSA) FS | 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK | 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK | 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK | 128
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) DH 2048 bits FS | 256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b) DH 2048 bits FS WEAK | 256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) DH 2048 bits FS | 128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67) DH 2048 bits FS WEAK | 128
[/snipit]
Leads me to conclude that the webservice no longer has compatible cipher suites for TLS v1.2 with our machine and so no SSL connection is possible.
Waiting for IBM to confirm.
Anyway I hope all this helps someone, and maybe even myself in 5 or 10 years when I come across this again.
Have a great weekend everyone!
Michael
P.S. Thanks to Scott for all his Open Source work!!
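
The comparison the post makes by eye, as an added example that is not part of the original message: it parses the client offer from the Java debug output and the server list from the SSL Labs report (both copied from the post) and intersects them. The function names are illustrative.

```python
import re

# Client offer as posted (javax.net.debug output, including the terminal's mid-name wraps).
CLIENT_DEBUG = """Cipher Suites: [SSL_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_AE
S_256_CBC_SHA, SSL_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_RSA_FIPS_WITH_DE
S_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RENEGO_PROTECTION_REQUEST]"""

# Server list as posted (SSL Labs report, suite names and hex codes only).
SERVER_REPORT = """
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67)
"""

def normalize(name):
    """IBM JSSE prints the legacy SSL_ prefix; SSL Labs prints the TLS_ form."""
    return re.sub(r"^SSL_", "TLS_", name)

def client_suites(debug_text):
    m = re.search(r"Cipher Suites:\s*\[(.*?)\]", debug_text, re.S)
    if not m:
        return set()
    # Dropping all whitespace rejoins names the terminal wrapped mid-identifier.
    names = re.sub(r"\s+", "", m.group(1)).split(",")
    # The RENEGO entry is a renegotiation signalling value, not an encryption suite.
    return {normalize(n) for n in names if n and "RENEGO" not in n}

def server_suites(report_text):
    return set(re.findall(r"\b(TLS_[A-Z0-9_]+)\s*\(0x[0-9a-f]+\)", report_text))

def key_exchanges(suites):
    """Key-exchange/authentication part of each name, e.g. DHE_RSA."""
    return {s.split("_WITH_")[0][4:] for s in suites}

def common_suites(debug_text, report_text):
    return sorted(client_suites(debug_text) & server_suites(report_text))

if __name__ == "__main__":
    c, s = client_suites(CLIENT_DEBUG), server_suites(SERVER_REPORT)
    print("common suites:", common_suites(CLIENT_DEBUG, SERVER_REPORT) or "none")
    print("shared key exchange:", sorted(key_exchanges(c) & key_exchanges(s)))
    print("client lacks:", sorted(key_exchanges(s) - key_exchanges(c)))
```

The intersection is empty. The two sides share only the DHE_RSA key exchange, and there the server lists GCM and CBC_SHA256 suites while the client offers only CBC_SHA ones.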