IBM Support

Configuring IBM i DB2 SYSTOOLS HTTP User-Defined Functions for TLS/HTTPS Secure Communications

How To


Summary

This document explains how to configure TLS/HTTPS secure communications for the IBM i DB2 SYSTOOLS HTTP Java User-Defined Functions (UDFs).

Environment

IBM i OS

Steps

1) Obtain the CA certificate(s) from the 3rd party URL

There are 3 primary ways to do this:
a) Enter the HTTPS URL into your web browser's address bar and view the TLS certificate currently used on the connection.  Then, follow the instructions on Extracting a CA Root Certificate from a Digital Certificate.

b) Use the QMGTOOLS/GETSSL utility.

c) Follow the steps on How to extract CA certificates for the  remote port 443 instead of 990. 
  
2) Create the Java keystore, import the CA cert(s), and set the javax.net.ssl.trustStore Java property for the IBM i user profile executing the DB2 HTTP User-Defined Function.

STRQSH

cp /QOpenSys/QIBM/ProdData/JavaVM/jdk80/64bit/jre/lib/security/cacerts /home/cacerts
NOTE:  This assumes 5770JV1 Option 17 is installed.  If the above command fails, switch the Java version (jdk70, jdk71, or jdk80) and bit level (32bit or 64bit) to match the 5770JV1 options that are currently installed.  To identify your installed 5770JV1 LPPs, execute GO LICPGM Option 10 and then press F11 twice to view the "Product Option" column.

keytool -import -trustcacerts -keystore /home/cacerts -storepass changeit -noprompt -alias mycert -file /tmp/mycertificate.cer
NOTE:  Repeat the keytool command for all CA certificates and change the -alias value to be unique for each certificate imported.

touch -C 819 /home/<JVMuser>/SystemDefault.properties
NOTE: You can execute the CL command, DSPUSRPRF <JVMuser>, to verify the "Home directory" value.  This would be the very last attribute listed.  The value of "Home directory" should be where the SystemDefault.properties file is created.

echo javax.net.ssl.trustStore=/home/cacerts >> /home/<JVMuser>/SystemDefault.properties
cat /home/<JVMuser>/SystemDefault.properties
where <JVMuser> is the current user of the job executing the IBM i DB2 HTTP UDF.
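A check for the result of the commands above, as an added example that is not part of the IBM document: it confirms that SystemDefault.properties defines javax.net.ssl.trustStore exactly once (re-running the echo ... >> line appends a duplicate), that the file it names exists, and that neither the truststore nor its directory is writable by other users, since a user who can modify the truststore can add a CA that the UDF will then trust. The function name check_truststore and its return codes are chosen for this example, and it uses only POSIX sh utilities.

```shell
#!/bin/sh
# Added example (not from the IBM document): audit the trustStore entry
# that step 2 writes to SystemDefault.properties.
# Return codes (chosen for this example):
#   0 ok, 2 properties file unreadable, 3 not exactly one trustStore line,
#   4 truststore missing, 5 truststore writable by group/others,
#   6 truststore directory writable by others without the sticky bit.
check_truststore() {
    props=$1
    [ -r "$props" ] || { echo "cannot read $props"; return 2; }

    # Re-running 'echo ... >> SystemDefault.properties' appends duplicates.
    count=$(grep -c '^javax\.net\.ssl\.trustStore=' "$props" || true)
    if [ "$count" -ne 1 ]; then
        echo "expected 1 javax.net.ssl.trustStore line, found $count"
        return 3
    fi

    store=$(sed -n 's/^javax\.net\.ssl\.trustStore=//p' "$props")
    [ -f "$store" ] && [ -r "$store" ] || { echo "truststore $store not found or unreadable"; return 4; }

    # Mode string from ls: column 6 is group write, column 9 is other write.
    perms=$(ls -ld "$store" | cut -c1-10)
    case $perms in
        ?????w*|????????w*)
            echo "$store is writable by group or others ($perms)"
            return 5 ;;
    esac

    # A directory others can write to lets them replace the file itself.
    dperms=$(ls -ld "$(dirname "$store")" | cut -c1-10)
    case $dperms in
        ????????w[!tT]*)
            echo "directory of $store is writable by others ($dperms)"
            return 6 ;;
    esac

    echo "ok: $props -> $store ($perms)"
    return 0
}

# Stand-alone use: sh check_truststore.sh /home/<JVMuser>/SystemDefault.properties
if [ "$#" -gt 0 ]; then
    check_truststore "$1"
fi
```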

As an alternative to defining the javax.net.ssl.trustStore property at the IBM i user profile scope, you can also use the IBM_JAVA_OPTIONS environment variable.  This can be set at the *JOB level before the JVM is invoked or set at the *SYS level to apply to all JVM instances that run on the IBM i OS.

IBM_JAVA_OPTIONS=-Djavax.net.ssl.trustStore=/home/cacerts

ADDENVVAR ENVVAR(IBM_JAVA_OPTIONS) VALUE('-Djavax.net.ssl.trustStore=/home/cacerts') LEVEL(*JOB) REPLACE(*YES)

ADDENVVAR ENVVAR(IBM_JAVA_OPTIONS) VALUE('-Djavax.net.ssl.trustStore=/home/cacerts') LEVEL(*SYS) REPLACE(*YES)

You can also use the QIBM_SQJAVA_PROPERTIES environment variable.  These environment variables can be added by executing the following SQL statements in the same job, immediately before the IBM i Db2 HTTP function is executed.
CALL QSYS2.QCMDEXC('ADDENVVAR ENVVAR(IBM_JAVA_OPTIONS) VALUE(''-Djavax.net.ssl.trustStore=/home/cacerts'') LEVEL(*JOB) REPLACE(*YES)')
CALL QSYS2.QCMDEXC('ADDENVVAR ENVVAR(QIBM_SQJAVA_PROPERTIES) VALUE(''javax.net.ssl.trustStore=/home/cacerts'') LEVEL(*JOB) REPLACE(*YES)')

In the example below, the DB2 HTTP function (HTTPGETCLOB, HTTPPOSTCLOB, etc.) is executed by the IBM i user profile, JPROFILE, with a Home directory set to /home/JPROFILE.

[Image: image-20190726124630-1]

Document Location

Worldwide


Document Information

Modified date:
20 July 2022

UID

ibm10960844