IBM Support

Setting Up an IWS Client for SSL (HTTPS) Connection with the axiscpp.conf file

Troubleshooting


Problem

There are some additional steps that need to be performed when setting up a client application to consume a Web service over a secure (https) connection.  One method is using the axiscpp.conf file.

This information is current as of 1/31/2024.

Resolving The Problem

As with any secure connection, you need to ensure that the CA certificate from the HTTPS server is in the *SYSTEM certificate store on the System i. By default, many of the commonly used CA certificates are shipped with Digital Certificate Manager (DCM). You can view the CA certificates that are in the *SYSTEM store using DCM. If the CA certificate for the server that you wish to connect to is not in the *SYSTEM store, you need to obtain a copy of it from the server administrator (or extract it using browser tools while connected to the secure site), and then import it into the certificate store. Refer to the document "How to Import a Certificate Authority Certificate into Heritage Digital Certificate Manager" for more details on how to import a CA certificate.

Once you have imported the CA certificate, you need to edit the axiscpp.conf file, which is in the following path:
/qibm/ProdData/OS/WebServices/V1/client/etc/axiscpp.conf

You can edit this file directly; however, it is strongly recommended that you place a copy of the /etc directory from the above path into another path on the System i. For example: /tmp/etc/axiscpp.conf

If you make a copy, you need to set the environment variable AXISCPP_DEPLOY to point to the path containing the new /etc directory. If it was placed in /tmp per the example above, the environment variable would be:
ADDENVVAR ENVVAR(AXISCPP_DEPLOY) VALUE('/tmp')

You can use either *SYS or *JOB for the environment variable; however, *SYS will cause the configuration file to be read for any job consuming a Web service. If you edit the axiscpp.conf file in the original directory, you should be aware that this file can be replaced when PTFs are loaded.

Here is a sample of how you would code the axiscpp.conf file:

************Beginning of data**************

# The comment character is '#'
# Available directives are as follows
#
# ClientWSDDFilePath:  The path to the client WSDD
# SecureInfo:          The GSKit security information
#

SecureInfo:/qibm/UserData/ICSS/Cert/Server/DEFAULT.KDB,kdbpwd,AXIS,NONE,NONE,35

************End of Data********************

Notes:
1. The first parameter (parameters are separated by commas) in the SecureInfo statement is the path to the *SYSTEM certificate store in DCM.
2. The second parameter is the password to the certificate store.
3. The third parameter is the label associated with the certificate in the store. If you receive GSKit errors saying the certificate cannot be found (for example, 407, 428, and so on), try passing a null string for this parameter to have the certificate store searched for a valid CA. For example:

DEFAULT.KDB,kdbpwd, ,NONE,NONE,35
Important Note: There is a space between the two commas.

An explanation of the parameters is given in the Web Services Client programming guide, located at the following URL:
https://public.dhe.ibm.com/systems/support/i/iws/systems_i_software_iws_pdf_WebServicesClient_new.pdf

The SecureInfo directive is used to define SSL information that is to be used by all Web service clients (in other words, you are not setting the SSL information programmatically). The property value contains comma-delimited strings as follows (they should all be on one line):

SecureInfo:keyRingFile,keyRingPasswordOrStash,keyRingLabel,v2CipherSpec,v3CipherSpec,tlsCipherSpec

where:

keyRingFile
Full path and filename to the certificate store file to be used for the secure session or SSL environment.

keyRingPassword
The password for the certificate store file to be used for the secure session or SSL environment.

keyRingLabel
The certificate label associated with the certificate in the certificate store to be used for the secure session or SSL environment.

v2CipherSpec
The list of SSL Version 2 ciphers to be used for the secure session or the SSL environment. Specifying NONE for this field will disable SSL Version 2 ciphers. Valid values: 01, 02, 03, 04, 06 or 07.

v3CipherSpec
The list of SSL Version 3/TLS Version 1 ciphers to be used for the secure session or the SSL environment. Specifying NONE for this field will disable SSL Version 3 ciphers. Valid values: 00, 01, 02, 03, 04, 05, 06, 09, 35, 0A, 2F, or 35.

tlsCipherSpec
Whether to enable or disable TLS Version 1 ciphers. A value of NONE will disable the ciphers; any other value will enable the ciphers. By default, the TLS Version 1 ciphers are enabled.

tlsV11CipherSpec
Whether to enable or disable TLS Version 1.1 ciphers. A value of NONE will disable the ciphers; any other value will enable the ciphers. By default, the TLS Version 1.1 ciphers are enabled.

tlsV12CipherSpec
Whether to enable or disable TLS Version 1.2 ciphers. A value of NONE will disable the ciphers; any other value will enable the ciphers. By default, the TLS Version 1.2 ciphers are enabled.
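
The following added example (not IBM's code and not part of the original document) parses a SecureInfo line into the six fields named in the format line above and reports settings worth a second look: SSL Version 2 or 3 ciphers left enabled, TLS Version 1 disabled, a blank label, or a store path that is not a full path. The function names and the readable_by_others permission check are assumptions of this example; the check is included because the file carries the certificate store password and may sit in a copied directory such as /tmp/etc.

```python
import os
import stat

# Field order from the SecureInfo format line on this page.
FIELDS = ("keyRingFile", "keyRingPasswordOrStash", "keyRingLabel",
          "v2CipherSpec", "v3CipherSpec", "tlsCipherSpec")


def parse_secure_info(conf_text):
    """Return the first uncommented SecureInfo directive as a dict, or None."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line.startswith("SecureInfo:"):
            continue  # '#' comment lines and other directives are skipped
        values = [v.strip() for v in line[len("SecureInfo:"):].split(",")]
        if len(values) < len(FIELDS):
            raise ValueError("SecureInfo has %d fields, expected %d"
                             % (len(values), len(FIELDS)))
        return dict(zip(FIELDS, values))
    return None


def audit(info):
    """Return findings for one parsed directive (empty list means none)."""
    findings = []
    if not info["keyRingFile"].startswith("/"):
        findings.append("keyRingFile is not a full path")
    if info["keyRingLabel"] == "":
        findings.append("keyRingLabel is blank: store is searched for a valid CA")
    # Per the page, only the literal NONE disables a protocol's ciphers.
    if info["v2CipherSpec"] != "NONE":
        findings.append("SSL Version 2 ciphers are enabled")
    if info["v3CipherSpec"] != "NONE":
        findings.append("SSL Version 3 ciphers are enabled")
    if info["tlsCipherSpec"] == "NONE":
        findings.append("TLS Version 1 ciphers are disabled")
    return findings


def readable_by_others(path):
    """True if the file mode grants read access beyond owner and group."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


# Constructed sample: the SecureInfo line from the page's sample file.
SAMPLE = """# The comment character is '#'
SecureInfo:/qibm/UserData/ICSS/Cert/Server/DEFAULT.KDB,kdbpwd,AXIS,NONE,NONE,35
"""
```

Run audit(parse_secure_info(text)) on the contents of the axiscpp.conf copy that AXISCPP_DEPLOY points to, and readable_by_others on the file itself.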

Historical Number

592289479

Document Information

Modified date:
31 January 2024

UID

nas8N1011664