Installing Certificate Authority
If you are connecting to a third-party server using RXS_getUri and the following message appears in the job log, you most likely need to install (import) the Certificate Authority certificate used by the remote server.
“Error performing SSL handshake. There is no error. RC(23) errno().”
A formal list of valid values can be found here
In the above example we are looking for a return code of -23 (always add a negative sign), which is highlighted in yellow.
The error is “SSL_ERROR_NOT_TRUSTED_ROOT”.
This means the remote server's certificate was most likely issued by a Certificate Authority that is not installed on your iSeries. By default IBM ships the most popular Certificate Authorities with the iSeries (e.g. Verisign, Thawte, Equifax, etc.).
Obtaining the Certificates
To fix this problem you need to obtain the CA certificate and install it on your iSeries via the Digital Certificate Manager (i.e. the *ADMIN instance).
The following is an example; replace the UPS URL with your own. To obtain the certificate, go to the URL https://wwwcie.ups.com/ups.app/xml/AV with Internet Explorer. You will notice a padlock in the lower right of the window (in Internet Explorer 7 or lower).
In Internet Explorer 8, the padlock has been moved to the right of the Location Bar:
Double click this padlock and you will see the following Certificate window.
Click on the Certification Path tab to view the different signers of this certificate. In this case we have two signers, GTE Cyber Trust and Akamai. With GTE highlighted, select the View Certificate button.
You should now be presented with a new Certificate window and upon clicking the Details tab should see a window like the following. Select the Copy to File button which will start you into a wizard process.
Select the Next Button.
Leave DER encoded binary X.509 (.CER) selected and select the Next button.
You will be prompted to save the file. Browse to your desktop and save it with a name of ups_GTE.cer as shown in the following screen shot:
Now repeat this process: close all dialogs, go back to the original browser window, and this time after double clicking on the padlock, select Akamai and then the View Certificate button. Name this exported certificate ups_Akamai.cer.
Upload the .cer files to your iSeries via FTP (or other means) and place them in /home (or other folder of choice, just remember where you put it).
Applying the Certificates
Next log into the *ADMIN instance of the IBM HTTP server and select the Digital Certificate Manager as shown below.
After you are logged into DCM, click the Select a Certificate Store button in the far left of the page.
Then select the *SYSTEM store and hit the Continue button. If the *SYSTEM store is not shown you will need to create it (refer to www.rpg-xml.com for setting up SSL).
It will then prompt you for your password. Enter your password and select the Continue button.
Going back to the left nav, select the Expand All button.
Next select the Work with CA certificates link in the left nav. You will now be presented with a screen displaying all of the Certificate Authorities installed on your machine under the *SYSTEM store. As you scan through them you SHOULD NOT see the name of the company on the certificates you exported above (i.e. GTE and/or Akamai).
Click the Import button.
Enter the path of the file you uploaded via FTP. Note that if there are multiple nested levels of certificates, like our example, then you need to import the highest level first. In this case we need to import ups_GTE.cer and then ups_Akamai.cer. Below shows how to import the ups_GTE.cer certificate. Repeat the process by clicking the Import button for file ups_Akamai.cer.
That’s it! Now go back and execute the program that has the RXS_getUri call to the URL that was producing this error to ensure the correct certificates were installed.
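The import order required above (highest-level signer first) can be confirmed before opening DCM. The following is an added example, not code from the original page, RPG-XML or IBM: a Python 3 script, assumed to run on the workstation holding the exported DER files, that reads each certificate's issuer and subject, lists the files in import order, and prints a SHA-256 of each so the copy on the iSeries can be compared after the FTP upload. The function names are this example's own.

```python
# Added example (not RPG-XML or IBM code); assumes Python 3 on the workstation.
import hashlib, sys

def read_tlv(buf, pos):  # -> (tag, value_start, value_end) of the DER element
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def issuer_and_subject(der):
    """Return the raw DER issuer and subject names of one certificate."""
    if der.lstrip().startswith(b"-----BEGIN"):
        raise ValueError("Base-64 (PEM) export; this check expects DER")
    tag, pos, _ = read_tlv(der, 0)        # Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER-encoded certificate")
    _, pos, _ = read_tlv(der, pos)        # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(der, pos)
    if tag == 0xA0:                       # optional [0] version field
        pos = end
    fields = []  # serialNumber, signature, issuer, validity, subject
    for _ in range(5):
        _, _, end = read_tlv(der, pos)
        fields.append(der[pos:end])
        pos = end
    return fields[2], fields[4]

def import_order(certs):
    """certs maps file name -> DER bytes; returns names, top signer first."""
    names = {f: issuer_and_subject(d) for f, d in certs.items()}
    by_subject = {subject: f for f, (_, subject) in names.items()}
    def depth(f):
        hops, seen = 0, {f}
        while True:
            parent = by_subject.get(names[f][0])  # file holding our issuer
            if parent is None or parent in seen:  # top of chain (or a loop)
                return hops
            f, hops = parent, hops + 1
            seen.add(f)
    return sorted(certs, key=depth)

if __name__ == "__main__":
    files = {p: open(p, "rb").read() for p in sys.argv[1:]}
    for step, name in enumerate(import_order(files), 1):
        print(step, name, hashlib.sha256(files[name]).hexdigest())
```

Pass the exported files as arguments, for example ups_Akamai.cer and ups_GTE.cer; the first file printed is the one to import first.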











