Hi Scott,
I have a problem with SSL when I use HTTPAPI.
I get the following error.
Módulo origen . . . . . . . : HTTPUTILR4
Procedimiento origen . . . : UTIL_DIAG
Sentencia . . . . . . . . . : 5557
Módulo destino . . . . . . : COMMSSLR4
Procedimiento destino . . . : SSL_ERROR
Sentencia . . . . . . . . . : 7938
Mensaje . . . . : (GSKit) No hay ningún certificado disponible para el
proceso SSL.
Causa . . . . . : No se dispone de información adicional de ayuda en línea.
I would appreciate your guidance on how to resolve this problem.
Thank you very much.
(GSKit) No hay ningún certificado disponible para el proceso SSL.
-
- Site Admin
- Posts: 872
- Joined: Sun Jul 04, 2021 5:12 am
Re: (GSKit) No hay ningún certificado disponible para el proceso SSL.
Hello jtalavera,
Unfortunately, I don't speak Spanish. I ran the message through Google Translate, and it says "There is no certificate available for the SSL process." This sounds to me like GSK_ERROR_NO_CERTIFICATE (English message: "No certificate is available for TLS processing.")
Unfortunately, I have never received this message in HTTPAPI. It sounds like you've configured it to use a certificate, but there is no certificate installed.
The normal configuration of HTTPAPI does not require you to have a certificate. So it surprises me that you would receive this message. Have you configured it for client-side certificate processing? If so, have you installed the client certificate, associated it with an application profile, and passed the application ID to https_init()?
Or, if you have not configured it for client-side certificates (this is normal and the default), can you tell me how to reproduce the problem? Tell me how your digital certificate manager is set up, and how you've associated that configuration with HTTPAPI.
Or... perhaps my translation is bad?
Re: (GSKit) No hay ningún certificado disponible para el proceso SSL.
Hi Scott, thanks for the answer, and for taking the time to translate it. My English skill is not the best, and I'll let you know that I'm pretty new to WS on AS400.
In this connection we need a certificate to connect over TLS 1.2 to an Apache server from a provider. We should consume that service over TLS and sign the XML with SHA256 first. We signed that OK and tested without the SSL check on the provider, all OK; then after the promotion to PRD, we got this message.
Our HTTP_Init was configured before us with https_init(*blanks:*Off:*Off:*On:*On:*On) and we keep getting the same message.
We don't have a clue about the right way to configure the certificate to be used by HTTPAPI.
We got a certificate, and the system administrator associated that certificate with the System i application and the Central Server application, but I don't know the way to pass that to HTTPAPI.
Again, thanks very much for your time, and sorry for my English.
I hope this could help you understand our status.
Thanks.
-
- Site Admin
- Posts: 872
- Joined: Sun Jul 04, 2021 5:12 am
Re: (GSKit) No hay ningún certificado disponible para el proceso SSL.
Your English is good.
Do you know what the SSL/TLS requirements for this site are? I'm not understanding why you're getting this particular error.
I'm assuming this error is referring to a client-side certificate, but maybe that's a false assumption, maybe it's referring to a CA certificate. Can you tell me more about the *SYSTEM certificate store and how it's configured?
Re: (GSKit) No hay ningún certificado disponible para el proceso SSL.
Hi Scott, we are connecting to a bank, and for that they need a certificate to validate that we are a trusted consumer. They have a WS exposed and we need to consume it for each new customer, using a signed XML and SSL over TLS 1.2 with a certificate. We solved the XML signing outside httplib, but the issue is with the SSL over TLS 1.2, because we don't have a clue how to set up the certificate to be used by httplib, and we don't have direct access to the IBM settings. There are other teams that call to us; they have the certificate installed in the system certificate store, and I assume we need a way to tell HTTPAPI which certificate it needs for this specific connection. By the way, we have many other services consuming HTTPAPI for other purposes, so I'm a bit scared of changing it at all... So I don't really know how it is configured right now, but I'm wondering if perhaps you know the proper way it should be?
Thanks.
-
- Site Admin
- Posts: 872
- Joined: Sun Jul 04, 2021 5:12 am
Re: (GSKit) No hay ningún certificado disponible para el proceso SSL.
Well... I don't really know what your requirements are, this makes it hard to tell you how to set it up.
I think when you say "they need a certificate to validate that we are a trusted consumer" you are saying that you need to send them a client-side certificate. This is a very unusual requirement, so I want to be clear that this is what you are asking for, and isn't a misunderstanding. APIs almost never require client-side certificates... but, perhaps your situation is the exception to that rule.
You keep referring to TLS 1.2, as if that is the main challenge you are facing. If I'm correct that you need to use client-side certificates, it doesn't matter which version of TLS you are using. The system will automatically negotiate TLS 1.2 (or better, TLS 1.3) if it is required. Client-side certificates can be used with any flavor of SSL or TLS, so it doesn't really matter whether you are using TLS 1.2 vs other versions.
To configure a client-side certificate, you will need to use the IBM Digital Certificate Manager to assign the certificate to the application. This involves configuring the IBM i operating system (not HTTPAPI) to tell it which certificate you wish to use.
- If you haven't already installed the certificate into the digital certificate manager, please make sure you do that before performing this procedure.
- Use http://your-system:2001 to sign in. Select Internet Configurations / Digital Certificate Manager.
- Click "Select a Certificate Store". Choose *SYSTEM, and enter the password to sign into the system certificate store.
- Click Manage applications / Add Application to add a new application.
- Choose "client" because HTTPAPI is client software.
- Set the application ID to something that begins with your company name. For example, if your company's name is ACME, and you're building an application ID for connecting to Wells Fargo Bank, the Application ID might be ACME_HTTPAPI_WELLSFARGO.
- Check the box next to "Application description" and put a description like "Use HTTPAPI to connect to Wells Fargo".
- Leave the other settings at their default values, and click "Add" at the bottom of the page.
- Click "Update Certificate Assignment" on the left. Choose "Client".
- Find your new application ("Use HTTPAPI to connect to Wells Fargo") and check the box next to it, and click "Update Certificate Assignment".
- It will list the certificates on your system. Place a check mark next to the one that you'd like to assign to the application, and click "Update Certificate Assignment".
- Back in your HTTPAPI program, make certain to code https_init('ACME_HTTPAPI_WELLSFARGO') (or whatever you used for your application id) before each call that accesses an https:// URL. This tells HTTPAPI to use the settings you configured in the digital certificate manager.
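Added example, not part of the original posts and not HTTPAPI's own sample code: an ILE RPG program for the last step of the procedure above, selecting the DCM application ID before an https:// request and reporting the HTTPAPI error text if the TLS setup or the request fails. It assumes the HTTPAPI binding directory and the HTTPAPI_H copy member are on the library list; the URL and the debug file path are placeholders.

```rpgle
**free
// Added example (not from the thread). Assumes HTTPAPI is installed and
// its HTTPAPI binding directory and HTTPAPI_H member can be found.
ctl-opt dftactgrp(*no) actgrp(*new) bnddir('HTTPAPI');

/copy qrpglesrc,httpapi_h

// Application ID created in DCM (the example ID used in the post above)
dcl-c APP_ID 'ACME_HTTPAPI_WELLSFARGO';
// Placeholder URL, not a real endpoint
dcl-c URL 'https://partner.example.com/service';

dcl-s response varchar(100000);
dcl-s msg char(52);

*inlr = *on;

// Write a trace of the connection and TLS handshake to the IFS so a
// certificate problem can be diagnosed (placeholder path)
http_debug(*on: '/tmp/httpapi_debug.txt');

// Select the DCM application definition, and with it the client
// certificate assigned to it, before any https:// request is made
if https_init(APP_ID) <> 0;
   msg = http_error();   // text of the failure; truncated for DSPLY
   dsply msg;
   return;
endif;

monitor;
   response = http_string('GET': URL);
on-error;
   // http_string signals an exception on failure; http_error() holds
   // the message, such as the GSKit certificate error in this thread
   msg = http_error();
   dsply msg;
endmon;

return;
```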
Re: (GSKit) No hay ningún certificado disponible para el proceso SSL.
We are going to test those indications and see if that will solve it.
Thanks a lot.
Re: (GSKit) No hay ningún certificado disponible para el proceso SSL.
Scott, I want to inform you that the application worked with the instructions you sent me.
Thank you very much and happy holidays !!!!!
-
- Site Admin
- Posts: 872
- Joined: Sun Jul 04, 2021 5:12 am
Re: (GSKit) No hay ningún certificado disponible para el proceso SSL.
Likewise, Happy 2022 !!!!!!