The remote server is an IBM i (7.1) with DB2 installed on it. I am trying to connect to this remote DB2 database on the IBM i machine via a JDBC link encrypted with SSL from my Windows machine; I am using jt400-6.7.jar. I can see that SSL is correctly configured on the IBM i machine, as I see the following in Digital Certificate Manager:
Current Certificate Store
You have selected to work with the certificate store listed below. The left frame is being refreshed to show the task list for this certificate store. Select a task from the left frame to begin working with this certificate store.
Certificate type: Server or client
Certificate store: *SYSTEM
Certificate store path and filename:
/QIBM/USERDATA/ICSS/CERT/SERVER/DEFAULT.KDB
I followed this link to set up SSL on my IBM i machine: https://isupport.krengeltech.com/rxs/setting_up_ssl/
This is my JDBC program, executed from my Windows 10 machine:
import java.sql.*;

public class IBMiSSLConnect
{
    public static void main(String[] args) throws Exception
    {
        Connection con = null;
        try
        {
            // Register the IBM Toolbox for Java (jt400.jar) JDBC driver
            Class.forName("com.ibm.as400.access.AS400JDBCDriver");
            // secure=true asks the driver for an SSL connection
            con = DriverManager.getConnection("jdbc:as400://IBMiMachineIP:5021/DBNAME&secure=true", "USER", "PASSWORD");
            System.out.println("Connected");
        }
        catch(Exception e)
        {
            System.out.println(e.getMessage());
        }
        finally
        {
            if (con != null) con.close();
        }
    }
}
I get the following error:
[PWS0082] library(s) not added to the library list.
If, however, I replace the URL as below (adding the system library):
Connection con = DriverManager.getConnection("jdbc:as400://IBMiMachineIP:5021/DBNAME;naming=system;libraries=QSYS;secure=true", "USER", "PASSWORD");
I get the following error instead:
The application requester cannot establish the connection. (sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)
I have two questions:
Q 1: Does one always need to add naming and libraries to the URL for JDBC encryption using SSL?
Something like this:
jdbc:as400://someserver;naming=system;libraries=devfiles,prodfiles,sysibm,etc
I am referring to this link:
How can I insert additional libraries to my jdbc/DB2 connection?
Q 2: Should I use secure or sslConnection as the URL parameter? That is:
a: jdbc:as400://IBMiMachineIP:5021/DBNAME&secure=true
or
b: jdbc:as400://IBMiMachineIP:5021/DBNAME&sslConnection=true
*Note: I have already made the changes to the SSL permissions for the truststore files default.kdb and default.rdb as mentioned here:
https://isupport.krengeltech.com/rxs/configuring_ssl_permissions/
Q1. No, you do not need to add the naming and libraries properties when using SSL.
Q2. You shouldn't be using :5021 as part of the URL. It is currently ignored, but may be used in the future. You should be using secure=true to get an SSL connection.
I suspect your problem is that the truststore used by the JVM on the client system does not have the certificate for your Certificate Authority (it looks like you are using a self-signed certificate on the server). If you still have problems, turn on SSL trace on the client by using the following when starting Java:
-Djavax.net.debug=ssl:handshake:verbose
Note: jt400.jar comes with a jdbcClient, so you can use that to test your connection. Here is an example of connecting using SSL. In this case, cacerts is the trust store that contains a certificate for the CA that signed the server certificate.
java -Djavax.net.debug=ssl:handshake:verbose -Djavax.net.ssl.trustStore=cacerts -jar jt400.jar 'jdbc:as400:SYSTEM;secure=true' USERID PASSWORD
This will show the SSL negotiation that the JVM is doing.
What @jweberhard said regarding the question, that the use of libraries is not required and that the SSL port is not 5021, is correct; thanks @jweberhard. However, I realized that in my case in particular I was making one wrong assumption based on prior knowledge.
I have made a similar SSL-encrypted connection from a Windows machine to remote machines with MySQL and Postgres databases, and in both cases you see in Wireshark something like this:
I was looking for TLSv1.2 protocol usage in Wireshark; however, I realized that, specifically when you are working with a DB2 database on IBM i, you would still see the TCP protocol shown, but the litmus test is whether you see:
1: Port 9471 being used for the SSL connection in Wireshark (if it is not secure you will see port 8471 being used instead). Refer to this link for port usage on IBM i:
https://www-03.ibm.com/systems/power/software/i/toolbox/faq/ports.html
and
2: A QZDASSINIT job being created on your IBM i machine (use the green screen to check your jobs with the WRKACTJOB command and look for this job; it is created for an SSL connection to your DB2 database, whereas for a non-secure connection you would see only a QZDASOINIT job).
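As an added example that ties the two answers together (this is not code from the original question or answers, nor part of the jt400 project), the Java program below does three things: it loads a dedicated truststore holding the CA certificate that signed the server certificate, it performs a plain TLS handshake against the SSL database host server port 9471 (the port the second answer names as the litmus test) so that a PKIX "unable to find valid certification path" error surfaces before any JDBC URL property is parsed, and it then connects with the Toolbox AS400JDBCDataSource using setSecure(true), the programmatic equivalent of ;secure=true, with no port in the server name so the driver chooses the secure port itself. The host name IBMiMachineIP, the truststore file name ibmi-truststore.jks and its password are assumptions; jt400.jar must be on the classpath, and the user ID and password are taken from the command line rather than hard-coded.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.Statement;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;
import com.ibm.as400.access.AS400JDBCDataSource;

public class IBMiSSLCheck
{
    // Assumed values (not from the original post): host, truststore file and its password.
    private static final String HOST = "IBMiMachineIP";
    private static final String TRUSTSTORE = "ibmi-truststore.jks";
    private static final String TRUSTSTORE_PW = "changeit";
    // as-database over SSL listens on 9471; the plain as-database service is 8471.
    private static final int DB_SSL_PORT = 9471;

    // Build an SSLContext that trusts only the CA certificate(s) in our own truststore,
    // so the check cannot pass by accident because of something in the JVM's cacerts.
    static SSLContext contextFromTrustStore() throws Exception
    {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(TRUSTSTORE))
        {
            ks.load(in, TRUSTSTORE_PW.toCharArray());
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Handshake directly with the secure database port and print the chain the server sent.
    // A PKIX path-building failure here means the truststore lacks the signing CA,
    // independent of any JDBC URL property such as naming or libraries.
    static void probeHandshake(SSLContext ctx) throws Exception
    {
        try (SSLSocket sock = (SSLSocket) ctx.getSocketFactory().createSocket(HOST, DB_SSL_PORT))
        {
            sock.startHandshake();
            System.out.println("Negotiated " + sock.getSession().getProtocol() + " on port " + DB_SSL_PORT);
            for (Certificate c : sock.getSession().getPeerCertificates())
            {
                X509Certificate x = (X509Certificate) c;
                System.out.println("  subject=" + x.getSubjectX500Principal() + "  issuer=" + x.getIssuerX500Principal());
            }
        }
        catch (SSLHandshakeException e)
        {
            System.out.println("Handshake with " + HOST + ":" + DB_SSL_PORT + " failed: " + e.getMessage());
            throw e;
        }
    }

    public static void main(String[] args) throws Exception
    {
        String user = args[0], password = args[1];   // keep credentials out of the source

        // Step 1: prove the trust chain works before involving the JDBC driver at all.
        probeHandshake(contextFromTrustStore());

        // Step 2: the Toolbox driver validates the server certificate through the JVM's default
        // trust store, so point that at the same file (same effect as -Djavax.net.ssl.trustStore=...).
        // These properties must be set before the driver creates its first SSL socket.
        System.setProperty("javax.net.ssl.trustStore", TRUSTSTORE);
        System.setProperty("javax.net.ssl.trustStorePassword", TRUSTSTORE_PW);

        AS400JDBCDataSource ds = new AS400JDBCDataSource();
        ds.setServerName(HOST);   // no port: the driver picks the secure database port itself
        ds.setSecure(true);       // programmatic equivalent of ";secure=true" in the URL
        ds.setUser(user);
        ds.setPassword(password);
        // Neither setNaming() nor setLibraries() is needed for SSL; add them only if your
        // SQL relies on system naming or on unqualified library names.

        try (Connection con = ds.getConnection();
             Statement st = con.createStatement();
             ResultSet rs = st.executeQuery("SELECT CURRENT TIMESTAMP FROM SYSIBM.SYSDUMMY1"))
        {
            while (rs.next())
            {
                System.out.println("Server time over TLS: " + rs.getString(1));
            }
        }
    }
}
```

To build the assumed truststore, export the CA certificate that signed the server certificate from Digital Certificate Manager and import it with keytool -importcert -alias ibmi-ca -file ca.cer -keystore ibmi-truststore.jks; running the program with -Djavax.net.debug=ssl:handshake:verbose, as the first answer suggests, shows the same handshake and the certificate chain the JVM evaluated. If the handshake probe succeeds but the JDBC connection still fails, the problem is in the driver's URL or property handling rather than in trust, which is exactly the split the PWS0082 versus PKIX errors in the question show.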