|
I have just cracked this one. I was having similar issues. Bottom line, there is the native Digital Certificate Manager where you use the DCM for your certificates and there is the SUN version where an application uses the Sun version of the keystore (not native) that portable applications use. The iSeries defaults to DCM and uses the ibm/only classes. In this scenario the 128 bit Cryptographic Provider (AC3) must be installed and the Java PTFs re-applied and the Verisign PTFs on the system (for the expired... You must then create a *SYSTEM store and decide what you need for certificates. For an application that is developed to be portable across systems it makes more sense to use Sun's logic. You will have the jsse.jar, jcert.jar and jnet.jar in the classpath and use the com.sun.net.ssl.internal.ssl.Provider cryptographic provider loaded programatically. Here is an explanation of the differing SSL scenarios on the iSeries: http://www-912.ibm.com/s_dir/slkbase.NSF/0/f2696335784feedb86256e450020e 015?OpenDocument I had to set up using the Sun Pure Java JSSE provider at the bottom of the document and it worked for me. NOTE: There is a typo in the IBM document: ssl.ServerSocketFactory.provider=com.sun.net.ssl.internal.ssl.SSLServerS ocketFactoryImp must have a lower case L on the end. ssl.ServerSocketFactory.provider=com.sun.net.ssl.internal.ssl.SSLServerS ocketFactoryImpl Kristen Henry 303-883-0144 Previous text: ====================================================== We've got a java application that has been supplied to us by a partner that establishes an SSL link between us and them. We only received the app last week and it failed to establish the connection due to the recent expiring of the Verisign certificates that come with Java. I found the PTFs at IBM that should correct the problem, but I held off installing them because this last weekend we were scheduled to upgrade V5R1 => V5R2. The upgrade went smoothly. I located the same PTFs for V5R2 that should take care of the certificates problem, and installed them. As best I can tell, the cacerts file has been properly updated. Now the connection attempt fails with a different error, javax.net.ssl.SSLException "The value specified for the argument is not correct." A search for this on the net has proved nearly fruitless, with one exception in the java.sun.com forums ( http://forum.java.sun.com/thread.jsp?forum=2 <http://forum.java.sun.com/thread.jsp?forum=2&thread=483905> &thread=483905 ) which, interestingly, also applies to a recently upgraded V5R2 iSeries. There's no resolution (yet) there and I followed the test code with the same error result. I don't see anything applicable on the IBM support areas. Has anyone else encountered this? I'm inclined to believe this is a problem with the java implementation on the iSeries, but... Posted below is the test code and the run info. This occurs using both JDK1.3 and JDK1.4. It runs fine on a non-iSeries. if anybody's got any suggestions/ideas, I'd love to hear 'em. Code ------------------------------------------------------------------------ ---- ------------------------ import java.io.*; import javax.net.ssl.*; public class ssltest { public static void main(String[] argv) throws Exception { String host = argv[0]; System.err.println("Attempting to contact host..." + host); SSLSocketFactory sslFact = (SSLSocketFactory) SSLSocketFactory.getDefault(); SSLSocket s = (SSLSocket) sslFact.createSocket(host, 443); OutputStream out = s.getOutputStream(); //Fails on the line above - (when trying to connect.) byte[] outdata = "GET / HTTP/1.1".getBytes(); out.write(outdata); out.close(); } } ------------------------------------------------------------------------ ---- ------------------------ Run ------------------------------------------------------------------------ ---- ------------------------ java -Djavax.net.debug=all ssltest www.verisign.com Attempting to contact host...www.verisign.com javax.net.ssl.SSLException: The value specified for the argument is not correct. java/lang/Throwable.<init>(Ljava/lang/String;)V+4 (Throwable.java:85) java/lang/Exception.<init>(Ljava/lang/String;)V+1 (Exception.java:33) java/io/IOException.<init>(Ljava/lang/String;)V+1 (IOException.java:38) javax/net/ssl/SSLException.<init>(Ljava/lang/String;)V+1 (SSLException.java:43) com/ibm/as400/ibmonly/net/ssl/AuthContext.getDefault()Lcom/ibm/as400/ibm only /net/ssl/AuthContext;+18 (AuthContext.java:159) com/ibm/as400/ibmonly/net/ssl/SSLSocketFactoryImpl.<init>()V+4 (SSLSocketFactoryImpl.java:70) java/lang/Class.newInstance()Ljava/lang/Object;+14 (Class.java:238) javax/net/ssl/SSLSocketFactory.getDefault()Ljavax/net/SocketFactory;+86 (SSLSocketFactory.java:88) ssltest.main([Ljava/lang/String;)V+0 (ssltest.java:7) $ ------------------------------------------------------------------------ ---- ------------------------ Eugene Glover Arizona Insurance Department
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2025 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.