I have just cracked this one.  I was having similar issues.
 
Bottom line, there is the native Digital Certificate Manager where you
use the DCM for your certificates and there is the SUN version where an
application uses the Sun version of the keystore (not native) that
portable applications use.
 
The iSeries defaults to DCM and uses the ibm/only classes.  In this
scenario the 128 bit Cryptographic Provider (AC3) must be installed and
the Java PTFs re-applied and the Verisign PTFs on the system (for the
expired...  You must then create a *SYSTEM store and decide what you
need for certificates.
 
For an application that is developed to be portable across systems it
makes more sense to use Sun's logic.  You will have the jsse.jar,
jcert.jar and jnet.jar in the classpath and use the
com.sun.net.ssl.internal.ssl.Provider cryptographic provider loaded
programatically.
 
Here is an explanation of the differing SSL scenarios on the iSeries:
 
http://www-912.ibm.com/s_dir/slkbase.NSF/0/f2696335784feedb86256e450020e
015?OpenDocument
 
I had to set up using the Sun Pure Java JSSE provider at the bottom of
the document and it worked for me.  
 
NOTE: There is a typo in the IBM document: 

ssl.ServerSocketFactory.provider=com.sun.net.ssl.internal.ssl.SSLServerS
ocketFactoryImp must have a lower case L on the end.

 

ssl.ServerSocketFactory.provider=com.sun.net.ssl.internal.ssl.SSLServerS
ocketFactoryImpl


Kristen Henry
303-883-0144
 
 
 
Previous text:
======================================================
We've got a java application that has been supplied to us by a partner
that
establishes an SSL link between us and them.  We only received the app
last
week and it failed to establish the connection due to the recent
expiring of
the Verisign certificates that come with Java.

I found the PTFs at IBM that should correct the problem, but I held off
installing them because this last weekend we were scheduled to upgrade
V5R1
=> V5R2.  The upgrade went smoothly.  I located the same PTFs for V5R2
that
should take care of the certificates problem, and installed them.  As
best I
can tell, the cacerts file has been properly updated.

Now the connection attempt fails with a different error,
javax.net.ssl.SSLException "The value specified for the argument is not
correct."

A search for this on the net has proved nearly fruitless, with one
exception
in the java.sun.com forums (
http://forum.java.sun.com/thread.jsp?forum=2
<http://forum.java.sun.com/thread.jsp?forum=2&thread=483905>
&thread=483905 ) which,
interestingly, also applies to a recently upgraded V5R2 iSeries.

There's no resolution (yet) there and I followed the test code with the
same
error result.  I don't see anything applicable on the IBM support areas.
Has anyone else encountered this?  I'm inclined to believe this is a
problem
with the java implementation on the iSeries, but...

Posted below is the test code and the run info.  This occurs using both
JDK1.3 and JDK1.4.  It runs fine on a non-iSeries.  if anybody's got any
suggestions/ideas, I'd love to hear 'em.

Code
------------------------------------------------------------------------
----
------------------------
import java.io.*;
import javax.net.ssl.*;
public class ssltest {

        public static void main(String[] argv) throws Exception {

                String host = argv[0];

                System.err.println("Attempting to contact host..." +
host);

                SSLSocketFactory sslFact =
                        (SSLSocketFactory)
SSLSocketFactory.getDefault();
                SSLSocket s = (SSLSocket) sslFact.createSocket(host,
443);
                OutputStream out = s.getOutputStream();
                //Fails on the line above - (when trying to connect.)

                byte[] outdata = "GET / HTTP/1.1".getBytes();
                out.write(outdata);
                out.close();
        }
}
------------------------------------------------------------------------
----
------------------------
Run
------------------------------------------------------------------------
----
------------------------
java -Djavax.net.debug=all ssltest www.verisign.com

Attempting to contact host...www.verisign.com

javax.net.ssl.SSLException: The value specified for the argument is not
correct.                                                 
       java/lang/Throwable.<init>(Ljava/lang/String;)V+4
(Throwable.java:85)

       java/lang/Exception.<init>(Ljava/lang/String;)V+1
(Exception.java:33)

       java/io/IOException.<init>(Ljava/lang/String;)V+1
(IOException.java:38)

       javax/net/ssl/SSLException.<init>(Ljava/lang/String;)V+1
(SSLException.java:43)                                            

com/ibm/as400/ibmonly/net/ssl/AuthContext.getDefault()Lcom/ibm/as400/ibm
only
/net/ssl/AuthContext;+18 (AuthContext.java:159)


       com/ibm/as400/ibmonly/net/ssl/SSLSocketFactoryImpl.<init>()V+4
(SSLSocketFactoryImpl.java:70)                              
       java/lang/Class.newInstance()Ljava/lang/Object;+14
(Class.java:238)


javax/net/ssl/SSLSocketFactory.getDefault()Ljavax/net/SocketFactory;+86
(SSLSocketFactory.java:88)                         
       ssltest.main([Ljava/lang/String;)V+0 (ssltest.java:7)

$                                                                     
------------------------------------------------------------------------
----
------------------------


Eugene Glover
Arizona Insurance Department


As an Amazon Associate we earn from qualifying purchases.

This thread ...

Follow-Ups:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2025 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.