Yep... just needed the CAs on your client. :) Glad you got it working!

On Wed, Mar 6, 2024 at 12:55 PM Sizer, Joseph via MIDRANGE-L <
midrange-l@xxxxxxxxxxxxxxxxxx> wrote:

Thank you to everyone that assisted with this issue.

After a few more days of testing, I believe I have gotten to a good
solution.

While the recommendation provided by Richard Schoen initially worked, the
next day it stopped working. I kept trying different methods to get a
consistent solution. I did use this link, which was in Richard's document
-
https://www.ibm.com/support/pages/importing-certificates-use-ibm-i-access-client-solutions-windows-application-package-acs-winap

I was using the "Push to Windows" method that is in IBM i Access Client
Solutions (Tools / Key Management) as it saved me the step of having to
manually validate my certs using gsk8capicmd.exe (gsk8capicmd.exe -cert
-modify -trust enable). Using the Push to Windows method added the
information to the key database file located in
C:\Users\Public\Documents\IBM\Client Access\cwbssldf.kdb and marked it as
trusted for me.

Two additional items made a difference. Since I was using Microsoft Word
Mail Merge, if the ODBC connection failed, updating the key management
database was not enough. MS Word was caching the cert info. I had to
close all other Word/Excel documents and then retry the ODBC connection.
Second, I found out that my AD environment had an Active Directory Group
Policy that would automatically push the key database file cwbssldf.kdb to
all PCs. So, each time I fixed the file, it would get replaced again at
the next push. Now the Group Policy has the correct file and the ODBC
connection is working.



-----Original Message-----
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of
Richard Schoen
Sent: Friday, March 1, 2024 10:20 AM
To: midrange-l@xxxxxxxxxxxxxxxxxx
Subject: Re: TLS/SSL Certificate update for IBM i ODBC


Check this link out. I have run into this issue before.


https://github.com/richardschoen/howtostuff/blob/master/ibmi_acs_odbcssl_windows_issue_.md

Regards,
Richard Schoen
Web: http://www.richardschoen.net
Email: richard@xxxxxxxxxxxxxxxxx

-----Original Message-----

On Fri, Mar 1, 2024 at 8:50 AM Sizer, Joseph via MIDRANGE-L <
midrange-l@xxxxxxxxxxxxxxxxxx> wrote:

Each year I use Digital Certificate Manager (DCM) to import my new SSL
cert. My root and CA cert are still good. I then assign the new SSL
cert to the applications that require them based on what last year's
cert was assigned to. I then verify that telnet, IBM i HTTP servers,
etc. are all using the new SSL cert.

This year, a client PC that uses a System DSN 64-bit ODBC connection
to the IBM i for a Microsoft Word mail merge generated an error that
defined the SSL cert as not being trusted. I am using ODBC driver IBM
i Access ODBC Driver version 13.64.27.00 and ACS version 1.1.9.4.

The error message generated when testing the connection is:
Data link error: Test connection failed because of an error in
initializing provider. IBM System I Access ODBC Driver Communication
link failure. Comm rc-25414 - CWBCO1050 - The IBM I server
application certificate is not trusted.

Changing the ODBC driver configuration to Non-SSL allows the mail
merge to work (Configure / Connection Options / Security - Do not use
Secured Sockets Layer (SSL)).

Telnet (ACS) does not require any update at the PC client level. Is
anyone aware of a requirement where a PC client ODBC connect must run
an update for a new SSL cert? I would like to switch the connection
back to SSL.

Thanks.


Joe Sizer
IBM I Power Systems Administrator
Pencor Digital Services
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription related
questions.
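
An added example, not part of the original thread: a PowerShell check for the two failure modes described above, a key database that gets replaced by a pushed copy and Office applications that were already open when the file changed. The `$ReferenceKdb` parameter and the `Get-KdbState` helper are hypothetical names; the reference file is assumed to be a known-good copy such as the one the Group Policy distributes.

```powershell
# Added example (not from the thread). $ReferenceKdb is a hypothetical path to a
# known-good copy of the key database, e.g. the file the Group Policy pushes.
param(
    [string]$LocalKdb = 'C:\Users\Public\Documents\IBM\Client Access\cwbssldf.kdb',
    [Parameter(Mandatory)][string]$ReferenceKdb
)

# Hypothetical helper: collect existence, hash and last-write time for one file.
function Get-KdbState {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false; SHA256 = $null; LastWriteTime = $null }
    }
    $item = Get-Item -LiteralPath $Path
    [pscustomobject]@{
        Path          = $Path
        Exists        = $true
        SHA256        = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        LastWriteTime = $item.LastWriteTime
    }
}

$local = Get-KdbState -Path $LocalKdb
$ref   = Get-KdbState -Path $ReferenceKdb
$local, $ref | Format-List Path, Exists, LastWriteTime, SHA256

if (-not $local.Exists -or -not $ref.Exists) {
    Write-Warning 'A key database file is missing; cannot compare.'
    return
}
if ($local.SHA256 -ne $ref.SHA256) {
    # A mismatch right after a policy refresh points at the pushed file replacing local fixes.
    Write-Warning "Local key database differs from the reference (last written $($local.LastWriteTime))."
} else {
    Write-Output 'Local key database matches the reference copy.'
}

# Word/Excel processes started before the file last changed may still hold the old
# certificate state; list them so they can be closed before retrying the ODBC test.
$stale = Get-Process -Name WINWORD, EXCEL -ErrorAction SilentlyContinue |
    Where-Object { $_.StartTime -lt $local.LastWriteTime }
if ($stale) {
    Write-Warning 'These Office processes predate the current key database:'
    $stale | Format-Table Name, Id, StartTime -AutoSize
}
```

Running it before and after a Group Policy refresh shows whether the policy is the source of the replacement.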





This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
