- What licensed program do I need installed for SSL to work?
You'll need to make sure you have cryptographic support installed. This is a free product from IBM. Contact your IBM Business Partner and they should be able to get it to you. Here are the Licensed Program details:
5722AC3 Crypto Access Provider 128-bit for AS/400
- I'm receiving the error "Error performing SSL handshake. There is no error. RC(23) errno()." How can I fix this?
This error is saying that you don't have the proper Certificate Authority(ies) (CAs) installed on your machine in order to communicate over SSL with the web service you are using. You'll need to install the CAs required for this.
This page will provide instructions on how this is done.
- I'm receiving an error like "Error during initializing SSL. Permission Denied. RC(10) errno(3401)". What do I need to do to fix this?
This is because the user that is making the request does not have the proper authorities to the SSL keyring files and/or directory that are located in the IFS. The keyring files (on most systems) can be found by using the following command:
You will need to grant at least *RX authority to the directory and *R authority to the objects contained within the directory for the users that you want to be able to use SSL features. Normally granting *PUBLIC these authorities will be good enough.
- Other Common SSL Return Codes
- -2 - SSL_ERROR_NO_CERTIFICATE - This error normally occurs when you are communicating with a server that requires that you use a client side certificate and one has not been provided. This is normally done by creating an application ID in Digital Certificate Manager (DCM) and assigning the client side certificate you were supplied to this application ID. You then specify the application ID on the client (such as GETURI) that you are using.
- -10 - SSL_ERROR_IO - See the above note for this about permissions to the keyring files and/or directories..
- -11 or -16 - SSL_ERROR_BAD_MESSAGE or SSL_ERROR_BAD_PEER - This normally occurs when you don't specify the proper port when communicating via SSL. For example, with GETURI the default port is 80, even if you specify SSL(*YES). So, we often see this return code when the port is not changed to 443 for SSL communications.
- -13 - SSL_ERROR_NOT_SUPPORTED - This normally means that the SSL Certificate used by the server is not compatible with the available cipher suites set up on your system. This is rare unless you're on an old or unsupported OS version (maybe even V7R1). See this article for a possible workaround.
- -23 - SSL_ERROR_NOT_TRUSTED_ROOT - See the above note about this error.
- -24 - SSL_ERROR_CERT_EXPIRED - This normally means that you have a Certificate Authority (CA) or a certificate (self-signed or signed by a trusted authority) that has expired. On V6R1 and up in Digital Certificate Manager (DCM) when viewing CAs or certificates there is a "Check Expiration" button you can click to view expired CAs and/or Certificates. Even if this CA or Certificate(s) that is expired has nothing to do with your application, it can cause issues. (Don't ask me why). Delete the expired CA(s) and/or certificates(s) and you should be back in action.
- -93 - SSL_ERROR_NOT_AVAILABLE - This error usually occurs when you have not yet set up your *SYSTEM certificate Store. Click Here for more information on performing this function.
- -95 - SSL_ERROR_NO_KEYRING - This error is similar to -3. Make sure that you have created your *SYSTEM store and the default CAs were installed.