Installing a Certificate Authority
If you are connecting to a third-party server using RXS_getUri and the following message appears in the job log, it most likely means you need to install (import) the Certificate Authority used by the remote server's certificate.
“Error performing SSL handshake. There is no error. RC(23) errno().”
A formal list of the possible return codes is given in the table below:
Return Code    Constant Name
0 GSK_OK
4 GSK_INSUFFICIENT_STORAGE
502 GSK_WOULD_BLOCK
1 GSK_INVALID_HANDLE
2 GSK_API_NOT_AVAILABLE
3 GSK_INTERNAL_ERROR
5 GSK_INVALID_STATE
107 GSK_KEYFILE_CERT_EXPIRED
201 GSK_NO_KEYFILE_PASSWORD
202 GSK_KEYRING_OPEN_ERROR
301 GSK_CLOSE_FAILED
402 GSK_ERROR_NO_CIPHERS
403 GSK_ERROR_NO_CERTIFICATE
404 GSK_ERROR_BAD_CERTIFICATE
405 GSK_ERROR_UNSUPPORTED_CERTIFICATE_TYPE
406 GSK_ERROR_IO
407 GSK_ERROR_BAD_KEYFILE_LABEL
408 GSK_ERROR_BAD_KEYFILE_PASSWORD
409 GSK_ERROR_BAD_KEY_LEN_FOR_EXPORT
410 GSK_ERROR_BAD_MESSAGE
411 GSK_ERROR_BAD_MAC
412 GSK_ERROR_UNSUPPORTED
414 GSK_ERROR_BAD_CERT
415 GSK_ERROR_BAD_PEER
417 GSK_ERROR_SELF_SIGNED
420 GSK_ERROR_SOCKET_CLOSED
421 GSK_ERROR_BAD_V2_CIPHER
422 GSK_ERROR_BAD_V3_CIPHER
428 GSK_ERROR_NO_PRIVATE_KEY
501 GSK_INVALID_BUFFER_SIZE
601 GSK_ERROR_NOT_SSLV3
602 GSK_MISC_INVALID_ID
701 GSK_ATTRIBUTE_INVALID_ID
702 GSK_ATTRIBUTE_INVALID_LENGTH
703 GSK_ATTRIBUTE_INVALID_ENUMERATION
705 GSK_ATTRIBUTE_INVALID_NUMERIC
6000 GSK_OS400_ERROR_NOT_TRUSTED_ROOT
6001 GSK_OS400_ERROR_PASSWORD_EXPIRED
6002 GSK_OS400_ERROR_NOT_REGISTERED
6003 GSK_OS400_ERROR_NO_ACCESS
6004 GSK_OS400_ERROR_CLOSED
6005 GSK_OS400_ERROR_NO_CERTIFICATE_AUTHORITIES
6007 GSK_OS400_ERROR_NO_INITIALIZE
6008 GSK_OS400_ERROR_ALREADY_SECURE
6009 GSK_OS400_ERROR_NOT_TCP
6010 GSK_OS400_ERROR_INVALID_POINTER
6011 GSK_OS400_ERROR_TIMED_OUT
6012 GSK_OS400_ASYNCHRONOUS_RECV
6013 GSK_OS400_ASYNCHRONOUS_SEND
6014 GSK_OS400_ERROR_INVALID_OVERLAPPEDIO_T
6015 GSK_OS400_ERROR_INVALID_IOCOMPLETIONPORT
6016 GSK_OS400_ERROR_BAD_SOCKET_DESCRIPTOR
6017 GSK_OS400_ERROR_CERTIFICATE_REVOKED
6018 GSK_OS400_ERROR_CRL_INVALID
6019 GSK_OS400_ASYNCHRONOUS_SOC_INIT
0 Successful return
-1 SSL_ERROR_NO_CIPHERS
-2 SSL_ERROR_NO_CERTIFICATE
-4 SSL_ERROR_BAD_CERTIFICATE
-6 SSL_ERROR_UNSUPPORTED_CERTIFICATE_TYPE
-10 SSL_ERROR_IO
-11 SSL_ERROR_BAD_MESSAGE
-12 SSL_ERROR_BAD_MAC
-13 SSL_ERROR_UNSUPPORTED
-15 SSL_ERROR_BAD_CERT (map to -4)
-16 SSL_ERROR_BAD_PEER (map to -11)
-18 SSL_ERROR_SELF_SIGNED
-21 SSL_ERROR_BAD_STATE
-22 SSL_ERROR_SOCKET_CLOSED
-23 SSL_ERROR_NOT_TRUSTED_ROOT
-24 SSL_ERROR_CERT_EXPIRED
-26 SSL_ERROR_BAD_KEY_LEN_FOR_EXPORT
-91 SSL_ERROR_KEYPASSWORD_EXPIRED
-92 SSL_ERROR_CERTIFICATE_REJECTED
-93 SSL_ERROR_SSL_NOT_AVAILABLE
-94 SSL_ERROR_NO_INIT
-95 SSL_ERROR_NO_KEYRING
-97 SSL_ERROR_BAD_CIPHER_SUITE
-98 SSL_ERROR_CLOSED
-99 SSL_ERROR_UNKNOWN
-1009 SSL_ERROR_NOT_REGISTERED
-1011 SSL_ERROR_NO_CERTIFICATE_AUTHORITIES
-9998 SSL_ERROR_NO_REUSE
In the job log message above the return code is RC(23); look it up in the table as -23 (always add the negative sign).
The error is “SSL_ERROR_NOT_TRUSTED_ROOT”.
This means the remote server's certificate was issued by a Certificate Authority that is not installed in your iSeries certificate store. By default IBM ships the most popular Certificate Authorities with the iSeries (e.g. VeriSign, Thawte, Equifax).
To fix this you need to obtain the CA certificate and install it on your iSeries through the Digital Certificate Manager (DCM), which runs in the *ADMIN instance of the IBM HTTP Server.
The following is an example using a UPS URL; replace it with your own:
To obtain the certificate, open https://wwwcie.ups.com/ups.app/xml/AV in Internet Explorer. You will notice a padlock in the lower right of the window. Double-click this padlock and the following Certificate window appears.


Click the Certification Path tab to view the different signers of this certificate. In this case we have two signers, GTE Cyber Trust and Akamai. With GTE highlighted, click the View Certificate button.

A new Certificate window opens; click the Details tab and you should see a window like the following. Click the Copy to File button, which starts the export wizard.

Click the Next button.

Leave DER encoded binary X.509 (.CER) selected and click the Next button.

You will be prompted to save the file; browse to your desktop and save it with the name ups_GTE.cer, as shown in the following screenshot:

Now repeat the process: close all dialogs, go back to the original browser window, double-click the padlock again, and this time select Akamai and then the View Certificate button. Name this exported certificate ups_Akamai.cer.
Upload the .cer files to your iSeries via FTP (or other means; transfer them in binary mode, since DER files are binary) and place them in /home (or another folder of your choice; just remember where you put them).
Next log into the *ADMIN instance of the IBM HTTP server and select the Digital Certificate Manager as shown below.

Once logged into DCM, click the Select a Certificate Store button at the far left of the page.
Then select the *SYSTEM store and click the Continue button. If the *SYSTEM store is not shown, you will need to create it first (refer to www.rpg-xml.com for setting up SSL).

You will then be prompted for your password. Enter it and click the Continue button.

Back in the left navigation pane, click the Expand All button.
Next click the Work with CA certificates link in the left navigation pane. You will now see a screen listing all of the Certificate Authorities installed in the *SYSTEM store on your machine. As you scan through them you SHOULD NOT see the name of the company whose certificate you exported above (in this example GTE and/or Akamai).
Click the Import button.
Enter the path of the file you uploaded via FTP. Note that when there are multiple nested levels of certificates, as in our example, you must import the highest level (the root) first, so that each certificate's issuer is already in the store when it is imported. In this case import ups_GTE.cer first and then ups_Akamai.cer. The screenshot below shows how to import the ups_GTE.cer certificate; repeat the process by clicking the Import button again for ups_Akamai.cer.
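The browser export steps above and the "highest level first" import order can be prepared from any machine that has the openssl command-line tool. The shell function below is an added example, not part of the original article or of RXS: it takes a PEM bundle such as the output of "openssl s_client -connect host:443 -showcerts" and writes one DER .cer file per certificate, numbered from the top of the chain downwards, which is the order DCM needs them imported in. The bundle file name, output directory and file prefix are arguments chosen by the caller.

```shell
#!/bin/sh
# Added example (not part of the original article). Splits a PEM bundle of
# certificates, such as the output of "openssl s_client -showcerts" (server
# certificate first, then its signers), into one DER-encoded .cer file per
# certificate, numbered from the top of the chain downwards. That is the order
# DCM needs: the highest-level CA is imported first. Requires the openssl CLI.
#
# usage: split_chain_top_first bundle.pem outdir prefix
#   writes outdir/prefix_1.cer (top-most signer), prefix_2.cer, ...; the last
#   file is the server's own certificate, which does not need importing.
split_chain_top_first() {
    bundle=$1; outdir=$2; prefix=$3
    tmp=$(mktemp -d); mkdir -p "$outdir"
    # 1. cut the bundle into one PEM file per certificate block; text between
    #    blocks (s_client chatter, "s:/i:" lines) is dropped
    awk -v d="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/c%02d.pem", d, n); in_cert = 1 }
        in_cert { print > f }
        /-----END CERTIFICATE-----/ { in_cert = 0 }' "$bundle"
    # 2. index every certificate as "file subject_hash issuer_hash"; matching
    #    issuer_hash to subject_hash links a certificate to its signer
    : > "$tmp/index"
    for f in "$tmp"/c*.pem; do
        [ -e "$f" ] || { echo "no certificates found in $bundle" >&2; rm -rf "$tmp"; return 1; }
        echo "$f $(openssl x509 -in "$f" -noout -subject_hash) $(openssl x509 -in "$f" -noout -issuer_hash)" >> "$tmp/index"
    done
    total=$(($(wc -l < "$tmp/index")))
    # 3. the top of the chain is the certificate that no *other* certificate in
    #    the bundle issued: a self-signed root, or, when the server does not
    #    send its root, the highest signer it did send
    top=""
    while read -r f sh ih; do
        awk -v me="$f" -v h="$ih" '$1 != me && $2 == h { hit = 1 } END { exit hit ? 0 : 1 }' "$tmp/index" || top=$f
    done < "$tmp/index"
    # 4. walk down: export the current certificate as DER, then move on to the
    #    certificate it issued; stop at the leaf or after $total steps
    n=0
    while [ -n "$top" ] && [ "$n" -lt "$total" ]; do
        n=$((n + 1))
        openssl x509 -in "$top" -outform DER -out "$outdir/${prefix}_$n.cer"
        sh=$(openssl x509 -in "$top" -noout -subject_hash)
        top=$(awk -v me="$top" -v h="$sh" '$1 != me && $3 == h { print $1; exit }' "$tmp/index")
    done
    rm -rf "$tmp"
    [ "$n" -gt 0 ]
}
```

The numbered files are then uploaded in binary mode and imported into the *SYSTEM store in ascending order, exactly as the article does by hand with ups_GTE.cer and then ups_Akamai.cer.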

That’s it! Now go back and run the program that makes the RXS_getUri call to the URL that was producing the error, to confirm the correct certificates were installed.