Setting SSL Store Permissions
Published: 2024-05-15
When calling a remote web service that uses SSL (i.e. the URL starts with https) MDRest4i is using the SSL related components of the IBM i GSK API's underneath the covers, and in turn those API’s are accessing system objects that are locked up fairly tight by default.
The most common errors are with SSL permission issues (you can see errors in the job log of the user trying to run the consumer program).
To correct this you need to provide the *PUBLIC profile access to what are called the keyring SSL files. You can locate your keyring files in the IFS by running the following command:
WRKLNK '/QIBM/UserData/ICSS/Cert/Server'
You should then see files DEFAULT.KDB and DEFAULT.RDB as show in the below screen shot. If you don’t see those files then you probably have not run SSL setup on your IBM i yet. If so, do this first.
Take an option 9 on each of the DEFAULT.* files and give *PUBLIC a Data Authority of *R as shown in the below screen shot:
The last step is to change the Data Authority on folder /QIBM/UserData/ICSS/Cert/Server for profile *PUBLIC to be *RX. Use the following command to view the …/Server folder:
WRKLNK '/QIBM/UserData/ICSS/Cert/Server'
Next take option 9 on the …/Server folder and give *PUBLIC a Data Authority of *RX as shown in the screen shot below:
That’s it! Now go back and re-run the program under the profile that was having permission issues to ensure it is running correctly.