Configuring SSL Permissions

When you call a remote web service that uses SSL (i.e. the URL starts with https), RPG API Express uses the SSL-related components of the underlying IBM APIs. Those IBM APIs in turn access system objects that are locked down fairly tightly by default.

The most common scenario we come across is a developer who creates a program that calls a remote web service that uses SSL. Everything works fine for the developer during testing, but when other people use the same program it fails with SSL permission errors (you can see the errors in the job log of the user trying to run the program).

To rectify the issue, you need to give the *PUBLIC profile access to the SSL keyring files. You can locate your keyring files in the IFS by running the following command:

WRKLNK '/QIBM/UserData/ICSS/Cert/Server/*'

You should then see the files DEFAULT.KDB and DEFAULT.RDB, as shown in the screen shot below. If you don’t see those files, then you probably don’t have SSL set up on your IBM i.

Take option 9 on each of the DEFAULT.* files and give *PUBLIC a Data Authority of *R, as shown in the screen shot below:

The last step is to change the Data Authority on the folder /QIBM/UserData/ICSS/Cert/Server for profile *PUBLIC to *RX. Use the following command to view the …/Server folder:

WRKLNK '/QIBM/UserData/ICSS/Cert/Server'

Next take option 9 on the …/Server folder and give *PUBLIC a Data Authority of *RX as shown in the screen shot below:

That’s it! Now go back and re-run the program under the profile that was having permission issues to ensure it is running correctly.
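
The same authority changes can be scripted instead of taking option 9 on each object. The CL program below is an added example, not part of the original page or of RPG API Express; it uses the standard CHGAUT and DSPAUT commands with the paths and authority values given above, and the message text is made up for illustration.

```cl
/* Added example: scripted equivalent of the WRKLNK option 9 steps.   */
/* Paths and authorities are the ones given on this page.             */
/* USER(*PUBLIC) follows the page; CHGAUT also accepts a named        */
/* user profile in the USER parameter.                                */
PGM

  /* Keyring files: give *PUBLIC a Data Authority of *R.              */
  /* If a file is missing or the caller lacks authority, stop and     */
  /* point the operator at the job log.                               */
  CHGAUT OBJ('/QIBM/UserData/ICSS/Cert/Server/DEFAULT.KDB') +
         USER(*PUBLIC) DTAAUT(*R)
  MONMSG MSGID(CPF0000) EXEC(GOTO CMDLBL(FAILED))

  CHGAUT OBJ('/QIBM/UserData/ICSS/Cert/Server/DEFAULT.RDB') +
         USER(*PUBLIC) DTAAUT(*R)
  MONMSG MSGID(CPF0000) EXEC(GOTO CMDLBL(FAILED))

  /* Containing folder: give *PUBLIC a Data Authority of *RX.         */
  CHGAUT OBJ('/QIBM/UserData/ICSS/Cert/Server') +
         USER(*PUBLIC) DTAAUT(*RX)
  MONMSG MSGID(CPF0000) EXEC(GOTO CMDLBL(FAILED))

  /* Show the resulting authorities so the change can be reviewed.    */
  DSPAUT OBJ('/QIBM/UserData/ICSS/Cert/Server/DEFAULT.KDB')
  DSPAUT OBJ('/QIBM/UserData/ICSS/Cert/Server/DEFAULT.RDB')
  DSPAUT OBJ('/QIBM/UserData/ICSS/Cert/Server')
  RETURN

FAILED:
  /* Constructed message text. A missing DEFAULT.* file usually means */
  /* SSL has not been set up on this system.                          */
  SNDPGMMSG MSG('Could not change authority on the SSL keyring +
                 objects. Check the job log for the cause.')

ENDPGM
```

Run it under a profile that is allowed to change authority on these objects; DSPAUT lists every profile with access, so it also shows what was already granted before the change.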