SSL connection to DB2 [AS400] from BTS

Hello,

We are trying to make an SSL connection to DB2 [AS400-Iseries] from Biztalk 2010. We used a .UDL file to test the connection from our Win Server 2008 R2 Enterprise edition. The connection is successful when we connect using the port 446. But we are getting an "Access denied" error when we use the port 448 with the certificate name.

From the trace we got the following information.

State Transition 8/8/2014 15:24:57.149 Instantiating underlying TcpClient 11124 12116 10 DRDADriverConnect managedssltcpclient.cpp 0
State Transition 8/8/2014 15:24:57.883 Failed to connect using ManagedSslTcpClient 11124 12116 54 DRDADriverConnect managedssltcpclient.cpp 0
State Transition 8/8/2014 15:24:57.883 A TCPIP socket error has occured (5): Access is denied.
 11124 12116 73 DRDADriverConnect messages.cpp 0
State Transition 8/8/2014 15:24:57.883 DRDA AR message: Severity: Error, SQLSTATE: 08S01 11124 12116 48 DRDADriverConnect messagesync.h 0
State Transition 8/8/2014 15:24:57.883 Disposing ManagedSslTcpClient 11124 12116 19 DRDADriverConnect managedssltcpclient.cpp 0
State Transition 8/8/2014 15:24:57.883 Disposing TCP Manager 11124 12116 76 DRDADriverConnect tcpmanager.cpp 0

We are using the following connection string to test our connection.

[oledb]
; Everything after this line is an OLE DB initstring
Provider=DB2OLEDB;Cache Authentication=False;Password=*****;Persist Security Info=True;User ID=****;Initial Catalog=****;Authentication=Server;Defer Prepare=False;Binary Codepage=0;DateTime As Char=False;Use Early Metadata=False;Derive Parameters=False;Rowset Cache Size=0;Network Transport Library=TCPIP;Host CCSID=37;PC Code Page=1252;Max Pool Size=100;Network Address=OSMSOUTH;Network Port=446;Package Collection=MICSDEV;Default Schema=MICSDEV;DBMS Platform=DB2/AS400;Process Binary as Character=True;DateTime As Date=False;AutoCommit=True;Connection Pooling=True;Units of Work=RUW

Any advice on this issue or any pointers to get us in the right direction will be highly appreciated.


Thanks
Vijay.

August 8th, 2014 10:57pm

A support case for this issue was opened and the issue was finally resolved. While troubleshooting, we saw that initially, during the TLS/SSL handshake, the iSeries (AS/400) was not returning the certificate in the "Hello Server" step of the handshake.

Later, another certificate was created on the AS/400 and exported for use on the Windows System where the DB2 Provider was installed. The same error occurred, but this time we saw that the certificate was returned by the AS/400 in the "Hello Server" command. The cause of the final error was that there were two certificates returned in the "Hello Server" command and one of those was no longer "trusted" on the Windows side so there was a problem when trying to use that certificate. The certificate was imported again on the Windows side and this resolved the issue.

In general, the following steps need to be done in order to use SSL between a Windows system using the Microsoft OLE DB Provider for DB2 (included with Host Integration Server or the SQL Server Feature Pack) and DB2/400:

- Create and export a certificate on the AS/400 using the Digital Certificate Manager (DCM). See IBM documentation for details on the DCM.

- Copy the exported certificate to the Windows system where the DB2 Provider is installed.

- Import the certificate in the Certificates MMC snap-in under Current User -> Trusted Root Certification Authorities -> Certificates. Check the certificate status within the certificate itself to make sure no errors are detected.

- Configure the DB2 connection string (UDL) to include the Common Certificate Name and specify the SSL-enabled TCP/IP port (default is port 448) that DB2 is using.

Thanks...

August 18th, 2014 10:44pm
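The import-and-status-check steps and the handshake diagnosis described in the answer above, as one added PowerShell example. This is not code from the thread, from IBM or from Host Integration Server; it assumes the exported DER file sits at a placeholder path (C:\temp\as400-db2.der) and that the caller supplies the AS/400 host name and the SSL port (448 by default). The handshake part records every certificate the server presents and how Windows judges the chain, which is the information that turned out to matter in the support case.

```powershell
# Added example (not from the thread). Step 1: import the exported AS/400 certificate
# into Trusted Root Certification Authorities and verify its status, as the answer describes.
param(
    [string]$CertPath      = 'C:\temp\as400-db2.der',   # placeholder path to the exported certificate
    [string]$StoreLocation = 'CurrentUser'              # or 'LocalMachine'
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)

# The Common Name (CN) of the subject is the value the DB2 provider expects as the
# certificate name in the connection string.
$cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
Write-Host "Subject CN: $cn"
Write-Host "Thumbprint: $($cert.Thumbprint)"
Write-Host "Valid:      $($cert.NotBefore) to $($cert.NotAfter)"

# Import into <StoreLocation>\Root only if the thumbprint is not already present.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', $StoreLocation)
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
$existing = $store.Certificates.Find(
    [System.Security.Cryptography.X509Certificates.X509FindType]::FindByThumbprint, $cert.Thumbprint, $false)
if ($existing.Count -eq 0) {
    $store.Add($cert)
    Write-Host "Imported into $StoreLocation\Root"
} else {
    Write-Host "Already present in $StoreLocation\Root"
}
$store.Close()

# Build the chain; this is the same check the MMC 'Certificate status' field reports.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if ($chain.Build($cert)) {
    Write-Host "Certificate chain OK"
} else {
    foreach ($s in $chain.ChainStatus) { Write-Warning ("{0}: {1}" -f $s.Status, $s.StatusInformation.Trim()) }
}

# Step 2: open a TLS session to the DB2 SSL port and report every certificate the
# server presents, together with the per-element chain status Windows computes.
function Test-Db2SslHandshake {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 448)

    # Validation callback: print what the server sent, then return $true so the
    # handshake completes and can be inspected. Diagnosis only; the DB2 provider
    # itself still validates normally.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $sslPolicyErrors)
        Write-Host "Policy errors: $sslPolicyErrors"
        Write-Host "Certificates presented by the server: $($chain.ChainElements.Count)"
        foreach ($el in $chain.ChainElements) {
            Write-Host ("  {0}  thumbprint {1}" -f $el.Certificate.Subject, $el.Certificate.Thumbprint)
            foreach ($s in $el.ChainElementStatus) {
                Write-Warning ("    {0}: {1}" -f $s.Status, $s.StatusInformation.Trim())
            }
        }
        return $true
    }

    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    try {
        $ssl.AuthenticateAsClient($HostName)
        Write-Host ("Negotiated {0} with cipher {1}" -f $ssl.SslProtocol, $ssl.CipherAlgorithm)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        Write-Host ("Server leaf CN: {0}" -f $leaf.GetNameInfo('SimpleName', $false))
    } catch {
        # A server that sends no certificate at all fails here, as in the first support-case symptom.
        Write-Warning ("Handshake failed: {0}" -f $_.Exception.Message)
    } finally {
        $ssl.Dispose()
        $tcp.Close()
    }
}

# Usage (host name is a placeholder for the AS/400 in the connection string's Network Address):
# Test-Db2SslHandshake -HostName 'OSMSOUTH' -Port 448
```

Run the script once per store location you intend to use (the provider can run under a service account, in which case LocalMachine\Root is the store that matters), then call Test-Db2SslHandshake against the DB2 host. A warning such as UntrustedRoot or PartialChain on one of the listed elements points at the situation the answer describes, where the server presents more than one certificate and one of them is not trusted on the Windows side; re-importing that certificate is the fix the thread arrived at.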

Thanks Stephen, this is helpful. In my scenario, we have BizTalk 2013 R2 and try to connect to DB2/MVS using SSL certificate. We installed Microsoft HIS 2013 server to get the BizTalk adapter for host systems (for DB2). I did the same thing as you mentioned:

- exported the certificate in .der format and copied it to the Windows system (C:\Program Files\Microsoft Host Integration Server 2013\system and the SysWOW64 folder)

- imported the certificate into Trusted Root Certification Authorities->Certificates for the current user and for the local computer

- configured the DB2 connection to include the common certificate name (if I double-click the certificate, go to Details and click on Subject, the first value, CN, is the common name. Am I correct?)

When I test the connection it always gives me this error: "could not connect to data source 'New data source' A TCPIP socket error has occurred (5): Access is denied."

I used portqry to check the connection but it says Listening so no issues with the connection.

I am stuck at this point, any help would be greatly appreciated.

Thanks,

February 5th, 2015 10:24pm

This is resolved. Common certificate name was wrong.

I don't think this step is required:

- copy the exported certificate to the windows system where DB2 provider is installed.

Only import to Trusted Root Certificate Authorities is required.

Thanks,

Abhi

February 11th, 2015 10:28am
