How to Protect Secure Websites & APIs from Certificates Expiring

If you have encrypted your website, API, Telnet server, or other service with TLS (SSL), good for you!

Now, do you know when those certificates will expire? If they expire without renewal, your service could become unavailable without warning.

In the past, to find expiration dates for digital certificates on IBM i, you’d either have to look in the Digital Certificate Manager (DCM), call the Retrieve Certificate Information (QYCURTVCI, QycuRetrieveCertificateInfo) API, or keep extremely good notes!

CERTIFICATE_INFO, an IBM i service recently delivered by IBM, solves all this. This SQL table function, documented here, returns a result table that contains information about server or Certificate Authority (CA) certificates, including their expiration date.

Here’s how to use CERTIFICATE_INFO to find expiring certificates.

Read more

Basic Authentication Credentials are Encrypted with TLS

You may have heard claims that HTTP “basic” authentication (classic user/password popup prompt or via an API call) leaves credentials unencrypted and exposed. While it’s true that basic auth itself doesn’t encrypt credentials, this doesn’t matter in practice.

Modern sites and APIs should be using HTTPS, which encrypts everything over the wire, protecting basic authentication credentials in transit. This article will explain why that’s the case.

Read more

Encrypting IBM i ODBC Connections from Linux with TLS/SSL

ODBC connections between Linux and IBM i should be encrypted to keep their Db2 data safe in transit.

To encrypt ODBC data, IBM recommends the industry-standard TLS encryption protocol (the successor to SSL).

Read more

How to Validate Self-Signed SSL / TLS Certificates from IBM i

(Co-authored by Gautier Dumas and Calvin Buckley)

When we use open source languages such as PHP, Python, and Node.js on IBM i to help companies build and access APIs and other resources, we expect these resources to be protected with encryption (for example, the https:// protocol). Further protection is provided by an SSL / TLS certificate that can be authorized, or signed, by a popular certificate authority such as Verisign, Comodo, or Let’s Encrypt, or signed internally by the company itself.

Self-signed certificates are most useful in situations where public trust of a certificate is unnecessary, such as:

Read more

Free encryption for Node.js on IBM i

When you browse a secure web site or API whose address starts with “https,” what makes the site secure? The site uses a special certificate, provided by a trusted Certificate Authority (CA), to prove that it is legitimate. Until recently, IT shops had to pay for these certificates and generate them manually.

In the last few years, Let’s Encrypt has earned the thanks of technology professionals. Let’s Encrypt, a CA run for the public’s benefit, offers certificates at no charge, along with scripts to generate and regenerate certificates as needed, reducing the effort of keeping certificates up to date, and keeping sites secure.

Read more