Mar 23

Retrieving list of messages and displaying in PHP

We have been looking at how to display the messages generated by our products to allow the user to view them. Generating a list of the messages and the first level text was pretty simple, but we wanted to be able to retrieve the first and second level text from the message after it has been selected. The reason we wanted to do it this way was to reduce the data being sent between the systems. We have the Easycom Server running on both systems, so we use the functionality provided by it to call the required programs and generate the data. We are also running this from the iAMP Server, which is running on one of the systems and calling Easycom on both systems. We think this is a great solution as it allows us to pull data from any IBMi system running Easycom which we have access to.

The first list is generated by a program call which creates a list of the messages in the queue using the QGYOLMSG API; this allows us to get all the messages at once and return them to the PHP page. Once the list has been built we then needed to be able to get the individual message information back. To do this we have to use the QMHLSTM API, which allows us to pull a single message back using a message key which we had received using the QGYOLMSG API.

After some head scratching we finally found a way to get the message key passed into the QMHLSTM API in the correct format (the key is converted when being passed back to the PHP page so we had to convert it back to HEX from Character String) and the results are pretty swish even if I do say so myself…

Here is an image showing the list of messages retrieved in the first call, this is from our High Availability Product HA4i but we also have the same process installed for JobQGenie and DR4i.

[Image: Message Listings]

The Display link in the left hand column links to a new page which displays the following. We took a CPF message and not one of the HA4i Messages to show the second level text it retrieves.

[Image: Message Details]

And that’s it, we can now display the content of the message queues very elegantly (OK so the CSS is not brilliant) and effectively. Application modernization at its best.

Chris…

Mar 20

New version of iAMP Server available with updated content

A new version of iAMP Server is available from Aura Equipments which updates the PHP and MySQL content. See the full details on the Forums using the following Link.

Always get the latest versions by using iAMP Server and do not be forced to wait for IBM or Zend updates to get to the latest and greatest technology.

Chris…

Mar 19

iAMP Server and Server Certificates

We had been asked by a prospect for iAMP how they should go about configuring and installing SSL Certificates for the iAMP server. They had already found some information about creating and installing the certificates as it pertained to other platforms but not for the IBM i. Here is a link to the information we used as a basis for our setup.

Using the information provided we were able to create the setup for the iAMP server and now have a running server which serves both secure and non secure webpages.

First of all we had to create the directories we were going to use to generate the certificates. We decided on /usr/local/sslcert as the base directory for the certificates to be generated. Create the directories using the following commands from an IBMi command line.


mkdir '/usr/local/sslcert'
mkdir '/usr/local/sslcert/certs'
mkdir '/usr/local/sslcert/private'

Next we needed to create the files used by the process, it is important these are created in ASCII format so DO NOT use the IBMi commands (EDTF etc) to create them. We used notepad on a PC and transferred the files to the relevant directory on the IBMi using FTP.

First of all we need the config file. Here is the sample we used; the bold items need to be filled in by you. We named it openssl.cnf as per the instructions.

#
# OpenSSL configuration file.
#

# Establish working directory.

dir = .

[ ca ]
default_ca = CA_default

[ CA_default ]
serial = $dir/serial
database = $dir/certindex.txt
new_certs_dir = $dir/certs
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 365
default_md = md5
preserve = no
email_in_dn = no
nameopt = default_ca
certopt = default_ca
policy = policy_match

[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
default_bits = 1024 # Size of keys
default_keyfile = key.pem # name of generated keys
default_md = md5 # message digest algorithm
string_mask = nombstr # permitted characters
distinguished_name = req_distinguished_name
req_extensions = v3_req

[ req_distinguished_name ]
# Variable name Prompt string
#------------------------- ----------------------------------
0.organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (department, division)
emailAddress = Email Address
emailAddress_max = 40
localityName = Locality Name (city, district)
stateOrProvinceName = State or Province Name (full name)
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
commonName = Common Name (hostname, IP, or your name)
commonName_max = 64

# Default values for the above, for consistency and less typing.
# Variable name Value
#------------------------- ------------------------------
0.organizationName_default = Shield Advanced Solutions Ltd
localityName_default = Caledon
stateOrProvinceName_default = Ontario
countryName_default = CA

[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always

[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash

The bolded items are simply shown as defaults when the request to build the keys is carried out. You can override these values when the command runs as well; having them in the file just allows you to press Enter when these values are required, which is useful when you generate lots of certificates.
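
The sample configuration above sets default_md = md5 and default_bits = 1024; MD5 is broken for certificate signatures and 1024-bit RSA is below the 2048-bit minimum in current guidance. The check below is an added example, not part of the original post, that lists such settings in an OpenSSL configuration file; the function name and the thresholds are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original post: list weak digest and key-size
# settings in an OpenSSL configuration file. The thresholds (SHA-256 family,
# RSA 2048 bits) are this example's assumptions.

lint_openssl_cnf() {
    # $1 = config file. Prints one finding per line; returns 1 if any were found.
    awk '
        { sub(/#.*/, "") }                  # strip full-line and inline comments
        /^[ \t]*\[/ {                       # section header such as "[ req ]"
            gsub(/\[|\]|[ \t]/, "")
            section = $0
            next
        }
        /=/ {
            key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
            val = $0; sub(/^[^=]*=/, "", val); gsub(/[ \t]/, "", val)
            if (key == "default_md" && tolower(val) ~ /^(md2|md4|md5|sha1)$/) {
                printf "[%s] default_md = %s: use sha256 or stronger\n", section, val
                bad = 1
            }
            if (key == "default_bits" && val + 0 < 2048) {
                printf "[%s] default_bits = %s: use 2048 or more\n", section, val
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Run against a file when one is given on the command line.
if [ $# -gt 0 ]; then
    lint_openssl_cnf "$1"
fi
```

Run from the sslcert directory as "sh lint.sh ./openssl.cnf" (lint.sh is a hypothetical file name); both [ CA_default ] and [ req ] need changing, because the first governs what "openssl ca" signs with and the second what "openssl req" generates.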

Next we need to create the file which stores the serial number in it. This is going to be called serial (note it does not have a type such as .txt etc) and simply has the serial number assigned to the certificate. Again we used the 100001 serial number as suggested in the linked information.

The other document we created was certindex.txt, there is no content for this file.

Once we had created these files we used FTP to copy them to the /usr/local/sslcert directory on the IBMi.

Now to create the actual certificates. We need to use the PASE environment to access the openssl commands so on a command line issue the following command.


CALL QP2TERM

Now change the directory using the following command.

cd /usr/local/sslcert

Now we are ready to build the certificates.
Here is the command we ran in the QP2TERM environment, note we were still in the /usr/local/sslcert directory.

openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 365 -config ./openssl.cnf

As the request runs you will see the following prompts returned.

Generating a 1024 bit RSA private key
……………………………….++++++
…………………….++++++
unable to write 'random state'
writing new private key to 'private/cakey.pem'
Enter PEM pass phrase:
You need to enter your pass phrase here, make sure you remember it and keep it in a safe place. You will be asked to repeat it.
Verifying - Enter PEM pass phrase:
Repeat the previous pass phrase
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Organization Name (company) [Shield Advanced Solutions Ltd]: Note how it is reading the data from the config file, we can press enter as this is what we want to use or enter new values

Organizational Unit Name (department, division) []: We did not configure a default for this so the prompt is blank, you can enter what you want
Email Address []: Same as above no default so enter an email address associated with the company who people can contact about the certificate
Locality Name (city, district) [Caledon]: Predefined in the config file
State or Province Name (full name) [Ontario]: again…
Country Name (2 letter code) [CA]: ….
Common Name (hostname, IP, or your name) []: Enter a value you want here which denotes the server

If you get no errors you should now have a couple of new files.

/usr/local/sslcert/cacert.pem
/usr/local/sslcert/private/cakey.pem

Now we need to create the server certificates for the http server (the above are the ROOT certificates). It is going to use these certificates just generated to build the server certificates so make sure you have these before moving to the next stage.

To build the server certificates we ran the following commands. We are still in the sslcert directory.


openssl req -new -nodes -out name-req.pem -keyout private/name-key.pem -config ./openssl.cnf

You will be asked similar questions to above BUT remember the Common Name HAS to be the name of your server, such as “www.mysslserver.tst”, and HAS to match the name you will configure as the server name in httpd.conf. We used our server name, which is shield4.

Now we will create the certificate using the following command.

openssl ca -out name-cert.pem -config ./openssl.cnf -infiles name-req.pem

The following is a sample output.

Using configuration from ./openssl.cnf
Enter pass phrase for ./private/cakey.pem:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
organizationName :PRINTABLE:'Shield Advanced Solutions Ltd'
organizationalUnitName:PRINTABLE:'Development'
localityName :PRINTABLE:'Caledon'
stateOrProvinceName :PRINTABLE:'Ontario'
countryName :PRINTABLE:'CA'
commonName :PRINTABLE:'shield4'
Certificate is to be certified until Mar 19 13:56:23 2013 GMT (365 days)
Sign the certificate? [y/n]:
y
1 out of 1 certificate requests certified, commit? [y/n]
y
Write out database with 1 new entries
Data Base Updated
unable to write 'random state'

We saw the unable to write random state but the certificates were created?
So now we have to change the config files for the iAMP server to allow it to run the SSL config. In the httpd.conf file, which is located in the web server config directory (/www/iamp/conf if you took the defaults), we need to enable the import of the SSL config file. This is a simple task of un-commenting the line 'Include conf/extra/httpd-ssl.conf' by removing the '#' from the beginning.
Now we will install a couple of new directories where we will store the certificates, use the following commands on an IBMi command line.

MKDIR '/www/iamp/conf/ssl.crt/'
MKDIR '/www/iamp/conf/ssl.key/'

Now you can copy the certificates into the relevant directories. This can be done through the copy option when viewing the IFS or the following commands.

CPY OBJ('/usr/local/sslcert/private/name-key.pem') TODIR('/www/iamp/conf/ssl.key/')
CPY OBJ('/usr/local/sslcert/name-cert.pem') TODIR('/www/iamp/conf/ssl.crt/')

The config file '/www/iamp/conf/extra/httpd-ssl.conf' now needs to be changed to point to the correct certificates and keys. Open the config file in the editor and make the following changes.
The virtual host container can be changed to the following. Change the information to match what you entered as the Common Name for the ServerName or it will reject the start request. We created a sub directory in the htdocs directory to just hold the ssl server pages.

DocumentRoot "/www/iamp/htdocs/sslsrv"
ServerName shield4

Change the Certificate paths and names to show the following.
SSLCertificateFile "/www/iamp/conf/ssl.crt/name-cert.pem"
SSLCertificateKeyFile "/www/iamp/conf/ssl.key/name-key.pem"
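
Before the restart, the CA certificate, server certificate and server key can be checked against each other and against the ServerName. The script below is an added example, not part of the original post; it assumes the file names used above, an RSA key without a pass phrase (as created with -nodes), and openssl available in the QP2TERM shell.

```shell
#!/bin/sh
# Added example, not from the original post: check the files produced above
# before restarting the web server. Function names are this example's own.

pubkey_hash() {
    # $1 = "cert" or "key", $2 = PEM file. Prints a SHA-256 of the public key.
    case $1 in
        cert) openssl x509 -in "$2" -noout -pubkey 2>/dev/null ;;
        key)  openssl rsa -in "$2" -pubout 2>/dev/null ;;
    esac | openssl dgst -sha256
}

check_server_cert() {
    # $1 = CA certificate, $2 = server certificate, $3 = server key,
    # $4 = host name configured as ServerName.
    # Match on the ": OK" text because old openssl builds exit 0 on failure.
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$' ||
        { echo "chain: $2 does not verify against $1"; return 1; }
    [ "$(pubkey_hash cert "$2")" = "$(pubkey_hash key "$3")" ] ||
        { echo "key: $3 does not belong to $2"; return 1; }
    cn=$(openssl x509 -in "$2" -noout -subject -nameopt multiline |
         sed -n 's/^ *commonName *= *//p')
    [ "$cn" = "$4" ] ||
        { echo "name: Common Name '$cn' does not match ServerName '$4'"; return 1; }
    echo "ok: $2 chains to the CA, matches its key and names $4"
}

# Example call from /usr/local/sslcert:
#   sh check.sh cacert.pem name-cert.pem private/name-key.pem shield4
if [ $# -eq 4 ]; then
    check_server_cert "$@"
fi
```

Current browsers compare the host name with the certificate's subjectAltName entries rather than the Common Name, and the configuration above does not set any.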

Now you can save the file and restart the server. The non-secure pages will still show as before, but now when you request a connection to the https server such as "https://shield4" you will be prompted with a certificate challenge before being allowed to view the page. Accept the challenge and store the certificate, after which the required page will be displayed.

That is it, we now have iAMP server up and running with certificates generated using the openssl commands. The other choice would be to create the certificates and copy them to the location required by the server.

If you have any questions etc let us know, we are not experts on this but having been through the exercise we can show it is possible to do.

Chris…