Still the same result.
Original Message:
Sent: Thu January 02, 2025 06:46 AM
From: james colin
Subject: Informix cURL call does not reflect the OS settings - trusted CA certificates
Have you verified if Informix is using the correct CA store for cURL calls, or if there is an environment variable, like CURL_CA_BUNDLE, that needs to be set to the correct path of the trusted certificates? It's possible that Informix is not picking up the OS CA settings. Also, have you checked if there's a specific cURL configuration for Informix that overrides the default certificate store?
------------------------------
james colin
Original Message:
Sent: Thu January 02, 2025 12:40 AM
From: Ondřej Žižka
Subject: Informix cURL call does not reflect the OS settings - trusted CA certificates
Hello. Some time ago I was trying to configure the S3 without encryption for Informix backup https://community.ibm.com/community/user/datamanagement/discussion/informix-and-minio-backup-without-encryption
I configured MinIO to provide the requested encryption on the server/bucket side so that I could configure the Informix device using the onpsm command.
[informix@informix15 etc]$ onpsm -D add https://minio.example.com/test -g DBSPOOL -p HIGH -t CLOUD --creds ./aws_ks.p12 --max_part_size 25600
The device is now registered.
[informix@informix15 etc]$ onpsm -D list
Informix Primary Storage Manager Devices List

Type   Prio  Pool     Provider Name                   Keystore
CLOUD  HIGH  DBSPOOL  https://minio.example.com/test  ./aws_ks.p12
CLOUD  HIGH  LOGPOOL  https://minio.example.com/test  ./aws_ks.p12
I saw an error described in this knowledge base article (https://www.ibm.com/mysupport/s/defect/aCIKe000000Xne3/dt416256?language=en_US), so I added the variable IFX_LIBCURL_PATH to point to the current library on the operating system.
declare -x IFX_LIBCURL_PATH="/usr/lib64/libcurl.so.4"
Now... The error I see is an issue with certificates. In the PSM debug log, there is:
2024-12-31 16:49:34 2220 2218 sm_rest.c:1607 cloudS3V4ClientStart: enter
2024-12-31 16:49:34 2220 2218 sm_rest.c:633 curlSetDefaultOptions: enter
2024-12-31 16:49:34 2220 2218 sm_rest.c:698 curlSetDefaultOptions: return 0 (0x00)
2024-12-31 16:49:34 2220 2218 sm_rest.c:1727 S3 URL = 'https://minio.example.com/test/binor/rootdbs/0.8.2',
2024-12-31 16:49:34 2220 2218 sm_rest.c:1850 Adding HTTP Header 'Authorization: AWS4-HMAC-SHA256 Credential=yXy5wMX1j0kfGUgWrB4Y/20241231/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=12bdf404c69506db0c09c92206ad77242d53aa347d41b0e10c57da8895ce4677'.
2024-12-31 16:49:34 2220 2218 sm_rest.c:1855 Adding HTTP Header 'host: minio.example.com'.
2024-12-31 16:49:34 2220 2218 sm_rest.c:1860 Adding HTTP Header 'x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'.
2024-12-31 16:49:34 2220 2218 sm_rest.c:1865 Adding HTTP Header 'x-amz-date: 20241231T154934Z'.
2024-12-31 16:49:35 2220 2218 sm_rest.c:1901 ifxcurl_easy_perform() failed(60): SSL peer certificate or SSH remote key was not OK.
2024-12-31 16:49:35 2220 2218 sm_rest.c:1904 Error -88292: There is a problem with your Certification Authority (CA) certificates store.
2024-12-31 16:49:35 2220 2218 sm_rest.c:1982 cloudS3V4ClientStart is returning 60
2024-12-31 16:49:35 2220 2218 smobject.c:1541 nsmGetObjDetail: enter
2024-12-31 16:49:35 2220 2218 smobject.c:1556 nsmGetObjDetail: looking for detail with copyid = 8, seq = 3.
2024-12-31 16:49:35 2220 2218 smobject.c:1563 Error -88001: C-ISAM function 'dsmFetchDetail' returned error (17).
2024-12-31 16:49:35 2220 2218 smobject.c:1577 nsmGetObjDetail: return 17 (0x11)
I added the CA for the certificate to the trusted certificates on the operating system.
[informix@informix15 etc]$ trust list
...
pkcs11:id=%F5%65%5B%6A%0D%3F%A3%68%87%B3%BB%9B%08%70%6A%A9%87%72%7C%7A;type=cert
    type: certificate
    label: S3 CA
    trust: anchor
    category: authority
Then, when I try to check that with the Bash cURL command, everything looks OK.
[informix@informix15 etc]$ curl -vvv https://minio.example.com/
*   Trying 192.168.122.179:443...
* Connected to minio.example.com (192.168.122.179) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/pki/tls/certs/ca-bundle.crt
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Unknown (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Unknown (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Unknown (23):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.2 (IN), TLS header, Unknown (23):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Unknown (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: C=CN; ST=Prague; L=Prague; O=VUMS Legend; OU=K8S; CN=S3 certs
*  start date: Dec 31 09:35:53 2024 GMT
*  expire date: Dec 29 09:35:53 2034 GMT
*  subjectAltName: host "minio.example.com" matched cert's "*.example.com"
*  issuer: C=CN; ST=Prague; L=Prague; O=VUMS Legend; OU=K8S; CN=S3 CA
*  SSL certificate verify ok.
* TLSv1.2 (OUT), TLS header, Unknown (23):
> GET / HTTP/1.1
> Host: minio.example.com
> User-Agent: curl/7.76.1
> Accept: */*
You can see a message "SSL certificate verify ok." There is also no complaint about the certificate, and the command does not require the -k parameter for an insecure call, but I still see the error in the PSM log. I restarted the Informix machine to ensure all changes took effect.
Is there a special way to configure trusted CAs in Informix, or is there an env variable or configuration that makes the backend cURL calls run with an insecure (-k or --insecure) option?
Thank you
------------------------------
Ondřej
------------------------------
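Both posts turn on which CA store the libcurl named by IFX_LIBCURL_PATH actually uses, which can differ from the CAfile the curl command prints. The following added example (not from the thread, and not Informix code) loads a given libcurl shared object with ctypes and reads the built-in default CA bundle and CA directory that curl_version_info() reports; the path defaults to $IFX_LIBCURL_PATH and falls back to the system libcurl.

```python
import ctypes
import ctypes.util
import os

CURLVERSION_SEVENTH = 6  # struct age at which cainfo/capath were added

class CurlVersionInfo(ctypes.Structure):
    # Prefix of struct curl_version_info_data (<curl/curl.h>) up to age 6;
    # later ages only append fields, and reads are gated on `age`.
    _fields_ = [
        ("age", ctypes.c_int),
        ("version", ctypes.c_char_p),
        ("version_num", ctypes.c_uint),
        ("host", ctypes.c_char_p),
        ("features", ctypes.c_int),
        ("ssl_version", ctypes.c_char_p),
        ("ssl_version_num", ctypes.c_long),
        ("libz_version", ctypes.c_char_p),
        ("protocols", ctypes.POINTER(ctypes.c_char_p)),
        ("ares", ctypes.c_char_p), ("ares_num", ctypes.c_int),                  # age 1
        ("libidn", ctypes.c_char_p),                                             # age 2
        ("iconv_ver_num", ctypes.c_int), ("libssh_version", ctypes.c_char_p),    # age 3
        ("brotli_ver_num", ctypes.c_uint), ("brotli_version", ctypes.c_char_p),  # age 4
        ("nghttp2_ver_num", ctypes.c_uint), ("nghttp2_version", ctypes.c_char_p),
        ("quic_version", ctypes.c_char_p),                                       # age 5
        ("cainfo", ctypes.c_char_p), ("capath", ctypes.c_char_p),                # age 6
    ]

def _text(b):
    return b.decode() if b else None

def libcurl_ca_defaults(path=None):
    """Built-in CA defaults of the libcurl at `path` (default: $IFX_LIBCURL_PATH,
    else the system libcurl); returns None if no library could be loaded."""
    path = path or os.environ.get("IFX_LIBCURL_PATH") or ctypes.util.find_library("curl")
    if not path:
        return None
    try:
        lib = ctypes.CDLL(path)
    except OSError:
        return None
    lib.curl_version_info.restype = ctypes.POINTER(CurlVersionInfo)
    lib.curl_version_info.argtypes = [ctypes.c_int]
    info = lib.curl_version_info(CURLVERSION_SEVENTH).contents
    out = {"library": path, "version": _text(info.version),
           "ssl_version": _text(info.ssl_version), "cainfo": None, "capath": None}
    if info.age >= CURLVERSION_SEVENTH:  # builds older than 7.70.0 lack both fields
        out["cainfo"], out["capath"] = _text(info.cainfo), _text(info.capath)
    return out
```

Compare the reported cainfo with the CAfile line from the curl CLI; note that CURL_CA_BUNDLE is honoured by the curl command-line tool, not by libcurl, so a program embedding the library gets the built-in default unless it sets CURLOPT_CAINFO or CURLOPT_CAPATH itself.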