Debug Service Continues to Fail (Refer to issue #2110) #2114

Open
Nick1497 opened this issue Jun 13, 2024 · 25 comments · Fixed by #2151
Labels
debug Debug client issue (IBM) info-needed More information is requied from the issuer

Comments

@Nick1497

Type: Bug

Connect to IBM i system > Start the debug server > Attempt to start the debug service; the issue occurs at this step. It is affecting my entire team, who use this tool; we all receive the same error message as well.

image

Opened new issue as I did not see any option to re-open the old one. The first suggestion in #2110 was to wipe the certs and generate new ones and that did not fix the problem. The second troubleshooting step had an unrelated error message to mine. Seeing if anyone has any other suggestions.

Extension version: 2.10.1
VS Code version: Code 1.90.0 (89de5a8d4d6205e5b11647eb6a74844ca23d2573, 2024-06-04T19:33:54.889Z)
OS version: Windows_NT x64 10.0.19045
Modes:

System Info
Item Value
CPUs AMD Ryzen 5 PRO 7530U with Radeon Graphics (12 x 1996)
GPU Status 2d_canvas: enabled
canvas_oop_rasterization: enabled_on
direct_rendering_display_compositor: disabled_off_ok
gpu_compositing: enabled
multiple_raster_threads: enabled_on
opengl: enabled_on
rasterization: enabled
raw_draw: disabled_off_ok
skia_graphite: disabled_off
video_decode: enabled
video_encode: enabled
vulkan: disabled_off
webgl: enabled
webgl2: enabled
webgpu: enabled
Load (avg) undefined
Memory (System) 15.31GB (5.00GB free)
Process Argv --crash-reporter-id f363ceb0-20c6-49c7-80ad-3a25bbb3f05d
Screen Reader no
VM 0%

@sebjulliand
Collaborator

Two questions for you:

  • What does this query return when run on your system?

```sql
With JAVA_PTF_GROUP as (
  SELECT PTF_GROUP_TARGET_RELEASE OS,
  Case PTF_GROUP_TARGET_RELEASE
    When 'V7R4M0' Then 'SF99665'
    When 'V7R3M0' Then 'SF99725'
    When 'V7R2M0' Then 'SF99716'
    When 'V7R1M0' Then 'SF99572' End PTF_GROUP
FROM QSYS2.GROUP_PTF_INFO
WHERE PTF_GROUP_DESCRIPTION = 'TECHNOLOGY REFRESH'
AND PTF_GROUP_STATUS = 'INSTALLED'
LIMIT 1)
Select Max(OS) OS,
PTF_GROUP_NAME,
Max(PTF_GROUP_LEVEL) "CURRENT LEVEL"
From  QSYS2.GROUP_PTF_INFO
Inner Join JAVA_PTF_GROUP On PTF_GROUP = PTF_GROUP_NAME
Group by PTF_GROUP_NAME;
```

  • What's the output of java -version when run in batch?

@Nick1497
Author

  • Return of query:
    image

  • The system is running 11.0.8 but JAVA_HOME that the debugger is referencing is java version 1.8.0_341

@Nick1497
Author

This link seems like it may be useful: https://www.ibm.com/support/pages/support-hmacpbesha256-algorithm-app-connect-enterprise. Will investigate this to see if it will assist.

@sebjulliand
Collaborator

I looked into this a bit and every time, it boils down to "Java doesn't support this algorithm". I would understand if the keystore was generated by Java, but we use openssl to generate it; and it worked fine on every LPAR I tried it on (i.e. Java 8 had no issue opening the keystore).

What's the output of these commands for you?

openssl version
which openssl

@Nick1497
Author

Our test system is down for the next 3 days. Will check this out when it is back up.

@worksofliam worksofliam added the debug Debug client issue (IBM) label Jun 19, 2024
@mkwan01

mkwan01 commented Jun 19, 2024

IBM i Debug v2.0.1 was just released. Debug v2 uses Java 11 instead of Java 8. This Java 8 specific error is unlikely to happen in Java 11.

@Nick1497
Author

Nice, when the system is back up I will give this a go! Updates to come.

@Nick1497
Author

Nick1497 commented Jun 20, 2024

I've updated to IBM i Debug v2.0.1 but, when I boot up the system and such the debugger still says 1.0.0:

image

Any way to get it to use the new version?

@sebjulliand
Collaborator

> I've updated to IBM i Debug v2.0.1 but, when I boot up the system and such the debugger still says 1.0.0:
>
> image
>
> Any way to get it to use the new version?

You need to install the host update too to get Debugger v2.
image

And now that I think about it, the debug service configuration will have to be updated to use Java 11, too.

@Nick1497
Author

Noted, I will look into getting the new PTF next week, and will also change the debugger config. Updates to come.

@sebjulliand
Collaborator

sebjulliand commented Jun 20, 2024

> Noted, I will look into getting the new PTF next week, and will also change the debugger config. Updates to come.

Nice! To update the configuration, open it from the Debugger view:
image

Then scroll down and update the JAVA_HOME variable
image
Change it to:

JAVA_HOME=/QOpenSys/QIBM/ProdData/JavaVM/jdk11/64bit

Save the configuration and you should be good to go.
Alternatively, you can delete the existing certificate and let Code for IBM i create a new one; it will update the configuration as well.

@worksofliam worksofliam added the info-needed More information is requied from the issuer label Jun 24, 2024
@Nick1497
Author

Nick1497 commented Jul 2, 2024

@sebjulliand to answer your question:

> I looked into this a bit and every time, it boils down to "Java doesn't support this algorithm". I would understand if the keystore was generated by Java, but we use openssl to generate it; and it worked fine on every LPAR I tried it on (i.e. Java 8 had no issue opening the keystore).
>
> What's the output of these commands for you?
>
> openssl version
> which openssl

Openssl version: OpenSSL 3.0.10 1 Aug 2023 (Library: OpenSSL 3.0.10 1 Aug 2023)

which openssl: /QOpenSys/usr/bin/openssl

Our system hardware was upgraded and there have been some issues, so for the time being I am not able to apply the new PTF to allow me to use the new debugger (2.0). Would be nice if I could get version 1.0 working while I wait.

@sebjulliand
Collaborator

Maybe the output from which openssl is a good hint. Your openssl version seems OK but which points to /QOpenSys/usr/bin instead of /QOpenSys/pkgs/bin.

Can you check your PATH variable?

echo $PATH

I assume that /QOpenSys/usr/bin must appear before /QOpenSys/pkgs/bin. If it's the case, then try to put /QOpenSys/pkgs/bin in first position in the .bashrc file in your home directory.

Then re-open a shell session and check that which openssl answers /QOpenSys/pkgs/bin/openssl this time.
Then generate the certificate again.

If it still doesn't work, I'll have one more trick up my sleeve (or maybe two...).

@Nick1497
Author

Nick1497 commented Jul 2, 2024

echo $PATH output: /usr/bin:.:/QOpenSys/usr/bin

And when I check my .bashrc in the following directory /home/myProfileName it has the current contents:

Generated by Code for IBM i
export PATH=/QOpenSys/pkgs/bin:$PATH

So it seems like it is already set up how it should be?

@sebjulliand
Collaborator

sebjulliand commented Jul 2, 2024

Try this now:

  • Download this zip: code-for-ibmi-2.11.4-dev.0.vsix.zip

  • Unzip it

  • Install the vsix found inside. It's a special build that includes the -legacy flag when openssl is invoked to generate the PKCS12 file.

  • Connect to your LPAR

  • Delete any existing certificate

  • Generate a new one

  • Start the debug service

I tried it on my system and it worked (with or without the -legacy flag).
Let me know how it goes for you after you generated a certificate with this 2.11.4-dev.0 build.

@sebjulliand sebjulliand linked a pull request Jul 4, 2024 that will close this issue
@Nick1497
Author

Nick1497 commented Jul 4, 2024

I installed the vsix file and removed the certificates. When trying to re-generate them I get this error (where the blacked out portion is the DNS for our system):

image

@sebjulliand
Collaborator

After having a close look, it turns out your PATH makes you use openssl provided by yum instead of /QOpenSys/usr/bin/openssl. This causes some issues, obviously 😅

Here is another vsix generated from this PR: #2151
code-for-ibmi-2.11.5-dev.0.vsix.zip

It will force the use of /QOpenSys/usr/bin/openssl when generating the certificates. This should take care of your issue once and for all.

Let me know how it goes!
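
The PATH diagnosis in this comment and in the earlier `which openssl` comment comes down to which copy of openssl the shell finds first, and why calling /QOpenSys/usr/bin/openssl by absolute path removes the ambiguity. The following is an added example, not part of the original thread or of the Code for IBM i source; the function names `resolve_all` and `check_first` and the sandbox of stub openssl scripts are assumptions constructed for illustration.

```shell
#!/bin/sh
# Print every executable named $1 found in the PATH-style string $2, in search
# order. The first line printed is the copy the shell would actually run.
resolve_all() {
    cmd=$1
    rest=$2:                      # trailing ":" so the last entry is consumed too
    while [ -n "$rest" ]; do
        dir=${rest%%:*}
        rest=${rest#*:}
        [ -n "$dir" ] || dir=.    # an empty PATH entry means the current directory
        if [ -f "$dir/$cmd" ] && [ -x "$dir/$cmd" ]; then
            printf '%s\n' "$dir/$cmd"
        fi
    done
    return 0
}

# Succeed only if the first match for $1 in PATH string $2 is exactly $3.
check_first() {
    winner=$(resolve_all "$1" "$2" | head -n 1)
    [ "$winner" = "$3" ] && return 0
    echo "PATH resolves $1 to ${winner:-nothing}, expected $3" >&2
    return 1
}

# Constructed sandbox: stub "openssl" scripts in stand-ins for the two
# directories named in the thread (no real openssl is invoked).
demo_root=$(mktemp -d)
trap 'rm -rf "$demo_root"' EXIT
PKGS=$demo_root/QOpenSys/pkgs/bin
USR=$demo_root/QOpenSys/usr/bin
mkdir -p "$PKGS" "$USR"
for d in "$PKGS" "$USR"; do
    printf '#!/bin/sh\necho "stub openssl in %s"\n' "$d" > "$d/openssl"
    chmod +x "$d/openssl"
done

# With pkgs/bin first, the copy in usr/bin is shadowed; both are listed.
resolve_all openssl "$PKGS:$USR"
# A generator that expects the usr/bin copy fails this check on such a PATH.
check_first openssl "$PKGS:$USR" "$USR/openssl" || echo "mismatch detected"
# Reversing the order flips the winner; an absolute path avoids the question.
check_first openssl "$USR:$PKGS" "$USR/openssl" && echo "usr/bin copy wins"
```

On a real system, pass `"$PATH"` as the second argument to see every openssl the session can reach and which one is picked.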

@Nick1497
Author

Nick1497 commented Jul 4, 2024

Installed it, and while the certificates could be generated this time, the original error still persists (I do enjoy how you added the output of the error message to VS Code!):

image

@sebjulliand
Collaborator

sebjulliand commented Jul 4, 2024

I'll need to check two things related to your environment:

  • The content of your /QOpenSys/QIBM/ProdData/JavaVM/jdk80/64bit/jre/lib/security/java.security file
  • The output of the env command when run in a PASE terminal

Also, while we're at it, from a PASE terminal, run this:

```
/QOpenSys/usr/bin/openssl genrsa -out test_cert.key 2048 && /QOpenSys/usr/bin/openssl req -new -key test_cert.key -out test_cert.csr -subj '/CN=localhost' && /QOpenSys/usr/bin/openssl x509 -req -in test_cert.csr -signkey test_cert.key -out test_cert.crt -days 1095 -sha256 -req && /QOpenSys/usr/bin/openssl pkcs12 -export -out test_keystore.pfx -inkey test_cert.key -in test_cert.crt  -password pass:password && rm test_cert.*
```

This will create a test_keystore.pfx file in the current directory on the IFS. Please retrieve it, put it in a zip file and attach it in a reply.

Thanks!

@Nick1497
Author

Nick1497 commented Jul 5, 2024

Java Security Contents.pdf

Env Command: (blacked out company/personal info)
image
image
test_keystore.zip

@Nick1497
Author

Any updates on this @sebjulliand?

@sebjulliand
Collaborator

sebjulliand commented Jul 12, 2024

No... I compared your file with the ones I have on two LPARs running the service and couldn't spot any difference.
Nothing useful in the env output either.

The only thing I can say is that on the 7.3 box that runs the service, current level is 28 - yours is 27:
image

If you can, ask to update SF99725 to the latest level. It shouldn't hurt and it may solve this issue.

@sebjulliand
Collaborator

Also, if you can, attach these files if they exist.

Debug service log:
/QIBM/UserData/IBMIDEBUGSERVICE/DebugService_log.txt

Debug service Eclipse instance log:
/QIBM/UserData/IBMIDEBUGSERVICE/startDebugService_workspace/.metadata/.log

Thanks!

@Nick1497
Author

I will look into upgrading the version you mentioned. I did not see anything for the Debug Service Log but here is the other .log file: .log

@Nick1497
Author

Yeah our team can't really apply any PTFs right now, so upgrading the version won't be possible currently. When we are able to apply PTFs I will get the ones that allow me to use V2 of the debugger.
