Debug Service Continues to Fail (Refer to issue #2110)

[Nick1497]

Type: Bug

Connect to IBM i system > Start the debug server > Attempt to start the debug service in which the issue occurs at this step. It is affecting my entire team who use this tool, we all receive the same error message as well.

Opened new issue as I did not see any option to re-open the old one. The first suggestion in #2110 was to wipe the certs and generate new ones and that did not fix the problem. The second troubleshooting step had an unrelated error message to mine. Seeing if anyone has any other suggestions.

Extension version: 2.10.1 VS Code version: Code 1.90.0 (89de5a8d4d6205e5b11647eb6a74844ca23d2573, 2024-06-04T19:33:54.889Z) OS version: Windows_NT x64 10.0.19045 Modes:

System Info

|Item|Value| |---|---| |CPUs|AMD Ryzen 5 PRO 7530U with Radeon Graphics (12 x 1996)| |GPU Status|2d_canvas: enabled
canvas_oop_rasterization: enabled_on
direct_rendering_display_compositor: disabled_off_ok
gpu_compositing: enabled
multiple_raster_threads: enabled_on
opengl: enabled_on
rasterization: enabled
raw_draw: disabled_off_ok
skia_graphite: disabled_off
video_decode: enabled
video_encode: enabled
vulkan: disabled_off
webgl: enabled
webgl2: enabled
webgpu: enabled| |Load (avg)|undefined| |Memory (System)|15.31GB (5.00GB free)| |Process Argv|--crash-reporter-id f363ceb0-20c6-49c7-80ad-3a25bbb3f05d| |Screen Reader|no| |VM|0%|

A/B Experiments

``` vsliv368cf:30146710 vspor879:30202332 vspor708:30202333 vspor363:30204092 vscoreces:30445986 vscod805cf:30301675 binariesv615:30325510 vsaa593cf:30376535 py29gd2263:31024239 c4g48928:30535728 azure-dev_surveyone:30548225 a9j8j154:30646983 962ge761:30959799 pythongtdpath:30769146 welcomedialog:30910333 pythonidxpt:30866567 pythonnoceb:30805159 asynctok:30898717 pythontestfixt:30902429 pythonregdiag2:30936856 pythonmypyd1:30879173 2e7ec940:31000449 pythontbext0:30879054 accentitlementst:30995554 dsvsc016:30899300 dsvsc017:30899301 dsvsc018:30899302 cppperfnew:31000557 dsvsc020:30976470 pythonait:31006305 jchc7451:31067544 chatpanelc:31048052 dsvsc021:30996838 bdiig495:31013172 pythoncenvpt:31062603 a69g1124:31058053 dvdeprecation:31068756 pythonprt:31056678 dwnewjupytercf:31046870 26j00206:31048877 ```

[sebjulliand]

Two questions for you:

• What does this query returns when run on your system?

  With JAVA_PTF_GROUP as (
  SELECT PTF_GROUP_TARGET_RELEASE OS,
  Case PTF_GROUP_TARGET_RELEASE
  When 'V7R4M0' Then 'SF99665'
  When 'V7R3M0' Then 'SF99725'
  When 'V7R2M0' Then 'SF99716'
  When 'V7R1M0' Then 'SF99572' End PTF_GROUP
  FROM QSYS2.GROUP_PTF_INFO
  WHERE PTF_GROUP_DESCRIPTION = 'TECHNOLOGY REFRESH'
  AND PTF_GROUP_STATUS = 'INSTALLED'
  LIMIT 1)
  Select Max(OS) OS,
  PTF_GROUP_NAME,
  Max(PTF_GROUP_LEVEL) "CURRENT LEVEL"
  From  QSYS2.GROUP_PTF_INFO
  Inner Join JAVA_PTF_GROUP On PTF_GROUP = PTF_GROUP_NAME
  Group by PTF_GROUP_NAME;

• What's the output of java -version when run in batch?

[Nick1497]

• Return of query:

• The system is running 11.0.8 but JAVA_HOME that the debugger is referencing is java version 1.8.0_341

[Nick1497]

This links seems like it may be useful https://www.ibm.com/support/pages/support-hmacpbesha256-algorithm-app-connect-enterprise. Will investigate this to see if it will assist.

[sebjulliand]

I looked into this a bit and every time, it boils down to "Java doesn't support this algorithm". I would understand if the keystore was generated by Java, but we use openssl to generate it; and it worked fine on every LPAR I tried it on (i.e. Java 8 had no issue opening the keystore).

What's the output of these commands for you?

openssl version

which openssl

[Nick1497]

Our test system is down for the next 3 days. Will check this out when it is back up.

[mkwan01]

IBM i Debug v2.0.1 was just released. Debug v2 uses Java 11 instead of Java 8. This Java 8 specific error is unlikely to happen in Java 11.

[Nick1497]

Nice, when the system is back up I will give this a go! Updates to come.

[Nick1497]

I've updated to IBM i Debug v2.0.1 but, when I boot up the system and such the debugger still says 1.0.0:

Any way to get it to use the new version?

[sebjulliand]

I've updated to IBM i Debug v2.0.1 but, when I boot up the system and such the debugger still says 1.0.0:

Any way to get it to use the new version?

You need to install the host update too to get Debugger v2.

And now that I think about it, the debug service configuration will have to be updated to use Java 11, too.

[Nick1497]

Noted, I will look into getting the new PTF next week, and will also change the debugger config. Updates to come.

[sebjulliand]

Noted, I will look into getting the new PTF next week, and will also change the debugger config. Updates to come.

Nice! To update the configuration, open it from the Debugger view:

Then scroll down and update the JAVA_HOME variable Change it to:

JAVA_HOME=/QOpenSys/QIBM/ProdData/JavaVM/jdk11/64bit

Save the configuration and you should be good to go. Alternatively, you can delete the existing certificate and let Code for IBM i create a new one; it will update the configuration as well.

[Nick1497]

@sebjulliand to answer your question:

I looked into this a bit and every time, it boils down to "Java doesn't support this algorithm". I would understand if the keystore was generated by Java, but we use openssl to generate it; and it worked fine on every LPAR I tried it on (i.e. Java 8 had no issue opening the keystore).

What's the output of these commands for you?

openssl version

which openssl

Openssl version: OpenSSL 3.0.10 1 Aug 2023 (Library: OpenSSL 3.0.10 1 Aug 2023)

which openssl: /QOpenSys/usr/bin/openssl

Our system hardware was upgraded and there has been some issues, so for the time being I am not able to apply the new PTF to allow me to use the new debugger (2.0). Would be nice if I could get version 1.0 working while I wait.

[sebjulliand]

Maybe the output from which openssl is a good hint. Your openssl version seems OK but which points to /QOpenSys/usr/bin instead of /QOpenSys/pkgs/bin.

Can you check your PATH variable?

echo $PATH

I assume that /QOpenSys/usr/bin must appear before /QOpenSys/pkgs/bin. If it's the case, then try to put /QOpenSys/pkgs/bin in first position in the .bashrc file in your home directory.

Then re-open a shell session and check that which openssl answers /QOpenSys/pkgs/bin/openssl this time. Then generate the certificate again.

If it still doesn't work, I'll have one more trick up my sleeve (or maybe two...).

[Nick1497]

echo $PATH ouput: /usr/bin:.:/QOpenSys/usr/bin

And when I check my .bashrc in the following directory /home/myProfileName it has the current contents:

Generated by Code for IBM i export PATH=/QOpenSys/pkgs/bin:$PATH

So it seems like it is already setup how it should be?

[sebjulliand]

Try this now:

• Download this zip: code-for-ibmi-2.11.4-dev.0.vsix.zip

• Unzip it

• Install the vsix found inside. It's a special build that includes the -legacy flag when openssl is invoked to generate the PKCS12 file.

• Connect to your LPAR

• Delete any existing certificate

• Generate a new one

• Start the debug service

I tried it on my system and it worked (with or without the -legacy flag). Let me know how it goes for you after you generated a certificate with this 2.11.4-dev.0 build.

[Nick1497]

I installed the vsix file and removed the certificates. When trying to re-generate them I get this error (where the blacked out portion is the DNS for our system):

[sebjulliand]

After having a close look, it turns out your PATH makes you use openssl provided by yum instead of /QOpenSys/usr/bin/openssl. This causes some issues, obviously 😅

Here is another vsix generated from this PR: https://github.com/codefori/vscode-ibmi/pull/2151 code-for-ibmi-2.11.5-dev.0.vsix.zip

It will force the use of /QOpenSys/usr/bin/openssl when generating the certificates. This should take care of your issue once and for all.

Let me know how it goes!

[Nick1497]

Installed it and while the certificates could be generated this time. The original error still persists (I do enjoy how you added the output of the error message to VS Code!):

[sebjulliand]

I'll need to check two thing related to your environment:

• The content of your /QOpenSys/QIBM/ProdData/JavaVM/jdk80/64bit/jre/lib/security/java.security file
• The output of the env command when run in a PASE terminal

Also, while we're at it, from a PASE terminal, run this:

/QOpenSys/usr/bin/openssl genrsa -out test_cert.key 2048 && /QOpenSys/usr/bin/openssl req -new -key test_cert.key -out test_cert.csr -subj '/CN=localhost' && /QOpenSys/usr/bin/openssl x509 -req -in test_cert.csr -signkey test_cert.key -out test_cert.crt -days 1095 -sha256 -req && /QOpenSys/usr/bin/openssl pkcs12 -export -out test_keystore.pfx -inkey test_cert.key -in test_cert.crt  -password pass:password && rm test_cert.*

This will create a test_keystore.pfx file in the current directory on the IFS. Please retrieve it, put it in a zip file and attach it in a reply.

Thanks!

[Nick1497]

Java Security Contents.pdf

Env Command: (blacked out company/personal info) test_keystore.zip

[Nick1497]

Any updates on this @sebjulliand?

[sebjulliand]

No...I compared your file with the ones I have on two LPAR running the service and couldn't spot any difference. Nothing useful in the env output either.

The only thing I can say is that on the 7.3 box that runs the service, current level is 28 - yours is 27:

If you can, ask to update SF99725 to the latest level. It shouldn't hurt and it may solve this issue.

[sebjulliand]

Also, if you can, attach these files if they exist.

Debug service log: /QIBM/UserData/IBMIDEBUGSERVICE/DebugService_log.txt

Debug service Eclipse instance log: /QIBM/UserData/IBMIDEBUGSERVICE/startDebugService_workspace/.metadata/.log

Thanks!

[Nick1497]

I will look into upgrading the version you mentioned. I did not see anything for the Debug Service Log but here is the other .log file: .log

[Nick1497]

Yeah our team can't really apply any PTFs right now, so upgrading the version won't be possible currently. When we are able to apply PTFs I will get the ones that allow me to use V2 of the debugger.