Correct debug certs path #27

Merged 1 commit into main from fix/debug_certs_path on Mar 18, 2024

Conversation

@worksofliam (Contributor)

No description provided.

Signed-off-by: worksofliam <mrliamallan@live.co.uk>
@SJLennon (Contributor) commented Mar 6, 2024

@worksofliam
So might this fix some of the debug issues on PUB400?

@worksofliam (Contributor, Author)

@SJLennon Yes, exactly that. But the server would still need to be started by an admin.

@SJLennon (Contributor) commented Mar 6, 2024

@worksofliam
So most users on PUB400 won't be able to start the debug server. But it must be possible to start it separate from the extension, so what command would Holger have to use to get it started? The more I can tell him, the easier it is for him and the quicker it gets done.
(The debug stuff is still a little confusing to me and since I can't experiment and even look at some commands I need to ask questions. Sorry...)

@worksofliam (Contributor, Author)

@SJLennon There are only two ways to start the debug service:

  1. Through New Nav - though this doesn't generate certificates
  2. Through the Code for IBM i debug walkthrough. This generates the certs and starts the service.

@SJLennon (Contributor) commented Mar 6, 2024

> @SJLennon Yes, exactly that. But the server would still need to be started by an admin.

So after an IPL (which PUB400 does every Sunday morning), someone with advanced authority would need to bring up Code for IBM i and start the server. Or through New Nav if the certificates had been generated. To me, not having a command to start the server seems counter intuitive to the concept of automation and avoiding manual input to get the system running.

Do you know what special authority is required to start the server?

I'll check it out when released, but it seems like the current debug isn't going to work on PUB400 ☹️.
@worksofliam

@worksofliam (Contributor, Author)

@SJLennon Right, as it stands in VS Code today (before this merge) the debugger won't work. But, after this merges and releases, it might. I would think SECADM would be needed to generate certificates and start the server.

> not having a command to start the server seems counter intuitive to the concept of automation

Agree. Not much I can do about that because the Debug Service is out of my control. Though, technically it can be automated through PASE (which is how we also start it)

@sebjulliand (Contributor)

I'll go out on a limb here, but since we basically run a set of shell commands to start the debug service, putting them in a shell script that gets executed along with STRDBGSVR when the LPAR starts sounds like a reasonable solution.
We just need to convince the PUB400 admins to do that 😁

@SJLennon (Contributor) commented Mar 6, 2024

@sebjulliand
That sounds like a solution to explore, and it might be of use on tightly controlled systems other than PUB400. Will I be able to pick out the commands needed from the IBM i OUTPUT tab? Can the script run from QSH?
If it can be made to work then I'll put it in the help at a location of your choosing.

@worksofliam
"Not much I can do about that because the Debug Service is out of my control."
I would nag the IBM Debug people if I knew where to nag--I failed to find a place on GitHub. Maybe the "ideas" site on IBM.com.

@sebjulliand (Contributor)

@SJLennon I ran a few tests and here are two scripts that can help with that.

Generate certificates and keystore script - here I assume that the server's common name is PUB400.COM and its IP 185.113.5.134

#!/QOpenSys/pkgs/bin/bash
# Private key, CSR, self-signed certificate with SAN, then the PKCS#12 keystore.
# All files are written to the current working directory.
openssl genrsa -out debug_service.key 2048;
openssl req -new -key debug_service.key -out debug_service.csr -subj '/CN=PUB400.COM';
openssl x509 -req -in debug_service.csr -signkey debug_service.key -out debug_service.crt -days 1095 -sha256 -extfile <(printf "subjectAltName=DNS:PUB400.COM,IP:185.113.5.134");
openssl pkcs12 -export -out debug_service.pfx -inkey debug_service.key -in debug_service.crt -password pass:PUB400.COM;

Start debug service script, assuming the keystore has been generated in /QIBM/UserData/IBMiDebugService/certs for PUB400.COM:

#!/QOpenSys/pkgs/bin/bash
export JAVA_HOME=/QOpenSys/QIBM/ProdData/JavaVM/jdk80/64bit;
# Keystore produced by the generation script (note the slash before the file name)
export DEBUG_SERVICE_KEYSTORE_FILE="/QIBM/UserData/IBMiDebugService/certs/debug_service.pfx";
# encryptKeystorePassword.sh prints the encrypted password on its last line
export DEBUG_SERVICE_KEYSTORE_PASSWORD=$(DEBUG_SERVICE_KEYSTORE_PASSWORD="PUB400.COM" /QIBM/ProdData/IBMiDebugService/bin/encryptKeystorePassword.sh | /usr/bin/tail -n 1);
# Debug service in the background, then the debug server via a CL command
/QOpenSys/usr/bin/nohup /QIBM/ProdData/IBMiDebugService/bin/startDebugService.sh &
system "STRDBGSVR";

So, if we can have the PUB400 admins generate the keystore (once) and then schedule the script above to start the debug service and debug server when the LPAR is booted, that would make debugging on PUB400 from VSCode available to everybody.

@chrjorgensen (Contributor)

Maybe we can have ServiceCommander managing the service?
This would make it easier to manage the debug service start and stop.

I will look into this...

@SJLennon (Contributor) commented Mar 8, 2024

@sebjulliand Appreciate the scripting effort. Shell scripting isn't my strength...

I did some testing on PUB400 with interesting results.

I created gencerts.sh by copying and pasting from the post above.

I confirmed that there were no certificates:

-bash-5.2$ ls -alR /QIBM/UserData/IBMIDEBUGSERVICE
/QIBM/UserData/IBMIDEBUGSERVICE:
total 36
drwxr-srwx  2 qsys 0 12288 Mar  8 16:14 .
drwxr-sr-x 18 qsys 0 24576 Feb 15  2023 ..

I ran gencerts.sh:

-bash-5.2$ gencerts.sh
Certificate request self-signature ok
subject=CN = PUB400.COM

But no certificates were generated:

-bash-5.2$ ls -alR /QIBM/UserData/IBMIDEBUGSERVICE
/QIBM/UserData/IBMIDEBUGSERVICE:
total 36
drwxr-srwx  2 qsys 0 12288 Mar  8 16:14 .
drwxr-sr-x 18 qsys 0 24576 Feb 15  2023 ..

In Code for IBM i I ran IBM i Debug: Setup Remote Certificates.
Certificates were generated:

-bash-5.2$ ls -alR /QIBM/UserData/IBMIDEBUGSERVICE
/QIBM/UserData/IBMIDEBUGSERVICE:
total 44
drwxr-srwx  3 qsys    0 12288 Mar  8 16:19 .
drwxr-sr-x 18 qsys    0 24576 Feb 15  2023 ..
drwxr-sr-x  3 lennons 0  8192 Mar  8 16:19 bin

/QIBM/UserData/IBMIDEBUGSERVICE/bin:
total 28
drwxr-sr-x 3 lennons 0  8192 Mar  8 16:19 .
drwxr-srwx 3 qsys    0 12288 Mar  8 16:19 ..
drwxr-sr-x 2 lennons 0  8192 Mar  8 16:19 certs

/QIBM/UserData/IBMIDEBUGSERVICE/bin/certs:
total 72
drwxr-sr-x 2 lennons 0 8192 Mar  8 16:19 .
drwxr-sr-x 3 lennons 0 8192 Mar  8 16:19 ..
-rw-r--r-- 1 lennons 0 1131 Mar  8 16:19 debug_service.crt
-rw-r--r-- 1 lennons 0  891 Mar  8 16:19 debug_service.csr
-rw------- 1 lennons 0 1704 Mar  8 16:19 debug_service.key
-rw------- 1 lennons 0 2547 Mar  8 16:19 debug_service.pfx
-rw------- 1 lennons 0 1708 Mar  8 16:19 debug_service_ca.key
-rw-r--r-- 1 lennons 0 1115 Mar  8 16:19 debug_service_ca.pem
-rw-r--r-- 1 lennons 0   41 Mar  8 16:19 debug_service_ca.srl

Emptied IBMIDEBUGSERVICE and ran the script commands one at a time:

-bash-5.2$ openssl genrsa -out debug_service.key 2048;
-bash-5.2$ openssl req -new -key debug_service.key -out debug_service.csr -subj '/CN=PUB400.COM';
-bash-5.2$ openssl x509 -req -in debug_service.csr -signkey debug_service.key -out debug_service.crt -days 1095 -sha256 -req -extfile <(printf "subjectAltName=DNS:PUB400.COM,IP:185.113.5.134");
Certificate request self-signature ok
subject=CN = PUB400.COM
-bash-5.2$ openssl pkcs12 -export -out debug_service.pfx -inkey debug_service.key -in debug_service.crt -password pass:PUB400.COM;

But still no certs. Anything else I can do?

@chrjorgensen (Contributor) commented Mar 8, 2024

@SJLennon What is the working directory (you see that using the pwd command) when you run the script or the openssl commands? The certificates will be created in this directory, since neither changes nor specifies a directory like /QIBM/UserData/IBMIDEBUGSERVICE/bin/certs.

You probably have the certificate files from your tests in your home directory...

You could run cd /QIBM/UserData/IBMIDEBUGSERVICE/bin/certs before the script or openssl commands to make the files be stored in that directory.

Btw, remember to change the mode of the certificate files after creation - your profile will be the owner and no-one else may read all the files. You change this by running chmod 777 <file> to set the file to be writable for all users.

@SJLennon (Contributor) commented Mar 9, 2024

@chrjorgensen
You are exactly right--the certs ended up in my home directory-- thanks. Don't use this stuff enough so I didn't think of that but I "live and learn" and hopefully remember.

Regarding the mode: I am thinking about tightly locked-down machines, like PUB400.COM.

On PUB400, the IBMIDEBUGSERVICE directory is owned by QSYS, so I guess it was created by IBM, with this authority, and anyone can write to it, but can't delete it.
drwxr-srwx 3 qsys 0 12288 Mar 9 19:52 IBMIDEBUGSERVICE

Certificates currently generated by Code for IBM i have authorities that look like this, which is different from chmod 777.

-bash-5.2$ ls -l /QIBM/UserData/IBMIDEBUGSERVICE/bin
total 8
drwxr-sr-x 2 lennons 0 8192 Mar  9 19:52 certs
-bash-5.2$ ls -l /QIBM/UserData/IBMIDEBUGSERVICE/bin/certs
total 56
-rw-r--r-- 1 lennons 0 1131 Mar  9 19:52 debug_service.crt
-rw-r--r-- 1 lennons 0  891 Mar  9 19:52 debug_service.csr
-rw------- 1 lennons 0 1704 Mar  9 19:52 debug_service.key
-rw------- 1 lennons 0 2547 Mar  9 19:52 debug_service.pfx
-rw------- 1 lennons 0 1704 Mar  9 19:52 debug_service_ca.key
-rw-r--r-- 1 lennons 0 1115 Mar  9 19:52 debug_service_ca.pem
-rw-r--r-- 1 lennons 0   41 Mar  9 19:52 debug_service_ca.srl

I'm wondering if maybe these authorities are being changed in 2.9.0 and if there should be some documentation produced for tightly controlled machines with multiple users.

This script now creates certs for me:

#!/QOpenSys/pkgs/bin/bash
# Create the certs directory the extension looks in and work from there
mkdir -p /QIBM/UserData/IBMIDEBUGSERVICE/bin/certs
cd /QIBM/UserData/IBMIDEBUGSERVICE/bin/certs
openssl genrsa -out debug_service.key 2048;
openssl req -new -key debug_service.key -out debug_service.csr -subj '/CN=PUB400.COM';
openssl x509 -req -in debug_service.csr -signkey debug_service.key -out debug_service.crt -days 1095 -sha256 -extfile <(printf "subjectAltName=DNS:PUB400.COM,IP:185.113.5.134");
openssl pkcs12 -export -out debug_service.pfx -inkey debug_service.key -in debug_service.crt -password pass:PUB400.COM;
chmod 777 *

Now on to get the debug server started.
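The two generation scripts in this thread (sebjulliand's original and SJLennon's version that first changes into /QIBM/UserData/IBMIDEBUGSERVICE/bin/certs) combined into one POSIX-shell function, as an added example; this is not code from the thread or from the Code for IBM i project. The function name gen_debug_certs, the check_debug_certs helper and the argument layout are hypothetical. It differs from the scripts above in two security-relevant ways: the keystore password is read from a file via -passout file: instead of being put on the command line (where any profile on the box can read it from the process list), and the private key and .pfx are left owner-only (0600) while only the public certificate and CSR are opened to 0644, on the assumption that the extension only needs to read the public certificate; that is a deliberately tighter choice than the chmod 777 used above. The host name, IP and directory values are the ones from the thread; the OpenSSL invocations work on PASE or Linux.

```shell
#!/bin/sh
# Added example for this thread; not a script from the Code for IBM i project.
# On IBM i run it under /QOpenSys/pkgs/bin/bash (the shebang used in the thread);
# it is plain POSIX sh, so it also runs unchanged on Linux for testing.
#
# gen_debug_certs DIR HOST IP PASSFILE   (hypothetical function and argument names)
#   DIR      directory for the files, e.g. /QIBM/UserData/IBMIDEBUGSERVICE/bin/certs
#   HOST     common name and DNS SAN, e.g. PUB400.COM
#   IP       IP SAN, e.g. 185.113.5.134
#   PASSFILE file whose first line is the keystore password (kept off the command line)
gen_debug_certs() {
  cert_dir=$1; host=$2; ip=$3; pass_file=$4
  [ -r "$pass_file" ] || { echo "password file not readable: $pass_file" >&2; return 1; }
  # openssl reads the password file after we cd, so make the path absolute first
  case $pass_file in /*) ;; *) pass_file="$PWD/$pass_file" ;; esac
  # the directory stays traversable so other profiles can fetch the public .crt
  mkdir -p "$cert_dir" && chmod 755 "$cert_dir" || return 1
  (
    set -e
    cd "$cert_dir"
    umask 077   # every file below is created 0600; only the public parts are opened later
    openssl genrsa -out debug_service.key 2048 2>/dev/null
    openssl req -new -key debug_service.key -out debug_service.csr -subj "/CN=$host"
    # SAN via a temp file rather than bash-only <(...) process substitution
    printf 'subjectAltName=DNS:%s,IP:%s\n' "$host" "$ip" > san.cnf
    openssl x509 -req -in debug_service.csr -signkey debug_service.key \
      -out debug_service.crt -days 1095 -sha256 -extfile san.cnf 2>/dev/null
    # PKCS#12 keystore for the debug service; the password comes from the file, not argv
    openssl pkcs12 -export -out debug_service.pfx -inkey debug_service.key \
      -in debug_service.crt -passout "file:$pass_file"
    rm -f san.cnf
    chmod 644 debug_service.crt debug_service.csr   # public material: safe for every user
    # debug_service.key and debug_service.pfx stay 0600, readable by the owner only
  )
}

# check_debug_certs DIR HOST IP: 0 if the cert carries the expected SAN and the key is owner-only
check_debug_certs() {
  cert_dir=$1; host=$2; ip=$3
  openssl x509 -in "$cert_dir/debug_service.crt" -noout -text \
    | grep -qF "DNS:$host, IP Address:$ip" || return 1
  [ "$(ls -l "$cert_dir/debug_service.key" | cut -c1-10)" = "-rw-------" ] || return 1
}

# Invoked directly with four arguments it generates; sourcing the file only defines the functions.
if [ "$#" -ge 4 ]; then
  gen_debug_certs "$@" && check_debug_certs "$1" "$2" "$3"
fi
```

Run it under the profile that will start the debug service, since that process must be able to read debug_service.pfx; if a different profile starts the service, hand the key to that profile (ownership or a group mode) rather than opening it to everyone. Once the service is listening, `openssl s_client -connect PUB400.COM:<port> -showcerts` shows which certificate the listener actually presents, which is the quickest way to tell a "wrong certs path" problem from a "service not running" problem.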

@chrjorgensen (Contributor) commented Mar 17, 2024

I've contacted Holger Scherer, the great guy and IBM Champion behind PUB400, asking if we could have the debug service running on PUB400, and am now waiting for his answer.

There's no longer any need for anyone to make certificates or start the debug server - it will all be fixed when Holger has hopefully agreed to my request and we have the debug service up and running with the correct certificates... 🙏

@sebjulliand (Contributor)

> I've contacted Holger Scherer, the great guy and IBM Champion behind PUB400, asking if we could have the debug service running on PUB400, and am now waiting for his answer.
>
> There's no longer any need for anyone to make certificates or start the debug server - it will all be fixed when Holger has hopefully agreed to my request and we have the debug service up and running with the correct certificates... 🙏

Awesome! Thank you very much @chrjorgensen !

@SJLennon (Contributor)

@chrjorgensen
Great!!! I, and others, have asked Holger about debug before, but he's (understandably) quite busy and IBM hasn't provided a lot of documentation or advice on debug setup and security.

Questions:

  1. Presumably this requires Code for IBM i 2.9.0?
  2. Will Holger still need to restart the debug server after the Sunday IPL?

Thanks for making the effort.

@chrjorgensen (Contributor)

@SJLennon

> Presumably this requires Code for IBM i 2.9.0?

No, it should work for all Code for IBM i versions with code for the IBM i debugger extension - which versions I'm not sure, but maybe @worksofliam can answer?

> Will Holger still need to restart the debug server after the Sunday IPL?

The debug server is started as part of the IPL - so no manual intervention is required. We only need the debug service to be started as well as part of the IPL.

@sebjulliand (Contributor) commented Mar 17, 2024

> The debug server is started as part of the IPL - so no manual intervention is required.

I'd double check that as it is not running right now.

@chrjorgensen (Contributor)

Sorry, my mistake - I double-checked and the server running is the debug hub (strtcpsvr *dbg), used for the Graphical System Debugger, on port 4026 served by job QTESDBGHUB. The debug server (STRDBGSVR) is running on port 3825 served by job QB5ROUTER.

The debug servers and service really ARE confusing... 😞

I will talk to Holger about having the debug server started at IPL as well...

@sebjulliand (Contributor)

> The debug servers and service really ARE confusing... 😞

Right! But we'll try to ease this with that debug server/service status PR 😉

@worksofliam worksofliam merged commit 986b099 into main Mar 18, 2024
@worksofliam (Contributor, Author)

@SJLennon @chrjorgensen

> Presumably this requires Code for IBM i 2.9.0?

In theory this should work in 2.8.0 assuming the path is pointing to the correct place in the Connection Settings.

@SJLennon (Contributor) commented Apr 4, 2024

> I've contacted Holger Scherer, the great guy and IBM Champion behind PUB400, asking if we could have the debug service running on PUB400, and am now waiting for his answer.

@chrjorgensen
Did you ever get a response from Holger? I just tried debug and it looks like the debug server/service isn't running. I get this:
[two screenshots, not reproduced here]

So maybe the port isn't open.

Though I do seem to have started a QB5ROUTER job:

Job 108399/LENNONS/QB5ROUTER started on 04/04/24 at 14:14:21 in subsystem
  QUSRWRK in QSYS. Job entered system on 04/04/24 at 14:14:21.
Job 108399/LENNONS/QB5ROUTER submitted.

Anything I can do/provide to help? Should I create a new issue for this?

Debug is indeed confusing (on PUB400)...

@sebjulliand sebjulliand deleted the fix/debug_certs_path branch April 4, 2024 15:33