Atempt to generate debug certificates disables logon to IBM i

[androidgene]

Type: Bug

Taking the option to Generate certificates from the "Setup the debug service on IBM i" in the Welcome page causes the user profile to be disabled and no longer able to logon.

Not connected to 192.168.XXX.XXX! Check your credentials (All configured authentication methods failed).

Extension version: 2.9.0 VS Code version: Code 1.88.1 (e170252f762678dec6ca2cc69aba1570769a5d39, 2024-04-10T17:41:02.734Z) OS version: Windows_NT x64 10.0.22631 Modes:

System Info

Item	Value
CPUs	Intel(R) Core(TM) i5-9500 CPU @ 3.00GHz (6 x 3000)
GPU Status	2d_canvas: enabled canvas_oop_rasterization: enabled_on direct_rendering_display_compositor: disabled_off_ok gpu_compositing: enabled multiple_raster_threads: enabled_on opengl: enabled_on rasterization: enabled raw_draw: disabled_off_ok skia_graphite: disabled_off video_decode: enabled video_encode: enabled vulkan: disabled_off webgl: enabled webgl2: enabled webgpu: enabled
Load (avg)	undefined
Memory (System)	15.79GB (3.16GB free)
Process Argv	--crash-reporter-id 436e760e-4365-416b-8a6a-0886a54a5fef
Screen Reader	no
VM	0%

A/B Experiments

vsliv368cf:30146710
vspor879:30202332
vspor708:30202333
vspor363:30204092
vscoreces:30445986
vscod805:30301674
binariesv615:30325510
vsaa593:30376534
py29gd2263:31024239
c4g48928:30535728
azure-dev_surveyone:30548225
a9j8j154:30646983
962ge761:30959799
pythongtdpath:30769146
welcomedialogc:30910334
pythonidxpt:30866567
pythonnoceb:30805159
asynctok:30898717
pythontestfixt:30902429
pythonregdiag2:30936856
pyreplss1:30897532
pythonmypyd1:30879173
pythoncet0:30885854
h48ei257:31000450
pythontbext0:30879054
accentitlementsc:30995553
dsvsc016:30899300
dsvsc017:30899301
dsvsc018:30899302
cppperfnew:31000557
d34g3935:30971562
fegfb526:30981948
bg6jg535:30979843
ccp2r6:30993542
dsvsc020:30976470
pythonait:31006305
gee8j676:31009558
chatpanelt:31018789
dsvsc021:30996838
9c06g630:31013171
pythoncenvptcf:31022791

[sebjulliand]

The next release will help with the certificate generation, even though it seems odd that it disables a profile that was able to connect in the first place. If you can, share your Code for IBM i output after you tried to generate the certificate.

[androidgene]

It knocks me off the system and Code for i is not available in the output when I try to logon

On Tue, Apr 23, 2024, 3:20 AM Sébastien Julliand @.***> wrote:

The next release will help with the certificate generation, even though it seems odd that it disables a profile that was able to connect in the first place. If you can, share your Code for IBM i output after you tried to generate the certificate.

— Reply to this email directly, view it on GitHub https://github.com/codefori/vscode-ibmi/issues/2001#issuecomment-2071705431, or unsubscribe https://github.com/notifications/unsubscribe-auth/AC2JTPLGZBFOUEG4VAF23PLY6YKVJAVCNFSM6AAAAABGTPQ3PKVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDANZRG4YDKNBTGE . You are receiving this because you authored the thread.Message ID: @.***>

[androidgene]

Output: Extension Host 2024-04-23 07:53:33.344 [info] Extension host with pid 15728 started 2024-04-23 07:53:33.344 [info] ExtensionService#_doActivateExtension bitlang.cobol, startup: false, activationEvent: 'onFileSystem:file' 2024-04-23 07:53:33.375 [info] ExtensionService#_doActivateExtension vscode.git-base, startup: true, activationEvent: '', root cause: vscode.git 2024-04-23 07:53:33.378 [info] ExtensionService#_doActivateExtension wayou.vscode-todo-highlight, startup: true, activationEvent: '' 2024-04-23 07:53:33.384 [info] ExtensionService#_doActivateExtension vscode.git, startup: true, activationEvent: '' 2024-04-23 07:53:33.462 [info] ExtensionService#_doActivateExtension vscode.github, startup: true, activationEvent: '' 2024-04-23 07:53:33.567 [info] Eager extensions activated 2024-04-23 07:53:33.572 [info] ExtensionService#_doActivateExtension vscode.debug-auto-launch, startup: false, activationEvent: 'onStartupFinished' 2024-04-23 07:53:33.576 [info] ExtensionService#_doActivateExtension vscode.merge-conflict, startup: false, activationEvent: 'onStartupFinished' 2024-04-23 07:53:33.582 [info] ExtensionService#_doActivateExtension halcyontechltd.vscode-ibmi-walkthroughs, startup: false, activationEvent: 'onStartupFinished', root cause: halcyontechltd.code-for-ibmi 2024-04-23 07:53:33.584 [info] ExtensionService#_doActivateExtension usernamehw.errorlens, startup: false, activationEvent: 'onStartupFinished' 2024-04-23 07:53:33.603 [info] ExtensionService#_doActivateExtension halcyontechltd.code-for-ibmi, startup: false, activationEvent: 'onStartupFinished' 2024-04-23 07:53:34.234 [info] ExtensionService#_doActivateExtension vscode.json-language-features, startup: false, activationEvent: 'onLanguage:jsonc' 2024-04-23 07:53:34.265 [info] ExtensionService#_doActivateExtension vscode.typescript-language-features, startup: false, activationEvent: 'onLanguage:jsonc' 2024-04-23 07:53:34.284 [info] ExtensionService#_doActivateExtension vscode.emmet, startup: false, activationEvent: 'onLanguage' 2024-04-23 07:53:34.335 [info] ExtensionService#_doActivateExtension halcyontechltd.vscode-db2i, startup: false, activationEvent: 'onStartupFinished' 2024-04-23 07:53:47.583 [info] ExtensionService#_doActivateExtension GrapeCity.gc-excelviewer, startup: false, activationEvent: 'onLanguage:plaintext' 2024-04-23 07:56:44.087 [info] ExtensionService#_doActivateExtension vscode.extension-editing, startup: false, activationEvent: 'onLanguage:json' 2024-04-23 07:56:44.127 [info] ExtensionService#_doActivateExtension vscode.npm, startup: false, activationEvent: 'onLanguage:json' 2024-04-23 09:27:01.048 [info] ExtensionService#_doActivateExtension vscode.simple-browser, startup: false, activationEvent: 'onOpenExternalUri:https' 2024-04-23 10:38:14.731 [info] ExtensionService#_doActivateExtension vscode.github-authentication, startup: false, activationEvent: 'onAuthenticationRequest:github' 2024-04-23 11:21:00.875 [info] ExtensionService#_doActivateExtension vscode.markdown-language-features, startup: false, activationEvent: 'onLanguage:markdown' 2024-04-23 11:21:01.637 [info] ExtensionService#_doActivateExtension vscode.markdown-math, startup: false, activationEvent: 'api', root cause: vscode.markdown-language-features

Output: Window 2024-04-23 07:53:32.854 [info] Started local extension host with pid 15728. 2024-04-23 07:53:35.372 [info] [perf] Render performance baseline is 39ms 2024-04-23 08:24:57.276 [warning] Settings pattern "application." doesn't match any settings 2024-04-23 09:27:01.621 [warning] Settings pattern "application." doesn't match any settings 2024-04-23 09:27:14.290 [warning] Settings pattern "application." doesn't match any settings 2024-04-23 10:38:14.837 [error] Cannot read properties of undefined (reading 'accessToken'): TypeError: Cannot read properties of undefined (reading 'accessToken') at b.h (vscode-file://vscode-app/c:/Users/GeneB/AppData/Local/Programs/Microsoft%20VS%20Code/resources/app/out/vs/workbench/workbench.desktop.main.js:1693:21270) at b.j (vscode-file://vscode-app/c:/Users/GeneB/AppData/Local/Programs/Microsoft%20VS%20Code/resources/app/out/vs/workbench/workbench.desktop.main.js:1693:22006) at u.value (vscode-file://vscode-app/c:/Users/GeneB/AppData/Local/Programs/Microsoft%20VS%20Code/resources/app/out/vs/workbench/workbench.desktop.main.js:1693:21027) 2024-04-23 10:52:58.959 [warning] Settings pattern "application." doesn't match any settings 2024-04-23 10:55:45.949 [warning] Settings pattern "application." doesn't match any settings 2024-04-23 11:18:25.618 [warning] Settings pattern "application." doesn't match any settings 2024-04-23 11:19:15.252 [warning] Settings pattern "application." doesn't match any settings 2024-04-23 11:21:11.007 [warning] Settings pattern "application." doesn't match any settings 2024-04-23 11:29:58.587 [warning] Settings pattern "application." doesn't match any settings 2024-04-23 11:37:20.096 [warning] Settings pattern "application." doesn't match any settings 2024-04-23 11:39:43.162 [warning] Settings pattern "application.*" doesn't match any settings

[androidgene]

The certs directory is not created. What is changed on the system that could be broken because of this?

[sebjulliand]

At this point, since the new debug configuration process is out, you should try to clean it up and start from scratch.

1. Delete the /QIBM/UserData/IBMiDebugService/certs
2. Hove over your connection name in the status bar at the bottom and click on the Debugger item
3. The Debug Service item should be in error and complain the certificate is not found. Click on the button on the right to generate a new one.

If there is any error during the process, share your Code for IBM i output content here.

[androidgene]

1. /QIBM/UserData/IBMiDebugService/certs does not exist.
2. There is no connection name as the Code for IBM i fails
   Not connected to 192.168.36.187! Check your credentials (All configured authentication methods failed).
3. code for IBM i is not avalable in the list in Output

What are my options? I have already tried uninstalling and reinstalling VS Code.

Does anyone know if there is any setting or configuration on the IBM i that would cause this?

[SJLennon]

@androidgene How about creating another connection and seeing if you can connect with it? No much is going to work until you manage to connect to your IBM i.

Connecting with a password? If not, try using a password in the new connection. Passwords are case sensitive. And avoid special characters in your password.. See CCSID: https://codefori.github.io/docs/tips/ccsid/.

[sebjulliand]

Re-Enable your user (ask the nearest friendly admin), and then connect. You'll need *ALLOBJ to configure the debug service though, so maybe an admin can help you out with that too.

[androidgene]

I have two profiles for the IBM i, both are disabled for VS Code, but both connect through RDi and ACS using SSL.
I'm afraid *ALLOBJ is out of the question on our system. Only the Security Officer profile has that and no one else is getting the password or the authority.

[androidgene]

I've already tried creating another connection. To the other partition (production) it works, but the one I tried to install debug to connect to (development) does not.

[SJLennon]

@androidgene

So, to reiterate the problem:

1. On your production system Code for i works, you can connect, and you can setup for debug.

2. On your development system when you try to create a connection with Code for i you cannot get past the debug setup, and your user profile gets disabled.

Is this correct?

If so, then there is something different between the two systems. Trick if finding out what is different, so Code for i can catch whatever problem there is.

There is a "Debug" section in the documentation (https://codefori.github.io/docs/developing/debug/) and it has a section "Generating certificates". Check the difference in the two machines as mentioned there.

3. When you create a connection to development, and ignore the offer to set up debugging, does your connection get created and your profile remains enabled?

*ALLOBJ: You personally don't need *ALLOBJ authority. But someone who has it needs to start the debug service. And restart it after an IPL or if it is somehow stopped. This is covered under "Starting the Debug Service outside of Code for IBM i".

[androidgene]

I haven't tried to setrup debug on the Production system. Both of my profile connections were disabled on the Development system when I tried to setup debug. I have not found a significant difference between the partitions, other than the fact that only Development has source files. I have been unable to create a connection to Development since attempting to setup debug. I am able to start debug on both partitions in RDi and from the command line.

[SJLennon]

@androidgene

I'm still confused about your current status:

I have been unable to create a connection to Development since attempting to setup debug. I am able to start debug on both partitions in RDi and from the command line.

From the above, since you can start RDi, I deduce that your profile is not disabled on Development,. Correct? If so, then I ask 3. above again:

When you create a new Code for i connection to development, and ignore the offer to set up debugging, does your connection get created and your profile remain enabled?

[androidgene]

My connection,using my password, to the IBM i through VS Code is what is disabled for the user profile. For a while I was able to connect using my second profile and password. When I tried to setup debug though, that connection was disabled in VS Code as well.

[sebjulliand]

At this point, we can put the debug service configuration aside since *ALLOBJ is out of the question. What you need to do now is contact your sys admins so they can enable your profiles on the development LPAR. Then you'll be able to connect through Code for IBM i again (maybe make sure the password you defined there is correct...fill it in again just to be sure).

I still wonder how trying to generate the certificates could disable your profile though...is there any Exit Program on your LPAR that would do that to prevent unwanted PASE command from running?!

Now, debugging will not require any special authority, whether it's from 5250, RDi or VSCode. Both RDi and VSCode require one or two services to be running though. RDi requires the Debug Server to be running and VSCode requires the Debug Server and Debug Service to be running.

In your case, I assume the Debug Server is already running since you can debug from RDi. Someone with enough authority started STRDBGSVR (or it's configured to start with the LPAR which is the best). The Debug Service needs to be configured and started by someone with *ALLOBJ. The best course of action for you is to get a Security Officer to run the configuration process from VSCode and then start the service. Once it's started, anyone will be able to debug from VSCode. You can also ask your sys admins to make the service starts with the LPAR using the SBMJOB command described here: https://codefori.github.io/docs/developing/debug/#starting-the-debug-service-outside-of-code-for-ibm-i

[androidgene]

I was able to create a user id on Pub400.com. Then I was able to connect through VS Code to Pub400.com.

[androidgene]

I'm now getting the error: connection lost before handshake

What does this mean? I have already started the SSHD on the IBM i.

[sebjulliand]

Are you able to connect to this IBM i using an external SSH client? (like PuTTY)

[androidgene]

It won't accept the password, I get access denied. ACS uses SSL connections and the password works there. It also worked in VS Code before I tried to generate the debug certificates. So I know it's good. Could trying to generate the debug certificates have changed something on the IBM i?

[sebjulliand]

Not accepting the password doesn't sound so good to me. Unless you meant you connected through SSH from ACS (not SSL - that is just a mean of securing the Telnet connection for the emulator), it's more likely that the SSH server may have issues here. Especially if PuTTY is not connecting either. Generating the debug certificate basically calls the openssl command to generate files...not something that could disrupt your profile or connection, unless there is something special about your LPAR. Are your colleagues able to connect using Code for IBM i?

[androidgene]

No one else is using it yet. Sorry, I mistyped, it is SSH.

[androidgene]

What should I check on the LPAR to see if that is the problem?

[chrjorgensen]

@androidgene Please confirm you can log in to the server using a SSH client like PuTTY or MobaXterm or similar - there is no point in looking at Code for IBM i before the SSH connection is working.

[androidgene]

This can be closed. Due to the inability to connect to the IBM i, this software is useless to me and will be deleted.