<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="dc.language" scheme="rfc1766" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<meta name="dc.date" scheme="iso8601" content="2005-09-13" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow"/>
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<title>Problems with SSL connections</title>
<link rel="stylesheet" type="text/css" href="ibmidwb.css" />
<link rel="stylesheet" type="text/css" href="ic.css" />
</head>
<body>
<a id="Top_Of_Page" name="Top_Of_Page"></a><!-- Java sync-link -->
<script language = "Javascript" src = "../rzahg/synch.js" type="text/javascript"></script>
<img src="delta.gif" alt="Start of change" /><img src="delta.gif" alt="Start of change" />
<a name="rzahqproblemswithsslconnections"></a>
<h5 id="rzahqproblemswithsslconnections">Problems with SSL connections</h5>
<p>A number of different problems can occur if the Secure Sockets Layer (SSL)
connection to the service processor is configured. See <a href="rzahqconfigseccommwithsp.htm#rzahqconfigseccommwithsp">Configure service processor SSL</a>.</p>
<p><span class="bold">The certificate is not imported into the correct i5/OS
certificate store.</span></p>
<p>If you are using the manual security mode, verify that the service processor
certificate authority (CA) root is in the iSeries *SYSTEM certificate store.</p>
<ol type="1">
<li>Connect to the service processor web interface.</li>
<li>Display the certificate. Note the certificate authority in the &quot;Issued
by&quot; field of the certificate.</li>
<li>Connect to the iSeries&trade; Digital Certificate Manager (DCM) interface to
determine if the CA is listed as a certificate in the *SYSTEM certificate
store.
<ol type="a">
<li>Determine the root CA of the Certificate that was installed in the Service
Processor.
<ol type="i">
<li>Connect to the Service Processor web interface with your web browser by
going to http://<span class="bold-italic">hostname</span> (where <span class="bold-italic">hostname</span> is the host name of the service processor) or http://<span class="bold-italic">ipaddress</span> (where <span class="bold-italic">ipaddress</span> is the IP address
of the service processor).</li>
<li>Follow your browser's help instructions to view the security certificate
that verified the web site's identity.</li>
<li>Follow your browser's help instructions to view the Certificate Hierarchy.</li>
<li>The highest entry in the hierarchy will be the root CA Certificate.</li>
<li>Note the name that is shown for the root CA certificate for use in step
h below.</li></ol></li>
<li>Connect to the iSeries Digital Certificate Manager (DCM) interface. See <a href="../rzahu/rzahudcmfirsttime.htm">Start DCM</a> in the Digital Certificate Manager
topic.</li>
<li>Click <span class="bold">Select Certificate Store</span>.</li>
<li>Select <span class="bold">*SYSTEM</span> and click <span class="bold">Continue</span>.</li>
<li>Enter the certificate store password for the *SYSTEM certificate store.</li>
<li>On the left pane, click <span class="bold">Fast Path</span>.</li>
<li>Select <span class="bold">Work with CA certificates</span> and click <span class="bold">Continue</span>.</li>
<li>On the <span class="bold">Work with CA Certificates</span> page, look for
an entry in the Certificate Authority (CA) field that matches the name of
the root CA Certificate that was determined in step a.</li>
<li>If the <span class="bold">Status</span> field for this entry is <span class="bold">Enabled</span> then the CA is properly configured.</li>
<li>If the <span class="bold">Status</span> field for this entry is <span class="bold">Disabled</span> then it must be enabled with the following steps:
<ol type="i">
<li>Select the radio button to the left of the Certificate Authority (CA)
entry that needs to be enabled.</li>
<li>Select the "Enable" pushbutton at the bottom of the table.</li>
<li>The CA is now properly configured.</li></ol></li>
<li>If there is not an entry in the Certificate Authority (CA) field that
matches the name of the root CA Certificate that was determined in step a,
add the CA by doing these steps:
<ol type="i">
<li>Refer to the original e-mail that you received from the Certificate Authority
(CA). This e-mail should have contained the certificate (which was imported
into the Service Processor) and the associated trusted root certificate.</li>
<li>FTP the trusted root certificate to a directory in the IFS File system
on the iSeries and note the full path and file name.</li>
<li>On the left pane, select <span class="bold">Manage Certificates</span> to
display a list of tasks.</li>
<li>From the task list, select <span class="bold">Import certificate</span>.</li>
<li>Select <span class="bold">Certificate Authority (CA)</span> as the certificate
type and click <span class="bold">Continue</span>.</li>
<li>Specify the fully qualified path and file name for the CA certificate
file and click <span class="bold">Continue</span>. A message displays that either
confirms that the import process succeeded or provides error information if
the process failed.</li>
<li>The CA is now properly configured.</li></ol></li></ol></li></ol>
<p><span class="bold">The service processor configuration is not initialized.</span></p>
<p>If you are using the automatic security mode, the service processor configuration
must be initialized after the automatic security mode is configured.</p>
<p>Do the following steps:</p>
<ul>
<li>If this is the first time that the remote system service processor is
being initialized, then follow the procedure described in <a href="rzahqinitsp.htm#rzahqinitsp">Initialize a service processor</a> to
initialize a new service processor.</li>
<li>If the remote system service processor has previously been initialized,
then follow the procedure described in <a href="rzahqinitsp.htm#rzahqinitsp">Initialize a service processor</a> to synchronize
the user, password, and certificate from the remote system service processor
to the service processor configuration.</li></ul>
<p><span class="bold">The service processor certificate identifier is not recognized.</span></p>
<p>If you are using manual security, verify that the service processor's certificate
field matches the service processor certificate identifier configured in the
service processor configuration.</p>
<ol type="1">
<li>Display the service processor configuration (see <a href="rzahqdisplayspconfprops.htm#rzahqdisplayspconfprops">Display service processor configuration properties</a>)
and click the <span class="bold">Security</span> tab. Note the values for the service
processor certificate identifier component and the compare value. The component
values map to certificate fields as follows:
<ul>
<li>Common name - Issued to (Subject) Common Name (CN)</li>
<li>E-mail address - Issued to (Subject) (E)</li>
<li>Organizational unit - Issued to (Subject) Organizational Unit (OU)</li></ul></li>
<li>Access the service processor's web interface.</li>
<li>View the service processor security certificate.</li>
<li>Compare the certificate fields to the compare values shown in the service
processor configuration.</li>
<li>If these values do not match, use the method described in <a href="rzahqchangespprops.htm#rzahqchangespprops">Change service processor configuration properties</a> to
enter the correct value. Then see <a href="rzahqinitsp.htm#rzahqinitsp">Initialize a service processor</a> for information
about how to synchronize the certificate from the remote system service processor
to the service processor configuration.</li></ol>
<a name="wq453"></a>
<div class="notetitle" id="wq453">Note:</div>
<div class="notebody">In the service processor configuration, you can specify that
you do not want to use the service processor certificate.</div>
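<p>The field comparison in the steps above, scripted as an added example (not IBM code and not part of the original topic): it maps the three identifier components to the subject field names returned by Python's ssl.SSLSocket.getpeercert() and checks a compare value against them. The sample certificate, its names, and the rule of an exact match after trimming whitespace are assumptions.</p>

```python
import socket
import ssl

# Identifier components (Security tab) mapped to getpeercert() subject keys.
COMPONENT_TO_FIELD = {
    "Common name": "commonName",
    "E-mail address": "emailAddress",
    "Organizational unit": "organizationalUnitName",
}


def fetch_peer_cert(host, port=443, cafile=None):
    """Return the peer certificate of host:port, validated against cafile."""
    # A certificate verification error raised here means the chain does not
    # validate against cafile, or the certificate name does not match host.
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def name_values(cert, section, field):
    """Collect every value of field in cert['subject'] or cert['issuer']."""
    return [v for rdn in cert.get(section, ()) for k, v in rdn if k == field]


def check_identifier(cert, component, compare_value):
    """Return (matched, values_found) for one configured identifier."""
    # Assumption: exact, case-sensitive match after trimming whitespace.
    field = COMPONENT_TO_FIELD[component]
    found = name_values(cert, "subject", field)
    return compare_value.strip() in [v.strip() for v in found], found


# Constructed sample in getpeercert() format; every value is made up.
SAMPLE_CERT = {
    "subject": ((("organizationalUnitName", "Rack 12"),),
                (("organizationalUnitName", "Service Processors"),),
                (("commonName", "sp01.example.com"),)),
    "issuer": ((("organizationName", "Example Corp"),),
               (("commonName", "Example Root CA"),)),
}

if __name__ == "__main__":
    for comp, value in [("Common name", "sp01.example.com"),
                        ("E-mail address", "admin@example.com")]:
        print(comp, value, check_identifier(SAMPLE_CERT, comp, value))
    print("Issued by:", name_values(SAMPLE_CERT, "issuer", "commonName"))
```

<p>The issuer printed here is the immediate issuer of the certificate; the root CA at the top of the certificate hierarchy can be a different certificate.</p>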
<p><span class="bold">The service processor does not support SSL.</span></p>
<ul>
<li>If a secure connection is not required, then see <a href="rzahqchangespprops.htm#rzahqchangespprops">Change service processor configuration properties</a>.
On the <span class="bold">Security</span> tab, select the <span class="bold">Do not use a certificate (requires physical security)</span> option and save
the changes.</li>
<li>Verify that your service processor supports SSL.
<ol type="1">
<li>See <a href="rzahqspdiscovery.htm#rzahqspdiscovery">Remote server and service processor discovery</a>.</li>
<li>If your service processor is SSL capable, contact your service representative
to determine if a firmware or hardware update will be necessary to add SSL
support.</li></ol></li></ul><img src="deltaend.gif" alt="End of change" /><img src="deltaend.gif" alt="End of change" />
<a id="Bot_Of_Page" name="Bot_Of_Page"></a>
</body>
</html>