ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzakh_5.4.0.1/rzakhapperr.htm

346 lines
24 KiB
HTML
Raw Normal View History

2024-04-02 14:02:31 +00:00
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="reference" />
<meta name="DC.Title" content="Application connection problems and recovery" />
<meta name="abstract" content="You may encounter these messages when applications use network authentication service." />
<meta name="description" content="You may encounter these messages when applications use network authentication service." />
<meta name="DC.Relation" scheme="URI" content="rzakhtrouble.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzakhapperr" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Application connection problems and recovery</title>
</head>
<body id="rzakhapperr"><a name="rzakhapperr"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Application connection problems and recovery</h1>
<div><p>You may encounter these messages when applications use network
authentication service.</p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" width="100%" frame="border" border="1" rules="rows"><caption>Table 1. Common
errors in Kerberos-enabled i5/OS™ interfaces</caption><thead align="left"><tr><th valign="top" width="50%" class="firstcol" id="d0e23">Problem</th>
<th valign="top" width="50%" id="d0e25">Recovery</th>
</tr>
</thead>
<tbody><tr><th valign="top" width="50%" class="firstcol" id="d0e29" headers="d0e23 ">You receive this error: Unable to obtain name of default
credentials cache.</th>
<td valign="top" width="50%" headers="d0e29 d0e25 ">Determine if the user signed on to the iSeries™ has
a directory in the /home directory. If the directory for the user does not
exist, <a href="rzakhhome.htm#rzakhhome">create a home directory</a> for
the credentials cache.</td>
</tr>
<tr><th valign="top" width="50%" class="firstcol" id="d0e40" headers="d0e23 ">CPD3E3F Network Authentication Service error &amp;2 occurred.</th>
<td valign="top" width="50%" headers="d0e40 d0e25 ">See the specific recovery information that corresponds
with this message.</td>
</tr>
<tr><th valign="top" width="50%" class="firstcol" id="d0e45" headers="d0e23 ">DRDA/DDM connection fails on an iSeries system that previously connected.</th>
<td valign="top" width="50%" headers="d0e45 d0e25 ">Check to see if the default realm specified during network
authentication service configuration exists. If a default realm and Kerberos
server have not been configured, the network authentication service configuration
is incorrect and DRDA/DDM connections will fail. To recover from this error,
you can do one of the following tasks: <ol><li>If you are not using Kerberos authentication, then complete the following: <ol type="a"><li><a href="rzakhrrealms.htm#rzakhrrealms">Delete</a> the default
realm specified in the network authentication service configuration.</li>
</ol>
</li>
<li>If you are using Kerberos authentication, complete these steps: <ol type="a"><li><a href="rzakhconfig.htm#rzakhconfig">Reconfigure</a> network authentication
service specifying the default realm and Kerberos server that you created
in Step 1.</li>
<li>Configure iSeries Access
for Windows<sup>®</sup> applications
to use Kerberos authentication. This will set Kerberos authentication on all iSeries Access
for Windows applications,
including DRDA/DDM. (See <a href="rzakhscen2.htm#rzakhscen2">Scenario: Enable single signon for i5/OS</a>.)</li>
</ol>
</li>
</ol>
</td>
</tr>
<tr><th valign="top" width="50%" class="firstcol" id="d0e85" headers="d0e23 ">QFileSvr.400 connection fails on an iSeries system
that previously connected.</th>
<td valign="top" width="50%" headers="d0e85 d0e25 ">Check to see if the default realm specified during network
authentication service configuration exists. If a default realm and Kerberos
server have not been configured, the network authentication service configuration
is incorrect and QFileSvr.400 connections will fail. To recover from this
error, you can do one of the following tasks: <ol><li>If you are not using Kerberos authentication, then complete the following: <ol type="a"><li><a href="rzakhrrealms.htm#rzakhrrealms">Delete</a> the default
realm specified in the network authentication service configuration.</li>
</ol>
</li>
<li>If you are using Kerberos authentication, complete these steps: <ol type="a"><li>Configure a default realm and Kerberos server on a secure system on the
network. See the documentation that corresponds with that system. </li>
<li><a href="rzakhconfig.htm#rzakhconfig">Reconfigure</a> network authentication
service specifying the default realm and Kerberos server that you create in
Step 1.</li>
<li>Configure iSeries Access
for Windows applications
to use Kerberos authentication. This will set Kerberos authentication on all iSeries Access
for Windows applications,
including DRDA/DDM. (See <a href="rzakhscen2.htm#rzakhscen2">Scenario: Enable single signon for i5/OS</a>.)</li>
</ol>
</li>
</ol>
</td>
</tr>
<tr><th colspan="2" valign="top" class="firstcol" id="d0e127" headers="d0e23 d0e25 ">&nbsp;</th>
</tr>
<tr><th valign="top" width="50%" class="firstcol" id="d0e129" headers="d0e23 ">CWBSY1011 Kerberos client credentials not found.</th>
<td valign="top" width="50%" headers="d0e129 d0e25 ">The user does not have a ticket granting ticket (TGT).
This connection error occurs on the client PC when a user does not log into
a Windows 2000
domain. To recover from this error log into the Windows 2000 domain.</td>
</tr>
<tr><th valign="top" width="50%" class="firstcol" id="d0e140" headers="d0e23 ">Error occurred while verifying connection settings. URL
does not have host. <strong>Note:</strong> This error occurs when you are using Enterprise
Identity Mapping (EIM).</th>
<td valign="top" width="50%" headers="d0e140 d0e25 ">To recover from this error, complete the following: <ol><li>In iSeries Navigator,
expand <span class="uicontrol">your server</span><span class="menucascade"><span class="uicontrol">Network</span></span><span class="menucascade"><span class="uicontrol">Servers</span></span><span class="menucascade"><span class="uicontrol">TCP/IP</span></span>.</li>
<li>Right-click <span class="uicontrol">Directory</span> and select <span class="uicontrol">Properties</span>.</li>
<li>On the <span class="uicontrol">General</span> page, validate that the administrator's
distinguished name and password match those you entered during EIM configuration.</li>
</ol>
</td>
</tr>
<tr><th valign="top" width="50%" class="firstcol" id="d0e179" headers="d0e23 ">Error occurred while changing local directory server configuration.
GLD0232: Configuration cannot contain overlapping suffixes. <strong>Note:</strong> This
error occurs when you are using Enterprise Identity Mapping (EIM).</th>
<td valign="top" width="50%" headers="d0e179 d0e25 ">To recover from this error, complete the following: <ol><li>In iSeries Navigator,
expand <span class="uicontrol">your server</span><span class="menucascade"><span class="uicontrol">Network</span></span><span class="menucascade"><span class="uicontrol">Servers</span></span><span class="menucascade"><span class="uicontrol">TCP/IP</span></span>.</li>
<li>Right-click <span class="uicontrol">Directory</span> and select <span class="uicontrol">Properties</span>.</li>
<li>On the <span class="uicontrol">Database/Suffixes</span> page, remove any <span class="uicontrol">ibm-eimDomainName</span> entries
and reconfigure EIM.</li>
</ol>
</td>
</tr>
<tr><th valign="top" width="50%" class="firstcol" id="d0e221" headers="d0e23 ">Error occurred while verifying connection settings. Exception
occurred calling an iSeries program. The called program is eimConnect.
Details are: com.ibm.as400.data.PcmlException. <strong>Note:</strong> This error occurs
when you are using Enterprise Identity Mapping (EIM).</th>
<td valign="top" width="50%" headers="d0e221 d0e25 ">To recover from this error, complete the following: <ol><li>In iSeries Navigator,
expand <span class="uicontrol">your server</span><span class="menucascade"><span class="uicontrol">Network</span></span><span class="menucascade"><span class="uicontrol">Servers</span></span><span class="menucascade"><span class="uicontrol">TCP/IP</span></span>.</li>
<li>Right-click <span class="uicontrol">Directory</span> and select <span class="uicontrol">Properties</span>.</li>
<li>On the <span class="uicontrol">Database/Suffixes</span> page, remove any <span class="uicontrol">ibm-eimDomainName</span> entries
and reconfigure EIM.</li>
</ol>
</td>
</tr>
<tr><th valign="top" width="50%" class="firstcol" id="d0e266" headers="d0e23 ">Kerberos ticket from remote system cannot be authenticated. <div class="note"><span class="notetitle">Note:</span> This
error occurs when you are configuring Management Central systems to use Kerberos
authentication. </div>
</th>
<td valign="top" width="50%" headers="d0e266 d0e25 ">Verify that Kerberos in configured properly on all your
systems. This error may indicate a security violation. Try the request again,
if the problem persists contact service.</td>
</tr>
<tr><th valign="top" width="50%" class="firstcol" id="d0e273" headers="d0e23 ">Cannot retrieve Kerberos service ticket. <div class="note"><span class="notetitle">Note:</span> This
error occurs when you are configuring Management Central systems to use Kerberos
authentication. </div>
</th>
<td valign="top" width="50%" headers="d0e273 d0e25 ">Verify that the Kerberos principal krbsvr400/iSeries
fully qualified host name@REALM is in the Kerberos server as well as the keytab
file for each of your systems. To verify if Kerberos principal is entered
in the Kerberos server, see <a href="rzakhdefineiseries.htm#rzakhdefineiseries">Add i5/OS principals to the Kerberos server</a>.
To verify if the Kerberos service principal names is entered in the keytab
file. See <a href="rzakhkkeytab.htm#rzakhkkeytab">Manage keytab files</a> for details.</td>
</tr>
<tr><th valign="top" width="50%" class="firstcol" id="d0e286" headers="d0e23 ">Kerberos principal is not in trusted group. <div class="note"><span class="notetitle">Note:</span> This
error occurs when you are configuring Management Central systems to use Kerberos
authentication. </div>
</th>
<td valign="top" width="50%" headers="d0e286 d0e25 ">Add the Kerberos principal for the system that is trying
to connect to this system to your trusted group file. To recover from this
error, complete the following:<ol><li><a href="rzakhkerberosscenario_setcentralsystem.htm#rzakhkerberosscenario_setcentralsystem">Set</a> the
central system to use Kerberos authentication.</li>
<li><a href="rzakhkerberosscenario_collectsystemvalues.htm#rzakhkerberosscenario_collectsystemvalues">Collect</a> system
values inventory.</li>
<li><a href="rzakhkerberosscenario_compareandupdatekerberos.htm#rzakhkerberosscenario_compareandupdatekerberos">Compare</a> and
update.</li>
<li><a href="rzakhkerberosscenario_restartmanagementcentral.htm#rzakhkerberosscenario_restartmanagementcentral">Restart</a> Management
Central servers on the central system and the target systems.</li>
<li><a href="rzakhkerberosscenario_addkerberosserviceprincipal.htm#rzakhkerberosscenario_addkerberosserviceprincipal">Add</a> Kerberos
service principal to the trusted group file for all endpoint systems.</li>
<li><a href="rzakhkerberosscenario_allowtrustedconnections.htm">Allow</a> trusted
connections.</li>
<li><a href="rzakhkerberosscenario_restartmanagementcentral.htm#rzakhkerberosscenario_restartmanagementcentral">Restart</a> Management
Central servers on the central system and the target systems.</li>
<li><a href="rzakhkerberosscenario_testauthenticationon.htm#rzakhkerberosscenario_testauthenticationon">Test</a> authentication
on Management Central servers.</li>
</ol>
</td>
</tr>
</tbody>
</table>
</div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" width="100%" frame="border" border="1" rules="rows"><caption>Table 2. Common
errors in Kerberos-enabled i5/OS interfaces</caption><thead align="left"><tr><th valign="top" width="50%" class="firstcol" id="d0e336">Problem</th>
<th valign="top" width="50%" id="d0e338">Recovery</th>
</tr>
</thead>
<tbody><tr><th valign="top" width="50%" class="firstcol" id="d0e342" headers="d0e336 ">You receive this error: Unable to obtain name of default
credentials cache.</th>
<td valign="top" width="50%" headers="d0e342 d0e338 ">Determine if the user signed on to the iSeries has
a directory in the /home directory. If the directory for the user does not
exist, <a href="rzakhhome.htm#rzakhhome">create a home directory</a> for
the credentials cache.</td>
</tr>
<tr><th valign="top" width="50%" class="firstcol" id="d0e353" headers="d0e336 ">CPD3E3F Network Authentication Service error &amp;2 occurred.</th>
<td valign="top" width="50%" headers="d0e353 d0e338 ">See the specific recovery information that corresponds
with this message.</td>
</tr>
<tr><th valign="top" width="50%" class="firstcol" id="d0e358" headers="d0e336 ">DRDA/DDM connection fails on an iSeries system that previously connected.</th>
<td valign="top" width="50%" headers="d0e358 d0e338 ">Check to see if the default realm specified during network
authentication service configuration exists. If a default realm and Kerberos
server have not been configured, the network authentication service configuration
is incorrect and DRDA/DDM connections will fail. To recover from this error,
you can do one of the following tasks: <ol><li>If you are not using Kerberos authentication, then complete the following: <ol type="a"><li><a href="rzakhrrealms.htm#rzakhrrealms">Delete</a> the default
realm specified in the network authentication service configuration.</li>
</ol>
</li>
<li>If you are using Kerberos authentication, complete these steps: <ol type="a"><li><a href="rzakhconfig.htm#rzakhconfig">Reconfigure</a> network authentication
service specifying the default realm and Kerberos server that you created
in Step 1.</li>
<li>Configure iSeries Access
for Windows applications
to use Kerberos authentication. This will set Kerberos authentication on all iSeries Access
for Windows applications,
including DRDA/DDM. (See <a href="rzakhscen2.htm#rzakhscen2">Scenario: Enable single signon for i5/OS</a>.)</li>
</ol>
</li>
</ol>
</td>
</tr>
<tr><th valign="top" width="50%" class="firstcol" id="d0e398" headers="d0e336 ">QFileSvr.400 connection fails on an iSeries system
that previously connected.</th>
<td valign="top" width="50%" headers="d0e398 d0e338 ">Check to see if the default realm specified during network
authentication service configuration exists. If a default realm and Kerberos
server have not been configured, the network authentication service configuration
is incorrect and QFileSvr.400 connections will fail. To recover from this
error, you can do one of the following tasks: <ol><li>If you are not using Kerberos authentication, then complete the following: <ol type="a"><li><a href="rzakhrrealms.htm#rzakhrrealms">Delete</a> the default
realm specified in the network authentication service configuration.</li>
</ol>
</li>
<li>If you are using Kerberos authentication, complete these steps: <ol type="a"><li>Configure a default realm and Kerberos server on a secure system on the
network. See the documentation that corresponds with that system. </li>
<li><a href="rzakhconfig.htm#rzakhconfig">Reconfigure</a> network authentication
service specifying the default realm and Kerberos server that you create in
Step 1.</li>
<li>Configure iSeries Access
for Windows applications
to use Kerberos authentication. This will set Kerberos authentication on all iSeries Access
for Windows applications,
including DRDA/DDM. (See <a href="rzakhscen2.htm#rzakhscen2">Scenario: Enable single signon for i5/OS</a>.)</li>
</ol>
</li>
</ol>
</td>
</tr>
<tr><th colspan="2" valign="top" class="firstcol" id="d0e440" headers="d0e336 d0e338 ">&nbsp;</th>
</tr>
<tr><th valign="top" width="50%" class="firstcol" id="d0e442" headers="d0e336 ">CWBSY1011 Kerberos client credentials not found.</th>
<td valign="top" width="50%" headers="d0e442 d0e338 ">The user does not have a ticket granting ticket (TGT).
This connection error occurs on the client PC when a user does not log into
a Windows 2000
domain. To recover from this error log into the Windows 2000 domain.</td>
</tr>
<tr><th valign="top" width="50%" class="firstcol" id="d0e453" headers="d0e336 ">Error occurred while verifying connection settings. URL
does not have host. <strong>Note:</strong> This error occurs when you are using Enterprise
Identity Mapping (EIM).</th>
<td valign="top" width="50%" headers="d0e453 d0e338 ">To recover from this error, complete the following: <ol><li>In iSeries Navigator,
expand expand <span class="uicontrol">your server</span><span class="menucascade"><span class="uicontrol">Network</span></span><span class="menucascade"><span class="uicontrol">Servers</span></span><span class="menucascade"><span class="uicontrol">TCP/IP</span></span>.</li>
<li>Right-click <span class="uicontrol">Directory</span> and select <span class="uicontrol">Properties</span>.</li>
<li>On the <span class="uicontrol">General</span> page, validate that the administrator's
distinguished name and password match those you entered during EIM configuration.</li>
</ol>
</td>
</tr>
<tr><th valign="top" width="50%" class="firstcol" id="d0e492" headers="d0e336 ">Error occurred while changing local directory server configuration.
GLD0232: Configuration cannot contain overlapping suffixes. <strong>Note:</strong> This
error occurs when you are using Enterprise Identity Mapping (EIM).</th>
<td valign="top" width="50%" headers="d0e492 d0e338 ">To recover from this error, complete the following: <ol><li>In iSeries Navigator,
expand <span class="uicontrol">your server</span><span class="menucascade"><span class="uicontrol">Network</span></span><span class="menucascade"><span class="uicontrol">Servers</span></span><span class="menucascade"><span class="uicontrol">TCP/IP</span></span>.</li>
<li>Right-click <span class="uicontrol">Directory</span> and select <span class="uicontrol">Properties</span>.</li>
<li>On the <span class="uicontrol">Database/Suffixes</span> page, remove any <span class="uicontrol">ibm-eimDomainName</span> entries
and reconfigure EIM.</li>
</ol>
</td>
</tr>
<tr><th valign="top" width="50%" class="firstcol" id="d0e534" headers="d0e336 ">Error occurred while verifying connection settings. Exception
occurred calling an iSeries program. The called program is eimConnect.
Details are: com.ibm.as400.data.PcmlException. <strong>Note:</strong> This error occurs
when you are using Enterprise Identity Mapping (EIM).</th>
<td valign="top" width="50%" headers="d0e534 d0e338 ">To recover from this error, complete the following: <ol><li>In iSeries Navigator,
expand <span class="uicontrol">your server</span><span class="menucascade"><span class="uicontrol">Network</span></span><span class="menucascade"><span class="uicontrol">Servers</span></span><span class="menucascade"><span class="uicontrol">TCP/IP</span></span>.</li>
<li>Right-click <span class="uicontrol">Directory</span> and select <span class="uicontrol">Properties</span>.</li>
<li>On the <span class="uicontrol">Database/Suffixes</span> page, remove any <span class="uicontrol"><var class="varname">ibm-eim</var>DomainName</span> entries
and reconfigure EIM.</li>
</ol>
</td>
</tr>
<tr><th valign="top" width="50%" class="firstcol" id="d0e581" headers="d0e336 ">Kerberos ticket from remote system cannot be authenticated. <div class="note"><span class="notetitle">Note:</span> This
error occurs when you are configuring Management Central systems to use Kerberos
authentication. </div>
</th>
<td valign="top" width="50%" headers="d0e581 d0e338 ">Verify that Kerberos in configured properly on all your
systems. This error may indicate a security violation. Try the request again,
if the problem persists contact service.</td>
</tr>
<tr><th valign="top" width="50%" class="firstcol" id="d0e588" headers="d0e336 ">Cannot retrieve Kerberos service ticket. <div class="note"><span class="notetitle">Note:</span> This
error occurs when you are configuring Management Central systems to use Kerberos
authentication. </div>
</th>
<td valign="top" width="50%" headers="d0e588 d0e338 ">Verify that the Kerberos principal krbsvr400/iSeries
fully qualified host name@REALM is in the Kerberos server as well as the keytab
file for each of your systems. To verify if Kerberos principal
is entered in the Kerberos server, see <a href="rzakhdefineiseries.htm#rzakhdefineiseries">Add i5/OS principals to the Kerberos server</a>.
To verify if the Kerberos service principal names is entered in the keytab
file. See <a href="rzakhkkeytab.htm#rzakhkkeytab">Manage keytab files</a> for details.</td>
</tr>
<tr><th valign="top" width="50%" class="firstcol" id="d0e601" headers="d0e336 ">Kerberos principal is not in trusted group. <div class="note"><span class="notetitle">Note:</span> This
error occurs when you are configuring Management Central systems to use Kerberos
authentication. </div>
</th>
<td valign="top" width="50%" headers="d0e601 d0e338 ">Add the Kerberos principal for the system that is trying
to connect to this system to your trusted group file. To recover from this
error, complete the following:<ol><li><a href="rzakhkerberosscenario_setcentralsystem.htm#rzakhkerberosscenario_setcentralsystem">Set</a> the
central system to use Kerberos authentication.</li>
<li><a href="rzakhkerberosscenario_collectsystemvalues.htm#rzakhkerberosscenario_collectsystemvalues">Collect</a> system
values inventory.</li>
<li><a href="rzakhkerberosscenario_compareandupdatekerberos.htm#rzakhkerberosscenario_compareandupdatekerberos">Compare</a> and
update.</li>
<li><a href="rzakhkerberosscenario_restartmanagementcentral.htm#rzakhkerberosscenario_restartmanagementcentral">Restart</a> Management
Central servers on the central system and the target systems.</li>
<li><a href="rzakhkerberosscenario_addkerberosserviceprincipal.htm#rzakhkerberosscenario_addkerberosserviceprincipal">Add</a> Kerberos
service principal to the trusted group file for all endpoint systems.</li>
<li><a href="rzakhkerberosscenario_allowtrustedconnections.htm">Allow</a> trusted
connections.</li>
<li><a href="rzakhkerberosscenario_restartmanagementcentral.htm#rzakhkerberosscenario_restartmanagementcentral">Restart</a> Management
Central servers on the central system and the target systems.</li>
<li><a href="rzakhkerberosscenario_testauthenticationon.htm#rzakhkerberosscenario_testauthenticationon">Test</a> authentication
on Management Central servers.</li>
</ol>
</td>
</tr>
</tbody>
</table>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzakhtrouble.htm" title="This section provides links to troubleshooting information about common problems for network authentication service, Enterprise Identity Mapping (EIM), and IBM-supplied applications that support Kerberos authentication.">Troubleshoot</a></div>
</div>
</div>
</body>
</html>