141 lines
9.5 KiB
HTML
141 lines
9.5 KiB
HTML
|
<?xml version="1.0" encoding="utf-8"?>
|
||
|
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
|
||
|
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
||
|
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-us">
|
||
|
<head>
|
||
|
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
||
|
<meta name="dc.language" scheme="rfc1766" content="en-us" />
|
||
|
<!-- All rights reserved. Licensed Materials Property of IBM -->
|
||
|
<!-- US Government Users Restricted Rights -->
|
||
|
<!-- Use, duplication or disclosure restricted by -->
|
||
|
<!-- GSA ADP Schedule Contract with IBM Corp. -->
|
||
|
<meta name="dc.date" scheme="iso8601" content="2005-09-13" />
|
||
|
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
|
||
|
<meta name="security" content="public" />
|
||
|
<meta name="Robots" content="index,follow"/>
|
||
|
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
|
||
|
<title>Problems with SSL connections</title>
|
||
|
<link rel="stylesheet" type="text/css" href="ibmidwb.css" />
|
||
|
<link rel="stylesheet" type="text/css" href="ic.css" />
|
||
|
</head>
|
||
|
<body>
|
||
|
<a id="Top_Of_Page" name="Top_Of_Page"></a><!-- Java sync-link -->
|
||
|
<script language = "Javascript" src = "../rzahg/synch.js" type="text/javascript"></script>
|
||
|
|
||
|
<img src="delta.gif" alt="Start of change" /><img src="delta.gif" alt="Start of change" />
|
||
|
<a name="rzahqproblemswithsslconnections"></a>
|
||
|
<h5 id="rzahqproblemswithsslconnections">Problems with SSL connections</h5>
|
||
|
<p>A number of different problems can occur if the Secure Socket Layer (SSL)
|
||
|
connection to the service processor is configured. See <a href="rzahqconfigseccommwithsp.htm#rzahqconfigseccommwithsp">Configure service processor SSL</a></p>
|
||
|
<p><span class="bold">The certificate is not imported into the correct i5/OS
|
||
|
certificate store.</span></p>
|
||
|
<p>If you are using the manual security mode, verify that the service processor
|
||
|
certificate authority (CA) root is in the iSeries *SYSTEM certificate store.</p>
|
||
|
<ol type="1">
|
||
|
<li>Connect to the service processor web interface.</li>
|
||
|
<li>Display the certificate. Note the certificate authority in the "Issued
|
||
|
by" field of the certificate.</li>
|
||
|
<li>Connect to the iSeries™ Digital Certificate Manager (DCM) interface to
|
||
|
determine if the CA is listed as a certificate in the *SYSTEM certificate
|
||
|
store.
|
||
|
<ol type="a">
|
||
|
<li>Determine the root CA of the Certificate that was installed in the Service
|
||
|
Processor.
|
||
|
<ol type="i">
|
||
|
<li>Connect to the Service Processor web interface with your web browser by
|
||
|
going to http://<span class="bold-italic">hostname</span> (where <span class="bold-italic">hostname</span> is the host name of the service processor) or http://<span class="bold-italic">ipaddress</span> (where <span class="bold-italic">ipaddress</span> is the IP address
|
||
|
of the service processor).</li>
|
||
|
<li>Follow your browser's help instructions to view the security certificate
|
||
|
that verified the web site's identity.</li>
|
||
|
<li>Follow your browser's help instructions to view the Certificate Hierarchy.</li>
|
||
|
<li>The highest entry in the hierarchy will be the root CA Certificate.</li>
|
||
|
<li>Note the name that is shown for the root CA certificate for use in step
|
||
|
h below.</li></ol></li>
|
||
|
<li>Connect to the iSeries Digital Certificate Manager (DCM) interface. See <a href="../rzahu/rzahudcmfirsttime.htm">Start DCM</a> in the Digital Certificate Manager
|
||
|
topic.</li>
|
||
|
<li>Click <span class="bold">Select Certificate Store</span>.</li>
|
||
|
<li>Select <span class="bold">*SYSTEM</span> and click <span class="bold">Continue</span>.</li>
|
||
|
<li>Enter the certificate store password for the *SYSTEM certificate store.</li>
|
||
|
<li>On the left pane, click <span class="bold">Fast Path</span>.</li>
|
||
|
<li>Select <span class="bold">Work with CA certificates</span> and click <span class="bold">Continue</span>.</li>
|
||
|
<li>On the <span class="bold">Work with CA Certificates</span> page, look for
|
||
|
an entry in the Certificate Authority (CA) field that matches the name of
|
||
|
the root CA Certificate that was determined in step a.</li>
|
||
|
<li>If the <span class="bold">Status</span> field for this entry is <span class="bold">Enabled</span> then the CA is properly configured.</li>
|
||
|
<li>If the <span class="bold">Status</span> field for this entry is <span class="bold">Disabled</span> then it must be enabled with the following steps:
|
||
|
<ol type="i">
|
||
|
<li>Select the radio button to the left of the Certificate Authority (CA)
|
||
|
entry that needs to be enabled.</li>
|
||
|
<li>Select the "Enable" pushbutton at the bottom of the table.</li>
|
||
|
<li>The CA is now properly configured.</li></ol></li>
|
||
|
<li>If there is not an entry in the Certificate Authority (CA) fields that
|
||
|
matches the name of the root CA Certificate that was determined in step a),
|
||
|
add the CA by doing these steps:
|
||
|
<ol type="i">
|
||
|
<li>Refer to the original e-mail that you received from the Certificate Authority
|
||
|
(CA). This e-mail should have contained the certificate (which was imported
|
||
|
into the Service Processor) and the associated trusted root certificate.</li>
|
||
|
<li>FTP the trusted root certificate to a directory in the IFS File system
|
||
|
on the iSeries and note the full path and file name.</li>
|
||
|
<li>On the left pane, select <span class="bold">Manage Certificates</span> to
|
||
|
display a list of tasks.</li>
|
||
|
<li>From the task list, select <span class="bold">Import certificate</span>.</li>
|
||
|
<li>Select <span class="bold">Certificate Authority (CA)</span> as the certificate
|
||
|
type and click <span class="bold">Continue</span>.</li>
|
||
|
<li>Specify the fully qualified path and file name for the CA certificate
|
||
|
file and click <span class="bold">Continue</span>. A message displays that either
|
||
|
confirms that the import process succeeded or provide error information if
|
||
|
the process failed.</li>
|
||
|
<li>The CA is now properly configured.</li></ol></li></ol></li></ol>
|
||
|
<p><span class="bold">The service processor configuration is not initialized.</span></p>
|
||
|
<p>If you are using the automatic security mode, the service processor configuration
|
||
|
must be initialized after the automatic security mode is configured.</p>
|
||
|
<p>Do the following steps:</p>
|
||
|
<ul>
|
||
|
<li>If this is the first time that the remote system service processor is
|
||
|
being initialized, then follow the procedure described in <a href="rzahqinitsp.htm#rzahqinitsp">Initialize a service processor</a> to
|
||
|
initialize a new service processor.</li>
|
||
|
<li>If the remote system service processor has previously been initialized,
|
||
|
then follow the procedure described in <a href="rzahqinitsp.htm#rzahqinitsp">Initialize a service processor</a> to synchronize
|
||
|
the user, password, and certificate from the remote system service processor
|
||
|
to the service processor configuration.</li></ul>
|
||
|
<p><span class="bold">The service processor certificate identifier is not recognized.</span></p>
|
||
|
<p>If you are using manual security, verify that the service processor's certificate
|
||
|
field matches the service processor certificate identifier configured in the
|
||
|
service processor configuration.</p>
|
||
|
<ol type="1">
|
||
|
<li>Display the service processor configuration (see <a href="rzahqdisplayspconfprops.htm#rzahqdisplayspconfprops">Display service processor configuration properties</a>)
|
||
|
and click the <span class="bold">Security</span> tab. Note the values for service
|
||
|
processor certificate identifier component and compare value. The component
|
||
|
values map to a certificate field as follows:
|
||
|
<ul>
|
||
|
<li>Common name - Issued to (Subject) Common Name (CN)</li>
|
||
|
<li>E-mail address - Issued to (Subject) (E)</li>
|
||
|
<li>Organizational unit - Issued to (Subject) Organizational Unit (OU)</li></ul></li>
|
||
|
<li>Access the service processor's web interface.</li>
|
||
|
<li>View the service processor security certificate.</li>
|
||
|
<li>Compare the certificate fields to the compare values shown in the service
|
||
|
processor configuration.</li>
|
||
|
<li>If these values do not match, see use the method described in <a href="rzahqchangespprops.htm#rzahqchangespprops">Change service processor configuration properties</a> to
|
||
|
enter the correct value. Then see <a href="rzahqinitsp.htm#rzahqinitsp">Initialize a service processor</a> for information
|
||
|
about how to synchronize the certificate from the remote system service processor
|
||
|
to the service processor configuration.</li></ol>
|
||
|
<a name="wq453"></a>
|
||
|
<div class="notetitle" id="wq453">Note:</div>
|
||
|
<div class="notebody">In the service processor configuration, you can specify that
|
||
|
you do not want to use the service processor certificate.</div>
|
||
|
<p><span class="bold">The service processor does not support SSL.</span></p>
|
||
|
<ul>
|
||
|
<li>If a secure connection is not required, then see <a href="rzahqchangespprops.htm#rzahqchangespprops">Change service processor configuration properties</a>.
|
||
|
On the <span class="bold">Security</span> tab, select the <span class="bold">Do not use a certificate (requires physical security)</span> option and save
|
||
|
the changes.</li>
|
||
|
<li>Verify that your service processor supports SSL.
|
||
|
<ol type="1">
|
||
|
<li>See <a href="rzahqspdiscovery.htm#rzahqspdiscovery">Remote server and service processor discovery</a>.</li>
|
||
|
<li>If your service processor is SSL capable, contact your service representative
|
||
|
to determine if a firmware or hardware update will be necessary to add SSL
|
||
|
support.</li></ol></li></ul><img src="deltaend.gif" alt="End of change" /><img src="deltaend.gif" alt="End of change" />
|
||
|
<a id="Bot_Of_Page" name="Bot_Of_Page"></a>
|
||
|
</body>
|
||
|
</html>
|