Problems with SSL connections

A number of different problems can occur if the Secure Socket Layer (SSL) connection to the service processor is configured. See Configure service processor SSL

The certificate is not imported into the correct i5/OS certificate store.

If you are using the manual security mode, verify that the service processor certificate authority (CA) root is in the iSeries *SYSTEM certificate store.

1. Connect to the service processor web interface.
2. Display the certificate. Note the certificate authority in the "Issued by" field of the certificate.
3. Connect to the iSeries™ Digital Certificate Manager (DCM) interface to determine if the CA is listed as a certificate in the *SYSTEM certificate store.
   1. Determine the root CA of the Certificate that was installed in the Service Processor.
      1. Connect to the Service Processor web interface with your web browser by going to http://hostname (where hostname is the host name of the service processor) or http://ipaddress (where ipaddress is the IP address of the service processor).
      2. Follow your browser's help instructions to view the security certificate that verified the web site's identity.
      3. Follow your browser's help instructions to view the Certificate Hierarchy.
      4. The highest entry in the hierarchy will be the root CA Certificate.
      5. Note the name that is shown for the root CA certificate for use in step h below.
   2. Connect to the iSeries Digital Certificate Manager (DCM) interface. See Start DCM in the Digital Certificate Manager topic.
   3. Click Select Certificate Store.
   4. Select *SYSTEM and click Continue.
   5. Enter the certificate store password for the *SYSTEM certificate store.
   6. On the left pane, click Fast Path.
   7. Select Work with CA certificates and click Continue.
   8. On the Work with CA Certificates page, look for an entry in the Certificate Authority (CA) field that matches the name of the root CA Certificate that was determined in step a.
   9. If the Status field for this entry is Enabled then the CA is properly configured.
   10. If the Status field for this entry is Disabled then it must be enabled with the following steps:
       1. Select the radio button to the left of the Certificate Authority (CA) entry that needs to be enabled.
       2. Select the "Enable" pushbutton at the bottom of the table.
       3. The CA is now properly configured.
   11. If there is not an entry in the Certificate Authority (CA) fields that matches the name of the root CA Certificate that was determined in step a), add the CA by doing these steps:
       1. Refer to the original e-mail that you received from the Certificate Authority (CA). This e-mail should have contained the certificate (which was imported into the Service Processor) and the associated trusted root certificate.
       2. FTP the trusted root certificate to a directory in the IFS File system on the iSeries and note the full path and file name.
       3. On the left pane, select Manage Certificates to display a list of tasks.
       4. From the task list, select Import certificate.
       5. Select Certificate Authority (CA) as the certificate type and click Continue.
       6. Specify the fully qualified path and file name for the CA certificate file and click Continue. A message displays that either confirms that the import process succeeded or provide error information if the process failed.
       7. The CA is now properly configured.

The service processor configuration is not initialized.

If you are using the automatic security mode, the service processor configuration must be initialized after the automatic security mode is configured.

Do the following steps:

• If this is the first time that the remote system service processor is being initialized, then follow the procedure described in Initialize a service processor to initialize a new service processor.
• If the remote system service processor has previously been initialized, then follow the procedure described in Initialize a service processor to synchronize the user, password, and certificate from the remote system service processor to the service processor configuration.

The service processor certificate identifier is not recognized.

If you are using manual security, verify that the service processor's certificate field matches the service processor certificate identifier configured in the service processor configuration.

1. Display the service processor configuration (see Display service processor configuration properties) and click the Security tab. Note the values for service processor certificate identifier component and compare value. The component values map to a certificate field as follows:
   • Common name - Issued to (Subject) Common Name (CN)
   • E-mail address - Issued to (Subject) (E)
   • Organizational unit - Issued to (Subject) Organizational Unit (OU)
2. Access the service processor's web interface.
3. View the service processor security certificate.
4. Compare the certificate fields to the compare values shown in the service processor configuration.
5. If these values do not match, see use the method described in Change service processor configuration properties to enter the correct value. Then see Initialize a service processor for information about how to synchronize the certificate from the remote system service processor to the service processor configuration.

The service processor does not support SSL.

• If a secure connection is not required, then see Change service processor configuration properties. On the Security tab, select the Do not use a certificate (requires physical security) option and save the changes.
• Verify that your service processor supports SSL.
  1. See Remote server and service processor discovery.
  2. If your service processor is SSL capable, contact your service representative to determine if a firmware or hardware update will be necessary to add SSL support.