Use the following table to troubleshoot some of the more common password and other general problems that you may encounter while working with Digital Certificate Manager (DCM).

Problem | Possible Solution |
---|---|
You cannot find additional help for DCM. | In DCM, click the "?" help icon. You can also search the Information Center and external IBM® web sites on the Internet. |
Your passwords for the Local Certificate Authority (CA) and *SYSTEM certificate stores do not work. | Passwords are case sensitive. Be sure the caps lock is the same as it was when you assigned the password. |
You receive an error message that your password has expired when you attempt to open a certificate store. | You must change the password for the certificate store. Click the OK button to change the password. |
Your attempt to reset the password when you used the Select a Certificate Store task failed. | The reset function works only if DCM has stored the password. DCM stores the password automatically when you create a certificate store. However, if you change (or reset) the password for an Other System Certificate Store, then you must select the Automatic login option so that DCM continues to stash the password. Also, if you move a certificate store from one system to another, you must change the password for the certificate store on the new system to ensure that DCM stashes it automatically. To change the password, you must supply the original password for the certificate store when you open it on the new system. You cannot use the reset password option until you have opened the store with the original password and changed the password to stash it. If the password is not changed and stashed, DCM and SSL cannot automatically recover the password when it is needed for various functions. If you are moving a certificate store that you will use as an Other System Certificate Store, you must select the Automatic login option when you change the password to ensure that DCM stashes the new password for this type of certificate store. Check the value assigned to the Allow new digital certificates attribute under the Work with system security option of the System Service Tools (SST). If this attribute is set to a value of 2 (No), then the certificate store password cannot be reset. You can view or change the value for this attribute by using the STRSST command and entering the Service Tools user ID and password. Then choose the Work with system security option. The Service Tools user ID is probably the QSECOFR user ID. |
You cannot find a source for a CA certificate to receive it into your system. | Some CAs do not make their CA certificate readily available. If you cannot get the CA certificate from the CA, then contact your VAR since your VAR may have made special or monetary arrangements with the CA. |
You cannot find the *SYSTEM certificate store. | The file location of the *SYSTEM certificate store must be /qibm/userdata/icss/cert/server/default.kdb. If that certificate store does not exist, you need to use DCM to create it. Use the Create New Certificate Store task. |
You received an error from DCM, and the error continues to appear after you have fixed it. | Clear your browser cache. Set the cache size to 0, and end and restart the browser. |
You have a Directory Server (LDAP) problem such as certificate assignments not being shown when the information about the secure application is displayed immediately after assigning a certificate. This problem occurs more often when using iSeries™ Navigator to get to a Netscape Communications browser. Your preference for the browser cache is set to compare the document in cache to the document on the network Once per session. | Change your default preference to check the caching every time. |
When you use DCM to import a certificate signed by an external CA such as Entrust, you receive an error message that the validity period does not contain today or does not fall within its issuer's validity period. | The system is using Generalized Time format for the validity period. Wait a day and try again. Also, verify that your system has the correct value for UTC offset (dspsysval qutcoffset). If you observe Daylight Saving Time, your offset might be incorrectly set. |
You received a base64 error when trying to import an Entrust certificate. | The certificate is listed as being a specific format such as PEM format. If the copy function of your browser does not work well, you may copy extra material that does not belong with the certificate, such as blank spaces at the front of each line. If this is the case, then the certificate will not be in the right format when you try to use it on the system. Some Web page designs cause this problem. Other Web pages are designed to avoid this problem. Be sure to compare the appearance of the original certificate to the results of the paste, since the pasted information must look the same. |
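
One way to check a pasted PEM certificate for the copy problems described in the last row (leading blanks, extra material) before importing it. This is an added example, not IBM code and not part of DCM; the function names and the sample data are constructed for illustration.

```python
import base64
import binascii
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

def to_pem(der):
    """Encode DER bytes as PEM with the body wrapped at 64 characters."""
    b64 = base64.b64encode(der).decode("ascii")
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([BEGIN] + body + [END]) + "\n"

def check_pasted_pem(text):
    """Return (cleaned PEM or None, list of problems found in the paste)."""
    problems = []
    lines = text.splitlines()
    if any(l != l.strip() for l in lines if l.strip()):
        problems.append("leading or trailing whitespace on lines")
    stripped = [l.strip() for l in lines]
    if BEGIN not in stripped or END not in stripped:
        return None, problems + ["missing BEGIN/END CERTIFICATE marker"]
    start, end = stripped.index(BEGIN), stripped.index(END)
    if end < start:
        return None, problems + ["END marker appears before BEGIN marker"]
    if any(stripped[:start]) or any(stripped[end + 1:]):
        problems.append("extra text outside the BEGIN/END markers")
    body_lines = stripped[start + 1:end]
    if not all(body_lines):
        problems.append("blank lines inside the certificate body")
    body = "".join(body_lines)
    bad = sorted(set(re.findall(r"[^A-Za-z0-9+/=]", body)))
    if bad:
        return None, problems + ["non-base64 characters in body: %r" % bad]
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        return None, problems + ["base64 decode failed: %s" % exc]
    if not der or der[0] != 0x30:  # X.509 DER starts with a SEQUENCE tag
        return None, problems + ["decoded data is not a DER SEQUENCE"]
    return to_pem(der), problems

# Constructed sample: DER-shaped filler bytes, not a real certificate.
CLEAN_PEM = to_pem(bytes([0x30, 0x64]) + bytes(range(100)))
# Constructed bad paste: page text above it and two spaces before each line.
PASTED = "Certificate text follows:\n" + "".join(
    "  " + line + "\n" for line in CLEAN_PEM.splitlines())

if __name__ == "__main__":
    cleaned, found = check_pasted_pem(PASTED)
    print("problems:", found)
    print(cleaned, end="")
```

The check only confirms that the text is well-formed base64 wrapping a DER structure; it does not validate the certificate's signature, issuer or validity period.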