Troubleshooting Management Central connections

Several factors can prevent a connection to the Management Central server. This topic contains a list of steps that you can take to troubleshoot a failed connection.

First and foremost, make sure that the central system is running on the highest operating system release in the network. Problems can occur because there are clients in the network that are running an operating system that is at a higher release than the central system.
Related information
Scenario: Secure all connections to your Management Central server with SSL
Experience report: Configuring Management Central Connections for Firewall Environments
Digital Certificate Manager

Failed connection to the central system

  1. From the PC, verify that you can ping your central system using the name or IP address listed in iSeries™ Navigator as your central system. If this is unsuccessful then there is something wrong with either your network, or your DNS or host table. You must fix this before you can connect.
  2. From the central system, make sure that you can ping your PC using the IP address of your PC. If this is unsuccessful, you will not be able to use some of the Management Central functions. For more information, see the Information Center experience report, "Configuring Management Central Connections for Firewall Environments".
  3. Verify the central system connection. (From iSeries Navigator expand My Connections > Right-click the server that is your central system > Verify Connections.) If this reports any errors, click Details. This opens a window that displays information about what happened.
  4. Use the Verify Connection function that is located under Management Central to further troubleshoot the problem. (From iSeries Navigator right-click Management Central > Verify Connection.) If this reports any errors, click Details. This opens a window that displays information about what happened.

What to do if you still cannot connect

If you still cannot connect, use the following procedure to further troubleshoot the problem:
  1. Verify that the Management Central server QYPSJSVR is running on the Central System.
    1. In iSeries Navigator, expand My Connections > server (that you are using as the central system) > Network > Servers > TCP/IP.
    2. Look at the Management Central item to see if the server is started. If necessary, right-click Management Central under TCP/IP, and click Start.
    3. If the server still fails to start, view the job logs for possible problems, or continue with the next items to check for some common problems that can cause the servers not to start.
  2. Check the TCP/IP configuration on the central system.
    1. It is important that the Central System is able to ping itself using both the fully qualified domain name and the short name. If pinging either of these names fails, you will need to add the name and IP address to either the system's host table or DNS. Make sure that the IP address used in these pings is one that the PC can contact.
  3. If you are using SSL with Management Central, verify that it is set up correctly. Make sure to configure your Central System, all your endpoint systems, as well as iSeries Navigator on your PC.
  4. Check the QSECOFR profile.
    1. Management Central requires a profile with *ALLOBJ and *SECOFR authority enabled, and a valid password must be set so that it does not expire.
      Important: You must make this change via the character-based interface, otherwise the server might not be able to read the file.
      By default, Management Central uses the QSECOFR profile. Thus if this default has not been changed, then you can enable QSECOFR and set the password to never expire. (If you choose not to set the password to never expire then you must be diligent about keeping the password active. This is done by always changing the current password before it expires.) If you are using a customized profile other than QSECOFR then enable it and set the password to never expire. To change QSECOFR, open the properties file: "/QIBM/UserData/OS400/MGTC/config/McConfig.properties". Change the parameter "QYPSJ_SYSTEM_ID = QSECOFR" to "QYPSJ_SYSTEM_ID = YOURPROFILE" (where YOURPROFILE is the profile name replacing QSECOFR).
    2. Or you can run
      CALL PGM(QSYS/QYPSCONFIG) PARM(xxxx 'yyyy') 
      where xxxx is QYPSJ_SYSTEM_ID and yyyy is the name of the profile to be used.
  5. If both of the Management Central servers on the central system are started successfully and you've done the above troubleshooting, but you still can't connect from iSeries Navigator, then most likely the problem is either TCP/IP configuration related, or firewall related. In either case, use the Configuring Management Central Connections for Firewall Environments experience report to troubleshoot this problem. A few important notes are listed below:
    • The Central System needs to be able to initiate a connection with iSeries Navigator on the PC, so it is important that the Central System can ping the IP address of the PC.
    • The PC needs to be able to initiate a connection with iSeries Navigator that is using the following IPs:
      • The name or IP being used as the central system name in iSeries Navigator (the name of the system under my connections).
      • The IP address that the central system gets when it pings itself.
      Note: The initial connection to the central system uses the name or IP specified in iSeries Navigator for the central system. However during this initial connection, the central system discovers its own IP address and sends that IP to the PC. The PC uses that IP address for all further communications. The ports that Management Central uses need to be open in any firewalls that are being used.

Failed connection from PC to the central system

  1. Right-click Management Central and run Verify Connection.
  2. Make sure that Secure Sockets Layer (SSL) for the Management Central servers is turned on. Look in /qibm/userdata/os400/mgtc/config/McConfig.properties and confirm that QYPS_SSL>1 or QYPS_AUTH_LEVEL>1. If you change these values, remember to restart the Management Central servers.
  3. If you are running OS/400® V5R2, did the QYPSSRV job fail to start? If it failed to start then the Digital Certificate Manager (DCM) configuration was not done correctly. Make sure that you have assigned your certificate the Management Central Application identification as well as the host server IDs.
  4. Is there a padlock icon next to the central system? If not, then the client is not using SSL to connect. Under My Connections, right-click the central system, go to the Secure Sockets tab, and then choose to use SSL. Then click OK. You must close iSeries Navigator and restart it before this value takes effect.
  5. On that same Secure Sockets tab as mentioned in step 3, there is a button to Download the CA to your PC. Make sure that you have done this, using the operating system that you CREATED the CA on (not necessarily the central system).
  6. On the same Secure Sockets tab mentioned in the above bullet, there is a Verify SSL Connection. Run this and look at the results.
  7. If you are running OS/400 V5R2 verify that the file QIBM\ProdData\OS400\Java400\jdk\lib\security\java.security has the following properties defined as these can cause a connection problem.
    • os400.jdk13.jst.factories=true
    • ssl.SocketFactory.provider=com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl
  8. If you are running OS/400 V5R2 on the client, on your PC, look at c:\Documents and Settings\All Users\Documents\ibm\client access\classes\com\ibm\as400\access\KeyRing.class. Is it size 0? If so, delete the file and download the Certificate Authority.

Failed connection from central system to endpoint

In addition to following the steps for troubleshooting a failed connection from the PC to the central system, you should also view the job log on the central system. It should give a reason for why the connection was rejected. (For example: (CPFB918) Connection to system mysystem.mydomain.com rejected. Authentication level 0. Reason Code 99. This means that the SSL is not active for the endpoint. Instead, it is at authentication level 0.) You can find the meanings for negative reason codes in /QSYS.LIB/QSYSINC.LIB/H.FILE/SSL.MBR.
Note: Endpoint systems do not require a padlock.
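
The job-log triage described above can be scripted once the log text has been copied off the central system. This is an added example, not IBM code: it assumes the CPFB918 message text appears exactly as quoted on this page, and the sample log lines (including the second host name and the negative reason code) are constructed.

```python
import re

# Message text as quoted on this page; a real job log may lay it out differently.
CPFB918 = re.compile(
    r"Connection to system (?P<system>\S+) rejected\.\s+"
    r"Authentication level (?P<auth>\d+)\.\s+"
    r"Reason Code (?P<reason>-?\d+)\."
)
SSL_MBR = "/QSYS.LIB/QSYSINC.LIB/H.FILE/SSL.MBR"


def triage(job_log_text):
    """Return one finding per rejected endpoint connection in the log text."""
    findings = []
    for m in CPFB918.finditer(job_log_text):
        auth, reason = int(m["auth"]), int(m["reason"])
        if auth == 0:
            # Per the page: level 0 means SSL is not active for the endpoint.
            action = "SSL is not active for this endpoint (authentication level 0)"
        elif reason < 0:
            # Per the page: negative reason codes are defined in SSL.MBR.
            action = "look up reason code %d in %s" % (reason, SSL_MBR)
        else:
            action = "review the surrounding job log entries"
        findings.append({
            "system": m["system"],
            "auth_level": auth,
            "reason_code": reason,
            "action": action,
        })
    return findings


# Constructed sample log text (not captured from a real system).
SAMPLE_LOG = """\
(CPFB918) Connection to system mysystem.mydomain.com rejected. Authentication level 0. Reason Code 99.
An unrelated job log line.
(CPFB918) Connection to system endpoint2.mydomain.com rejected. Authentication level 2. Reason Code -23.
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding["system"], "->", finding["action"])
```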

Additional considerations

Firewall considerations
All communication is TCP initiated from the PC to the central system. You can specify the exact port to use by adding the following line to the C:\MgmtCtrl.properties file:
QYPSJ_LOCAL_PORT=xxxx
where xxxx is the port number. The port number should be greater than 1024 and less than 65535. Additionally, the port number must not be used by another application on the PC. The port must be open through the firewall. Should the firewall require it, all sockets must be open.
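
The two properties-file checks on this page (the QYPS_SSL / QYPS_AUTH_LEVEL test in McConfig.properties and the QYPSJ_LOCAL_PORT range rule above) can be automated against copies of the files. This is an added example, not IBM code: the function names, the MCADMIN profile and the sample file contents are constructed, and the parser assumes plain key=value lines.

```python
def parse_properties(text):
    """Parse simple key=value lines; '#' and '!' start comment lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def as_int(props, key):
    """Return the integer value of key, or None if missing or non-numeric."""
    try:
        return int(props[key])
    except (KeyError, ValueError):
        return None


def audit_central(text):
    """Apply this page's McConfig.properties checks to the file contents."""
    props = parse_properties(text)
    ssl, auth = as_int(props, "QYPS_SSL"), as_int(props, "QYPS_AUTH_LEVEL")
    # Page's condition: QYPS_SSL>1 or QYPS_AUTH_LEVEL>1.
    ssl_ok = (ssl is not None and ssl > 1) or (auth is not None and auth > 1)
    # QSECOFR is the default profile when QYPSJ_SYSTEM_ID is not overridden.
    return {"ssl_ok": ssl_ok, "profile": props.get("QYPSJ_SYSTEM_ID", "QSECOFR")}


def check_local_port(text):
    """Validate QYPSJ_LOCAL_PORT from C:\\MgmtCtrl.properties contents."""
    props = parse_properties(text)
    if "QYPSJ_LOCAL_PORT" not in props:
        return "not set"
    port = as_int(props, "QYPSJ_LOCAL_PORT")
    if port is None:
        return "not a number"
    # Page's rule: greater than 1024 and less than 65535.
    return "ok" if 1024 < port < 65535 else "out of range"


# Constructed sample contents (not taken from a real system).
CENTRAL_SAMPLE = "# constructed\nQYPS_SSL = 1\nQYPS_AUTH_LEVEL = 0\nQYPSJ_SYSTEM_ID = MCADMIN\n"
PC_SAMPLE = "QYPSJ_LOCAL_PORT=5544\n"

if __name__ == "__main__":
    print(audit_central(CENTRAL_SAMPLE), check_local_port(PC_SAMPLE))
```

The profile name it reports is the one to check for *ALLOBJ and *SECOFR authority and a valid password; the script cannot verify that the chosen port is free on the PC or open in the firewall.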