Use the following table to find information to help you troubleshoot some of the more common certificate store and key database problems you may encounter while working with Digital Certificate Manager (DCM).
| Problem | Possible Solution |
|---|---|
| The system has not found the key database, or has found it to be invalid. | Check your password and file name for typographical errors. Be sure that the path is included with the file name, including the leading forward slash. |
| Key database creation failed or Create a Local CA creation fails. | Check for a file name conflict. The conflict may exist
in a different file than the one for which you asked. DCM attempts to protect
user data in the directories that it creates, even if those files keep DCM
from successfully creating files when it needs to. Resolve this by copying
all of the conflicting files to a different directory and, if possible, use
DCM functions to delete the corresponding files. If you cannot use DCM to
accomplish this, manually delete the files from the original integrated file
system directory where they were conflicting with DCM. Ensure that you record
exactly which files you move and where you move them. The copies allow you
to recover the files if you find that you still need them. You need to create
a new Local CA after moving the following files:
/QIBM/USERDATA/ICSS/CERT/CERTAUTH/DEFAULT.KDB /QIBM/USERDATA/ICSS/CERT/CERTAUTH/DEFAULT.TEMP.KDB /QIBM/USERDATA/ICSS/CERT/CERTAUTH/DEFAULT.RDB /QIBM/USERDATA/ICSS/CERT/CERTAUTH/DEFAULT.STH /QIBM/USERDATA/ICSS/CERT/CERTAUTH/DEFAULT.STH .OLD /QIBM/USERDATA/ICSS/CERT/CERTAUTH/DEFAULT.KYR /QIBM/USERDATA/ICSS/CERT/CERTAUTH/DEFAULT.POL /QIBM/USERDATA/ICSS/CERT/CERTAUTH/DEFAULT.BAK /QIBM/USERDATA/ICSS/CERT/CERTAUTH/DEFAULT.TEMP /QIBM/USERDATA/ICSS/CERT/CERTAUTH/DEFAULT.STHBAK /QIBM/USERDATA/ICSS/CERT/CERTAUTH/DEFAULT.TEMP.STH /QIBM/USERDATA/ICSS/CERT/CERTAUTH/CA.TXT /QIBM/USERDATA/ICSS/CERT/CERTAUTH/CA.BAK /QIBM/USERDATA/ICSS/CERT/CERTAUTH/CA.TMP /QIBM/USERDATA/ICSS/CERT/CERTAUTH/DEFAULT.POLTMP /QIBM/USERDATA/ICSS/CERT/CERTAUTH/DEFAULT.POLBAK /QIBM/USERDATA/ICSS/CERT/DOWNLOAD/CERTAUTH/CA.CACRT /QIBM/USERDATA/ICSS/CERT/DOWNLOAD/CERTAUTH/CA.CATMP /QIBM/USERDATA/ICSS/CERT/DOWNLOAD/CERTAUTH/CA.CABAK /QIBM/USERDATA/ICSS/CERT/DOWNLOAD/CLIENT/*.USRCRT You need
to create a new *SYSTEM certificate store and system certificate after moving
the following files:
/QIBM/USERDATA/ICSS/CERT/SERVER/DEFAULT.KDB /QIBM/USERDATA/ICSS/CERT/SERVER/DEFAULT.BAK /QIBM/USERDATA/ICSS/CERT/SERVER/DEFAULT.RDB /QIBM/USERDATA/ICSS/CERT/SERVER/DEFAULT.STH /QIBM/USERDATA/ICSS/CERT/SERVER/DEFAULT.STH.OLD /QIBM/USERDATA/ICSS/CERT/SERVER/DEFAULT.STHBAK /QIBM/USERDATA/ICSS/CERT/SERVER/DEFAULT.TMP /QIBM/USERDATA/ICSS/CERT/SERVER/DEFAULT.TEMP.STH /QIBM/USERDATA/ICSS/CERT/SERVER/SRV.TMP /QIBM/USERDATA/ICSS/CERT/SERVER/SRV.BAK /QIBM/USERDATA/ICSS/CERT/SERVER/SRV.TXT /QIBM/USERDATA/ICSS/CERT/SERVER/SRV.SGN /QIBM/USERDATA/ICSS/CERT/SERVER/SGN.TMP /QIBM/USERDATA/ICSS/CERT/SERVER/SGN.BAK /QIBM/USERDATA/ICSS/CERT/SERVER/EXPSRV.TMP /QIBM/USERDATA/ICSS/CERT/SERVER/EXPSGN.TMP |
| You may be missing a prerequisite licensed program (LPP) that DCM requires be installed. Check the list of DCM prerequisites and ensure that all licensed programs are installed properly. | |
| The system does not accept a CA text file that was transferred in binary mode from another system. It does accept the file when it is transferred in American National Standard Code for Information Interchange (ASCII). | Key rings and key databases are binary and, therefore, different. You must use File Transfer Protocol (FTP) in ASCII mode for CA text files and FTP in binary mode for binary files, such as files with these extensions: .kdb, .kyr, .sth, .rdb, and so forth. |
| You cannot change the password of a key database. A certificate in the key database is no longer valid. | After verifying that an incorrect password is not the problem, find and delete the invalid certificate or certificates from the certificate store, and then try to change the password. If you have expired certificates in your certificate store, the expired certificates are no longer valid. Since the certificates are not valid, the password change function for the certificate store may not allow the password to be changed and the encryption process will not encrypt the private keys of the expired certificate. This keeps the password change from occurring, and the system may report that certificate store corruption is one of the reasons. You must remove the invalid (expired) certificates from the certificate store. |
| You need to use certificates for an Internet user and therefore need to use validation lists, but DCM does not provide functions for validation lists. | Business partners who are writing applications to use validation lists must write their code to associate the validation list with their application as expected. They must also write the code that determines when the Internet user's identity is appropriately validated so that the certificate can be added to the validation list. Review the Information Center topic for the QsyAddVldlCertificate API. Consult the HTTP Server for iSeries™ documentation for help with configuring a secure HTTP server instance to use the validation list. |