<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="reference" />
<meta name="DC.Title" content="Troubleshoot certificate store and key database problems" />
<meta name="DC.Relation" scheme="URI" content="rzahurzahu666dcmtroubleshooting.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzahu6aa-troubledatabase" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Troubleshoot certificate store and key database problems</title>
</head>
<body id="rzahu6aa-troubledatabase"><a name="rzahu6aa-troubledatabase"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Troubleshoot certificate store and key database problems</h1>
<div><div class="section"><p>Use the following table to find information to help you troubleshoot
some of the more common certificate store and key database problems you may
encounter while working with Digital Certificate Manager (DCM).</p>
</div>
<div class="section"><div class="p">
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" width="100%" frame="border" border="1" rules="all"><thead align="left"><tr><th valign="top" width="47.474747474747474%" id="d0e22"><span class="uicontrol">Problem</span></th>
<th valign="top" width="52.52525252525253%" id="d0e25"><span class="uicontrol">Possible Solution</span></th>
</tr>
</thead>
<tbody><tr><td valign="top" width="47.474747474747474%" headers="d0e22 ">The system has not found the key database, or has found
it to be invalid.</td>
<td valign="top" width="52.52525252525253%" headers="d0e25 ">Check your password and file name for typographical
errors. Be sure that the path is included with the file name, including the
leading forward slash.</td>
</tr>
<tr><td valign="top" width="47.474747474747474%" headers="d0e22 ">Key database creation fails, or creation of a Local CA
fails.</td>
<td valign="top" width="52.52525252525253%" headers="d0e25 ">Check for a file name conflict. The conflict may involve
a different file than the one that you specified. DCM attempts to protect
user data in the directories that it creates, even if those files keep DCM
from successfully creating files when it needs to. <div class="p">Resolve this by copying
all of the conflicting files to a different directory and, if possible, use
DCM functions to delete the corresponding files. If you cannot use DCM to
accomplish this, manually delete the files from the original integrated file
system directory where they were conflicting with DCM. Ensure that you record
exactly which files you move and where you move them. The copies allow you
to recover the files if you find that you still need them. You need to create
a new Local CA after moving the following files: <pre>/QIBM/USERDATA/ICSS/CERT/CERTAUTH/DEFAULT.KDB
/QIBM/USERDATA/ICSS/CERT/CERTAUTH/DEFAULT.TEMP.KDB
/QIBM/USERDATA/ICSS/CERT/CERTAUTH/DEFAULT.RDB
/QIBM/USERDATA/ICSS/CERT/CERTAUTH/DEFAULT.STH
/QIBM/USERDATA/ICSS/CERT/CERTAUTH/DEFAULT.STH.OLD
/QIBM/USERDATA/ICSS/CERT/CERTAUTH/DEFAULT.KYR
/QIBM/USERDATA/ICSS/CERT/CERTAUTH/DEFAULT.POL
/QIBM/USERDATA/ICSS/CERT/CERTAUTH/DEFAULT.BAK
/QIBM/USERDATA/ICSS/CERT/CERTAUTH/DEFAULT.TEMP
/QIBM/USERDATA/ICSS/CERT/CERTAUTH/DEFAULT.STHBAK
/QIBM/USERDATA/ICSS/CERT/CERTAUTH/DEFAULT.TEMP.STH
/QIBM/USERDATA/ICSS/CERT/CERTAUTH/CA.TXT
/QIBM/USERDATA/ICSS/CERT/CERTAUTH/CA.BAK
/QIBM/USERDATA/ICSS/CERT/CERTAUTH/CA.TMP
/QIBM/USERDATA/ICSS/CERT/CERTAUTH/DEFAULT.POLTMP
/QIBM/USERDATA/ICSS/CERT/CERTAUTH/DEFAULT.POLBAK
/QIBM/USERDATA/ICSS/CERT/DOWNLOAD/CERTAUTH/CA.CACRT
/QIBM/USERDATA/ICSS/CERT/DOWNLOAD/CERTAUTH/CA.CATMP
/QIBM/USERDATA/ICSS/CERT/DOWNLOAD/CERTAUTH/CA.CABAK
/QIBM/USERDATA/ICSS/CERT/DOWNLOAD/CLIENT/*.USRCRT</pre>
</div>
<div class="p">You need
to create a new *SYSTEM certificate store and system certificate after moving
the following files: <pre>/QIBM/USERDATA/ICSS/CERT/SERVER/DEFAULT.KDB
/QIBM/USERDATA/ICSS/CERT/SERVER/DEFAULT.BAK
/QIBM/USERDATA/ICSS/CERT/SERVER/DEFAULT.RDB
/QIBM/USERDATA/ICSS/CERT/SERVER/DEFAULT.STH
/QIBM/USERDATA/ICSS/CERT/SERVER/DEFAULT.STH.OLD
/QIBM/USERDATA/ICSS/CERT/SERVER/DEFAULT.STHBAK
/QIBM/USERDATA/ICSS/CERT/SERVER/DEFAULT.TMP
/QIBM/USERDATA/ICSS/CERT/SERVER/DEFAULT.TEMP.STH
/QIBM/USERDATA/ICSS/CERT/SERVER/SRV.TMP
/QIBM/USERDATA/ICSS/CERT/SERVER/SRV.BAK
/QIBM/USERDATA/ICSS/CERT/SERVER/SRV.TXT
/QIBM/USERDATA/ICSS/CERT/SERVER/SRV.SGN
/QIBM/USERDATA/ICSS/CERT/SERVER/SGN.TMP
/QIBM/USERDATA/ICSS/CERT/SERVER/SGN.BAK
/QIBM/USERDATA/ICSS/CERT/SERVER/EXPSRV.TMP
/QIBM/USERDATA/ICSS/CERT/SERVER/EXPSGN.TMP</pre>
</div>
</td>
</tr>
<tr><td valign="top" width="47.474747474747474%" headers="d0e22 ">&nbsp;</td>
<td valign="top" width="52.52525252525253%" headers="d0e25 ">You may be missing a prerequisite licensed program (LPP)
that DCM requires. Check the list of <a href="rzahurzahureqdcmrequirements.htm#rzahureq_dcm_requirements">DCM
prerequisites</a> and ensure that all licensed programs are installed properly.</td>
</tr>
<tr><td valign="top" width="47.474747474747474%" headers="d0e22 ">The system does not accept a CA text file that was transferred
in binary mode from another system. It does accept the file when it is transferred
in American National Standard Code for Information Interchange (ASCII).</td>
<td valign="top" width="52.52525252525253%" headers="d0e25 ">Key rings and key databases are binary files and, therefore,
must be transferred differently from CA text files. You must use File Transfer
Protocol (FTP) in ASCII mode for CA text files and FTP in binary mode for binary
files, such as files with these
extensions: <samp class="codeph">.kdb</samp>, <samp class="codeph">.kyr</samp>, <samp class="codeph">.sth</samp>, <samp class="codeph">.rdb</samp>,
and so forth.</td>
</tr>
<tr><td valign="top" width="47.474747474747474%" headers="d0e22 ">You cannot change the password of a key database. A
certificate in the key database is no longer valid.</td>
<td valign="top" width="52.52525252525253%" headers="d0e25 ">After verifying that an incorrect password is not the
problem, find and delete the invalid certificate or certificates from the
certificate store, and then try to change the password. If you have expired
certificates in your certificate store, the expired certificates are no longer
valid. Since the certificates are not valid, the password change function
for the certificate store may not allow the password to be changed and the
encryption process will not encrypt the private keys of the expired certificate.
This keeps the password change from occurring, and the system may report that
certificate store corruption is one of the reasons. You must remove the invalid
(expired) certificates from the certificate store. </td>
</tr>
<tr><td valign="top" width="47.474747474747474%" headers="d0e22 ">You need to use certificates for an Internet user and
therefore need to use validation lists, but DCM does not provide functions
for validation lists.</td>
<td valign="top" width="52.52525252525253%" headers="d0e25 ">Business partners who are writing applications to use
validation lists must write their code to associate the validation list with
their application as expected. They must also write the code that determines
when the Internet user's identity is appropriately validated so that the certificate
can be added to the validation list. Review the Information Center topic for
the <a href="../apis/qsyaddvc.htm">QsyAddVldlCertificate</a> API.
Consult the <a href="../rzaie/rzaiemain.htm">HTTP
Server for iSeries™</a> documentation
for help with configuring a secure HTTP server instance to use the validation
list.</td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
</div>
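<div class="section"><p>The copy-and-record step that the table describes for a failed key database or Local CA creation, as an added example that is not part of the original IBM documentation: a POSIX shell function that copies the listed files aside, verifies each copy, and writes a manifest of what went where. The names <samp class="codeph">backup_dcm_files</samp>, <samp class="codeph">DCM_ROOT</samp>, <samp class="codeph">MANIFEST.txt</samp> and the backup path in the usage comment are assumptions; deleting the originals is left to DCM, as the table recommends.</p>

```shell
#!/bin/sh
# Added example, not IBM code. DCM_ROOT, backup_dcm_files and MANIFEST.txt
# are names assumed for this sketch.
DCM_ROOT="${DCM_ROOT:-/QIBM/USERDATA/ICSS/CERT}"

# Local CA file names from the CERTAUTH list on this page.
CERTAUTH_FILES="DEFAULT.KDB DEFAULT.TEMP.KDB DEFAULT.RDB DEFAULT.STH
DEFAULT.STH.OLD DEFAULT.KYR DEFAULT.POL DEFAULT.BAK DEFAULT.TEMP
DEFAULT.STHBAK DEFAULT.TEMP.STH CA.TXT CA.BAK CA.TMP DEFAULT.POLTMP
DEFAULT.POLBAK"

# backup_dcm_files SUBDIR DEST NAME...
# Copies each named file that exists under $DCM_ROOT/SUBDIR into DEST,
# compares the copy with the original byte for byte, and appends one line
# per file to DEST/MANIFEST.txt. Nothing is deleted and no existing copy is
# overwritten. Returns 0 if every copy succeeded, 1 otherwise.
# The body runs in a subshell so the umask change does not leak out.
backup_dcm_files() (
    subdir=$1; dest=$2; shift 2
    manifest="$dest/MANIFEST.txt"
    umask 077                      # key databases hold private keys
    mkdir -p "$dest" || exit 1
    status=0
    for name in "$@"; do
        src="$DCM_ROOT/$subdir/$name"
        [ -f "$src" ] || continue  # skip names that are not present
        if [ -e "$dest/$name" ]; then
            echo "SKIPPED $src (copy already exists)" >> "$manifest"
            status=1
        elif ! cp -p "$src" "$dest/$name"; then
            echo "FAILED $src" >> "$manifest"
            status=1
        elif ! cmp -s "$src" "$dest/$name"; then
            echo "MISMATCH $src" >> "$manifest"
            status=1
        else
            echo "COPIED $src -> $dest/$name" >> "$manifest"
        fi
    done
    exit "$status"
)

# Usage (hypothetical backup path):
#   backup_dcm_files CERTAUTH /home/secofr/dcm-backup/CERTAUTH $CERTAUTH_FILES
```

</div>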
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzahurzahu666dcmtroubleshooting.htm" title="Review this information to learn how to resolve some of the more common errors that you may experience when using DCM.">Troubleshoot DCM</a></div>
</div>
</div>
</body>
</html>