<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="task" />
<meta name="DC.Title" content="Troubleshooting Management Central connections" />
<meta name="abstract" content="Several factors can prevent a connection to the Management Central server. This topic contains a list of steps that you can take to troubleshoot a failed connection." />
<meta name="description" content="Several factors can prevent a connection to the Management Central server. This topic contains a list of steps that you can take to troubleshoot a failed connection." />
<meta name="DC.Relation" scheme="URI" content="rzaih1b.htm" />
<meta name="DC.Relation" scheme="URI" content="../rzain/rzainmc.htm" />
<meta name="DC.Relation" scheme="URI" content="../experience/mcfirewallabstract.htm" />
<meta name="DC.Relation" scheme="URI" content="../rzahu/rzahurazhudigitalcertmngmnt.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzaihtblshtmcconnect" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Troubleshooting Management Central connections</title>
</head>
<body id="rzaihtblshtmcconnect"><a name="rzaihtblshtmcconnect"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Troubleshooting Management Central connections</h1>
<div><p>Several factors can prevent a connection to the Management Central
server. This topic contains a list of steps that you can take to troubleshoot
a failed connection.</p>
<div class="section">First and foremost, make sure that the central system is running
on the highest operating system release in the network. Problems can occur
because there are clients in the network that are running an operating system
that is at a higher release than the central system.</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzaih1b.htm" title="To get the most out of Management Central, set up your central system and endpoint systems in a way that makes sense for your business environment. When you have finished these preliminary steps, you are ready to start working with Management Central.">Get started with Management Central</a></div>
</div>
<div class="relinfo"><strong>Related information</strong><br />
<div><a href="../rzain/rzainmc.htm">Scenario: Secure all connections to your Management Central server with SSL</a></div>
<div><a href="../experience/mcfirewallabstract.htm">Experience report: Configuring Management Central Connections for Firewall Environments</a></div>
<div><a href="../rzahu/rzahurazhudigitalcertmngmnt.htm">Digital Certificate Manager</a></div>
</div>
</div><div class="nested1" xml:lang="en-us" id="cctonavtblsht"><a name="cctonavtblsht"><!-- --></a><h2 class="topictitle2">Failed connection to the central system</h2>
<div><ol><li><span>From the PC, verify that you can ping your central system using
the name or IP address listed in iSeries™ Navigator as your central system.
If this is unsuccessful then there is something wrong with either your network,
or your DNS or host table. You must fix this before you can connect. </span></li>
<li><span>From the central system, make sure that you can ping your PC using
the IP address of your PC. If this is unsuccessful, you will not be able to
use some of the Management Central functions. For more information, see the
Information Center experience report, "Configuring Management Central Connections
for Firewall Environments".</span></li>
<li><span>Verify the central system connection. (From iSeries Navigator, expand <span class="menucascade"><span class="uicontrol">My Connections</span> &gt; <span class="uicontrol">Right-click the server that
is your central system</span> &gt; <span class="uicontrol">Verify Connections</span></span>.) If this reports any errors, click <span class="uicontrol">Details</span>.
This opens a window that displays information about what happened.</span></li>
<li><span>Use the Verify Connection function that is located under Management
Central to further troubleshoot the problem. (From iSeries Navigator, right-click <span class="menucascade"><span class="uicontrol">Management Central</span> &gt; <span class="uicontrol">Verify Connection</span></span>.) If this reports any errors, click <span class="uicontrol">Details</span>.
This opens a window that displays information about what happened.</span></li>
</ol>
</div>
</div>
<div class="nested1" xml:lang="en-us" id="manualtrblsht"><a name="manualtrblsht"><!-- --></a><h2 class="topictitle2">What to do if you still cannot connect</h2>
<div><div class="section">If you still cannot connect, use the following procedure to further
troubleshoot the problem: </div>
<ol><li class="stepexpand"><span>Verify that the Management Central server QYPSJSVR is running on
the Central System. </span><ol type="a"><li><span>In iSeries Navigator,
expand <span class="menucascade"><span class="uicontrol">My Connections</span> &gt; <span class="uicontrol">server
(that you are using as the central system)</span> &gt; <span class="uicontrol">Network</span> &gt; <span class="uicontrol">Servers</span> &gt; <span class="uicontrol">TCP/IP</span></span>.</span></li>
<li><span>Look at the Management Central item to see if the server is
started. If necessary, right-click Management Central under TCP/IP, and click <span class="uicontrol">Start</span>. </span></li>
<li><span>If the server still fails to start, view the job logs for possible
problems, or continue with the next items to check for some common problems
that can cause the servers not to start. </span></li>
</ol>
</li>
<li class="stepexpand"><span>Check the TCP/IP configuration on the central system. </span><ol type="a"><li><span>It is important that the Central System is able to ping itself
using both the fully qualified domain name and the short name. If pinging
either of these names fails, you will need to add the name and IP address
to either the system's host table or DNS. Make sure that the IP address used
in these pings is one that the PC can contact.</span></li>
</ol>
</li>
<li class="stepexpand"><span>If you are using SSL with Management Central, verify that it is
set up correctly. Make sure to configure your Central System, all your endpoint
systems, as well as iSeries Navigator on your PC. </span></li>
<li class="stepexpand"><span>Check the QSECOFR profile. </span><ol type="a"><li class="substepexpand"><span>Management Central requires a profile with *ALLOBJ and *SECOFR
authority enabled, and a valid password must be set so that it does not expire.
</span> <div class="important"><span class="importanttitle">Important:</span> You must make this change via the character-based
interface, otherwise the server might not be able to read the file.</div>
<blockquote>By
default, Management Central uses the QSECOFR profile. Thus if this default
has not been changed, then you can enable QSECOFR and set the password to
never expire. (If you choose not to set the password to never expire then
you must be diligent about keeping the password active. This is done by always
changing the current password <strong>before</strong> it expires.) If you are using
a customized profile other than QSECOFR then enable it and set the password
to never expire. To change QSECOFR, open the properties file: "/QIBM/UserData/OS400/MGTC/config/McConfig.properties".
Change the parameter "QYPSJ_SYSTEM_ID = QSECOFR" to "QYPSJ_SYSTEM_ID = YOURPROFILE"
(where YOURPROFILE is the profile name replacing QSECOFR).</blockquote>
</li>
<li class="substepexpand"><span>Or you can run</span> <pre>CALL PGM(QSYS/QYPSCONFIG) PARM(xxxx 'yyyy') </pre>
where xxxx is QYPSJ_SYSTEM_ID and yyyy is the name of the profile
to be used.</li>
</ol>
</li>
<li class="stepexpand"><span>If both of the Management Central servers on the central system
are started successfully and you've done the above troubleshooting, but you
still can't connect from iSeries Navigator, then most likely the problem is
either TCP/IP configuration related, or firewall related. In either case,
use the Configuring Management Central Connections for Firewall Environments
experience report to troubleshoot this problem. A few important notes are
listed below: </span> <ul><li>The Central System needs to be able to initiate a connection with iSeries Navigator
on the PC, so it is important that the Central System can ping the IP address
of the PC. </li>
<li>The PC needs to be able to initiate a connection with iSeries Navigator
that is using the following IPs: <ul><li>The name or IP being used as the central system name in iSeries Navigator
(the name of the system under my connections). </li>
<li>The IP address that the central system gets when it pings itself.</li>
</ul>
<div class="note"><span class="notetitle">Note:</span> The initial connection to the central system uses the name or IP
specified in iSeries Navigator
for the central system. However during this initial connection, the central
system discovers its own IP address and sends that IP to the PC. The PC uses
that IP address for all further communications. The ports that Management
Central uses need to be open in any firewalls that are being used.</div>
</li>
</ul>
</li>
</ol>
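<div class="section"><p>The self-resolution check in step 2 and the address note in step 5, as an added example that is not IBM's code: the Python below resolves a system's short and fully qualified names and flags a name that does not resolve, a loopback address that the PC could never contact, or two names that resolve to different addresses. The host names, the injected <code>resolver</code> parameter and the sample host table are constructed, and treating differing addresses as a finding is an assumption of this example.</p>
<pre>
```python
import ipaddress
import socket


def resolve_ipv4(name):
    """Return the sorted IPv4 addresses a name resolves to, or [] on failure."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def check_self_resolution(short_name, fqdn, resolver=resolve_ipv4):
    """Report problems with how a system resolves its own two names.

    Returns a list of (name, problem) tuples; an empty list means both names
    resolve to the same non-loopback addresses.
    """
    findings = []
    resolved = {}
    for name in (short_name, fqdn):
        addrs = resolver(name)
        resolved[name] = addrs
        if not addrs:
            findings.append((name, "does not resolve: add it to the host table or DNS"))
            continue
        for addr in addrs:
            # The system reports its own address to the PC, and a loopback
            # address is never reachable from another machine.
            if ipaddress.ip_address(addr).is_loopback:
                findings.append((name, f"resolves to {addr}, which the PC cannot contact"))
    # Assumption of this example: both names should give the same address set.
    if resolved[short_name] and resolved[fqdn] and resolved[short_name] != resolved[fqdn]:
        findings.append((fqdn, "short name and fully qualified name resolve to different addresses"))
    return findings


# Constructed sample data: a host table whose short name points at loopback.
SAMPLE_HOSTS = {"mysystem": ["127.0.0.1"], "mysystem.mydomain.com": ["192.0.2.10"]}

if __name__ == "__main__":
    for name, problem in check_self_resolution(
        "mysystem", "mysystem.mydomain.com", lambda n: SAMPLE_HOSTS.get(n, [])
    ):
        print(f"{name}: {problem}")
```
</pre>
<p>Called without the <code>resolver</code> argument, the check uses the resolver of the machine it runs on, so it reflects that machine's own host table and DNS.</p>
</div>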
</div>
</div>
<div class="nested1" xml:lang="en-us" id="pctocstrblsht"><a name="pctocstrblsht"><!-- --></a><h2 class="topictitle2">Failed connection from PC to the central system</h2>
<div><ol><li class="stepexpand"><span>Right-click Management Central and run Verify Connection. </span></li>
<li class="stepexpand"><span>Make sure that Secure Sockets Layer (SSL) for the Management
Central servers is turned on. Look in /qibm/userdata/os400/mgtc/config/McConfig.properties
and confirm that QYPS_SSL&gt;1 or QYPS_AUTH_LEVEL&gt;1. If you change these values,
remember to restart the Management Central servers.</span></li>
<li class="stepexpand"><span>If you are running OS/400<sup>®</sup> V5R2, did the QYPSSRV job fail
to start? If it failed to start then the Digital Certificate Manager (DCM)
configuration was not done correctly. Make sure that you have assigned your
certificate the Management Central Application identification as well as the
host server IDs. </span></li>
<li class="stepexpand"><span>Is there a padlock icon next to the central system? If not, then
the client is not using SSL to connect. Under My Connections, right-click
the central system, go to the Secure Sockets tab, and then choose to use SSL.
Then click <span class="uicontrol">OK</span>. You must close iSeries Navigator and restart it before
this value takes effect.</span></li>
<li class="stepexpand"><span>On that same Secure Sockets tab as mentioned in step 3, there is
a button to Download the CA to your PC. Make sure that you have done this,
using the operating system that you CREATED the CA on (not necessarily the
central system).</span></li>
<li class="stepexpand"><span>On the same Secure Sockets tab mentioned in the above bullet, there
is a Verify SSL Connection. Run this and look at the results.</span></li>
<li class="stepexpand"><span>If you are running OS/400 V5R2, verify that the file QIBM\ProdData\OS400\Java400\jdk\lib\security\java.security
has the following properties defined, as these can cause a connection problem.</span> <ul><li>os400.jdk13.jst.factories=true </li>
<li>ssl.SocketFactory.provider=com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl </li>
</ul>
</li>
<li class="stepexpand"><span>If you are running OS/400 V5R2 on the client, on your PC,
look at c:\Documents and Settings\All Users\Documents\ibm\client access\classes\com\ibm\as400\access\KeyRing.class.
Is it size 0? If so, delete the file and download the Certificate Authority. </span></li>
</ol>
</div>
</div>
<div class="nested1" xml:lang="en-us" id="cstoendpttrblsht"><a name="cstoendpttrblsht"><!-- --></a><h2 class="topictitle2">Failed connection from central system to endpoint</h2>
<div><div class="section">In addition to following the steps for troubleshooting a failed connection
from the PC to the central system, you should also view the job log on the
central system. It should give a reason for why the connection was rejected.
(For example: (CPFB918) Connection to system mysystem.mydomain.com rejected.
Authentication level 0. Reason Code 99. This means that SSL is not active
for the endpoint. Instead, it is at authentication level 0.) You can find
the meanings for negative reason codes in /QSYS.LIB/QSYSINC.LIB/H.FILE/SSL.MBR.<div class="note"><span class="notetitle">Note:</span> Endpoint
systems do not require a padlock. </div>
</div>
</div>
</div>
<div class="nested1" xml:lang="en-us" id="tblshtmmconnadtlconsider"><a name="tblshtmmconnadtlconsider"><!-- --></a><h2 class="topictitle2">Additional considerations</h2>
<div><div class="section"><dl><dt class="dlterm">Firewall considerations</dt>
<dd>All communication is TCP initiated from the PC to the central system.
You can specify the exact port to use by adding the following line to the
C:\MgmtCtrl.properties file:<pre>QYPSJ_LOCAL_PORT=xxxx</pre>
where
xxxx is the port number. The port number should be greater than 1024 and less
than 65535. Additionally, the port number must not be used by another application
on the PC. The port must be open through the firewall. Should the firewall
require it, all sockets must be open.</dd>
</dl>
</div>
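<div class="section"><p>One way to check a QYPSJ_LOCAL_PORT setting against the constraints above before opening the firewall, as an added example that is not IBM's code: it reads the properties text, applies the documented range, and tests whether the port is already taken by trying to bind it. The function names and the sample file content are constructed for this example.</p>
<pre>
```python
import socket


def read_properties(text):
    """Parse key=value lines of a Java-style properties file (no continuations)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue  # blank line or comment
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def port_is_free(port, host="0.0.0.0"):
    """Return True if a TCP socket can be bound to the port right now."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
        except OSError:
            return False
    return True


def check_local_port(text, is_free=port_is_free):
    """Validate QYPSJ_LOCAL_PORT against the documented constraints."""
    value = read_properties(text).get("QYPSJ_LOCAL_PORT")
    if value is None:
        return "QYPSJ_LOCAL_PORT is not set"
    if not value.isdigit():
        return f"QYPSJ_LOCAL_PORT={value} is not a number"
    port = int(value)
    # Documented range: greater than 1024 and less than 65535.
    if port not in range(1025, 65535):
        return f"port {port} is outside 1025-65534"
    if not is_free(port):
        return f"port {port} is already in use on this PC"
    return "ok"


# Constructed sample content for C:\MgmtCtrl.properties.
SAMPLE = "# constructed example\nQYPSJ_LOCAL_PORT=5555\n"

if __name__ == "__main__":
    print(check_local_port(SAMPLE))
```
</pre>
<p>Run the check while iSeries Navigator is closed; otherwise Navigator itself may be holding the port and the result reads as a conflict.</p>
</div>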
</div>
</div>
</body>
</html>