Assigning certificates via DCM for various IBM i Access Client Solutions services

  • 1.  Assigning certificates via DCM for various IBM i Access Client Solutions services

    IBM Champion
    Posted Tue September 26, 2023 08:15 AM

    I am trying to apply a certificate to the various IBM i Access Client Solutions services.  I do not want to just apply the cert to all services.  When I turn on SSL for one LPAR I must be missing a few services as I am getting:

    I've got most of these figured out:

    Verifying connection to port mapper service...Success! using port number 449
    Verifying connection to central server service...Success! using port number 9470 -> QIBM_OS400_QZBS_SVR_CENTRAL
    Verifying connection to command service...Success! using port number 9475 -> QIBM_OS400_QZBS_SVR_RMTCMD
    Verifying connection to database service...Success! using port number 9471 -> QIBM_OS400_QZBS_SVR_DATABASE
    Verifying connection to data queues service...Success! using port number 9472 -> QIBM_OS400_QZBS_SVR_DTAQ
    Verifying connection to file service...Success! using port number 9473 -> QIBM_OS400_QZBS_SVR_FILE
    Verifying connection to print service...Success! using port number 9474 -> QIBM_OS400_QZBS_SVR_NETPRT
    Verifying connection to signon service...Success! using port number 9476 -> QIBM_OS400_QZBS_SVR_SIGNON
    Verifying connection to Telnet service...Success! using port number 992 -> QIBM_QTV_TELNET_SERVER
    Verifying connection to Secure Shell (SSH) service...Success! using port number 22
     
     
    Which DCM service pertains to
    Verifying connection to record-level access service...Failed: MSGGEN004 - An unexpected end of the file or stream has been encountered. (SSL peer shut down incorrectly) using port number 448
    Verifying connection to Navigator for i service...Failed: MSGSSL001 - An error was encountered during a secure socket operation. (Unsupported or unrecognized SSL message) using port number 2002
     
    If I run this verification screen with SSL turned off I pass fine.


    ------------------------------
    Robert Berendt IBMChampion
    ------------------------------


  • 2.  RE: Assigning certificates via DCM for various IBM i Access Client Solutions services

    IBM Champion
    Posted Tue September 26, 2023 10:38 AM

    I resolved this error:

    Verifying connection to record-level access service...Failed: MSGGEN004 - An unexpected end of the file or stream has been encountered. (SSL peer shut down incorrectly) using port number 448

    I had to apply the cert to:

    QIBM_OS400_QRW_SVR_DDM_DRDA
    IBM i DDM/DRDA Server - TCP/IP
    Server



    ------------------------------
    Robert Berendt IBMChampion
    ------------------------------



  • 3.  RE: Assigning certificates via DCM for various IBM i Access Client Solutions services

    IBM Champion
    Posted Tue September 26, 2023 10:45 AM

    I resolved this error:

    Verifying connection to Navigator for i service...Failed: MSGSSL001 - An error was encountered during a secure socket operation. (Unsupported or unrecognized SSL message) using port number 2002

    by following the steps at:

    https://www.ibm.com/support/pages/node/667835



    ------------------------------
    Robert Berendt IBMChampion
    ------------------------------



  • 4.  RE: Assigning certificates via DCM for various IBM i Access Client Solutions services

    IBM Champion
    Posted Tue September 26, 2023 10:47 AM

    By following the previous resolutions, and by completely restarting iACS, I can now do the connection verify and pass with flying colors.



    ------------------------------
    Robert Berendt IBMChampion
    ------------------------------



  • 5.  RE: Assigning certificates via DCM for various IBM i Access Client Solutions services

    IBM Champion
    Posted Tue September 26, 2023 10:26 PM

    Dear Robert

    Did you assign the same client/server certificate to these IBM i services that you want?  If so, I found out long ago that just putting a root certificate into *SYSTEM store is enough.  All IBM i services seem to use it by default. Navigator for i is not a service in there, so you still need to take the action as you did from the Technote.



    ------------------------------
    Chance favors only the prepared mind.
    -- Louis Pasteur
    ------------------------------
    Satid S.
    ------------------------------



  • 6.  RE: Assigning certificates via DCM for various IBM i Access Client Solutions services

    IBM Champion
    Posted Wed September 27, 2023 08:02 AM

    What does "putting a root certificate into *SYSTEM store" mean?



    ------------------------------
    Robert Berendt IBMChampion
    ------------------------------



  • 7.  RE: Assigning certificates via DCM for various IBM i Access Client Solutions services

    IBM Champion
    Posted Wed September 27, 2023 09:07 AM
    Edited by Satid Singkorapoom Wed September 27, 2023 09:14 AM

    If you use a root certificate from another computer system or party, you import it into *SYSTEM store.  If you create a self-signed certificate in IBM i Local CA store of the server that runs those services, you create a client/server certificate into *SYSTEM store based on the root one from Local CA store.  And then you specify it as the default certificate. Thereafter, all IBM i services with no explicit assignment of any certificate will use this default one.



    ------------------------------
    Chance favors only the prepared mind.
    -- Louis Pasteur
    ------------------------------
    Satid S.
    ------------------------------



  • 8.  RE: Assigning certificates via DCM for various IBM i Access Client Solutions services

    IBM Champion
    Posted Wed September 27, 2023 10:19 AM

    I am using a cert from Digicert.  If I do not "assign" it to each service necessary then that verification screen fails.



    ------------------------------
    Robert Berendt IBMChampion
    ------------------------------



  • 9.  RE: Assigning certificates via DCM for various IBM i Access Client Solutions services

    IBM Champion
    Posted Wed September 27, 2023 09:43 PM

    If you cannot see an option "Set AS Default" for that Digicert certificate (click + sign for that certificate you see in IBM i DCM), then it is a root certificate.  But if it comes as an intermediate certificate (called client/server certificate in IBM i DCM), you will see this alternative way of setting it as a default one to avoid repetitive assignment to multiple services of your interest.  



    ------------------------------
    Chance favors only the prepared mind.
    -- Louis Pasteur
    ------------------------------
    Satid S.
    ------------------------------



  • 10.  RE: Assigning certificates via DCM for various IBM i Access Client Solutions services

    IBM Champion
    Posted Thu September 28, 2023 07:11 AM

    Ok.  I notice the Set as Default now.

    Thank you.



    ------------------------------
    Robert Berendt IBMChampion
    ------------------------------