IBM i Global


Assigning certificates via DCM for various IBM i Access Client Solutions services

  • 1.  Assigning certificates via DCM for various IBM i Access Client Solutions services

    IBM Champion
    Posted Tue September 26, 2023 08:15 AM

    I am trying to apply a certificate to the various IBM i Access Client Solutions services. I do not want to just apply the cert to all services. When I turn on SSL for one LPAR I must be missing a few services as I am getting:

    I've got most of these figured out:

    Verifying connection to port mapper service...Success! using port number 449
    Verifying connection to central server service...Success! using port number 9470 -> QIBM_OS400_QZBS_SVR_CENTRAL
    Verifying connection to command service...Success! using port number 9475 -> QIBM_OS400_QZBS_SVR_RMTCMD
    Verifying connection to database service...Success! using port number 9471 -> QIBM_OS400_QZBS_SVR_DATABASE
    Verifying connection to data queues service...Success! using port number 9472 -> QIBM_OS400_QZBS_SVR_DTAQ
    Verifying connection to file service...Success! using port number 9473 -> QIBM_OS400_QZBS_SVR_FILE
    Verifying connection to print service...Success! using port number 9474 -> QIBM_OS400_QZBS_SVR_NETPRT
    Verifying connection to signon service...Success! using port number 9476 -> QIBM_OS400_QZBS_SVR_SIGNON
    Verifying connection to Telnet service...Success! using port number 992 -> QIBM_QTV_TELNET_SERVER
    Verifying connection to Secure Shell (SSH) service...Success! using port number 22
     
     
    Which DCM service pertains to
    Verifying connection to record-level access service...Failed: MSGGEN004 - An unexpected end of the file or stream has been encountered. (SSL peer shut down incorrectly) using port number 448
    Verifying connection to Navigator for i service...Failed: MSGSSL001 - An error was encountered during a secure socket operation. (Unsupported or unrecognized SSL message) using port number 2002
     
    If I run this verification screen with SSL turned off, I pass fine.


    ------------------------------
    Robert Berendt IBMChampion
    ------------------------------


  • 2.  RE: Assigning certificates via DCM for various IBM i Access Client Solutions services

    IBM Champion
    Posted Tue September 26, 2023 10:38 AM

    I resolved this error:

    Verifying connection to record-level access service...Failed: MSGGEN004 - An unexpected end of the file or stream has been encountered. (SSL peer shut down incorrectly) using port number 448

    I had to apply the cert to:

    QIBM_OS400_QRW_SVR_DDM_DRDA
    IBM i DDM/DRDA Server - TCP/IP
    Server



    ------------------------------
    Robert Berendt IBMChampion
    ------------------------------



  • 3.  RE: Assigning certificates via DCM for various IBM i Access Client Solutions services

    IBM Champion
    Posted Tue September 26, 2023 10:45 AM

    I resolved this error:

    Verifying connection to Navigator for i service...Failed: MSGSSL001 - An error was encountered during a secure socket operation. (Unsupported or unrecognized SSL message) using port number 2002

    by following the steps at:

    https://www.ibm.com/support/pages/node/667835



    ------------------------------
    Robert Berendt IBMChampion
    ------------------------------



  • 4.  RE: Assigning certificates via DCM for various IBM i Access Client Solutions services

    IBM Champion
    Posted Tue September 26, 2023 10:47 AM

    By following the previous resolutions, and by completely restarting iACS, I can now do the connection verify and pass with flying colors.



    ------------------------------
    Robert Berendt IBMChampion
    ------------------------------
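
The triage done by hand in posts 1 to 3, as an added example that is not part of the original thread: it parses iACS verify-connection output and, for each failed service, names the DCM application ID to assign the certificate to. The port-to-application mapping is taken from the poster's own annotations above; the function name `triage` and the sample text (built from lines in post 1) are assumptions of this example.

```python
import re

# Port -> DCM application ID, as annotated in posts 1 and 2 of this thread.
DCM_APP_BY_PORT = {
    9470: "QIBM_OS400_QZBS_SVR_CENTRAL",
    9475: "QIBM_OS400_QZBS_SVR_RMTCMD",
    9471: "QIBM_OS400_QZBS_SVR_DATABASE",
    9472: "QIBM_OS400_QZBS_SVR_DTAQ",
    9473: "QIBM_OS400_QZBS_SVR_FILE",
    9474: "QIBM_OS400_QZBS_SVR_NETPRT",
    9476: "QIBM_OS400_QZBS_SVR_SIGNON",
    992: "QIBM_QTV_TELNET_SERVER",
    448: "QIBM_OS400_QRW_SVR_DDM_DRDA",
}
# Port 2002 (Navigator for i) was resolved through the technote cited in post 3.
TECHNOTE_BY_PORT = {2002: "https://www.ibm.com/support/pages/node/667835"}

LINE = re.compile(
    r"Verifying connection to (?P<svc>.+?) service\.\.\."
    r"(?P<status>Success!|Failed: (?P<msg>\S+) - .*?)"
    r"\s*using port number (?P<port>\d+)"
)

def triage(output):
    """Return (service, port, message id, action) for each failed service."""
    findings = []
    for line in output.splitlines():
        m = LINE.search(line)
        if not m or m["status"] == "Success!":
            continue  # not a verification line, or the TLS handshake succeeded
        port = int(m["port"])
        if port in DCM_APP_BY_PORT:
            action = "assign certificate in DCM to " + DCM_APP_BY_PORT[port]
        elif port in TECHNOTE_BY_PORT:
            action = "follow technote " + TECHNOTE_BY_PORT[port]
        else:
            action = "no mapping for this port in the thread"
        findings.append((m["svc"], port, m["msg"], action))
    return findings

# Sample input assembled from the output quoted in post 1.
SAMPLE = """\
Verifying connection to signon service...Success! using port number 9476
Verifying connection to record-level access service...Failed: MSGGEN004 - An unexpected end of the file or stream has been encountered. (SSL peer shut down incorrectly) using port number 448
Verifying connection to Navigator for i service...Failed: MSGSSL001 - An error was encountered during a secure socket operation. (Unsupported or unrecognized SSL message) using port number 2002
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```
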



  • 5.  RE: Assigning certificates via DCM for various IBM i Access Client Solutions services

    IBM Champion
    Posted Tue September 26, 2023 10:26 PM

    Dear Robert

    Did you assign the same client/server certificate to these IBM i services that you want? If so, I found out long ago that just putting a root certificate into *SYSTEM store is enough. All IBM i services seem to use it by default. Navigator for i is not a service in there, so you still need to take the action as you did from the Technote.



    ------------------------------
    Chance favors only the prepared mind.
    -- Louis Pasteur
    ------------------------------
    Satid S.
    ------------------------------



  • 6.  RE: Assigning certificates via DCM for various IBM i Access Client Solutions services

    IBM Champion
    Posted Wed September 27, 2023 08:02 AM

    What does "putting a root certificate into *SYSTEM store" mean?



    ------------------------------
    Robert Berendt IBMChampion
    ------------------------------



  • 7.  RE: Assigning certificates via DCM for various IBM i Access Client Solutions services

    IBM Champion
    Posted Wed September 27, 2023 09:07 AM
    Edited by Satid Singkorapoom Wed September 27, 2023 09:14 AM

    If you use a root certificate from another computer system or party, you import it into *SYSTEM store. If you create a self-signed certificate in IBM i Local CA store of the server that runs those services, you create a client/server certificate into *SYSTEM store based on the root one from Local CA store. And then you specify it as the default certificate. Thereafter, all IBM i services with no explicit assignment of any certificate will use this default one.



    ------------------------------
    Chance favors only the prepared mind.
    -- Louis Pasteur
    ------------------------------
    Satid S.
    ------------------------------



  • 8.  RE: Assigning certificates via DCM for various IBM i Access Client Solutions services

    IBM Champion
    Posted Wed September 27, 2023 10:19 AM