Troubleshooting SSL
This very basic troubleshooting information is intended to help you reduce the list of possible problems that the IBM® i platform can encounter with SSL.
It is important to understand that this is not a comprehensive source for troubleshooting information, but rather a guide to aid in common problem resolution.
Verify that the following statements are true:
- You have met the prerequisites for SSL on the IBM i platform.
- Your certificate authority and certificates are valid and have not expired.
If you have verified that the previous statements are true for
your system and you still have an SSL-related problem, try the following
options:
- The SSL error code in the server job log can be cross referenced
in an error table to find more information about the error. For example,
this table maps the
-93
that might be seen in a server job log to the constantSSL_ERROR_SSL_NOT_AVAILABLE
.- A negative return code (indicated by the dash before the code number) indicates that you are using an SSL_ API.
- A positive return code indicates that you are using a GSKit API.
Programmers can code the
gsk_strerror()or SSL_Strerror()
API in their programs to obtain a brief description of an error return code. Some applications make use of this API and print out a message to the job log containing this sentence.
- Additional information about the last certificate validation error on the current secure session can be retrieved by using the GSK_LAST_VALIDATION_ERROR attribute on gsk_attribute_get_numeric_value(). If gsk_secure_soc_init() or gsk_secure_soc_startInit() returned an error, this attribute might provide more error information.
- The following two header files contain the same constant names
for System SSL return codes as the table, but without the message
ID cross reference:
QSYSINC/H.GSKSSL
QSYSINC/H.QSOSSL