Troubleshooting HTTP Server for IBM i problems

Use the following table to help you troubleshoot HTTP Server problems you may encounter while working with Digital Certificate Manager (DCM).

Problem Possible Solution
Problem: Hypertext Transfer Protocol Secure (HTTPS) does not work.
Possible solution: Be sure the HTTP Server is configured correctly for using TLS. The configuration file must have SSLAppName set by using the HTTP Server Administration interface. Also, the configuration must have a virtual host configured that uses the TLS port, with SSL set to Enabled for the virtual host. There must also be two Listen directives specifying two different ports, one for TLS and the other not for TLS. These are set on the General Settings page. Be sure the server instance is created and the server certificate is signed.
Problem: The process for registering an HTTP Server instance as a secure application needs clarification.
Possible solution: On your system, go to the HTTP Server Administration interface to set the configuration for your HTTP Server. You first must define a virtual host to enable TLS. After you define a virtual host, you must specify that the virtual host use the TLS port defined previously on the Listen directive (on the General Settings page). Next, you must use the SSL with Certificate Authentication page under Security to enable TLS in the previously configured virtual host. All changes must be applied to the configuration file. Note that registering your instance does not automatically choose which certificates the instance will use. You must use DCM to assign a specific certificate to your application before you try to end and then restart your server instance.
Problem: You are having difficulty setting up the HTTP Server for validation lists and optional client authentication.
Possible solution: See the IBM® HTTP Server for i5/OS documentation for options on setting up the instance.
Problem: You are trying to get the browser to present the X.509 certificate to the HTTP Server so that you can use the certificate as input to the QsyAddVldlCertificate API.
Possible solution: You must use SSLEnable and SSLClientAuth ON in order to get the HTTP Server to load the HTTPS_CLIENT_CERTIFICATE environment variable. You can locate information about these APIs with the API finder topic in the IBM i Information Center. You may also want to look at these validation list or certificate-related APIs:
  • QsyListVldlCertificates and QSYLSTVC
  • QsyRemoveVldlCertificate and QSYRMVVC
  • QsyCheckVldlCertificate and QSYCHKVC
  • QsyParseCertificate and QSYPARSC, and so on.
Problem: The HTTP Server takes too long to return, or times out if you request a list of the certificates in the validation list and there are more than 10,000 items.
Possible solution: Create a batch job that looks for and deletes certificates matching certain criteria, such as all those that have expired or are from a certain CA.
Problem: The HTTP Server will not start successfully with SSL set to Enabled, and error message HTP8351 appears in the job log. The error log for the HTTP Server shows an error that TLS Initialization operation failed with a return code error of 107 when the HTTP Server fails.
Possible solution: Error 107 means the certificate has expired. Use DCM to assign a different certificate to the application; for example, QIBM_HTTP_SERVER_MY_SERVER.
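
The configuration requirements listed for the "HTTPS does not work" problem can be checked mechanically against a copy of the configuration file. The following Python sketch is an added example, not IBM code: the sample configuration and the application ID QIBM_HTTP_SERVER_EXAMPLE are constructed, and accepting `SSLEngine` as well as `SSLEnable` for "SSL set to Enabled" is an assumption about how the setting appears in the file.

```python
import re
# Constructed sample configuration; the application ID is a placeholder.
SAMPLE_CONF = """\
Listen *:80
Listen *:443
SSLAppName QIBM_HTTP_SERVER_EXAMPLE
<VirtualHost *:443>
    SSLEnable
</VirtualHost>
"""

def port_of(addr):  # port part of 'host:port', '*:port' or a bare 'port'
    return addr.rsplit(":", 1)[-1]

def check_tls_config(text):
    """Return a list of findings; an empty list means the checklist passes."""
    listen_ports, has_app_name, vhosts, current = set(), False, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            current = {"ports": {port_of(a) for a in opened.group(1).split()}, "tls": False}
            vhosts.append(current)
        elif line.lower() == "</virtualhost>":
            current = None
        else:
            name, *args = line.lower().split()
            if name == "listen" and args:
                listen_ports.add(port_of(args[0]))
            elif name == "sslappname" and args:
                has_app_name = True
            # Assumption: SSL Enabled shows up as SSLEnable or SSLEngine (not Off).
            elif current is not None and (name == "sslenable" or
                    (name == "sslengine" and args and args[0] != "off")):
                current["tls"] = True
    tls_ports = set().union(*(v["ports"] for v in vhosts if v["tls"]))
    findings = []
    if not has_app_name:
        findings.append("SSLAppName is not set")
    if len(listen_ports) < 2:
        findings.append("fewer than two distinct Listen ports")
    if not tls_ports:
        findings.append("no virtual host has SSL enabled")
    elif not tls_ports & listen_ports:
        findings.append("TLS virtual host port has no matching Listen directive")
    elif not listen_ports - tls_ports:
        findings.append("no Listen port is left for non-TLS traffic")
    return findings
```

A clean result covers only the configuration file; whether a signed, unexpired certificate is assigned to the application ID still has to be confirmed in DCM.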