IBM Support

How To Disable TLS for the ADMIN HTTP Server and ADMIN1, ADMIN2, and ADMIN3 Application Servers

Troubleshooting


Problem

This document describes how to manually disable TLS communications and enable HTTP-only communications for the ADMIN HTTP Server and the ADMIN1, ADMIN2 and ADMIN3 Application Servers. Use this procedure when the server is failing with an 'HTP8351 - Secure Sockets session failed to initialize successfully' error.

Symptom

None of the ADMIN server jobs stay active in the QHTTPSVR subsystem, or connection issues are experienced when accessing ports 2010/2003/2007. When reviewing the ADMIN job log, the following message might be logged.
 
HTP8351 Diagnostic 10 QZSRAPR QHTTPSVR *STMT QZSRVSSL QHTTPSVR *STMT
From module . . . . . . . . : QZSRSNDM
From procedure . . . . . . : sendMessageToJobLog_CCSID
Statement . . . . . . . . . : 27
To module . . . . . . . . . : MOD_SSL
To procedure . . . . . . . : ssl_initializer
Statement . . . . . . . . . : 187
Message . . . . : Secure Sockets session failed to initialize successfully.
Cause . . . . . : Secure Sockets failed to initialize successfully.


When connecting to the URLs, 'https://<server>:2010', 'https://<server>:2003/Navigator', 'https://<server>:2005/IDSWebApp' or 'https://<server>:2007/dcm' you might experience a "Secure Connection Failed" error in your browser.
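
To find this symptom across saved job logs, the following added example (not part of the IBM document) parses message entries in the layout of the excerpt above and returns the HTP8351 entries. It assumes the job log has been saved as plain text in that layout; the function names are illustrative.

```python
import re

# Constructed sample: the job log excerpt shown above, assumed saved as text.
SAMPLE_JOBLOG = """\
HTP8351 Diagnostic 10 QZSRAPR QHTTPSVR *STMT QZSRVSSL QHTTPSVR *STMT
From module . . . . . . . . : QZSRSNDM
From procedure . . . . . . : sendMessageToJobLog_CCSID
Statement . . . . . . . . . : 27
To module . . . . . . . . . : MOD_SSL
To procedure . . . . . . . : ssl_initializer
Statement . . . . . . . . . : 187
Message . . . . : Secure Sockets session failed to initialize successfully.
Cause . . . . . : Secure Sockets failed to initialize successfully.
"""

# Entry header: 7-character message ID, message type, severity.
HEADER = re.compile(r"^\s*([A-Z][A-Z0-9]{2}[0-9A-F]{4})\s+(\w+)\s+(\d{1,2})\b")
# Detail line: label, dot leaders, colon, value.
DETAIL = re.compile(r"^\s*([A-Za-z ]+?)\s*(?:\. ?)+:\s*(.*)$")


def parse_joblog(text):
    """Return one dict per message entry found in the job log text."""
    messages, current, side = [], None, ""
    for line in text.splitlines():
        head = HEADER.match(line)
        if head:
            current = {"id": head.group(1), "type": head.group(2),
                       "severity": int(head.group(3))}
            messages.append(current)
            side = ""
            continue
        detail = DETAIL.match(line)
        if detail and current is not None:
            label, value = detail.group(1).strip(), detail.group(2).strip()
            if label.startswith(("From ", "To ")):
                side = label.split()[0]      # remember which side we are on
            elif label == "Statement" and side:
                label = f"{side} statement"  # "Statement" appears once per side
            current[label] = value
    return messages


def tls_init_failures(text):
    """Entries showing that Secure Sockets (TLS) initialization failed."""
    return [m for m in parse_joblog(text) if m["id"] == "HTP8351"]


if __name__ == "__main__":
    for msg in tls_init_failures(SAMPLE_JOBLOG):
        print(msg["id"], msg["To module"], msg["To procedure"], msg["Message"])
```
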

Cause

The TLS certificate assigned to the ADMIN application ID in the Digital Certificate Manager for i (DCM) *SYSTEM store has expired or there is something wrong with the ADMIN server's TLS configuration.

Environment

IBM i OS

Resolving The Problem

IBM recommends manually disabling the TLS configuration for the ADMIN HTTP Server, ADMIN1, ADMIN2 and ADMIN3 application servers; then restarting the ADMIN server so that the ADMIN Server's TLS configuration can be re-enabled. Please follow the instructions below on how to do this.
 
1) Manually edit the ADMIN HTTP Server configuration file to remove the TLS configuration.
 
a) WRKLNK '/QIBM/UserData/HTTPA/admin/conf/admin-cust.conf'
b) Option 2 to edit
c) Delete the contents of this file.  You can enter a "D" under the CMD column and press ENTER to delete a line.
d) Press F3 twice to save and exit.
 
2) Start the ADMIN Server.

STRTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN)

Wait for all of the ADMIN server jobs to start and for CPU utilization to go down to 0%. Use the following command to view this:

WRKACTJOB SBS(QHTTPSVR)

3) Open the IBM Web Administration for i console in a web browser via the URL, http://<server>:2001/HTTPAdmin

- Sign in with an IBM i user profile with *ALLOBJ and *IOSYSCFG special authorities.
 
4) Click Manage -> Application Servers -> select "Admin1 - V8.5 (int app svr)" from the list of servers.
Once the page refreshes, click the "Disable TLS" link under "Application Server Wizards" on the left menu.

 
5) On Step 1 of 4, click the Next button.
Check the box next to the TLS port you want to disable, typically this will be port 2003.  Specify port 2002 as the HTTP port.  Then, click the Next button.


Accept the default selection and click the Next button when prompted to restart the server.
Click the Finish button to complete the Disable TLS wizard.

6) Click Manage -> Application Servers -> select "Admin2 - V8.5 (int app svr)" from the list of servers.
Once the page refreshes, click the "Disable TLS" link under "Application Server Wizards" on the left menu.

7) On Step 1 of 4, click the Next button.
Check the box next to the TLS port you want to disable, typically this will be port 2005.  Then, click the Next button.
Accept the default selection and click the Next button when prompted to restart the server.
Click the Finish button to complete the Disable TLS wizard.

8) Click Manage -> Application Servers -> select "Admin3 - V8.5 (int app svr)" from the list of servers.
Once the page refreshes, click the "Disable TLS" link under "Application Server Wizards" on the left menu.

9) On Step 1 of 4, click the Next button.
Check the box next to the TLS port you want to disable, typically this will be port 2007.  Then, click the Next button.

10) Clean up the old QIBM_HTTP_SERVER_ADMINx application IDs and certificates in the Digital Certificate Manager (DCM) application.
a) Open the DCM web application by opening the URL, http://<server>:2001/dcm, in your web browser.
b) Sign in with an IBM i user profile with *SECADM, *ALLOBJ, and *IOSYSCFG special authorities.
c) Click the "Open Certificate Store" button on the left.
d) Click the *SYSTEM button.
e) Enter your password and click 'Open'.
f) Click 'Manage Application Definitions' near the top.
g) In the 'Search' box above the list of application definition tiles, type QIBM_HTTP_SERVER_ADMIN. This will filter the list to show all of the ADMIN-related application IDs.
h) Delete each application ID shown by clicking the + on the bottom-right of each tile, then click 'Delete'. You will be prompted to confirm the delete, click 'Yes'.
i) Click 'Manage Certificates' near the top of the screen.
j) In the 'Search' box above the list of 'Server/Client Certificate' tiles, type QIBM_HTTP_SERVER_ADMIN. This will filter the list to show all of the ADMIN-related certificates.
k) They can be deleted by clicking the + in the bottom-right corner of the tile and clicking 'Delete'.  Then, click the Yes link to confirm the deletion.

11) Restart the ADMIN Server.

ENDTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN)

WRKACTJOB SBS(QHTTPSVR)
Wait for all of the ADMIN jobs to end.

STRTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN)

Wait for all of the ADMIN server jobs to start and for CPU utilization to go down to 0%. Use the following command to view this:

WRKACTJOB SBS(QHTTPSVR)
 
12) OPTIONAL:  Re-configure the ADMIN server for TLS using the instructions in the URLs below.

- The ADMIN HTTP Apache server will need to be configured for SSL and listening on port 2010:
NOTE:  After finishing the "Configure SSL for ADMIN" wizard, you can log in to DCM and assign your own custom certificate to the QIBM_HTTP_SERVER_ADMIN application ID using Fast Path -> Work with server and client certificates -> Select your certificate and click Assign to applications.  Finally, select your QIBM_HTTP_SERVER_ADMIN app ID and click the Replace button.

- The ADMIN1 and ADMIN3 server jobs will need to be configured for TLS:
ADMIN1:
ADMIN2:
ADMIN3:


Document Information

Modified date:
20 December 2023

UID

nas8N1022157