IBM Support

QMGTOOLS GETSSL Utility

Troubleshooting


Problem

GETSSL is a utility included in QMGTOOLS at V7R1 and above. It connects to a remote SSL/TLS server and retrieves all the Certificate Authority certificates in the SSL/TLS chain. Each certificate is stored in a separate file, which can then be imported into Digital Certificate Manager or any other keystore.

Resolving The Problem

To obtain this tool, you can download the QMGTOOLS library for your IBM i OS VRM using the following Web site:

http://www.ibm.com/support/docview.wss?uid=nas8N1011297

Note: The Install Notes at the above Web page contain the installation instructions for QMGTOOLS.
Note: Before running any tool in QMGTOOLS, make certain you have the current version of the tool by following the steps in: http://www.ibm.com/support/docview.wss?uid=nas8N1020468 (If you just downloaded the tool, this can be ignored, as you automatically get the most current version from the download.)
Note: The GETSSL utility also requires OpenSSL. OpenSSL is installed with IBM Portable Utilities for i 5733SC1.


After the tools library is installed, the tool can be accessed by the following steps:
1. On the IBM i command line, enter QMGTOOLS/GETSSL. Alternatively, access the tool from the main MGTOOLS menu: GO QMGTOOLS/MG, select Option 7 for CTA-EWS, then Option 1 for DCM/SSL, and then Option 1 to Retrieve SSL Certificate.
2. Enter the IP address or host name of the SSL/TLS server and the Port number to connect with. If the connection is directly to the secure port of the application, Start TLS should be N. If the connection is to the non-secure port, and SSL/TLS must be initiated by application subcommand, then Start TLS should be Y. Press Enter to run the tool:

This is a screen shot of the GETSSL parameters.
3. The tool will connect to the remote system and download each Certificate Authority (CA) passed during the SSL/TLS handshake. It will then take you to the directory and show you the resulting file:

This is a screen shot of the resulting stream files.

Each file will end in .cer and can then be easily imported into Digital Certificate Manager using the instructions found in the following documentation:
Optionally you can import the CA certificate directly into DCM with the command
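The retrieval in step 3 can be reproduced with the OpenSSL command line, which is useful for inspecting a chain before anything is imported. The following is an added example, not part of the IBM document and not GETSSL's own code; the function names, the chain-N.cer file naming and the host in the usage comment are assumptions. A server sends whatever chain it is configured with, so compare each fingerprint with a value obtained out of band before trusting the certificate in a keystore.

```shell
#!/bin/sh
# Added example; function and file names are hypothetical.

# fetch_chain HOST PORT [STARTTLS_PROTO]
# Prints the s_client transcript, including every certificate the server sends.
# Omit the third argument for a direct TLS port (Start TLS = N); pass a
# protocol such as smtp or ftp for a plaintext port (Start TLS = Y).
fetch_chain() {
    host=$1; port=$2; proto=${3:-}
    if [ -n "$proto" ]; then
        openssl s_client -connect "$host:$port" -servername "$host" \
            -starttls "$proto" -showcerts </dev/null 2>/dev/null
    else
        openssl s_client -connect "$host:$port" -servername "$host" \
            -showcerts </dev/null 2>/dev/null
    fi
}

# split_chain OUTDIR
# Reads an s_client transcript on stdin, writes each PEM block to
# OUTDIR/chain-N.cer and prints the number of certificates written.
# chain-0.cer is the server's own certificate; higher numbers are the
# CA certificates the server sent during the handshake.
split_chain() {
    outdir=$1
    mkdir -p "$outdir" || return 1
    awk -v dir="$outdir" '
        /^-----BEGIN CERTIFICATE-----/ {
            file = sprintf("%s/chain-%d.cer", dir, n++); inside = 1
        }
        inside { print > file }
        /^-----END CERTIFICATE-----/ { inside = 0; close(file) }
        END { print n + 0 }
    '
}

# fingerprint FILE
# Shows who the certificate is for, who issued it, and its SHA-256
# fingerprint, for comparison with a value obtained out of band.
fingerprint() {
    openssl x509 -in "$1" -noout -subject -issuer -fingerprint -sha256
}

# Usage (constructed host name):
#   fetch_chain host.example 443 | split_chain /tmp/chain
#   fingerprint /tmp/chain/chain-1.cer
```

A server is not required to send the root CA certificate, so the last file written may be an intermediate CA rather than the root.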


Historical Number

654853841

Document Information

Modified date:
16 August 2022

UID

nas8N1010617