IBM Support




Incorporated into the V7R1 and above version of QMGTOOLS is a utility called GETSSL. This tool allows you to connect to a remote SSL/TLS server and retrieve all the Certificate Authority certificates in the SSL/TLS chain. Each certificate is stored in a separate file, which can then be imported into Digital Certificate Manager, or any other keystore.

Resolving The Problem

To obtain this tool, you can download the QMGTOOLS library for your IBM i OS VRM using the following Web site:

Note: The Install Notes at the above Web page contain the installation instructions for QMGTOOLS.
Note: Before running any tool in QMGTOOLS, make certain you have the current version of the tool by following the steps in : (If you just downloaded the tool, this can be ignored, as you will automatically get the most current version from the download)
Note: The GETSSL utility also requires OpenSSL.  OpenSSL is installed with IBM Portable Utilities for i 5733SC1. 

After the tools library is installed, the tool can be accessed by the following steps:
1. On the IBM i command line, either enter QMGTOOLS/GETSSL, or the tool can be accessed using the main MGTOOLS menu: GO QMGTOOLS/MG, select Option 7 for CTA-EWS , and then select Option 1 for DCM/SSL , and then option 1 to Retrieve SSL Certificate.
2. Enter the IP address or host name of the SSL/TLS server and the Port number to connect with. If the connection is directly to the secure port of the application, Start TLS should be N. If the connection is to the non-secure port, and SSL/TLS must be initiated by application subcommand, then Start TLS should be Y. Press Enter to run the tool:

This is a screen shot of the GETSSL parameters.
The tool will connect to the remote system and download each Certificate Authority (CA) passed during the SSL/TLS handshake. It will then take you to the directory and show you the resulting file:

This is a screen shot of the resulting stream files.

Each file will end in .cer and can then be easily imported into Digital Certificate Manager using the instructions found in Rochester Support Center Knowledgebase document New, How to Import a CA Certificate into Digital Certificate Manager:
Optionally you can import the CA certificate directly into DCM with the command
image 8771

[{"Type":"MASTER","Line of Business":{"code":"LOB57","label":"Power"},"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SWG60","label":"IBM i"},"Platform":[{"code":"PF012","label":"IBM i"}],"Version":"7.1.0"}]

Historical Number


Document Information

Modified date:
21 December 2021