Troubleshooting
Problem
The V7R1 and later versions of QMGTOOLS include a utility called GETSSL. This tool allows you to connect to a remote SSL/TLS server and retrieve all the Certificate Authority certificates in the SSL/TLS chain. Each certificate is stored in a separate file, which can then be imported into Digital Certificate Manager, or any other keystore.
Resolving The Problem
To obtain this tool, you can download the QMGTOOLS library for your IBM i OS VRM using the following Web site:
http://www.ibm.com/support/docview.wss?uid=nas8N1011297
Note: The Install Notes at the above Web page contain the installation instructions for QMGTOOLS.
Note: Before running any tool in QMGTOOLS, make certain you have the current version of the tool by following the steps in http://www.ibm.com/support/docview.wss?uid=nas8N1020468. (If you just downloaded the tool, this can be ignored, as you will automatically get the most current version from the download.)
Note: The GETSSL utility also requires OpenSSL. OpenSSL is installed with IBM Portable Utilities for i 5733SC1.
After the tools library is installed, the tool can be accessed by the following steps:
1. On the IBM i command line, either enter QMGTOOLS/GETSSL, or access the tool from the main MGTOOLS menu: GO QMGTOOLS/MG, select Option 7 for CTA-EWS, then select Option 1 for DCM/SSL, and then Option 1 to Retrieve SSL Certificate.
2. Enter the IP address or host name of the SSL/TLS server and the Port number to connect with. If the connection is directly to the secure port of the application, Start TLS should be N. If the connection is to the non-secure port, and SSL/TLS must be initiated by application subcommand, then Start TLS should be Y. Press Enter to run the tool:
3. The tool will connect to the remote system and download each Certificate Authority (CA) passed during the SSL/TLS handshake. It will then take you to the directory and show you the resulting file:
Each file will end in .cer and can then be easily imported into Digital Certificate Manager using the instructions found in the following documentation:
Optionally, you can import the CA certificate directly into DCM with the command
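The retrieval described in the steps above can be approximated with the OpenSSL command line on any system that has a POSIX shell. This is an added example, not IBM's GETSSL code; the function names, the chain-N.cer file naming and the sample transcript are assumptions made for illustration.

```shell
# Added example, not GETSSL's own code. Function names, the chain-N.cer file
# naming and the sample transcript are assumptions made for illustration.

# Print the handshake transcript with every certificate the server sends.
# $3 (optional) names a STARTTLS protocol such as smtp: the "Start TLS = Y" case.
fetch_chain() {
    openssl s_client -connect "$1:$2" ${3:+-starttls "$3"} -showcerts </dev/null 2>/dev/null
}

# Read a transcript on stdin and write each complete PEM block to
# $1/chain-N.cer (N = 0 is the server's own certificate, higher N are CAs).
# A block cut off before its END line is dropped. Echoes the file count.
split_chain() {
    mkdir -p "$1" || return 1
    awk -v dir="$1" '
        BEGIN { n = 0 }
        /^-----BEGIN CERTIFICATE-----/ { buf = ""; inside = 1 }
        inside { buf = buf $0 "\n" }
        /^-----END CERTIFICATE-----/ && inside {
            file = dir "/chain-" n ".cer"
            printf "%s", buf > file
            close(file); n++; inside = 0
        }
        END { print n }'
}

# Subject, issuer and SHA-256 fingerprint: compare the fingerprint with a value
# obtained from the CA through another channel before importing the file.
describe_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -fingerprint -sha256
}

# Constructed transcript (placeholder bodies, not real certificates).
sample_transcript() {
    cat <<'EOF'
Certificate chain
 0 s:CN = server.example
-----BEGIN CERTIFICATE-----
PLACEHOLDER-LEAF
-----END CERTIFICATE-----
 1 s:CN = Example Issuing CA
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
PLACEHOLDER-TRUNCATED
EOF
}
```

Against a live server the pieces combine as `fetch_chain host port | split_chain ./certs`, followed by `describe_cert` on each file that is a candidate for import.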
Historical Number
654853841
Document Information
Modified date:
16 August 2022
UID
nas8N1010617