IBM Support

X509 Signed Files Using OPENSSL

Troubleshooting


Problem

This document provides the process to follow if you are using FTPS over X509 and you need to sign the files using OPENSSL.

Resolving The Problem

If you are using FTPS over X509 and you need to sign the files using OPENSSL, you should use the following process:

1. Make a connection to the digital certificate manager: http://system-name:2001/
2. Select Digital Certificate Manager - Create, distribute, and manage Digital Certificates.
3. Click Select A Certificate Store, and select System Store.
4. Select Fastpath from the left window.
5. Select Work with Server and Client Certificates.
6. Select the certificate you will use to sign the file, and click Export.
7. Select Export to a File, and click Continue.
8. Enter the fully qualified path and file name to which you want to export the certificate, and specify an encryption password for the file, for instance:

/home/users_name/keystore.pfx

You must use the .pfx extension.
9. Now call qp2term to enter the PASE environment. The command pwd should show that you are in the /home/users_name directory set as the home directory in your user profile. The command ls -al should list the keystore.pfx file.
10. Issue the following command:

openssl pkcs12 -in keystore.pfx -out keystore.pem -nodes

This generates the keystore.pem file, which contains the certificates and the RSA key. When you run this command, you are asked for the password you supplied when you exported the certificate.
11. From an i5 command line, run WRKLNK '/home/users_name' and press Enter. Type 5 to display the directory, then type 2 to edit keystore.pem. You need to delete the certificate whose localKeyID does not match that of the RSA key at the bottom of the file; usually this is the first one. Delete from its Bag Attributes line through the first -----END CERTIFICATE----- line you come to. Press F3 to save and exit.
12. Now run the following command:

openssl smime -sign -text -in /path/file_name_to_sign.txt -out /path/signed_file_name.signed -signer keystore.pem

This will create the signed file you will transfer. If this needs to be in a base64 format, you can run the following command:

openssl base64 -in /path/signed_file_name.signed -out /path/filename.txt
13. To verify the signed file, issue the following command:

openssl smime -verify -in /path/signed_file_name.signed -noverify -certfile keystore.pem
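The manual edit of keystore.pem in step 11 can be scripted in the PASE shell. The following is an added example, not part of the IBM technote: it assumes the text layout that openssl pkcs12 -nodes writes (each bag starts at a Bag Attributes line and ends at the next -----END line) and uses a constructed sample file in place of a real export.

```shell
# Added example, not from the IBM technote: automates the manual edit in step 11
# by keeping only the certificate bag whose localKeyID matches the private key's
# in a PEM written by "openssl pkcs12 ... -nodes". Assumes that layout: every bag
# starts at a line beginning "Bag Attributes" and ends at an "-----END ...-----".

# filter_keystore SRC DST: copy the key bag and its matching cert bag to DST.
filter_keystore() {
    src="$1"; dst="$2"
    # Pass 1: the localKeyID recorded in the private key's own bag.
    key_id=$(awk '
        /^Bag Attributes/ { id = "" }
        /localKeyID:/     { sub(/.*localKeyID: */, ""); id = $0 }
        /^-----BEGIN .*PRIVATE KEY-----/ { print id; exit }
    ' "$src")
    [ -n "$key_id" ] || { echo "filter_keystore: no keyed private key in $src" >&2; return 1; }
    # Pass 2: buffer each bag and emit it only if its localKeyID equals the key's.
    awk -v want="$key_id" '
        /^Bag Attributes/ { buf = ""; id = ""; inbag = 1 }
        inbag { buf = buf $0 "\n" }
        inbag && /localKeyID:/ { l = $0; sub(/.*localKeyID: */, "", l); id = l }
        inbag && /^-----END / { if (id == want) printf "%s", buf; inbag = 0 }
    ' "$src" > "$dst"
}

# make_sample_keystore PATH: constructed input in the pkcs12 -nodes layout; the
# base64 bodies are placeholders, not real certificates or keys.
make_sample_keystore() {
    cat > "$1" <<'EOF'
Bag Attributes
    localKeyID: AA AA AA AA
subject=/CN=Not the signer
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtQ0VSVC1BLU5PVC1SRUFM
-----END CERTIFICATE-----
Bag Attributes
    localKeyID: BB BB BB BB
subject=/CN=Signer
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtQ0VSVC1CLU5PVC1SRUFM
-----END CERTIFICATE-----
Bag Attributes
    localKeyID: BB BB BB BB
-----BEGIN RSA PRIVATE KEY-----
Q09OU1RSVUNURUQtS0VZLU5PVC1SRUFM
-----END RSA PRIVATE KEY-----
EOF
}
```

Run filter_keystore keystore.pem keystore.filtered.pem on the real export and confirm the remaining certificate with openssl x509 -in keystore.filtered.pem -noout -subject before passing the file to -signer.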

Notes:

If, during this process, you receive the message unable to load 'random state', the random number generator has not been seeded with enough random data. The following commands should resolve this issue at R540:

call qp2term

followed by:

/QOpenSys/QIBM/ProdData/SC1/OpenSSH/openssh-3.5p1/libexec/prng > $HOME/.rnd

This presumes that the $HOME directory for this user exists ($HOME comes from the value in "Home directory" shown in DSPUSRPRF for the user running the command).

Historical Number

561410193

Document Information

More support for:
IBM i

Software version:
Version Independent

Operating system(s):
IBM i

Document number:
686535

Modified date:
18 December 2019

UID

nas8N1012278
