All of the information contained within this document has been created for the sole purpose of providing an easy reference for the setup and configuration of Secure FTP for WIGGLE Wireless. Every attempt has been made to provide this information accurately as it pertains to IBM i5/OS Version 5.3. "Secure FTP" throughout this document means FTP over SSL/TLS as provided by the FTP server and client shipped with i5/OS, using a server certificate managed in Digital Certificate Manager (the test in section 2.1.9 uses the implicit mode on port 990); it is not the SSH-based SFTP protocol. For up-to-date information and potential changes, refer to the IBM iSeries Information Center at http://publib.boulder.ibm.com/infocenter/iseries/v5r3/index.jsp.
Confidential
69697753.doc2 Page 1
9/28/2011
Wiggle Wireless
Table of Contents
WIGGLE Wireless 1
Secure FTP for IBM i5/OS 1
Table of Contents 2
1.1 Introduction to Secure File Transfer (SFTP) 3
1.2 Planning and Prerequisites for Secure FTP on the IBM iSeries 3
1.2.1 Planning Suggestions 3
1.2.2 SSL Prerequisites 4
1.3 Digital Certificate Manager 6
1.4 Certificate Stores 7
1.4.1 Local Certificate Authority (CA) 7
1.4.2 *SYSTEM 7
1.4.3 *OBJECTSIGNING 7
1.4.4 Other System Certificate Store 8
2.1 Transferring files using secure FTP 9
2.1.2 Plan the configuration of the server certificate 10
2.1.3 Create the *SYSTEM Certificate Store 10
2.1.5 Obtaining a server certificate from a well-known CA - VeriSign 17
2.1.5.1 Create a system certificate request 17
2.1.6 Import the VeriSign certificate into the Certificate store 27
2.1.7 Configure the FTP client to trust the Certificate Authority 42
2.1.8 Configure the FTP server to listen for secure connections 47
2.1.9 Test the configuration 48
3.1 Renewing the Server Certificate 50
Additional material 61
Certificate store structure and locations 61
Cleaning up DCM 62
Migrating to New Hardware 62
Local CA Certificate Parameters 64
Server Certificate Parameters 65
Public Certificates versus Private Certificates 66
Troubleshooting 68
Troubleshooting ADMIN Server Problems 68
Troubleshooting - Problem Determination for FTP 69
FTP Problem Analysis 69
Documentation and Links 71
1.2 Planning and Prerequisites for Secure FTP on the IBM iSeries
When planning to enable SSL on an iSeries server, consider the following:
Planning suggestions
SSL prerequisites
label, you will not be able to add this certificate to that store because labels must be unique within a store (a duplicate key label error will occur). DCM has no function to change a certificate label; if you have a duplicate label problem, the only choice is to create a new certificate with a different label.
Decide on a distinct common name for each certificate. The common name is a required field when creating the certificate or the certificate request, and the value to use depends on the environment in which the application communicates. For a server application that communicates over the Internet, use the server's fully qualified domain name. Client software (a browser, or an FTP client that validates the server certificate) checks that this name matches the host name it connected to. If the common name does not match, the client can still validate the certificate's signature chain, but it cannot verify that the certificate belongs to the server it is talking to; it will typically warn the user of the discrepancy and ask whether to trust the certificate anyway. For the FTP server in this document the common name must therefore be the host name the FTP clients will actually use, which is why the planning table below takes it from CFGTCP option 12.
Ensure that you have a well-planned disaster recovery plan, including frequent and well-maintained backups of data. For digital certificates, back up the IFS directory /QIBM/UserData/ICSS and all of its subdirectories, as well as the certificates received from your certificate provider (such as VeriSign). This directory holds the certificate stores, their private keys and the stashed store passwords, so the backup media must be protected at least as carefully as the system itself. Maintain a table of certificate installation and expiration dates and make it easily accessible to those who maintain certificates. Although Digital Certificate Manager (DCM) can display a certificate's expiry information, there is currently no easy way to maintain certificate information centrally other than a user-maintained database.
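A small script for the expiry table the paragraph above asks for, added here as an example; it is not part of the original document or of DCM. It reads the certificate .txt files kept on the PC (the VeriSign certificates saved in the procedure below), decodes the PEM, walks the DER just far enough to read the validity dates, and returns the certificates sorted by expiry with a renewal flag. The SAMPLE certificates it builds are constructed, unsigned skeletons used only to exercise the parser; point report_directory() at your own folder for real data.

```python
"""Expiry table for the PEM certificate files kept on the PC. Added example, not part of the original
document or of DCM. Works on real X.509 PEM/DER files; the SAMPLE data at the bottom is constructed."""
import base64
import glob
import os
from datetime import datetime, timezone


def utc(year, month, day):
    """Aware UTC datetime, so report dates and certificate dates compare without time-zone surprises."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def _tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element that starts at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(body):
    """Yield (tag, value) for each element of a constructed DER value."""
    pos = 0
    while pos < len(body):
        tag, value, pos = _tlv(body, pos)
        yield tag, value


def _time(tag, value):
    """Decode an X.509 Time: UTCTime (0x17, YYMMDDHHMMSSZ, YY>=50 means 19YY) or GeneralizedTime (0x18)."""
    text = value.decode("ascii")
    if tag == 0x17:
        yy = int(text[:2])
        text = "%04d%s" % (1900 + yy if yy >= 50 else 2000 + yy, text[2:])
    elif tag != 0x18:
        raise ValueError("unexpected Time tag 0x%02x" % tag)
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def pem_to_der(pem_text):
    """Strip the BEGIN/END lines and base64-decode the body; validate=True rejects stray characters."""
    lines = [line.strip() for line in pem_text.splitlines()]
    return base64.b64decode("".join(l for l in lines if l and not l.startswith("-----")), validate=True)


def certificate_validity(der):
    """Walk Certificate -> tbsCertificate -> validity and return (notBefore, notAfter) as UTC datetimes."""
    tag, cert, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs, _ = _tlv(cert, 0)                           # tbsCertificate is the first element
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:                            # optional explicit [0] version comes first in v2/v3
        fields = fields[1:]
    validity_tag, validity = fields[3]                  # serialNumber, signature, issuer, validity, subject ...
    if validity_tag != 0x30:
        raise ValueError("validity is not a SEQUENCE")
    not_before, not_after = [_time(t, v) for t, v in _children(validity)]
    return not_before, not_after


def expiry_report(named_pems, now, warn_days=30):
    """named_pems: iterable of (label, pem_text). Returns (label, notAfter, days_left, status) rows, soonest first."""
    rows = []
    for label, pem in named_pems:
        _, not_after = certificate_validity(pem_to_der(pem))
        days = (not_after - now).days
        status = "EXPIRED" if days < 0 else "RENEW" if days <= warn_days else "ok"
        rows.append((label, not_after, days, status))
    return sorted(rows, key=lambda row: row[1])


def report_directory(path, now=None):
    """Report on every *.txt certificate file in a folder, the naming used in this procedure."""
    files = sorted(glob.glob(os.path.join(path, "*.txt")))
    return expiry_report([(os.path.basename(f), open(f).read()) for f in files], now or datetime.now(timezone.utc))


# --- constructed sample: an unsigned but structurally valid certificate skeleton, NOT a VeriSign certificate ---
def _der(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    length_bytes = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + body


def constructed_cert_pem(not_before, not_after):
    utctime = lambda d: _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    sig_alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")))   # sha256WithRSAEncryption OID
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + sig_alg + _der(0x30, b"")
               + _der(0x30, utctime(not_before) + utctime(not_after)) + _der(0x30, b"") + _der(0x30, b""))
    b64 = base64.b64encode(_der(0x30, tbs + sig_alg + _der(0x03, b"\x00"))).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


SAMPLE = [("aatcar51cer.txt", constructed_cert_pem(utc(2010, 10, 1), utc(2011, 10, 15))),
          ("waxlab01cer.txt", constructed_cert_pem(utc(2011, 1, 1), utc(2012, 1, 1)))]

if __name__ == "__main__":
    for label, not_after, days, status in expiry_report(SAMPLE, utc(2011, 9, 28)):   # the document's date
        print("%-18s expires %s  %4d days  %s" % (label, not_after.date(), days, status))
```

The parser deliberately reads only the outer structure of the certificate, so it does not verify the signature; it is a bookkeeping aid, not a validation tool. Run it from a scheduled task and feed the RENEW rows into the change request process described in section 2.1.5.1 so that the renewal in section 3.1 starts before the certificate expires.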
If you want to use SSL with iSeries Access for Windows components, you must also install the iSeries Client Encryption product, 5722-CE3 (128-bit). iSeries Access for Windows requires this product in order to establish the secure connection. Note: You do not need to install a Client Encryption product to use the PC5250 emulator shipped with the Personal Communications product; Personal Communications has its own built-in encryption code.
Before you can use any of its functions, you need to start Digital Certificate Manager (DCM). Complete these tasks to ensure that you can start DCM successfully:
1. Sign on with a profile that has the *SECADM and *ALLOBJ special authorities.
2. Install 5722-SS1 Option 34, Digital Certificate Manager (DCM).
3. Install 5722-DG1, the IBM HTTP Server for iSeries.
4. Install 5722-AC3, the cryptographic access provider that DCM uses to generate the public/private key pair for a certificate, to encrypt exported certificate files and to decrypt imported certificate files.
5. On the command line, type STRTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN).
6. Verify that the server started: type WRKSBSJOB QHTTPSVR and look for the ADMIN jobs.
1.4.2 *SYSTEM
DCM provides this certificate store for managing server or client certificates that applications use to participate in Secure Sockets Layer (SSL) communications sessions. IBM applications (and many other software developers' applications) are written to use certificates in the *SYSTEM certificate store only. When you use DCM to create a Local CA, DCM creates this certificate store as part of the process. When you choose to obtain certificates from a public CA, such as VeriSign, for your server or client applications to use, you must create this certificate store.
1.4.3 *OBJECTSIGNING
DCM provides this certificate store for managing certificates that you use to digitally sign objects. Also, the tasks in this certificate store allow you to create digital signatures on objects, as well as view and verify signatures on objects. When you use DCM to create a Local CA, DCM creates this certificate store as part of the process. When you choose to obtain certificates from a public CA, such as VeriSign, for signing objects, you must create this certificate store.
How-to
To configure the iSeries servers to connect using secure FTP, perform the following steps:
1. Plan the configuration of the server certificate on each system.
2. Create the *SYSTEM certificate store and the certificate signing request.
3. Import the certificate into the *SYSTEM certificate store.
4. Configure the server to listen for secure connections.
Planning values used in this procedure (the password is redacted in this document):
Key size: 1024
Certificate label: CW iSeries Cert
Certificate store password: XXXXXXXXXX (entered twice to confirm)
Common name: the fully qualified host name configured in CFGTCP option 12
Organization: WIGGLE
State: Georgia
Country: US
Note: 1024 bits was the RSA key size planned here in 2011 and is no longer considered adequate. Use 2048 bits or more if your release and your CA accept it (see the RSA key-size reference under Documentation and Links).
1. On the iSeries, run WRKACTJOB SBS(QHTTPSVR) or WRKSBSJOB QHTTPSVR. You should see several jobs named ADMIN running in this subsystem. If you do, go to step 2.
If you don't see ADMIN jobs running, issue STRTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN) and verify that the jobs start. If this is the first time the ADMIN server has been started, it may take several minutes before you are able to access it. Proceed to the next step once all of the ADMIN jobs (there should be 3) have started and are in SIGW status. If they do not start, see Troubleshooting ADMIN Server Problems in the Troubleshooting section.
2. Access the iSeries Tasks page by opening http://Your_System_Name:2001 (your iSeries host name followed by :2001) in your browser. Enter your user name and password. Note that this is a plain HTTP connection: the sign-on and every DCM page, including the certificate store password you will enter later, cross the network unencrypted unless the ADMIN server itself has been enabled for SSL on port 2010 (see the admin-cust.conf directives under Troubleshooting ADMIN Server Problems). Use it from a trusted management network only.
3. The iSeries Tasks page is displayed as in Figure 2-2. Click on Digital Certificate Manager.
4. The Digital Certificate Manager screen should look as shown in Figure 2-3. The left frame of Digital Certificate Manager (DCM) is the task navigation frame. You can use this frame to select a wide variety of tasks for managing certificates and the applications that use them. Which tasks are available depends on which certificate store (if any) you are working with and on your user profile's special authorities. Most tasks are available only if you have the *ALLOBJ and *SECADM special authorities. If you do not see all of the options in the selection pane on the left, you are probably signed on with a profile that lacks those authorities.
5. Once in the DCM environment (Figure 2-3) Select Create New Certificate Store from the navigation (left) panel.
Since there is currently no *SYSTEM store on this iSeries the default value will be *SYSTEM (Figure 2-4) in the Create New Certificate Store window. Click Continue.
6. In the Create a Certificate in New Certificate Store window, shown in Figure 2-5, choose not to create a certificate (the certificate will be requested from VeriSign in section 2.1.5).
7. The next window (Figure 2-6) allows you to create a password for the new certificate store. You are asked to enter the password twice to verify it. Remember the password; you will need it later.
8. The next window (Figure 2-7) confirms that the new certificate store has been created.
Figure 2-7 Message indicating that the certificate store was created
The *SYSTEM certificate store has been created. The Certificate Authority import process can now take place.
Figure 2-8
Figure 2-9
Figure 2-10
f. Fill in the requested information as shown below. Use the certificate label CW iSeries Cert, and enter the common name, organization name, state and country from the planning table.
g. Click on Continue.
Figure 2-12
Create Certificate
h. Open a Change Request to get permission to install a certificate on the server, for the following maintenance window, unless the window is less than 24 hours away, if so, then use the next maintenance window.
i. Copy the certificate request to Notepad and e-mail the .txt file to the appropriate WIGGLE resource to submit to VeriSign. Make sure you select everything from -----BEGIN NEW CERTIFICATE REQUEST----- through -----END NEW CERTIFICATE REQUEST-----, inclusive. The request contains only the public key and the subject name, so it is safe to send by e-mail; the private key never leaves the *SYSTEM store.
j. Name the file after the server with csr appended, for example aatcar52csr.txt (see Figure 2-13).
k. Click OK.
l. After you e-mail the Notepad file to the WIGGLE resource for submission to VeriSign, delete the .txt file.
m. After some time, the person who submitted the CSR to VeriSign receives the certificate by e-mail. They should copy and paste the certificate data received from VeriSign into a text file on their PC using, for example, Notepad. Make sure you select everything from -----BEGIN CERTIFICATE----- through -----END CERTIFICATE-----, inclusive. Give the file a meaningful name and save it in a protected folder. Delete the e-mail received from VeriSign, or keep it in a protected (preferably encrypted) mail folder. Send the certificate file to the CSR requester.
n. On the command line of the server, make sure the /CW_cert directory exists and restrict its authority before the certificate file is placed in it:
Type WRKLNK '/CW_cert'. If it does not exist, type MKDIR DIR('/CW_cert'). Give the full path: MKDIR DIR(CW_cert) would create the directory relative to the job's current directory instead.
Secure the directory: WRKLNK '/CW_cert', then option 9 (Work with authority) against CW_cert. On the example system the new directory showed these authorities:
User       Data authority
*PUBLIC    *RWX   (and the object authorities *OBJEXIST *OBJALTER *OBJREF *OBJMGT)
JSTEWART   *RWX
QDIRSRV    *X
QNOTES     *RWX
Take option 2 (Change user authority) against *PUBLIC, change all object authorities (OBJAUT) to *NONE, press Enter, and Enter again, then F5 to refresh. Take option 2 against *PUBLIC a second time and change the data authorities (DTAAUT) to *NONE, press Enter, and Enter again, then F5. The two prompts correspond to this single command:
CHGAUT OBJ('/CW_cert') USER(*PUBLIC) DTAAUT(*NONE) OBJAUT(*NONE)
Verify with WRKLNK '/CW_cert' option 9 that *PUBLIC now shows *EXCLUDE. With *PUBLIC *RWX, any user on the system could replace the certificate file between the upload in step o and the import into DCM; after the change only the owner, the profiles explicitly listed here and *ALLOBJ users (which includes the profile you use for DCM) can reach it.
o. FTP the VeriSign certificate .txt file to the server. Connect to the iSeries with your FTP client and enter:
NAMEFMT 1 (from a PC FTP client: QUOTE SITE NAMEFMT 1)
cd /CW_cert
put certificatename.txt
NAMEFMT 1 switches the session to IFS path names so that /CW_cert is resolved correctly. This transfer is still cleartext FTP, since the server has not yet been switched to SSL; that is acceptable for the certificate, which is public data, but after the import compare the certificate shown by View Certificate in DCM with the file you received.
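The copy-and-paste in steps i and m is where a request or certificate most often gets damaged (a missing line, a mail client's quote prefixes, a stray signature). The following script is added here as an example and is not part of the original procedure or of any IBM tool. It extracts exactly one PEM block of the expected type from pasted text, strips mail wrapping, checks that the base64 decodes and that the length in the object's own DER header matches what was decoded (which catches a truncated paste before it reaches DCM), and saves the result as a file that only the owner can read. The mail text and its base64 content are constructed and do not represent a real certificate; the file name is the one used later in this procedure.

```python
"""Pull the one PEM block you need (the CSR from DCM, or the certificate VeriSign mails back) out of pasted
text, check that it is complete, and save it with owner-only permissions. Added example, not part of the
original Wiggle Wireless procedure. SAMPLE_MAIL below is constructed; its base64 is not a real certificate."""
import base64
import os
import re

CSR = "NEW CERTIFICATE REQUEST"        # header DCM puts on a certificate request
CERT = "CERTIFICATE"                   # header on the certificate returned by the CA
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def der_total_length(der):
    """Bytes the outer DER SEQUENCE header says the object occupies; a paste that is cut short will not match."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (PEM body does not decode to 0x30 ...)")
    length, header = der[1], 2
    if length & 0x80:                                       # long-form length: low 7 bits = octet count
        n = length & 0x7F
        length, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return header + length


def extract_pem(text, kind):
    """Return the single PEM block of the given kind, re-wrapped at 64 columns, or raise ValueError."""
    blocks = [m for m in PEM_BLOCK.finditer(text) if m.group(1) == kind]
    if len(blocks) != 1:
        raise ValueError("expected exactly one %s block, found %d" % (kind, len(blocks)))
    body = re.sub(r"[\s>]", "", blocks[0].group(2))       # drop mail wrapping and '>' quote prefixes
    der = base64.b64decode(body, validate=True)             # any other stray character raises here
    if der_total_length(der) != len(der):
        raise ValueError("DER length mismatch: block is truncated or has trailing data")
    wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (kind, wrapped, kind)


def save_protected(path, pem_text):
    """Create the file readable/writable by the owner only (0600); refuse to overwrite an existing file."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(pem_text)
    return path


# --- constructed sample: a DER SEQUENCE of 128 filler bytes, mailed back quoted and with a signature ---
SAMPLE_DER = b"\x30\x81\x80" + bytes(range(128))
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_MAIL = (
    "Hi, here is the certificate for aatcar51. Regards, CA desk\n\n"
    "> -----BEGIN CERTIFICATE-----\n> "
    + "\n> ".join(SAMPLE_B64[i:i + 60] for i in range(0, len(SAMPLE_B64), 60))
    + "\n> -----END CERTIFICATE-----\n\n-- \nsignature block\n")


def demo(path="/tmp/aatcar51cer.txt"):
    """Extract the certificate from the constructed mail and write it as the file used in step o."""
    return save_protected(path, extract_pem(SAMPLE_MAIL, CERT))


if __name__ == "__main__":
    print(open(demo()).read())
```

Use extract_pem(text, CSR) on the text copied from DCM in step i and extract_pem(text, CERT) on the VeriSign reply in step m. The function refuses input with zero or several blocks of the requested kind, so a mail that quotes the request back together with the certificate cannot be saved as the wrong object by mistake.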
Figure 2-15
Click on the Select a Certificate Store button. In the Select a Store window verify that the radio button next to *SYSTEM is selected. Click Continue.
Figure 2-16 Select the *SYSTEM store to import the file into
2. In the Certificate Store and Password window provide the password and click Continue.
4. From the Manage Certificates page as shown in Figure 2-19, Select the radio button for Import Certificate. Click on Continue.
5. The Import Certificate page is displayed, as shown in Figure 2-20. Select the Server or Client radio button. Click Continue.
6. The Import Server or Client Certificate page is displayed, as shown in Figure 2-21. In the Import file field, specify the full path of the file (including the leading /) that contains the certificate to be imported; here it is /CW_cert/aatcar51cer.txt. Click Continue.
7. You should see a message stating that the import was successful, as in Figure 2-22. Click OK.
8. From the left panel, click on Fast Path, shown in Figure 2-23.
9. From the Fast Path page, shown in Figure 2-24: Select Radio Button Work with server and client certificates. Click Continue.
10. The Work with Server and Client Certificates page is displayed, as seen in Figure 2-25. Select the certificate, here it is labeled CW iSeries Cert. Click on Assign to Applications.
11. The Select Applications page is displayed, as seen in Figure 2-26. Scroll down until you see the OS/400 TCP/IP FTP Server option. Select OS/400 TCP/IP FTP Server. Click Continue.
12. You should see an Application Status message as shown in Figure 2-27. Click OK.
You will be returned to the Work with Server and Client Certificates page, Click Cancel. From the Fast Path page, Click Cancel.
Click on Manage Applications from the left side Panel in the DCM. Click on radio button View application definition. Click Continue.
Scroll down and select the Radio button for OS/400 TCP/IP FTP Server. Click View. Next, Click on View Certificate and verify correct certificate assignment.
Click on Manage Applications from the list of tasks in the DCM navigation panel on the left as shown in Figure 2-30. Select Define CA trust list. Click on Continue.
2. The Define CA Trust List page is displayed, as shown in Figure 2-32. Select the Client radio button. Click Continue.
3. The list of client applications installed on the iSeries server is displayed, as you can see in Figure 2-33. Select the OS/400 TCP/IP FTP Client radio button. Click Define CA Trust List.
4. A list of all the Certificate Authorities on the system is displayed in the next window, as shown in Figure 2-34. Mark as trusted only the CA that issued the server certificates this client must connect to (here, the VeriSign CA that signed the FTP server certificate); every CA marked trusted in this list can vouch for any server the FTP client connects to.
5. A message is displayed in the next page, stating that the Certificate Authority changes have been applied (see Figure 2-35).
To enable the FTP server to listen only for secure connections, perform the following steps:
1. Use the command line to change the FTP attribute that controls SSL connections (ALWSSL). CHGFTPA ALWSSL() accepts *NO, *YES (SSL and non-SSL sessions are both allowed) and *ONLY (SSL sessions only). When it is set to *ONLY, the FTP server will not start without a certificate assigned to the OS/400 TCP/IP FTP Server application, which is why the certificate was assigned before this step. To accept only secure connections, enter:
CHGFTPA ALWSSL(*ONLY)
Note: ALWSSL(*YES) means the iSeries FTP server still accepts non-SSL FTP sessions. If the prerequisite products needed for SSL support are installed and a valid FTP server certificate is configured in Digital Certificate Manager, SSL sessions are also allowed. If ALWSSL(*YES) is specified and Digital Certificate Manager is configured to require FTP client authentication, non-SSL sessions are still accepted by the FTP server, but non-anonymous FTP users must switch to SSL mode in order to log in. Use *YES only as a transition setting while clients are being migrated: with *YES a user ID and password can still be sent in the clear.
2. For the change to take effect, the FTP server must be restarted. Once it is restarted, the FTP server supports secure connections from any client that trusts our Certificate Authority. On the command line enter:
ENDTCPSVR SERVER(*FTP)
Wait a moment and then enter:
STRTCPSVR SERVER(*FTP)
This completes the configuration of the FTP server to accept only secure connections.
Using this command, the client tries to establish secure control and data connections.
3. The FTP client is started and status messages are displayed on the screen. As you can see in Figure 2-37, the control messages are displayed:
File Transfer Protocol
Previous FTP subcommands and messages:
   Connecting to remote host WAXLAB01.WIGGLElab.com using port 990
   Connection is secure.
   220-QTCP at WAXLAB01.WIGGLElab.com
   220 Connection will close if idle more than 5 minutes.
   Enter password:
The line "Connection is secure." is the confirmation to look for: it means the SSL handshake completed, and the server certificate chained to a CA in the FTP client's trust list, before the 220 banner was received and before any password was sent.
4. Connect to the FTP server and transfer a file to the server. The messages displayed on the FTP client session screen should be like the ones in Figure 2-38.
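For testing from a workstation rather than from the iSeries FTP client, and for checking the effect of the ALWSSL setting from section 2.1.8, the following Python script is added as an example; it is not from the original document or from IBM. It connects with implicit TLS on port 990, the mode the client session above used, while requiring the server certificate to chain to the configured CA and to carry the host name it dialled; it forces PROT P so that data connections are encrypted as well; and it then sends USER in cleartext on port 21 and reports the reply, so that you can see whether cleartext logins are still being processed after the change to ALWSSL(*ONLY). Host name, user, password and the CA file name in the main block are placeholders. The exact reply code an i5/OS V5R3 server returns to a cleartext USER under ALWSSL(*ONLY) is not documented on this page, which is why the script reports the code rather than asserting a specific one.

```python
"""Test the secure FTP configuration from a workstation: implicit TLS on port 990 with certificate and
host-name verification, then a cleartext USER probe on port 21. Added example, not part of the original
document; HOST, USER, PASSWORD and the CA file name are placeholders."""
import ftplib
import socket
import ssl

SECURE_PORT = 990      # implicit FTPS, the port the iSeries FTP client connected to in the test above
PLAIN_PORT = 21


def build_context(cafile=None):
    """Require a chain to a trusted CA and a certificate name matching the host we dial (CN = FQDN per the plan)."""
    ctx = ssl.create_default_context(cafile=cafile)    # cafile: PEM of the issuing CA; None = OS trust store
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


class ImplicitFTPS(ftplib.FTP_TLS):
    """ftplib only speaks explicit AUTH TLS; implicit FTPS needs the socket wrapped before the 220 banner."""
    port = SECURE_PORT

    def connect(self, host="", port=0, timeout=-999, source_address=None):
        if host:
            self.host = host
        if port:
            self.port = port
        if timeout != -999:
            self.timeout = timeout
        raw = socket.create_connection((self.host, self.port), self.timeout, source_address)
        self.af = raw.family
        self.sock = self.context.wrap_socket(raw, server_hostname=self.host)   # handshake + verification here
        self.file = self.sock.makefile("r", encoding=self.encoding)
        self.welcome = self.getresp()                    # "220-QTCP at ..." arrives only after the handshake
        return self.welcome


def secure_session(host, user, password, cafile=None):
    """Log in over implicit TLS and return (banner, common name of the verified server certificate)."""
    ftps = ImplicitFTPS(context=build_context(cafile))
    banner = ftps.connect(host, timeout=15)
    ftps.login(user, password)       # login() sees an SSL socket and does not send AUTH TLS again
    ftps.prot_p()                    # PBSZ 0 / PROT P: data connections (LIST, PUT, GET) are encrypted too
    subject = dict(rdn[0] for rdn in ftps.sock.getpeercert()["subject"])
    ftps.quit()
    return banner, subject.get("commonName")


def cleartext_user_reply(host, user, timeout=10):
    """Send USER in cleartext on port 21 and return the 3-digit reply code, or None if nothing listens."""
    try:
        ftp = ftplib.FTP(timeout=timeout)
        ftp.connect(host, PLAIN_PORT)
    except OSError:
        return None
    try:
        return ftp.sendcmd("USER " + user)[:3]
    except ftplib.Error as exc:                       # 4xx/5xx replies are raised as exceptions
        return str(exc)[:3]
    finally:
        ftp.close()


def classify_cleartext(code):
    """Map the reply to the cleartext USER command to what it means for the ALWSSL setting."""
    if code is None:
        return "no cleartext listener"
    if code in ("331", "230"):
        return "cleartext login path open: server is not ALWSSL(*ONLY)"
    return "cleartext login refused (%s): consistent with ALWSSL(*ONLY)" % code


if __name__ == "__main__":
    HOST, USER, PASSWORD = "waxlab01.wigglelab.com", "ftpuser", "change-me"   # placeholders
    banner, cn = secure_session(HOST, USER, PASSWORD, cafile="verisign-ca.pem")
    print("secure:", banner.splitlines()[0], "| certificate CN:", cn)
    print("plain :", classify_cleartext(cleartext_user_reply(HOST, USER)))
```

The default context from ssl.create_default_context() refuses protocol versions and cipher suites that current Python and OpenSSL builds consider obsolete. A V5R3-era server may offer only SSLv3 or TLS 1.0, in which case the handshake fails with a protocol error rather than a certificate error; that failure is itself a finding, and lowering ctx.minimum_version for the test should be a deliberate, documented decision rather than a default.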
2. Next, FTP the renewed certificate you received to your iSeries. Refer to section 2.1.5.1, steps m through o, for instructions on transferring the file from your certificate provider to the IFS on your system. After transferring the certificate, continue with step 3.
3. Go to the Tasks page (Figure 3-11) via the iSeries HTTP Administration server using the URL http://your_server_name.com:2001. Supply the user ID and password (the profile must have the *IOSYSCFG, *ALLOBJ and *SECADM special authorities). Select Digital Certificate Manager. Click on Select a Certificate Store.
Figure 3-11
4. Enter the certificate store password as shown in Figure 3-12 and click Continue.
Figure 3-12
On the Current Certificate Store screen, Click on Manage Certificates to expand the selection and then click on the Renew certificate link.
Figure 3-13
5. Choose the certificate that you wish to renew and then click the Renew button as shown in Figure 3-14.
Figure 3-14
6. Choose VeriSign or other Internet Certificate Authority (CA) as shown in Figure 3-15 and click Continue.
Figure 3-15
7. Choose No - Import the renewed signed certificate from an existing file and click Continue.
Figure 3-16
8. Enter the path to the import file that you transferred to the system in step 2, as shown in Figure 3-17. When done, click Continue.
Figure 3-17
9. You will see the Certificate Renewed Successfully page as shown in Figure 3-18. Here you select the application(s) to which you want to assign the renewed certificate.
Figure 3-18
10. Scroll down, check all applications to which you wish to assign this certificate, and click Continue when finished.
Figure 3-19
Figure 3-20
11. When you have finished, you will see the page displayed above in Figure 3-20.
12. You may need to restart the application(s) using the renewed certificate (for the FTP server, ENDTCPSVR SERVER(*FTP) followed by STRTCPSVR SERVER(*FTP)). Test each application and ensure that it functions properly.
Additional material
Certificate store structure and locations
The *SYSTEM store (in /QIBM/UserData/ICSS/Cert/Server/) consists of three files:
DEFAULT.KDB   System certificate(s), private key(s) and CA certificates
DEFAULT.RDB   Certificate request(s)
DEFAULT.STH   Stashed password for automatic access to the KDB file by the server
Because DEFAULT.STH lets anyone who can read it open the KDB, the authority on this directory and on every backup of it must stay restricted; *PUBLIC must not have read access to these files.
OTHER
You can specify another directory, such as /your_directory_name, to store certificates. Customer applications that are written to use SSL_Init (instead of the newer SSL_Init_App) can make more use of this. System administrators can also use such a certificate store for certain kinds of backups or for testing before moving into their production environment. Some functions, such as exporting certificates from certificate stores created while the system was on a previous release, may also make use of this. Again, do not use this kind of store if you want to use the OS/400 secure applications, which read the *SYSTEM store only.
Cleaning up DCM
These are the locations to clean up in order to start over with DCM (all files in these locations are removed). Before deleting the *SYSTEM store, verify that it does not contain certificates that have been purchased or are currently in use; there is no way to recover files that have not been backed up after this operation. Remove only the *STMF files; do NOT remove the directories.
/QIBM/UserData/ICSS/Cert/Server/ --> holds the *SYSTEM store
/QIBM/UserData/ICSS/Cert/CertAuth/ --> holds the Local CA store
/QIBM/UserData/ICSS/Cert/Download/CertAuth/CertAuth --> a file created when a Local CA is created (so that you cannot create it again)
Once all the files are cleared from these locations, exit DCM and go back into it. You should now have the option to create a Local CA (which in turn creates a *SYSTEM store and a server/client certificate in the store).
Also, from the iSeries command line, issue this command to clean up the cache:
CALL QSOMAINT PARM('10' '3')
Recovery . . . : Remove "sslmode on" from your configuration file or install AC1, AC2 or AC3 and try to start the server again.
To correct the error, on an iSeries command line type the following:
CALL QCAP3/QYAC3INAT
Which of these implementation choices you make depends on a number of factors, one of the most important being the environment in which the certificates are used. Here's some information to help you better determine which implementation choice is right for your business and security needs.
Troubleshooting
Troubleshooting ADMIN Server Problems
If the *ADMIN server fails to start, you will need to determine the reason and take corrective action.
1. On an iSeries command line, type WRKSPLF QTMHHTTP. This displays the spooled files that belong to user QTMHHTTP (the user under which the *ADMIN server is started). Look at the last spooled file belonging to QTMHHTTP; it should tell you why the *ADMIN server failed to start.
2. Edit the ADMIN custom configuration file in the IFS:
a. On the iSeries, run WRKLNK and navigate to the directory /QIBM/UserData/HTTPA/admin/conf/.
b. Edit the file admin-cust.conf and look for invalid directives. If you cannot determine the cause of the error, comment out all of the lines in the custom configuration with the # character, as in the following example:
#-----------------------------------------------------
# The following directives should be added to
# /QIBM/UserData/HTTPA/admin/conf/admin-cust.conf
# and uncommented in order to enable SSL for ADMIN.
#-----------------------------------------------------
# LoadModule ibm_ssl_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVSSL.SRVPGM
# Listen 2001
# Listen 2010
# SetEnv HTTPS_PORT 2010
# <VirtualHost *:2010>
#   SSLEnable
#   SSLAppName QIBM_HTTP_SERVER_ADMIN
# </VirtualHost>
These directives, once uncommented and with a certificate assigned to the QIBM_HTTP_SERVER_ADMIN application in DCM, are also what protects the DCM sessions used throughout this document: without them, every certificate store password is typed over plain HTTP on port 2001.
Troubleshooting - Problem Determination for FTP
Cause List A
1. Is there a long delay between connecting to the iSeries FTP server and receiving a prompt for a user ID? If so, check the configuration of the domain name server on your iSeries. The FTP server performs a DNS query as soon as a new connection is received, and DNS problems may cause the server to hang for several minutes before a response is received.
2. Check whether an exit program has been added to the FTP Server Logon exit point (refer to the Server logon exit point topic in the Information Center). If so, check whether the exit program allows the logon that is failing.
Confidential
69697753.doc2 Page 69
9/28/2011
Wiggle Wireless
3. Check whether the remote logon requires a password when one was requested. Some systems request a password, but the connection can fail because it is not required.
4. Set up a password on the remote system if required. You may have to restart if you change the security information on the system.
5. Check your user ID and password by attempting to sign on to your remote system. If you are unable to do so, contact the system owner to verify that your user ID and password are correct.
Cause List B
1. Make sure binary mode is in effect if you are transferring binary files.
2. Check that the mapping tables on both the client and server systems are compatible. You only need to do this if you are using your own mapping tables.
3. Check that the correct CCSID has been specified for the transfer. If not, use the TYPE or LTYPE subcommand to set the correct CCSID value before the transfer is performed.
4. Create a file on the system into which you plan to store data. Set the proper record length, number of members and number of increments. Try the data transfer again and verify that it was successful.
5. Make sure that you are authorized to use the file and the file members.
6. Check whether the transfer file contains packed decimal or zoned decimal data.
7. If you are transferring a save file, verify that the appropriate method was used.
Cause List C
1. Check file size limits on the remote system.
2. Check whether the FTP server timer ended. The iSeries server time-out value can be set using the QUOTE TIME command.
3. Use the NETSTAT command to verify that the *LOOPBACK interface is active. Then re-create the problem doing FTP LOOPBACK (iSeries-to-iSeries internally). If the problem cannot be re-created, it is probably a remote system problem. If you can re-create the problem, do the following:
a. If the problem is an FTP server problem, start the FTP server trace using the TRCTCPAPP command.
b. Re-create the problem.
c. End the FTP connection (refer to Starting and stopping the FTP server).
d. End the FTP server trace using the TRCTCPAPP command.
e. Find a spooled file with the following characteristics: the file name is QTMFFTRC, and the user name associated with the file is the name of the user who issued the TRCTCPAPP command.
The trace is a spooled file in the default output queue of the system associated with the FTP server job.
f. Send in that spooled file.
g. If the problem was on the iSeries FTP client, a trace can be obtained using the DEBUG 100 client subcommand.
h. When running the FTP client interactively, use the F6 (Print) key to create a spooled file that contains a history of the FTP client subcommands entered and the associated FTP server replies. When the FTP client is run in batch (unattended) mode, this history of subcommands and server replies is written to the specified OUTPUT file. For more details, see "FTP as Batch Job".
Documentation and Links
Several good publications exist in downloadable PDF format at the following site: http://publib.boulder.ibm.com/infocenter/iseries/v5r3/index.jsp
Good publications to get there include:
Digital Certificate Manager V5R3 (book on the basics of DCM)
Redbook SG24-5659-00 - AS/400 Internet Security: Developing a Digital Certificate Infrastructure
Redbook SG24-6168-00 - iSeries Wired Network Security: OS/400 V5R1 DCM and Cryptographic Enhancements (highly recommended; most of it is still current in V5R3 and V5R4)
http://www.rsasecurity.com/rsalabs/faq/3-1-5.html - RSA article on how large a key should be used in the RSA cryptosystem. iSeries DCM uses RSA cryptography in its key stores.