Troubleshooting HTTP Server for System i™ problems

 

Review this information to help you troubleshoot HTTP Server problems you may encounter while working with Digital Certificate Manager (DCM).

Problem: Hypertext Transfer Protocol Secure (HTTPS) does not work.
Possible solution: Be sure the HTTP Server is configured correctly for using SSL. In V5R1 or later versions, the configuration file must have SSLAppName set by using the HTTP Server Administration interface. Also, the configuration must have a virtual host configured that uses the SSL port, with SSL set to Enabled for the virtual host. There must also be two Listen directives specifying two different ports, one for SSL and the other not for SSL. These are set on the General Settings page. Be sure the server instance is created and the server certificate is signed.

Problem: The process for registering an HTTP Server instance as a secure application needs clarification.
Possible solution: On your system, go to the HTTP Server Administration interface to set the configuration for your HTTP Server. You first must define a virtual host to enable SSL. After you define a virtual host, specify that the virtual host use the SSL port defined previously on the Listen directive (on the General Settings page). Next, use the SSL with Certificate Authentication page under Security to enable SSL in the previously configured virtual host. All changes must be applied to the configuration file. Note that registering your instance does not automatically choose which certificates the instance will use. You must use DCM to assign a specific certificate to your application before you try to end and then restart your server instance.

Problem: You are having difficulty setting up the HTTP Server for validation lists and optional client authentication.
Possible solution: See the IBM HTTP Server for i5/OS documentation for options on setting up the instance.

Problem: Netscape Communicator waits for the configuration directive in the HTTP Server code to expire before allowing you to select a different certificate.
Possible solution: A large certificate value makes it hard to register a second certificate since the browser is still using the first one.

Problem: You are trying to get the browser to present the X.509 certificate to the HTTP Server so that you can use the certificate as input to the QsyAddVldlCertificate API.
Possible solution: You must use SSLEnable and SSLClientAuth ON in order to get the HTTP Server to load the HTTPS_CLIENT_CERTIFICATE environment variable. You can locate information about these APIs with the API finder topic in the i5/OS® Information Center. You may also want to look at these validation list or certificate-related APIs:

  • QsyListVldlCertificates and QSYLSTVC

  • QsyRemoveVldlCertificate and QRMVVC

  • QsyCheckVldlCertificate and QSYCHKVC

  • QsyParseCertificate and QSYPARSC, and so on.

Problem: The HTTP Server takes too long to return, or times out, if you request a list of the certificates in the validation list and there are more than 10,000 items.
Possible solution: Create a batch job that looks for and deletes certificates matching certain criteria, such as all those that have expired or are from a certain CA.

Problem: The HTTP Server will not start successfully with SSL set to Enabled, and error message HTP8351 appears in the job log. The error log for the HTTP Server shows an error that SSL Initialization operation failed with a return code error of 107 when the HTTP Server fails.
Possible solution: Error 107 means the certificate has expired. Use DCM to assign a different certificate to the application; for example, QIBM_HTTP_SERVER_MY_SERVER. If the server instance that is failing to start is the *ADMIN server, then temporarily set SSL to Disabled so that you can use DCM on the *ADMIN server. Then use DCM to assign a different certificate to the QIBM_HTTP_SERVER_ADMIN application and try setting SSL to Enabled again.
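
The checklist given for the "HTTPS does not work" problem can be checked mechanically against a configuration file. The following Python sketch is an added example, not IBM code or part of the original page. It assumes an Apache-style configuration file, treats the SSLEnable directive named above as the marker that SSL is enabled for a virtual host, and uses a constructed sample with ports 80 and 443.

```python
import re

# Constructed sample (not from the page); ports 80/443 are assumptions.
# The application ID is the example name the page uses.
SAMPLE_CONF = """\
# General Settings
Listen *:80
Listen *:443
<VirtualHost *:443>
    SSLEnable
    SSLAppName QIBM_HTTP_SERVER_MY_SERVER
</VirtualHost>
"""

def _port(addr):
    """Return the port from 'host:port', '*:port' or a bare 'port', else None."""
    m = re.search(r"(?:^|:)(\d+)$", addr)
    return int(m.group(1)) if m else None

def check_ssl_config(text):
    """Return a list of findings; an empty list means every check passed."""
    listen, ssl_ports = set(), set()
    app_name, vhost_port, in_vhost = None, None, False
    for raw in text.splitlines():
        parts = raw.strip().split()
        if not parts or parts[0].startswith("#"):
            continue  # blank line or comment
        name = parts[0].lower()  # directive names are case-insensitive
        if name == "<virtualhost":
            in_vhost = True
            vhost_port = _port(parts[1].rstrip(">")) if len(parts) > 1 else None
        elif name == "</virtualhost>":
            in_vhost, vhost_port = False, None
        elif name == "listen" and len(parts) > 1:
            listen.add(_port(parts[1]))
        elif name == "sslenable" and in_vhost:
            ssl_ports.add(vhost_port)  # this virtual host has SSL enabled
        elif name == "sslappname" and len(parts) > 1:
            app_name = parts[1]
    findings = []
    if not app_name:
        findings.append("SSLAppName is not set")
    if not ssl_ports:
        findings.append("no virtual host has SSL enabled")
    for p in sorted(ssl_ports - listen, key=str):
        findings.append(f"SSL virtual host port {p} has no Listen directive")
    if len(listen) < 2 or not (listen - ssl_ports):
        findings.append("need two Listen ports: one for SSL and one not for SSL")
    return findings
```

An empty result only shows that the directives are present and consistent; it does not show that a certificate has been assigned in DCM or that the certificate is still valid.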
