IBM Support

CWBCO1034 SSL Error Code 25406 Occurs On IBM i Access for Windows SSL Connection

Troubleshooting


Problem

When attempting to connect to the IBM i Host or Telnet Servers, a CWBCO1034 with SSL Error Code 25406 occurs and the connection fails.

Symptom

CWBCO1034 EC 25406

Environment

IBM i OS; IBM i Access for Windows

Resolving The Problem

The CWBCO1034 SSL Error Code 25406 message indicates an I/O error has occurred. There are multiple reasons as to why this specific error message and code may be thrown. One common reason for this error is when a RST (Reset) TCP/IP packet is received by the IBM i Access for Windows System i Navigator or 5250 Client applications.

Since this is an I/O error, IBM requests the IBM i Access for Windows CWBCOTRC trace as well as a Wireshark trace to be gathered during the failed connection on the PC and then uploaded to IBM via a Service Request (PMR) for IBM's review. Here is more information on how to collect these traces and open a new IBM Service Request (PMR).

CWBCOTRC:


Tracing Instructions for iSeries Access Connectivity Problems
http://www.ibm.com/support/docview.wss?uid=nas8N1014465

Wireshark:


Instructions for Collecting a Wireshark PC Sniffer Trace
http://www.ibm.com/support/docview.wss?uid=nas8N1014338

IBM Service Request (PMR):


http://www-01.ibm.com/support/electronicsupport/
https://www.ibm.com/support/servicerequest/

Another reason for this error might be the following:

The Server SSL certificate assigned to the IBM i server applications in the IBM Digital Certificate Manager *SYSTEM certificate store has expired.


To verify the Server certificate assigned to the application has expired, you can do the following.

  1. Verify the ADMIN jobs are started in the QHTTPSVR subsystem.
  2. Access the IBM Digital Certificate Manager application using the following URL.
    1. http://systemname:2001/QIBM/ICSS/Cert/Admin/qycucm1.ndm/main0
  3. Sign into the application with a user ID that has *ALLOBJ *IOSYSCFG and *SECADM special authorities.
  4. Click on the "Select a Certificate Store" button.
  5. Select the radio button next to the *SYSTEM store and click on the Continue button.
  6. Specify the keystore password and press Continue.
    1. NOTE: If you do not know the password, you can click on the "Reset Password" button to change the password.
  7. Once logged in, click on "Fast Path" and then "Work with server applications".
  8. Identify the Server certificate assigned to the IBM i server application you are trying to access. This could be the Database Server, Signon Server, Remote Command Server, File Server, or even the IBM i Telnet Server.
  9. Once you have identified the SSL certificate label assigned to your applications, click on "Fast Path" and then "Work with server and client certificates".
  10. Select the radio button next to the SSL certificate and click on the "View" button.
  11. Review the expiration date of the SSL certificate in the "Validity period" field under "Additional Information".

If your SSL certificate has expired, you will need to renew your certificate and then assign it to the same applications as the expired certificate to resolve your issue.

Please refer to the IBM Software Technical Support Document entitled, "Digital Certificate Manager (DCM) - Frequently Asked Questions and Common Tasks" for more information on how to renew a local or third party SSL server certificate and assign it to your IBM i server applications.

[{"Type":"MASTER","Line of Business":{"code":"LOB57","label":"Power"},"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SWG60","label":"IBM i"},"Platform":[{"code":"PF012","label":"IBM i"}],"Version":"7.1.0"}]

Document Information

Modified date:
18 December 2019

UID

nas8N1020816

Page Feedback