Troubleshooting SSL

This very basic troubleshooting information is intended to help you reduce the list of possible problems that the IBM® i platform can encounter with SSL.

It is important to understand that this is not a comprehensive source for troubleshooting information, but rather a guide to aid in common problem resolution.

Verify that the following statements are true:
  • You have met the prerequisites for SSL on the IBM i platform.
  • Your certificate authority and certificates are valid and have not expired.
If you have verified that the previous statements are true for your system and you still have an SSL-related problem, try the following options:
  • The SSL error code in the server job log can be cross-referenced in an error table to find more information about the error. For example, this table maps the -93 that might be seen in a server job log to the constant SSL_ERROR_SSL_NOT_AVAILABLE.
    • A negative return code (indicated by the dash before the code number) indicates that you are using an SSL_ API.
    • A positive return code indicates that you are using a GSKit API. Programmers can code the gsk_strerror() or SSL_Strerror() API in their programs to obtain a brief description of an error return code. Some applications make use of this API and print out a message to the job log containing this sentence.
    If more detailed information is required, the message ID provided in the table can be displayed on an IBM i to show potential cause and recovery for this error. Additional documentation explaining these error codes may be located in the individual secure socket API that has returned the error.
  • Additional information about the last certificate validation error on the current secure session can be retrieved by using the GSK_LAST_VALIDATION_ERROR attribute on gsk_attribute_get_numeric_value(). If gsk_secure_soc_init() or gsk_secure_soc_startInit() returned an error, this attribute might provide more error information.
  • The following two header files contain the same constant names for System SSL return codes as the table, but without the message ID cross reference:
    • QSYSINC/H.GSKSSL
    • QSYSINC/H.QSOSSL
    Remember that although the names of the System SSL return codes remain constant in these two files, more than one unique error can be associated with each return code.
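
The GSK_LAST_VALIDATION_ERROR lookup and gsk_strerror() call described above, as an added example that is not IBM's code. The helper names rc_family and describe_init_failure are hypothetical, and the #else branch holds constructed stand-ins (made-up codes and messages) so the logic can be exercised off-platform; on IBM i the real header is used instead.

```c
/* Added example: build one job-log line for a failed GSKit handshake. */
#include <stdio.h>
#include <string.h>
#ifdef __OS400__
#include <gskssl.h>   /* real System SSL declarations (QSYSINC/H.GSKSSL) */
#else
/* Constructed stand-ins for off-platform runs. Types, values and
   messages below are NOT the real IBM i definitions. */
typedef void *gsk_handle;
typedef int GSK_NUM_ID;
#define GSK_OK 0
#define GSK_LAST_VALIDATION_ERROR 1
static int stub_validation_rc = 9001;   /* made-up validation code */
static int gsk_attribute_get_numeric_value(gsk_handle h, GSK_NUM_ID id, int *v)
{
    (void)h;
    if (id != GSK_LAST_VALIDATION_ERROR) return -1;
    *v = stub_validation_rc;
    return GSK_OK;
}
static const char *gsk_strerror(int rc)
{
    return rc == 9001 ? "constructed validation failure"
                      : "constructed handshake failure";
}
#endif

/* API family behind a job-log return code: negative = SSL_, positive = GSKit. */
const char *rc_family(int rc)
{
    if (rc < 0) return "SSL_ API";
    return rc > 0 ? "GSKit API" : "success";
}

/* Describe a failed gsk_secure_soc_init()/gsk_secure_soc_startInit() in out.
   Returns the last validation error, or 0 when no extra detail is available. */
int describe_init_failure(gsk_handle soc, int init_rc, char *out, size_t outlen)
{
    int val_rc = 0;
    int n = snprintf(out, outlen, "%s rc=%d (%s)",
                     rc_family(init_rc), init_rc, gsk_strerror(init_rc));
    if (n < 0 || (size_t)n >= outlen) return 0;   /* buffer too small */
    if (gsk_attribute_get_numeric_value(soc, GSK_LAST_VALIDATION_ERROR,
                                        &val_rc) != GSK_OK || val_rc == 0)
        return 0;                                  /* only the init code is known */
    snprintf(out + n, outlen - n, "; last validation error=%d (%s)",
             val_rc, gsk_strerror(val_rc));
    return val_rc;
}
```

Call describe_init_failure() on the secure session handle immediately after the init call fails, before the handle is closed, and write the resulting line to the job log.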