MustGather: Java Secure Socket Extension (JSSE), Secure Sockets Layer (SSL) or Java Cryptography Extensions (JCE) problems
 Technote (troubleshooting)
 
Problem (Abstract)
Collecting data for problems with the IBM® WebSphere® Application Server Java™ Security (JSSE/JCE) and SSL component. Gathering this MustGather information before calling IBM support will help you understand the problem and save time analyzing the data.
 
Resolving the problem
If you have already contacted support, continue to the component-specific MustGather information. Otherwise, click: MustGather: Read first for all WebSphere Application Server products.

Java Security (JSSE/JCE) specific MustGather information.


  • The following information is required for all versions:

    1. Whether you are using the default Java Secure Socket Extension (JSSE) providers or have modified your java.security file.

    2. Where is the SSL problem occurring?

      1. Between the client (browser) and the Web server?

        For example: When trying to access a Web resource on the Web server over HTTPS.

      2. Between the client (browser) and the Application Server built-in Web server?

        For example: When trying to access the Application Server Administrative Console.

      3. Between the Web server plug-in and the Application Server?

        For example: When trying to access a Web resource on the Application Server over HTTPS.

      4. Using SSL when connecting to directory servers (LDAP)?

      5. Using your own application to make an HTTPS call to a remote Web site?

      6. Using your own application to make an SSL connection?

    3. Are you using the default (dummy) certificates, a self-signed certificate, or a Certificate Authority (CA) issued certificate? Have you made any recent changes to your certificate?

    4. If you changed your default key, did you change your keystore files?

  • The following three items are required for all versions of Application Server:

    1. Collect the java.security file. This file is located in the following directory:

      install_root/java/jre/lib/security

    2. Collect the keyfiles, trustfiles, cacerts files, and plugin.kdb files.

    3. Collect a Java Secure Socket Extension (JSSE) debug trace of the problem, if possible.
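To answer the question above about default JSSE providers versus a modified java.security, the provider list can be extracted from the collected file and compared with an untouched copy. This is an added example, not IBM code: the function names and the sample file contents are constructed for illustration, and it assumes the usual security.provider.N=class line form.

```shell
#!/bin/sh
# Added example (not IBM code): inspect the provider list in java.security.

# Constructed sample file, NOT a real WebSphere java.security.
sample_java_security() {
    cat <<'EOF'
# constructed sample for illustration
security.provider.1=com.ibm.jsse.IBMJSSEProvider
security.provider.2=com.ibm.crypto.provider.IBMJCE
#security.provider.3=com.example.OldProvider
security.provider.4=com.example.ThirdPartyProvider
EOF
}

# Print "N class" for every active (uncommented) provider line, sorted by N.
list_providers() {
    sed -n 's/^[[:space:]]*security\.provider\.\([0-9][0-9]*\)[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*$/\1 \2/p' "$1" | sort -n
}

# Return 0 only if the provider numbers run 1,2,3,... with no gap or duplicate.
providers_contiguous() {
    list_providers "$1" | awk '{ if ($1 != NR) bad = 1 } END { exit bad + 0 }'
}

# Return 0 if the live file lists the same providers, in the same order,
# as a pristine baseline copy (for example one kept from the install image).
providers_match_baseline() {
    [ "$(list_providers "$1")" = "$(list_providers "$2")" ]
}

# Usage: sh this_script.sh install_root/java/jre/lib/security/java.security
if [ -n "${1:-}" ]; then
    list_providers "$1"
    providers_contiguous "$1" || echo "provider numbering has a gap or duplicate"
fi
```
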


  • For all releases of V4.0.5 through 4.0.7:

    Note: For V4.0 you will need to contact WebSphere support to get a copy of the ibmjsse-debug.jar referenced below

    1. Open the install_root/bin/admin.config in an editor

    2. Add the following line to the end of the file

      javax.net.debug=true

      Note: You must have a tracefile enabled to capture the standard output from the Admin Server

    3. Stop the server

    4. Move the install_root/java/jre/lib/ext/ibmjsse.jar to a temporary directory outside of the classpath (for example, /tmp)

    5. Copy the provided ibmjsse-debug.jar to the install_root/java/jre/lib/ext directory

    6. Start the server and recreate the problem

      Note: The JSSE trace will be output to the tracefile as specified in the admin.config

    7. Follow instructions to send diagnostic information to IBM support



  • For all releases of V5.0 running JDK™ version 1.3:

    To determine the Java version, run java -fullversion from the install_root/java/bin directory.

    Note: Contact WebSphere support to get a copy of the ibmjsse-debug.jar referenced below

    1. Specify the javax.net.debug system property:
      1. In the Administrative Console, select the following: Servers > Application Servers > server_name > Process Definition > Java Virtual Machine > Custom Properties > New

      2. Type the following:

        Name: javax.net.debug
        Value: true

      3. Click OK

    2. Save your changes to the master configuration

    3. Expand TroubleShooting > Logs and Trace > server_name

    4. Select JVM Logs. Increase the file size to 20 MB. Increase the Maximum Number of Historical Files from 1 to 10.

    5. Save your changes to the master configuration

    6. Stop the server

    7. Move the install_root/java/jre/lib/ext/ibmjsse.jar to a temporary directory outside of the classpath (for example, /tmp)

    8. Copy the ibmjsse-debug.jar from install_root/web/docs/jsse to the install_root/java/jre/lib/ext directory

    9. Start the server and recreate the problem

      Note: The output will be in the file specified in Application Servers > server_name > Logging and Tracing > JVM Logs. The default is set to the SystemOut.log file

    10. Run the Collector Tool located in the install_root/bin directory

    11. Follow instructions to send diagnostic information to IBM support



  • For all releases of V5.1 running JDK version 1.4:

    To determine the Java version, run java -fullversion from the install_root/java/bin directory.

    Note: Contact WebSphere support to get a copy of the ibmjsseprovider_debug.jar referenced below

    1. Specify the javax.net.debug system property:
      1. In the Administrative Console, select the following: Servers > Application Servers > server_name > Process Definition > Java Virtual Machine > Custom Properties > New

      2. Type the following:

        Name: javax.net.debug
        Value: true
      3. Click OK

    2. Save your changes to the master configuration

    3. Expand TroubleShooting > Logs and Trace > server_name

    4. Select JVM Logs. Increase the file size to 20 MB. Increase the Maximum Number of Historical Files from 1 to 10.

    5. Save your changes to the master configuration

    6. Stop the server

      Please note the special instructions for Solaris™ and HP installations at the bottom of this document and skip steps 7 - 10.

    7. Rename ibmjsseprovider.jar in install_root/java/jre/lib to ibmjsseprovider.jar.save

    8. Move ibmjsseprovider.jar.save to a directory that is not used by the IBM JVM.

    9. Copy the ibmjsseprovider_debug.jar to ibmjsseprovider.jar

    10. Move the debug ibmjsseprovider.jar to install_root/java/jre/lib

    11. Start the server and recreate the problem

    12. Delete the debug ibmjsseprovider.jar in install_root/java/jre/lib

    13. Move ibmjsseprovider.jar.save to install_root/java/jre/lib

    14. Rename ibmjsseprovider.jar.save to be ibmjsseprovider.jar

    15. Start the server and recreate the problem
      Note: The output will be in the file specified in Application Servers > server_name > Logging and Tracing > JVM Logs. The default is set to the SystemOut.log file
    16. Run the Collector Tool located in the install_root/bin directory

    17. Follow instructions to send diagnostic information to IBM support



  • For all releases of V6.0:

    1. Specify the javax.net.debug system property:

    2. In the Administrative Console, select the following: Servers > Application Servers > server_name > Expand Java and Process Management (under Server Infrastructure) > Process Definition > Java Virtual Machine > Custom Properties > New

      To trace the Deployment Manager, select the following: System Administration > Deployment Manager > Expand Java and Process Management (under Server Infrastructure) > Process Definition > Java Virtual Machine > Custom Properties > New
    3. Type the following:

      Name: javax.net.debug
      Value: true

    4. Click OK

    5. Save your changes to the master configuration

    6. Expand TroubleShooting > Logs and Trace > server_name.

    7. Select JVM Logs. Increase the file size to 20 MB. Increase the Maximum Number of Historical Files from 1 to 10.

      Please note the special instructions for Solaris and HP installations at the bottom of this document if you are using JSSE (as opposed to the default of JSSE2)

    8. Save your changes to the master configuration

    9. Stop the server

    10. Start the server and recreate the problem

      Note: The output will be in the file specified in Application Servers > server_name > Logging and Tracing > JVM Logs. The default is set to the SystemOut.log file

    11. Run the Collector Tool located in the install_root/bin directory

    12. Follow instructions to send diagnostic information to IBM support



  • For all releases of V6.1:
  1. Specify the javax.net.debug system property:
  2. In the Administrative Console, select the following: Servers > Application Servers > server_name > Expand Java and Process Management (under Server Infrastructure) > Process Definition > Java Virtual Machine > Custom Properties > New

    To trace the Deployment Manager, select the following: System Administration > Deployment Manager > Expand Java and Process Management (under Server Infrastructure) > Process Definition > Java Virtual Machine > Custom Properties > New
  3. Type the following:

    Name: javax.net.debug
    Value: true

  4. Click Apply, and Save.

  5. Save your changes to the master configuration

  6. Expand TroubleShooting > Logs and Trace > server_name

  7. Select Diagnostic Trace Service. Increase the Maximum Number of Historical Files from 1 to 10.

  8. Click Apply, then select Change Log Detail Levels.

  9. Clear the trace string in the box and replace it with the following trace string:

    SSL=all


  10. Click Apply, and Save.

  11. Save your changes to the master configuration

  12. Stop the server

  13. Start the server and recreate the problem

    Note: The output will be in the file specified in Application Servers > server_name > Logging and Tracing > JVM Logs. The default is set to the SystemOut.log file and trace.log

  14. Run the Collector Tool located in the install_root/bin directory

  15. Follow instructions to send diagnostic information to IBM support



If asked to run JSSE client traces, please do the following in addition to server side traces:

  1. Add -Djavax.net.debug=true to the Java command line, or modify the calling script to include the debug statement. The output goes to standard out, so redirect it to a file.

  2. This only works if the client is using the IBM JDK with the debug file for the corresponding JDK version in place.

    • For JDK 1.3 use ibmjsse-debug.jar
    • For JDK 1.4 use ibmjsseprovider_debug.jar


For a listing of all technotes, downloads, and educational materials specific to the Java Security (JSSE/JCE) component, search the WebSphere Application Server support site.


For Solaris and HP installations using JSSE with the 1.4 SDK (all releases), do the following:
  1. Contact IBM for the debug_jsse.jar
  2. Move the jsse.jar from java/jre/lib outside of the WebSphere installation. Rename the debug_jsse.jar to jsse.jar and place it in install_root/java/jre/lib
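
The debug-jar swap in the V4.0.5 through 4.0.7, V5.0, V5.1 and Solaris/HP procedures replaces the JSSE provider that the JVM loads, so it is worth confirming that the production jar goes back byte for byte once the trace is captured. This is an added example, not IBM code: the function names and argument layout are hypothetical, the "outside LIB_DIR" check is only a partial stand-in for "a directory that is not used by the IBM JVM", and the server is assumed to be stopped while either function runs.

```shell
#!/bin/sh
# Added example, not IBM code. Run only while the server is stopped.

# SHA-256 of a file (sha256sum on Linux, shasum where that is missing).
file_hash() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# swap_in_debug LIB_DIR JAR_NAME DEBUG_JAR BACKUP_DIR
# Moves the production jar to BACKUP_DIR as JAR_NAME.save, records its hash,
# and installs DEBUG_JAR under the production name.
# Returns 1 on missing input, 2 if BACKUP_DIR is inside LIB_DIR,
# 3 if a backup already exists (a previous swap was never undone).
swap_in_debug() {
    lib=$1; name=$2; debug=$3; backup=$4
    [ -f "$lib/$name" ] && [ -f "$debug" ] && [ -d "$backup" ] || return 1
    lib_real=$(cd "$lib" && pwd -P); backup_real=$(cd "$backup" && pwd -P)
    case "$backup_real/" in "$lib_real/"*) return 2 ;; esac
    [ ! -e "$backup/$name.save" ] || return 3
    file_hash "$lib/$name" > "$backup/$name.sha256"
    mv "$lib/$name" "$backup/$name.save" && cp "$debug" "$lib/$name"
}

# restore_production LIB_DIR JAR_NAME BACKUP_DIR
# Deletes the debug jar and puts the saved production jar back.
# Returns 1 if there is nothing to restore, 2 if the saved jar no longer
# matches the hash recorded at swap time (LIB_DIR is left untouched).
restore_production() {
    lib=$1; name=$2; backup=$3
    [ -f "$backup/$name.save" ] && [ -f "$backup/$name.sha256" ] || return 1
    [ "$(file_hash "$backup/$name.save")" = "$(cat "$backup/$name.sha256")" ] || return 2
    rm -f "$lib/$name" && mv "$backup/$name.save" "$lib/$name" && rm -f "$backup/$name.sha256"
}
```

For the V5.1 procedure the call would be swap_in_debug install_root/java/jre/lib ibmjsseprovider.jar ibmjsseprovider_debug.jar followed by a backup directory of your choosing, then restore_production with the same first two arguments and that backup directory after the trace has been captured.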
 
Related information
MustGather for security problems in WebSphere
Submitting information to IBM support
Steps to get support for WebSphere Application Server
MustGather: Read first
Troubleshooting guide
 
 
Cross Reference information
Segment: Application Servers
Product: Runtimes for Java Technology
Component: Java SDK
Platform:
Version:
Edition:
 
 


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > Java Security (JSSE/JCE)
Operating system(s): Windows
Software version: 6.1
Software edition:
Reference #: 1162961
IBM Group: Software Group
Modified date: Sep 10, 2004