If you have already contacted support, continue on to the
component-specific MustGather information. Otherwise, click: MustGather:
Read first for IBM HTTP Server.
Note: Collecting the following MustGather information has been
automated in the IBM
Support Assistant product feature for WebSphere Application Server.
For more information about this automated data collection feature, see Using
IBM Support Assistant to collect MustGather data.
SSL handshake and configuration specific MustGather information
The following contains a list of files that are needed for debugging SSL
handshake and configuration issues:
- IBM HTTP Server version.
Type one of the following commands to display the full IBM HTTP Server
version:
- For Windows®:
- For all releases of V1.3.12, 1.3.19, 1.3.26, 1.3.28,
2.0.42, 2.0.47, 6.0:
- For UNIX®:
- For all releases of V1.3.12, 1.3.19, 1.3.26, 1.3.28:
install_root/bin/httpd
-ver |
|
- For all releases of V2.0.42, 2.0.47, 6.0:
install_root/bin/apachectl -V |
|
- Configuration file:
install_root/conf/httpd.conf |
|
- Error log:
- For Windows:
install_root/logs/error.log |
|
- For UNIX:
install_root/logs/error_log |
|
- Access log:
- For Windows:
install_root/logs/access.log |
|
- For UNIX:
install_root/logs/access_log |
|
- Global Security Kit (GSKit) version.
Type one of the following commands to display the full GSKit version:
- For Windows:
- For all releases of V1.3.12:
/program
files/ibm/gsk4/bin/gsk4ver.exe |
|
- For all releases of V1.3.19, 1.3.26, 2.0.42:
/program
files/ibm/gsk5/bin/gsk5ver.exe |
|
- For all releases of V1.3.28, 2.0.47, 6.0:
/program
files/ibm/gsk7/bin/gsk7ver.exe |
|
- For AIX®:
- For all releases of V1.3.12:
/usr/opt/ibm/gskit/bin/gsk4ver |
|
- For all releases of V1.3.19, 1.3.26, 2.0.42:
/usr/opt/ibm/gskkm/bin/gsk5ver |
|
- For all releases of V1.3.28, 2.0.47, 6.0:
/usr/opt/ibm/gskkm/bin/gsk7ver |
|
- For Solaris™:
- For all releases of V1.3.12:
/opt/ibm/gsk4/bin/gsk4ver |
|
- For all releases of V1.3.19, 1.3.26, 2.0.42:
/opt/ibm/gsk5/bin/gsk5ver |
|
- For all releases of V1.3.28, 2.0.47, 6.0:
/opt/ibm/gsk7/bin/gsk7ver |
|
- For HP-UX:
- For all releases of V1.3.12:
/opt/ibm/gsk4/bin/gsk4ver |
|
- For all releases of V1.3.19, 1.3.26, 2.0.42:
/opt/ibm/gsk5/bin/gsk5ver |
|
- For all releases of V1.3.28, 2.0.47, 6.0:
/opt/ibm/gsk7/bin/gsk7ver |
|
- For Linux®:
- For all releases of V1.3.12:
/usr/local/ibm/gsk4/bin/gsk4ver |
|
- For all releases of V1.3.19, 1.3.26, 2.0.42:
/usr/local/ibm/gsk5/bin/gsk5ver |
|
- For all releases of V1.3.28, 2.0.47, 6.0:
/usr/local/ibm/gsk7/bin/gsk7ver |
|
- Traces for GSKit and SSL:
- For IBM HTTP Server standalone:
- Stop IBM HTTP Server.
- Clear all logs in the install_root/logs
directory.
- Edit the httpd.conf file:
- Change Loglevel to debug.
- Add SSLTrace directive to the bottom at the httpd.conf
file.
- Enable GSKit trace:
- For Windows:
- Create the following system variable:
- Set the value with the name for the log file; for example:
c:\gsktrace.log.
- For UNIX:
As the user ID that starts the IBM HTTP Server, create the following
environment variable:
GSK_TRACE_FILE |
You can create the environment variable in either of the two ways:
- setenv GSK_TRACE_FILE value (full path and
filename)
csh example:
setenv GSK_TRACE_FILE
/usr/HTTPServer/logs/gsktrace_log |
OR
 |
- export GSK_TRACE_FILE=value (full path and
filename)
ksh example:
export
GSK_TRACE_FILE=/usr/HTTPServer/logs/gsktrace_log |
|
|
- Enable a packet trace on the IBM HTTP Server machine to capture ip
traffic between the web server and the client browser. Description of
available packet trace tools can be found here... Edge_Component/swg21175744.html
- Start IBM HTTP Server.
- Recreate the problem.
- Capture a netstat -na > netstat.out.
- Collect the following data files:
- httpd.conf, error_log, access_log
- netstat.out
- gsktrace_log
- packet trace
- key.kdb, key.crl, key.rdb, key.sth (include password)
- Include the date and time of failure along with the
browser version and the full URL that resulted in the SSL failure. For
example:
https:
//www.mycompany.com/mystuff/goodies/index.html |
|
- Follow instructions to send
diagnostic information to IBM support.
- For IBM HTTP Server with WebSphere Application
Server:
- Stop IBM HTTP Server and WebSphere Application Server.
- Clear all logs in the IBM HTTP Server directory:
- Clear all logs in the WebSphere Application Server directory:
- Edit the plugin-cfg.xml file and change Loglevel to
Trace (Plug-in Trace); for example:
<Log LogLevel="Trace"
Name="/pathto/logs/native.log"/> |
 |
- Edit the httpd.conf file:
- Change Loglevel to debug.
- Add SSLTrace directive to the bottom at the httpd.conf file.
- Enable GSKit trace:
- For Windows:
- Create a system variable called:
- Set the value with the name for the log file; for example:
c:\gsktrace.log
- For UNIX:
As the user ID that starts the IBM HTTP Server, create an environment
variable called:
GSK_TRACE_FILE |
You can create the environment variable in either of two ways:
- setenv GSK_TRACE_FILE value (full path and
filename)
csh example:
setenv GSK_TRACE_FILE
/usr/HTTPServer/logs/gsktrace_log |
OR
 |
- export GSK_TRACE_FILE=value (full path and
filename)
ksh example:
export
GSK_TRACE_FILE=/usr/HTTPServer/logs/gsktrace_log |
|
|
 |
- Enable a packet trace on the IBM HTTP Server machine to capture ip
traffic between the web server and the client browser. Description of
available packet trace tools can be found here... Edge_Component/swg21175744.html
- Restart IBM HTTP Server and WebSphere Application Server.
- Recreate the problem.
- Capture a netstat -na > netstat.out.
- Collect the following data files:
- httpd.conf, error_log, access_log
- plugin-cfg.xml
- native.log (V4.0x), http_plugin.log (V5.0x)
- stderr and stdout
- netstat.out
- gsktrace_log
- packet trace
- key.kdb, key.crl, key.rdb, key.sth (include password)
- plugin-key.kdb, plugin-key.sth
- Include the date and time of failure along with the
browser version and the full URL that resulted in the SSL failure. For
example:
https://www.mycompany.com/mystuff/goodies/index.jsp |
|
- Follow instructions to send
diagnostic information to IBM support.
For a listing of all technotes, downloads, and educational materials
specific to IBM HTTP Server SSL handshake and configuration issues, search
the IBM
HTTP Server support site.
|