If you have already contacted support, continue to the
component-specific MustGather information. Otherwise, click: MustGather:
Read first for all WebSphere Application Server products.
Java Security (JSSE/JCE) specific MustGather information.
- The following information is required for all versions:
- If you are using the default Java Secure Socket Extension (JSSE)
providers or if you have modified your java.security file.
- Where is the SSL problem occurring?
- Between the client (browser) and the Web server?
For example: When trying to access a Web resource on the Web
server over HTTPS.
- Between the client (browser) and the Application Server built-in Web
server?
For example: When trying to access the Application Server
Administrative Console.
- Between the Web server plug-in and the Application Server?
For example: When trying to access a Web resource on the
Application Server over HTTPS.
- Using SSL when connecting to directory servers (LDAP)?
- Using your own application to make an HTTPS call to a remote Web site?
- Using your own application to make an SSL connection?
- Are you using the default (dummy) certificates, a self-signed
certificate, or a Certificate Authority (CA) issued certificate. Have you
made any recent changes to your certificate?
- If you changed your default key, did you change your keystore files?
- The following three items are required for all versions
of Application Server:
- Collect the java.security file. This file is located in the
following directory:
install_root/java/jre/lib/security |
|
- Collect the keyfiles, trustfiles, cacerts files, and plugin.kdb files.
Collect a Java Secure Socket Extension (JSSE) debug trace of the problem
if possible.
- For all releases of V4.0.5 through 4.0.7:
Note: For V4.0 you will need to contact WebSphere support to get a
copy of the ibmjsse-debug.jar referenced below
- Open the install_root/bin/admin.config in an
editor
- Add the following line to the end of the file
javax.net.debug=true |
Note: You must have a tracefile enabled to capture the standard output
from the Admin Server
|
- Stop the server
- Move the
install_root/java/jre/lib/ext/ibmjsse.jar to a
temporary directory outside of the classpath (i.e. /tmp)
- Copy the provided ibmjsse-debug.jar to the
install_root/java/jre/lib/ext directory
- Start the server and recreate the problem
Note: The JSSE trace will be output to the tracefile as specified in
the admin.config
- Follow instructions to send
diagnostic information to IBM support
- For all releases of V5.0 running JDK™ version
1.3:
To determine the Java version, run java
-fullversion from the install_root/java/bin
directory.
- Note: Contact WebSphere support to get a copy
of the ibmjsse-debug.jar referenced below
- Specify the javax.net.debug system property:
- In the Administrative Console, select the following: Servers >
Application Servers > server_name > Process Definition
> Java Virtual Machine > Custom Properties > New
- Type the following:
Name: javax.net.debug
Value: true
- Click OK
- Save your changes to the master configuration
- Expand TroubleShooting > Logs and Trace >
server_name
- Select JVM Logs. Increase the file size to 20 MB. Increase the
Maximum Number of Historical Files from 1 to 10.
- Save your changes to the master configuration
- Stop the server
- Move the
install_root/java/jre/lib/ext/ibmjsse.jar to a
temporary directory outside of the classpath (i.e. /tmp)
- Copy the ibmjsse-debug.jar from
install_root/web/docs/jsse to the
install_root/java/jre/lib/ext directory
- Start the server and recreate the problem
Note: The output will be in the file specified in Application Servers
> server_name > Logging and Tracing > JVM Logs.
The default is set to the SystemOut.log file
- Run the Collector
Tool located in the install_root/bin
directory
- Follow instructions to send
diagnostic information to IBM support
- For all releases of V5.1 running JDK version
1.4:
- To determine the Java version,
run java -fullversion from the
install_root/java/bin directory.
Note: Contact WebSphere support to get a copy of
the ibmjsseprovider_debug.jar referenced
below
- Specify the javax.net.debug system property:
- In the Administrative Console, select the following: Servers >
Application Servers > server_name > Process Definition
> Java Virtual Machine > Custom Properties > New
- Type the following:
Name: javax.net.debug
Value: true
- Click OK
- Save your changes to the master configuration
- Expand TroubleShooting > Logs and Trace >
server_name
- Select JVM Logs. Increase the file size to 20 MB. Increase the
Maximum Number of Historical Files from 1 to 10.
- Save your changes to the master configuration
- Stop the server
Please note the special instructions for Solaris™ and HP installations
at the bottom of this document and skip steps 7 - 10.
- Rename ibmjsseprovider.jar
in install_root/java/jre/lib to
ibmjsseprovider.jar.save
- Move ibmjsseprovider.jar.save to a directory that is not used
by the IBM JVM.
- Copy the ibmjsseprovider_debug.jar to
ibmjsseprovider.jar
- Move the debug ibmjsseprovider.jar to
install_root/java/jre/lib
- Start the server and recreate the problem
- Delete the debug ibmjsseprovider.jar in
install_root/java/jre/lib
- Move ibmjsseprovider.jar.save to
install_root/java/jre/lib
- Rename ibmjsseprovider.jar.save to be
ibmjsseprovider.jar
- Start the server and recreate the problem
Note: The output will be in the file specified in Application Servers
> server_name > Logging and Tracing > JVM Logs.
The default is set to the SystemOut.log file
- Run the Collector
Tool located in the install_root/bin
directory
- Follow instructions to send
diagnostic information to IBM support
- For all releases of V6.0:
-
- Specify the javax.net.debug system property:
- In the Administrative Console, select the following: Servers >
Application Servers > server_name > Expand Java and
Process Management (under Server Infrastructure) - >Process
Definition > Java Virtual Machine > Custom Properties > New
To trace the Deployment Manager, select the following: System
Administration > Deployment Manager > Expand Java and Process
Management (under Server Infrastructure) >Process Definition
> Java Virtual Machine > Custom Properties > New
- Type the following:
Name: javax.net.debug
Value: true
- Click OK
- Save your changes to the master configuration
- Expand TroubleShooting > Logs and Trace >
server_name.
- Select JVM Logs. Increase the file size to 20 MB. Increase the
Maximum Number of Historical Files from 1 to 10.
Please note the special instructions for Solaris and HP installations
at the bottom of this document if you are using JSSE (as opposed to the
default of JSSE2)
- Save your changes to the master configuration
- Stop the server
- Start the server and recreate the problem
Note: The output will be in the file specified in Application Servers
> server_name > Logging and Tracing > JVM Logs.
The default is set to the SystemOut.log file
- Run the Collector
Tool located in the install_root/bin directory
- Follow instructions to send
diagnostic information to IBM support
- For all releases of V6.1:
- Specify the javax.net.debug system property:
- In the Administrative Console, select the following: Servers >
Application Servers > server_name > Expand Java and
Process Management (under Server Infrastructure) - >Process
Definition > Java Virtual Machine > Custom Properties > New
To trace the Deployment Manager, select the following: System
Administration > Deployment Manager > Expand Java and Process
Management (under Server Infrastructure) >Process Definition
> Java Virtual Machine > Custom Properties > New
- Type the following:
Name: javax.net.debug
Value: true
- Click Apply, and Save.
- Save your changes to the master configuration
- Expand TroubleShooting > Logs and Trace >
server_name
- Select Diagnostic Trace Service. Increase the Maximum Number
of Historical Files from 1 to 10.
- Click Apply, then select Change Log Detail Levels.
- Clear the trace string in the box and replace it with the following
trace string:
SSL=all |
|
 |
- Click Apply, and Save.
- Save your changes to the master configuration
- Stop the server
- Start the server and recreate the problem
Note: The output will be in the file specified in Application Servers
> server_name > Logging and Tracing > JVM Logs.
The default is set to the SystemOut.log file
and trace.log
- Run the Collector
Tool located in the install_root/bin directory
- Follow instructions to send
diagnostic information to IBM support
If asked to run JSSE client traces, please do the following in
addition to server side traces:
- Add the -Djavax.net.debug=true to the Java
command line or modify the calling script to include the debug statement.
The output will go to standard out, so please redirect this output to a
file.
- This only works if is using IBM JDK along with the corresponding JDK
version debug file in place.
- For JDK 1.3 use ibmjsse-debug.jar
- For JDK 1.4 use ibmjsseprovider_debug.jar
For a listing of all technotes, downloads, and educational materials
specific to the Java Security (JSSE/JCE) component, search the WebSphere
Application Server support site.
For Solaris and HP installations using JSSE at 1.4. (all releases) SDK
please do the following:
- Contact IBM for the debug_jsse.jar
- Move the jsse.jar from java/jre/lib outside of the WebSphere
installation. Rename the debug_jsse.jar to jsse.jar and place it in
install_root/java/jre/lib
|