Security components troubleshooting tips

This document explains basic resources and steps for diagnosing security-related issues in WebSphere Application Server, including:

The following security-related problems are addressed elsewhere in the information center:

If none of these steps solves the problem, check to see if the problem has been identified and documented using the links in Diagnosing and fixing problems: Resources for learning.

Note: For an overview of WebSphere Application Server security components such as z/SAS and how they work, see Getting started with security.

Log files

SDSF output logs

When troubleshooting the security component, browse the SDSF logs for the server that hosts the resource you are trying to access. The following is a sample of messages you would expect to see from a server in which the security service has started successfully:

Messages beginning with BBOM0001I are related to z/OS-specific implementations
of z/SAS and CSIv2. They appear in both the controller and servant
but are only applicable in the controller.

 BBOM0001I com_ibm_Server_Security_Enabled: 1.
 BBOM0001I com_ibm_CSI_claimTLClientAuthenticationSupported: 1.
 BBOM0001I com_ibm_CSI_claimTLClientAuthenticationRequired: 0.
 BBOM0001I com_ibm_CSI_claimTransportAssocSSLTLSSupported: 1.
 BBOM0001I com_ibm_CSI_claimTransportAssocSSLTLSRequired: 0.
 BBOM0001I com_ibm_CSI_claimMessageConfidentialityRequired: 0.
 BBOM0001I com_ibm_CSI_claimClientAuthenticationSupported: 1.
 BBOM0001I com_ibm_CSI_claimClientAuthenticationRequired: 0.
 BBOM0001I com_ibm_CSI_claimClientAuthenticationtype:
 SAFUSERIDPASSWORD.
 BBOM0001I com_ibm_CSI_claimIdentityAssertionTypeSAF: 0.
 BBOM0001I com_ibm_CSI_claimIdentityAssertionTypeDN: 0.
 BBOM0001I com_ibm_CSI_claimIdentityAssertionTypeCert: 0.
 BBOM0001I com_ibm_CSI_claimMessageIntegritySupported: NOT SET,DEFAULT=1.
 BBOM0001I com_ibm_CSI_claimMessageIntegrityRequired: NOT SET,DEFAULT=1.
 BBOM0001I com_ibm_CSI_claimStateful: 1.
 BBOM0001I com_ibm_CSI_claimSecurityLevel: HIGH.
 BBOM0001I com_ibm_CSI_claimSecurityCipherSuiteList: NOT SET.
 BBOM0001I com_ibm_CSI_claimKeyringName: WASKeyring.
 BBOM0001I com_ibm_CSI_claim_ssl_sys_v2_timeout: NOT SET, DEFAULT=100.
 BBOM0001I com_ibm_CSI_claim_ssl_sys_v3_timeout: 600.
 BBOM0001I com_ibm_CSI_performTransportAssocSSLTLSSupported: 1.
 BBOM0001I security_sslClientCerts_allowed: 0.
 BBOM0001I security_kerberos_allowed: 0.
 BBOM0001I security_userid_password_allowed: 0.
 BBOM0001I security_userid_passticket_allowed: 1.
 BBOM0001I security_assertedID_IBM_accepted: 0.
 BBOM0001I security_assertedID_IBM_sent: 0.
 BBOM0001I nonauthenticated_clients_allowed: 1.
 BBOM0001I security_remote_identity: WSGUEST.
 BBOM0001I security_local_identity: WSGUEST.
 BBOM0001I security_EnableRunAsIdentity: 0.

Messages beginning with BBOO0222I are common to Java WebSphere security.
They appear in both the controller and servant but are applicable to the servant.

 BBOO0222I SECJ0240I: Security service initialization completed successfully
 BBOO0222I SECJ0215I: Successfully set JAAS login provider
 configuration class to com.ibm.ws.security.auth.login.Configuration.
 BBOO0222I SECJ0136I: Custom
 Registry:com.ibm.ws.security.registry.zOS.SAFRegistryImpl has been  initialized
 BBOO0222I SECJ0157I: Loaded Vendor AuthorizationTable:
 com.ibm.ws.security.core.SAFAuthorizationTableImpl
 BBOO0222I SECJ0243I: Security service started successfully
 BBOO0222I SECJ0210I: Security enabled true
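
The following is an added example, not IBM code: a small checker that rejoins wrapped SDSF lines, reads the BBOM0001I settings (including the NOT SET,DEFAULT= form) and reports which of the SECJ startup messages listed above are absent. The function names and the sample log are constructed for illustration, and the script assumes the log has been saved as plain text in the layout shown above.

```python
import re

# Constructed sample in the SDSF layout shown above (not taken from a real server).
SAMPLE_LOG = """\
 BBOM0001I com_ibm_Server_Security_Enabled: 1.
 BBOM0001I com_ibm_CSI_claimClientAuthenticationtype:
 SAFUSERIDPASSWORD.
 BBOM0001I com_ibm_CSI_claimMessageIntegritySupported: NOT SET,DEFAULT=1.
 BBOM0001I com_ibm_CSI_claimKeyringName: WASKeyring.
 BBOM0001I nonauthenticated_clients_allowed: 1.
 BBOO0222I SECJ0240I: Security service initialization completed successfully
 BBOO0222I SECJ0215I: Successfully set JAAS login provider
 configuration class to com.ibm.ws.security.auth.login.Configuration.
 BBOO0222I SECJ0136I: Custom
 Registry:com.ibm.ws.security.registry.zOS.SAFRegistryImpl has been  initialized
 BBOO0222I SECJ0210I: Security enabled true
"""

# Message IDs that appear in the successful-start sample on this page.
EXPECTED_SECJ = ("SECJ0240I", "SECJ0215I", "SECJ0136I",
                 "SECJ0157I", "SECJ0243I", "SECJ0210I")

# A new message starts with an ID such as BBOM0001I, BBOO0222I or BBOS1000W.
MSG_START = re.compile(r"^\s*(BBO[A-Z]\d{4}[A-Z])\s+(.*)$")


def unwrap(text):
    """Return [(message_id, body)] with wrapped continuation lines rejoined."""
    messages = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = MSG_START.match(line)
        if m:
            messages.append([m.group(1), m.group(2).strip()])
        elif messages:
            # No message ID: this line continues the previous message.
            messages[-1][1] += " " + line.strip()
    return [tuple(m) for m in messages]


def parse_settings(messages):
    """Map each BBOM0001I setting to (effective_value, explicitly_set)."""
    settings = {}
    for msg_id, body in messages:
        if msg_id != "BBOM0001I":
            continue
        m = re.match(r"(\S+):\s*(.*?)\.?$", body)
        if not m:
            continue
        name, value = m.groups()
        unset = re.fullmatch(r"NOT SET(?:,\s*DEFAULT=(.+))?", value)
        if unset:
            # The effective value is the logged default (None if none is logged).
            settings[name] = (unset.group(1), False)
        else:
            settings[name] = (value, True)
    return settings


def missing_startup_messages(messages, expected=EXPECTED_SECJ):
    """Return the expected SECJ message IDs that never appear under BBOO0222I."""
    seen = set()
    for msg_id, body in messages:
        if msg_id == "BBOO0222I":
            seen.update(re.findall(r"\bSECJ\d{4}[A-Z]\b", body))
    return [code for code in expected if code not in seen]


if __name__ == "__main__":
    msgs = unwrap(SAMPLE_LOG)
    for name, (value, explicit) in sorted(parse_settings(msgs).items()):
        print("%-50s %-20s %s" % (name, value, "" if explicit else "(default)"))
    print("missing startup messages:", missing_startup_messages(msgs))
```
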

General approach for troubleshooting security-related issues

When troubleshooting security-related problems, consider the following questions:

Does the problem occur when security is disabled?
This is a good litmus test to determine that a problem is security related. However, just because a problem only occurs when security is enabled does not always make it a security problem. More troubleshooting is necessary to ensure the problem is really security-related.
Did security appear to initialize properly?
A lot of security code is visited during initialization, so if the problem is configuration-related you will likely see problems there first. The following sequence of messages generated in the SDSF active log indicates normal code initialization of an application server. Non-security messages have been removed from the sequence that follows. This sequence will vary based on the configuration, but the messages are similar:
 Trace: 2003/08/25 13:06:31.034 01 t=9EA930 c=UNK key=P8 (13007002)
   FunctionName: com.ibm.ws.security.auth.login.Configuration
   SourceId: com.ibm.ws.security.auth.login.Configuration
   Category: AUDIT
   ExtendedMessage: SECJ0215I: Successfully set JAAS login provider 
   configuration class to com.ibm.ws.security.auth.login.Configuration.
 Trace: 2003/08/25 13:06:31.085 01 t=9EA930 c=UNK key=P8 (13007002)
   FunctionName: com.ibm.ws.security.core.SecurityDM
   SourceId: com.ibm.ws.security.core.SecurityDM
   Category: INFO
   ExtendedMessage: SECJ0231I: The Security component's 
   FFDC Diagnostic Module com.ibm.ws.security.core.SecurityDM 
   registered successfully: true.
 Trace: 2003/08/25 13:06:31.086 01 t=9EA930 c=UNK key=P8 (0000000A)
   Description: Log Boss/390 Error
   from filename: ./bborjtr.cpp
   at line: 812
   error message: BBOO0222I SECJ0231I: The Security component's 
FFDC Diagnostic Module com.ibm.ws.security.core.SecurityDM registered
  successfully: true.
 Trace: 2003/08/25 13:06:32.426 01 t=9EA930 c=UNK key=P8 (13007002)
   FunctionName: com.ibm.ws.security.core.SecurityComponentImpl
   SourceId: com.ibm.ws.security.core.SecurityComponentImpl
   Category: INFO
   ExtendedMessage: SECJ0309I: Java 2 Security is disabled.
 Trace: 2003/08/25 13:06:32.427 01 t=9EA930 c=UNK key=P8 (0000000A)
   Description: Log Boss/390 Error
   from filename: ./bborjtr.cpp
   at line: 812
   error message: BBOO0222I SECJ0309I: Java 2 Security is disabled.
 Trace: 2003/08/25 13:06:32.445 01 t=9EA930 c=UNK key=P8 (13007002)
   FunctionName: com.ibm.ws.security.core.SecurityComponentImpl
   SourceId: com.ibm.ws.security.core.SecurityComponentImpl
   Category: INFO
   ExtendedMessage: SECJ0212I: WCCM JAAS configuration information 
successfully pushed to login provider class.
 Trace: 2003/08/25 13:06:32.445 01 t=9EA930 c=UNK key=P8 (0000000A)
   Description: Log Boss/390 Error
   from filename: ./bborjtr.cpp
   at line: 812
   error message: BBOO0222I SECJ0212I: WCCM JAAS configuration
 information successfully pushed to login provider class.
 Trace: 2003/08/25 13:06:32.459 01 t=9EA930 c=UNK key=P8 (13007002)
   FunctionName: SecurityComponentImpl
   SourceId: SecurityComponentImpl
   Category: WARNING
   ExtendedMessage: BBOS1000W  LTPA or ISCF are configured as the 
authentication mechanism but SSO is disabled.
 Trace: 2003/08/25 13:06:32.459 01 t=9EA930 c=UNK key=P8 (0000000A)
   Description: Log Boss/390 Error
   from filename: ./bborjtr.cpp
   at line: 824
   error message: BBOS1000W  LTPA or ISCF are configured as the 
authentication mechanism but SSO is disabled.
 Trace: 2003/08/25 13:06:32.463 01 t=9EA930 c=UNK key=P8 (13007002)
   FunctionName: com.ibm.ws.security.core.SecurityComponentImpl
   SourceId: com.ibm.ws.security.core.SecurityComponentImpl
   Category: INFO
   ExtendedMessage: SECJ0240I: Security service initialization completed 
successfully
 Trace: 2003/08/25 13:06:32.463 01 t=9EA930 c=UNK key=P8 (0000000A)
   Description: Log Boss/390 Error
   from filename: ./bborjtr.cpp
   at line: 812
   error message: BBOO0222I SECJ0240I: Security service initialization 
completed successfully
 Trace: 2003/08/25 13:06:39.718 01 t=9EA930 c=UNK key=P8 (13007002)
   FunctionName: com.ibm.ws.security.registry.UserRegistryImpl
   SourceId: com.ibm.ws.security.registry.UserRegistryImpl
   Category: AUDIT
   ExtendedMessage: SECJ0136I: Custom Registry:
com.ibm.ws.security.registry.zOS.SAFRegistryImpl has been initialized
 Trace: 2003/08/25 13:06:41.967 01 t=9EA930 c=UNK key=P8 (13007002)
   FunctionName: com.ibm.ws.security.core.WSAccessManager
   SourceId: com.ibm.ws.security.core.WSAccessManager
   Category: AUDIT
   ExtendedMessage: SECJ0157I: Loaded Vendor AuthorizationTable: 
com.ibm.ws.security.core.SAFAuthorizationTableImpl
 Trace: 2003/08/25 13:06:43.136 01 t=9EA930 c=UNK key=P8 (13007002)
   FunctionName: com.ibm.ws.security.role.RoleBasedAuthorizerImpl
   SourceId: com.ibm.ws.security.role.RoleBasedAuthorizerImpl
   Category: AUDIT
   ExtendedMessage: SECJ0157I: Loaded Vendor AuthorizationTable: 
com.ibm.ws.security.core.SAFAuthorizationTableImpl
 Trace: 2003/08/25 13:06:43.789 01 t=9EA930 c=UNK key=P8 (13007002)
   FunctionName: com.ibm.ws.security.core.SecurityComponentImpl
   SourceId: com.ibm.ws.security.core.SecurityComponentImpl
   Category: INFO
   ExtendedMessage: SECJ0243I: Security service started successfully
 Trace: 2003/08/25 13:06:43.789 01 t=9EA930 c=UNK key=P8 (0000000A)
   Description: Log Boss/390 Error
   from filename: ./bborjtr.cpp
   at line: 812
   error message: BBOO0222I SECJ0243I: Security service started successfully
 Trace: 2003/08/25 13:06:43.794 01 t=9EA930 c=UNK key=P8 (13007002)
   FunctionName: com.ibm.ws.security.core.SecurityComponentImpl
   SourceId: com.ibm.ws.security.core.SecurityComponentImpl
   Category: INFO
   ExtendedMessage: SECJ0210I: Security enabled true
 Trace: 2003/08/25 13:06:43.794 01 t=9EA930 c=UNK key=P8 (0000000A)
   Description: Log Boss/390 Error
   from filename: ./bborjtr.cpp
   at line: 812
   error message: BBOO0222I SECJ0210I: Security enabled true
 Trace: 2003/08/25 13:07:06.474 01 t=9EA930 c=UNK key=P8 (13007002)
   FunctionName: com.ibm.ws.security.core.WSAccessManager
   SourceId: com.ibm.ws.security.core.WSAccessManager
   Category: AUDIT
   ExtendedMessage: SECJ0157I: Loaded Vendor AuthorizationTable: 
com.ibm.ws.security.core.SAFAuthorizationTableImpl
 Trace: 2003/08/25 13:07:09.315 01 t=9EA930 c=UNK key=P8 (13007002)
   FunctionName: com.ibm.ws.security.core.WSAccessManager
   SourceId: com.ibm.ws.security.core.WSAccessManager
   Category: AUDIT
   ExtendedMessage: SECJ0157I: Loaded Vendor AuthorizationTable: 
com.ibm.ws.security.core.SAFAuthorizationTableImpl
Is this a distributed security problem or a local security problem?
  • If the problem is local, that is, the code involved does not make a remote method invocation, then troubleshooting is isolated to a single process. It is important to know whether a problem is local or distributed because the behavior of the ORB, among other components, is different between the two. Once a remote method invocation takes place, an entirely different security code path is entered.
  • When you know that the problem involves two or more servers, the techniques of troubleshooting change. You will need to trace all servers involved simultaneously so that the trace shows the client and server sides of the problem. Try to make sure the timestamps on all machines match as closely as possible so that you can find the request and reply pair from two different processes.
Is the problem related to authentication or authorization?
Most security problems fall under one of these two categories. Authentication is the process of determining who the caller is. Authorization is the process of validating that the caller has the proper authority to invoke the requested method. When authentication fails, the cause is typically related to the authentication protocol, the authentication mechanism, or the user registry. When authorization fails, the cause is usually related to the application bindings from assembly or deployment, to the identity of the caller who is accessing the method, and to the roles required by the method.
Is this a Web or EJB request?

Web requests have a completely different code path than EJB requests. Also, there are different security features for Web requests than for EJB requests, requiring a completely different body of knowledge to resolve. For example, when using the LTPA authentication mechanism, the Single SignOn feature is available for Web requests but not for EJB requests. Web requests involve HTTP header information not required by EJB requests due to the protocol differences. Also, the Web container (or servlet engine) is involved in the entire process. Any of these components could be involved in the problem and all should be considered during troubleshooting, based on the type of request and where the failure occurs.

Secure EJB requests are passed from the controller to the servant. Web requests are mostly ignored by the controller. As a result, EJB requests are first processed and authenticated by the z/SAS or CSIv2 layers of security. Authorization is done by the servant. If an authentication failure occurs, the z/SAS type level of tracing must be turned on to diagnose the problem. Other problems can be diagnosed using the Setting up component trace (CTRACE) facility.

Does the problem seem to be related to the Secure Sockets Layer (SSL)?

Secure Sockets Layer (SSL) is a distinct, separate layer of security. Troubleshooting SSL problems is usually separate from troubleshooting authentication and authorization problems. There are many things to consider. Usually, SSL problems are first-time setup problems because the configuration can be difficult. Each client must contain the server's signer certificate. During mutual authentication, each server must contain the client's signer certificate. Also, there can be protocol differences (SSLv3 versus TLS) and listener port problems related to stale IORs (that is, IORs from a server reflecting the port prior to the server restarting).

In z/OS, two variations of SSL are used. To determine the cause of an SSL problem on z/OS, you need to know which protocol is being used. System SSL is used by the IIOP and HTTPS protocols. Java Secure Socket Extension (JSSE) is used by all other protocols, for example, Simple Object Access Protocol (SOAP). System SSL requests are handled in the controller and are used by z/SAS and CSIv1 security. JSSE is predominantly used by the servant, but there are cases where it is used in the controller as well.

For SSL problems, we sometimes request an SSL trace to determine what is happening with the SSL handshake. The SSL handshake is the process that occurs when a client opens a socket to a server. If anything goes wrong with the key exchange, cipher exchange, and so on, the handshake fails and the socket is invalid. Tracing JSSE (the SSL implementation used in WebSphere Application Server) involves the following steps:

  • Set the following system property on the client and server processes: -Djavax.net.debug=true. For the server, add this to the Generic JVM Arguments property of the Java virtual machine settings page.
  • Recreate the problem. The SDSF active log of both processes should contain the JSSE trace. You will find a trace similar to the following:
     JSSEContext: handleConnection[Socket
    [addr=boss0106.plex1.l2.ibm.com/9.38.48.108,port=2139,localport=8878]]
     JSSEContext: handleConnection[Socket
    [addr=boss0106.plex1.l2.ibm.com/9.38.48.108,port=2140,localport=8878]]
     TrustManagerFactoryImpl: trustStore is :
     /WebSphere/V5R0M0/AppServer/etc/DummyServerTrustFile.jks
     TrustManagerFactoryImpl: trustStore type is : JKS
     TrustManagerFactoryImpl: init truststore
     JSSEContext: handleConnection[Socket
    [addr=boss0106.plex1.l2.ibm.com/9.38.48.108,port=2142,localport=8878]]
     KeyManagerFactoryImpl: keyStore is : 
    /WebSphere/V5R0M0/AppServer/etc/DummyServerKeyFile.jks
     KeyManagerFactoryImpl: keyStore type is : JKS
     KeyManagerFactoryImpl: init keystore
     KeyManagerFactoryImpl: init keystore
     JSSEContext: handleConnection[Socket
    [addr=boss0106.plex1.l2.ibm.com/9.38.48.108,port=2143,localport=8878]]
     JSSEContext: handleSession[Socket
    [addr=BOSSXXXX.PLEX1.L2.IBM.COM/9.38.48.108,port=8879,localport=2145]]
     JSSEContext:  confirmPeerCertificate
    [Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM/9.38.48.108,port=8879,
      localport=2145]]
     X509TrustManagerImpl: checkServerTrusted
     X509TrustManagerImpl: Certificate [
     [
       Version: V3
       Subject: CN=jserver, OU=SWG, O=IBM, C=US
       Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
    0  Key:  IBMJCE RSA Public Key:
     modulus:
     10094996692239509074796828756118539107568369566313889955538950668
    6622953008589748001058216362638201577071902071311277365773252660799
     128781182947273802312699983556527878615792292244995317112436562491
    489904381884265119355037731265408654007388863303101746314438337601
     264540735679944205391693242921331551342247891
     public exponent:
     65537
    0  Validity: [From: Fri Jun 21 20:08:18 GMT 2002,
                    To: Thu Mar 17 20:08:18 GMT 2005]
       Issuer: CN=jserver, OU=SWG, O=IBM, C=US
       SerialNumber: [    3d1387b2 ]
    0]
       Algorithm: [MD5withRSA]
    0]
     X509TrustManagerImpl: Certificate [
     [
       Version: V3
       Subject: CN=jserver, OU=SWG, O=IBM, C=US
       Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
    0  Key:  IBMJCE RSA Public Key:
     modulus:
     1009499669223950907479682875611853910756836956631388995553895066866
    22953008589748001058216362638201577071902071311277365773252660799
     1287811829472738023126999835565278786157922922449953171124365624914
    89904381884265119355037731265408654007388863303101746314438337601
     264540735679944205391693242921331551342247891
     public exponent:
     65537
    0  Validity: [From: Fri Jun 21 20:08:18 GMT 2002,
                    To: Thu Mar 17 20:08:18 GMT 2005]
       Issuer: CN=jserver, OU=SWG, O=IBM, C=US
       SerialNumber: [    3d1387b2 ]
    0]
       Algorithm: [MD5withRSA]
    0]
     JSSEContext: handleConnection[Socket[addr=boss0106.plex1.l2.ibm.com
    /9.38.48.108,port=2144,localport=8878]]
     JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM
    /9.38.48.108,port=8879,localport=2145]]
     JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM
    /9.38.48.108,port=8879,localport=2146]]
     JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM
    /9.38.48.108,port=8879,localport=2147]]
     JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM
    /9.38.48.108,port=8879,localport=2148]]
     JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM
    /9.38.48.108,port=8879,localport=2149]]
     JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM
    /9.38.48.108,port=8879,localport=2150]]
     JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM
    /9.38.48.108,port=8879,localport=2151]]
     JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM
    /9.38.48.108,port=8879,localport=2152]]
     JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM
    /9.38.48.108,port=8879,localport=2153]]
     JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM
    /9.38.48.108,port=8879,localport=2154]]
     JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM
    /9.38.48.108,port=8879,localport=2155]]
     JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM
    /9.38.48.108,port=8879,localport=2156]]
     JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM
    /9.38.48.108,port=8879,localport=2157]]
     JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM
    /9.38.48.108,port=8879,localport=2158]]
     JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM
    /9.38.48.108,port=8879,localport=2159]]
     JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM
    /9.38.48.108,port=8879,localport=2160]]
     JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM
    /9.38.48.108,port=8879,localport=2161]]
     JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM
    /9.38.48.108,port=8879,localport=2162]]
     JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM
    /9.38.48.108,port=8879,localport=2163]]
     JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM
    /9.38.48.108,port=8879,localport=2164]]
     JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM
    /9.38.48.108,port=8879,localport=2165]]
     JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM
    /9.38.48.108,port=8879,localport=2166]]
     
     JSSEContext: handleSession[Socket[addr=boss0106.plex1.l2.ibm.com
    /9.38.48.108,port=9443,localport=2167]]
     JSSEContext:  confirmPeerCertificate[Socket[addr=boss0106.plex1.l2.ibm.com
    /9.38.48.108,port=9443,localport=2167]]
     X509TrustManagerImpl: checkServerTrusted
     X509TrustManagerImpl: Certificate [
     [
       Version: V3
       Subject: CN=WAS z/OS Deployment Manager, O=IBM
       Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
    0  Key:  IBMJCE RSA Public Key:
     modulus:
     12840948267119651469312486548020957441946413494498370439558603901582589
    8755033448419534105183133064366466828741516428176579440511007
     6258795528749232737808897160958348495006972731464152299032614592135114
    19361539962555997136085140591098259345625853617389396340664766
     649957749527841107121590352429348634287031501
     public exponent:
     65537
    0  Validity: [From: Fri Jul 25 05:00:00 GMT 2003,
                    To: Mon Jul 26 04:59:59 GMT 2004]
       Issuer: CN=WAS CertAuth, C=US
       SerialNumber: [    02]
    0Certificate Extensions: 3
     [1]: ObjectId: 2.16.840.1.113730.1.13 Criticality=false
     Extension unknown: DER encoded OCTET string =
     0000: 04 3C 13 3A 47 65 6E 65   72 61 74 65 64 20 62 79  .<.:Generated by
     0010: 20 74 68 65 20 53 65 63   75 72 65 57 61 79 20 53   the SecureWay S
     0020: 65 63 75 72 69 74 79 20   53 65 72 76 65 72 20 66  ecurity Server f
     0030: 6F 72 20 7A 2F 4F 53 20   28 52 41 43 46 29        or z/OS (RACF)
    -[2]: ObjectId: 2.5.29.14 Criticality=false
     SubjectKeyIdentifier [
     KeyIdentifier [
     0000: 05 6A CD 7F AE AF 89 78   99 A8 F1 5B 64 8B 9F AF  .j.....x...[d...
     0010: 73 1B 58 65                                        s.Xe
     ]
     ]
    0[3]: ObjectId: 2.5.29.35 Criticality=false
     AuthorityKeyIdentifier [
     KeyIdentifier [
     0000: 7E D1 7B 17 74 D3 AD D1   7D D8 F8 33 85 19 04 F8  ....t......3....
     0010: 36 51 57 16                                        6QW.
     ]
    0]
    0]
       Algorithm: [SHA1withRSA]
    0]
     X509TrustManagerImpl: Certificate [
     [
       Version: V3
       Subject: CN=WAS CertAuth, C=US
       Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
    0  Key:  IBMJCE RSA Public Key:
     modulus:
     1167408593733331602218385578183389496484587418638676352829560040529918
    40558681208199977833401609895748222369066230329785148883251144
     2382911186804921983976695395381692334250582278359056431484427844566504
    41491799952592864895242987037929408453455627552772317382077015
     828713585220212502839546496071839496308430393
     public exponent:
     65537
    0  Validity: [From: Fri Jul 25 05:00:00 GMT 2003,
                    To: Sat Jul 24 04:59:59 GMT 2010]
       Issuer: CN=WAS CertAuth, C=US
       SerialNumber: [  0  ]
    0Certificate Extensions: 4
     [1]: ObjectId: 2.16.840.1.113730.1.13 Criticality=false
     Extension unknown: DER encoded OCTET string =
     0000: 04 3C 13 3A 47 65 6E 65   72 61 74 65 64 20 62 79  .<.:Generated by
     0010: 20 74 68 65 20 53 65 63   75 72 65 57 61 79 20 53   the SecureWay S
     0020: 65 63 75 72 69 74 79 20   53 65 72 76 65 72 20 66  ecurity Server f
     0030: 6F 72 20 7A 2F 4F 53 20   28 52 41 43 46 29        or z/OS (RACF)
    -[2]: ObjectId: 2.5.29.14 Criticality=false
     SubjectKeyIdentifier [
     KeyIdentifier [
     0000: 7E D1 7B 17 74 D3 AD D1   7D D8 F8 33 85 19 04 F8  ....t......3....
     0010: 36 51 57 16                                        6QW.
     ]
     ]
    0[3]: ObjectId: 2.5.29.15 Criticality=true
     KeyUsage [
       Key_CertSign
       Crl_Sign
     ]
    0[4]: ObjectId: 2.5.29.19 Criticality=true
     BasicConstraints:[
     CA:true
     PathLen:2147483647
     ]
    0]
       Algorithm: [SHA1withRSA]
    0]
     JSSEContext: handleConnection[Socket[addr=boss0106.plex1.l2.ibm.com
    /9.38.48.108,port=9443,localport=2167]]
     JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM
    /9.38.48.108,port=8879,localport=2168]]
     
     JSSEContext: handleConnection[Socket[addr=boss0106.plex1.l2.ibm.com
    /9.38.48.108,port=2235,localport=8878]]
     JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM
    /9.38.48.108,port=8879,localport=2236]]
     JSSEContext: handleSession[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM
    /9.38.48.108,port=8880,localport=2238]]
     JSSEContext:  confirmPeerCertificate[Socket
    [addr=BOSSXXXX.PLEX1.L2.IBM.COM
    /9.38.48.108,port=8880,localport=2238]]
     X509TrustManagerImpl: checkServerTrusted
     X509TrustManagerImpl: Certificate [
    
     [
       Version: V3
       Subject: CN=jserver, OU=SWG, O=IBM, C=US
       Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
    0  Key:  IBMJCE RSA Public Key:
     modulus:
     100949966922395090747968287561185391075683695663138899555389506686622953
    008589748001058216362638201577071902071311277365773252660799
     1287811829472738023126999835565278786157922922449953171124365624914
    89904381884265119355037731265408654007388863303101746314438337601
     264540735679944205391693242921331551342247891
     public exponent:
     65537
    0  Validity: [From: Fri Jun 21 20:08:18 GMT 2002,
                    To: Thu Mar 17 20:08:18 GMT 2005]
       Issuer: CN=jserver, OU=SWG, O=IBM, C=US
       SerialNumber: [    3d1387b2 ]
    0]
       Algorithm: [MD5withRSA]
    0]
     X509TrustManagerImpl: Certificate [
     [
       Version: V3
       Subject: CN=jserver, OU=SWG, O=IBM, C=US
       Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
    0  Key:  IBMJCE RSA Public Key:
     modulus:
     100949966922395090747968287561185391075683695663138899555389506
    686622953008589748001058216362638201577071902071311277365773252660799
     12878118294727380231269998355652787861579229224499531711243656249
    1489904381884265119355037731265408654007388863303101746314438337601
     264540735679944205391693242921331551342247891
     public exponent:
     65537
    0  Validity: [From: Fri Jun 21 20:08:18 GMT 2002,
                    To: Thu Mar 17 20:08:18 GMT 2005]
       Issuer: CN=jserver, OU=SWG, O=IBM, C=US
       SerialNumber: [    3d1387b2 ]
    0]
       Algorithm: [MD5withRSA]
    0]
     JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM/
    9.38.48.108,port=8880,localport=2238]]
     JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM/
    9.38.48.108,port=8880,localport=2239]]
     JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM/
    9.38.48.108,port=8880,localport=2240]]
     JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM/
    9.38.48.108,port=8880,localport=2241]]
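
A JSSE trace of this kind is easier to act on once it is reduced to the certificate chain each peer presented. The following added example (not IBM code; the function names and the sample trace are constructed, and it assumes the trace layout shown above) lists the trust store in use and, for every checkServerTrusted call, the subject, issuer and validity of each certificate plus the signer that the local trust store must contain.

```python
import re
from datetime import datetime

# Constructed sample in the JSSE trace layout shown above (names are placeholders).
SAMPLE_TRACE = """\
 TrustManagerFactoryImpl: trustStore is :
 /example/etc/ExampleTrustFile.jks
 TrustManagerFactoryImpl: trustStore type is : JKS
 JSSEContext: handleSession[Socket
[addr=HOST1.EXAMPLE.COM/192.0.2.10,port=9443,localport=2167]]
 X509TrustManagerImpl: checkServerTrusted
 X509TrustManagerImpl: Certificate [
 [
   Version: V3
   Subject: CN=Example Server, O=Example
   Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
0  Validity: [From: Fri Jul 25 05:00:00 GMT 2003,
                To: Mon Jul 26 04:59:59 GMT 2004]
   Issuer: CN=Example CA, C=US
   SerialNumber: [    02]
0]
 X509TrustManagerImpl: Certificate [
 [
   Version: V3
   Subject: CN=Example CA, C=US
   Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
0  Validity: [From: Fri Jul 25 05:00:00 GMT 2003,
                To: Sat Jul 24 04:59:59 GMT 2010]
   Issuer: CN=Example CA, C=US
0]
 JSSEContext: handleConnection[Socket[addr=HOST1.EXAMPLE.COM
/192.0.2.10,port=9443,localport=2167]]
"""

CHAIN_MARK = "X509TrustManagerImpl: checkServerTrusted"
CERT_MARK = "X509TrustManagerImpl: Certificate ["
# The socket description may wrap after "Socket" or after the host name.
SESSION = re.compile(
    r"handleSession\[Socket\s*\[addr=([^/\s]+)\s*/\s*[\d.]+,\s*port=(\d+)")
FIELD = re.compile(
    r"^\d?[ \t]*(Subject|Issuer|Signature Algorithm):[ \t]*(.+?)[ \t]*$", re.M)
VALIDITY = re.compile(r"Validity:\s*\[From:\s*(.+?),\s*To:\s*(.+?)\]", re.S)
DATE_FMT = "%a %b %d %H:%M:%S GMT %Y"


def parse_cert(block, now):
    """Extract the readable fields of one certificate dump, or None if truncated."""
    fields = {}
    for key, value in FIELD.findall(block):
        fields.setdefault(key, value)
    validity = VALIDITY.search(block)
    if "Subject" not in fields or "Issuer" not in fields or not validity:
        return None
    not_before, not_after = (
        datetime.strptime(v.strip(), DATE_FMT) for v in validity.groups())
    return {
        "subject": fields["Subject"],
        "issuer": fields["Issuer"],
        "sig_alg": fields.get("Signature Algorithm", "").split(",")[0],
        "not_after": not_after,
        "self_signed": fields["Subject"] == fields["Issuer"],
        "in_validity_period": not_before <= now <= not_after,
    }


def summarize(trace, now):
    """Return (trust_stores, chains), one chain per checkServerTrusted call."""
    trust_stores = re.findall(r"trustStore is :\s*(\S+)", trace)
    parts = trace.split(CHAIN_MARK)
    chains = []
    for before, after in zip(parts, parts[1:]):
        # The peer is the last handleSession socket logged before the check.
        sessions = SESSION.findall(before)
        peer = "%s:%s" % sessions[-1] if sessions else "unknown"
        certs = [parse_cert(b, now) for b in after.split(CERT_MARK)[1:]]
        certs = [c for c in certs if c]
        if certs:
            # The issuer of the last certificate is the signer the trust store needs.
            chains.append({"peer": peer, "certs": certs,
                           "signer_needed": certs[-1]["issuer"]})
    return trust_stores, chains


if __name__ == "__main__":
    stores, chains = summarize(SAMPLE_TRACE, datetime(2004, 1, 1))
    print("trust store(s):", ", ".join(stores) or "none logged")
    for chain in chains:
        print("peer %s needs signer: %s" % (chain["peer"], chain["signer_needed"]))
        for c in chain["certs"]:
            print("  %s | issuer %s | %s | until %s | self-signed=%s | in-period=%s" % (
                c["subject"], c["issuer"], c["sig_alg"], c["not_after"].date(),
                c["self_signed"], c["in_validity_period"]))
```

Compare the reported signer with the contents of the trust store named in the trace; the timestamp passed as `now` should be the time of the failed handshake, not the time of analysis.
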
    

Tracing security

The classes which implement WebSphere Application Server security are:

For current information available from IBM Support on known problems and their resolution, see the IBM Support page.

IBM Support has documents that can save you time gathering information needed to resolve this problem. Before opening a PMR, see the IBM Support page.


Last updated: Jun 21, 2007 9:56:50 PM CDT    WebSphere Application Server for z/OS, Version 5.0.2
http://publib.boulder.ibm.com/infocenter/wasinfo/index.jsp?topic=/com.ibm.websphere.zseries.doc/info/zseries/ae/rtrb_securitycomp.html
