This document explains basic resources and steps for diagnosing security-related issues in WebSphere Application Server, including:
The following security-related problems are addressed elsewhere in the information center:
If none of these steps solves the problem, check to see if the problem has been identified and documented using the links in Diagnosing and fixing problems: Resources for learning.
Note: For an overview of WebSphere Application Server security components such as z/SAS and how they work, see Getting started with security.
Log files
SDSF output logs
When troubleshooting the security component, browse the SDSF logs for the server that hosts the resource you are trying to access. The following is a sample of messages you would expect to see from a server in which the security service has started successfully:
Messages beginning with BBOM0001I are related to z/OS-specific implementations of z/SAS and CSIv2. They appear in both the controller and servant but are only applicable in the controller.
BBOM0001I com_ibm_Server_Security_Enabled: 1.
BBOM0001I com_ibm_CSI_claimTLClientAuthenticationSupported: 1.
BBOM0001I com_ibm_CSI_claimTLClientAuthenticationRequired: 0.
BBOM0001I com_ibm_CSI_claimTransportAssocSSLTLSSupported: 1.
BBOM0001I com_ibm_CSI_claimTransportAssocSSLTLSRequired: 0.
BBOM0001I com_ibm_CSI_claimMessageConfidentialityRequired: 0.
BBOM0001I com_ibm_CSI_claimClientAuthenticationSupported: 1.
BBOM0001I com_ibm_CSI_claimClientAuthenticationRequired: 0.
BBOM0001I com_ibm_CSI_claimClientAuthenticationtype: SAFUSERIDPASSWORD.
BBOM0001I com_ibm_CSI_claimIdentityAssertionTypeSAF: 0.
BBOM0001I com_ibm_CSI_claimIdentityAssertionTypeDN: 0.
BBOM0001I com_ibm_CSI_claimIdentityAssertionTypeCert: 0.
BBOM0001I com_ibm_CSI_claimMessageIntegritySupported: NOT SET,DEFAULT=1.
BBOM0001I com_ibm_CSI_claimMessageIntegrityRequired: NOT SET,DEFAULT=1.
BBOM0001I com_ibm_CSI_claimStateful: 1.
BBOM0001I com_ibm_CSI_claimSecurityLevel: HIGH.
BBOM0001I com_ibm_CSI_claimSecurityCipherSuiteList: NOT SET.
BBOM0001I com_ibm_CSI_claimKeyringName: WASKeyring.
BBOM0001I com_ibm_CSI_claim_ssl_sys_v2_timeout: NOT SET, DEFAULT=100.
BBOM0001I com_ibm_CSI_claim_ssl_sys_v3_timeout: 600.
BBOM0001I com_ibm_CSI_performTransportAssocSSLTLSSupported: 1.
BBOM0001I security_sslClientCerts_allowed: 0.
BBOM0001I security_kerberos_allowed: 0.
BBOM0001I security_userid_password_allowed: 0.
BBOM0001I security_userid_passticket_allowed: 1.
BBOM0001I security_assertedID_IBM_accepted: 0.
BBOM0001I security_assertedID_IBM_sent: 0.
BBOM0001I nonauthenticated_clients_allowed: 1.
BBOM0001I security_remote_identity: WSGUEST.
BBOM0001I security_local_identity: WSGUEST.
BBOM0001I security_EnableRunAsIdentity: 0.
Messages beginning with BBOO0222I are common to Java WebSphere security. They appear in both the controller and servant but are applicable to the servant.
BBOO0222I SECJ0240I: Security service initialization completed successfully
BBOO0222I SECJ0215I: Successfully set JAAS login provider configuration class to com.ibm.ws.security.auth.login.Configuration.
BBOO0222I SECJ0136I: Custom Registry:com.ibm.ws.security.registry.zOS.SAFRegistryImpl has been initialized
BBOO0222I SECJ0157I: Loaded Vendor AuthorizationTable: com.ibm.ws.security.core.SAFAuthorizationTableImpl
BBOO0222I SECJ0243I: Security service started successfully
BBOO0222I SECJ0210I: Security enabled true
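The following Python script is an added illustration, not part of the IBM documentation: it reads SDSF output like the sample above, extracts the BBOM0001I settings (resolving `NOT SET,DEFAULT=` values) and the BBOO0222I SECJ message codes, and reports whether the security service came up. The set of messages treated as required and the list of settings flagged for review are assumptions made for this example, derived from the message texts and property names shown on this page.

```python
import re

# Excerpt of the sample SDSF messages shown on this page (abridged).
SAMPLE_LOG = """\
BBOM0001I com_ibm_Server_Security_Enabled: 1.
BBOM0001I com_ibm_CSI_claimTransportAssocSSLTLSRequired: 0.
BBOM0001I com_ibm_CSI_claimMessageIntegritySupported: NOT SET,DEFAULT=1.
BBOM0001I com_ibm_CSI_claimSecurityLevel: HIGH.
BBOM0001I com_ibm_CSI_claimSecurityCipherSuiteList: NOT SET.
BBOM0001I com_ibm_CSI_claimKeyringName: WASKeyring.
BBOM0001I nonauthenticated_clients_allowed: 1.
BBOM0001I security_remote_identity: WSGUEST.
BBOO0222I SECJ0240I: Security service initialization completed successfully
BBOO0222I SECJ0136I: Custom Registry:com.ibm.ws.security.registry.zOS.SAFRegistryImpl has been initialized
BBOO0222I SECJ0243I: Security service started successfully
BBOO0222I SECJ0210I: Security enabled true
"""

# "BBOM0001I <name>: <value>." where value is a token or "NOT SET[,DEFAULT=x]".
# Matching on the message ID (not on line breaks) also handles wrapped output.
SETTING_RE = re.compile(
    r"BBOM0001I\s+(\w+):\s+(NOT SET(?:,\s*DEFAULT=(\w+))?|\w+)\.")
SECJ_RE = re.compile(r"BBOO0222I\s+(SECJ\d{4}[IWE])")
ENABLED_RE = re.compile(r"SECJ0210I:\s*Security enabled (\w+)")

# Assumption of this example: these three messages mark a successful start.
REQUIRED = ("SECJ0240I", "SECJ0243I", "SECJ0210I")
# Assumption of this example: values worth a second look during a review,
# chosen from the property names; this is not IBM guidance.
REVIEW = {
    "nonauthenticated_clients_allowed": "1",
    "com_ibm_CSI_claimTransportAssocSSLTLSRequired": "0",
}


def parse_settings(log):
    """Return {setting name: effective value}; None when unset with no default."""
    settings = {}
    for name, raw, default in SETTING_RE.findall(log):
        if raw.startswith("NOT SET"):
            settings[name] = default or None
        else:
            settings[name] = raw
    return settings


def assess(log):
    """Summarise security start-up state from SDSF output text."""
    settings = parse_settings(log)
    codes = set(SECJ_RE.findall(log))
    problems = [f"missing {code}" for code in REQUIRED if code not in codes]
    # Any SECJ message with severity E is reported as a problem.
    problems += [f"error message {c}" for c in sorted(codes) if c.endswith("E")]
    enabled = ENABLED_RE.search(log)
    if enabled and enabled.group(1) != "true":
        problems.append("SECJ0210I reports security enabled " + enabled.group(1))
    if settings.get("com_ibm_Server_Security_Enabled") != "1":
        problems.append("com_ibm_Server_Security_Enabled is not 1")
    review = [f"{k}={v}" for k, v in REVIEW.items() if settings.get(k) == v]
    return {"started": not problems, "problems": problems,
            "review": review, "settings": settings}


if __name__ == "__main__":
    result = assess(SAMPLE_LOG)
    print("security started:", result["started"])
    for item in result["problems"]:
        print("problem:", item)
    for item in result["review"]:
        print("review:", item)
```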
General approach for troubleshooting security-related issues
When troubleshooting security-related problems, consider the following questions:
Trace: 2003/08/25 13:06:31.034 01 t=9EA930 c=UNK key=P8 (13007002)
  FunctionName: com.ibm.ws.security.auth.login.Configuration
  SourceId: com.ibm.ws.security.auth.login.Configuration
  Category: AUDIT
  ExtendedMessage: SECJ0215I: Successfully set JAAS login provider configuration class to com.ibm.ws.security.auth.login.Configuration.
Trace: 2003/08/25 13:06:31.085 01 t=9EA930 c=UNK key=P8 (13007002)
  FunctionName: com.ibm.ws.security.core.SecurityDM
  SourceId: com.ibm.ws.security.core.SecurityDM
  Category: INFO
  ExtendedMessage: SECJ0231I: The Security component's FFDC Diagnostic Module com.ibm.ws.security.core.SecurityDM registered successfully: true.
Trace: 2003/08/25 13:06:31.086 01 t=9EA930 c=UNK key=P8 (0000000A)
  Description: Log Boss/390 Error
  from filename: ./bborjtr.cpp
  at line: 812
  error message: BBOO0222I SECJ0231I: The Security component's FFDC Diagnostic Module com.ibm.ws.security.core.SecurityDM registered successfully: true.
Trace: 2003/08/25 13:06:32.426 01 t=9EA930 c=UNK key=P8 (13007002)
  FunctionName: com.ibm.ws.security.core.SecurityComponentImpl
  SourceId: com.ibm.ws.security.core.SecurityComponentImpl
  Category: INFO
  ExtendedMessage: SECJ0309I: Java 2 Security is disabled.
Trace: 2003/08/25 13:06:32.427 01 t=9EA930 c=UNK key=P8 (0000000A)
  Description: Log Boss/390 Error
  from filename: ./bborjtr.cpp
  at line: 812
  error message: BBOO0222I SECJ0309I: Java 2 Security is disabled.
Trace: 2003/08/25 13:06:32.445 01 t=9EA930 c=UNK key=P8 (13007002)
  FunctionName: com.ibm.ws.security.core.SecurityComponentImpl
  SourceId: com.ibm.ws.security.core.SecurityComponentImpl
  Category: INFO
  ExtendedMessage: SECJ0212I: WCCM JAAS configuration information successfully pushed to login provider class.
Trace: 2003/08/25 13:06:32.445 01 t=9EA930 c=UNK key=P8 (0000000A)
  Description: Log Boss/390 Error
  from filename: ./bborjtr.cpp
  at line: 812
  error message: BBOO0222I SECJ0212I: WCCM JAAS configuration information successfully pushed to login provider class.
Trace: 2003/08/25 13:06:32.459 01 t=9EA930 c=UNK key=P8 (13007002)
  FunctionName: SecurityComponentImpl
  SourceId: SecurityComponentImpl
  Category: WARNING
  ExtendedMessage: BBOS1000W LTPA or ISCF are configured as the authentication mechanism but SSO is disabled.
Trace: 2003/08/25 13:06:32.459 01 t=9EA930 c=UNK key=P8 (0000000A)
  Description: Log Boss/390 Error
  from filename: ./bborjtr.cpp
  at line: 824
  error message: BBOS1000W LTPA or ISCF are configured as the authentication mechanism but SSO is disabled.
Trace: 2003/08/25 13:06:32.463 01 t=9EA930 c=UNK key=P8 (13007002)
  FunctionName: com.ibm.ws.security.core.SecurityComponentImpl
  SourceId: com.ibm.ws.security.core.SecurityComponentImpl
  Category: INFO
  ExtendedMessage: SECJ0240I: Security service initialization completed successfully
Trace: 2003/08/25 13:06:32.463 01 t=9EA930 c=UNK key=P8 (0000000A)
  Description: Log Boss/390 Error
  from filename: ./bborjtr.cpp
  at line: 812
  error message: BBOO0222I SECJ0240I: Security service initialization completed successfully
Trace: 2003/08/25 13:06:39.718 01 t=9EA930 c=UNK key=P8 (13007002)
  FunctionName: com.ibm.ws.security.registry.UserRegistryImpl
  SourceId: com.ibm.ws.security.registry.UserRegistryImpl
  Category: AUDIT
  ExtendedMessage: SECJ0136I: Custom Registry: com.ibm.ws.security.registry.zOS.SAFRegistryImpl has been initialized
Trace: 2003/08/25 13:06:41.967 01 t=9EA930 c=UNK key=P8 (13007002)
  FunctionName: com.ibm.ws.security.core.WSAccessManager
  SourceId: com.ibm.ws.security.core.WSAccessManager
  Category: AUDIT
  ExtendedMessage: SECJ0157I: Loaded Vendor AuthorizationTable: com.ibm.ws.security.core.SAFAuthorizationTableImpl
Trace: 2003/08/25 13:06:43.136 01 t=9EA930 c=UNK key=P8 (13007002)
  FunctionName: com.ibm.ws.security.role.RoleBasedAuthorizerImpl
  SourceId: com.ibm.ws.security.role.RoleBasedAuthorizerImpl
  Category: AUDIT
  ExtendedMessage: SECJ0157I: Loaded Vendor AuthorizationTable: com.ibm.ws.security.core.SAFAuthorizationTableImpl
Trace: 2003/08/25 13:06:43.789 01 t=9EA930 c=UNK key=P8 (13007002)
  FunctionName: com.ibm.ws.security.core.SecurityComponentImpl
  SourceId: com.ibm.ws.security.core.SecurityComponentImpl
  Category: INFO
  ExtendedMessage: SECJ0243I: Security service started successfully
Trace: 2003/08/25 13:06:43.789 01 t=9EA930 c=UNK key=P8 (0000000A)
  Description: Log Boss/390 Error
  from filename: ./bborjtr.cpp
  at line: 812
  error message: BBOO0222I SECJ0243I: Security service started successfully
Trace: 2003/08/25 13:06:43.794 01 t=9EA930 c=UNK key=P8 (13007002)
  FunctionName: com.ibm.ws.security.core.SecurityComponentImpl
  SourceId: com.ibm.ws.security.core.SecurityComponentImpl
  Category: INFO
  ExtendedMessage: SECJ0210I: Security enabled true
Trace: 2003/08/25 13:06:43.794 01 t=9EA930 c=UNK key=P8 (0000000A)
  Description: Log Boss/390 Error
  from filename: ./bborjtr.cpp
  at line: 812
  error message: BBOO0222I SECJ0210I: Security enabled true
Trace: 2003/08/25 13:07:06.474 01 t=9EA930 c=UNK key=P8 (13007002)
  FunctionName: com.ibm.ws.security.core.WSAccessManager
  SourceId: com.ibm.ws.security.core.WSAccessManager
  Category: AUDIT
  ExtendedMessage: SECJ0157I: Loaded Vendor AuthorizationTable: com.ibm.ws.security.core.SAFAuthorizationTableImpl
Trace: 2003/08/25 13:07:09.315 01 t=9EA930 c=UNK key=P8 (13007002)
  FunctionName: com.ibm.ws.security.core.WSAccessManager
  SourceId: com.ibm.ws.security.core.WSAccessManager
  Category: AUDIT
  ExtendedMessage: SECJ0157I: Loaded Vendor AuthorizationTable: com.ibm.ws.security.core.SAFAuthorizationTableImpl
Web requests have a completely different code path than EJB requests. Also, there are different security features for Web requests than for EJB requests, requiring a completely different body of knowledge to resolve. For example, when using the LTPA authentication mechanism, the Single SignOn feature is available for Web requests but not for EJB requests. Web requests involve HTTP header information not required by EJB requests due to the protocol differences. Also, the Web container (or servlet engine) is involved in the entire process. Any of these components could be involved in the problem and all should be considered during troubleshooting, based on the type of request and where the failure occurs.
Secure EJB requests are passed from the controller to the servant. Web requests are mostly ignored by the controller. As a result, EJB requests are first processed and authenticated by the z/SAS or CSIv2 layers of security. Authorization is done by the servant. If an authentication failure occurs, the z/SAS type level of tracing must be turned on to diagnose the problem. Other problems can be diagnosed using the component trace (CTRACE) facility; see Setting up component trace (CTRACE).
Secure Sockets Layer (SSL) is a distinct, separate layer of security. Troubleshooting SSL problems is usually separate from troubleshooting authentication or authorization problems. There are many things to consider. SSL problems are usually first-time setup problems because the configuration can be difficult. Each client must contain the server's signer certificate. During mutual authentication, each server must contain the client's signer certificate. Also, there can be protocol differences (SSLv3 vs. TLS) and listener port problems related to stale IORs (that is, IORs from a server reflecting the port prior to the server restarting).
In z/OS, two variations of SSL are used. To determine the cause of an SSL problem on z/OS, you will have to be aware of what protocol is being used. System SSL is used by the IIOP and HTTPS protocols. Java Secure Socket Extension (JSSE) is used by all other protocols, for example, Simple Object Access Protocol (SOAP). System SSL requests are handled in the controller and are used by z/SAS and CSIv1 security. JSSE is predominately used by the servant, but there are cases where it is used in the controller as well.
For SSL problems, we sometimes request an SSL trace to determine what is happening with the SSL handshake. The SSL handshake is the process that occurs when a client opens a socket to a server. If anything goes wrong with the key exchange, cipher exchange, and so on, the handshake fails and the socket is invalid. Tracing JSSE (the SSL implementation used in WebSphere Application Server) involves the following steps:
JSSEContext: handleConnection[Socket [addr=boss0106.plex1.l2.ibm.com/9.38.48.108,port=2139,localport=8878]]
JSSEContext: handleConnection[Socket [addr=boss0106.plex1.l2.ibm.com/9.38.48.108,port=2140,localport=8878]]
TrustManagerFactoryImpl: trustStore is : /WebSphere/V5R0M0/AppServer/etc/DummyServerTrustFile.jks
TrustManagerFactoryImpl: trustStore type is : JKS
TrustManagerFactoryImpl: init truststore
JSSEContext: handleConnection[Socket [addr=boss0106.plex1.l2.ibm.com/9.38.48.108,port=2142,localport=8878]]
KeyManagerFactoryImpl: keyStore is : /WebSphere/V5R0M0/AppServer/etc/DummyServerKeyFile.jks
KeyManagerFactoryImpl: keyStore type is : JKS
KeyManagerFactoryImpl: init keystore
KeyManagerFactoryImpl: init keystore
JSSEContext: handleConnection[Socket [addr=boss0106.plex1.l2.ibm.com/9.38.48.108,port=2143,localport=8878]]
JSSEContext: handleSession[Socket [addr=BOSSXXXX.PLEX1.L2.IBM.COM/9.38.48.108,port=8879,localport=2145]]
JSSEContext: confirmPeerCertificate [Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM/9.38.48.108,port=8879, localport=2145]]
X509TrustManagerImpl: checkServerTrusted
Tracing security
The classes which implement WebSphere Application Server security are:
For current information available from IBM Support on known problems and their resolution, see the IBM Support page.
IBM Support has documents that can save you time gathering information needed to resolve this problem. Before opening a PMR, see the IBM Support page.