If you already contacted support, continue to the
component-specific MustGather information. Otherwise, click: MustGather:
Read first for all WebSphere Application Server products.
Java Security (JSSE/JCE) specific MustGather information
- The following information is required for all versions:
- If you are using the default Java Secure Socket Extension (JSSE)
providers or if you have modified your java.security file.
- Where is the SSL problem occurring?
- Between the client (browser) and the Web server?
For example: When trying to access a Web resource on the Web
server over HTTPS.
- Between the client (browser) and the WebSphere Application Server
built-in Web server?
For example: When trying to access the WebSphere
Application Server Administrative Console.
- Between the Web server plug-in and the WebSphere Application Server?
For example: When trying to access a Web resource on the
WebSphere Application Server over HTTPS.
- Using SSL when connecting to directory servers (LDAP)?
- Using your own application to make an HTTPS call to a remote Web site?
- Using your own application to make an SSL connection?
- Are you using the default (dummy) certificates, a self-signed
certificate, or a Certificate Authority (CA) issued certificate. Have you
made any recent changes to your certificate?
- If you changed your default key, did you change your keystore files?
- The following three items are required for all versions
of WebSphere:
- Collect the java.security file. This file is located in the
following directory:
install_root/java/jre/lib/security |
|
- Collect the keyfiles, trustfiles, cacerts files, and plugin.kdb files.
- Collect a Java Secure Socket Extension (JSSE) debug trace of the
problem if possible.
- For all releases of V4.0.5 or higher
Note: For V4 you will need to contact WebSphere support to get a copy
of the ibmjsse-debug.jar referenced below
- Open the install_root/bin/admin.config in an
editor
- Add the following line to the end of the file
javax.net.debug=true |
Note: You must have a tracefile enabled to capture the standard output
from the Admin Server
|
- Stop the server
- Move the
install_root/java/jre/lib/ext/ibmjsse.jar to a
temporary directory outside of the classpath (i.e. /tmp)
- Copy the provided ibmjsse-debug.jar to the
install_root/java/jre/lib/ext directory
- Start the server and recreate the problem
Note: The JSSE trace will be output to the tracefile as specified in
the admin.config
- Follow instructions to send
diagnostic information to IBM support
- For all releases of V5.x running JDK version
1.3.x
To determine the java version run java
-fullversion from the install_root/java/bin
directory.
- Note: Contact WebSphere support to get a copy
of the ibmjsse-debug.jar referenced below
- Specify the javax.net.debug system property:
- In the Administrative Console, select the following: Servers >
Application Servers > server_name > Process Definition
> Java Virtual Machine > Custom Properties > New
- Type the following:
Name: javax.net.debug
Value: true
- Click OK
- Save your changes to the master configuration
- Stop the server
- Move the
install_root/java/jre/lib/ext/ibmjsse.jar to a
temporary directory outside of the classpath (i.e. /tmp)
- Copy the ibmjsse-debug.jar from
install_root/web/docs/jsse to the
install_root/java/jre/lib/ext directory
- Start the server and recreate the problem
Note: The output will be in the file specified in Application Servers
> server_name > Logging and Tracing > JVM Logs.
The default is set to the SystemOut.log file
- Run the Collector
Tool located in the install_root/bin
directory
- Follow instructions to send
diagnostic information to IBM support
- For all releases of V5.x running JDK version
1.4.x
To determine the java version
run java -fullversion from the
install_root/java/bin directory.
Note: Contact WebSphere support to get a copy of
the ibmjsseprovider_debug.jar referenced
below
- Specify the javax.net.debug system property:
- In the Administrative Console, select the following: Servers >
Application Servers > server_name > Process Definition
> Java Virtual Machine > Custom Properties > New
- Type the following:
Name: javax.net.debug
Value: true
- Click OK
- Save your changes to the master configuration
- Stop the server
- Rename the jsse provider jar
in install_root/java/jre/lib
- Move ibmjsseprovider.jar.save to a directory that is not used
by the IBM JVM.
- Copy the ibmjsseprovider_debug.jar to
ibmjsseprovider.jar
- Move the debug ibmjsseprovider.jar to
install_root/java/jre/lib
- Start the server and recreate the problem
- Delete the debug ibmjsseprovider.jar in
install_root/java/jre/lib
- Move ibmjsseprovider.jar.save to
install_root/java/jre/lib
- Rename ibmjsseprovider.jar.save to be
ibmjsseprovider.jar
Note: The output will be in the file specified in Application Servers
> server_name > Logging and Tracing > JVM Logs.
The default is set to the SystemOut.log file
- Run the Collector
Tool located in the install_root/bin
directory
- Follow instructions to send
diagnostic information to IBM support
- For all releases of V6.x running JDK version
1.4.x
WebSphere version 6 uses IBMJSSE2 by default, if using IBMJSSE use
the steps above as indicated in For all releases of V5.x running JDK
version 1.4.x.
Note: These instructions are for WebSphere Version 6 using the default
IBMJSSE2 provider.
- Specify the javax.net.debug system property:
- In the Administrative Console, select the following:
Servers > Application Servers > server_name >
Process Definition > Java Virtual Machine > Custom Properties >
New
- Type the following:
Name: javax.net.debug
Value: true
- Click OK
- Save your changes to the master configuration
- Stop the server
- Start the server and recreate the problem
Note: The output will be in the file specified in Application Servers
> server_name > Logging and Tracing > JVM Logs.
The default is set to the SystemOut.log file
- Run the Collector
Tool located in the install_root/bin directory
- Follow instructions to send
diagnostic information to IBM support
- If asked to run JSSE client traces, please do
the following in addition to server side traces.
1. Add the -Djavax.net.debug=true to the java
command line or modify the calling script to include the debug statement.
The output will go to standard out, please redirect this output to a file.
2. This only works if is using IBM JDK along with the corresponding JDK
version debug file in place.
- For JDK 1.3.x use ibmjsse-debug.jar
- For JDK 1.4.x use ibmjsseprovider_debug.jar
For a listing of all technotes, downloads, and educational materials
specific to the Java Security (JSSE/JCE) component, search the WebSphere
Application Server support site. |