MustGather: Java Secure Socket Extension (JSSE), SSL or Java Cryptography Extensions (JCE) problems
 Technote (FAQ)
 
Problem
MustGather for problems with the WebSphere® Application Server Java™ Security (JSSE/JCE) and SSL component. Gathering this information before calling IBM support helps familiarize you with the troubleshooting process and saves you time.
 
Solution
If you already contacted support, continue to the component-specific MustGather information. Otherwise, see MustGather: Read first for all WebSphere Application Server products.


Java Security (JSSE/JCE) specific MustGather information

  • The following information is required for all versions:

    1. Whether you are using the default Java Secure Socket Extension (JSSE) providers or have modified your java.security file.

    2. Where is the SSL problem occurring?

      1. Between the client (browser) and the Web server?

        For example: When trying to access a Web resource on the Web server over HTTPS.

      2. Between the client (browser) and the WebSphere Application Server built-in Web server?

        For example: When trying to access the WebSphere Application Server Administrative Console.

      3. Between the Web server plug-in and the WebSphere Application Server?

        For example: When trying to access a Web resource on the WebSphere Application Server over HTTPS.

      4. Using SSL when connecting to directory servers (LDAP)?

      5. Using your own application to make an HTTPS call to a remote Web site?

      6. Using your own application to make an SSL connection?

    3. Are you using the default (dummy) certificates, a self-signed certificate, or a Certificate Authority (CA) issued certificate? Have you made any recent changes to your certificate?

    4. If you changed your default key, did you change your keystore files?

  • The following three items are required for all versions of WebSphere:

    1. Collect the java.security file. This file is located in the following directory:

      install_root/java/jre/lib/security

    2. Collect the keyfiles, trustfiles, cacerts files, and plugin.kdb files.

    3. Collect a Java Secure Socket Extension (JSSE) debug trace of the problem if possible.
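
For the first question above and the collected java.security file, the provider order can be summarised before the file is sent. This is an added example, not IBM code: the function names and the sample file contents are constructed, and the numbering check relies on the JVM reading security.provider.1, .2, ... in sequence and stopping at the first missing number.

```shell
#!/bin/sh
# Added example (not IBM code): summarise the provider list in a java.security
# file so that a modified provider order is visible at a glance.

# Print "<n> <class>" for every security.provider.<n>=<class> line, sorted by
# n. Commented-out entries (leading '#') do not match and are skipped.
list_providers() {
    sed -n 's/^[[:space:]]*security\.provider\.\([0-9][0-9]*\)[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*$/\1 \2/p' "$1" |
        sort -n
}

# Succeed only if the entries are numbered 1..N with no gap or duplicate.
# Entries after a gap are never registered, because the JVM stops reading at
# the first missing number.
check_provider_numbering() {
    list_providers "$1" | awk '
        $1 != NR { printf "expected security.provider.%d, found %d (%s)\n", NR, $1, $2
                   bad = 1; exit }
        END      { if (NR == 0) { print "no security.provider entries found"; bad = 1 }
                   exit bad + 0 }'
}

# Print the position and class of each configured JSSE provider.
jsse_providers() {
    list_providers "$1" | grep -i 'jsse' || true
}

# Constructed sample: provider 3 is commented out, which leaves a gap.
sample_java_security() {
    cat <<'EOF'
# constructed sample, not a shipped java.security
security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
security.provider.2=com.ibm.crypto.provider.IBMJCE
#security.provider.3=com.ibm.jsse.IBMJSSEProvider
security.provider.4=com.ibm.security.cert.IBMCertPath
EOF
}

# Usage: sh providers.sh install_root/java/jre/lib/security/java.security
if [ -n "${1:-}" ]; then
    list_providers "$1"
    check_provider_numbering "$1"
fi
```
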

  • For all releases of V4.0.5 or higher

    Note: For V4 you will need to contact WebSphere support to get a copy of the ibmjsse-debug.jar referenced below

    1. Open the install_root/bin/admin.config in an editor

    2. Add the following line to the end of the file

      javax.net.debug=true

      Note: You must have a tracefile enabled to capture the standard output from the Admin Server

    3. Stop the server

    4. Move the install_root/java/jre/lib/ext/ibmjsse.jar to a temporary directory outside of the classpath (for example, /tmp)

    5. Copy the provided ibmjsse-debug.jar to the install_root/java/jre/lib/ext directory

    6. Start the server and recreate the problem

      Note: The JSSE trace will be output to the tracefile as specified in the admin.config

    7. Follow instructions to send diagnostic information to IBM support

  • For all releases of V5.x running JDK version 1.3.x

    To determine the Java version, run java -fullversion from the install_root/java/bin directory.

    Note: Contact WebSphere support to get a copy of the ibmjsse-debug.jar referenced below

    1. Specify the javax.net.debug system property:
      1. In the Administrative Console, select the following: Servers > Application Servers > server_name > Process Definition > Java Virtual Machine > Custom Properties > New

      2. Type the following:

        Name: javax.net.debug
        Value: true

      3. Click OK

    2. Save your changes to the master configuration

    3. Stop the server

    4. Move the install_root/java/jre/lib/ext/ibmjsse.jar to a temporary directory outside of the classpath (for example, /tmp)

    5. Copy the ibmjsse-debug.jar from install_root/web/docs/jsse to the install_root/java/jre/lib/ext directory

    6. Start the server and recreate the problem

      Note: The output will be in the file specified in Application Servers > server_name > Logging and Tracing > JVM Logs. The default is set to the SystemOut.log file

    7. Run the Collector Tool located in the install_root/bin directory

    8. Follow instructions to send diagnostic information to IBM support

  • For all releases of V5.x running JDK version 1.4.x

To determine the Java version, run java -fullversion from the install_root/java/bin directory.

Note: Contact WebSphere support to get a copy of the ibmjsseprovider_debug.jar referenced below

  1. Specify the javax.net.debug system property:
    1. In the Administrative Console, select the following: Servers > Application Servers > server_name > Process Definition > Java Virtual Machine > Custom Properties > New

    2. Type the following:

      Name: javax.net.debug
      Value: true
    3. Click OK

  2. Save your changes to the master configuration

  3. Stop the server

  4. Rename the jsse provider jar in install_root/java/jre/lib

  5. Move ibmjsseprovider.jar.save to a directory that is not used by the IBM JVM.

  6. Copy the ibmjsseprovider_debug.jar to ibmjsseprovider.jar

  7. Move the debug ibmjsseprovider.jar to install_root/java/jre/lib

  8. Start the server and recreate the problem

  9. Delete the debug ibmjsseprovider.jar in install_root/java/jre/lib

  10. Move ibmjsseprovider.jar.save to install_root/java/jre/lib

  11. Rename ibmjsseprovider.jar.save to be ibmjsseprovider.jar


    Note: The output will be in the file specified in Application Servers > server_name > Logging and Tracing > JVM Logs. The default is set to the SystemOut.log file

  12. Run the Collector Tool located in the install_root/bin directory

  13. Follow instructions to send diagnostic information to IBM support
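
The jar swap in steps 4 to 7 and the restore in steps 9 to 11, as an added shell example (not IBM code). It assumes the rename in step 4 is to ibmjsseprovider.jar.save, the name step 5 uses; the function names, the holding directory and the checksum file are assumptions.

```shell
#!/bin/sh
# Added example (not IBM code): the provider-jar swap and restore for V5.x on
# JDK 1.4.x. The directory arguments are assumptions supplied by the caller.

# POSIX cksum prints "<crc> <size>". A CRC catches a mix-up or a damaged copy;
# it is not a defence against deliberate tampering.
checksum() { cksum < "$1"; }

# Steps 4-7: park the original provider outside the JVM's directories, then
# install the debug jar under the provider's name.
swap_in_debug() {
    jre_lib=$1 debug_jar=$2 hold_dir=$3
    [ -f "$jre_lib/ibmjsseprovider.jar" ] || { echo "provider jar not found" >&2; return 1; }
    [ -f "$debug_jar" ] || { echo "debug jar not found" >&2; return 1; }
    [ ! -e "$hold_dir/ibmjsseprovider.jar.save" ] ||
        { echo "a saved provider jar already exists" >&2; return 1; }
    checksum "$jre_lib/ibmjsseprovider.jar" > "$hold_dir/ibmjsseprovider.jar.cksum" || return 1
    mv "$jre_lib/ibmjsseprovider.jar" "$jre_lib/ibmjsseprovider.jar.save" &&
        mv "$jre_lib/ibmjsseprovider.jar.save" "$hold_dir/" &&
        cp "$debug_jar" "$jre_lib/ibmjsseprovider.jar"
}

# Steps 9-11: delete the debug jar, move the original back, and confirm it is
# the same file that was parked before the server goes back into service.
restore_provider() {
    jre_lib=$1 hold_dir=$2
    [ -f "$hold_dir/ibmjsseprovider.jar.save" ] || { echo "no saved jar to restore" >&2; return 1; }
    rm -f "$jre_lib/ibmjsseprovider.jar" &&
        mv "$hold_dir/ibmjsseprovider.jar.save" "$jre_lib/" &&
        mv "$jre_lib/ibmjsseprovider.jar.save" "$jre_lib/ibmjsseprovider.jar" || return 1
    want=$(cat "$hold_dir/ibmjsseprovider.jar.cksum")
    have=$(checksum "$jre_lib/ibmjsseprovider.jar")
    [ "$want" = "$have" ] || { echo "restored jar differs from the original" >&2; return 1; }
    rm -f "$hold_dir/ibmjsseprovider.jar.cksum"
}

# Usage (server stopped): sh jsse_swap.sh swap JRE_LIB DEBUG_JAR HOLD_DIR
#                         sh jsse_swap.sh restore JRE_LIB HOLD_DIR
case "${1:-}" in
    swap)    swap_in_debug "$2" "$3" "$4" ;;
    restore) restore_provider "$2" "$3" ;;
esac
```
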

  • For all releases of V6.x running JDK version 1.4.x

WebSphere version 6 uses IBMJSSE2 by default. If you are using IBMJSSE, use the steps above under "For all releases of V5.x running JDK version 1.4.x".

Note: These instructions are for WebSphere Version 6 using the default IBMJSSE2 provider.

  1. Specify the javax.net.debug system property:
  2. In the Administrative Console, select the following: Servers > Application Servers > server_name > Process Definition > Java Virtual Machine > Custom Properties > New

  3. Type the following:

    Name: javax.net.debug
    Value: true

  4. Click OK

  5. Save your changes to the master configuration

  6. Stop the server

  7. Start the server and recreate the problem

    Note: The output will be in the file specified in Application Servers > server_name > Logging and Tracing > JVM Logs. The default is set to the SystemOut.log file

  8. Run the Collector Tool located in the install_root/bin directory

  9. Follow instructions to send diagnostic information to IBM support

  • If asked to run JSSE client traces, please do the following in addition to the server-side traces.

    1. Add -Djavax.net.debug=true to the java command line, or modify the calling script to include the debug statement. The output goes to standard out; please redirect this output to a file.

    2. This only works if the client is using the IBM JDK with the debug file for the corresponding JDK version in place.

    • For JDK 1.3.x use ibmjsse-debug.jar
    • For JDK 1.4.x use ibmjsseprovider_debug.jar


For a listing of all technotes, downloads, and educational materials specific to the Java Security (JSSE/JCE) component, search the WebSphere Application Server support site.
 
Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > Java Security (JSSE/JCE)
Operating system(s): HP-UX
Software version: 4.0
Software edition:
Reference #: 1162961
IBM Group: Software Group
Modified date: Sep 10, 2004