MustGather information for SSL runtime problems

Other useful information

Known IHS problems at startup or request processing issues to check first

If you're using an intermediate certificate (that is, your server certificate isn't signed directly by one of the browser's default trusted root certificate authorities, but by an issuer that is in turn signed by a trusted CA), web browsers can improperly cache expired copies of the intermediate certificate. This can occur if, in the past, the user clicked 'Trust site permanently' on a site that used the same intermediate certificate authority.

Solution: Remove the expired cached copy of the intermediate certificate from the browser's SSL configuration.

Client Authentication is enabled but browser doesn't prompt for certificate

During the SSL handshake, the web server informs the browser which Certificate Authorities it trusts, to assist the browser in selecting the correct client certificate. If the browser determines that none of the user's client certificates could be validated against the list of certificate authorities sent by the server, the browser will NOT prompt the user for a certificate.

If only a subset of the user's client certificates can be validated against the server's list of certificate authorities, the browser will display that partial list of certificates to the user.

Solution: The issuer of the client certificates must be added as a trusted Certificate Authority in the server's KeyFile.
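The CA list described above is visible from the client side: `openssl s_client -connect host:443` prints it under the heading "Acceptable client certificate CA names" (or "No client certificate CA names sent" when the server advertises none). The script below is an added illustration, not part of the IBM MustGather page or of IHS itself. It parses that section of a constructed (not captured) `s_client` transcript, normalizes the distinguished names in both the comma-separated and the older slash-separated OpenSSL formats, and reports whether a client certificate's issuer (as printed by `openssl x509 -noout -issuer`) is among the CAs the server advertised, which is exactly the condition that decides whether a browser will offer that certificate.

```python
"""Explain why a browser does or does not prompt for a client certificate, by
comparing the certificate's issuer with the CA names the server advertised."""

# Constructed sample of the relevant part of `openssl s_client` output
# (modern OpenSSL formatting); not captured from any real server.
SAMPLE_S_CLIENT_OUTPUT = """\
---
Acceptable client certificate CA names
C = US, O = Example Corp, CN = Example Corp Issuing CA 1
C = US, O = Example Corp, CN = Example Corp Root CA
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
---
SSL handshake has read 3456 bytes and written 420 bytes
"""

# The same information as older OpenSSL releases print it (slash-separated DNs).
SAMPLE_S_CLIENT_OUTPUT_LEGACY = """\
---
Acceptable client certificate CA names
/C=US/O=Example Corp/CN=Example Corp Issuing CA 1
---
"""

# Constructed output for a server that sends an empty CA list.
SAMPLE_S_CLIENT_OUTPUT_EMPTY = """\
---
No client certificate CA names sent
---
"""

CA_LIST_HEADING = "Acceptable client certificate CA names"
NO_CA_LIST_LINE = "No client certificate CA names sent"


def normalize_dn(dn):
    """Canonicalize a DN as 'ATTR=value,ATTR=value' so that the comma-separated
    form, the slash-separated form and the 'issuer=' prefix from
    `openssl x509 -issuer` all compare equal. RDN order is preserved, because
    DN comparison is order-sensitive. Values containing a literal ',' or '/'
    are not handled by this simple split."""
    dn = dn.strip()
    if dn.lower().startswith("issuer="):
        dn = dn[len("issuer="):].strip()
    rdns = dn[1:].split("/") if dn.startswith("/") else dn.split(",")
    parts = []
    for rdn in rdns:
        if "=" not in rdn:
            continue
        attr, value = rdn.split("=", 1)
        parts.append(f"{attr.strip().upper()}={value.strip()}")
    return ",".join(parts)


def parse_acceptable_ca_names(s_client_output):
    """Return the normalized DNs listed under the CA-names heading, or an empty
    list if the server sent no CA names at all."""
    names = []
    in_block = False
    for line in s_client_output.splitlines():
        stripped = line.strip()
        if stripped == NO_CA_LIST_LINE:
            return []
        if stripped == CA_LIST_HEADING:
            in_block = True
            continue
        if in_block:
            # The block ends at the next separator or the next s_client section.
            if (not stripped or stripped.startswith("---")
                    or stripped.startswith("Client Certificate Types")
                    or stripped.startswith("Requested Signature")):
                break
            names.append(normalize_dn(stripped))
    return names


def check_client_cert_issuer(issuer_dn, s_client_output):
    """Return (status, advertised_cas). 'issuer-trusted' means the browser
    would offer the certificate; 'issuer-not-advertised' is the case the
    MustGather describes (add the issuer CA to the server KeyFile);
    'no-ca-list' means the server advertised no CAs at all."""
    advertised = parse_acceptable_ca_names(s_client_output)
    if not advertised:
        return "no-ca-list", advertised
    if normalize_dn(issuer_dn) in advertised:
        return "issuer-trusted", advertised
    return "issuer-not-advertised", advertised


if __name__ == "__main__":
    issuer = "issuer=C = US, O = Example Corp, CN = Example Corp Issuing CA 1"
    status, cas = check_client_cert_issuer(issuer, SAMPLE_S_CLIENT_OUTPUT)
    print(status)
    for ca in cas:
        print("  server advertised:", ca)
```

In practice, paste the real `s_client` transcript in place of the constructed sample and the real issuer line from the client certificate; if the result is `issuer-not-advertised`, the fix is the one given in the Solution above.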

Gathering documentation

IHS startup or request processing problems

  1. Set LogLevel to Debug and SSLTrace at the bottom of httpd.conf.
  2. Configure the environment for GSKit trace.
  3. Restart IBM HTTP Server.
  4. Start an IP trace (packet capture) that will show the interaction between the web browser and the web server. This can be taken on the IHS server, the client machine, or another machine on the network. (Possible tools include sniffer, Network Monitor, or Ethereal.)
  5. Recreate the problem from the browser.
  6. Save a screen capture of the browser window.
  7. Send the following to IBM support:
    • web server error log, access log, and httpd.conf
    • Output of the ihsdiag collector tool (system and web server information)
    • GSKit trace file
    • If a client certificate is in use, include it along with the CA certificates needed to validate it
    • IP trace file, unformatted
    • The KDB file in use, along with the accompanying .sth/.crl/.rdb files and the KDB password
    • Details of the time of the request/handshake and the IP address of the client
    • Description of the client and server trust chains and the Certificate Authority in use
    • Details of cryptographic token configuration described above, when appropriate.