Technical Blog Post
Abstract
Enabling SSL logging within SSP
Body
Occasionally there are problems with the SSL/TLS handshake beyond the normal everyday problems of expired certificates, mismatched certificate chains, etc. These problems sometimes require more thorough debug tracing of the SSL handshake process.
While SSP has logging at different levels for many different components, enabled through the Configuration Manager, SSL handshake tracing is enabled during startup. This can be done by adding the option below to the Java startup line in startEngine.sh if you're running on Unix/Linux, or to the SSPEngine.lax file if SSP is installed on Windows (please back up your original versions before making changes):
For Unix/Linux:
enable SSL debug
-Djavax.net.debug=ssl,handshake,data,trustmanager
For Windows:
Add the same option as for Unix to SSPEngine.lax, somewhere under the following section:
# LAX.NL.JAVA.LAUNCHER.MAIN.METHOD
# --------------------------------
# main method of LaunchAnywhere's java launcher -- do not adjust
lax.nl.java.launcher.main.method=main
lax.nl.java.option.additional=-server -Dorg.apache.commons.logging.Log=org.apache.commons.logging.impl.Log4JLogger -Dcom.sterlingcommerce.cspssh.logging.SSHLogger.logger=logrp -Dcom.sterlingcommerce.cspssh.stats=false -DvendorFile=vendor.properties -DPsPlatformFactory=com.sterlingcommerce.csp.perimeter.platform.SSPPlatformFactory -Dhadrian.root.dir=.. -Djava.net.preferIPv4Stack=true -Dlog4j.configurationFile=../conf/log4j2.xml -Dlog4j2.compatibility.mode=true -Dlog4j2.disable.jmx=true -Djsse.enableCBCProtection=false
The output will be written to the startEngine.out and systemout.log files if on Unix/Linux, or the systemout.log if on Windows. You can review the data yourself to determine possible issues, or send it in with the case data if you have a PMR open with IBM.
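The Windows edit described above can be scripted so that the trace option is added once, the original file is backed up, and the option is removed again after the trace has been captured. This is an added example, not IBM's tooling or part of the original post; the function name set_ssl_debug and the .bak backup name are assumptions, and it assumes the option belongs on the lax.nl.java.option.additional line shown above.

```python
import os
import re
import shutil

# Key and option exactly as shown in the post.
LAX_KEY = "lax.nl.java.option.additional="
DEBUG_OPT = "-Djavax.net.debug=ssl,handshake,data,trustmanager"
# Matches an existing javax.net.debug option, whatever its value.
DEBUG_RE = re.compile(r"\s*-Djavax\.net\.debug=\S*")


def set_ssl_debug(lax_path, enable):
    """Add (enable=True) or remove (enable=False) the SSL debug option on the
    lax.nl.java.option.additional line. Returns True if the file changed."""
    lax_path = os.fspath(lax_path)
    # latin-1 round-trips every byte; newline="" keeps CRLF endings intact.
    with open(lax_path, encoding="latin-1", newline="") as f:
        lines = f.read().splitlines(keepends=True)

    found = changed = False
    for i, line in enumerate(lines):
        if not line.startswith(LAX_KEY):
            continue  # comments and other keys are left untouched
        found = True
        body = line.rstrip("\r\n")
        eol = line[len(body):]
        present = DEBUG_RE.search(body) is not None
        if enable and not present:
            body = body + " " + DEBUG_OPT
        elif not enable and present:
            body = DEBUG_RE.sub("", body)
        else:
            continue  # already in the requested state
        lines[i] = body + eol
        changed = True

    if not found:
        raise ValueError("no " + LAX_KEY + " line in " + lax_path)
    if changed:
        backup = lax_path + ".bak"  # assumed backup name, not from the post
        if not os.path.exists(backup):
            shutil.copy2(lax_path, backup)  # keep the pristine original once
        with open(lax_path, "w", encoding="latin-1", newline="") as f:
            f.write("".join(lines))
    return changed
```

Call set_ssl_debug(path, True) before restarting the engine to capture the trace, and set_ssl_debug(path, False) afterwards; the engine must be restarted for either change to take effect, since the option is read at startup.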
UID
ibm11123437