Debugging TLS connections

To help debug a connection that is not working, you can enable a Liberty trace, check the used truststores, and check for missing certificates.

Procedure

  1. Create an XML file with the required Liberty trace specification.

    The following example file, "z_server.xml", sets the console log level to INFO and enables full tracing for the SSL channel and the Liberty SSL packages.

    <server>
       <logging
         traceSpecification="*=info:SSLChannel=all:com.ibm.ws.ssl.*=all:com.ibm.websphere.ssl=all:com.ibm.wsspi.ssl.*=all"
         consoleLogLevel="INFO"
         traceFileName="trace.log"
         maxFileSize="10000"
         maxFiles="10" />
    </server>
  2. Copy the Liberty server file into the target pod.

    For example, for a Content Platform Engine (CPE) pod, the directory under /opt/ibm/wlp/usr/servers/defaultServer/configDropins/overrides is mapped to a PVC where the z_server.xml file is persisted.

    Liberty immediately recognizes the changes and the trace.log file gets created in the default log directory.

  3. Check which truststore is used by Liberty by searching for the trustStoreRef property in the console.log.
  4. List the certificates that are in a truststore.

    The following command lists the certificates in the Content Platform Engine (CPE) default truststore.

    keytool -v -list -storepass <keystore_password> -keystore /shared/tls/truststore/pkcs12/trusts.p12
    where <keystore_password> is the password that you provided for the KEYSTORE_PASSWORD parameter in the cp4ba_user_profile.property file.
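    The verbose keytool listing from step 4 can be checked mechanically for a missing issuer instead of being read by eye. The following script is an added example and not part of the IBM documentation; it runs against constructed `keytool -v -list` output embedded inline (the aliases, subjects and dates are made up), so it works offline, and the comment shows how to feed it the real CPE truststore listing instead.

```shell
#!/bin/sh
# Added example: summarize a `keytool -v -list` listing and check that a required
# CA subject is present. LISTING is CONSTRUCTED sample output in keytool's verbose
# format. For the real truststore, capture the step 4 command instead:
#   LISTING=$(keytool -v -list -storepass "$PW" -keystore /shared/tls/truststore/pkcs12/trusts.p12)
LISTING=$(cat <<'EOF'
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: example-root
Entry type: trustedCertEntry

Owner: CN=Example Root CA, O=Example Corp
Issuer: CN=Example Root CA, O=Example Corp
Valid from: Mon Jan 01 00:00:00 UTC 2024 until: Fri Dec 31 23:59:59 UTC 2032

*******************************************

Alias name: ldap-ca
Entry type: trustedCertEntry

Owner: CN=LDAP Intermediate CA, O=Example Corp
Issuer: CN=Example Root CA, O=Example Corp
Valid from: Thu Feb 01 00:00:00 UTC 2024 until: Wed Feb 01 23:59:59 UTC 2028
EOF
)

# Number of trusted certificate entries in the listing.
count_trusted_entries() {
  printf '%s\n' "$LISTING" | grep -c '^Entry type: trustedCertEntry'
}

# One line per entry: alias | subject | expiry, so expired or unexpected CAs stand out.
summarize_truststore() {
  printf '%s\n' "$LISTING" | awk '
    /^Alias name: / { alias = substr($0, 13) }
    /^Owner: /      { owner = substr($0, 8) }
    /^Valid from: / { sub(/.* until: /, ""); printf "%s | %s | expires %s\n", alias, owner, $0 }'
}

# Exit 0 if an entry whose subject CN is exactly $1 exists, 1 if it is missing.
# $1 is used as an extended regex, so escape metacharacters in the CN if needed.
has_trusted_cn() {
  printf '%s\n' "$LISTING" | grep -Eq "^Owner: CN=$1(,|\$)"
}

summarize_truststore
has_trusted_cn "LDAP Intermediate CA" && echo "LDAP CA present" || echo "LDAP CA MISSING"
```

A missing issuer reported here is the usual cause of the handshake failures that the SSLChannel trace records after step 2.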