Capturing z/OS System SSL trace

To diagnose secure sockets layer (SSL) problems in a CICS® TS region, in addition to CICS trace, IBM Support might ask you to capture and format SSL CTRACE (component trace). Follow this topic to get the System SSL trace you need.

Before you begin

To capture SSL CTRACE, you must have an SSL server and a CTRACE writer running.

SSL server

You can use the following JCL to start the SSL server task (GSKSRVR) at IPL. After the SSL server is started, it can be left running. It provides valuable services to users of SSL on the LPAR.

Figure 1. Sample JCL for SSL server task (GSKSRVR)
//GSKSRVR  PROC  REGSIZE=256M,OUTCLASS='H'                               
//*********************************************************************
//* Procedure for starting the System SSL Server                      *
//*********************************************************************
//GO       EXEC  PGM=GSKSRVR,REGION=&REGSIZE,TIME=1440,
//  PARM=('ENVAR("HOME=/etc/gskssl/server"),TERM(DUMP)                 X
//             / 1>DD:STDOUT 2>DD:STDERR')
//STDOUT   DD SYSOUT=&OUTCLASS,DCB=LRECL=250,
//            FREE=END,SPIN=UNALLOC
//STDERR   DD SYSOUT=&OUTCLASS,DCB=LRECL=250,
//            FREE=END,SPIN=UNALLOC
//SYSOUT   DD SYSOUT=&OUTCLASS,
//            FREE=END,SPIN=UNALLOC
//*CEEDUMP  DD SYSOUT=&OUTCLASS,
//*            FREE=END,SPIN=UNALLOC

If GSKSRVR is not already running, you can start it with the console command S GSKSRVR.

CTRACE writer

You can use the following JCL to start the CTRACE writer (GSKWTR) at IPL.

Figure 2. Sample JCL for CTRACE writer (GSKWTR)
//GSKWTR    PROC                                                      
//*-----------------------------------------------------------------*//
//*  MODELED AFTER hlq.SGSKSAMP(GSKWTR) AND CUSTOMIZED.             *//
//*-----------------------------------------------------------------*//
//IEFPROC EXEC PGM=ITTTRCWR,REGION=32M
//TRCOUT01  DD DSN=<your.dataset.name.here>,DISP=(NEW,CATLG),
//             SPACE=(CYL,(100)),UNIT=SYSDA

Note: The trace writer PROC (GSKWTR) must be stored in a system PROCLIB. This is not the same as a JES2 or JES3 PROCLIB. Trace writers must be in a data set that is part of the IEFPDSI PROCLIBs in MSTJCL00.

For more information about SSL CTRACE, see Capturing component trace data in the z/OS Cryptographic Services System Secure Sockets Layer Programming guide.

Procedure

To capture and format SSL CTRACE, follow these steps:

  1. Start the trace writer PROC with the console command:
    TRACE CT,WTRSTART=GSKWTR
  2. Start SSL CTRACE with the console command:
    TRACE CT,ON,COMP=GSKSRVR
  3. Enter the reply.
    R xx,JOBNAME=(your-job),OPTIONS=(LEVEL=255),WTR=GSKWTR,END

    If you are using AT-TLS to secure the connection, then your-job is the name of the TCPIP started task.

  4. Re-create the error or event that you want to trace.
  5. Format the trace data set by using IPCS option 2.7.1 and the following command:
    CTRACE COMP(GSKSRVR) FULL

What to do next

To stop SSL CTRACE, use the following console command:
TRACE CT,OFF,COMP=GSKSRVR
To stop the trace writer PROC, use the following console command:
TRACE CT,WTRSTOP=GSKWTR

Merge CICS GTF trace and z/OS® System SSL trace so that you can have both traces in one report.