LIC trace

The Trace Licensed Internal Code (LIC) service tool can capture a System SSL/TLS trace point that contains the System SSL/TLS protocols and cipher suites. The Trace Internal (TRCINT) command is the command interface to the Trace LIC Service tool.

To trace all protocol versions, issue the following command to start the trace:
TRCINT SET(*ON) TRCTBL('SCKSSL-1700x') TRCTYPE(*SCKSSL) SLTTRCPNT((17000 17009))

Wait for new secure connections to be established, and then end the trace with the following command:
TRCINT SET(*OFF) TRCTBL('SCKSSL-1700x') OUTPUT(*PRINT)

To delete the trace, issue the following command:
TRCINT SET(*END) TRCTBL('SCKSSL-1700x')

To trace specific protocol version connections, use one or more of the following trace points.

Protocol Version    Trace Identifier
TLSv1.3             17005
TLSv1.2             17004
TLSv1.1             17003
TLSv1.0             17002
SSLv3               17001
SSLv2               17000

For example, to find only TLSv1.0 connections, use trace point 17002:
TRCINT SET(*ON) TRCTBL('SCKSSL-17002') TRCTYPE(*SCKSSL) SLTTRCPNT((17002))

To trace a range of protocol versions, specify the beginning Trace ID followed by the end Trace ID. This example illustrates tracing SSLv2 through TLSv1.1:
TRCINT SET(*ON) TRCTBL('SCKSSL-1700x') TRCTYPE(*SCKSSL) SLTTRCPNT((17000 17003))

A spooled file named QPCSMPRT is created for the user that ran the TRCINT SET(*OFF) command. Submit the TRCINT SET(*OFF) command to a background job when you are managing a large trace capture. The following trace point output outlines the connection properties included in the trace point.

SOCKETS              IDENTIFIER : SC#17003                         TIME 02/17/15  11:03:33.151908   TDE# 000000003C94
  #1    (   21)    +0000   C3D6D5D5C5C3E3C9  D6D540D7D9D6D7C5   D9E3C9C5E2                    *CONNECTION PROPERTIES
  #2    (    7)    +0000   E3D3E2E5F14BF1                                                    *TLSV1.1
  #3    (   28)    +0000   E3D3E26DD9E2C16D  E6C9E3C86DC1C5E2   6DF1F2F86DC3C2C3  6DE2C8C1   *TLS_RSA_WITH_AES_128_CBC_SHA
  #4    (   10)    +0000   D3D6C3C1D340D7D6  D9E3                                            *LOCAL PORT
  #5    (    3)    +0000   F9F9F2                                                            *992
  #6    (   16)    +0000   D3D6C3C1D340C9D7  40C1C4C4D9C5E2E2                                *LOCAL IP ADDRESS
  #7    (   20)    +0000   7A7A868686867AF1  F9F84BF5F14BF1F0   F04BF1F5                     *::ffff:198.51.100.15
  #8    (   11)    +0000   D9C5D4D6E3C540D7  D6D9E3                                          *REMOTE PORT
  #9    (    5)    +0000   F6F1F8F5F2                                                        *61852
  #10   (   17)    +0000   D9C5D4D6E3C540C9  D740C1C4C4D9C5E2   E2                           *REMOTE IP ADDRESS
  #11   (   20)    +0000   7A7A868686867AF1  F9F84BF5F14BF1F0   F04BF1F6                     *::ffff:198.51.100.16
  #12   (   16)    +0000   E3D5C1C3C3C5D7E3  E3C1E2D240404040                                *TNACCEPTTASK    
  #13   (   22)    +0000   D8C9C2D46DD8E3E5  6DE3C5D3D5C5E36D   E2C5D9E5C5D9                 *QIBM_QTV_TELNET_SERVER
The following information is in the trace point entry data:
  • Protocol Negotiated
  • Cipher suite Negotiated
  • Local port and IP address
  • Remote port and IP address
  • Job/Task/Device name
  • Application ID (if used)
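
The following Python script is an added example, not part of the original documentation or of IBM's tooling. It parses a QPCSMPRT listing saved as text, decodes each field from the hex column, and returns the connections whose trace identifier is below a chosen minimum. The function names, the cp037 code page, the one-line-per-field layout (offset +0000 only, as in the sample), and the 17004 default are assumptions.

```python
import re
# Trace identifier -> protocol version, from the table on this page.
TRACE_IDS = {17005: "TLSv1.3", 17004: "TLSv1.2", 17003: "TLSv1.1",
             17002: "TLSv1.0", 17001: "SSLv3", 17000: "SSLv2"}
HEADER = re.compile(r"IDENTIFIER : SC#(\d+)\s+TIME\s+(\S+)\s+(\S+)")
FIELD = re.compile(r"#(\d+)\s+\(\s*(\d+)\)\s+\+0000\s+((?:[0-9A-F]+\s+)+)\*")
# Entry positions of the values, following the sample entry on this page.
SLOTS = {2: "protocol", 3: "cipher", 5: "local_port", 7: "local_ip",
         9: "remote_port", 11: "remote_ip", 12: "job", 13: "app_id"}

def parse_trace(text):
    """Return one dict per trace point entry in a QPCSMPRT listing."""
    entries = []
    for line in text.splitlines():
        if (h := HEADER.search(line)):
            tid = int(h.group(1))
            entries.append({"trace_id": tid, "version": TRACE_IDS.get(tid),
                            "time": f"{h.group(2)} {h.group(3)}"})
        elif entries and (f := FIELD.search(line)):
            num, length = int(f.group(1)), int(f.group(2))
            # Decode the hex column to its stated length; assumes EBCDIC cp037.
            raw = bytes.fromhex("".join(f.group(3).split()))[:length]
            if num in SLOTS:
                entries[-1][SLOTS[num]] = raw.decode("cp037").strip()
    return entries

def older_than(entries, minimum_id=17004):
    """Entries below minimum_id; the TLSv1.2 default is an assumed policy."""
    return [e for e in entries if e["trace_id"] < minimum_id]

# Sample input: the trace point entry shown on this page.
SAMPLE = """\
SOCKETS              IDENTIFIER : SC#17003                         TIME 02/17/15  11:03:33.151908   TDE# 000000003C94
  #1    (   21)    +0000   C3D6D5D5C5C3E3C9  D6D540D7D9D6D7C5   D9E3C9C5E2                    *CONNECTION PROPERTIES
  #2    (    7)    +0000   E3D3E2E5F14BF1                                                    *TLSV1.1
  #3    (   28)    +0000   E3D3E26DD9E2C16D  E6C9E3C86DC1C5E2   6DF1F2F86DC3C2C3  6DE2C8C1   *TLS_RSA_WITH_AES_128_CBC_SHA
  #4    (   10)    +0000   D3D6C3C1D340D7D6  D9E3                                            *LOCAL PORT
  #5    (    3)    +0000   F9F9F2                                                            *992
  #6    (   16)    +0000   D3D6C3C1D340C9D7  40C1C4C4D9C5E2E2                                *LOCAL IP ADDRESS
  #7    (   20)    +0000   7A7A868686867AF1  F9F84BF5F14BF1F0   F04BF1F5                     *::ffff:198.51.100.15
  #8    (   11)    +0000   D9C5D4D6E3C540D7  D6D9E3                                          *REMOTE PORT
  #9    (    5)    +0000   F6F1F8F5F2                                                        *61852
  #10   (   17)    +0000   D9C5D4D6E3C540C9  D740C1C4C4D9C5E2   E2                           *REMOTE IP ADDRESS
  #11   (   20)    +0000   7A7A868686867AF1  F9F84BF5F14BF1F0   F04BF1F6                     *::ffff:198.51.100.16
  #12   (   16)    +0000   E3D5C1C3C3C5D7E3  E3C1E2D240404040                                *TNACCEPTTASK
  #13   (   22)    +0000   D8C9C2D46DD8E3E5  6DE3C5D3D5C5E36D   E2C5D9E5C5D9                 *QIBM_QTV_TELNET_SERVER"""
if __name__ == "__main__":
    for e in older_than(parse_trace(SAMPLE)):
        print(e["time"], e["protocol"], e["cipher"], e["remote_ip"], e["app_id"])
```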