Collect troubleshooting data for SSL handshake and configuration problems with IBM® HTTP Server. Gathering this information before calling IBM support will help familiarize you with the troubleshooting process and save you time.
Resolving The Problem
If you have already contacted support, continue on to the component-specific MustGather information. Otherwise, click: MustGather: Read first for IBM HTTP Server.
SSL handshake and configuration specific MustGather information
The following contains a list of files that are needed for debugging SSL handshake and configuration issues.
Enabling traces for GSKit and SSL:
- Stop IBM HTTP Server.
- Clear all logs in the install_root/logs directory.
If you elect not to clear all of the logs, be sure to remove the gsktrace* files.
- Turn on IBM HTTP Server verbose logging for SSL
- Change LogLevel in httpd.conf
- IBM HTTP Server 7.0, 8.0, 8.5:
Change LogLevel to "debug".
- IBM HTTP Server 9.0:
Change LogLevel to "debug ibm_ssl:trace8"
- Append the SSLTrace directive to the bottom of the httpd.conf file.
- If the issue may relate to interaction with the application server, edit the plugin-cfg.xml file and change LogLevel to Trace (Plug-in Trace); for example:
<Log LogLevel="Trace" Name="/pathto/logs/http_plugin.log"/>
After 22.214.171.124, it will be set up automatically in either direction. If ibm_ssl:trace8 is set, SSLTrace will be set. If SSLTrace is set but no ibm_ssl:trace1 or higher was set, ibm_ssl:trace8 will be set automatically.
- For Windows, create the following system variables:
Set the value with the name for the log file; for example:
2) Set additional variables:
- For UNIX, as the user ID that starts the IBM HTTP Server, create the following environment variables in the install_root/bin/envvars file:
- httpd.conf, error_log, access_log (or your customized equivalents)
- gsktrace_log* (gsktrace_log, gsktrace_log.1, ...)
- Binary output of packet capture (*.pcap)
- key.kdb, key.crl, key.rdb, key.sth (include password)
- http_plugin.log, plugin-cfg.xml
- plugin-key.kdb, plugin-key.sth (include password)
- Include the date and time of failure along with the browser version and the full URL that resulted in the SSL failure.
- WebSphere Application Server logs and trace where applicable
- IBM HTTP Server version.
Type one of the following commands to display the full IBM HTTP Server version:
- For Windows: ihs_install_root/apache -v
- For UNIX: ihs_install_root/bin/apachectl -V
- Global Security Kit (GSKit) version. Execute the following command and capture the output:
For a listing of all technotes, downloads, and educational materials specific to IBM HTTP Server SSL handshake and configuration issues, search the IBM HTTP Server support site.
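The trace settings from "Enabling traces for GSKit and SSL" above can be verified before the failure is reproduced, so the collected logs actually contain the SSL trace. The script below is an added example, not IBM tooling: the function names are hypothetical, and it assumes httpd.conf sits at install_root/conf/httpd.conf and that Include files need not be followed. For 9.0 it requires both ibm_ssl:trace8 and SSLTrace, which is stricter than necessary on fix levels where one implies the other.

```shell
#!/bin/sh
# Added example: pre-flight check of the trace settings listed above.
# Assumptions: httpd.conf is at install_root/conf/httpd.conf, Include files
# are not followed, and every function name here is hypothetical.

# Print the value of the last uncommented LogLevel directive.
ihs_loglevel() {
    awk 'tolower($1) == "loglevel" { $1 = ""; sub(/^ +/, ""); v = $0 }
         END { print v }' "$1"
}

# Succeed if LogLevel is what the page asks for this IHS version.
ihs_loglevel_ok() {   # $1 = httpd.conf, $2 = 7.0 | 8.0 | 8.5 | 9.0
    level=" $(ihs_loglevel "$1" | tr 'A-Z' 'a-z') "
    case "$2" in
        9.0) case "$level" in *" debug "*) ;; *) return 1 ;; esac
             case "$level" in *" ibm_ssl:trace8 "*) ;; *) return 1 ;; esac ;;
        *)   [ "$level" = " debug " ] ;;
    esac
}

# Succeed if an uncommented SSLTrace directive is present.
ihs_has_ssltrace() {
    grep -Eiq '^[[:space:]]*SSLTrace([[:space:]]|$)' "$1"
}

# Print any gsktrace* files still in the logs directory (none expected).
ihs_stale_gsktrace() {
    for f in "$1"/gsktrace*; do
        if [ -e "$f" ]; then echo "$f"; fi
    done
}

# Run all checks: one line per problem, non-zero status if any failed.
ihs_preflight() {   # $1 = install_root, $2 = IHS version
    conf="$1/conf/httpd.conf"; rc=0
    ihs_loglevel_ok "$conf" "$2" || { echo "FAIL LogLevel is '$(ihs_loglevel "$conf")'"; rc=1; }
    ihs_has_ssltrace "$conf" || { echo "FAIL SSLTrace directive missing"; rc=1; }
    [ -z "$(ihs_stale_gsktrace "$1/logs")" ] || { echo "FAIL stale gsktrace* files in logs"; rc=1; }
    if [ "$rc" -eq 0 ]; then echo "OK trace settings in place"; fi
    return "$rc"
}

# Constructed demo: throwaway install root with a 9.0-style httpd.conf.
demo=$(mktemp -d)
mkdir -p "$demo/conf" "$demo/logs"
printf 'LogLevel debug ibm_ssl:trace8\nSSLTrace\n' > "$demo/conf/httpd.conf"
ihs_preflight "$demo" 9.0
rm -rf "$demo"
```

Run `ihs_preflight` with the real install root and version after editing httpd.conf and before restarting IBM HTTP Server to reproduce the failure.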
Submitting information to IBM support
To diagnose or identify a problem, it is sometimes necessary to provide Technical Support with data and information from your system. In addition, Technical Support might also need to provide you with tools or utilities to be used in problem determination. You can submit files using one of the following methods to help speed problem diagnosis: