IBM Support

MustGather: SSL problems on WebSphere Liberty

Troubleshooting


Problem

This document describes the process for collecting data for problems with the IBM WebSphere® Application Server Liberty SSL component. Gathering this MustGather information before calling IBM support will help you understand the problem and save time analyzing the data.

Resolving The Problem


Runtime:


This document is for collecting data for LIBERTY. If you want to collect data for WebSphere traditional, see MustGather: SSL problems on WebSphere traditional or click on the WebSphere traditional tab above.

 
  • Read first and MustGathers

    For a listing of all technotes, downloads, and educational materials specific to the Security component, search the WebSphere Application Server support site.

  • Exchange data with IBM Support

    To diagnose or identify a problem, it is sometimes necessary to provide Technical Support with data and information from your system. In addition, Technical Support might also need to provide you with tools or utilities to be used in problem determination. You can submit files using one of following methods to help speed problem diagnosis:


  • SSL on Liberty trace specifications
    • Add the following string to the <logging> element in server.xml:
      SSLChannel=all:com.ibm.ws.ssl.*=all:com.ibm.websphere.ssl=all:com.ibm.wsspi.ssl.*=all
    • Insert the following generic JVM arguments in the jvm.options file:
      -Djavax.net.debug=all
    • Avoid Trouble: The jvm.options file requires one entry per line. Make sure you do not have any extra white space in your jvm.options file.
  • Diagnostic questions
    Please provide answers to the following diagnostic questions:

    Please provide answers to the following diagnostic questions:

    1. Please describe your system environment
      1. Liberty server version
      2. Client OS version
    2. Are you using IBM JDK? If not please specify.
      • Please provide the complete Java™ version used by Liberty:
        • For example, unless the Java version that Liberty uses has been specified under the server.env cofiguration file, you may choose to run one of the following commands:
          For Windows platforms,
          java -version
          For Unix platforms,
          ./java -version
    3. Are you using the default Java Secure Socket Extension (JSSE) providers?
    4. Are you using any third party JCE framework with your application?
    5. Where is the SSL issue occurring?
      1. Between the client (browser) and the Web server?
        For example: When trying to access a Web resource on the Web server over HTTPS.
      2. Between the Web server plug-in and Liberty server?
        For example: When trying to access a Web resource on the Application Server over HTTPS.
      3. Using SSL when connecting to directory servers (LDAP)?
      4. Using your own application to make an SSL connection?
        • Please provide the exact URL or remote server hostname called by your application.
  • Collect data for Liberty (Step-by-Step)

    This section is for collecting data for LIBERTY. If you want to collect data for Websphere traditional click here or see the WebSphere traditional tab above.

    Before you collect data, be sure to answer the Diagnostic questions in the section above.

    You may choose to follow this step-by-step document or you can watch the video in the Collect data for Liberty (Video) section below.

    SSL issues on Liberty may be difficult to troubleshoot. Please make sure to collect all the information below. When all the information for your issue is ready, follow the instructions on Exchanging information with IBM Technical Support for problem determination to send the information and files that you collected.

     

    SET UP LIBERTY FOR SSL TRACING

    1. Set up the JVM for SSL tracing
      1. Locate your jvm.options file
        1. The jvm.options files can be found under the following path:
          <LIBERTY_HOME>/usr/servers/<server name>/jvm.options
          • If the jvm.options file does not exist, create it with a text editor.
        2. Insert the following generic JVM arguments to the jvm.options file:
          -Djavax.net.debug=all
          • Avoid Trouble: There is one entry per line in this file. Make sure you do not have any extra white space in your jvm.options file.
        3. Save the changes to your jvm.options file.
          • Your changes will not be picked up by the JVM until the server is restarted.
    2. Set up the Liberty server for SSL tracing
    3. Verify that your tracing is working as intended
      1. Stop the Liberty Server
      2. Delete any existing logs files found under the logs directory:
        <LIBERTY_HOME>/usr/servers/<serverName>/logs
      3. Restart the Liberty Server and review the logs to confirm that they are recent.
      4. Verify that the new Liberty trace setting has been picked up by reviewing the upper part of the trace.log file.
     

    COLLECT LIBERTY SSL TRACES

    Avoid trouble: It is important that SSL traces be gathered from Liberty server startup.
     
    1. Stop the Liberty server
    2. Restart the Liberty server
    3. Reproduce the problem, making note of time when the problem occurs
     

    GATHER LIBERTY DATA TO SEND TO IBM SUPPORT

      • Use the "dump" command to generate a .zip file containing the logs and config files which can be sent to support.
        For Windows platforms, run:
        <LIBERTY_HOME>\bin\server.bat dump <serverName>

        For UNIX platforms, run:
        <LIBERTY_HOME>/bin/server dump <serverName>
      • Collect the resulting dump zip file with date & time. These files can be found under the following path:
        <LIBERTY_HOME>/usr/servers/<serverName>

        File name example:
        (myserver.dump-17.03.20_22.20.57.zip)
      • Collect the java.security file from your JDK. This file can be found under the following path:
        JAVA_HOME\lib\security\java.security

     
  • Collect data for WebSphere Liberty (video)

    This section is for collecting data for LIBERTY. If you want to collect data for Websphere traditional click here or see the WebSphere traditional tab above.

    Before you collect data, be sure to answer the Diagnostic questions in the section above.

    You may choose to watch this video or follow the step-by-step instructions in the in the Collect data for Liberty (Step-by-Step) section above.

    SSL issues on Liberty may be difficult to troubleshoot. Please make sure to collect all the information described in the video. When all the information for your issue is ready, follow the instructions on Exchanging information with IBM Technical Support for problem determination to send the information and files that you collected.

    The following video goes over the necessary steps to collect data for a SSL problem on Liberty.

Note:

This document uses the term WebSphere traditional to refer to WebSphere Application Server v9.0 traditional, WebSphere Application Server v8.5 full profile, WebSphere Application Server v8.0 and earlier, WebSphere classic, traditional WebSphere, traditional WAS and tWAS.
 

[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Component":"Security","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF012","label":"IBM i"},{"code":"PF013","label":"Inspur K-UX"},{"code":"PF016","label":"Linux"},{"code":"PF022","label":"OS X"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"},{"code":"PF035","label":"z\/OS"}],"Version":"9.0;8.5.5;16.0.0.x;17.0.0.x;18.0.0.x;19.0.0.x","Edition":"Liberty","Line of Business":{"code":"LOB15","label":"Integration"}}]

Document Information

Modified date:
08 October 2019

UID

swg22003654