Troubleshooting
Problem
Collecting data for problems with the Java™ Security (JSSE/JCE) and SSL component in IBM WebSphere Application Server traditional. Gathering this MustGather information before you call IBM support can help you understand the problem and save time analyzing the data.
Resolving The Problem
Runtime:
This document describes how to obtain the following troubleshooting data for the SSL component:
Trace from server startup and configuration information (collector JAR file)
Diagnostic questions
JSSE client-side trace (if requested)
|
This document is for collecting data for WEBSPHERE TRADITIONAL. If you want to collect data for Liberty, see MustGather: SSL problems on WebSphere Liberty or click the Liberty tab above. |
- Collect data for WebSphere traditional (step by step)
- You can choose to follow this step-by-step document or you can watch the video in the Collect data for WebSphere traditional (video) section below.
- Before you collect data, be sure to answer the Diagnostic questions in the section above.
1. ADD THE javax.net.debug JVM PROPERTY- Set the following Java virtual machine (JVM) custom property for the JVM being traced:
javax.net.debug=all
Note: If you were not told which JVM to trace, or for some reason you are not sure which of the JVMs need this kind of tracing, set it on all of them. - In the administrative console, set the javax.net.debug system property by using one of the following options, depending on where the SSL issue is occurring:
- For tracing an Application server, select the following:
Servers > Server Types > WebSphere Application Servers > server_name > Expand Java and Process Management (under Server Infrastructure) >Process definition > Java Virtual Machine > Custom properties > New... - For tracing a Deployment Manager, select the following:
System Administration > Deployment manager > Expand Java and Process Management (under Server Infrastructure) >Process definition > Java Virtual Machine > Custom properties > New... - For tracing a Node agent, select the following:
System Administration > Node agents > (pick a node agent) > Expand Java and Process Management (under Server Infrastructure) >Process definition > Java Virtual Machine > Custom properties > New...
- For tracing an Application server, select the following:
- Enter the following:
Name: javax.net.debug
Value: all - Click Apply, then Save
2. SET UP WEBSPHERE TRADITIONAL FOR SSL TRACING- In the administrative console, click Troubleshooting > Logs and Trace.
- On the Logging and Tracing page, click the server that you want to trace.
- Click Diagnostic Trace.
- Set up the trace output:
- On the Configuration tab, under Trace Output, click File, then
- Increase the Maximum File Size to at least 50 MB
- Increase the Maximum Number of Historical Files to at least 20
-
Unless otherwise specified by support, choose Basic (Compatible) for the Trace Output Format.
-
Click Apply.
- On the Configuration tab, under Trace Output, click File, then
-
Set the trace static specification:
-
Under Additional Properties, click Change Log Detail Levels.
-
On the Configuration tab, in the box under Change log detail levels, set the trace specification to:
*=info:SSL=all
-
- Make sure that you get a SystemOut.log file:
- Click JVM Logs
- Under System.out > Installed Application Output, make sure that Show application print statements is checked.
- Click OK
-
Save your configuration (choose the Synchronize changes with Nodes option)
-
(If requested by IBM support) set up JSSE client-side trace for client the application.
Tracing does not start until the server is restarted.
3. COLLECT WEBSPHERE TRADITIONAL SSL TRACESAvoid delay: It is important that SSL traces be gathered from server startup.
For each WebSphere server that you are tracing:- Stop the server.
- Backup and clear the logs and FFDC directories.
- Start the server
- Reproduce the problem, making note of time when the problem occurs
4. GATHER WEBSPHERE TRADITIONAL SSL DATA TO SEND TO IBM
Avoid delay: All of the following data is required for proper problem determination of most issues. Do not send a subset of this data unless you were instructed to do so by IBM support.
Data to sendInstructionsDiagnostic questions Answer the Diagnostic questions in the section above. A collector JAR file
Note: You need to run the collector tool on each <PROFILE_ROOT> in which you enabled trace.
From a temporary directory, run the Collector Tool, collector.sh,or collector.bat, which is located in the <PROFILE_ROOT>/bin directory.
If there is a message about the collector tool being deprecated, ignore it. The collector tool is the tool IBM support needs you to run.JSSE client-side trace
(if requested)This file is only required if you were asked by IBM support to collect a JSSE client-side trace.
See the information in Exchanging information with IBM Technical Support for problem determination to send this diagnostic information to IBM support.
- Collect data for WebSphere traditional (video)
- You can choose to watch this video or follow the step-by-step instructions in the Collect data for WebSphere traditional (step by step) section above.
- Before you collect data, be sure to answer the Diagnostic questions in the section above.
The following video goes over the necessary steps to collect data for an SSL problem on WebSphere traditional.Make sure to collect all the information described in the video. When all the information for your issue is ready, follow the instructions on Exchanging information with IBM Technical Support for problem determination to send the information and files that you collected.
- Diagnostic questions
Provide answers to the following diagnostic questions:
- Are you using the default Java Secure Socket Extension (JSSE) providers?
- Are you using any third-party JCE framework with your application?
- Where is the SSL issue occurring?
When you are using SSL to connect to to a directory server (like LDAP)?When you are using your own application to make an SSL connection?
If so, provide the exact URL or remote server hostname that is called by your application. Between the client (browser) and the web server?For example, when you attempt to access a Web resource on the web server over HTTPS. Between the client (browser) and the Application Server built-in web server?For example, when you attempt to access the Application Server administrative console. Between the web server plug-in and the Application Server?For example, when you attempt to access a Web resource on the Application Server over HTTPS.
- Collect JSSE client-side trace
JSSE client-side traces are required when you are observing SSL issues with a Java application that is interacting with a running WebSphere Application Server process.
See the instructions in the Collect JSSE client-side trace section on Setting up a trace in WebSphere Application Server to collect a JSSE client-side trace.
- Exchange data with IBM Support
To diagnose or identify a problem, it is sometimes necessary to provide Technical Support with data and information from your system. In addition, Technical Support might also need to provide you with tools or utilities for you to use during problem determination. You can submit files by using one of the following methods to help speed problem diagnosis:
- Service Request (SR)
- FTP to the Enhanced Customer Data Repository (ECuRep)
Exchanging information with IBM Technical Support for problem determination
Related Information
WebSphere Application Server support
Submitting information to IBM support
MustGather: Read first for WebSphere Application Server and Liberty
MustGather: Core Security problems for WebSphere traditional and Liberty
MustGather: SPNEGO problems on WebSphere traditional
MustGather: Web Services Security (WS-Security) problems with WebSphere Applica…
Was this topic helpful?
Document Information
Modified date:
27 February 2024
UID
swg21162961