Troubleshooting IBM HTTP Server documentation

Troubleshooting

This section provides information to help you identify problems, gather or look at information regarding these problems, and get additional help if you need it. Links to related topics appear at the end of this section.

Knowing what to do first

Perform the following steps:

Pertains to AIX users
Pertains to HP users
Pertains to Linux users
Pertains to Solaris users
Pertains to Windows users
  • Ensure you run the IBM Developer Kit, Java Edition V1.4, or the Java Runtime Environment (JRE) V1.4 on AIX, Linux, HP, Solaris and Windows operating systems. You must install and run the IBM Developer Kit, Java edition, or the JRE yourself.
  • Check the error log to help you determine the type of problem. You can find the error logs in the directory specified by the ErrorLog directive in the configuration file. Depending on the operating system, the default directories are:

    • On AIX: /usr/IBMIHS/logs/error_log
    • On HP: /opt/IBMIHS/logs/error_log
    • On Linux: /opt/IBMIHS/logs/error_log
    • On Solaris: /opt/IBMIHS/logs/error_log
    • On Windows: <server_root>\logs\error.log
Pertains to Windows operating systems

Experiencing an IBM HTTP Server Service logon failure on Windows operating systems

When installing the IBM HTTP Server, prompts appear for a login ID and password. The ID you select must have the capability to log on as a service. If you get an error when you try to start the IBM HTTP Server Service, indicating a failure to start as a service, try one of the following:

  1. Click Start > Programs > Administrative Tools > User Manager.
  2. Select the user from the User Manager list.
  3. Click Policies > User Rights.
  4. Select the Show Advanced User Rights check box.
  5. Click Log on as a Service, from the right drop-down menu.

Pertains to Windows operating systems

  1. Click Start > Settings > Control Panel.
  2. Open Administrative Tools.
  3. Open Services. The local user you select is created in Local Users and Groups, under Computer Management.
  4. Click Service > Actions > Properties.
  5. Choose the Log on tab.
  6. Select this account option and click Browse, to select the user to associate with the service.

 

Identifying symptoms of poor server response time

If you notice that server CPU utilization appears low, but client requests for static pages take a long time to service, your server may be running out of server threads to handle requests. This situation results when you have more inbound requests than you have Apache threads to handle those requests. New connections queue in the TCP/IP stack listen queue wait for acceptance from an available thread. As a thread becomes available, it accepts and handles a connection off of the listen queue. Connections can take a long time to reach the top of the listen queue. This condition will be logged in a single error message in the error log:

  • The message on AIX, Linux, Solaris, or HP-UX is: "Server reached MaxClients setting, consider raising the MaxClients setting"
  • The message on Windows platforms is: "Server ran out of threads to serve requests. Consider raising the ThreadsPerChild setting"

If you configured Apache to listen on multiple ports, you can find responses slow on one port (port 80, for example) but adequate on another port (port 443, for example). The disparity in response time results from each port having its own listen queue. You may have a deep port 80 queue and a shallow port 443 queue. Apache does not attempt to balance the number of connections received from each queue. When a connection becomes available, Apache and the operating system consume from either queue at random.
To address this scenario, add more Apache threads to handle inbound connections. This is accomplished by increasing the number of processes or increasing the number of threads per process.

 

Identifying error messages

SSL error messages are in the format: SSLnnnnX, where:

  • nnnn: Equals a four digit error number
  • 0100-0199: Indicates an initialization message
  • 0200-0299: Indicates a handshake message
  • 0300-0399: Indicates configuration messages
  • 0400-0499: Indicates I/O messages
  • 0600-0699: Indicates caching messages
  • 0700-0799: Indicates SSL Stash utility messages
  •  

  • X: Message level
  • I: Informational
  • E: Error
  • W: Warning
  • S: Severe

Initialization messages

The following messages appear due to initialization problems:

  • Message: SSL0100S: GSK could not initialize, <errorCode>.
    • Reason: Initialization failed when the SSL library returned an unknown error.
    • Solution: None. Report this problem to Service.
  • Message: SSL0101S: GSK could not initialize, Neither the password nor the stash file name was specified. Could not open key file.
    • Reason: The stash file for the key database could not be found or is corrupted.
    • Solution: Use IKEYMAN to open the key database file and recreate the password stash file.
  • Message: SSL0102E: GSK could not initialize, Could not open key file.
    • Reason: The server could not open the key database file.
    • Solution: Check that the Keyfile directive is correct and that the file permissions allow the Web server user ID to access the file.
  • Message:SSL0103E: Internal error - GSK could not initialize, Unable to generate a temporary key pair.
    • Reason: GSK could not initialize; Unable to generate a temporary key pair.
    • Solution: Report this problem to Service.
  • Message:SSL0104E: GSK could not initialize, Invalid password for key file.
    • Reason: The password retrieved from the stash file could not open the key database file.
    • Solution: Use IKEYMAN to open the key database file and recreate the password stash file. This problem could also result from a corrupted key database file. Creating a new key database file may resolve the problem.
  • Message:SSL0105E: GSK could not initialize, Invalid label.
    • Reason: Specified key label is not present in key file
    • Solution: Check that the SSLServerCert directive is correct, if coded, and that the label is valid for one of the keys in the key database.
  • Message:SSL0106E: Initialization error, Internal error - Bad handle
    • Reason: An internal error has occurred.
    • Solution: Report this problem to Service.
  • Message:SSL0107E: Initialization error, The GSK library unloaded.
    • Reason: A call to the GSKit function failed because the dynamic link library unloaded (Windows only).
    • Solution: Shut down the server and restart.
  • Message:SSL0108E: Initialization error, GSK internal error.
    • Reason: The communication between client and the server failed due to an error in the GSKit library.
    • Solution: Retry connection from the client. If the error continues, report the problem to Service.
  • Message:SSL0109E: GSK could not initialize, Internal memory allocation failure.
    • Reason: The server could not allocate memory needed to complete the operation.
    • Solution: Take action to free up some additional memory. Try reducing the number of threads or processes running, or increasing virtual memory.
  • Message:SSL0110E: Initialization error, GSK handle is in an invalid state for operation.
    • Reason: The SSL state for the connection is invalid.
    • Solution: Retry connection from the client. If the error continues, report the problem to Service.
  • Message:SSL0111E: Initialization error, Key file label not found.
    • Reason: Certificate or key label specified was not valid.
    • Solution: Verify that the certificate name specified with the SSLServerCert directive is correct or, if no SSLServerCert directive was coded, that a default certificate exists in the key database.
  • Message:SSL0112E: Initialization error, Certificate is not available.
    • Reason: The client did not send a certificate.
    • Solution: Set Client Authentication to optional if a client certificate is not required. Contact the client to determine why it is not sending an acceptable certificate.
  • Message:SSL0113E: Initialization error, Certificate validation error.
    • Reason: The received certificate failed one of the validation checks.
    • Solution: Use another certificate. Contact Service to determine why the certificate failed validation.
  • Message:SSL0114E: Initialization error, Error processing cryptography.
    • Reason: A cryptography error occurred.
    • Solution: None. If the problem continues, report it to Service.
  • Message:SSL0115E: Initialization error, Error validating ASN fields in certificate.
    • Reason: The server was not able to validate one of the ASN fields in the certificate.
    • Solution: Try another certificate.
  • Message:SSL0116E: Initialization error, Error connecting to LDAP server.
    • Reason: The Web server failed to connect to the CRL LDAP server.
    • Solution: Verify that the values entered for the SSLCRLHostname and SSLCRLPort directives are correct. If access to the CRL LDAP server requires authentication, is the SSLCRLUserID directive coded and was the password added to the stash file pointed to by the SSLStashfile directive.
  • Message:SSL0117E: Initialization error, Internal unknown error. Report problem to Service.
    • Reason: An unknown error has occurred in the SSL library.
    • Solution: Report the problem to Service.
  • Message:SSL0118E: Initialization error, Open failed due to cipher error.
    • Reason: An unknown error has occurred in the SSL library.
    • Solution: Report the problem to Service.
  • Message:SSL0119E: Initialization error, I/O error reading key file.
    • Reason: The server could not read the key database file.
    • Solution: Check file access permissions and verify the Web server user ID is allowed access.
  • Message:SSL0120E: Initialization error, Key file has an invalid internal format.
    • Reason: Key file has an invalid format.
    • Solution: Recreate key file.
  • Message:SSL0121E: Initialization error, Key file has two entries with the same key. Use IKEYMAN to remove the duplicate key.
    • Reason: Two identical keys exist in key file.
    • Solution: Use IKEYMAN to remove duplicate key.
  • Message:SSL0122E: Initialization error, Key file has two entries with the same label. Use IKEYMAN to remove the duplicate label.
    • Reason: A second certificate with the same label was placed in the key database file.
    • Solution: Use IKEYMAN to remove duplicate label.
  • Message:SSL0123E: Initialization error, Either the key file has become corrupted or the password is incorrect.
    • Reason: The key file password is used as an integrity check and the test failed. Either the key database file is corrupted or the password is incorrect.
    • Solution: Use IKEYMAN to stash the key database file password again. If that fails, recreate the key database.
  • Message:SSL0124E: Initialization error, The default key in the key file has an expired certificate. Use IKEYMAN to remove certificates that are expired.
    • Reason: The certificate has expired.
    • Solution: Use IKEYMAN to select another certificate as the default.
  • Message:SSL0125E: Initialization error, There was an error loading one of the GSKdynamic link libraries.
    • Reason: An open of the SSL environment resulted in an error because one of the GSKdynamic link libraries could not be loaded.
    • Solution: Contact support to make sure the GSKit is installed correctly.
  • Message: SSL0126E: Initialization error, Invalid date.
    • Reason: The system date was set to an invalid date.
    • Solution: Change the system date to a valid date.
  • Message:SSL0127E: Initialization error, No ciphers specified.
    • Reason: SSLV2 and SSLV3 are disabled.
    • Solution: None. Report this problem to Service.
  • Message:SSL0128E: Initialization error, No certificate.
    • Reason: The client did not send a certificate.
    • Solution: Set Client Authentication to optional if a client certificate is not required. Contact the client to determine why it is not sending a certificate.
  • Message:SSL0129E: Initialization error, The received certificate was formatted incorrectly.
    • Reason: The client did not specify a valid certificate.
    • Solution: Client problem.
  • Message:SSL0130E: Initialization error, Unsupported certificate type.
    • Reason: The certificate type received from the client is not supported by this version of IBM HTTP Server SSL.
    • Solution: The client must use a different certificate type.
  • Message:SSL0131I: Initialization error, I/O error during handshake.
    • Reason: The communication between the client and the server failed. This is a common error when the client closes the connection before the handshake has completed.
    • Solution: Retry the connection from the client.
  • Message:SSL0132E: Initialization error, Invalid key length for export.
    • Reason: In a restricted cryptography environment, the key size is too long to be supported.
    • Solution: Select a certificate with a shorter key.
  • Message:SSL0133W: Initialization error, An incorrectly formatted SSL message was received.
    • Reason: The SSL message is incorrectly formatted.
    • Solution: Check and correct the SSL format.
  • Message:SSL0134W: Initialization error, Could not verify MAC.
    • Reason: The communication between the client and the server failed.
    • Solution: Retry the connection from the client.
  • Message:SSL0135W: Initialization error, Unsupported SSL protocol or unsupported certificate type.
    • Reason: The communication between the client and the server failed because the client is trying to use a protocol or certificate which IBM HTTP Server does not support.
    • Solution: Retry the connection from the client using a SSL Version 2 or 3, or TLS 1 protocol. Try another certificate.
  • Message:SSL0136W: Initialization error, Invalid certificate signature.
  • Message:SSL0137W: Initialization error, Invalid certificate sent by client.
    • Reason: The client did not specify a valid certificate.
    • Solution: Client problem.
  • Message:SSL0138W: Initialization error, Invalid peer.
  • Message:SSL0139W: Initialization error, Permission denied.
  • Message:SSL0140W: Initialization error, The self-signed certificate is not valid.
  • Message:SSL0141E: Initialization error, Internal error - read failed.
    • Reason: The read failed.
    • Solution: None. Report this error to Service.
  • Message:SSL0142E: Initialization error, Internal error - write failed.
    • Reason: The write failed.
    • Solution: None. Report this error to Service.
  • Message:SSL0143I: Initialization error, Socket has been closed.
    • Reason: The client closed the socket before the protocol completed.
    • Solution: Retry connection between client and server.
  • Message:SSL0144E: Initialization error, Invalid SSLV2 Cipher Spec.
    • Reason: The SSL Version 2 cipher specifications passed into the handshake were invalid.
    • Solution: Change the specified Version 2 cipher specs.
  • Message:SSL0145E: Initialization error, Invalid SSLV3 Cipher Spec.
    • Reason: The SSL Version 3 cipher specifications passed into the handshake were invalid.
    • Solution: Change the specified Version 3 cipher specs.
  • Message:SSL0146E: Initialization error, Invalid security type.
    • Reason: There was an internal error in the SSL library.
    • Solution: Retry the connection from the client. If the error continues, report the problem to Service.
  • Message:SSL0147E: Initialization error, Invalid security type combination.
    • Reason: There was an internal error in the SSL library.
    • Solution: Retry the connection from the client. If the error continues, report the problem to Service.
  • Message:SSL0148E: Initialization error, Internal error - SSL Handle creation failure.
    • Reason: There was an internal error in the security libraries.
    • Solution: None. Report this problem to Service.
  • Message:SSL0149E: Initialization error, Internal error - GSK initialization has failed.
    • Reason: An error in the security library has caused SSL initialization to fail.
    • Solution: None. Report this problem to Service.
  • Message:SSL0150E: Initialization error, LDAP server not available.
    • Reason: Unable to access the specified LDAP directory when validating a certificate
    • Solution: Check that the SSLCRLHostname and SSLCRLPort directives are correct. Make sure LDAP server is available.
  • Message:SSL0151E: Initialization error, The specified key did not contain a private key.
    • Reason: The key does not contain a private key.
    • Solution: Create a new key. If this was an imported key, include the private key when doing the export.
  • Message:SSL0152E: Initialization error, A failed attempt was made to load the specified PKCS#11 shared library.
    • Reason: An error occurred while loading the PKCS#11 shared library.
    • Solution: Verify that the PKCS#11 shared library specified in the SSLPKCSDriver directive is valid.
  • Message:SSL0153E: Initialization error, The PKCS#11 driver failed to find the token specified by the caller.
    • Reason: The specified token was not found on the PKCS#11 device.
    • Solution: Check that the token label specified on the SSLServerCert directive is valid for your device.
  • Message:SSL0154E: Initialization error, A PKCS#11 token is not present for the slot.
    • Reason: The PKCS#11 device has not been initialized correctly.
    • Solution: Specify a valid slot for PKCS#11 token or initialize the device.
  • Message:SSL0155E: Initialization error, The password/pin to access the PKCS#11 token is invalid.
    • Reason: Specified user password and pin for PKCS#11 token is not present or invalid.
    • Solution: Check that the correct password was stashed using the SSLStash utility and that the SSLStashfile directive is correct.
  • Message:SSL0156E: Initialization error, The SSL header received was not a properly SSLV2 formatted header.
    • Reason: The data received during the handshake does not conform to the SSLV2 protocol.
    • Solution: Retry connection between client and server. Verify that the client is using HTTPS.
  • Message:SSL0157E: Initialization error, The function call, <function> has an invalid ID.
    • Reason: An invalid function ID was passed to the specified function.
    • Solution: None. Report this problem to Service.
  • Message:SSL0158E: Initialization error, Internal error - The attribute has a negative length: <function>.
    • Reason: The length value passed to the function is negative, which is invalid.
    • Solution: None. Report this problem to Service.
  • Message:SSL0159E: Initialization error, The enumeration value is invalid for the specified enumeration type: <function>.
    • Reason: The function call contains an invalid function ID.
    • Solution: None. Report this problem to Service.
  • Message:SSL0160E: Initialization error, The SID cache is invalid: <function>.
    • Reason: The function call contains an invalid parameter list for replacing the SID cache routines.
    • Solution: None. Report this problem to Service.
  • Message:SSL0161E: Initialization error, The attribute has an invalid numeric value: <function>.
    • Reason: The function call contains an invalid value for the attribute being set.
    • Solution: None. Report this problem to Service.
  • Message:SSL0162W: Setting the LD_LIBRARY_PATH for GSK failed. (SOLARIS2)
  • Message:SSL0162W: Setting the LD_LIBRARY for GSK failed. (LINUX)
  • Message:SSL0162W: Setting the LIBPATH for GSK failed. (AIX)
  • Message:SSL0162W: Setting the SHLIB_PATH for GSK failed. (HPUX11)
    • Reason: Memory allocation failure.
    • Solution: The process is low on memory and should be restarted.
  • Message:SSL0163W: Setting the LD_LIBRARY_PATH for GSK failed, could not append /usr/lib.(SOLARIS2)
  • Message:SSL0163W: Setting the LD_LIBRARY for GSK failed, could not append /usr/lib.(LINUX)
  • Message:SSL0163W: Setting the LIBPATH for GSK failed, could not append /usr/opt/ibm/gskkm/lib.(AIX)
  • Message:SSL0163W: Setting the SHLIB_PATH for GSK failed, could not append /usr/lib.(HPUX11)
    • Reason: Memory allocation failure.
    • Solution: The process is low on memory and should be restarted.
  • Message:SSL0164W: Error accessing Registry, <function> returned <code>.
    • Reason: Memory allocation failure.
    • Solution: The process is low on memory and should be restarted.
  • Message:SSL0165W: Storage allocation failed.
    • Reason: Memory allocation failure.
    • Solution: The process is low on memory and should be restarted.
  • Message:SSL0166E: Failure attempting to load GSK library.
    • Reason: Either the GSK toolkit is not installed, a permissions problem exists, or the file does not exist.
    • Solution: Install the GSK toolkit, and check permissions on the library.
  • Message:SSL0167E: GSK function address undefined.
    • Reason: Incorrect version of the GSK installed.
    • Solution: Install the correct version of the GSK.
  • Message:SSL0168E: SSL initialization for server: <server>, port: <port> failed due to a configuration error
    • Reason: There was an error parsing the SSLClientAuthRequire directive.
    • Solution: Check the syntax of this directive.
  • Message:SSL0169E: Key file does not exist: <key file>.
    • Reason: The file name specified for key file directive does not exist.
    • Solution: Check the key file directive. Use a fully qualified path and file name. If there are blanks in the path or file name, the directive should be enclosed in quotes.
  • Message:SSL0170E: GSK could not initialize, no key file specified.
    • Reason: There is no key database file listed for this Virtual host.
    • Solution: Use the Keyfile directive to configure the key database file to use for SSL.
  • Message:SSL0171E: CRL cannot be specified as an option for the SSLClientAuth directive on HP-UX because the IBM HTTP Server does not support CRL on HP-UX
    • Reason: Client certificate revocation checking is not supported on HP.
    • Solution: Remove the CRL option from the SSLClientAuth directive.
  • Message:SSL0172E: If CRL is turned on, you must specify an LDAP host name for the SSLCRLHostname directive"
    • Reason: Certificate Revocation List (CRL) checking was enabled by the CRL option on the SSLClientAuth directive but the LDAP server containing the CRL was not specified.
    • Solution: Specify the LDAP server address using the SSLCRLHostname directive.
  • Message:SSL0173E: Failure obtaining supported cipher specs from the GSK library.
    • Reason: An internal error has occurred.
    • Solution: Report this problem to Service.
  • Message:SSL0174I: No CRL password found in the stash file: <file name>.
    • Reason: Certificate revocation list checking has been enabled which requires accessing an LDAP server but there is no password in the SSL Stash file to use to authorize the Web server to the LDAP server.
    • Solution: If accessing the LDAP server using an anonymous bind this message can be ignored. For authorized access, a password must be stashed in a file using the SSLStash utility.
  • Message:SSL0174I: No CRYPTO password found in the stash file: <file name>.
    • Reason: SSL has been configured to use a PKCS 11 type cryptographic card but there is no password in the SSL stash file to use to access the cryptographic card token.
    • Solution: Stash the password a file using the SSLStash utility.
  • Message:SSL0175E: fopen failed for stash file: <file name>
    • Reason: An internal error has occurred.
    • Solution: Report this problem to Service.
  • Message:SSL0176E: fread failed for the stash file: <file name>
    • Reason: An internal error has occurred.
    • Solution: Report this problem to Service.
  • Message:SSL0177E: stash_recover <file>,\<function>\, pw_buf, NULL > failed, invalid version <version>.
    • Reason: The SSL stash file was created with an incompatible level of the SSLStash utility.
    • Solution: Create a new stash file using the SSLStash utility included with this version of the IBM HTTP Server.
  • Message:SSL0178E: stash_recover <file>,\<function>\", pw_buf, NULL > failed with invalid function.
    • Reason: An internal error has occurred.
    • Solution: Report this problem to Service.
  • Message:SSL0179E: Unknown return code from stash_recover(), <code>
    • Reason: An internal error has occurred.
    • Solution: Report this problem to Service.
  • Message:SSL0180S: Unable to start session ID cache: %s\n
  • Message:SSL0181S: Unable to fork for startup of session ID cache\n

    Handshake messages

    The following messages appear due to handshake failures:

    • Message:SSL0200E: Handshake Failed, <code>.
      • Reason: The handshake failed when the SSL library returned an unknown error.
      • Solution: None. Report this problem to Service.
    • Message:SSL0201E: Handshake Failed, Internal error - Bad handle.
      • Reason: An internal error has occurred.
      • Solution: Report this problem to Service.
    • Message:SSL0202E: Handshake Failed, The GSK library unloaded.
      • Reason: A call to the GSKit function failed because the dynamic link library unloaded (Windows operating systems only).
      • Solution: Shut down the server and restart.
    • Message:SSL0203E: Handshake Failed, GSK internal error.
      • Reason: The communication between client and the server failed due to an error in the GSKit library.
      • Solution: Retry connection from the client. If the error continues, report the problem to Service.
    • Message:SSL0204E: Handshake Failed, Internal memory allocation failure.
      • Reason: The server could not allocate memory needed to complete the operation.
      • Solution: Take action to free up some additional memory. Try reducing the number of threads or processes running, or increasing virtual memory.
    • Message:SSL0205E: Handshake Failed, GSK handle is in an invalid state for operation.
      • Reason: The SSL state for the connection is invalid.
      • Solution: Retry connection from the client. If the error continues, report the problem to Service.
    • Message:SSL0206E: Handshake Failed, key file label not found.
      • Reason: Certificate or key label specified was not valid.
      • Solution: Verify that the certificate name specified with the SSLServerCert directive is correct or, if no SSLServerCert directive was coded, that a default certificate exists in the key database.
    • Message:SSL0207E: Handshake Failed, Certificate is not available.
      • Reason: The client did not send a certificate.
      • Solution: Set Client Authentication to optional if a client certificate is not required. Contact the client to determine why it is not sending an acceptable certificate.
    • Message:SSL0208E: Handshake Failed, Certificate validation error.
      • Reason: The received certificate failed one of the validation checks.
      • Solution: Use another certificate. Contact Service to determine why the certificate failed validation.
    • Message:SSL0209E: Handshake Failed, ERROR processing cryptography.
      • Reason: A cryptography error occurred.
      • Solution: None. If the problem continues, report it to Service.
    • Message:SSL0210E: Handshake Failed, ERROR validating ASN fields in certificate.
      • Reason: The server was not able to validate one of the ASN fields in the certificate.
      • Solution: Try another certificate.
    • Message:SSL0211E: Handshake Failed, ERROR connecting to LDAP server.
      • Reason: The Web server failed to connect to the CRL LDAP server.
      • Solution: Verify that the values entered for the SSLCRLHostname and SSLCRLPort directives are correct. If access to the CRL LDAP server requires authentication, is the SSLCRLUserID directive coded and was the password added to the stash file pointed to by the SSLStashfile directive.
    • Message:SSL0212E: Handshake Failed, Internal unknown error. Report problem to Service.
      • Reason: An unknown error has occurred in the SSL library.
      • Solution: Report the problem to Service.
    • Message:SSL0213E: Handshake Failed, Open failed due to cipher error.
      • Reason: An unknown error has occurred in the SSL library.
      • Solution: Report the problem to Service.
    • Message:SSL0214E: Handshake Failed, I/O error reading key file.
      • Reason: The server could not read the key database file.
      • Solution: Check file access permissions and verify the Web server user ID is allowed access.
    • Message:SSL0215E: Handshake Failed, Key file has an invalid internal format. Recreate key file.
      • Reason: Key file has an invalid format.
      • Solution: Recreate key file.
    • Message:SSL0216E: Handshake Failed, Key file has two entries with the same key. Use IKEYMAN to remove the duplicate key.
      • Reason: Two identical keys exist in key file.
      • Solution: Use IKEYMAN to remove duplicate key.
    • Message:SSL0217E: Handshake Failed, Key file has two entries with the same label. Use IKEYMAN to remove the duplicate label.
      • Reason: A second certificate with the same label was placed in the key database file.
      • Solution: Use IKEYMAN to remove duplicate label.
    • Message:SSL0218E: Handshake failed, Either the key file has become corrupted or the password is incorrect.
      • Reason: The key file password is used as an integrity check and the test failed. Either the key database file is corrupted, or the password is incorrect.
      • Solution: Use IKEYMAN to stash the key database file password again. If that fails, recreate the key database.
    • Message:SSL0219E: Handshake Failed, The default key in the key file has an expired certificate. Use IKEYMAN to remove certificates that are expired
      • Reason: An expired certificate exists in the key file and is the default.
      • Solution: Use IKEYMAN to select another certificate as the default.
    • Message:SSL0220E: Handshake Failed, There was an error loading one of the GSKdynamic link libraries. Be sure GSK was installed correctly
      • Reason: Opening the SSL environment resulted in an error because one of the GSKdynamic link libraries could not load.
      • Solution: Contact Support to make sure the GSKit is installed correctly.
    • Message:SSL0221E: Handshake Failed, Invalid date.
      • Reason: The system date was set to an invalid date.
      • Solution: Change the system date to a valid date.
    • Message:SSL0222W: Handshake failed, no ciphers specified.
      • Reason: SSLV2 and SSLV3 are disabled.
      • Solution: None. Report this problem to Service.
    • Message:SSL0223E: Handshake Failed, No certificate.
      • Reason: The client did not send a certificate.
      • Solution: Set Client Authentication to optional if a client certificate is not required. Contact the client to determine why it is not sending a certificate.
    • Message:SSL0224E: Handshake failed, Invalid or improperly formatted certificate.
      • Reason: The client did not specify a valid certificate.
      • Solution: Client problem.
    • Message:SSL0225E: Handshake Failed, Unsupported certificate type.
      • Reason: The certificate type received from the client is not supported by this version of IBM HTTP Server SSL.
      • Solution: The client must use a different certificate type.
    • Message:SSL0226I: Handshake Failed, I/O error during handshake.
      • Reason: The communication between the client and the server failed. This is a common error when the client closes the connection before the handshake has completed.
      • Solution: Retry the connection from the client.
    • Message:SSL0227E: Handshake Failed, Specified label could not be found in the key file.
      • Reason: Specified key label is not present in key file.
      • Solution: Check that the SSLServerCert directive is correct, if coded, and that the label is valid for one of the keys in the key database.
    • Message:SSL0228E: Handshake Failed, Invalid password for key file.
      • Reason: The password retrieved from the stash file could not open the key database file.
      • Solution: Use IKEYMAN to open the key database file and recreate the password stash file. This problem can also result from a corrupted key database file. Creating a new key database file may resolve the problem.
    • Message:SSL0229E: Handshake Failed, Invalid key length for export.
      • Reason: In a restricted cryptography environment, the key size is too long to be supported.
      • Solution: Select a certificate with a shorter key.
    • Message:SSL0230I: Handshake Failed, An incorrectly formatted SSL message was received.
    • Message:SSL0231W: Handshake Failed, Could not verify MAC.
      • Reason: The communication between the client and the server failed.
      • Solution: Retry the connection from the client.
    • Message:SSL0232W: Handshake Failed, Unsupported SSL protocol or unsupported certificate type.
      • Reason: The communication between the client and the server failed because the client is trying to use a protocol or certificate which the IBM HTTP Server does not support.
      • Solution: Retry the connection from the client using an SSL Version 2 or 3, or TLS 1 protocol. Try another certificate.
    • Message:SSL0233W: Handshake Failed, Invalid certificate signature.
    • Message:SSL0234W: Handshake Failed, Invalid certificate sent by client.
      • Reason: The client did not specify a valid certificate.
      • Solution: Client problem.
    • Message:SSL0235W: Handshake Failed, Invalid peer.
    • Message:SSL0236W: Handshake Failed, Permission denied.
    • Message:SSL0237W: Handshake Failed, The self-signed certificate is not valid.
    • Message:SSL0238E: Handshake Failed, Internal error - read failed.
      • Reason: The read failed.
      • Solution: None. Report this error to Service.
    • Message:SSL0239E: Handshake Failed, Internal error - write failed.
      • Reason: The write failed.
      • Solution: None. Report this error to Service.
    • Message:SSL0240I: Handshake Failed, Socket has been closed.
      • Reason: The client closed the socket before the protocol completed.
      • Solution: Retry connection between client and server.
    • Message:SSL0241E: Handshake Failed, Invalid SSLV2 Cipher Spec.
      • Reason: The SSL Version 2 cipher specifications passed into the handshake were invalid.
      • Solution: Change the specified Version 2 cipher specs.
    • Message:SSL0242E: Handshake Failed, Invalid SSLV3 Cipher Spec.
      • Reason: The SSL Version 3 cipher specifications passed into the handshake were invalid.
      • Solution: Change the specified Version 3 cipher specs.
    • Message:SSL0243E: Handshake Failed, Invalid security type.
      • Reason: There was an internal error in the SSL library.
      • Solution: Retry the connection from the client. If the error continues, report the problem to Service.
    • Message:SSL0244E: Handshake Failed, Invalid security type combination.
      • Reason: There was an internal error in the SSL library.
      • Solution: Retry the connection from the client. If the error continues, report the problem to Service.
    • Message:SSL0245E: Handshake Failed, Internal error - SSL Handle creation failure.
      • Reason: There was an internal error in the security libraries.
      • Solution: None. Report this problem to Service.
    • Message:SSL0246E: Handshake Failed, Internal error - GSK initialization has failed.
      • Reason: An error in the security library has caused SSL initialization to fail.
      • Solution: None. Report this problem to Service.
    • Message:SSL0247E: Handshake Failed, LDAP server not available.
      • Reason: Unable to access the specified LDAP directory when validating a certificate.
      • Solution: Check that the SSLCRLHostname and SSLCRLPort directives are correct. Make sure the LDAP server is available.
    • Message:SSL0248E: Handshake Failed, The specified key did not contain a private key.
      • Reason: The key does not contain a private key.
      • Solution: Create a new key. If this was an imported key, include the private key when doing the export.
    • Message:SSL0249E: Handshake Failed, A failed attempt was made to load the specified PKCS#11 shared library.
      • Reason: An error occurred while loading the PKCS#11 shared library.
      • Solution: Verify that the PKCS#11 shared library specified in the SSLPKCSDriver directive is valid.
    • Message:SSL0250E: Handshake Failed, The PKCS#11 driver failed to find the token label specified by the caller.
      • Reason: The specified token was not found on the PKCS#11 device.
      • Solution: Check that the token label specified on the SSLServerCert directive is valid for your device.
    • Message:SSL0251E: Handshake Failed, A PKCS#11 token is not present for the slot.
      • Reason: The PKCS#11 device has not been initialized correctly.
      • Solution: Specify a valid slot for the PKCS#11 token or initialize the device.
    • Message:SSL0252E: Handshake Failed, The password/pin to access the PKCS#11 token is either not present, or invalid.
      • Reason: Specified user password and pin for PKCS#11 token is not present or invalid.
      • Solution: Check that the correct password was stashed using the SSLStash utility and that the SSLStashfile directive is correct.
    • Message:SSL0253E: Handshake Failed, The SSL header received was not a properly SSLV2 formatted header.
      • Reason: The data received during the handshake does not conform to the SSLV2 protocol.
      • Solution: Retry connection between client and server. Verify that the client is using HTTPS.
    • Message:SSL0254E: Internal error - I/O failed, buffer size invalid.
      • Reason: The buffer size in the call to the I/O function is zero or negative.
      • Solution: None. Report this problem to Service.
    • Message:SSL0255E: Handshake Failed, Operation would block.
      • Reason: The I/O failed because the socket is in non-blocking mode.
      • Solution: None. Report this problem to Service.
    • Message:SSL0256E: Internal error - SSLV3 is required for reset_cipher, and the connection uses SSLV2.
      • Reason: A reset_cipher function was attempted on an SSLV2 connection.
      • Solution: None. Report this problem to Service.
    • Message:SSL0257E: Internal error - An invalid ID was specified for the gsk_secure_soc_misc function call.
      • Reason: An invalid value was passed to the gsk_secure_soc_misc function.
      • Solution: None. Report this problem to Service.
    • Message:SSL0258E: Handshake Failed, The function call, <function>, has an invalid ID.
      • Reason: An invalid function ID was passed to the specified function.
      • Solution: None. Report this problem to Service.
    • Message:SSL0259E: Handshake Failed, Internal error - The attribute has a negative length in: <function>.
      • Reason: The length value passed to the function is negative, which is invalid.
      • Solution: None. Report this problem to Service.
    • Message:SSL0260E: Handshake Failed, The enumeration value is invalid for the specified enumeration type in: <function>
      • Reason: The function call contains an invalid function ID.
      • Solution: None. Report this problem to Service.
    • Message:SSL0261E: Handshake Failed, The SID cache is invalid: <function>.
      • Reason: The function call contains an invalid parameter list for replacing the SID cache routines.
      • Solution: None. Report this problem to Service.
    • Message:SSL0262E: Handshake Failed, The attribute has an invalid numeric value: <function>.
      • Reason: The function call contains an invalid value for the attribute being set.
      • Solution: None. Report this problem to Service.
    • Message:SSL0263W: SSL Connection attempted when SSL did not initialize.
      • Reason: A connection was received on an SSL-enabled virtual host but it could not be completed because there was an error during SSL initialization.
      • Solution: Check for an error message during startup and correct that problem.
    • Message:SSL0264E: Failure obtaining Cert data for label <certificate>
      • Reason: A GSKit error prevented the server certificate information from being retrieved.
      • Solution: Check for a previous error message with additional information.
    • Message:SSL0265W: Client did not supply a certificate.
      • Reason: A client who connected failed to send a client certificate and the server is configured to require a certificate.
      • Solution: Nothing on the server side.

    Configuration messages

    The following messages appear due to configuration problems:

    • Message:SSL0300E: Unable to allocate terminal node
    • Message:SSL0301E: Unable to allocate string value in node
    • Message:SSL0302E: Unable to allocate non terminal node
    • Message:SSL0303E: Syntax Error in SSLClientAuthGroup directive
    • Message:SSL0304E: Syntax Error in SSLClientAuthRequire directive
    • Message:SSL0307E: Invalid token preceding NOT or !
    • Message:SSL0308E: A group is specified in SSLClientAuthRequire but no groups are specified
    • Message:SSL0309E: The group <group> is specified in SSLClientAuthRequire is not defined
    • Message:SSL0310I: Access denied to object due to invalid SSL version <version>, expected <version>
    • Message:SSL0311E: Unable to get cipher in checkBanCipher
    • Message:SSL0312I: Cipher <cipher> is in ban list and client is forbidden to access object
    • Message:SSL0313E: Fell through to default return in checkCipherBan
    • Message:SSL0314E: Cipher is NULL in checkRequireCipher
    • Message:SSL0315E: Cipher <cipher> used is not in the list of required ciphers to access this object
    • Message:SSL0316E: Fell through to default return in checkCipherRequire
    • Message:SSL0317E: Unable to allocate memory for fake basic authentication username
    • Message:SSL0318E: Limit exceeded for specified cipher specs, only 64 total allowed
      • Reason: The number of ciphers configured using the SSLCipherSpec directive exceeds the maximum allowed of 64.
      • Solution: Check for duplicate SSLCipherSpec directives.
    • Message:SSL0319E: Cipher Spec <cipher> is not supported by this GSK library
      • Reason: The cipher is not a valid cipher for use with the installed SSL libraries.
      • Solution: Check that a valid cipher value was entered with the SSLCipherSpec directive.
    • Message:SSL0320I: Using Version 2|3 Cipher: <cipher>
      • Reason: This is an informational message listing the ciphers used for connections to this virtual host.
      • Solution: None.
    • Message:SSL0321E: Invalid cipher spec <cipher>
      • Reason: The cipher is not a valid cipher.
      • Solution: Check the documentation for a list of valid cipher specs.
    • Message:SSL0322E: Cipher Spec <cipher> is not valid.
      • Reason: The cipher is not a valid cipher.
      • Solution: Check the documentation for a list of valid cipher specs.
    • Message:SSL0323E: Cipher Spec <cipher> has already been added.
      • Reason: A duplicate SSLCipherSpec directive has been encountered.
      • Solution: This instance of the directive is ignored and should be removed from the configuration file.
    • Message:SSL0324E: Unable to allocate storage for cipher specs.
      • Reason: The server could not allocate memory needed to complete the operation.
      • Solution: Take action to free up some additional memory. Try reducing the number of threads or processes running, or increasing virtual memory.
    • Message:SSL0325E: Cipher Spec <cipher> has already been added to the v2|v3 ban|require list.
      • Reason: A duplicate cipher was specified on the SSLCipherBan directive.
      • Solution: This instance of the directive is ignored and should be removed from the configuration file.
    • Message:SSL0326E: Invalid cipher spec <cipher> set for SSLCipherBan|SSLCipherRequire
      • Reason: The cipher is not a valid cipher.
      • Solution: Check the documentation for a list of valid cipher specs.
    • Message:SSL0327E: Invalid value for sslv2timeout|sslv3timeout, using default value of nn seconds.
      • Reason: The timeout value specified is not in the valid range.
      • Solution: Check the documentation for the proper range of values.
    • Message:SSL0328W: Invalid argument for SSLClientAuth: <args>. CRL can not be turned on unless Client Authentication is on.
    • Message:SSL0329W: Invalid argument for SSLClientAuth: <args>. If a second argument is entered it must be: CRL. CRL cannot be turned on unless Client Authentication is on.
    • Message:SSL0330W: Invalid argument for SSLClientAuth: <args>. If a second value is entered it must be: crl.
    • Message:SSL0331W: Invalid argument for SSLClientAuth: <args>. The first value must be 0, 1, 2 none, optional, or required.
    • Message:SSL0332E: Not enough arguments specified for SSLClientAuthGroup
    • Message:SSL0333E: No parse tree created for <parm>
      • Reason: An error occurred processing the SSLClientAuthRequire directive.
      • Solution: Check for other error messages. Enable tracing of Client Authentication by adding the directive SSLClientAuthRequireTraceOn to the configuration file.
    • Message:SSL0334E: Function ap_make_table failed processing label <certificate>

    I/O messages

    The following messages appear due to read failures:

    • Message:SSL0400I: I/O failed, RC <code>.
      • Reason: The server received an error trying to read on the socket.
      • Solution: Some errors are expected during normal processing, especially a '406' error, which you can ignore. If you are unable to access the server and receive these errors, report this problem to Service.
    • Message:SSL0401E: I/O failed with invalid handle <handle>.
      • Reason: An internal error has occurred.
      • Solution: Report this problem to Service.
    • Message:SSL0402E: I/O failed, the GSKit library is not available.
      • Reason: A call to the GSKit function failed because the dynamic link library unloaded (Windows operating systems only).
      • Solution: Shut down the server and restart.
    • Message:SSL0403E: I/O failed, internal error.
      • Reason: The communication between client and the server failed due to an error in the GSKit library.
      • Solution: Retry connection from the client. If the error continues, report the problem to Service.
    • Message:SSL0404E: I/O failed, insufficient storage.
      • Reason: The server could not allocate memory needed to complete the operation.
      • Solution: Take action to free up some additional memory. Try reducing the number of threads or processes running, or increasing virtual memory.
    • Message:SSL0405E: I/O failed, SSL handle <handle> is in an invalid state.
      • Reason: The SSL state for the connection is invalid.
      • Solution: Retry connection from the client. If the error continues, report the problem to Service.
    • Message:SSL0406E: I/O failed, cryptography error.
      • Reason: A cryptography error occurred.
      • Solution: None. If the problem continues, report it to Service.
    • Message:SSL0407I: I/O failed, Error validating ASN fields in certificate.
      • Reason: The server was not able to validate one of the ASN fields in the certificate.
      • Solution: Try another certificate.
    • Message:SSL0408E: I/O failed with invalid buffer size. Buffer <address>, size <length>.
      • Reason: The buffer size in the call to the read function is zero or negative.
      • Solution: None. Report this problem to Service.

    Cache messages

    The following message appears due to caching problems:

    • Message:SSL0600S: Unable to connect to session ID cache
      • Reason: The server was not able to connect to the Session ID caching daemon.
      • Solution: Verify that the daemon was successfully started.

    Secure Sockets Layer Stash utility errors

    The following messages appear due to SSL Stash utility errors:

    • Message:SSL0700S: Invalid function <function>
      • Reason: An invalid parameter was entered. The valid values are crl or crypto.
      • Solution: Rerun the command with the proper function.
    • Message:SSL0701S: The password was not entered.
      • Reason: The password was not entered on the command line.
      • Solution: Rerun the command with the password added.
    • Message:SSL0702S: Password exceeds the allowed length of 512.
      • Reason: The password that was entered is longer than the allowed maximum of 512 characters.
      • Solution: Use a shorter password.

    Viewing error messages from a target server start

    If you encounter an error starting a target server, the error message, line number in the configuration file and the actual line text that caused the error display. To view the line text error in context:

    1. Click View Configuration > Edit Configuration.
    2. Select the text.
    3. Copy the text.
    4. Go to View Configuration > Edit Configuration and press Ctrl + F for Find.
    5. Paste the text.
    6. Click OK.

    Identifying GSKit certificate support limitations

    Ikeyman cannot be used to create certificates with key sizes larger than 1024 bits. However, certificates with key sizes up to 4096 can be imported into the key database.

    Looking at known problems with hardware cryptographic support

Pertains to AIX users
Pertains to HP-UX users
Pertains to Linux users
Pertains to Solaris users
Pertains to Windows users
You must have the bos.pkcs11 package installed on the AIX platform, to get the PKCS11 module and to intialize the device on AIX.

 

An added update to the bos.pkcs11 package fixed a forking problem. Obtain the most recent copy of the bos.pkcs11 package from the IBM PSeries Support Site, to ensure you have this fix.

 

The ikmuser.sample file shipped with the GSKit Toolkit, typically installs in the following directories, depending on the platform:

  • AIX: /usr/opt/ibm/gskta/classes
  • HP: /opt/ibm/gsk7/classes
  • Linux: /usr/local/ibm/gsk7/classes
  • Solaris: /opt/ibm/gsk7/classes
  • Windows: C:\Program Files\ibm\gsk7\classes

Renaming this file to ikmuser.properties in the classes directory, enables IKEYMAN to use it for a cryptographic token.

If you are having problems using the IBM eBusiness Cryptographic Accelerator Device with IBM HTTP Server 2.0, do the following:
  1. Reboot the machine.
  2. Kill pkcsslotd and the shared memory it created. To determine what shared memory was created, type ipcs -a and for a size of 270760. This was the memory created by pkcsslotd.
  3. Do an export EXPSHM=ON.
  4. Sart the pkcs11 process: /etc/rc.pkcsw11
  5. Restart the IBM HTTP Server: ./apachectl start
Applies to HP-UX

Looking at known problems on the HP platform

You cannot install one version of GSKit onto another. Delete the current GSKit files from your system before installing a new GSKit version.

Identifying LDAP Secure Sockets Layer limitation with Netscape LDAP server

The LDAP client has a limitation when using Secure Sockets Layer (SSL) to communicate to a Netscape directory server. If the Netscape directory server has client authentication enabled, the connection fails. If the IBM HTTP Server uses SSL with LDAP, to check authentication information on a Netscape Directory Server, ensure that client authentication is not enabled on the directory server.

Pertains to Solaris users

Looking at known problems on the Solaris platform

A known problem on the Solaris operating system includes specifying a valid ServerName directive.

On some Solaris machines (level unknown), an error is received at IBM HTTP Server startup (apachectl). The error indicates that the ServerName directive is not set in the IBM HTTP Server configuration file, httpd.conf. To resolve this problem, supply a valid ServerName directive.

Pertains to Linux PPC users

Looking at known problems on the Linux PowerPC platform

Pertains to UNIX users

Looking at known problems on the UNIX platform

Getting the suexec module to work

The suexec module does not work unless IBM HTTP Server V2.0 is installed to the default location.

Running the /<ihs install root>/bin/httpd command

Source the /<ihs install root>/bin/envvars file first to ensure you can run the /<ihs install root>/bin/httpd command to start the IBM HTTP Server. To source the envvars file, enter . /<ihs install root>/bin/envvars at the command line. The envvars file contains the path to the libraries needed to run the /<ihs install root>/bin/httpd command.

Pertains to Windows users

Looking at known problems on Windows operating systems

Problems when the IBM HTTP Server runs on the same system as a Virtual Private Networking Client

A problem occurs when the IBM HTTP Server runs on a system, along with a Virtual Private Networking client, for example, Aventail Connect. You can experience the following problem, or see the following error message:

  • The IBM HTTP Server does not start - Reference Apache FAQ.
  • The IBM HTTP Server does not start. The error log contains the following message:

    "[crit] (10045) The attempted operation is not supported for the type of object referenced: Parent: WSADuplicateSocket failed for socket ###">

Aventail Connect is a Layered Service Provider (LSP) that inserts itself, as a shim, between the Winsock 2 API and the Windows native Winsock 2 implementation. The Aventail Connect shim does not implement WASDuplicateSocket, the cause of the failure. The shim is not unloaded when Aventail Connect is shut down.

Fix the problem by doing one of the following:

  • Explicitly unloading the shim
  • Rebooting the machine
  • Temporarily removing the Aventail Connect V3.x shim

Configuring security on Internet Explorer V5.01x

If IBM HTTP Server uses a Verisign Global Server ID for SSL transactions, a 40-bit encryption browser can get a connection to a server at 128-bit encryption. This connection does not work for someone using Internet Explorer 5.01x. You can fix this situation, by adding the following directives to the IBM HTTP Server configuration file:

Note: Add the directives in the order shown:

 

SSLCipherSpec 34
SSLCipherSpec 35
SSLCipherSpec 3A
SSLCipherSpec 33
SSLCipherSpec 36
SSLCipherSpec 39
SSLCipherSpec 32
SSLCipherSpec 31
SSLCipherSpec 30

Contacting Customer Service and Support

For help, see the WebSphere Application Server support page.

You can also contact the IBM Software Support Center (1-800-IBM-SERV in the US and Canada). For more information on software support services and contact numbers in other countries, refer to the Software Support Handbook.

Finding related information


     (Back to the top)