IBM Support

MustGather: IBM HTTP Server SSL handshake and configuration problems

Troubleshooting


Problem

Collect troubleshooting data for SSL handshake and configuration problems with IBM® HTTP Server. 

Resolving The Problem

SSL handshake and configuration specific MustGather information
The following contains a list of files that are needed for debugging SSL handshake and configuration issues.

Enabling traces for GSKit and SSL:
  1. Stop IBM HTTP Server.
  2. Clear all logs in the <IHS_INSTALL_ROOT>/logs directory.
    • If you elect to not clear all of the logs, be sure to remove gsktrace*
  3. Turn on IBM HTTP Server verbose logging for SSL
    • Append the LogLevel directive to httpd.conf:
      • IBM HTTP Server 9.0 and later:
        • LogLevel debug ibm_ssl:trace8
      • IBM HTTP Server 8.5.5 and earlier:
        • LogLevel debug
    • Append SSLTrace directive to the very bottom of httpd.conf (this directive requires no context nor parameters)
      • SSLTrace
    • If the issue relates to interaction with the application server, edit the plugin-cfg.xml file and change Loglevel to Trace:
      • <Log LogLevel="Trace" Name="/pathto/logs/http_plugin.log"/>
  4. Enable GSKit trace:
    • For Windows:
      • create a system environment variable named GSK_TRACE_FILE with a value of c:\IHS_INSTALL_ROOT\logs\gsktrace.log.
        • Substitute your installation path in the value
      • Create these system environment variables:
        • GSK_TRACE_FILE_SIZE=104857600
        • GSK_TRACE_FILE_NUMBER=5
    • For UNIX, append the following environment variables in the <IHS_INSTALL_ROOT>/bin/envvars file 
      Note: If gathering data for the WebSphere webserver plug-in on non-IHS Apache HTTP refer to this technote.

      Substitute the full path to your IHS installation root, or uncomment any example you find in the file:

      GSK_TRACE_FILE= <IHS_INSTALL_ROOT>/logs/gsktrace_log
      GSK_TRACE_FILE_SIZE=104857600
      GSK_TRACE_FILE_NUMBER=5
      export GSK_TRACE_FILE
      export GSK_TRACE_FILE_SIZE
      export GSK_TRACE_FILE_NUMBER
  5. Enable a packet trace on the IBM HTTP Server machine to capture IP traffic between the web server and the client browser.
  6. Start IBM HTTP Server and recreate the problem.
  7. Capture a netstat -na > netstat.out.
  8. Collect the following information and data files:
    • httpd.conf, error_log, access_log (or your customized equivalents)
    • netstat.out
    • gsktrace_log* (gsktrace_log, gsktrace_log.1, ...)
    • Binary output of packet capture (*.pcap)
    • key.kdb, key.crl, key.rdb, key.sth (include password)
    • http_plugin.log, plugin-cfg.xml
    • plugin-key.kdb, plugin-key.sth (include password)
    • Include the date and time of failure along with the browser version, IP address, and the full URL that resulted in the SSL failure.
    • WebSphere Application Server logs and trace where applicable
    • IBM HTTP Server version details:
      • For Windows: <IHS_INSTALL_ROOT>/apache -v
      • For UNIX: <IHS_INSTALL_ROOT>/bin/apachectl -V
    • Global Security Kit (GSKit) version. Execute the following command and capture the output:
      • <IHS_INSTALL_ROOT>/bin/gsk*ver
  9. Follow instructions to send diagnostic information to IBM support.

Exchanging data with IBM Support

To diagnose or identify a problem, it is sometimes necessary to provide Technical Support with data and information from your system. In addition, Technical Support might also need to provide you with tools or utilities to be used in problem determination. You can submit files several ways:


Read first and related MustGathers

[{"Product":{"code":"SSEQTJ","label":"IBM HTTP Server"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"SSL","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"}],"Version":"9.0;8.5.5;8.5;8.0;7.0","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}},{"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"IBM HTTP Server","Platform":[{"code":"","label":""}],"Version":"","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
07 September 2022

UID

swg21141302