IBM Support

MustGather: IBM HTTP Server SSL handshake and configuration problems

Technote (troubleshooting)


Problem (Abstract)

Collect troubleshooting data for SSL handshake and configuration problems with IBM® HTTP Server. Gathering this information before calling IBM support will help familiarize you with the troubleshooting process and save you time.

Resolving the problem


Collecting data manually


If you have already contacted support, continue on to the component-specific MustGather information. Otherwise, click: MustGather: Read first for IBM HTTP Server.

SSL handshake and configuration specific MustGather information
The following files and information are needed for debugging SSL handshake and configuration issues:

  1. IBM HTTP Server version. Type one of the following commands to display the full IBM HTTP Server version:
    • For Windows: install_root/apache -v
    • For UNIX: install_root/bin/apachectl -V

  2. Configuration file: install_root/conf/httpd.conf

  3. Error log:
    • For Windows: install_root/logs/error.log
    • For UNIX: install_root/logs/error_log

  4. Access log:
    • For Windows: install_root/logs/access.log
    • For UNIX: install_root/logs/access_log

  5. Global Security Kit (GSKit) version. Type one of the following commands to display the full GSKit version:
    For IBM HTTP Server 6.1 and earlier versions on distributed platforms:
    • For Windows: /program files/ibm/gsk7/bin/gsk7ver.exe
    • For AIX: /usr/opt/ibm/gskkm/bin/gsk7ver
    • For Solaris: /opt/ibm/gsk7/bin/gsk7ver
    • For HP-UX: /opt/ibm/gsk7/bin/gsk7ver
    • For Linux: /usr/local/ibm/gsk7/bin/gsk7ver
    For IBM HTTP Server 7.0 on distributed platforms:
    • install_root/bin/gsk7ver

    For IBM HTTP Server 8.0, 8.5 and 9.0 on distributed platforms:
    • install_root/bin/gskver

  6. Traces for GSKit and SSL:

    For IBM HTTP Server standalone:
    1. Stop IBM HTTP Server.

    2. Clear all logs in the install_root/logs directory.

    3. For IBM HTTP Server 7.0, 8.0, and 8.5, edit the httpd.conf file:
      1. Change LogLevel to debug.

        For IBM HTTP Server 9.0, change LogLevel to: debug ibm_ssl:trace8
        After 9.0.0.3, each of the two settings enables the other automatically. If ibm_ssl:trace8 is set, SSLTrace is set. If SSLTrace is set but ibm_ssl:trace1 or higher is not, ibm_ssl:trace8 is set automatically.
      2. Add the SSLTrace directive to the bottom of the httpd.conf file.

    4. Enable GSKit trace:
      • For Windows, create the following system variable:

        GSK_TRACE_FILE

        Set the value with the name for the log file; for example: c:\gsktrace.log.

      • For UNIX, as the user ID that starts the IBM HTTP Server, create the following environment variable:

        GSK_TRACE_FILE

        You can create the environment variable in either of the two ways:
        • setenv GSK_TRACE_FILE value (full path and filename)

          csh example:

          setenv GSK_TRACE_FILE /usr/HTTPServer/logs/gsktrace_log

          OR
        • export GSK_TRACE_FILE=value (full path and filename)

          ksh example:

          export GSK_TRACE_FILE=/usr/HTTPServer/logs/gsktrace_log

    5. Enable a packet trace on the IBM HTTP Server machine to capture IP traffic between the web server and the client browser. For a description of available packet trace tools, see Using packet trace tools iptrace, snoop, tcpdump, wireshark, and nettl.

    6. Start IBM HTTP Server.

    7. Recreate the problem.

    8. Capture the netstat output: netstat -na > netstat.out

    9. Collect the following data files:
      • httpd.conf, error_log, access_log
      • netstat.out
      • gsktrace_log
      • packet trace
      • key.kdb, key.crl, key.rdb, key.sth (include password)
      • Include the date and time of failure along with the browser version and the full URL that resulted in the SSL failure. For example:

        https://www.mycompany.com/mystuff/goodies/index.html

    10. Follow instructions to send diagnostic information to IBM support.

    For IBM HTTP Server with WebSphere Application Server:
    1. Stop IBM HTTP Server and WebSphere Application Server.

    2. Clear all logs in the IBM HTTP Server directory:

      install_root/logs

    3. Clear all logs in the WebSphere Application Server directory:

      install_root/logs

    4. Edit the plugin-cfg.xml file and change Loglevel to Trace (Plug-in Trace); for example:

      <Log LogLevel="Trace" Name="/pathto/logs/http_plugin.log"/>

    5. For IBM HTTP Server 7.0, 8.0, and 8.5, edit the httpd.conf file:
      1. Change LogLevel to debug.

        For IBM HTTP Server 9.0, change LogLevel to: debug ibm_ssl:trace8
      2. Add the SSLTrace directive to the bottom of the httpd.conf file.

    6. Enable GSKit trace:
      • For Windows, create a system variable called:

        GSK_TRACE_FILE

        Set the value with the name for the log file; for example: c:\gsktrace.log

      • For UNIX:
        As the user ID that starts the IBM HTTP Server, create an environment variable called:

        GSK_TRACE_FILE

        You can create the environment variable in either of two ways:
        • setenv GSK_TRACE_FILE value (full path and filename)

          csh example:

          setenv GSK_TRACE_FILE /usr/HTTPServer/logs/gsktrace_log

          OR

        • export GSK_TRACE_FILE=value (full path and filename)

          ksh example:

          export GSK_TRACE_FILE=/usr/HTTPServer/logs/gsktrace_log

    7. Enable a packet trace on the IBM HTTP Server machine to capture IP traffic between the web server and the client browser. For a description of available packet trace tools, see Using packet trace tools iptrace, snoop, tcpdump, wireshark, and nettl.

    8. Restart IBM HTTP Server and WebSphere Application Server.

    9. Recreate the problem.

    10. Capture the netstat output: netstat -na > netstat.out

    11. Collect the following data files:
      • httpd.conf, error_log, access_log
      • plugin-cfg.xml
      • http_plugin.log
      • systemerr.log and systemout.log
      • netstat.out
      • gsktrace_log
      • packet trace
      • key.kdb, key.rdb, key.sth (include password)
      • plugin-key.kdb, plugin-key.sth (include password)
      • Include the date and time of failure along with the browser version and the full URL that resulted in the SSL failure. For example:

        https://www.mycompany.com/mystuff/goodies/index.jsp

    12. Follow instructions to send diagnostic information to IBM support.
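
The collection step for the UNIX standalone case (step 9 above) can be scripted. The following is an added example, not part of the IBM technote or an IBM tool: collect_mustgather is a hypothetical helper that assumes httpd.conf names the key database in a KeyFile directive, that paths contain no spaces, and that netstat.out was written to the current directory.

```sh
#!/bin/sh
# Added example: stage the UNIX standalone MustGather files (step 9) in one
# directory. collect_mustgather is a hypothetical helper, not an IBM tool.
# Assumptions: httpd.conf names one key database in a KeyFile directive,
# paths contain no spaces, and netstat.out is in the current directory.

collect_mustgather() (
    root=$1
    out=$2
    umask 077                       # a newly created staging dir is owner-only
    mkdir -p "$out" || exit 2
    : > "$out/MISSING.txt"

    # Key database path from the KeyFile directive (quotes stripped);
    # key.sth, key.rdb and key.crl share its base name.
    kdb=$(awk 'tolower($1) == "keyfile" { gsub(/"/, "", $2); print $2; exit }' \
        "$root/conf/httpd.conf" 2>/dev/null) || kdb=""
    base=${kdb%.kdb}

    set -- "$root/conf/httpd.conf" "$root/logs/error_log" \
        "$root/logs/access_log" \
        "${GSK_TRACE_FILE:-$root/logs/gsktrace_log}" "./netstat.out"
    if [ -n "$kdb" ]; then
        set -- "$@" "$kdb" "$base.sth" "$base.rdb" "$base.crl"
    fi

    missing=0
    for f in "$@"; do
        if [ -f "$f" ]; then
            cp -p "$f" "$out/"
        else
            echo "$f" >> "$out/MISSING.txt"
            missing=$((missing + 1))
        fi
    done
    echo "$missing"                 # number of expected files not found
)

# Usage: sh collect.sh install_root output_dir
if [ "$#" -ge 2 ]; then
    collect_mustgather "$1" "$2"
fi
```

MISSING.txt in the output directory lists every expected file that was not found. The packet trace and the failure details (date, time, browser version, URL) still have to be added by hand.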


For a listing of all technotes, downloads, and educational materials specific to IBM HTTP Server SSL handshake and configuration issues, search the IBM HTTP Server support site.

Related information
Submitting information to IBM support
Steps to getting support
MustGather: Read first for WebSphere Application Server
Troubleshooting guide for WebSphere Application Server

Exchanging data with IBM Support

To diagnose or identify a problem, it is sometimes necessary to provide Technical Support with data and information from your system. In addition, Technical Support might also need to provide you with tools or utilities to be used in problem determination. You can submit files using one of the following methods to help speed problem diagnosis:


Read first and related MustGathers

Cross reference information
Segment | Product | Component | Platform | Version | Edition
Application Servers | WebSphere Application Server | IBM HTTP Server | | |

Document information

More support for: IBM HTTP Server
SSL

Software version: 6.1, 7.0, 8.0, 8.5, 8.5.5, 9.0

Operating system(s): AIX, HP-UX, Linux, Solaris, Windows

Reference #: 1141302

Modified date: 16 April 2012

