MustGather: Errors using iKeyman with IBM HTTP Server

Technote (troubleshooting)


Collecting data for problems with the IBM® HTTP Server iKeyman tool. Gathering this MustGather information before calling IBM support will help you understand the problem and save time analyzing the data.

Note: This only applies to the iKeyman tool that is local to each IBM HTTP Server install and does not apply to WebSphere® Application Server V6.1 Administrative Console key administration feature.

Resolving the problem

The iKeyman tool is used to implement certificates for servers using Secure Sockets Layer (SSL). When iKeyman error messages do not isolate the problem, it might be necessary to enable the iKeyman trace log.

If you have already contacted support, continue on to the component-specific MustGather information. Otherwise, click: MustGather: Read first for IBM HTTP Server.

Collecting iKeyman specific MustGather information

  1. Open a command window or a terminal session (UNIX).
    • If you are using IBM HTTP Server version 6.0, set JAVA_HOME to <ihsinst>/_jvm

    • If you are using IBM HTTP Server version 6.1, set JAVA_HOME to <ihsinst>/java/jre

    • If you are using IBM HTTP Server version 7.0 set JAVA_HOME to <ihsinst>/java/jre

    Note: If you are using an IBM HTTP Server release version earlier than 6.0, set JAVA_HOME to any 32-bit IBM JRE 1.4.2/1.5 at the latest service level.

  2. Use the following commands to enable the iKeyman debug logging:
    • Windows iKeyman debug instruction
      1. In the command window create a new, empty directory and CD into that directory.

      2. Enter the following command on 1 line from the empty directory:

        gsk7ikm -Dkeyman.debug=true -Dkeyman.jnitracing=ON  2>ikeyman.txt

        You can also use this script file that automatically starts iKeyman with the correct debug options.


        Note: You might need to edit this script to set the correct value for Java_home and gsk_home on your system.

    • UNIX iKeyman debug instructions
      Run the iKeyman script and add the option -x. For example: ikeyman -x

  3. Recreate the problem.

  4. Collect these files to send to IBM.
    • The .kdb, .crl, .sth, .rdb files you are using. The files will all have the same file name and filetypes of: kdb, sth, rdb and crl

    • Any certificate or signer certs required to reproduce the failure.

    • The 3 files created by running iKeyman with debug options. These 3 files are created in the folder where iKeyman is run. The filenames are ikmcdgb.log, ikmgdbg.log, and ikmjdbg.log.

  5. Follow instructions to send diagnostic information to IBM support.

For a listing of all technotes, downloads, and educational materials specific to iKeyman, search the IBM HTTP Server support site or the WebSphere Application Server support site .

Related information

MustGather: CMS key DB and certificate problems
Submitting information to IBM Support
MustGather: Read first for IBM HTTP Server
Troubleshooting Guide
Steps to get support

Document information

More support for:


Software version:, 6.0, 6.1, 7.0

Operating system(s):

AIX, HP-UX, Linux, Solaris, Windows

Reference #:


Modified date:


Translate my page

Content navigation