IBM Support

How to capture and format SSL component trace on z/OS

Question & Answer


Question

You are having trouble configuring or using secure sockets layer (SSL) in a CICS Transaction Server for z/OS (CICS TS) region. You have captured CICS tracing as directed by IBM Level2 Support, but now you need to know how to capture and format SSL CTRACE (Component Tracing).

Answer

In order to capture SSL CTRACE, you must have an SSL Server and a CTRACE writer running. The following JCL samples can be used.
Sample JCL for SSL Server task (GSKSRVR):
 
//GSKSRVR  PROC  REGSIZE=256M,OUTCLASS='H'                               
//*********************************************************************
//* Procedure for starting the System SSL Server                      *
//*********************************************************************
//GO       EXEC  PGM=GSKSRVR,REGION=&REGSIZE,TIME=1440,
//  PARM=('ENVAR("HOME=/etc/gskssl/server"),TERM(DUMP)                 X
//             / 1>DD:STDOUT 2>DD:STDERR')
//STDOUT   DD SYSOUT=&OUTCLASS,DCB=LRECL=250,
//            FREE=END,SPIN=UNALLOC
//STDERR   DD SYSOUT=&OUTCLASS,DCB=LRECL=250,
//            FREE=END,SPIN=UNALLOC
//SYSOUT   DD SYSOUT=&OUTCLASS,
//            FREE=END,SPIN=UNALLOC
//*CEEDUMP  DD SYSOUT=&OUTCLASS,
//*            FREE=END,SPIN=UNALLOC

Note:
  • IBM provides an SSL sample started procedure in GSK.SGSKSAMP(GSKSRVR), but your MVS Systems programmer might have changed the defaults when copying it to SYS1.PROCLIB(GSKSRVR).
  • The SSL Server task (GSKSRVR) can be started at IPL time and left running. It provides valuable services to users of SSL on the LPAR. If GSKSRVR is not already running, you can start it with the console command:
    S GSKSRVR


Sample JCL for CTRACE writer (GSKWTR):
 
//GSKWTR    PROC                                                      
//*-----------------------------------------------------------------*//
//*  MODELED AFTER hlq.SGSKSAMP(GSKWTR) AND CUSTOMIZED.             *//
//*-----------------------------------------------------------------*//
//IEFPROC EXEC PGM=ITTTRCWR,REGION=32M
//TRCOUT01  DD DSN=<your.dataset.name.here>,DISP=(NEW,CATLG),
//             SPACE=(CYL,(100)),UNIT=SYSDA

Note: The trace writer proc (GSKWTR) must be stored in a system PROCLIB. This is not the same as a JES2 or JES3 PROCLIB.  Trace writers must be in a data set that is part of the IEFPDSI PROCLIBs in MSTJCL00.
Once GSKSRVR running, you can capture and format SSL CTRACE:
  1. Start the trace writer proc with the console command:
    TRACE CT,WTRSTART=GSKWTR
     
  2. Start SSL CTRACE with the console command:
    TRACE CT,ON,COMP=GSKSRVR
     
  3. Reply to the outstanding reply (If you are using AT-TLS to secure the problem connection, then "your-job" is the name of the+ TCPIP started task):
    R xx,JOBNAME=(your-job),OPTIONS=(LEVEL=255),WTR=GSKWTR,END
     
  4. Re-create the error or event that you want to trace.
     
  5. Stop SSL CTRACE with the console command:
    TRACE CT,OFF,COMP=GSKSRVR
     
  6. Stop the trace writer proc with the console command:
    TRACE CT,WTRSTOP=GSKWTR
     
  7. Format the trace data set by using IPCS option 2.7.1 and the command:
    CTRACE COMP(GSKSRVR) FULL
     
For more information about SSL CTRACE, see topic Capturing Component Trace Data in the z/OS Documentation.

[{"Type":"MASTER","Line of Business":{"code":"LOB70","label":"Z TPS"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSGMGV","label":"CICS Transaction Server"},"ARM Category":[{"code":"a8m0z00000007YsAAI","label":"Security"}],"ARM Case Number":"","Platform":[{"code":"PF035","label":"z\/OS"}],"Version":"All Versions"}]

Product Synonym

CICS/TS CICS TS CICS Transaction Server

Document Information

Modified date:
17 April 2024

UID

swg21394697

Page Feedback