Troubleshooting
Problem
Diagnosing The Problem
1. RACF output
2. Complete Job output for Control/Servant/Adjunct region
3. Collector jar for DeploymentManager and Application Server Nodes
In the sections below, "control/servant region" refers to the DeploymentManager, Node Agent, or Application Server address space in which the SSL error is occurring.
1. RACF output
a) Confirmation that the Control/Servant/Adjunct region userid or the WebSphere administrative group (i.e. WSCFG1) is permitted to the FACILITY class profiles IRR.DIGTCERT.LIST and IRR.DIGTCERT.LISTRING
RACF commands:
RLIST FACILITY IRR.DIGTCERT.LIST ALL
RLIST FACILITY IRR.DIGTCERT.LISTRING ALL
If the RDATALIB class is being used instead of the IRR.DIGTCERT.* FACILITY profiles:
RLIST RDATALIB CR_USERID.WASKeyring.LST ALL
RLIST RDATALIB SR_USERID.WASKeyring.LST ALL
RLIST RDATALIB ADJUNCT_USERID.WASKeyring.LST ALL
Replace CR_USERID with the Control region userid.
Replace SR_USERID with the Servant region userid.
Replace ADJUNCT_USERID with the Adjunct region userid if there is an Adjunct region running.
Replace WASKeyring with the name of the keyring used by the WebSphere Application Server.
b) A listing of all certificates on the Control region and Servant region userid keyring
RACF commands:
RACDCERT LISTRING(WASKeyring) ID(CR_USERID)
RACDCERT LISTRING(WASKeyring) ID(SR_USERID)
RACDCERT LISTRING(WASKeyring) ID(ADJUNCT_USERID)
Replace CR_USERID with the Control region userid.
Replace SR_USERID with the Servant region userid.
Replace ADJUNCT_USERID with the Adjunct region userid if there is an Adjunct region running.
Replace WASKeyring with the name of the keyring used by the WebSphere Application Server.
If the keyring name is not known when the problem occurs, WASKeyring in the SAF command can be replaced with an asterisk (*) to list all keyrings owned by that address space userid.
For example:
RACDCERT LISTRING(*) ID(USERID)
c) Details of the signer certificates (certificates with USAGE CERTAUTH) on the keyring
RACF command:
RACDCERT CERTAUTH LIST(LABEL('CERTAUTH_LABEL'))
The CERTAUTH_LABEL is obtained from the RACDCERT LISTRING output in section 1b.
This information is needed to confirm
- the certificate has a status of TRUST
- the certificates are not expired
- the private key type (NONE, NON-ICSF or ICSF)
- the certificate chain for all root signer and intermediate signing certificates, using the issuer/subject DN information.
d) Details of Personal certificates (certificates with USAGE PERSONAL) on the keyring
RACF commands:
RACDCERT LIST ID(CR_USERID)
RACDCERT LIST ID(SR_USERID)
RACDCERT LIST ID(ADJUNCT_USERID)
This information is needed to confirm
- the certificate has a status of TRUST
- certificates are not expired
- the private key type (NONE, NON-ICSF or ICSF)
- the certificate chain for all root signer and intermediate signing certificates, using the issuer/subject DN information.
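As an added example (not part of the IBM technote), a small Python script that applies the checks from sections 1c and 1d to RACDCERT LIST output: status TRUST, expiry, and an issuer/subject chain that ends in a root CA present on the keyring. The sample output is constructed in the style of RACDCERT LIST (the field names and the > < layout of the DN lines are assumptions about that format); point parse_racdcert at the output you actually captured.

```python
import re
from datetime import datetime
# CONSTRUCTED sample in RACDCERT LIST style (not a real capture); its root CA is absent.
SAMPLE = """Digital certificate information for user WSSRU1:
  Label: WASServerCert
  Status: TRUST
  End Date:   2035/12/31 23:59:59
  Issuer's Name:
       >CN=WAS Intermediate CA.O=EXAMPLE.C=US<
  Subject's Name:
       >CN=wasserver.example.com.O=EXAMPLE.C=US<
Digital certificate information for CERTAUTH:
  Label: WAS Intermediate CA
  Status: TRUST
  End Date:   2023/01/01 23:59:59
  Issuer's Name:
       >CN=WAS Root CA.O=EXAMPLE.C=US<
  Subject's Name:
       >CN=WAS Intermediate CA.O=EXAMPLE.C=US<
"""

def _field(block, name):
    """Value after 'name:'; RACDCERT prints DNs on the next line between > and <."""
    m = re.search(rf"{name}:\s*>?([^<\n]+)", block)
    return m.group(1).strip() if m else None

def parse_racdcert(text):
    """One dict per 'Label:' block of RACDCERT LIST output."""
    return [{"label": _field(b, "Label"), "status": _field(b, "Status"),
             "end": datetime.strptime(_field(b, "End Date"), "%Y/%m/%d %H:%M:%S"),
             "issuer": _field(b, "Issuer's Name"), "subject": _field(b, "Subject's Name")}
            for b in re.split(r"\n(?=\s*Label:)", text)[1:]]

def check_keyring(certs, now=None):
    """Checks from 1c/1d: status TRUST, not expired, issuer/subject chain reaching a root."""
    now, by_subject, findings = now or datetime.now(), {c["subject"]: c for c in certs}, []
    for c in certs:
        if c["status"] != "TRUST":
            findings.append(f'{c["label"]}: status {c["status"]} is not TRUST')
        if c["end"] < now:
            findings.append(f'{c["label"]}: expired {c["end"]:%Y/%m/%d}')
        link, seen = c, set()  # walk issuer -> subject until a self-signed root
        while link["issuer"] != link["subject"] and link["label"] not in seen:
            seen.add(link["label"])
            parent = by_subject.get(link["issuer"])
            if parent is None:
                findings.append(f'{c["label"]}: issuer "{link["issuer"]}" not on keyring')
                break
            link = parent
    return findings
```

Run against the constructed sample, the server certificate itself is valid, but the intermediate CA has expired and the chain cannot be completed because the root CA is missing from the keyring.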
2. Complete Job output for the Control/Servant/Adjunct region
Job output should include JESMSGLG, JESJCL, JESYSMSG, SYSOUT and SYSPRINT for the control region, the servant region, and the adjunct region (if there is one).
The output can be saved to a data set by typing "XDC" next to the address space in SDSF.
JESMSGLG and JESYSMSG are important because they show the userid the address space is running under.
SYSPRINT is needed because it usually contains the error or exception related to the SSL failure.
Note: if the logs are large, please terse them before sending.
3. A collector jar containing the security.xml file and any FFDC logs
Issue these two USS commands from a directory outside your WebSphere config directory (i.e. /tmp):
export IBM_JAVA_OPTIONS=-Dfile.encoding=ISO8859-1
WAS_HOME/DeploymentManager/profiles/default/bin/collector.sh
and
WAS_HOME/AppServer/profiles/default/bin/collector.sh
This creates a jar named
hostname.cellname.nodename.default-WASenv.jar
in the directory where the command was issued.
Obtain the entire collector jar, as it may be necessary to look at other xml files (i.e. endpoints, ports, or application descriptor files).
Send the following items to support when opening the PMR:
- RACF output from section 1a-d
- Complete Job output for Control/Servant/Adjunct region (section 2)
- hostname.cellname.DMGRnodename.default-WASenv.jar, in binary, not tersed
- hostname.cellname.AppSrvnodename.default-WASenv.jar, in binary, not tersed
Resolving The Problem
In some cases additional documentation, such as a WebSphere SSL trace or a Java JSSE trace, may be needed to narrow down the problem further.
Items 4, 5, and 6 may also be requested by the support team.
4. WebSphere SSL trace
In the administrative console, go to the Troubleshooting -> Logs and Trace section of the respective server and set the trace string to
*=info:SSL=all
Alternatively, the WebSphere trace can be enabled dynamically, which limits the trace output, by issuing the MVS console command
F <CR>,tracejava='SSL=all'
where <CR> is the server's control region jobname.
Recreate the problem.
Then reset the trace back to what the server started with (i.e. *=info):
F <CR>,traceinit
5. Java JSSE trace set via the administrative console
Enabling the JSSE trace for the Application Server
Application servers > servername > Process definition > Control/Servant > Java Virtual Machine > Generic JVM arguments
-Djavax.net.debug=true
Enabling the JSSE trace for the Node Agent
Generic JVM arguments
-Djavax.net.debug=true
Enabling the JSSE trace for the DeploymentManager
Generic JVM arguments
-Djavax.net.debug=true
Note: the Java JSSE trace requires a restart of the server to enable the trace, and a restart of the server to disable the trace.
6. Java auth.debug trace
The following trace may be required to diagnose issues in which the server needs the unrestricted policy jars installed (i.e. local_policy.jar and US_export_policy.jar).
Enabling the Java auth.debug trace for the Application Server
Application servers > servername > Process definition > Control/Servant > Java Virtual Machine > Generic JVM arguments
-Djava.security.auth.debug=all
Enabling the Java auth debug trace for the Node Agent
Generic JVM arguments
-Djava.security.auth.debug=all
Enabling the Java auth.debug trace for the DeploymentManager
Generic JVM arguments
-Djava.security.auth.debug=all
Note: the Java auth.debug trace requires a restart of the server to enable the trace, and a restart of the server to disable the trace.
If the server is running Java 7 SR7 or higher, which introduced the Java custom property com.ibm.security.jurisdictionPolicyDir, it may be easier to set the following environment variable to enable the unrestricted policy jars instead of obtaining the trace.
IBM_JAVA_OPTIONS=-Dcom.ibm.security.jurisdictionPolicyDir=${JAVA_HOME}/demo/jce/policy-files/unrestricted
Document Information
Modified date: 11 July 2023
UID: swg21996848