If SSL does not start, or starts but SSL handshake does not occur,
turn on trace, and restart the web server. Calls to r_datalib occur
when the web server is being started. You should be able to tell
from this list what went wrong based on the trace you received. For
these trace examples, important trace information is followed by an
explanatory note.
- First DataGetFirst contains a return code of 8 with a reason
code of 54
All of the trace results offset 8 are not shown.
The sample trace follows:
Area value:
D6C6C6E2 C5E30010 | OFFSET.. |
Note: Offset
10 is the return code
Area length: 00000004
Area value:
00000008 | .... |
Note: Hex
8 in the return code value
Area length: 00000008
Area value:
D6C6C6E2 C5E30014 | OFFSET.. |
Area length: 00000004
Area value:
00000000 | .... |
Area length: 00000008
Area value:
D6C6C6E2 C5E30018 | OFFSET.. |
Note: Offset
18 is the reason code
D6C6C6E2 C5E30018 | OFFSET.. |
Area length: 00000004
Area value:
00000054 | .... |
Note: Hex
54 is the reason code value
54 in hex is equal to a
reason code of 80 which for this function is reason: Profile for ring_name
not found. The next step for fixing this problem would be to look
at the trace at offset 28 and compare the ring name found there with
the one in the keyfile area of the .conf file. An example of output
at offset 28 is the first DataGetFirst previous example. Check that
the ring name is correct. Note, ring names are case-sensitive and
must be owned by the web server daemon user ID (WEBSRV by default).
This can be checked using the RACDCERT LISTRING TSO command.
- SSL doesn't start on the server and there are no traces.
Check
the keyfile like in the http.main.conf file. It should look like
this:
keyfile MYSSLRING SAF
If the SAF positional
parameter is missing, then System SSL treats the name as a GSKKYMAN
key file, not a RACF® keyring,
hence there is no trace. If the keyfile really is a RACF keyring, add the SAF positional parameter.
- Second DataGetNext has a reason code 2C.
Hex 2C is reason
code 44: Record not found. This means that there is a problem with
one of the two certificates that are attached to the ring. To find
out what exactly is wrong, some more research is needed.
In
order for SSL to function properly the key ring needs:
- to be owned by the ID who assigned to the web server process
- to contain a signing CERTAUTH certificate with CERTAUTH usage
- to contain a PERSONAL certificate owned by the ID who is assigned
to the web server process. This certificate must also be signed by
the CERTAUTH certificate and be marked DEFAULT.
- to have neither certificate marked NOTRUST
To learn what could be wrong a RACDCERT should be issued:
RACDCERT ID(webserver-user-id) LISTRING(MYSSLRING)
WEBSERV
is the name of the ID who assigned to the web server process. MYSSLRING
is the name that is listed in the keyfile area of the .conf file.
The output should be similar to this example:
Ring:
>MYSSLRING<
Certificate Label Name Cert Owner USAGE DEFAULT
-------------------------------- ------------ -------- -------
MY PKI CA CERTAUTH CERTAUTH NO
SSL CERT ID(WEBSERV) PERSONAL YES
Looking
at this output verifies most of these conditions.
The output:
"IRRD114I Ring MYSSLRING does not exist." indicates that the ring
in the .conf file does not exist, or that it is not owned by the ID
assigned to the web server process.
To check the signer of
the PERSONAL certificate is the CERTAUTH certificate and that neither
certificate is marked NOTRUST, other commands must be used.
Using
the previous certificate label names, the commands and output are
listed:
Command:RACDCERT ID(WEBSERV) LIST(LABEL('SSL CERT'))
Output:Label: SSL CERT
Certificate ID: 2QfmxcLixdnl4uLTQMPF2eNA
Status: TRUST
Start Date: 2001/06/25 00:00:00
End Date: 2002/06/25 23:59:59
Serial Number:
>01<
Issuer's Name:
>OU=HUMAN RESOURCES CERTIFICATE.O=MY COMPANY, INC.C=US<
Subject's Name:
>CN=WWW.MYCOMPANY.COM.O=MY COMPANY INC.L=MILLBROOK.SP=NEW YORK.C=US<
Signing Algorithm: sha1RSA
Key Type: RSA
Key Size: 1024
Private Key: YES
Ring Associations:
Ring Owner: WEBSERV
Ring:
>MYSSLRING<
Command:RACDCERT CERTAUTH LIST(LABEL('MY PKI CA'))
Output:Label: MY PKI CA
Certificate ID: 2QiJmZmDhZmjgdToQNfSyUDDwUBA
Status: TRUST
Start Date: 2001/06/08 00:00:00
End Date: 2020/06/09 23:59:59
Serial Number:
>00<
Issuer's Name:
>OU=HUMAN RESOURCES CERTIFICATE.O=MY COMPANY, INC.C=US<
Subject's Name:
>OU=HUMAN RESOURCES CERTIFICATE.O=MY COMPANY, INC.C=US<
Key Usage: CERTSIGN
Signing Algorithm: sha256RSA
Key Type: RSA
Key Size: 2048
Private Key: YES
Ring Associations:
Ring Owner: WEBSERV
Ring:
>MYSSLRING<
Note: Both certificates have TRUST status and the
PERSONAL certificate was issued by the CERTAUTH certificate.
Compare your results with the examples provided to evaluate your
situation for common IBM® HTTP
Server related problems that are related to an incorrect SAF keyring
configuration. If you need more assistance when you are done, you
might want to consider calling the IBM support
center.