z/OS Security Server RACF Diagnosis Guide
Previous topic | Next topic | Contents | Contact z/OS | Library | PDF


Using the trace to find problems

z/OS Security Server RACF Diagnosis Guide
GA32-0886-00

If SSL does not start, or starts but SSL handshake does not occur, turn on trace, and restart the web server. Calls to r_datalib occur when the web server is being started. You should be able to tell from this list what went wrong based on the trace you received. For these trace examples, important trace information is followed by an explanatory note.
  • First DataGetFirst contains a return code of 8 with a reason code of 54
    All of the trace results offset 8 are not shown. The sample trace follows:
         Area value:
     D6C6C6E2  C5E30010                      | OFFSET..         |
    Note: Offset 10 is the return code
         Area length:                  00000004
     Area value:
     00000008                                | ....             |
    Note: Hex 8 in the return code value
     
     Area length:                  00000008
     Area value:
     D6C6C6E2  C5E30014                      | OFFSET..         |
     Area length:                  00000004
     Area value:
     00000000                                | ....             |
     Area length:                  00000008
     Area value:
     D6C6C6E2  C5E30018                      | OFFSET..         |
    Note: Offset 18 is the reason code
     
     D6C6C6E2  C5E30018                      | OFFSET..         |
     Area length:                  00000004
     Area value:
     00000054                                | ....             |
    Note: Hex 54 is the reason code value
     

    54 in hex is equal to a reason code of 80 which for this function is reason: Profile for ring_name not found. The next step for fixing this problem would be to look at the trace at offset 28 and compare the ring name found there with the one in the keyfile area of the .conf file. An example of output at offset 28 is the first DataGetFirst previous example. Check that the ring name is correct. Note, ring names are case-sensitive and must be owned by the web server daemon user ID (WEBSRV by default). This can be checked using the RACDCERT LISTRING TSO command.

  • SSL doesn't start on the server and there are no traces.
    Check the keyfile like in the http.main.conf file. It should look like this:
    keyfile MYSSLRING SAF
    If the SAF positional parameter is missing, then System SSL treats the name as a GSKKYMAN key file, not a RACF® keyring, hence there is no trace. If the keyfile really is a RACF keyring, add the SAF positional parameter.
  • Second DataGetNext has a reason code 2C.

    Hex 2C is reason code 44: Record not found. This means that there is a problem with one of the two certificates that are attached to the ring. To find out what exactly is wrong, some more research is needed.

    In order for SSL to function properly the key ring needs:
    • to be owned by the ID who assigned to the web server process
    • to contain a signing CERTAUTH certificate with CERTAUTH usage
    • to contain a PERSONAL certificate owned by the ID who is assigned to the web server process. This certificate must also be signed by the CERTAUTH certificate and be marked DEFAULT.
    • to have neither certificate marked NOTRUST

    To learn what could be wrong a RACDCERT should be issued: 

    RACDCERT ID(webserver-user-id) LISTRING(MYSSLRING)
    WEBSERV is the name of the ID who assigned to the web server process. MYSSLRING is the name that is listed in the keyfile area of the .conf file. The output should be similar to this example:
     Ring:                                                               
        >MYSSLRING<                                                    
   Certificate Label Name             Cert Owner     USAGE      DEFAULT
   --------------------------------   ------------   --------   -------
   MY PKI CA                          CERTAUTH       CERTAUTH     NO   
   SSL CERT                           ID(WEBSERV)    PERSONAL     YES
    Looking at this output verifies most of these conditions.

    The output: "IRRD114I Ring MYSSLRING does not exist." indicates that the ring in the .conf file does not exist, or that it is not owned by the ID assigned to the web server process.

    To check the signer of the PERSONAL certificate is the CERTAUTH certificate and that neither certificate is marked NOTRUST, other commands must be used.

    Using the previous certificate label names, the commands and output are listed:

    Command:
    RACDCERT ID(WEBSERV) LIST(LABEL('SSL CERT'))
 
    Output:
    Label: SSL CERT                                                          
Certificate ID: 2QfmxcLixdnl4uLTQMPF2eNA                                 
Status: TRUST                                                            
Start Date: 2001/06/25 00:00:00                                          
End Date:   2002/06/25 23:59:59                                          
Serial Number:                                                           
     >01<                                                                
Issuer's Name:                                                           
     >OU=HUMAN RESOURCES CERTIFICATE.O=MY COMPANY, INC.C=US<             
Subject's Name:                                                          
     >CN=WWW.MYCOMPANY.COM.O=MY COMPANY INC.L=MILLBROOK.SP=NEW YORK.C=US<
Signing Algorithm: sha1RSA
Key Type: RSA                                               
Key Size: 1024                                                   
Private Key: YES
Ring Associations:                                                       
  Ring Owner: WEBSERV                                                    
  Ring:                                                                  
     >MYSSLRING<     
 
    Command:
    RACDCERT CERTAUTH LIST(LABEL('MY PKI CA'))
 
    Output:
    Label: MY PKI CA                                             
Certificate ID: 2QiJmZmDhZmjgdToQNfSyUDDwUBA                 
Status: TRUST                                                
Start Date: 2001/06/08 00:00:00                              
End Date:   2020/06/09 23:59:59                              
Serial Number:                                               
     >00<                                                    
Issuer's Name:                                               
     >OU=HUMAN RESOURCES CERTIFICATE.O=MY COMPANY, INC.C=US< 
Subject's Name:                                              
     >OU=HUMAN RESOURCES CERTIFICATE.O=MY COMPANY, INC.C=US< 
Key Usage: CERTSIGN                                          
Signing Algorithm: sha256RSA
Key Type: RSA                                               
Key Size: 2048                                                   
Private Key: YES
Ring Associations:                                           
  Ring Owner: WEBSERV                                        
  Ring:                                                      
     >MYSSLRING<
 
    Note: Both certificates have TRUST status and the PERSONAL certificate was issued by the CERTAUTH certificate.

Compare your results with the examples provided to evaluate your situation for common IBM® HTTP Server related problems that are related to an incorrect SAF keyring configuration. If you need more assistance when you are done, you might want to consider calling the IBM support center.

Parent topic: Using SAF Trace to debug IBM HTTP server problems

Go to the previous page Go to the next page

Notices | Terms of use | Support | Contact z/OS | zFavorites



Copyright IBM Corporation 1990, 2014