• The Access Fulfillment Express (AFX) instance to the application server.
• The application server to a collector.
• A browser connecting to the application server.

• Using an unsupported TLS version.
• No common SSL ciphers between the client and server.
• An unsupported or invalid certificate attribute.
• Deprecated certificate signing algorithm.
• A keystore referenced in the debug is different than what was expected.

SSL Debug Trace for IBM WebSphere

CAUTION:  These traces should be removed as soon as you have reproduced the problem and collected the trace. This debug trace generates a significant amount of events in the WebSphere SystemOut.log file.

1. In the WebSphere Application Server (WAS) Admin Console, navigate to Servers > Server Types > WebSphere application servers, then select the server name.
2. Under Server Infrastructure, expand Java and Process Management > Process definition > Java Virtual Machine.
3. Add the following to the end of the Generic JVM Arguments box: 

-Djavax.net.debug=ssl,handshake,data,trustmanager

4. Save to the master config, and restart the server for it to take hold.
5. This will add debug trace of the SSL handshake to the <Websphere installation>/<AppServer>/profiles/<profile name>/logs/<server name>/SystemOut.log

NOTE: To get useful/verbose messages, the IBM Trust manager may need to be changed from IbmPKIX to IbmX509.  This setting is in the WebSphere Admin GUI under Security > SSL Certificate and Key Management > SSL configurations > Select Resource > Trust and Key Managers.  The default trust manager for that resource can be changed using the pull-down menu.