Skip navigation

Log in to create and rate content, and to follow, bookmark, and share content with other members.

000030977 - How to enable SSL debug when using the WebSphere application server with RSA Identity Governance and Lifecycle

Document created by RSA Customer Support

on Jun 22, 2016•Last modified by RSA Customer Support

on Mar 27, 2017

Version 2Show Document

Like • Show 1 Like1
Comment • 0
View in full screen mode

Article Content

Article Number	000030977
Applies To	RSA Product Set: RSA Identity Governance and LIfecycle RSA Version/Condition: All versions Platform: WebSphere
Issue	There are many different scenarios that can lead to an SSL handshake failing between the application server and another server or even local application. This debug could be used to troubleshoot connectivity from: The Access Fulfillment Express (AFX) instance to the application server. The application server to a collector. A browser connecting to the application server. Some of the different details you can derive from the debug would be failures like: Using an unsupported TLS version. No common SSL ciphers between the client and server. An unsupported or invalid certificate attribute. Deprecated certificate signing algorithm. A keystore referenced in the debug is different than what was expected.
Resolution	SSL Debug Trace for IBM WebSphere CAUTION: These traces should be removed as soon as you have reproduced the problem and collected the trace. This debug trace generates a significant amount of events in the WebSphere SystemOut.log file. In the WebSphere Application Server (WAS) Admin Console, navigate to Servers > Server Types > WebSphere application servers, then select the server name. Under Server Infrastructure, expand Java and Process Management > Process definition > Java Virtual Machine. Add the following to the end of the Generic JVM Arguments box: -Djavax.net.debug=ssl,handshake,data,trustmanager Save to the master config, and restart the server for it to take hold. This will add debug trace of the SSL handshake to the <Websphere installation>/<AppServer>/profiles/<profile name>/logs/<server name>/SystemOut.log NOTE: To get useful/verbose messages, the IBM Trust manager may need to be changed from IbmPKIX to IbmX509. This setting is in the WebSphere Admin GUI under Security > SSL Certificate and Key Management > SSL configurations > Select Resource > Trust and Key Managers. The default trust manager for that resource can be changed using the pull-down menu.

Attachments

Outcomes

0 Comments

Recommended Content