000030977 - How to enable SSL debug when using the WebSphere application server with RSA Identity Governance and Lifecycle

Document created by RSA Customer Support Employee on Jun 22, 2016Last modified by RSA Customer Support Employee on Mar 27, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000030977
Applies ToRSA Product Set:  RSA Identity Governance and LIfecycle
RSA Version/Condition: All versions
Platform: WebSphere
 
IssueThere are many different scenarios that can lead to an SSL handshake failing between the application server and another server or even local application.
This debug could be used to troubleshoot connectivity from:
  • The Access Fulfillment Express (AFX) instance to the application server.
  • The application server to a collector.
  • A browser connecting to the application server.
Some of the different details you can derive from the debug would be failures like:
  • Using an unsupported TLS version.
  • No common SSL ciphers between the client and server.
  • An unsupported or invalid certificate attribute.
  • Deprecated certificate signing algorithm.
  • A keystore referenced in the debug is different than what was expected.
Resolution

SSL Debug Trace for IBM WebSphere


CAUTION:  These traces should be removed as soon as you have reproduced the problem and collected the trace. This debug trace generates a significant amount of events in the WebSphere SystemOut.log file.
  1. In the WebSphere Application Server (WAS) Admin Console, navigate to Servers > Server Types > WebSphere application servers, then select the server name.
  2. Under Server Infrastructure, expand Java and Process Management > Process definition > Java Virtual Machine.
  3. Add the following to the end of the Generic JVM Arguments box: 

-Djavax.net.debug=ssl,handshake,data,trustmanager


  1. Save to the master config, and restart the server for it to take hold.
  2. This will add debug trace of the SSL handshake to the <Websphere installation>/<AppServer>/profiles/<profile name>/logs/<server name>/SystemOut.log

NOTE: To get useful/verbose messages, the IBM Trust manager may need to be changed from IbmPKIX to IbmX509.  This setting is in the WebSphere Admin GUI under Security > SSL Certificate and Key Management > SSL configurations > Select Resource > Trust and Key Managers.  The default trust manager for that resource can be changed using the pull-down menu.

Attachments

    Outcomes