RSA Product Set: RSA Identity Governance & LIfecycle
RSA Version/Condition: All versions
Platform: WebSphere
There are many different scenarios that can lead to an SSL handshake failing between the application server and another server or even local application.
This debug could be used to troubleshoot connectivity from:
- The Access Fulfillment Express (AFX) instance to the application server.
- The application server to a collector.
- A browser connecting to the application server.
Some of the different details you can derive from the debug would be failures like:
- Using an unsupported TLS version.
- No common SSL ciphers between the client and server.
- An unsupported or invalid certificate attribute.
- Deprecated certificate signing algorithm.
- A keystore referenced in the debug is different than what was expected.
SSL Debug Trace for IBM WebSphere
CAUTION: These traces should be removed as soon as you have reproduced the problem and collected the trace. This debug trace generates a significant amount of events in the WebSphere SystemOut.log file.
- In the WebSphere Application Server (WAS) Admin Console, navigate to Servers > Server Types > WebSphere application servers, then select the server name.
- Under Server Infrastructure, expand Java and Process Management > Process definition > Java Virtual Machine.
- Add the following to the end of the Generic JVM Arguments box:
-Djavax.net.debug=ssl,handshake,data,trustmanager
- Save to the master config, and restart the server for it to take hold.
- This will add debug trace of the SSL handshake to the <Websphere installation>/<AppServer>/profiles/<profile name>/logs/<server name>/SystemOut.log
NOTE: To get useful/verbose messages, the IBM Trust manager may need to be changed from IbmPKIX to IbmX509. This setting is in the WebSphere Admin GUI under Security > SSL Certificate and Key Management > SSL configurations > Select Resource > Trust and Key Managers. The default trust manager for that resource can be changed using the pull-down menu.
