IBM Support

MustGather: SSL problems on WebSphere Traditional

Troubleshooting


Problem

Collecting data for problems with the Java™ Security (JSSE/JCE) and SSL component in IBM WebSphere Application Server traditional. Gathering this MustGather information before you call IBM support can help you understand the problem and save time analyzing the data.

Resolving The Problem


Runtime:
This document describes how to obtain the following troubleshooting data for the SSL component:
  • Trace from server startup and configuration information (collector JAR file)
  • Diagnostic questions
  • JSSE client-side trace (if requested)
This document is for collecting data for WEBSPHERE TRADITIONAL. If you want to collect data for Liberty, see MustGather: SSL problems on WebSphere Liberty or click the Liberty tab above.
SSL on WebSphere traditional trace specifications
  • SSL trace specification:
    *=info:SSL=all
  • Java virtual machine (JVM) custom property:
    javax.net.debug=all
  •  Collect data for WebSphere traditional (step by step)
    • You can choose to follow this step-by-step document or you can watch the video in the Collect data for WebSphere traditional (video) section below.
    • Before you collect data, be sure to answer the Diagnostic questions in the section above.

      1. ADD THE javax.net.debug JVM PROPERTY
    • Set the following Java virtual machine (JVM) custom property for the JVM being traced:
      javax.net.debug=all
    To accomplish this, perform the following steps:
    Note: If you were not told which JVM to trace, or for some reason you are not sure which of the JVMs need this kind of tracing, set it on all of them.
    1. In the administrative console, set the javax.net.debug system property by using one of the following options, depending on where the SSL issue is occurring:
      • For tracing an Application server, select the following:
        Servers > Server Types > WebSphere Application Servers > server_name > Expand Java and Process Management (under Server Infrastructure) > Process definition > Java Virtual Machine > Custom properties > New...
      • For tracing a Deployment Manager, select the following:
        System Administration > Deployment manager > Expand Java and Process Management (under Server Infrastructure) > Process definition > Java Virtual Machine > Custom properties > New...
      • For tracing a Node agent, select the following:
        System Administration > Node agents > (pick a node agent) > Expand Java and Process Management (under Server Infrastructure) > Process definition > Java Virtual Machine > Custom properties > New...
    2. Enter the following:
      Name: javax.net.debug
      Value: all
    3. Click Apply, then Save

      2. SET UP WEBSPHERE TRADITIONAL FOR SSL TRACING
    1. In the administrative console, click Troubleshooting > Logs and Trace.
    2. On the Logging and Tracing page, click the server that you want to trace.
    3. Click Diagnostic Trace.
    4. Set up the trace output:
      1. On the Configuration tab, under Trace Output, click File, then
        1. Increase the Maximum File Size to at least 50 MB
        2. Increase the Maximum Number of Historical Files to at least 20
      2. Unless otherwise specified by support, choose Basic (Compatible) for the Trace Output Format.
      3. Click Apply.
    5. Set the trace static specification:
      1. Under Additional Properties, click Change Log Detail Levels.
      2. On the Configuration tab, in the box under Change log detail levels, set the trace specification to:
        *=info:SSL=all
    6. Make sure that you get a SystemOut.log file:
      1. Click JVM Logs
      2. Under System.out > Installed Application Output, make sure that Show application print statements is checked.
      3. Click OK
    7. Save your configuration (choose the Synchronize changes with Nodes option)
    8. (If requested by IBM support) set up JSSE client-side trace for the client application.
    Tracing does not start until the server is restarted.
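
The console changes from steps 1 and 2 can also be scripted with wsadmin. The following Jython script is an added example, not part of the IBM document; NODE, SERVER and the file name enable_ssl_trace.py are placeholders, and it covers the JVM custom property plus the trace output and trace specification settings (not the JVM Logs check in item 6).

```python
# Added example (not IBM's code): wsadmin Jython for steps 1 and 2.
# Run with: <PROFILE_ROOT>/bin/wsadmin.sh -lang jython -f enable_ssl_trace.py
# NODE and SERVER at the bottom are placeholders for your own names.
TRACE_SPEC = '*=info:SSL=all'
DEBUG_PROP = 'javax.net.debug'


def ids(listing):
    # AdminConfig.list returns one configuration ID per line.
    return [line for line in listing.splitlines() if line.strip()]


def enable_ssl_trace(cfg, node, server):
    """Apply steps 1 and 2 to one server; return the list of changes made."""
    srv = cfg.getid('/Node:%s/Server:%s/' % (node, server))
    if not srv:
        raise ValueError('no such server: %s/%s' % (node, server))
    changes = []
    # Step 1: JVM custom property javax.net.debug=all (update it if present).
    for jvm in ids(cfg.list('JavaVirtualMachine', srv)):
        existing = [p for p in ids(cfg.list('Property', jvm))
                    if cfg.showAttribute(p, 'name') == DEBUG_PROP]
        if existing:
            cfg.modify(existing[0], [['value', 'all']])
            changes.append('updated ' + DEBUG_PROP)
        else:
            cfg.create('Property', jvm, [['name', DEBUG_PROP], ['value', 'all']])
            changes.append('created ' + DEBUG_PROP)
    # Step 2: trace to file, Basic format, 50 MB x 20 files, SSL=all.
    ts = ids(cfg.list('TraceService', srv))[0]
    cfg.modify(ts, [['startupTraceSpecification', TRACE_SPEC],
                    ['traceOutputType', 'SPECIFIED_FILE'],
                    ['traceFormat', 'BASIC']])
    cfg.modify(cfg.showAttribute(ts, 'traceLog'),
               [['rolloverSize', '50'], ['maxNumberOfBackupFiles', '20']])
    changes.append('trace=' + TRACE_SPEC)
    return changes


try:
    AdminConfig  # defined only inside wsadmin
except NameError:
    pass  # imported outside wsadmin: define the functions, change nothing
else:
    for change in enable_ssl_trace(AdminConfig, 'NODE', 'SERVER'):
        print(change)
    AdminConfig.save()  # then synchronize nodes and restart the server
```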

      3. COLLECT WEBSPHERE TRADITIONAL SSL TRACES
    Avoid delay: It is important that SSL traces be gathered from server startup.

    For each WebSphere server that you are tracing:
    1. Stop the server.
    2. Back up and clear the logs and FFDC directories.
    3. Start the server.
    4. Reproduce the problem, making note of the time when the problem occurs.

      4. GATHER WEBSPHERE TRADITIONAL SSL DATA TO SEND TO IBM
    Avoid delay: All of the following data is required for proper problem determination of most issues. Do not send a subset of this data unless you were instructed to do so by IBM support.
     
    Data to send: Diagnostic questions
    Instructions: Answer the Diagnostic questions in the section above.

    Data to send: A collector JAR file
    Note: You need to run the collector tool on each <PROFILE_ROOT> in which you enabled trace.
    Instructions: From a temporary directory, run the Collector Tool, collector.sh or collector.bat, which is located in the <PROFILE_ROOT>/bin directory. If there is a message about the collector tool being deprecated, ignore it. The collector tool is the tool IBM support needs you to run.

    Data to send: JSSE client-side trace (if requested)
    Instructions: This file is only required if you were asked by IBM support to collect a JSSE client-side trace.

    See the information in Exchanging information with IBM Technical Support for problem determination to send this diagnostic information to IBM support.

     
  •  Collect data for WebSphere traditional (video)
    • You can choose to watch this video or follow the step-by-step instructions in the Collect data for WebSphere traditional (step by step) section above.
    • Before you collect data, be sure to answer the Diagnostic questions in the section above.

    The following video goes over the necessary steps to collect data for an SSL problem on WebSphere traditional.

    Make sure to collect all the information described in the video. When all the information for your issue is ready, follow the instructions on Exchanging information with IBM Technical Support for problem determination to send the information and files that you collected.

  •  Diagnostic questions
    Provide answers to the following diagnostic questions:
    1. Are you using the default Java Secure Socket Extension (JSSE) providers?
    2. Are you using any third-party JCE framework with your application?
    3. Where is the SSL issue occurring?
      • When you are using SSL to connect to a directory server (like LDAP)?
      • When you are using your own application to make an SSL connection?
        If so, provide the exact URL or remote server hostname that is called by your application.
      • Between the client (browser) and the web server?
        For example, when you attempt to access a Web resource on the web server over HTTPS.
      • Between the client (browser) and the Application Server built-in web server?
        For example, when you attempt to access the Application Server administrative console.
      • Between the web server plug-in and the Application Server?
        For example, when you attempt to access a Web resource on the Application Server over HTTPS.
  •  Collect JSSE client-side trace

    JSSE client-side traces are required when you are observing SSL issues with a Java application that is interacting with a running WebSphere Application Server process.

    See the instructions in the Collect JSSE client-side trace section on Setting up a trace in WebSphere Application Server to collect a JSSE client-side trace. 

 

  • Exchange data with IBM Support

    To diagnose or identify a problem, it is sometimes necessary to provide Technical Support with data and information from your system. In addition, Technical Support might also need to provide you with tools or utilities for you to use during problem determination. You can submit files by using one of the following methods to help speed problem diagnosis:




Document Information

Modified date:
27 February 2024

UID

swg21162961