Security components troubleshooting tips
This document explains basic resources and steps for diagnosing security-related issues in WebSphere® Application Server.
- What log files to look at and what to look for in them.
- What to look at and what to look for using SDSF.
- General approach for troubleshooting security-related issues to isolating and resolving security problems.
- When and how to trace security. Setting up component trace (CTRACE) is a topic that will aid your tracing activity.
- An overview and table of CSIv2 CORBA minor codes.
- Errors and access problems after enabling
security
After enabling security, a degradation in performance is realized. See Enabling global security for information about using the unrestricted policy files.
- Errors after enabling SSL, or SSL-related error messages
- Errors trying to configure and enable security
If none of these steps solves the problem, check to see if the problem is identified and documented using the links in the Diagnosing and fixing problems: Resources for learning article.
If you do not see a problem that resembles yours, or if the information provided does not solve your problem, see Troubleshooting help from IBM for further assistance.
Log files
SASRas A CWWSA0001I: Security configuration initialized. SASRas A CWWSA0002I: Authentication protocol: CSIV2/IBM SASRas A CWWSA0003I: Authentication mechanism: SWAM SASRas A CWWSA0004I: Principal name: MYHOSTNAME/aServerID SASRas A CWWSA0005I: SecurityCurrent registered. SASRas A CWWSA0006I: Security connection interceptor initialized. SASRas A CWWSA0007I: Client request interceptor registered. SASRas A CWWSA0008I: Server request interceptor registered. SASRas A CWWSA0009I: IOR interceptor registered. NameServerImp I CWNMS0720I: Do Security service listener registration. SecurityCompo A CWSCJ0242A: Security service is starting UserRegistryI A CWSCJ0136I: Custom Registry:com.ibm.ws.security.registry.nt. NTLocalDomainRegistryImpl has been initialized SecurityCompo A CWSCJ0202A: Admin application initialized successfully SecurityCompo A CWSCJ0203A: Naming application initialized successfully SecurityCompo A CWSCJ0204A: Rolebased authorizer initialized successfully SecurityCompo A CWSCJ0205A: Security Admin mBean registered successfully SecurityCompo A CWSCJ0243A: Security service started successfully SecurityCompo A CWSCJ0210A: Security enabled true
SASRas A CWWSA0001I: Security configuration initialized. SASRas A CWWSA0002I: Authentication protocol: CSIV2/IBM SASRas A CWWSA0003I: Authentication mechanism: SWAM SASRas A CWWSA0004I: Principal name: MYHOSTNAME/aServerID SASRas A CWWSA0005I: SecurityCurrent registered. SASRas A CWWSA0006I: Security connection interceptor initialized. SASRas A CWWSA0007I: Client request interceptor registered. SASRas A CWWSA0008I: Server request interceptor registered. SASRas A CWWSA0009I: IOR interceptor registered. NameServerImp I CWNMS0720I: Do Security service listener registration. SecurityCompo A CWSCJ0242A: Security service is starting UserRegistryI A CWSCJ0136I: Custom Registry:com.ibm.ws.security. registry.nt.NTLocalDomainRegistryImpl has been initialized Authenticatio E CWSCJ4001E: Login failed for badID/<null> javax.security.auth.login.LoginException: authentication failed: bad user/password
SASRas A CWWSA0001I: Security configuration initialized. SASRas A CWWSA0002I: Authentication protocol: CSIV2/IBM SASRas A CWWSA0003I: Authentication mechanism: LTPA SASRas A CWWSA0004I: Principal name: MYHOSTNAME/anID SASRas A CWWSA0005I: SecurityCurrent registered. SASRas A CWWSA0006I: Security connection interceptor initialized. SASRas A CWWSA0007I: Client request interceptor registered. SASRas A CWWSA0008I: Server request interceptor registered. SASRas A CWWSA0009I: IOR interceptor registered. NameServerImp I CWNMS0720I: Do Security service listener registration. SecurityCompo A CWSCJ0242A: Security service is starting UserRegistryI A CWSCJ0136I: Custom Registry:com.ibm.ws.security.registry.nt. NTLocalDomainRegistryImpl has been initialized SecurityServe E CWSCJ0237E: One or more vital LTPAServerObject configuration attributes are null or not available. The attributes and values are password : LTPA password does exist, expiration time 30, private key <null>, public key <null>, and shared key <null>.
SASRas A CWWSA0001I: Security configuration initialized. SASRas A CWWSA0002I: Authentication protocol: CSIV2/IBM SASRas A CWWSA0003I: Authentication mechanism: SWAM SASRas A CWWSA0004I: Principal name: MYHOSTNAME/aServerId SASRas A CWWSA0005I: SecurityCurrent registered. SASRas A CWWSA0006I: Security connection interceptor initialized. SASRas A CWWSA0007I: Client request interceptor registered. SASRas A CWWSA0008I: Server request interceptor registered. SASRas A CWWSA0009I: IOR interceptor registered. SASRas E CWWSA0026E: [SecurityTaggedComponentAssistorImpl.register] Exception connecting object to the ORB. Check the SSL configuration to ensure that the SSL keyStore and trustStore properties are set properly. If the problem persists, contact support for assistance. org.omg.CORBA.OBJ_ADAPTER: ORB_CONNECT_ERROR (5) - couldn't get Server Subcontract minor code: 4942FB8F completed: No
Using SDSF
When troubleshooting the security component, use System Display and Search Facility (SDSF) to browse logs for the server that hosts the resource you are trying to access. The following sample of messages helps you see from a server in which the security service has started successfully:
+BBOM0001I com_ibm_authMechanisms_type_OID: No OID for this mechanism. +BBOM0001I com_ibm_security_SAF_unauthenticated: WSGUEST. +BBOM0001I com_ibm_security_SAF_EJBROLE_Audit_Messages_Suppress: 0. +BBOM0001I com_ibm_ws_logging_zos_errorlog_format_cbe: NOT SET, 280 DEFAULT=0. +BBOM0001I com_ibm_CSI_performClientAuthenticationRequired: 0. +BBOM0001I com_ibm_CSI_performClientAuthenticationSupported: 1. +BBOM0001I com_ibm_CSI_performTransportAssocSSLTLSRequired: 0. +BBOM0001I com_ibm_CSI_performTransportAssocSSLTLSSupported: 1. +BBOM0001I com_ibm_CSI_rmiInboundPropagationEnabled: 1. +BBOM0001I com_ibm_CSI_rmiOutboundLoginEnabled: 0. +BBOM0001I com_ibm_CSI_rmiOutboundPropagationEnabled: 1. +BBOM0001I security_assertedID_IBM_accepted: 0. +BBOM0001I security_assertedID_IBM_sent: 0. +BBOM0001I security_disable_daemon_ssl: NOT SET, DEFAULT=0. +BBOM0001I security_sslClientCerts_allowed: 0. +BBOM0001I security_sslKeyring: NOT SET. +BBOM0001I security_zOS_domainName: NOT SET. +BBOM0001I security_zOS_domainType: 0. +BBOM0001I security_zSAS_ssl_repertoire: SY1/DefaultIIOPSSL. +BBOM0001I security_EnableRunAsIdentity: 0. +BBOM0001I security_EnableSyncToOSThread: 0. +BBOM0001I server_configured_system_name: SY1. +BBOM0001I server_generic_short_name: BBOC001. +BBOM0001I server_generic_uuid: 457 *** Message beginning with BBOO0222I apply to Java within *** *** WebSphere Application Server Security *** +BBOO0222I: SECJ6004I: Security Auditing is disabled. +BBOO0222I: SECJ0215I: Successfully set JAAS login provider 631 configuration class to com.ibm.ws.security.auth.login.Configuration. +BBOO0222I: SECJ0136I: Custom 632 Registry:com.ibm.ws.security.registry.zOS.SAFRegistryImpl has been initialized +BBOO0222I: SECJ0157I: Loaded Vendor AuthorizationTable: 633 com.ibm.ws.security.core.SAFAuthorizationTableImpl
BBOM0001I security_zOS_domainName: NOT SET. BBOM0001I security_zOS_domainType: 0. BBOM0001I security_SMF_record_first_auth_user: NOT SET, DEFAULT=1. BBOJ0077I: java.security.policy = /WebSphere/V8R5/AppServer/profil BBOJ0077I: es/default/properties/server.pol BBOJ0077I: icy BBOJ0077I: java.security.auth.login.config = /WebSphere/V8R5/AppServer BBOJ0077I: /profiles/default/properties/wsj BBOJ0077I: aas.conf BBOO0222I: SECJ6004I: Security Auditing is disabled. BBOO0222I: SECJ0215I: Successfully set JAAS login provider configuration class to com.ibm.ws.security.auth.login.Configuration. BBOO0222I: JSAS0001I: Security configuration initialized. BBOO0222I: JSAS0003I: Authentication mechanism: LTPA BBOO0222I: JSAS0004I: Principal name: DEFAULT/CBSYMSR1 BBOO0222I: JSAS0006I: Security connection interceptor initialized. BBOO0222I: JSAS0009I: IOR interceptor registered. BBOO0222I: SECJ0136I: Custom Registry:com.ibm.ws.security.registry.zOS.SAFRegistryImpl has been initialized BBOO0222I: SECJ6214I: SAF authorization is enabled. BBOO0222I: ACWA0002I: WorkArea service not enabled on server1. BBOO0222I: SECJ6216I: SAF delegation is enabled. BBOO0222I: SECJ6216I: SAF delegation is enabled. BBOO0222I: SECJ6216I: SAF delegation is enabled. BBOO0222I: SRVE0169I: Loading Web Module: WIM. BBOO0222I: CHFW0019I: The Transport Channel Service has started chain WCInboundAdmin. BBOO0222I: CHFW0019I: The Transport Channel Service has started chain WCInboundDefault. BBOO0222I: CHFW0019I: The Transport Channel Service has started chain WCInboundAdminSecure. BBOO0222I: CHFW0019I: The Transport Channel Service has started chain WCInboundDefaultSecure. BBOO0222I: WSVR0001I: Server SERVANT PROCESS server1 open for e-business BBOO0020I INITIALIZATION COMPLETE FOR WEBSPHERE FOR Z/OS SERVANT PROCESS BBOS001. ./bborjtr.cpp+953 ... BBOO0222I: SECJ0231I: The Security component's FFDC Diagnostic Module com.ibm.ws.security.core.Sec urityDM registered successfully: true. BossLog: { 0013} 2013/07/12 16:46:00.104 01 SYSTEM=SY1 SERVER=BBOS001 PID=0X02010022 TID=0X266AF610 00000000 c=UNK ./bborjtr.cpp+953 ... BBOO0222I: SECJ0309I: Java 2 Security is disabled. BossLog: { 0014} 2013/07/12 16:46:00.143 01 SYSTEM=SY1 SERVER=BBOS001 PID=0X02010022 TID=0X266AF610 00000000 c=UNK ./bborjtr.cpp+953 ... BBOO0222I: SECJ0212I: WCCM JAAS configuration information successfully pushed to login provider class. BossLog: { 0015} 2013/07/12 16:46:00.258 01 SYSTEM=SY1 SERVER=BBOS001 PID=0X02010022 TID=0X266AF610 00000000 c=UNK ./bborjtr.cpp+953 ... BBOO0222I: SECJ0240I: Security service initialization completed successfully BossLog: { 0016} 2013/07/12 16:46:00.448 01 SYSTEM=SY1 SERVER=BBOS001 PID=0X02010022 TID=0X266AF610 00000000 c=UNK ./bborjtr.cpp+953 ... FFDC0009I: FFDC opened incident stream file /WebSphere/V8R5/AppServer/profiles/default/logs/ffdc/S Y1_SY1_server1_STC 00042_BBOS001S_06.07.12_16.46.00_0.txt BossLog: { 0017} 2013/07/12 16:46:00.532 01 SYSTEM=SY1 SERVER=BBOS001 PID=0X02010022 TID=0X266AF610 00000000 c=UNK ./bborjtr.cpp+953 ... FFDC0010I: FFDC closed incident stream file /WebSphere/V8R5/AppServer/profiles/default/logs/ffdc/S Y1_SY1_server1_STC 00042_BBOS001S_06.07.12_16.46.00_0.txt ./bborjtr.cpp+953 ... BBOO0222I: SECJ0243I: Security service started successfully BossLog: { 0035} 2013/07/12 16:46:24.670 01 SYSTEM=SY1 SERVER=BBOS001 PID=0X02010022 TID=0X266AF610 00000000 c=UNK ./bborjtr.cpp+953 ... BBOO0222I: SECJ0210I: Security enabled true BossLog: { 0036} 2013/07/12 16:46:24.795 01 SYSTEM=SY1 SERVER=BBOS001 PID=0X02010022 TID=0X266AF610 00000000 c=UNK
General approach for troubleshooting security-related issues
- Does the problem occur when security is disabled?
- This question is a good litmus test to determine that a problem is security related. However, just because a problem only occurs when security is enabled does not always make it a security problem. More troubleshooting is necessary to ensure the problem is really security-related.
- Did security seem to initialize properly?
- A lot of security code is visited during initialization. So you can see problems there first if
the problem is configuration related.
The following sequence of messages that are generated in the SystemOut.log indicate normal code initialization of an application server. This sequence varies based on the configuration, but the messages are similar:
SASRas A CWWSA0001I: Security configuration initialized. SASRas A CWWSA0002I: Authentication protocol: CSIV2/IBM SASRas A CWWSA0003I: Authentication mechanism: SWAM SASRas A CWWSA0004I: Principal name: BIRKT20/pbirk SASRas A CWWSA0005I: SecurityCurrent registered. SASRas A CWWSA0006I: Security connection interceptor initialized. SASRas A CWWSA0007I: Client request interceptor registered. SASRas A CWWSA0008I: Server request interceptor registered. SASRas A CWWSA0009I: IOR interceptor registered. NameServerImp I CWNMS0720I: Do Security service listener registration. SecurityCompo A CWSCJ0242A: Security service is starting UserRegistryI A CWSCJ0136I: Custom Registry:com.ibm.ws.security.registry.nt. NTLocalDomainRegistryImpl has been initialized SecurityCompo A CWSCJ0202A: Admin application initialized successfully SecurityCompo A CWSCJ0203A: Naming application initialized successfully SecurityCompo A CWSCJ0204A: Rolebased authorizer initialized successfully SecurityCompo A CWSCJ0205A: Security Admin mBean registered successfully SecurityCompo A CWSCJ0243A: Security service started successfully SecurityCompo A CWSCJ0210A: Security enabled true
The following sequence of messages generated in the SDSF active log indicate normal code initialization of an application server. Non-security messages have been removed from the sequence that follows. This sequence will vary based on the configuration, but the messages are similar:Trace: 2013/05/06 17:27:31.539 01 t=8E96E0 c=UNK key=P8 (13007002) ThreadId: 0000000a FunctionName: printProperties SourceId: com.ibm.ws390.orb.CommonBridge Category: AUDIT ExtendedMessage: BBOJ0077I java.security.policy = /WebSphere/V8R5M0/AppServer/profiles/default/pr Trace: 2013/05/06 17:27:31.779 01 t=8E96E0 c=UNK key=P8 (13007002) ThreadId: 0000000a FunctionName: printProperties SourceId: com.ibm.ws390.orb.CommonBridge Category: AUDIT ExtendedMessage: BBOJ0077I java.security.auth.login.config = /WebSphere/V8R5M0/AppServer/profiles/default/pr Trace: 2013/05/06 17:27:40.892 01 t=8E96E0 c=UNK key=P8 (13007002) ThreadId: 0000000a FunctionName: com.ibm.ws.security.core.SecurityDM SourceId: com.ibm.ws.security.core.SecurityDM Category: INFO ExtendedMessage: BBOO0222I: SECJ0231I: The Security component's FFDC Diagnostic Module com.ibm.ws.security.core.Secur red successfully: true. Trace: 2013/05/06 17:27:40.892 01 t=8E96E0 c=UNK key=P8 (0000000A) Description: Log Boss/390 Error from filename: ./bborjtr.cpp at line: 932 error message: BBOO0222I: SECJ0231I: The Security component's FFDC Diagnostic Module com.ibm.ws.security.core.Securit d successfully: true. Trace: 2013/05/06 17:27:41.054 01 t=8E96E0 c=UNK key=P8 (13007002) ThreadId: 0000000a FunctionName: com.ibm.ws.security.audit.AuditServiceImpl SourceId: com.ibm.ws.security.audit.AuditServiceImpl Category: AUDIT ExtendedMessage: BBOO0222I: SECJ6004I: Security Auditing is disabled. Trace: 2013/05/06 17:27:41.282 01 t=8E96E0 c=UNK key=P8 (13007002) ThreadId: 0000000a FunctionName: com.ibm.ws.security.core.distSecurityComponentImpl SourceId: com.ibm.ws.security.core.distSecurityComponentImpl Category: INFO ExtendedMessage: BBOO0222I: SECJ0309I: Java 2 Security is disabled. Trace: 2013/05/06 17:27:41.282 01 t=8E96E0 c=UNK key=P8 (0000000A) Description: Log Boss/390 Error from filename: ./bborjtr.cpp at line: 932 error message: BBOO0222I: SECJ0309I: Java 2 Security is disabled. Trace: 2013/05/06 17:27:42.239 01 t=8E96E0 c=UNK key=P8 (13007002) ThreadId: 0000000a FunctionName: com.ibm.ws.security.auth.login.Configuration SourceId: com.ibm.ws.security.auth.login.Configuration Category: AUDIT ExtendedMessage: BBOO0222I: SECJ0215I: Successfully set JAAS login provider configuration class to com.ibm.ws.securit Configuration. Trace: 2013/05/06 17:27:42.253 01 t=8E96E0 c=UNK key=P8 (13007002) ThreadId: 0000000a FunctionName: com.ibm.ws.security.core.distSecurityComponentImpl SourceId: com.ibm.ws.security.core.distSecurityComponentImpl Category: INFO ExtendedMessage: BBOO0222I: SECJ0212I: WCCM JAAS configuration information successfully pushed to login provider clas Trace: 2013/05/06 17:27:42.254 01 t=8E96E0 c=UNK key=P8 (0000000A) Description: Log Boss/390 Error from filename: ./bborjtr.cpp at line: 932 error message: BBOO0222I: SECJ0212I: WCCM JAAS configuration information successfully pushed to login provider class. Trace: 2013/05/06 17:27:42.306 01 t=8E96E0 c=UNK key=P8 (13007002) ThreadId: 0000000a FunctionName: com.ibm.ws.security.core.distSecurityComponentImpl SourceId: com.ibm.ws.security.core.distSecurityComponentImpl Category: INFO ExtendedMessage: BBOO0222I: SECJ0240I: Security service initialization completed successfully Trace: 2013/05/06 17:27:42.306 01 t=8E96E0 c=UNK key=P8 (0000000A) Description: Log Boss/390 Error from filename: ./bborjtr.cpp at line: 932 error message: BBOO0222I: SECJ0240I: Security service initialization completed successfully Trace: 2013/05/06 17:27:42.952 01 t=8E96E0 c=UNK key=P8 (13007002) ThreadId: 0000000a FunctionName: com.ibm.ws.objectpool.ObjectPoolService SourceId: com.ibm.ws.objectpool.ObjectPoolService Category: INFO ExtendedMessage: BBOO0222I: OBPL0007I: Object Pool Manager service is disabled. Trace: 2013/05/06 17:27:53.512 01 t=8E96E0 c=UNK key=P8 (13007002) ThreadId: 0000000a FunctionName: com.ibm.ws.security.registry.UserRegistryImpl SourceId: com.ibm.ws.security.registry.UserRegistryImpl Category: AUDIT ExtendedMessage: BBOO0222I: SECJ0136I: Custom Registry:com.ibm.ws.security.registry.zOS.SAFRegistryImpl has been init Trace: 2013/05/06 17:27:55.229 01 t=8E96E0 c=UNK key=P8 (13007002) ThreadId: 0000000a FunctionName: com.ibm.ws.security.role.PluggableAuthorizationTableProxy SourceId: com.ibm.ws.security.role.PluggableAuthorizationTableProxy Category: AUDIT ExtendedMessage: BBOO0222I: SECJ0157I: Loaded Vendor AuthorizationTable: com.ibm.ws.security.core.SAFAuthorizationTab Trace: 2013/05/06 17:27:56.481 01 t=8E96E0 c=UNK key=P8 (13007002) ThreadId: 0000000a FunctionName: com.ibm.ws.security.core.distSecurityComponentImpl SourceId: com.ibm.ws.security.core.distSecurityComponentImpl Category: INFO ExtendedMessage: BBOO0222I: SECJ0243I: Security service started successfully Trace: 2013/05/06 17:27:56.481 01 t=8E96E0 c=UNK key=P8 (0000000A) Description: Log Boss/390 Error from filename: ./bborjtr.cpp at line: 932 error message: BBOO0222I: SECJ0243I: Security service started successfully Trace: 2013/05/06 17:27:56.482 01 t=8E96E0 c=UNK key=P8 (13007002) ThreadId: 0000000a FunctionName: com.ibm.ws.security.core.distSecurityComponentImpl SourceId: com.ibm.ws.security.core.distSecurityComponentImpl Category: INFO ExtendedMessage: BBOO0222I: SECJ0210I: Security enabled true Trace: 2013/05/06 17:27:56.483 01 t=8E96E0 c=UNK key=P8 (0000000A) Description: Log Boss/390 Error from filename: ./bborjtr.cpp at line: 932 error message: BBOO0222I: SECJ0210I: Security enabled true
- Is there a stack trace or exception printed in the system log file?
- A single stack trace tells a lot about the problem. What code initiated the code that failed? What is the failing component? Which class did the failure actually come from? Sometimes the stack trace is all that is needed to solve the problem and it can pinpoint the root cause. Other times, it can only give us a clue, and can actually be misleading. When support analyzes a stack trace, they can request additional trace if it is not clear what the problem is. If it seems to be security-related and the solution cannot be determined from the stack trace or problem description, you are asked to gather the following trace specification: SASRas=all=enabled:com.ibm.ws.security.*=all=enabled from all processes involved.
- Is this a distributed security problem or a local security problem?
-
- If the problem is local, that is the code involved does not make a remote method invocation, then troubleshooting is isolated to a single process. It is important to know when a problem is local versus distributed because the behavior of the object request broker (ORB), among other components, is different between the two. When a remote method invocation takes place, an entirely different security code path is entered.
- When you know that the problem involves two or more servers, the techniques of troubleshooting
change. You need to trace all the servers involved simultaneously so that the trace shows the client
and server sides of the problem. Make sure the timestamps on all machines match as closely as
possible so that you can find the request and reply pair from two different processes. Enable both
Secure Authentication Services (SAS) or z/SAS and Security trace using the trace specification:
SASRas=all=enabled:com.ibm.ws.security.*=all=enabled.
For more information on enabling trace, see Working with Trace.
- Is the problem related to authentication or authorization?
- Most security problems fall under one of these two categories. Authentication is the process of determining who the caller is. Authorization is the process of validating that the caller has the proper authority to invoke the requested method. When authentication fails, typically this failure is related to either the authentication protocol, authentication mechanism or user registry. When authorization fails, this is usually related to the application bindings from assembly and deployment and to the caller's identity who is accessing the method and the roles that are required by the method.
- Is this a web or EJB request?
-
Web requests have a completely different code path than Enterprise JavaBeans (EJB) requests. Different security features exist for web requests than for EJB requests, requiring a completely different body of knowledge to resolve. For example, when using the Lightweight Third-Party Authentication (LTPA) authentication mechanism, the single sign-on feature (SSO) is available for web requests but not for EJB requests. Web requests involve HTTP header information that is not required by EJB requests due to the protocol differences. Also, the web container or servlet engine is involved in the entire process. Any of these components can be involved in the problem and all require consideration during troubleshooting, based on the type of request and where the failure occurs.
Secure EJB requests heavily involve the ORB and Naming components since they flow over the RMI/IIOP protocol. In addition, when Workload Manager (WLM) is enabled, other behavior changes in the code can be observed. All of these components interact closely for security to work properly in this environment. At times, trace in any or all of these components might be necessary to troubleshoot problems in this area.
The trace specification to begin with is SASRas=all=enabled:com.ibm.ws.security.*=all=enabled. ORB trace is also very beneficial when the SAS/Security trace does not seem to pinpoint the problem.
Secure EJB requests are passed from the controller to the servant. Web requests are mostly ignored by the controller. As a result, EJB requests are first processed and authenticated by the zSAS or Common Security Interoperability Version 2 (CSIv2) layers of security. Authorization is done by the servant. If an authentication failure occurs, the zSAS type level of tracing must be turned on to diagnose the problem. Other problems can be diagnosed using the WebSphere Application Server component tracing (CTRACE) facility.
- Does the problem seem to be related to the Secure Sockets Layer (SSL)?
-
SSL is a totally distinct separate layer of security. Troubleshooting SSL problems is usually separate from troubleshooting authentication and authorization problems, and you have many considerations. Usually, SSL problems are first-time setup problems because the configuration can be difficult. Each client must contain the signer certificate of the server. During mutual authentication, each server must contain the client's signer certificate. Also, there can be protocol differences (SSLv3 vs. Transport Layer Security (TLS)), and listener port problems related to stale Interoperable Object References (IORs), that is IORs from a server, that reflect the port prior to the server restarting.
In z/OS, two variations of SSL are used. To determine the cause of an SSL problem on z/OS, you have to be aware of what protocol is being used.- System SSL is used by the Internet Inter-ORB Protocol (IIOP) and HTTPS protocols
- Java Secure Socket Extension (JSSE) is used by all other protocols, for example, SOAP.
- System SSL requests are handled in the controller and are used by z/SAS and CSIv2 security.
- SJSSE is predominately used by the servant, but cases exist where JSSE is used in the controller as well.
For SSL problems, sometimes you get a request for an SSL trace to determine what is happening with the SSL handshake. The SSL handshake is the process that occurs when a client opens a socket to a server. If anything goes wrong with the key exchange, cipher exchange, and so on, the handshake fails and the socket is not valid. Tracing JSSE (the SSL implementation that is used in WebSphere Application Server) involves the following steps:- Set the following system property on the client and server processes: -Djavax.net.debug=true. For the server, add the system property to the Generic JVM Arguments property of the Java virtual machine settings page.
- Turn on ORB trace as well.
- Recreate the problem. The SystemOut.log of both processes contain the JSSE trace. You can find trace similar to the following example:
SSLConnection: install <com.ibm.sslite.e@3ae78375> >> handleHandshakeV2 <com.ibm.sslite.e@3ae78375> >> handshakeV2 type = 1 >> clientHello: SSLv2. SSL client version: 3.0 ... ... ... JSSEContext: handleSession[Socket[addr=null,port=0,localport=0]] << sendServerHello. SSL version: 3.0 SSL_RSA_WITH_RC4_128_MD5 HelloRandom ... ... ... << sendCertificate. << sendServerHelloDone. >> handleData <com.ibm.sslite.e@3ae78375> >> handleHandshake <com.ibm.sslite.e@3ae78375> >> handshakeV3 type = 16 >> clientKeyExchange. >> handleData <com.ibm.sslite.e@3ae78375> >> handleChangeCipherSpec <com.ibm.sslite.e@3ae78375> >> handleData <com.ibm.sslite.e@3ae78375> >> handleHandshake <com.ibm.sslite.e@3ae78375> >> handshakeV3 type = 20 >> finished. << sendChangeCipherSpec. << sendFinished.
The SYSOUT data set for the region's started task contains the JSSE trace. Using SDSF, this trace is similar to the following:JSSEContext: handleConnection[Socket [addr=boss0106.plex1.l2.ibm.com/9.38.48.108,port=2139,localport=8878]] JSSEContext: handleConnection[Socket [addr=boss0106.plex1.l2.ibm.com/9.38.48.108,port=2140,localport=8878]] TrustManagerFactoryImpl: trustStore is : /WebSphere/V8R50M0/AppServer/etc/DummyServerTrustFile.jks TrustManagerFactoryImpl: trustStore type is : JKS TrustManagerFactoryImpl: init truststore JSSEContext: handleConnection[Socket [addr=boss0106.plex1.l2.ibm.com/9.38.48.108,port=2142,localport=8878]] KeyManagerFactoryImpl: keyStore is : /WebSphere/V8R5M0/AppServer/etc/DummyServerKeyFile.jks KeyManagerFactoryImpl: keyStore type is : JKS KeyManagerFactoryImpl: init keystore KeyManagerFactoryImpl: init keystore JSSEContext: handleConnection[Socket [addr=boss0106.plex1.l2.ibm.com/9.38.48.108,port=2143,localport=8878]] JSSEContext: handleSession[Socket [addr=BOSSXXXX.PLEX1.L2.IBM.COM/9.38.48.108,port=8879,localport=2145]] JSSEContext: confirmPeerCertificate [Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM/9.38.48.108,port=8879, localport=2145]] X509TrustManagerImpl: checkServerTrusted X509TrustManagerImpl: Certificate [ [ Version: V3 Subject: CN=jserver, OU=SWG, O=IBM, C=US Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4 0 Key: IBMJCE RSA Public Key: modulus: 10094996692239509074796828756118539107568369566313889955538950668 6622953008589748001058216362638201577071902071311277365773252660799 128781182947273802312699983556527878615792292244995317112436562491 489904381884265119355037731265408654007388863303101746314438337601 264540735679944205391693242921331551342247891 public exponent: 65537 0 Validity: [From: Fri Jun 21 20:08:18 GMT 2013, To: Thu Mar 17 20:08:18 GMT 2014] Issuer: CN=jserver, OU=SWG, O=IBM, C=US SerialNumber: [ 3d1387b2 ] 0] Algorithm: [MD5withRSA] Signature: 0000: 54 DC B5 FA 64 C9 CD FE B3 EF 15 22 3D D0 20 31 T...d......"=. 1 0010: 99 F7 A7 86 F9 4C 82 9F 6E 4B 7B 47 18 2E C6 25 .....L..nK.G...% 0020: 5B B2 9B 78 D8 76 5C 82 07 95 DD B8 44 62 02 62 [..x.v\.....Db.b 0030: 60 2A 0A 6D 4F B9 0A 98 14 27 E9 BB 1A 84 8A D1 `*.mO....'...... 0040: C2 22 AF 70 9E A5 DF A2 FD 57 37 CE 3A 63 1B EB .".p.....W7.:c.. 0050: E8 91 98 9D 7B 21 4A B5 2C 94 FC A9 30 C2 74 72 .....!J.,...0.tr 0060: 95 01 54 B1 29 E7 F8 9E 6D F3 B5 D7 B7 D2 9E 9B ..T.)...m....... 0070: 85 D8 E4 CF C2 D5 3B 64 F0 07 17 9E 1E B9 2F 79 ......;d....../y 0] X509TrustManagerImpl: Certificate [ [ Version: V3 Subject: CN=jserver, OU=SWG, O=IBM, C=US Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4 0 Key: IBMJCE RSA Public Key: modulus: 1009499669223950907479682875611853910756836956631388995553895066866 22953008589748001058216362638201577071902071311277365773252660799 1287811829472738023126999835565278786157922922449953171124365624914 89904381884265119355037731265408654007388863303101746314438337601 264540735679944205391693242921331551342247891 public exponent: 65537 0 Validity: [From: Fri Jun 21 20:08:18 GMT 2013, To: Thu Mar 17 20:08:18 GMT 2015] Issuer: CN=jserver, OU=SWG, O=IBM, C=US SerialNumber: [ 3d1387b2 ] 0] Algorithm: [MD5withRSA] Signature: 0000: 54 DC B5 FA 64 C9 CD FE B3 EF 15 22 3D D0 20 31 T...d......"=. 1 0010: 99 F7 A7 86 F9 4C 82 9F 6E 4B 7B 47 18 2E C6 25 .....L..nK.G...% 0020: 5B B2 9B 78 D8 76 5C 82 07 95 DD B8 44 62 02 62 [..x.v\.....Db.b 0030: 60 2A 0A 6D 4F B9 0A 98 14 27 E9 BB 1A 84 8A D1 `*.mO....'...... 0040: C2 22 AF 70 9E A5 DF A2 FD 57 37 CE 3A 63 1B EB .".p.....W7.:c.. 0050: E8 91 98 9D 7B 21 4A B5 2C 94 FC A9 30 C2 74 72 .....!J.,...0.tr 0060: 95 01 54 B1 29 E7 F8 9E 6D F3 B5 D7 B7 D2 9E 9B ..T.)...m....... 0070: 85 D8 E4 CF C2 D5 3B 64 F0 07 17 9E 1E B9 2F 79 ......;d....../y 0] JSSEContext: handleConnection[Socket[addr=boss0106.plex1.l2.ibm.com /9.38.48.108,port=2144,localport=8878]] JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM /9.38.48.108,port=8879,localport=2145]] JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM /9.38.48.108,port=8879,localport=2146]] JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM /9.38.48.108,port=8879,localport=2147]] JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM /9.38.48.108,port=8879,localport=2148]] JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM /9.38.48.108,port=8879,localport=2149]] JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM /9.38.48.108,port=8879,localport=2150]] JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM /9.38.48.108,port=8879,localport=2151]] JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM /9.38.48.108,port=8879,localport=2152]] JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM /9.38.48.108,port=8879,localport=2153]] JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM /9.38.48.108,port=8879,localport=2154]] JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM /9.38.48.108,port=8879,localport=2155]] JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM /9.38.48.108,port=8879,localport=2156]] JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM /9.38.48.108,port=8879,localport=2157]] JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM /9.38.48.108,port=8879,localport=2158]] JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM /9.38.48.108,port=8879,localport=2159]] JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM /9.38.48.108,port=8879,localport=2160]] JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM /9.38.48.108,port=8879,localport=2161]] JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM /9.38.48.108,port=8879,localport=2162]] JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM /9.38.48.108,port=8879,localport=2163]] JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM /9.38.48.108,port=8879,localport=2164]] JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM /9.38.48.108,port=8879,localport=2165]] JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM /9.38.48.108,port=8879,localport=2166]] JSSEContext: handleSession[Socket[addr=boss0106.plex1.l2.ibm.com /9.38.48.108,port=9443,localport=2167]] JSSEContext: confirmPeerCertificate[Socket[addr=boss0106.plex1.l2.ibm.com /9.38.48.108,port=9443,localport=2167]] X509TrustManagerImpl: checkServerTrusted X509TrustManagerImpl: Certificate [ [ Version: V3 Subject: CN=WAS z/OS Deployment Manager, O=IBM Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5 0 Key: IBMJCE RSA Public Key: modulus: 12840948267119651469312486548020957441946413494498370439558603901582589 8755033448419534105183133064366466828741516428176579440511007 6258795528749232737808897160958348495006972731464152299032614592135114 19361539962555997136085140591098259345625853617389396340664766 649957749527841107121590352429348634287031501 public exponent: 65537 0 Validity: [From: Fri Jun 25 05:00:00 GMT 2013, To: Mon Jun 26 04:59:59 GMT 2015] Issuer: CN=WAS CertAuth, C=US SerialNumber: [ 02] 0Certificate Extensions: 3 [1]: ObjectId: 2.16.840.1.113730.1.13 Criticality=false Extension unknown: DER encoded OCTET string = 0000: 04 3C 13 3A 47 65 6E 65 72 61 74 65 64 20 62 79 .<.:Generated by 0010: 20 74 68 65 20 53 65 63 75 72 65 57 61 79 20 53 the SecureWay S 0020: 65 63 75 72 69 74 79 20 53 65 72 76 65 72 20 66 ecurity Server f 0030: 6F 72 20 7A 2F 4F 53 20 28 52 41 43 46 29 or z/OS (RACF) -[2]: ObjectId: 2.5.29.14 Criticality=false SubjectKeyIdentifier [ KeyIdentifier [ 0000: 05 6A CD 7F AE AF 89 78 99 A8 F1 5B 64 8B 9F AF .j.....x...[d... 0010: 73 1B 58 65 s.Xe ] ] 0[3]: ObjectId: 2.5.29.35 Criticality=false AuthorityKeyIdentifier [ KeyIdentifier [ 0000: 7E D1 7B 17 74 D3 AD D1 7D D8 F8 33 85 19 04 F8 ....t......3.... 0010: 36 51 57 16 6QW. ] 0] 0] Algorithm: [SHA1withRSA] Signature: 0000: 73 0D FC E1 8A B3 42 E1 04 73 72 B1 C6 C9 87 54 s.....B..sr....T 0010: 87 57 02 FA 41 32 D8 B0 39 09 86 CB 6B 03 B6 F9 .W..A2..9...k... 0020: 62 8D 95 36 56 0E D4 D2 F7 7A 8D 4B FB 0B FD 91 b..6V....z.K.... 0030: 89 A8 08 41 30 E2 27 DC 15 5F 2C F4 CD 2F 6B 8E ...A0.'.._,../k. 0040: 21 2A 88 53 46 27 68 9B 55 14 38 8E 1F 50 95 BC !*.SF'h.U.8..P.. 0050: A8 46 F6 68 97 9E 7B 65 9E E8 A7 34 B2 C8 63 CF .F.h...e...4..c. 0060: 73 C8 4E 25 0A EF C5 8F 04 A4 EB 8C CC 33 84 26 s.N%.........3.& 0070: 5D FD 7C AD 7B 02 13 5A 86 A1 89 93 1E A4 93 63 ]......Z.......c 0] X509TrustManagerImpl: Certificate [ [ Version: V3 Subject: CN=WAS CertAuth, C=US Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5 0 Key: IBMJCE RSA Public Key: modulus: 1167408593733331602218385578183389496484587418638676352829560040529918 40558681208199977833401609895748222369066230329785148883251144 2382911186804921983976695395381692334250582278359056431484427844566504 41491799952592864895242987037929408453455627552772317382077015 828713585220212502839546496071839496308430393 public exponent: 65537 0 Validity: [From: Fri Jun 25 05:00:00 GMT 2013, To: Sat Jun 24 04:59:59 GMT 2015] Issuer: CN=WAS CertAuth, C=US SerialNumber: [ 0 ] 0Certificate Extensions: 4 [1]: ObjectId: 2.16.840.1.113730.1.13 Criticality=false Extension unknown: DER encoded OCTET string = 0000: 04 3C 13 3A 47 65 6E 65 72 61 74 65 64 20 62 79 .<.:Generated by 0010: 20 74 68 65 20 53 65 63 75 72 65 57 61 79 20 53 the SecureWay S 0020: 65 63 75 72 69 74 79 20 53 65 72 76 65 72 20 66 ecurity Server f 0030: 6F 72 20 7A 2F 4F 53 20 28 52 41 43 46 29 or z/OS (RACF) -[2]: ObjectId: 2.5.29.14 Criticality=false SubjectKeyIdentifier [ KeyIdentifier [ 0000: 7E D1 7B 17 74 D3 AD D1 7D D8 F8 33 85 19 04 F8 ....t......3.... 0010: 36 51 57 16 6QW. ] ] 0[3]: ObjectId: 2.5.29.15 Criticality=true KeyUsage [ Key_CertSign Crl_Sign ] 0[4]: ObjectId: 2.5.29.19 Criticality=true BasicConstraints:[ CA:true PathLen:2147483647 ] 0] Algorithm: [SHA1withRSA] Signature: 0000: 43 88 AB 19 5D 00 54 57 5E 96 FA 85 CE 88 4A BF C...].TW^.....J. 0010: 6E CB 89 4C 56 BE EF E6 8D 2D 74 B5 83 1A EF 9C n..LV....-t..... 0020: B3 82 F2 16 84 FA 5C 50 53 2A B4 FD EB 27 98 5D ......\PS*...'.] 0030: 43 48 D3 74 85 21 D1 E1 F2 63 9E FB 58 2A F3 6A CH.t.!...c..X*.j 0040: 44 D2 F5 7D B2 55 B9 5E 32 11 78 B6 34 8E 4B 1D D....U.^2.x.4.K. 0050: F3 82 1D C1 5F 7B 3F AD C9 29 FA FF D1 D1 13 2C ...._.?..)....., 0060: 57 F7 7B 51 02 99 6F ED 54 E1 51 34 B8 51 BE 97 W..Q..o.T.Q4.Q.. 0070: 30 AC 4F 89 AB AA 8A B2 E1 40 89 2E 18 C7 0E 15 0.O......@...... 0] JSSEContext: handleConnection[Socket[addr=boss0106.plex1.l2.ibm.com /9.38.48.108,port=9443,localport=2167]] JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM /9.38.48.108,port=8879,localport=2168]] JSSEContext: handleConnection[Socket[addr=boss0106.plex1.l2.ibm.com /9.38.48.108,port=2235,localport=8878]] JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM /9.38.48.108,port=8879,localport=2236]] JSSEContext: handleSession[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM /9.38.48.108,port=8880,localport=2238]] JSSEContext: confirmPeerCertificate[Socket [addr=BOSSXXXX.PLEX1.L2.IBM.COM /9.38.48.108,port=8880,localport=2238]] X509TrustManagerImpl: checkServerTrusted X509TrustManagerImpl: Certificate [ [ Version: V3 Subject: CN=jserver, OU=SWG, O=IBM, C=US Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4 0 Key: IBMJCE RSA Public Key: modulus: 100949966922395090747968287561185391075683695663138899555389506686622953 008589748001058216362638201577071902071311277365773252660799 1287811829472738023126999835565278786157922922449953171124365624914 89904381884265119355037731265408654007388863303101746314438337601 264540735679944205391693242921331551342247891 public exponent: 65537 0 Validity: [From: Fri Jun 21 20:08:18 GMT 2013, To: Thu Mar 17 20:08:18 GMT 2015] Issuer: CN=jserver, OU=SWG, O=IBM, C=US SerialNumber: [ 3d1387b2 ] 0] Algorithm: [MD5withRSA] Signature: 0000: 54 DC B5 FA 64 C9 CD FE B3 EF 15 22 3D D0 20 31 T...d......"=. 1 0010: 99 F7 A7 86 F9 4C 82 9F 6E 4B 7B 47 18 2E C6 25 .....L..nK.G...% 0020: 5B B2 9B 78 D8 76 5C 82 07 95 DD B8 44 62 02 62 [..x.v\.....Db.b 0030: 60 2A 0A 6D 4F B9 0A 98 14 27 E9 BB 1A 84 8A D1 `*.mO....'...... 0040: C2 22 AF 70 9E A5 DF A2 FD 57 37 CE 3A 63 1B EB .".p.....W7.:c.. 0050: E8 91 98 9D 7B 21 4A B5 2C 94 FC A9 30 C2 74 72 .....!J.,...0.tr 0060: 95 01 54 B1 29 E7 F8 9E 6D F3 B5 D7 B7 D2 9E 9B ..T.)...m....... 0070: 85 D8 E4 CF C2 D5 3B 64 F0 07 17 9E 1E B9 2F 79 ......;d....../y 0] X509TrustManagerImpl: Certificate [ [ Version: V3 Subject: CN=jserver, OU=SWG, O=IBM, C=US Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4 0 Key: IBMJCE RSA Public Key: modulus: 100949966922395090747968287561185391075683695663138899555389506 686622953008589748001058216362638201577071902071311277365773252660799 12878118294727380231269998355652787861579229224499531711243656249 1489904381884265119355037731265408654007388863303101746314438337601 264540735679944205391693242921331551342247891 public exponent: 65537 0 Validity: [From: Fri Jun 21 20:08:18 GMT 2013, To: Thu Mar 17 20:08:18 GMT 2015] Issuer: CN=jserver, OU=SWG, O=IBM, C=US SerialNumber: [ 3d1387b2 ] 0] Algorithm: [MD5withRSA] Signature: 0000: 54 DC B5 FA 64 C9 CD FE B3 EF 15 22 3D D0 20 31 T...d......"=. 1 0010: 99 F7 A7 86 F9 4C 82 9F 6E 4B 7B 47 18 2E C6 25 .....L..nK.G...% 0020: 5B B2 9B 78 D8 76 5C 82 07 95 DD B8 44 62 02 62 [..x.v\.....Db.b 0030: 60 2A 0A 6D 4F B9 0A 98 14 27 E9 BB 1A 84 8A D1 `*.mO....'...... 0040: C2 22 AF 70 9E A5 DF A2 FD 57 37 CE 3A 63 1B EB .".p.....W7.:c.. 0050: E8 91 98 9D 7B 21 4A B5 2C 94 FC A9 30 C2 74 72 .....!J.,...0.tr 0060: 95 01 54 B1 29 E7 F8 9E 6D F3 B5 D7 B7 D2 9E 9B ..T.)...m....... 0070: 85 D8 E4 CF C2 D5 3B 64 F0 07 17 9E 1E B9 2F 79 ......;d....../y 0] JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM/ 9.38.48.108,port=8880,localport=2238]] JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM/ 9.38.48.108,port=8880,localport=2239]] JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM/ 9.38.48.108,port=8880,localport=2240]] JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM/ 9.38.48.108,port=8880,localport=2241]]
Trace security
- com.ibm.ws.security.*
- com.ibm.websphere.security.*
- com.ibm.WebSphereSecurityImpl.*
- SASRas
- com.ibm.ws.wim.* for tracing with a Virtual Member Manager (VMM) repository
- com.ibm.ws.security.*=all=enabled:com.ibm.WebSphereSecurityImpl.*= all=enabled:com.ibm.websphere.security.*=all=enabled. This trace statement collects the trace for the security runtime.
- com.ibm.ws.console.security.*=all=enabled. This trace statement collects the trace for the security center administrative console.
- SASRas=all=enabled. This trace statement collects the trace for SAS (low-level authentication logic).
- com.ibm.ws.wim.*=all=enabled:com.ibm.websphere.wim.*=all=enabled. This trace statement collects the trace for VMM.
- Fine tuning SAS traces:
- If a subset of classes need to be traced for the SAS/CSIv2 component, a system property can be specified with the class names comma separated: com.ibm.CORBA.securityTraceFilter=SecurityConnectionInterceptorImpl, VaultImpl, ...
- Fine tuning Security traces:
- If a subset of packages need to be traced, specify a trace specification more detailed than com.ibm.ws.security.*=all=enabled. For example, to trace just dynamic policy code, you can specify com.ibm.ws.security.policy.*=all=enabled. To disable dynamic policy trace, you can specify com.ibm.ws.security.policy.*=all=disabled.
- Configuring CSIv2, or z/SAS Trace Settings
- Situations arise where reviewing trace for the CSIv2 and z/SAS authentication protocols can
assist in troubleshooting difficult problems. This section describes how to enable to CSIv2 and
z/SAS trace.
- Enabling Client-Side CSIv2 and z/SAS Trace
- To enable CSIv2 and z/SAS trace on a pure client, the following steps need to be taken:
- Edit the file TraceSettings.properties in the /WebSphere/AppServer/properties directory.
- In this file, change traceFileName= to point to the path in which you want the ouput file created. Make sure you put a double backslash (\\) between each subdirectory. For example, traceFileName=c:\\WebSphere\\AppServer\\logs\\sas_client.log
- In this file, add the trace specification string: SASRas=all=enabled. Any additional trace strings can be added on separate lines.
- Point to this file from within your client application. On the Java command line where you launch the client, add the following system property:
-DtraceSettingsFile=TraceSettings.properties.Note: Do not give the fully qualified path to the TraceSettings.properties file. Make sure that the TraceSettings.properties file is in your class path.
- Enabling Server-Side CSIv2 and z/SAS Trace
- To enable z/SAS trace in an application server, complete the following:
- Add the trace specification, SASRas=all=enabled, to the server.xml file or add it to the Trace settings within the administrative console.
- Typically it is best to also trace the authorization security runtime in addition to the authentication protocol run time. To do this, use the following two trace specifications in combination: SASRas=all=enabled:com.ibm.ws.security.*=all=enabled.
- When troubleshooting a connection type problem, it is beneficial to trace both CSIv2 and SAS or CSIv2 and z/SAS and the ORB. To do this, use the following three trace specifications: SASRas=all=enabled:com.ibm.ws.security.*=all=enabled:ORBRas=all=enabled.
- In addition to adding these trace specifications, for ORB trace there are a couple of system properties that also need to be set. To set these properties, click ORB tracing option. This option sets two properties that you had to manually set in a previous release. For more information, see the Object Request Broker service settings topic. . Select the
- Configuring CSIv2, or SAS Trace Settings
- Situations arise where reviewing trace for the CSIv2 or SAS authentication protocols can assist
in troubleshooting difficult problems. This section describes how to enable to CSIv2 and SAS trace.
- Enabling Client-Side CSIv2 and SAS Trace
- To enable CSIv2 and SAS trace on a pure client, the following steps need to be taken:
- Edit the file TraceSettings.properties in the /WebSphere/AppServer/properties directory.
- In this file, change traceFileName= to point to the path in which you want the ouput file created. Make sure you put a double backslash (\\) between each subdirectory. For example, traceFileName=c:\\WebSphere\\AppServer\\logs\\sas_client.log
- In this file, add the trace specification string: SASRas=all=enabled. Any additional trace strings can be added on separate lines.
- Point to this file from within your client application. On the Java command line where you launch the client, add the following system property:
-DtraceSettingsFile=TraceSettings.properties.Note: Do not give the fully qualified path to the TraceSettings.properties file. Make sure that the TraceSettings.properties file is in your class path.
- Enabling Client-Side CSIv2 and SAS Trace
- To enable CSIv2 and SAS trace on a pure client, the following steps need to be taken:
- Edit the file TraceSettings.properties in the /WebSphere/AppServer/properties directory. For example, edit profile_root/properties/TraceSettings.properties.
- In this file, change traceFileName= to point to the path in which you want the output file created. For example, traceFileName=profile_root/logs/sas_client.
- n this file, add the trace specification string: SASRas=all=enabled. Any additional trace strings can be added on separate lines.
- Point to this file from within your client application. On the Java command line where you launch the client, add the following system property:
-DtraceSettingsFile=TraceSettings.properties.Note: Do not give the fully qualified path to the TraceSettings.properties file. Make sure that the TraceSettings.properties file is in your class path.
- Enabling Server-Side CSIv2 and SAS Trace
- To enable SAS trace in an application server, complete the following:
- Add the trace specification, SASRas=all=enabled, to the server.xml file or add it to the Trace settings within the WebConsole GUI.
- Typically it is best to also trace the authorization security runtime in addition to the authentication protocol runtime. To do this, use the following two trace specifications in combination: SASRas=all=enabled:com.ibm.ws.security.*=all=enabled.
- When troubleshooting a connection type problem, it is beneficial to trace both CSIv2 and SAS or CSIv2 and z/SAS and the ORB. To do this, use the following three trace specifications: SASRas=all=enabled:com.ibm.ws.security.*=all=enabled:ORBRas=all=enabled.
- In addition to adding these trace specifications, for ORB trace there are a couple of system properties that also need to be set. Go to the ORB settings in the GUI and add the following two properties: com.ibm.CORBA.Debug=true and com.ibm.CORBA.CommTrace=true.
CSIv2 CORBA minor codes
Whenever exceptions occur within the security code on either the client or server, the eventual exception becomes a Common Object Request Broker Architecture (CORBA) exception. Any exception that occurs gets embedded in a CORBA exception because the CORBA architecture is used by the security service for its own inter-process communication. CORBA exceptions are generic and indicate a problem in communication between two components. CORBA minor codes are more specific and indicate the underlying reason that a component could not complete a request.
The following shows the CORBA minor codes that a client can expect to receive after running a security-related request such as authentication. It also includes the CORBA exception type that the minor code appears in.
The following exception shows an example of a CORBA exception where the minor code is 49424300
and indicates Authentication Failure. Typically, a descriptive message is also included in the
exception to assist in troubleshooting the problem. Here, the detailed message is: Exception
caught invoking authenticateBasicAuthData from SecurityServer for user jdoe. Reason:
com.ibm.WebSphereSecurity.AuthenticationFailedException
which indicates that the authentication
failed for user jdoe.
The completed field in the exception indicates whether the method was completed or not. In the
case of a NO_PERMISSION, never invoke the message; therefore it is always
completed:No. Other exceptions that are caught on the server side can have a
completed status of Maybe
or Yes
.
org.omg.CORBA.NO_PERMISSION: Caught WSSecurityContextException in WSSecurityContext.acceptSecContext(), reason: Major Code[0] Minor Code[0] Message[Exception caught invoking authenticateBasicAuthData from SecurityServer for user jdoe. Reason: com.ibm.WebSphereSecurity.AuthenticationFailedException] minor code: 49424300 completed: No at com.ibm.ISecurityLocalObjectBaseL13Impl.PrincipalAuthFailReason. map_auth_fail_to_minor_code(PrincipalAuthFailReason.java:83) at com.ibm.ISecurityLocalObjectBaseL13Impl.CSIServerRI.receive_request (CSIServerRI.java:1569) at com.ibm.rmi.pi.InterceptorManager.iterateReceiveRequest (InterceptorManager.java:739) at com.ibm.CORBA.iiop.ServerDelegate.dispatch(ServerDelegate.java:398) at com.ibm.rmi.iiop.ORB.process(ORB.java:313) at com.ibm.CORBA.iiop.ORB.process(ORB.java:1581) at com.ibm.rmi.iiop.GIOPConnection.doWork(GIOPConnection.java:1827) at com.ibm.rmi.iiop.WorkUnitImpl.doWork(WorkUnitImpl.java:81) at com.ibm.ejs.oa.pool.PooledThread.run(ThreadPool.java:91) at com.ibm.ws.util.CachedThread.run(ThreadPool.java:149)
Minor code name | Minor code value (in hex) | Exception type (all in the package of org.omg.CORBA .*) | Minor code description | Retry performed by stand-alone client (when authenticationRetryEnabled = true) | Retry performed by server acting as a client (when authenticationRetryEnabled = true) |
---|---|---|---|---|---|
AuthenticationFailed | 49424300 | NO_PERMISSION | This code is a generic authentication failed error. It does not give any details about whether or not the user ID or password is valid. Some user registries can choose to use this type of error code, others can choose to use the next three types that are more specific. | Yes | Yes |
InterceptLocateException | 494210B8 | INTERNAL | This indicates a problem when processing an incoming locate request. | No | No |
InvalidUserid | 49424301 | NO_PERMISSION | This code occurs when the registry returns bad user ID. | Yes | No |
InvalidPassword | 49424302 | NO_PERMISSION | This code occurs when the registry returns a bad password. | Yes | No |
InvalidSecurityCredentials | 49424303 | NO_PERMISSION | This is a generic error indicating that the credentials are bad for some reason. It might be that the correct attributes are not set. | Yes, if client has BasicAuth credential (token based credential was rejected in the first place). | Yes |
InvalidRealm | 49424304 | NO_PERMISSION | This code occurs when the REALM in the token received from the client does not match the server's current realm. | No | No |
ValidationFailed | 49424305 | NO_PERMISSION | A validation failure occurs when a token is sent from the client or server to a target server but the token format or the expiration is not valid. | Yes, if client has BasicAuth credential (token based credential was rejected in the first place). | Yes |
CredentialTokenExpired | 49424306 | NO_PERMISSION | This code is more specific about why the validation failed. In this case, the token has an absolute lifetime and the lifetime has expired. Therefore, it is no longer a valid token and cannot be used. | Yes, if client has BasicAuth credential (token based credential was rejected in the first place). | Yes |
InvalidCredentialToken | 49424307 | NO_PERMISSION | This is more specific about why the validation failed. In this case, the token cannot be decrypted or the data within the token is not readable. | Yes, if client has BasicAuth credential (token based credential was rejected in the first place). | No |
SessionDoesNotExist | 49424308 | NO_PERMISSION | This indicates that the CSIv2 session does not exist on the server. Typically, a retry occurs automatically and successfully creates a new session. | Yes | Yes |
SessionConflictingEvidence | 49424309 | NO_PERMISSION | This indicates that a session already exists on the server that matches the context_id sent over by the client. However, the information provided by the client for this EstablishContext message is different from the information originally provided to establish the session. | Yes | Yes |
SessionRejected | 4942430A | NO_PERMISSION | This indicates that the session referenced by the client has been previously rejected by the server. | Yes | Yes |
SecurityServerNotAvailable | 4942430B | NO_PERMISSION | This error occurs when the server cannot contact the local or remote security server in order to authenticate or validate. | No | No |
InvalidIdentityToken | 4942430C | NO_PERMISSION | This error indicates that identity cannot be obtained from the identity token when Identity Assertion is enabled. | No | No |
IdentityServerNotTrusted | 4942430D | NO_PERMISSION | This indicates that the server ID of the sending server is not on the target
server's trusted principal list. Verify that the server ID of the sending server is permitted to the CBIND profile. |
No | No |
InvalidMessage | 4942430E | NO_PERMISSION | This indicates that the CSIv2 message format is not valid for the receiving server. | No | No |
MappingFailed | 4942430F | NO_PERMISSION | This indicates an error occurred mapping an inbound subject using the RMI Inbound system login configuration. | No | No |
RevokedSecurityName | 49424310 | NO_PERMISSION | This indicates that the user id is revoked. | Yes | No |
ExpiredPassword | 49424311 | NO_PERMISSION | This indicates that the password is expired. | Yes | No |
AuthenticationNotSupported | 49421090 | NO_PERMISSION | This error occurs when a mechanism does not support authentication (very rare). | No | No |
InvalidSecurityMechanism | 49421091 | NO_PERMISSION | This is used to indicate that the specified security mechanism is not known. | No | No |
CredentialNotAvailable | 49421092 | NO_PERMISSION | This indicates a credential is not available when it is required. | No | No |
SecurityMechanismNotSupported | 49421093 | NO_PERMISSION | This error occurs when a security mechanism that is specified in the CSIv2 token is not implemented on the server. | No | No |
ValidationNotSupported | 49421094 | NO_PERMISSION | This error occurs when a mechanism does not support validation, such as LocalOS. This error does not occur since the LocalOS credential is not a forwardable credential, therefore, validation never needs to be called on this credential. | No | No |
CredentialTokenNotSet | 49421095 | NO_PERMISSION | This is used to indicate that the token inside the credential is null. | No | No |
InvalidEvidence | 49421096 | NO_PERMISSION | This error indicates that client authentication is required at the server. However, authentication information is not present in the method request from the client. | No | No |
UserRegistryMethod_Protected | 49421098 | NO_PERMISSION | This error indicates that an attempt was made to remotely access a protected UserRegistry method. | No | No |
ServerConnectionFailed | 494210A0 | COMM_FAILURE | This error is used when a connection attempt fails. | Yes (via ORB retry) | Yes (via ORB retry) |
CorbaSystemException | 494210B0 | INTERNAL | This code is a generic CORBA specific exception in system code. | No | No |
JavaException | 494210B1 | INTERNAL | This is a generic error that indicated that an unexpected Java exception occurred. | No | No |
ValueIsNull | 494210B2 | INTERNAL | This code is used to indicate that a value or parameter that passed in is null. | No | No |
EffectivePolicyNotPresent | 494210B3 | INTERNAL | This indicates that an effective policy object for CSIv2 is not present. This object is used to determine what security configuration features are specified. | No | No |
NullPointerException | 494210B4 | INTERNAL | This code is used to indicate that a NullPointerException is caught in the runtime. | No | No |
ErrorGettingClassInstance | 494210B5 | INTERNAL | This indicates a problem loading a class dynamically. | No | No |
MalFormedParameters | 494210B6 | INTERNAL | This indicates parameters are not valid. | No | No |
DuplicateSecurityAttributeType | 494210B7 | INTERNAL | This indicates a duplicate credential attribute that is specified during the set_attributes operation. | No | No |
MethodNotImplemented | 494210C0 | NO_IMPLEMENT | This indicates that a method invoked is not implemented. | No | No |
GSSFormatError | 494210C5 | BAD_PARAM | This code indicates that a Generic Security Services (GSS) encoding or decoding routine has created an exception. | No | No |
TagComponentFormatError | 494210C6 | BAD_PARAM | This code indicates that a tag component cannot be read properly. | No | No |
InvalidSecurityAttributeType | 494210C7 | BAD_PARAM | This code indicates an attribute type specified during the set_attributes operation is not a valid type. | No | No |
SecurityConfigError | 494210CA | INITIALIZE | This code indicates a problem exists between the client and server configuration. | No | No |
For current information available from IBM Support on known problems and their resolution, see the IBM Support page.
IBM Support has documents that can save you time gathering information needed to resolve this problem. Before opening a PMR, see the IBM Support page.