IBM Support

How can I verify that an application is overriding WebSphere's default JSSE socket factory?

Question & Answer


Question

When my application attempts to establish an SSL connection, it is using the IBM JDK default keystore cacerts. However, I expect it to use the WebSphere managed keystores instead. Is there a way to dump Java custom property information so that I can determine what might be overriding the WebSphere configuration?

Answer

In WebSphere Application Server, an application that establishes an SSL connection normally goes through the WebSphere SSL socket factory. WebSphere ships its own SSLSocketFactory implementation, com.ibm.websphere.ssl.protocol.SSLSocketFactory, and registers it as the default socket factory of the IBM Java runtime it runs on. When application code calls APIs that obtain their sockets from this factory, the WebSphere SSL configuration (for example NodeDefaultSSLSettings) is applied to the connection: the protocol, cipher suites, keystore and truststore all come from the WebSphere SSL configuration rather than from the JDK defaults. If the application obtains its sockets some other way, for example by setting javax.net.ssl.* system properties or by building and installing its own SSLContext, JSSE falls back to the JDK defaults, which is why such a connection ends up using the IBM JDK cacerts file instead of the WebSphere managed keystores.

Please see the following screenshot:

[image-20220224084249-1: screenshot not reproduced]
The following Generic JVM argument identifies the caller of the Java socket factory. It prints a Java stack trace each time com.ibm.jsse2.SSLSocketFactoryImpl.createSocket is entered, so the frames above it show which application code created the socket and whether com.ibm.websphere.ssl.protocol.SSLSocketFactory was on the call path. The output goes to native_stderr.log. Note that the second clause also requests a javadump (javacore file) on every createSocket call, which is expensive and produces one javacore per connection; use it only briefly while re-creating the problem, and drop that clause if the stack traces alone are sufficient.

-Xtrace:print=mt,trigger=method{com/ibm/jsse2/SSLSocketFactoryImpl.createSocket,jstacktrace} -Xtrace:print=mt,trigger=method{com/ibm/jsse2/SSLSocketFactoryImpl.createSocket,javadump}

[image-20200224113605-1: screenshot of the Generic JVM arguments field, not reproduced]

In the native_stderr.log you will see a stack trace at each createSocket call, similar to the following:

[image-20200224113615-2: screenshot of native_stderr.log output, not reproduced]

Xtrace for both SSLSocketFactory and System.setProperty

The following string tracks both the socket factory being bypassed and the application setting a system property. The first two clauses are the same as above; the third clause, a trigger on java/lang/System.setProperty, is the one that captures the stack of any code that sets javax.net.ssl.* or other system properties at run time (it is added here because the string as originally published was identical to the one above and did not trace System.setProperty):

-Xtrace:print=mt,trigger=method{com/ibm/jsse2/SSLSocketFactoryImpl.createSocket,jstacktrace} -Xtrace:print=mt,trigger=method{com/ibm/jsse2/SSLSocketFactoryImpl.createSocket,javadump} -Xtrace:print=mt,trigger=method{java/lang/System.setProperty,jstacktrace}

Please note that this is not the only approach to getting this type of information. There are many other ways that application code can override the default WebSphere configuration, for example by calling HttpsURLConnection.setDefaultSSLSocketFactory or by creating its own SSLContext, and the -Xtrace triggers above only catch the ones that pass through the traced methods.
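As an added example (not IBM's code and not part of the original article), the following Java diagnostic reports the JSSE state an application actually sees, which is the information the question asks how to dump: which class SSLSocketFactory.getDefault() resolves to (on WebSphere this should be com.ibm.websphere.ssl.protocol.SSLSocketFactory, selected through the ssl.SocketFactory.provider security property), whether HttpsURLConnection has been given a different default factory, which default SSLContext is in force, and which javax.net.ssl.* system properties are set. Its main() then performs the two common overrides, a System.setProperty on javax.net.ssl.trustStore and HttpsURLConnection.setDefaultSSLSocketFactory with a privately built SSLContext, and re-runs the report so the effect is visible. The class name SslFactoryAudit and the method names are illustrative, and the cacerts path is used only as sample data.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import javax.net.SocketFactory;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;

/**
 * Dumps the JSSE defaults an application actually sees, so that a bypass of the
 * WebSphere-managed SSL configuration can be confirmed from inside the application.
 * Illustrative helper; not part of WebSphere or of IBM's documentation.
 */
public class SslFactoryAudit {

    /** Class WebSphere installs as the JSSE default socket factory (named in the article). */
    static final String WAS_FACTORY = "com.ibm.websphere.ssl.protocol.SSLSocketFactory";

    /** javax.net.ssl.* properties that make JSSE read file-based stores instead of WebSphere's. */
    static final String[] JSSE_PROPS = {
        "javax.net.ssl.keyStore", "javax.net.ssl.keyStoreType", "javax.net.ssl.keyStorePassword",
        "javax.net.ssl.trustStore", "javax.net.ssl.trustStoreType", "javax.net.ssl.trustStorePassword"
    };

    /** Returns one finding per line; lines starting with WARN indicate an override. */
    public static List<String> audit() throws Exception {
        List<String> findings = new ArrayList<>();

        // 1. Which class answers SSLSocketFactory.getDefault()? JSSE resolves it through the
        //    ssl.SocketFactory.provider security property; on WebSphere it should be WAS_FACTORY.
        String provider = Security.getProperty("ssl.SocketFactory.provider");
        SocketFactory def = SSLSocketFactory.getDefault();
        String defClass = def.getClass().getName();
        findings.add("ssl.SocketFactory.provider = " + provider);
        findings.add("SSLSocketFactory.getDefault() -> " + defClass);
        if (!WAS_FACTORY.equals(defClass)) {
            findings.add("WARN default socket factory is not the WebSphere factory");
        }

        // 2. HttpsURLConnection keeps its own process-wide default; setDefaultSSLSocketFactory()
        //    replaces it without touching SSLSocketFactory.getDefault(). On WebSphere the two
        //    class names differ after such a call; on a plain JDK they can coincide.
        SSLSocketFactory https = HttpsURLConnection.getDefaultSSLSocketFactory();
        findings.add("HttpsURLConnection default -> " + https.getClass().getName());
        if (!https.getClass().getName().equals(defClass)) {
            findings.add("WARN HttpsURLConnection.setDefaultSSLSocketFactory() has replaced the default");
        }

        // 3. The default SSLContext, i.e. what SSLContext.getDefault() hands out.
        SSLContext ctx = SSLContext.getDefault();
        findings.add("SSLContext.getDefault() -> " + ctx.getProtocol()
                + " from provider " + ctx.getProvider().getName());

        // 4. javax.net.ssl.* system properties; any value here points JSSE at files such as
        //    cacerts instead of the WebSphere-managed key and trust stores. Passwords are masked.
        for (String p : JSSE_PROPS) {
            String v = System.getProperty(p);
            if (v != null) {
                boolean secret = p.endsWith("Password");
                findings.add("WARN " + p + " = " + (secret ? "<set>" : v));
            }
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("--- before any override ---");
        for (String line : audit()) System.out.println(line);

        // Two override patterns the -Xtrace jstacktrace trigger would attribute to the caller.
        // Pattern A: point JSSE at a file-based truststore (sample value: the JDK's own cacerts).
        System.setProperty("javax.net.ssl.trustStore",
                System.getProperty("java.home") + "/lib/security/cacerts");
        // Pattern B: install a privately built SSLContext as the HttpsURLConnection default.
        SSLContext own = SSLContext.getInstance("TLS");
        own.init(null, null, null);   // JDK default key/trust managers; WebSphere config ignored
        HttpsURLConnection.setDefaultSSLSocketFactory(own.getSocketFactory());

        System.out.println("--- after overrides ---");
        for (String line : audit()) System.out.println(line);
    }
}
```

Run it once in the affected application (for example from a servlet or a startup bean) and compare the output with the expectations above: a default factory other than com.ibm.websphere.ssl.protocol.SSLSocketFactory, or any WARN line, confirms that something in the JVM has overridden the WebSphere configuration, and the -Xtrace triggers then tell you which code did it.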

Detailed steps in WebSphere Application Server to gather the Xtrace and find the caller of the Java socket factory

In the administrative console, set the javax.net.debug system property using one of the following options, depending on where the SSL issue is occurring:

For tracing an application server, select the following: Servers > Server Types > WebSphere Application Servers > server_name > Expand Java and Process Management (under Server Infrastructure) > Process definition > Java virtual machine > Custom properties > New...

Note: If you were not told which JVM to trace, or if you are not sure which of the JVMs need this kind of tracing, set it on all of them.

Type the following:

Name: javax.net.debug

Value: true

Click Apply, and Save your changes to the master configuration.

Then, on the same server, select the following: Servers > Server Types > WebSphere Application Servers > server_name > Expand Java and Process Management (under Server Infrastructure) > Process definition > Java virtual machine > Generic JVM arguments, and define:

-Xtrace:print=mt,trigger=method{com/ibm/jsse2/SSLSocketFactoryImpl.createSocket,jstacktrace} -Xtrace:print=mt,trigger=method{com/ibm/jsse2/SSLSocketFactoryImpl.createSocket,javadump}

Click Apply, and Save your changes to the master configuration.

Expand Troubleshooting > Logs and trace > server_name.

Select Diagnostic Trace. Set the Maximum Number of Historical Files to 20.

Click Apply, then select Change log detail levels.

Set the trace specification string to:

*=info : SSL=all

Click Apply, and Save to the master configuration.

Stop the server(s), then back up and clear the logs directory for the server(s) you are tracing, as well as the FFDC directory.

Start the server(s) and re-create the issue.


Document Information

Modified date:
24 February 2022

UID

ibm13379977