WebSphere Application Server & Liberty

WebSphere Application Server & Liberty

Join this online group to communicate across IBM product users and experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.

 View Only

  • 1.  How do I enable SSLTrace for IBM HTTP Server?

    Posted Thu December 09, 2021 09:45 PM

    IBM WebSphere support has asked me to turn on trace logging in IBM HTTP Server and GSK logging.

    I am following the directions on this page:

    https://www.ibm.com/support/pages/mustgather-ibm-http-server-ssl-handshake-and-configuration-problems

    I am not sure how to enable SSLTrace? Do I just type in SSLTrace in its own line in httpd.conf ? I restarted the IBM HTTP Server but no GSK logs.

    I read these other articles, no specific details on how SSLTrace is to be inserted/modified inside httpd.conf

    https://publib.boulder.ibm.com/httpserv/manual70/mod/mod_ibm_ssl.html#ssltrace

    https://www.ibm.com/docs/en/was-nd/9.0.5?topic=SSAW57_9.0.5/com.ibm.websphere.ihs.doc/ihs/rihs_ssldirs.html#rihs_ssldirs__SSLTrace



    #Support
    #SupportMigration
    #WebSphereHTTPServer


  • 2.  RE: How do I enable SSLTrace for IBM HTTP Server?

    Posted Thu December 09, 2021 09:50 PM

    Yes, just append (to the bottom) of httpd.conf. It takes no arguments or anything.

    SSLTrace

    Note that this is a separate tracing than the "GSKit trace" which is activated with the environment variables starting with GSK*



    #Support
    #SupportMigration
    #WebSphereHTTPServer


  • 3.  RE: How do I enable SSLTrace for IBM HTTP Server?

    Posted Wed December 15, 2021 10:02 PM

    So, in Red Hat Linux, I placed the SSLTrace within the LoadModule. Hope I did that correctly.

    /opt/IBM/HTTPServer/conf/httpd.conf

    # To enable this support: # 1) Create a key database with ikeyman or bin/gskcapicmd # 2) Update the KeyFile directive below to point to that key database # 3) Uncomment the directives up through the end of the example # LoadModule ibm_ssl_module modules/mod_ibm_ssl.so Listen 443 #SSLCheckCertificateExpiration 30 <VirtualHost *:443> SSLEnable SSLTrace #Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" </VirtualHost> KeyFile /opt/IBM/HTTPServer/maximo.kdb # End of example SSL configuration

    I tried setting up all the variables using the EXPORT command, then restarted MXServer & webserver1 (IBM HTTP Server IHS). Got no log output.

    Re: GSKit trace, still can't get log output. Not sure if I misconfigured, or it is a file permission error. Maybe I will try /tmp and see if I get better results.



    #Support
    #SupportMigration
    #WebSphereHTTPServer


  • 4.  RE: How do I enable SSLTrace for IBM HTTP Server?

    Posted Wed December 22, 2021 12:28 AM

    I think I got the SSLTrace and GSK logging working. I appreciate the help.



    #Support
    #SupportMigration
    #WebSphereHTTPServer