How to enable SSL handshake debugging for IS

It is often helpful to turn on detailed SSL handshake debugging in Integration Server when troubleshooting HTTPS connection issues related to X509 certificates.

Setting the JVM parameter -Djavax.net.debug=all will not work, and using packet capture tools such as Ethereal or Packetyzer is helpful only if you are enough of a network geek to read the output of those tools.

Tim Bond tipped me off to these IS server settings that enable the low-level SSL handshake debugging output. This output will be sent to stderr, so it is necessary to start IS from the command line to view this or to pipe stderr to a file.

For outbound SSL debug, set

watt.ssl.iaik.debug=true

For inbound SSL debug, set

watt.net.ssl.debug=true

The output will look something like the following when the partner’s certificate is not yet trusted by IS:

ssl_debug(4): Sending server_hello handshake message.
ssl_debug(4): Selecting CipherSuite: SSL_RSA_WITH_RC4_128_MD5
ssl_debug(4): Selecting CompressionMethod: NULL
ssl_debug(4): Sending certificate handshake message with server certificate...
ssl_debug(4): Sending certificate_request handshake message...
ssl_debug(4): Sending server_hello_done handshake message...
ssl_debug(4): Received certificate handshake message with client certificate.
ssl_debug(4): Client sent a 1024 bit RSA certificate, chain has 1 elements.
ssl_debug(4): Received client_key_exchange handshake message.
ssl_debug(4): Received certificate_verify handshake message.
ssl_debug(4): ChainVerifier: No trusted certificate found, rejected.
ssl_debug(4): Sending alert: Alert Fatal: bad certificate
ssl_debug(4): Shutting down SSL layer...
ssl_debug(4): SSLException while handshaking: Client certificate rejected by ChainVerifier.
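Once the trace has been captured to a file as described above, the lines can be condensed into one verdict per handshake. The following POSIX shell/awk script is an added example, not code from the post or from webMethods IS; the sample trace is constructed from the lines quoted above, and the "Handshake completed" line for the second session is an assumption about the trace format.

```shell
#!/bin/sh
# Added example: summarise an IS ssl_debug trace (one line per session id)
# and flag handshake parameters a reviewer would want to notice.

# Constructed sample trace, modelled on the output quoted in the post.
# Session 5 and its "Handshake completed" line are assumptions.
SAMPLE_TRACE='ssl_debug(4): Sending server_hello handshake message.
ssl_debug(4): Selecting CipherSuite: SSL_RSA_WITH_RC4_128_MD5
ssl_debug(4): Selecting CompressionMethod: NULL
ssl_debug(4): Received certificate handshake message with client certificate.
ssl_debug(4): Client sent a 1024 bit RSA certificate, chain has 1 elements.
ssl_debug(4): ChainVerifier: No trusted certificate found, rejected.
ssl_debug(4): Sending alert: Alert Fatal: bad certificate
ssl_debug(4): SSLException while handshaking: Client certificate rejected by ChainVerifier.
ssl_debug(5): Selecting CipherSuite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
ssl_debug(5): Client sent a 2048 bit RSA certificate, chain has 2 elements.
ssl_debug(5): Handshake completed.'

# Reads a trace on stdin and prints: <session> <cipher> <client key bits> <result> [flags]
# Usage with a captured file: summarize_ssl_debug < ssldebug.log
summarize_ssl_debug() {
  awk '
    { id = $1; sub(/:$/, "", id) }                       # "ssl_debug(4)"
    /Selecting CipherSuite:/   { cipher[id] = $NF; seen[id] = 1 }
    /Client sent a [0-9]+ bit/ { bits[id] = $5 }         # key size of client cert
    /ChainVerifier: .*rejected/ { result[id] = "REJECTED:untrusted-chain" }
    /Sending alert: Alert Fatal:/ {
      if (!(id in result)) { s = $0; sub(/.*Alert Fatal: /, "", s); result[id] = "REJECTED:" s }
    }
    /Handshake completed/ { if (!(id in result)) result[id] = "OK" }
    END {
      for (id in seen) {
        flag = ""
        # RC4/MD5/export/NULL suites and sub-2048-bit keys are worth a follow-up
        if (cipher[id] ~ /RC4|MD5|EXPORT|NULL/) flag = flag " weak-cipher"
        if (bits[id] != "" && bits[id] + 0 < 2048) flag = flag " weak-key"
        printf "%s %s %s %s%s\n", id, cipher[id], bits[id], result[id], flag
      }
    }'
}

printf '%s\n' "$SAMPLE_TRACE" | summarize_ssl_debug
```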

This is a good help Marc.

This was very good advice, and we were very happy to find it, as we are investigating an SSL issue and would require detailed SSL handshake debug information.
We have tried to activate the SSL debugger as advised here, but haven’t been able to get any output with it. Could someone please help here?

We have added these two lines to server.cnf.
watt.ssl.iaik.debug=true
watt.net.ssl.debug=true

And to get the stderr, we have added >> $MYLOG 2>&1 to server.sh at the end of the line below.
${JAVA_RUN} -DWM_HOME=${WM_HOME} -Djavax.net.debug=all -classpath ${CLASSPATH} ${IS_PROXY_MAIN} ${IS_DIR}/bin/ini.cnf $ ${PREPENDCLASSES_SWITCH} ${PREPENDCLASSES} ${APPENDCLASSES_SWITCH} ${APPENDCLASSES} ${ENV_CLASSPATH_SWITCH} ${SAVED_CP}: $* >> $MYLOG 2>&1

However, there is nothing coming for ssl to the log file given in MYLOG. In fact, there are only two errors (about /usr/lib/dld.sl) coming to mylog whenever IS is started, nothing else.
Even grepping for ssl_debug doesn’t find anything in any file in any folder.

Could someone please comment if there is another way we could try to get the debug information? Or can you see what we are doing wrong?

Any comments are most appreciated.

It turned out that we could not get the SSL debug information, because this feature was introduced in IS version 6.5.

So this might be worth noting, in case someone has similar issues with the SSL debugger.

Hi mcarlson,

We are using wM 6.5, and did turn on the SSL debug as you suggested; however, we were not able to see the output you showed in the server log.

Can you please advise where we would need to look for the output?

Your help is very much appreciated.

Thanks,
AYCHEN

Did you follow solaukka’s instructions above and start IS from the command line?

Mark

Hi Mark,

We did add this code to server.sh and restarted IS from the command line; however, I could not locate where MYLOG was created.

Any suggestion please.

Thanks,
AYCHEN

You would need to define an environment variable called $MYLOG or just replace it in the server.sh with a hardcoded filename such as “ssldebug.log”. You might need to get some assistance from your Unix sysadmin.

Mark

Hi Mark,

It works. I can see the ssl log now.

Thanks,
AYCHEN

The watt.ssl.iaik.debug=true parameter is quite useful.
Do you know if there is any possibility to create a log (textfile) when the IS is started as a Windows service and not from command line?

Not sure if anybody could help!

  1. I created our certs and CA certs (all in DER format)
  2. Placed partners’ certs and CA certs in the trusted folder (all in DER format)
  3. Configured wMAdmin -> Security tab settings
  4. Then created an HTTPS 443 port and set this as the primary port
  5. Restarted IS

After this, when I do http://tech.forums.softwareag.com:443 from IE, it didn’t work. I thought it would??

Also from openssl, I gave ‘openssl s_client -connect localhost:443’, but it errored out
depth=1 /O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=Verisign is a global provider of domain name registry services and internet infrastructure - Verisign Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
verify error:num=20:unable to get local issuer certificate
verify return:0
24524:error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac:.\ssl\s3_pkt.c:1060:SSL alert number 20
24524:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:.\ssl\s23_lib.c:188:

I don’t know about SSL stuff much. But has anyone faced a similar issue? Please help

Sue

Nobody has faced this issue??? I can’t believe this!

wMUsers forum used to be the one-stop shop for webMethods!

The certificate “O=Verisign Trust Network, OU=VeriSign, Inc., OU=VeriSign International Server CA - Class 3, OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign” is valid from Thursday, April 17, 1997 to Wednesday, January 7, 2004.

https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=S:SO7094