It is often helpful to turn on detailed SSL handshake debugging in Integration Server when troubleshooting HTTPS connection issues related to X509 certificates.
Setting the JVM parameter -Djavax.net.debug=all will not work and using packet capture tools such as Ethreal or Packetyzer are helpful only if you are enough of a network geek to read the output of those tools.
Tim Bond tipped me off to these IS server settings that enable the low-level SSL handshake debugging output. This output will be sent to stderr, so it is necessary to start IS from the command line to view this or to pipe stderr to
For outbound SSL debug, set
For inbound SSL debug, set
The output will look something like the following when the partner’s certificate is not yet trusted by IS:
ssl_debug(4): Sending server_hello handshake message. ssl_debug(4): Selecting CipherSuite: SSL_RSA_WITH_RC4_128_MD5 ssl_debug(4): Selecting CompressionMethod: NULL ssl_debug(4): Sending certificate handshake message with server certificate... ssl_debug(4): Sending certificate_request handshake message... ssl_debug(4): Sending server_hello_done handshake message... ssl_debug(4): Received certificate handshake message with client certificate. ssl_debug(4): Client sent a 1024 bit RSA certificate, chain has 1 elements. ssl_debug(4): Received client_key_exchange handshake message. ssl_debug(4): Received certificate_verify handshake message. ssl_debug(4): ChainVerifier: No trusted certificate found, rejected. ssl_debug(4): Sending alert: Alert Fatal: bad certificate ssl_debug(4): Shutting down SSL layer... ssl_debug(4): SSLException while handshaking: Client certificate rejected by ChainVerifier.