If you need to capture SSL trace information when making an HTTPS call from your web application running under WebSphere 7, add a JVM -D system property for javax.net.debug with a value of ssl plus any additional tracing levels defined in the link below. For example:
-Djavax.net.debug=ssl,handshake,data,trustmanager
Refer to this link: JSSE Reference Guide
This will allow you to see trust store information, certificate chaining details and other information that should help you debug issues with making HTTPS calls from your server. If you are trying to connect to a web server that has a self-signed certificate, you’ll need the signer cert added to the \java\jre\lib\security\cacerts keystore within the WebSphere install directory. Note: the default password for keystores is “changeit”.
Here’s an example of the output from the tracing. You can see the trace tells you the location of the cacerts file used for cert lookup:
[1/23/11 20:23:32:578 CST] 00000023 SystemOut O setting up default SSLSocketFactory
[1/23/11 20:23:32:578 CST] 00000023 SystemOut O class com.ibm.jsse2.SSLSocketFactoryImpl is loaded
[1/23/11 20:23:32:593 CST] 00000023 SystemOut O Installed Providers =
[1/23/11 20:23:32:593 CST] 00000023 SystemOut O IBMJCE
[1/23/11 20:23:32:593 CST] 00000023 SystemOut O BC
[1/23/11 20:23:32:593 CST] 00000023 SystemOut O IBMJSSE
[1/23/11 20:23:32:593 CST] 00000023 SystemOut O IBMJSSE2
[1/23/11 20:23:32:593 CST] 00000023 SystemOut O IBMJGSSProvider
[1/23/11 20:23:32:593 CST] 00000023 SystemOut O IBMCertPath
[1/23/11 20:23:32:593 CST] 00000023 SystemOut O IBMPKCS11Impl
[1/23/11 20:23:32:593 CST] 00000023 SystemOut O IBMCMSProvider
[1/23/11 20:23:32:593 CST] 00000023 SystemOut O IBMSPNEGO
[1/23/11 20:23:32:593 CST] 00000023 SystemOut O IBMSASL
[1/23/11 20:23:32:593 CST] 00000023 SystemOut O IBMXMLCRYPTO
[1/23/11 20:23:32:593 CST] 00000023 SystemOut O IBMXMLEnc
[1/23/11 20:23:32:593 CST] 00000023 SystemOut O Policy
[1/23/11 20:23:32:593 CST] 00000023 SystemOut O keyStore is: C:\Program Files\IBM\SDP75\runtimes\base_v7\java\jre\lib\security\cacerts
[1/23/11 20:23:32:593 CST] 00000023 SystemOut O keyStore type is: jks
[1/23/11 20:23:32:593 CST] 00000023 SystemOut O keyStore provider is:
[1/23/11 20:23:32:593 CST] 00000023 SystemOut O init keystore
[1/23/11 20:23:32:640 CST] 00000023 SystemOut O init keymanager of type IbmX509
[1/23/11 20:23:32:640 CST] 00000023 SystemOut O trustStore is: C:\Program Files\IBM\SDP75\runtimes\base_v7\java\jre\lib\security\cacerts
[1/23/11 20:23:32:640 CST] 00000023 SystemOut O trustStore type is: jks
[1/23/11 20:23:32:640 CST] 00000023 SystemOut O trustStore provider is:
[1/23/11 20:23:32:640 CST] 00000023 SystemOut O init truststore
[1/23/11 20:23:32:656 CST] 00000023 SystemOut O adding as trusted cert:
[1/23/11 20:23:32:656 CST] 00000023 SystemOut O Subject: CN=Certum Trusted Network CA, OU=Certum Certification Authority, O=Unizeto Technologies S.A., C=PL
[1/23/11 20:23:32:656 CST] 00000023 SystemOut O Issuer: CN=Certum Trusted Network CA, OU=Certum Certification Authority, O=Unizeto Technologies S.A., C=PL
[1/23/11 20:23:32:656 CST] 00000023 SystemOut O Algorithm: RSA; Serial number: 0x444c0
[1/23/11 20:23:32:656 CST] 00000023 SystemOut O Valid from Wed Oct 22 12:07:37 GMT 2008 until Mon Dec 31 12:07:37 GMT 2029
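Added example (not part of the original post): a Python parser for the trace format shown above that reports which trustStore the JVM actually loaded and whether a given signer CN appears among the "adding as trusted cert" entries inside its validity window. The function names and status strings are illustrative, the sample lines are copied from the trace above, and the zone token in the validity dates is assumed to be GMT.

```python
import re
from datetime import datetime, timezone

# Lines copied from the trace excerpt above (WebSphere SystemOut.log format).
SAMPLE = r"""[1/23/11 20:23:32:640 CST] 00000023 SystemOut O trustStore is: C:\Program Files\IBM\SDP75\runtimes\base_v7\java\jre\lib\security\cacerts
[1/23/11 20:23:32:656 CST] 00000023 SystemOut O adding as trusted cert:
[1/23/11 20:23:32:656 CST] 00000023 SystemOut O Subject: CN=Certum Trusted Network CA, OU=Certum Certification Authority, O=Unizeto Technologies S.A., C=PL
[1/23/11 20:23:32:656 CST] 00000023 SystemOut O Issuer: CN=Certum Trusted Network CA, OU=Certum Certification Authority, O=Unizeto Technologies S.A., C=PL
[1/23/11 20:23:32:656 CST] 00000023 SystemOut O Valid from Wed Oct 22 12:07:37 GMT 2008 until Mon Dec 31 12:07:37 GMT 2029
"""

PREFIX = re.compile(r"^\[[^\]]+\]\s+\S+\s+SystemOut\s+O\s*(.*)$")
STORE = re.compile(r"^(keyStore|trustStore) is\s*:\s*(.+)$")
FIELD = re.compile(r"^(Subject|Issuer):\s*(.+)$")
VALID = re.compile(r"^Valid from (.+) until (.+)$")

def _date(text):
    # "Wed Oct 22 12:07:37 GMT 2008": zone token dropped, assumed to be GMT.
    _, mon, day, clock, _, year = text.split()
    stamp = datetime.strptime(f"{mon} {day} {clock} {year}", "%b %d %H:%M:%S %Y")
    return stamp.replace(tzinfo=timezone.utc)

def parse_trace(text):
    """Collect the store paths and every cert the JVM loaded as trusted."""
    out = {"keyStore": None, "trustStore": None, "trusted": []}
    cert = None
    for line in text.splitlines():
        m = PREFIX.match(line)
        msg = (m.group(1) if m else line).strip()
        if msg.startswith("adding as trusted cert"):
            cert = {}
            out["trusted"].append(cert)
        elif s := STORE.match(msg):
            out[s.group(1)] = s.group(2)
        elif cert is not None and (f := FIELD.match(msg)):
            cert[f.group(1).lower()] = f.group(2)
        elif cert is not None and (v := VALID.match(msg)):
            cert["not_before"], cert["not_after"] = _date(v.group(1)), _date(v.group(2))
    return out

def signer_status(parsed, cn, now=None):
    """Return 'missing', 'out-of-validity' or 'trusted' for a signer CN."""
    now = now or datetime.now(timezone.utc)
    for cert in parsed["trusted"]:
        # Naive RDN split: does not handle escaped commas inside a DN value.
        rdns = [p.strip() for p in cert.get("subject", "").split(",")]
        if f"CN={cn}" in rdns:
            nb, na = cert.get("not_before"), cert.get("not_after")
            return "trusted" if nb and na and nb <= now <= na else "out-of-validity"
    return "missing"
```

A result of "missing" for your self-signed server's signer means the cert never reached the cacerts file named on the trustStore line, which is the file to import it into.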
Could you explain where/how in the AdminConsole to set
-Djavax.net.debug=ssl,handshake,data,trustmanager
Thanks!
Select your application server (Servers / WebSphere application servers / ). Under Server Infrastructure, select Java and Process Management / Process Definition. Select Java Virtual Machine.
Drop your -D parms in the ‘Generic JVM arguments’ field.