Security components troubleshooting tips

This document explains basic resources and steps for diagnosing security-related issues in WebSphere Application Server.

Basic resources and steps for diagnosing security-related issues in WebSphere Application Server include:
The following security-related problems are addressed elsewhere in the information center:

If none of these steps solves the problem, check to see if the problem is identified and documented using the links in Diagnosing and fixing problems: Resources for learning.

For an overview of WebSphere Application Server security components such as z/OS Secure Authentication Services (z/SAS) and how they work, see Getting started with security.

Using SDSF

When troubleshooting the security component, use System Display and Search Facility (SDSF) to browse the logs of the server that hosts the resource you are trying to access. The following sample shows the messages you see from a server in which the security service has started successfully:

 +BBOM0001I com_ibm_security_SAF_unauthenticated: WSGUEST.
 +BBOM0001I com_ibm_security_SAF_EJBROLE_Audit_Messages_Suppress: 0.
 +BBOM0001I com_ibm_userRegistries_type: security:LocalOSUserRegistry.
 +BBOM0001I com_ibm_userRegistries_CustomUserRegistry_realm: NOT SET, 278
 DEFAULT=CustomRealm.
 +BBOM0001I com_ibm_userRegistries_LDAPUserRegistry_realm: NOT SET, 279
 DEFAULT=LDAPRealm.
 +BBOM0001I com_ibm_ws_logging_zos_errorlog_format_cbe: NOT SET, 280
 DEFAULT=0.
 +BBOM0001I com_ibm_CSI_claim_ssl_sys_v2_timeout: NOT SET, DEFAULT=100.
 +BBOM0001I com_ibm_CSI_claim_ssl_sys_v3_timeout: 600.
 +BBOM0001I com_ibm_CSI_claimClientAuthenticationtype: 283
 +BBOM0001I com_ibm_CSI_claimClientAuthenticationRequired: 0.
 +BBOM0001I com_ibm_CSI_claimClientAuthenticationSupported: 1.
 +BBOM0001I com_ibm_CSI_claimIdentityAssertionSupported: 0.
 +BBOM0001I com_ibm_CSI_claimIdentityAssertionTypeCert: 0.
 +BBOM0001I com_ibm_CSI_claimIdentityAssertionTypeDN: 0.
 +BBOM0001I com_ibm_CSI_claimIdentityAssertionTypeSAF: 0.
 +BBOM0001I com_ibm_CSI_claimKeyringName: WASKeyring.
 +BBOM0001I com_ibm_CSI_claimMessageConfidentialityRequired: 0.
 +BBOM0001I com_ibm_CSI_claimMessageIntegrityRequired: NOT SET, 292
 DEFAULT=1.
 +BBOM0001I com_ibm_CSI_claimMessageIntegritySupported: NOT SET, 293
 DEFAULT=1.
 +BBOM0001I com_ibm_CSI_claimSecurityCipherSuiteList: NOT SET.
 +BBOM0001I com_ibm_CSI_claimSecurityLevel: HIGH.
 +BBOM0001I com_ibm_CSI_claimStateful: 1.
 +BBOM0001I com_ibm_CSI_claimTransportAssocSSLTLSRequired: 0.
 +BBOM0001I com_ibm_CSI_claimTransportAssocSSLTLSSupported: 1.
 +BBOM0001I com_ibm_CSI_claimTLClientAuthenticationRequired: 0.
 +BBOM0001I com_ibm_CSI_claimTLClientAuthenticationSupported: 1.
 +BBOM0001I com_ibm_CSI_perform_ssl_sys_v2_timeout: NOT SET, 301
 DEFAULT=100.
 +BBOM0001I com_ibm_CSI_perform_ssl_sys_v3_timeout: 600.
 +BBOM0001I com_ibm_CSI_performClientAuthenticationtype: 303
 +BBOM0001I com_ibm_CSI_performIdentityAssertionRequired: 0.
 +BBOM0001I com_ibm_CSI_performIdentityAssertionSupported: 0.
 +BBOM0001I com_ibm_CSI_performKeyringName: WASKeyring.
 +BBOM0001I com_ibm_CSI_performMessageConfidentialityRequired: 0.
 +BBOM0001I com_ibm_CSI_performMessageConfidentialitySupported: 1.
 +BBOM0001I com_ibm_CSI_performMessageIntegrityRequired: 1.
 +BBOM0001I com_ibm_CSI_performMessageIntegritySupported: 1.
 +BBOM0001I com_ibm_CSI_performSecurityCipherSuiteList: NOT SET.
 +BBOM0001I com_ibm_CSI_performSecurityLevel: HIGH.
 +BBOM0001I com_ibm_CSI_performStateful: 1.
 +BBOM0001I com_ibm_CSI_performTransportAssocSSLTLSRequired: 0.
 +BBOM0001I com_ibm_CSI_performTransportAssocSSLTLSSupported: 1.
 +BBOM0001I com_ibm_CSI_performTLClientAuthenticationRequired: 0.
 +BBOM0001I com_ibm_CSI_performTLClientAuthenticationSupported: 0.
 +BBOM0001I security_disable_daemon_ssl: NOT SET, DEFAULT=0.
 +BBOM0001I security_kerberos_allowed: 0.
 +BBOM0001I security_local_identity: WSGUEST.
 +BBOM0001I security_remote_identity: WSGUEST.
 +BBOM0001I security_sslKeyring: NOT SET. 
 +BBOM0001I security_sslType1: 0.
 +BBOM0001I security_userid_passticket_allowed: 1.
 +BBOM0001I security_userid_password_allowed: 0.
 +BBOM0001I security_zOS_domainName: NOT SET.
 +BBOM0001I security_zOS_domainType: 0.
 +BBOM0001I security_zSAS_ssl_repertoire: SY1/DefaultIIOPSSL.
 +BBOM0001I security_EnableRunAsIdentity: 0.
 +BBOM0001I security_EnableSyncToOSThread: 0.
 +BBOM0001I server_configured_system_name: SY1.
 +BBOM0001I server_generic_short_name: BBOC001.
 +BBOM0001I server_generic_uuid:  457
 *** Messages beginning with BBOO0222I apply to Java within *** 
 *** WebSphere Application Server Security *** 
 +BBOO0222I: SECJ6004I: Security Auditing is disabled.
 +BBOO0222I: SECJ0215I: Successfully set JAAS login provider 631
 configuration class to com.ibm.ws.security.auth.login.Configuration.
 +BBOO0222I: SECJ0136I: Custom 632
 Registry:com.ibm.ws.security.registry.zOS.SAFRegistryImpl has been initialized
 +BBOO0222I: SECJ0157I: Loaded Vendor AuthorizationTable: 633
 com.ibm.ws.security.core.SAFAuthorizationTableImpl
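A quick way to turn a BBOM0001I dump like the one above into a checklist is to parse it and report which settings were set explicitly, which fell back to defaults, and which protections are merely negotiable. The following Python is an added example, not part of this document or of WebSphere Application Server; it handles the SDSF line wrap (the trailing 278/292-style continuation numbers) and uses the messages above as constructed sample input.

```python
import re
from dataclasses import dataclass

# Constructed sample, copied from the BBOM0001I messages shown above. "278", "283",
# "292" and "457" are SDSF continuation numbers left where a message wrapped; the
# continuation of claimClientAuthenticationtype and server_generic_uuid was lost.
SAMPLE = """\
 +BBOM0001I com_ibm_security_SAF_unauthenticated: WSGUEST.
 +BBOM0001I com_ibm_userRegistries_type: security:LocalOSUserRegistry.
 +BBOM0001I com_ibm_userRegistries_CustomUserRegistry_realm: NOT SET, 278
 DEFAULT=CustomRealm.
 +BBOM0001I com_ibm_CSI_claim_ssl_sys_v2_timeout: NOT SET, DEFAULT=100.
 +BBOM0001I com_ibm_CSI_claimClientAuthenticationtype: 283
 +BBOM0001I com_ibm_CSI_claimClientAuthenticationRequired: 0.
 +BBOM0001I com_ibm_CSI_claimClientAuthenticationSupported: 1.
 +BBOM0001I com_ibm_CSI_claimMessageIntegrityRequired: NOT SET, 292
 DEFAULT=1.
 +BBOM0001I com_ibm_CSI_claimSecurityCipherSuiteList: NOT SET.
 +BBOM0001I com_ibm_CSI_claimSecurityLevel: HIGH.
 +BBOM0001I com_ibm_CSI_claimTransportAssocSSLTLSRequired: 0.
 +BBOM0001I com_ibm_CSI_claimTransportAssocSSLTLSSupported: 1.
 +BBOM0001I com_ibm_CSI_claimTLClientAuthenticationRequired: 0.
 +BBOM0001I com_ibm_CSI_claimTLClientAuthenticationSupported: 1.
 +BBOM0001I server_generic_uuid:  457
 *** Messages beginning with BBOO0222I apply to Java within ***
 +BBOO0222I: SECJ6004I: Security Auditing is disabled.
"""

MSG_RE = re.compile(r"^\+?BBOM0001I\s+(\S+?):\s*(.*)$")
# A message whose text ends in a bare number (no trailing period) wrapped in SDSF;
# the number is the continuation line number, not part of the value.
WRAP_RE = re.compile(r"^(.*?)\s*(\d{1,4})$")


@dataclass
class Setting:
    name: str
    value: str      # effective value; "" when nothing was captured
    explicit: bool  # False when the message read "NOT SET[, DEFAULT=...]"


def _finish(name, text):
    text = text.strip().rstrip(".").strip()
    m = re.fullmatch(r"NOT SET,?\s*(?:DEFAULT=(.*))?", text)
    if m:
        return Setting(name, (m.group(1) or "").strip(), False)
    return Setting(name, text, True)


def parse_bbom0001i(text):
    """Return {property_name: Setting}, joining wrapped lines back together."""
    settings, pending = {}, None   # pending = (name, text so far) awaiting its wrap
    for raw in text.splitlines():
        line = raw.strip()
        m = MSG_RE.match(line)
        if m:
            if pending:                      # previous wrap never arrived
                settings[pending[0]] = _finish(*pending)
                pending = None
            name, rest = m.group(1), m.group(2).strip()
            w = WRAP_RE.match(rest)
            if w:
                pending = (name, w.group(1))
            else:
                settings[name] = _finish(name, rest)
        elif pending and line and line[0] not in "+*":   # the wrapped remainder
            settings[pending[0]] = _finish(pending[0], pending[1] + " " + line)
            pending = None
    if pending:
        settings[pending[0]] = _finish(*pending)
    return settings


# CSIv2 "claim" settings describe what this server accepts inbound. Supported=1 with
# Required=0 means the protection is negotiable and a peer may simply not use it.
NEGOTIABLE = [
    ("com_ibm_CSI_claimTransportAssocSSLTLSRequired",
     "com_ibm_CSI_claimTransportAssocSSLTLSSupported", "inbound CSIv2 SSL/TLS transport"),
    ("com_ibm_CSI_claimClientAuthenticationRequired",
     "com_ibm_CSI_claimClientAuthenticationSupported", "inbound CSIv2 client authentication"),
    ("com_ibm_CSI_claimTLClientAuthenticationRequired",
     "com_ibm_CSI_claimTLClientAuthenticationSupported", "inbound SSL client certificates"),
]


def audit(settings):
    """Return (findings, names_that_fell_back_to_defaults)."""
    findings = []
    for req, sup, what in NEGOTIABLE:
        r, s = settings.get(req), settings.get(sup)
        if r and s and s.value == "1" and r.value == "0":
            findings.append(f"{what}: supported but not required, so a peer may decline it")
    for name, s in settings.items():
        if s.explicit and s.value == "":
            findings.append(f"{name}: value not captured (wrapped line lost)")
    defaulted = sorted(n for n, s in settings.items() if not s.explicit)
    return findings, defaulted
```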

General approach for troubleshooting security-related issues

When troubleshooting security-related problems, the following questions are very helpful:
Does the problem occur when security is disabled?
This question is a good litmus test for determining whether a problem is security related. However, a problem that occurs only when security is enabled is not necessarily a security problem; more troubleshooting is necessary to confirm that it really is security-related.
Did security seem to initialize properly?
A large amount of security code runs during initialization, so configuration-related problems usually show up there first.
SASRas        A CWWSA0001I: Security configuration initialized. 
SASRas        A CWWSA0002I: Authentication protocol: CSIV2/IBM 
SASRas        A CWWSA0003I: Authentication mechanism: SWAM 
SASRas        A CWWSA0004I: Principal name: BIRKT20/pbirk 
SASRas        A CWWSA0005I: SecurityCurrent registered. 
SASRas        A CWWSA0006I: Security connection interceptor initialized. 
SASRas        A CWWSA0007I: Client request interceptor registered. 
SASRas        A CWWSA0008I: Server request interceptor registered. 
SASRas        A CWWSA0009I: IOR interceptor registered. 
NameServerImp I CWNMS0720I: Do Security service listener registration. 
SecurityCompo A CWSCJ0242A: Security service is starting 
UserRegistryI A CWSCJ0136I: Custom Registry:com.ibm.ws.security.registry.nt.
NTLocalDomainRegistryImpl has been initialized 
SecurityCompo A CWSCJ0202A: Admin application initialized successfully 
SecurityCompo A CWSCJ0203A: Naming application initialized successfully 
SecurityCompo A CWSCJ0204A: Rolebased authorizer initialized successfully 
SecurityCompo A CWSCJ0205A: Security Admin mBean registered successfully 
SecurityCompo A CWSCJ0243A: Security service started successfully 

SecurityCompo A CWSCJ0210A: Security enabled true 
The following sequence of messages, generated in the SDSF active log, indicates normal initialization of an application server. Non-security messages have been removed from the sequence. The sequence varies with the configuration, but the messages are similar:
 Trace: 2005/05/06 17:27:31.539 01 t=8E96E0 c=UNK key=P8 (13007002)
   ThreadId: 0000000a 
   FunctionName: printProperties 
   SourceId: com.ibm.ws390.orb.CommonBridge
   Category: AUDIT
   ExtendedMessage: BBOJ0077I java.security.policy = 
                    /WebSphere/V6R0M0/AppServer/profiles/default/pr
 Trace: 2005/05/06 17:27:31.779 01 t=8E96E0 c=UNK key=P8 (13007002) 
   ThreadId: 0000000a
   FunctionName: printProperties 
   SourceId: com.ibm.ws390.orb.CommonBridge 
   Category: AUDIT 
   ExtendedMessage: BBOJ0077I java.security.auth.login.config = 
                    /WebSphere/V6R0M0/AppServer/profiles/default/pr
 Trace: 2005/05/06 17:27:40.892 01 t=8E96E0 c=UNK key=P8 (13007002)  
   ThreadId: 0000000a  
   FunctionName: com.ibm.ws.security.core.SecurityDM 
   SourceId: com.ibm.ws.security.core.SecurityDM  
   Category: INFO  
   ExtendedMessage: BBOO0222I: SECJ0231I: The Security component's FFDC Diagnostic 
                    Module com.ibm.ws.security.core.Secur
 red successfully: true. 
 Trace: 2005/05/06 17:27:40.892 01 t=8E96E0 c=UNK key=P8 (0000000A) 
   Description: Log Boss/390 Error 
   from filename: ./bborjtr.cpp
   at line: 932  
   error message: BBOO0222I: SECJ0231I: The Security component's FFDC Diagnostic 
                  Module com.ibm.ws.security.core.Securit
 red successfully: true. 
 Trace: 2005/05/06 17:27:41.054 01 t=8E96E0 c=UNK key=P8 (13007002) 
   ThreadId: 0000000a  
   FunctionName: com.ibm.ws.security.audit.AuditServiceImpl 
   SourceId: com.ibm.ws.security.audit.AuditServiceImpl 
   Category: AUDIT  
   ExtendedMessage: BBOO0222I: SECJ6004I: Security Auditing is disabled. 
 Trace: 2005/05/06 17:27:41.282 01 t=8E96E0 c=UNK key=P8 (13007002) 
   ThreadId: 0000000a 
   FunctionName: com.ibm.ws.security.core.distSecurityComponentImpl  
   SourceId: com.ibm.ws.security.core.distSecurityComponentImpl    
   Category: INFO 
   ExtendedMessage: BBOO0222I: SECJ0309I: Java 2 Security is disabled.  
 Trace: 2005/05/06 17:27:41.282 01 t=8E96E0 c=UNK key=P8 (0000000A)   
   Description: Log Boss/390 Error    
   from filename: ./bborjtr.cpp 
   at line: 932 
   error message: BBOO0222I: SECJ0309I: Java 2 Security is disabled.   
 Trace: 2005/05/06 17:27:42.239 01 t=8E96E0 c=UNK key=P8 (13007002)  
   ThreadId: 0000000a  
   FunctionName: com.ibm.ws.security.auth.login.Configuration   
   SourceId: com.ibm.ws.security.auth.login.Configuration   
   Category: AUDIT 
   ExtendedMessage: BBOO0222I: SECJ0215I: Successfully set JAAS login provider 
                    configuration class to com.ibm.ws.securit
 Configuration.  
 Trace: 2005/05/06 17:27:42.253 01 t=8E96E0 c=UNK key=P8 (13007002)  
   ThreadId: 0000000a  
   FunctionName: com.ibm.ws.security.core.distSecurityComponentImpl 
   SourceId: com.ibm.ws.security.core.distSecurityComponentImpl  
   Category: INFO
   ExtendedMessage: BBOO0222I: SECJ0212I: WCCM JAAS configuration information 
                    successfully pushed to login provider clas
 Trace: 2005/05/06 17:27:42.254 01 t=8E96E0 c=UNK key=P8 (0000000A)   
   Description: Log Boss/390 Error   
   from filename: ./bborjtr.cpp  
   at line: 932 
   error message: BBOO0222I: SECJ0212I: WCCM JAAS configuration information 
                  successfully pushed to login provider class.
 Trace: 2005/05/06 17:27:42.306 01 t=8E96E0 c=UNK key=P8 (13007002) 
   ThreadId: 0000000a  
   FunctionName: com.ibm.ws.security.core.distSecurityComponentImpl 
   SourceId: com.ibm.ws.security.core.distSecurityComponentImpl  
   Category: INFO
   ExtendedMessage: BBOO0222I: SECJ0240I: Security service initialization 
                    completed successfully  
 Trace: 2005/05/06 17:27:42.306 01 t=8E96E0 c=UNK key=P8 (0000000A)   
   Description: Log Boss/390 Error 
   from filename: ./bborjtr.cpp 
   at line: 932  
   error message: BBOO0222I: SECJ0240I: Security service initialization 
                  completed successfully 
 Trace: 2005/05/06 17:27:42.952 01 t=8E96E0 c=UNK key=P8 (13007002)  
   ThreadId: 0000000a  
   FunctionName: com.ibm.ws.objectpool.ObjectPoolService  
   SourceId: com.ibm.ws.objectpool.ObjectPoolService   
   Category: INFO
   ExtendedMessage: BBOO0222I: OBPL0007I: Object Pool Manager service is disabled.  
 Trace: 2005/05/06 17:27:53.512 01 t=8E96E0 c=UNK key=P8 (13007002)  
   ThreadId: 0000000a   
   FunctionName: com.ibm.ws.security.registry.UserRegistryImpl   
   SourceId: com.ibm.ws.security.registry.UserRegistryImpl    
   Category: AUDIT  
   ExtendedMessage: BBOO0222I: SECJ0136I: Custom 
                    Registry:com.ibm.ws.security.registry.zOS.SAFRegistryImpl 
                    has been init
 Trace: 2005/05/06 17:27:55.229 01 t=8E96E0 c=UNK key=P8 (13007002)   
   ThreadId: 0000000a  
   FunctionName: com.ibm.ws.security.role.PluggableAuthorizationTableProxy 
   SourceId: com.ibm.ws.security.role.PluggableAuthorizationTableProxy  
   Category: AUDIT 
   ExtendedMessage: BBOO0222I: SECJ0157I: Loaded Vendor AuthorizationTable: 
                    com.ibm.ws.security.core.SAFAuthorizationTab
 Trace: 2005/05/06 17:27:56.481 01 t=8E96E0 c=UNK key=P8 (13007002) 
   ThreadId: 0000000a   
   FunctionName: com.ibm.ws.security.core.distSecurityComponentImpl  
   SourceId: com.ibm.ws.security.core.distSecurityComponentImpl 
   Category: INFO   
   ExtendedMessage: BBOO0222I: SECJ0243I: Security service started successfully   
 Trace: 2005/05/06 17:27:56.481 01 t=8E96E0 c=UNK key=P8 (0000000A) 
   Description: Log Boss/390 Error   
   from filename: ./bborjtr.cpp 
   at line: 932   
   error message: BBOO0222I: SECJ0243I: Security service started successfully  
 Trace: 2005/05/06 17:27:56.482 01 t=8E96E0 c=UNK key=P8 (13007002)  
   ThreadId: 0000000a 
   FunctionName: com.ibm.ws.security.core.distSecurityComponentImpl  
   SourceId: com.ibm.ws.security.core.distSecurityComponentImpl   
   Category: INFO 
   ExtendedMessage: BBOO0222I: SECJ0210I: Security enabled true  
 Trace: 2005/05/06 17:27:56.483 01 t=8E96E0 c=UNK key=P8 (0000000A)   
   Description: Log Boss/390 Error   
   from filename: ./bborjtr.cpp 
   at line: 932  
   error message: BBOO0222I: SECJ0210I: Security enabled true  
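Rather than reading the sequence above by eye, the milestones can be checked mechanically: did every expected SECJ message appear, in order, and did SECJ0210I report security enabled? The following Python is an added example (not from this document or the product). It folds the duplicate "Log Boss/390 Error" echo of each message onto the original event so nothing is counted twice, and its sample input is constructed from the sequence above.

```python
import re
from collections import OrderedDict

# Constructed sample modeled on the SDSF active-log trace above (non-security
# records removed, long lines truncated as SDSF shows them). Each Java message
# appears twice: as ExtendedMessage and again in a "Log Boss/390 Error" record.
SAMPLE = """\
 Trace: 2005/05/06 17:27:41.282 01 t=8E96E0 c=UNK key=P8 (13007002)
   FunctionName: com.ibm.ws.security.core.distSecurityComponentImpl
   Category: INFO
   ExtendedMessage: BBOO0222I: SECJ0309I: Java 2 Security is disabled.
 Trace: 2005/05/06 17:27:41.282 01 t=8E96E0 c=UNK key=P8 (0000000A)
   Description: Log Boss/390 Error
   from filename: ./bborjtr.cpp
   at line: 932
   error message: BBOO0222I: SECJ0309I: Java 2 Security is disabled.
 Trace: 2005/05/06 17:27:42.239 01 t=8E96E0 c=UNK key=P8 (13007002)
   Category: AUDIT
   ExtendedMessage: BBOO0222I: SECJ0215I: Successfully set JAAS login provider
                    configuration class to com.ibm.ws.securit
 Configuration.
 Trace: 2005/05/06 17:27:42.253 01 t=8E96E0 c=UNK key=P8 (13007002)
   ExtendedMessage: BBOO0222I: SECJ0212I: WCCM JAAS configuration information
                    successfully pushed to login provider clas
 Trace: 2005/05/06 17:27:42.306 01 t=8E96E0 c=UNK key=P8 (13007002)
   ExtendedMessage: BBOO0222I: SECJ0240I: Security service initialization
                    completed successfully
 Trace: 2005/05/06 17:27:53.512 01 t=8E96E0 c=UNK key=P8 (13007002)
   ExtendedMessage: BBOO0222I: SECJ0136I: Custom
                    Registry:com.ibm.ws.security.registry.zOS.SAFRegistryImpl
 Trace: 2005/05/06 17:27:55.229 01 t=8E96E0 c=UNK key=P8 (13007002)
   ExtendedMessage: BBOO0222I: SECJ0157I: Loaded Vendor AuthorizationTable:
                    com.ibm.ws.security.core.SAFAuthorizationTab
 Trace: 2005/05/06 17:27:56.481 01 t=8E96E0 c=UNK key=P8 (13007002)
   ExtendedMessage: BBOO0222I: SECJ0243I: Security service started successfully
 Trace: 2005/05/06 17:27:56.482 01 t=8E96E0 c=UNK key=P8 (13007002)
   ExtendedMessage: BBOO0222I: SECJ0210I: Security enabled true
 Trace: 2005/05/06 17:27:56.483 01 t=8E96E0 c=UNK key=P8 (0000000A)
   Description: Log Boss/390 Error
   error message: BBOO0222I: SECJ0210I: Security enabled true
"""

TRACE_RE = re.compile(r"^\s*Trace:\s+(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)")
# Java messages are wrapped in BBOO0222I; the SECJ id identifies the step.
MSG_RE = re.compile(r"(?:ExtendedMessage|error message):\s*BBOO0222I:\s*(SECJ\d{4}[IAWE]):\s*(.*)$")

# Order in which the security service reports a normal start (taken from the sequence above).
MILESTONES = [
    ("SECJ0215I", "JAAS login provider configuration class set"),
    ("SECJ0212I", "WCCM JAAS configuration pushed to login provider"),
    ("SECJ0240I", "security service initialization completed"),
    ("SECJ0136I", "user registry initialized"),
    ("SECJ0157I", "vendor authorization table loaded"),
    ("SECJ0243I", "security service started"),
    ("SECJ0210I", "security enabled reported"),
]


def parse_events(text):
    """Map SECJ message id -> (timestamp, text) in order of first appearance.
    The Boss/390 echo of each message is folded onto the original event."""
    events, stamp = OrderedDict(), None
    for line in text.splitlines():
        t = TRACE_RE.match(line)
        if t:
            stamp = t.group(1)
            continue
        m = MSG_RE.search(line)
        if m and m.group(1) not in events:
            events[m.group(1)] = (stamp, m.group(2).strip())
    return events


def check_init(text):
    """Report missing or misordered milestones and the security posture they announce."""
    events = parse_events(text)
    order = list(events)
    missing = [mid for mid, _ in MILESTONES if mid not in events]
    positions = [order.index(mid) for mid, _ in MILESTONES if mid in events]
    out_of_order = positions != sorted(positions)
    enabled = events.get("SECJ0210I")
    security_on = bool(enabled) and enabled[1].lower().endswith("true")
    notes = []
    if enabled and not security_on:
        notes.append("SECJ0210I reports security is not enabled")
    if "SECJ0309I" in events:
        notes.append("Java 2 Security is disabled (SECJ0309I)")
    if "SECJ6004I" in events:
        notes.append("security auditing is disabled (SECJ6004I)")
    return {"events": len(events), "missing": missing, "out_of_order": out_of_order,
            "notes": notes, "initialized": not missing and not out_of_order and security_on}
```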
Is there a stack trace or exception printed in the system log file?
A single stack trace tells a lot about the problem: what code initiated the code that failed, what the failing component is, and which class the failure actually came from. Sometimes the stack trace is all that is needed to solve the problem, and it can pinpoint the root cause. Other times it gives only a clue, and it can even be misleading. When support analyzes a stack trace, they can request additional trace if the problem is not clear. If the problem seems to be security-related and the solution cannot be determined from the stack trace or problem description, you are asked to gather the following trace specification from all processes involved: SASRas=all=enabled:com.ibm.ws.security.*=all=enabled.
Is this a distributed security problem or a local security problem?
  • If the problem is local, that is, the code involved does not make a remote method invocation, then troubleshooting is isolated to a single process. It is important to know whether a problem is local or distributed because the behavior of the object request broker (ORB), among other components, differs between the two. When a remote method invocation takes place, an entirely different security code path is entered.
  • When you know that the problem involves two or more servers, the techniques of troubleshooting change. You need to trace all the servers involved simultaneously so that the trace shows the client and server sides of the problem. Make sure the timestamps on all machines match as closely as possible so that you can find the request and reply pair from two different processes.

    Enable Secure Authentication Services (SAS) and Security trace using the trace specification: SASRas=all=enabled:com.ibm.ws.security.*=all=enabled.

    For more information on enabling trace, see Enabling trace.

    For more information on enabling trace, see Working with Trace.

Is the problem related to authentication or authorization?
Most security problems fall into one of these two categories. Authentication is the process of determining who the caller is. Authorization is the process of validating that the caller has the authority to invoke the requested method. When authentication fails, the failure is typically related to the authentication protocol, the authentication mechanism, or the user registry. When authorization fails, the failure is usually related to the application bindings created during assembly and deployment, to the identity of the caller who is accessing the method, and to the roles that the method requires.
Is this a Web or EJB request?

Web requests have a completely different code path than Enterprise JavaBeans (EJB) requests. Different security features exist for Web requests than for EJB requests, requiring a completely different body of knowledge to resolve. For example, when using the Lightweight Third-Party Authentication (LTPA) authentication mechanism, the single sign-on feature (SSO) is available for Web requests but not for EJB requests. Web requests involve HTTP header information that is not required by EJB requests due to the protocol differences. Also, the Web container or servlet engine is involved in the entire process. Any of these components can be involved in the problem and all require consideration during troubleshooting, based on the type of request and where the failure occurs.

Secure EJB requests are passed from the controller to the servant, whereas Web requests are mostly ignored by the controller. As a result, EJB requests are first processed and authenticated by the zSAS or Common Security Interoperability Version 2 (CSIv2) security layers, and authorization is done by the servant. If an authentication failure occurs, zSAS-level tracing must be turned on to diagnose the problem. Other problems can be diagnosed using the WebSphere Application Server component tracing (CTRACE) facility.

Does the problem seem to be related to the Secure Sockets Layer (SSL)?

SSL is a distinct layer of security, so troubleshooting SSL problems is usually separate from troubleshooting authentication and authorization problems, and there are many things to consider. SSL problems are usually first-time setup problems, because the configuration can be difficult. Each client must contain the signer certificate of the server, and during mutual authentication each server must also contain the client's signer certificate. There can also be protocol differences (SSLv3 versus Transport Layer Security (TLS)) and listener port problems caused by stale Interoperable Object References (IORs), that is, IORs from a server that still reflect the port used before the server restarted.

In z/OS, two variations of SSL are used. To determine the cause of an SSL problem on z/OS, you have to know which implementation is being used.
  • System SSL is used by the Internet Inter-ORB Protocol (IIOP) and HTTPS protocols.
  • Java Secure Socket Extension (JSSE) is used by all other protocols, for example, SOAP.
  • System SSL requests are handled in the controller and are used by z/SAS and CSIv2 security.
  • JSSE is predominantly used by the servant, but cases exist where JSSE is used in the controller as well.
For SSL problems, sometimes you get a request for an SSL trace to determine what is happening with the SSL handshake. The SSL handshake is the process that occurs when a client opens a socket to a server. If anything goes wrong with the key exchange, cipher exchange, and so on, the handshake fails and the socket is not valid. Tracing JSSE (the SSL implementation that is used in WebSphere Application Server) involves the following steps:
  • Set the following system property on the client and server processes: -Djavax.net.debug=true. For the server, add the system property to the Generic JVM Arguments property of the Java virtual machine settings page.
  • Recreate the problem.
    The SYSOUT data set for the region's started task contains the JSSE trace. Viewed in SDSF, the trace is similar to the following:
     JSSEContext: handleConnection[Socket
    [addr=boss0106.plex1.l2.ibm.com/9.38.48.108,port=2139,localport=8878]]
     JSSEContext: handleConnection[Socket
    [addr=boss0106.plex1.l2.ibm.com/9.38.48.108,port=2140,localport=8878]]
     TrustManagerFactoryImpl: trustStore is :
     /WebSphere/V6R0M0/AppServer/etc/DummyServerTrustFile.jks
     TrustManagerFactoryImpl: trustStore type is : JKS
     TrustManagerFactoryImpl: init truststore
     JSSEContext: handleConnection[Socket
    [addr=boss0106.plex1.l2.ibm.com/9.38.48.108,port=2142,localport=8878]]
     KeyManagerFactoryImpl: keyStore is : 
    /WebSphere/V6R0M0/AppServer/etc/DummyServerKeyFile.jks
     KeyManagerFactoryImpl: keyStore type is : JKS
     KeyManagerFactoryImpl: init keystore
     KeyManagerFactoryImpl: init keystore
     JSSEContext: handleConnection[Socket
    [addr=boss0106.plex1.l2.ibm.com/9.38.48.108,port=2143,localport=8878]]
     JSSEContext: handleSession[Socket
    [addr=BOSSXXXX.PLEX1.L2.IBM.COM/9.38.48.108,port=8879,localport=2145]]
     JSSEContext:  confirmPeerCertificate
    [Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM/9.38.48.108,port=8879,
      localport=2145]]
     X509TrustManagerImpl: checkServerTrusted
     X509TrustManagerImpl: Certificate [
     [
       Version: V3
       Subject: CN=jserver, OU=SWG, O=IBM, C=US
       Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
    0  Key:  IBMJCE RSA Public Key:
     modulus:
     10094996692239509074796828756118539107568369566313889955538950668
    6622953008589748001058216362638201577071902071311277365773252660799
     128781182947273802312699983556527878615792292244995317112436562491
    489904381884265119355037731265408654007388863303101746314438337601
     264540735679944205391693242921331551342247891
     public exponent:
     65537
    0  Validity: [From: Fri Jun 21 20:08:18 GMT 2002,
                    To: Thu Mar 17 20:08:18 GMT 2005]
       Issuer: CN=jserver, OU=SWG, O=IBM, C=US
       SerialNumber: [    3d1387b2 ]
    0]
       Algorithm: [MD5withRSA]
       Signature:
     0000: 54 DC B5 FA 64 C9 CD FE   B3 EF 15 22 3D D0 20 31  T...d......"=. 1
     0010: 99 F7 A7 86 F9 4C 82 9F   6E 4B 7B 47 18 2E C6 25  .....L..nK.G...%
     0020: 5B B2 9B 78 D8 76 5C 82   07 95 DD B8 44 62 02 62  [..x.v\.....Db.b
     0030: 60 2A 0A 6D 4F B9 0A 98   14 27 E9 BB 1A 84 8A D1  `*.mO....'......
     0040: C2 22 AF 70 9E A5 DF A2   FD 57 37 CE 3A 63 1B EB  .".p.....W7.:c..
     0050: E8 91 98 9D 7B 21 4A B5   2C 94 FC A9 30 C2 74 72  .....!J.,...0.tr
     0060: 95 01 54 B1 29 E7 F8 9E   6D F3 B5 D7 B7 D2 9E 9B  ..T.)...m.......
     0070: 85 D8 E4 CF C2 D5 3B 64   F0 07 17 9E 1E B9 2F 79  ......;d....../y
    0]
     X509TrustManagerImpl: Certificate [
     [
       Version: V3
       Subject: CN=jserver, OU=SWG, O=IBM, C=US
       Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
    0  Key:  IBMJCE RSA Public Key:
     modulus:
     1009499669223950907479682875611853910756836956631388995553895066866
    22953008589748001058216362638201577071902071311277365773252660799
     1287811829472738023126999835565278786157922922449953171124365624914
    89904381884265119355037731265408654007388863303101746314438337601
     264540735679944205391693242921331551342247891
     public exponent:
     65537
    0  Validity: [From: Fri Jun 21 20:08:18 GMT 2002,
                    To: Thu Mar 17 20:08:18 GMT 2005]
       Issuer: CN=jserver, OU=SWG, O=IBM, C=US
       SerialNumber: [    3d1387b2 ]
    0]
       Algorithm: [MD5withRSA]
       Signature:
     0000: 54 DC B5 FA 64 C9 CD FE   B3 EF 15 22 3D D0 20 31  T...d......"=. 1
     0010: 99 F7 A7 86 F9 4C 82 9F   6E 4B 7B 47 18 2E C6 25  .....L..nK.G...%
     0020: 5B B2 9B 78 D8 76 5C 82   07 95 DD B8 44 62 02 62  [..x.v\.....Db.b
     0030: 60 2A 0A 6D 4F B9 0A 98   14 27 E9 BB 1A 84 8A D1  `*.mO....'......
     0040: C2 22 AF 70 9E A5 DF A2   FD 57 37 CE 3A 63 1B EB  .".p.....W7.:c..
     0050: E8 91 98 9D 7B 21 4A B5   2C 94 FC A9 30 C2 74 72  .....!J.,...0.tr
     0060: 95 01 54 B1 29 E7 F8 9E   6D F3 B5 D7 B7 D2 9E 9B  ..T.)...m.......
     0070: 85 D8 E4 CF C2 D5 3B 64   F0 07 17 9E 1E B9 2F 79  ......;d....../y
    0]
     JSSEContext: handleConnection[Socket[addr=boss0106.plex1.l2.ibm.com
    /9.38.48.108,port=2144,localport=8878]]
     JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM
    /9.38.48.108,port=8879,localport=2145]]
     JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM
    /9.38.48.108,port=8879,localport=2146]]
     JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM
    /9.38.48.108,port=8879,localport=2147]]
     JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM
    /9.38.48.108,port=8879,localport=2148]]
     JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM
    /9.38.48.108,port=8879,localport=2149]]
     JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM
    /9.38.48.108,port=8879,localport=2150]]
     JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM
    /9.38.48.108,port=8879,localport=2151]]
     JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM
    /9.38.48.108,port=8879,localport=2152]]
     JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM
    /9.38.48.108,port=8879,localport=2153]]
     JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM
    /9.38.48.108,port=8879,localport=2154]]
     JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM
    /9.38.48.108,port=8879,localport=2155]]
     JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM
    /9.38.48.108,port=8879,localport=2156]]
     JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM
    /9.38.48.108,port=8879,localport=2157]]
     JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM
    /9.38.48.108,port=8879,localport=2158]]
     JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM
    /9.38.48.108,port=8879,localport=2159]]
     JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM
    /9.38.48.108,port=8879,localport=2160]]
     JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM
    /9.38.48.108,port=8879,localport=2161]]
     JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM
    /9.38.48.108,port=8879,localport=2162]]
     JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM
    /9.38.48.108,port=8879,localport=2163]]
     JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM
    /9.38.48.108,port=8879,localport=2164]]
     JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM
    /9.38.48.108,port=8879,localport=2165]]
     JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM
    /9.38.48.108,port=8879,localport=2166]]
     
     JSSEContext: handleSession[Socket[addr=boss0106.plex1.l2.ibm.com
    /9.38.48.108,port=9443,localport=2167]]
     JSSEContext:  confirmPeerCertificate[Socket[addr=boss0106.plex1.l2.ibm.com
    /9.38.48.108,port=9443,localport=2167]]
     X509TrustManagerImpl: checkServerTrusted
     X509TrustManagerImpl: Certificate [
     [
       Version: V3
       Subject: CN=WAS z/OS Deployment Manager, O=IBM
       Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
    0  Key:  IBMJCE RSA Public Key:
     modulus:
     12840948267119651469312486548020957441946413494498370439558603901582589
    8755033448419534105183133064366466828741516428176579440511007
     6258795528749232737808897160958348495006972731464152299032614592135114
    19361539962555997136085140591098259345625853617389396340664766
     649957749527841107121590352429348634287031501
     public exponent:
     65537
    0  Validity: [From: Fri Jul 25 05:00:00 GMT 2003,
                    To: Mon Jul 26 04:59:59 GMT 2004]
       Issuer: CN=WAS CertAuth, C=US
       SerialNumber: [    02]
    0Certificate Extensions: 3
     [1]: ObjectId: 2.16.840.1.113730.1.13 Criticality=false
     Extension unknown: DER encoded OCTET string =
     0000: 04 3C 13 3A 47 65 6E 65   72 61 74 65 64 20 62 79  .<.:Generated by
     0010: 20 74 68 65 20 53 65 63   75 72 65 57 61 79 20 53   the SecureWay S
     0020: 65 63 75 72 69 74 79 20   53 65 72 76 65 72 20 66  ecurity Server f
     0030: 6F 72 20 7A 2F 4F 53 20   28 52 41 43 46 29        or z/OS (RACF)
    -[2]: ObjectId: 2.5.29.14 Criticality=false
     SubjectKeyIdentifier [
     KeyIdentifier [
     0000: 05 6A CD 7F AE AF 89 78   99 A8 F1 5B 64 8B 9F AF  .j.....x...[d...
     0010: 73 1B 58 65                                        s.Xe
     ]
     ]
    0[3]: ObjectId: 2.5.29.35 Criticality=false
     AuthorityKeyIdentifier [
     KeyIdentifier [
     0000: 7E D1 7B 17 74 D3 AD D1   7D D8 F8 33 85 19 04 F8  ....t......3....
     0010: 36 51 57 16                                        6QW.
     ]
    0]
    0]
       Algorithm: [SHA1withRSA]
       Signature:
     0000: 73 0D FC E1 8A B3 42 E1   04 73 72 B1 C6 C9 87 54  s.....B..sr....T
     0010: 87 57 02 FA 41 32 D8 B0   39 09 86 CB 6B 03 B6 F9  .W..A2..9...k...
     0020: 62 8D 95 36 56 0E D4 D2   F7 7A 8D 4B FB 0B FD 91  b..6V....z.K....
     0030: 89 A8 08 41 30 E2 27 DC   15 5F 2C F4 CD 2F 6B 8E  ...A0.'.._,../k.
     0040: 21 2A 88 53 46 27 68 9B   55 14 38 8E 1F 50 95 BC  !*.SF'h.U.8..P..
     0050: A8 46 F6 68 97 9E 7B 65   9E E8 A7 34 B2 C8 63 CF  .F.h...e...4..c.
     0060: 73 C8 4E 25 0A EF C5 8F   04 A4 EB 8C CC 33 84 26  s.N%.........3.&
     0070: 5D FD 7C AD 7B 02 13 5A   86 A1 89 93 1E A4 93 63  ]......Z.......c
    0]
     X509TrustManagerImpl: Certificate [
     [
       Version: V3
       Subject: CN=WAS CertAuth, C=US
       Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
    0  Key:  IBMJCE RSA Public Key:
     modulus:
     1167408593733331602218385578183389496484587418638676352829560040529918
    40558681208199977833401609895748222369066230329785148883251144
     2382911186804921983976695395381692334250582278359056431484427844566504
    41491799952592864895242987037929408453455627552772317382077015
     828713585220212502839546496071839496308430393
     public exponent:
     65537
    0  Validity: [From: Fri Jul 25 05:00:00 GMT 2003,
                    To: Sat Jul 24 04:59:59 GMT 2010]
       Issuer: CN=WAS CertAuth, C=US
       SerialNumber: [  0  ]
    0Certificate Extensions: 4
     [1]: ObjectId: 2.16.840.1.113730.1.13 Criticality=false
     Extension unknown: DER encoded OCTET string =
     0000: 04 3C 13 3A 47 65 6E 65   72 61 74 65 64 20 62 79  .<.:Generated by
     0010: 20 74 68 65 20 53 65 63   75 72 65 57 61 79 20 53   the SecureWay S
     0020: 65 63 75 72 69 74 79 20   53 65 72 76 65 72 20 66  ecurity Server f
     0030: 6F 72 20 7A 2F 4F 53 20   28 52 41 43 46 29        or z/OS (RACF)
    -[2]: ObjectId: 2.5.29.14 Criticality=false
     SubjectKeyIdentifier [
     KeyIdentifier [
     0000: 7E D1 7B 17 74 D3 AD D1   7D D8 F8 33 85 19 04 F8  ....t......3....
     0010: 36 51 57 16                                        6QW.
     ]
     ]
    0[3]: ObjectId: 2.5.29.15 Criticality=true
     KeyUsage [
       Key_CertSign
       Crl_Sign
     ]
    0[4]: ObjectId: 2.5.29.19 Criticality=true
     BasicConstraints:[
     CA:true
     PathLen:2147483647
     ]
    0]
       Algorithm: [SHA1withRSA]
       Signature:
     0000: 43 88 AB 19 5D 00 54 57   5E 96 FA 85 CE 88 4A BF  C...].TW^.....J.
     0010: 6E CB 89 4C 56 BE EF E6   8D 2D 74 B5 83 1A EF 9C  n..LV....-t.....
     0020: B3 82 F2 16 84 FA 5C 50   53 2A B4 FD EB 27 98 5D  ......\PS*...'.]
     0030: 43 48 D3 74 85 21 D1 E1   F2 63 9E FB 58 2A F3 6A  CH.t.!...c..X*.j
     0040: 44 D2 F5 7D B2 55 B9 5E   32 11 78 B6 34 8E 4B 1D  D....U.^2.x.4.K.
     0050: F3 82 1D C1 5F 7B 3F AD   C9 29 FA FF D1 D1 13 2C  ...._.?..).....,
     0060: 57 F7 7B 51 02 99 6F ED   54 E1 51 34 B8 51 BE 97  W..Q..o.T.Q4.Q..
     0070: 30 AC 4F 89 AB AA 8A B2   E1 40 89 2E 18 C7 0E 15  0.O......@......
    0]
     JSSEContext: handleConnection[Socket[addr=boss0106.plex1.l2.ibm.com
    /9.38.48.108,port=9443,localport=2167]]
     JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM
    /9.38.48.108,port=8879,localport=2168]]
     
     JSSEContext: handleConnection[Socket[addr=boss0106.plex1.l2.ibm.com
    /9.38.48.108,port=2235,localport=8878]]
     JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM
    /9.38.48.108,port=8879,localport=2236]]
     JSSEContext: handleSession[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM
    /9.38.48.108,port=8880,localport=2238]]
     JSSEContext:  confirmPeerCertificate[Socket
    [addr=BOSSXXXX.PLEX1.L2.IBM.COM
    /9.38.48.108,port=8880,localport=2238]]
     X509TrustManagerImpl: checkServerTrusted
     X509TrustManagerImpl: Certificate [
     [
       Version: V3
       Subject: CN=jserver, OU=SWG, O=IBM, C=US
       Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
        Key:  IBMJCE RSA Public Key:
     modulus:
     100949966922395090747968287561185391075683695663138899555389506686622953
    008589748001058216362638201577071902071311277365773252660799
     1287811829472738023126999835565278786157922922449953171124365624914
    89904381884265119355037731265408654007388863303101746314438337601
     264540735679944205391693242921331551342247891
     public exponent:
     65537
        Validity: [From: Fri Jun 21 20:08:18 GMT 2002,
                    To: Thu Mar 17 20:08:18 GMT 2005]
       Issuer: CN=jserver, OU=SWG, O=IBM, C=US
       SerialNumber: [    3d1387b2 ]
      ]
       Algorithm: [MD5withRSA]
       Signature:
     0000: 54 DC B5 FA 64 C9 CD FE   B3 EF 15 22 3D D0 20 31  T...d......"=. 1
     0010: 99 F7 A7 86 F9 4C 82 9F   6E 4B 7B 47 18 2E C6 25  .....L..nK.G...%
     0020: 5B B2 9B 78 D8 76 5C 82   07 95 DD B8 44 62 02 62  [..x.v\.....Db.b
     0030: 60 2A 0A 6D 4F B9 0A 98   14 27 E9 BB 1A 84 8A D1  `*.mO....'......
     0040: C2 22 AF 70 9E A5 DF A2   FD 57 37 CE 3A 63 1B EB  .".p.....W7.:c..
     0050: E8 91 98 9D 7B 21 4A B5   2C 94 FC A9 30 C2 74 72  .....!J.,...0.tr
     0060: 95 01 54 B1 29 E7 F8 9E   6D F3 B5 D7 B7 D2 9E 9B  ..T.)...m.......
     0070: 85 D8 E4 CF C2 D5 3B 64   F0 07 17 9E 1E B9 2F 79  ......;d....../y
      ]
     X509TrustManagerImpl: Certificate [
     [
       Version: V3
       Subject: CN=jserver, OU=SWG, O=IBM, C=US
       Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
        Key:  IBMJCE RSA Public Key:
     modulus:
     100949966922395090747968287561185391075683695663138899555389506
    686622953008589748001058216362638201577071902071311277365773252660799
     12878118294727380231269998355652787861579229224499531711243656249
    1489904381884265119355037731265408654007388863303101746314438337601
     264540735679944205391693242921331551342247891
     public exponent:
     65537
        Validity: [From: Fri Jun 21 20:08:18 GMT 2002,
                    To: Thu Mar 17 20:08:18 GMT 2005]
       Issuer: CN=jserver, OU=SWG, O=IBM, C=US
       SerialNumber: [    3d1387b2 ]
      ]
       Algorithm: [MD5withRSA]
       Signature:
     0000: 54 DC B5 FA 64 C9 CD FE   B3 EF 15 22 3D D0 20 31  T...d......"=. 1
     0010: 99 F7 A7 86 F9 4C 82 9F   6E 4B 7B 47 18 2E C6 25  .....L..nK.G...%
     0020: 5B B2 9B 78 D8 76 5C 82   07 95 DD B8 44 62 02 62  [..x.v\.....Db.b
     0030: 60 2A 0A 6D 4F B9 0A 98   14 27 E9 BB 1A 84 8A D1  `*.mO....'......
     0040: C2 22 AF 70 9E A5 DF A2   FD 57 37 CE 3A 63 1B EB  .".p.....W7.:c..
     0050: E8 91 98 9D 7B 21 4A B5   2C 94 FC A9 30 C2 74 72  .....!J.,...0.tr
     0060: 95 01 54 B1 29 E7 F8 9E   6D F3 B5 D7 B7 D2 9E 9B  ..T.)...m.......
     0070: 85 D8 E4 CF C2 D5 3B 64   F0 07 17 9E 1E B9 2F 79  ......;d....../y
      ]
     JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM/
    9.38.48.108,port=8880,localport=2238]]
     JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM/
    9.38.48.108,port=8880,localport=2239]]
     JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM/
    9.38.48.108,port=8880,localport=2240]]
     JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM/
    9.38.48.108,port=8880,localport=2241]]
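
A trace like the one above is long and repetitive, and the two questions a troubleshooter usually has are which endpoints the JSSE layer actually connected to and what certificate `checkServerTrusted` was asked to accept. The following Python script is an added example; it is not part of this IBM page or of WebSphere. It parses the `JSSEContext` socket events (rejoining lines the trace writer wrapped after the host name) and the `X509TrustManagerImpl: Certificate [` dumps, then reports whether the certificate is self-signed, signed with a weak algorithm, or outside its validity period, which are the usual causes of a handshake failure at this point in the trace. The embedded sample trace is constructed from the lines shown above, and the regular expressions and field names are the example's own assumptions about the trace layout.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the shape of the JSSE trace above (not the page's
# full output). The wrapped "addr=host\n/ip" lines are kept on purpose so
# the parser has to rejoin them, as a real trace file would require.
SAMPLE_TRACE = """\
 JSSEContext: handleConnection[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM
/9.38.48.108,port=8879,localport=2168]]
 JSSEContext: handleSession[Socket[addr=BOSSXXXX.PLEX1.L2.IBM.COM
/9.38.48.108,port=8880,localport=2238]]
 X509TrustManagerImpl: checkServerTrusted
 X509TrustManagerImpl: Certificate [
 [
   Version: V3
   Subject: CN=jserver, OU=SWG, O=IBM, C=US
   Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
   Validity: [From: Fri Jun 21 20:08:18 GMT 2002,
                To: Thu Mar 17 20:08:18 GMT 2005]
   Issuer: CN=jserver, OU=SWG, O=IBM, C=US
   SerialNumber: [    3d1387b2 ]
 ]
"""

SOCKET_RE = re.compile(
    r"JSSEContext:\s+(?P<event>\w+)\[Socket\[addr=(?P<host>[^/\s]+)/"
    r"(?P<ip>[\d.]+),port=(?P<port>\d+),localport=(?P<localport>\d+)\]\]"
)
FIELD_RE = re.compile(
    r"^\s*(Subject|Issuer|Signature Algorithm|SerialNumber):\s*(.+?)\s*$", re.M
)
VALIDITY_RE = re.compile(r"Validity:\s*\[From:\s*(.+?),\s*To:\s*(.+?)\]", re.S)
DATE_FMT = "%a %b %d %H:%M:%S %Z %Y"  # e.g. "Fri Jun 21 20:08:18 GMT 2002"
CERT_MARKER = "X509TrustManagerImpl: Certificate ["

# Signature algorithms worth a finding: MD2/MD5 are broken, SHA-1 is deprecated.
WEAK_SIGNATURE_ALGS = {"MD2withRSA", "MD5withRSA", "SHA1withRSA"}


def unwrap(text):
    """Rejoin socket lines that the trace writer wrapped after the host name."""
    return re.sub(r"\n(?=/[\d.]+,port=)", "", text)


def parse_connections(text):
    """One dict per JSSEContext socket event (handleConnection, handleSession, ...)."""
    return [m.groupdict() for m in SOCKET_RE.finditer(unwrap(text))]


def _parse_date(s):
    # The trace prints GMT times; strptime discards %Z, so pin the zone explicitly.
    return datetime.strptime(s.strip(), DATE_FMT).replace(tzinfo=timezone.utc)


def parse_certificates(text, now=None):
    """One dict per certificate block handed to checkServerTrusted, with the
    identifying fields and a list of findings a troubleshooter should act on."""
    now = now or datetime.now(timezone.utc)
    certs = []
    for block in text.split(CERT_MARKER)[1:]:
        cert = {}
        for m in FIELD_RE.finditer(block):
            key, value = m.group(1).lower().replace(" ", "_"), m.group(2)
            if key == "signature_algorithm":
                value = value.split(",")[0].strip()  # drop the ", OID = ..." suffix
            elif key == "serialnumber":
                value = value.strip("[] ")
            cert[key] = value
        findings = []
        if cert.get("subject") and cert.get("subject") == cert.get("issuer"):
            findings.append("self-signed: subject equals issuer")
        if cert.get("signature_algorithm") in WEAK_SIGNATURE_ALGS:
            findings.append("weak signature algorithm " + cert["signature_algorithm"])
        vm = VALIDITY_RE.search(block)
        if vm:
            cert["not_before"] = _parse_date(vm.group(1))
            cert["not_after"] = _parse_date(vm.group(2))
            if now > cert["not_after"]:
                findings.append("expired on " + cert["not_after"].date().isoformat())
            elif now < cert["not_before"]:
                findings.append("not yet valid until " + cert["not_before"].date().isoformat())
        cert["findings"] = findings
        certs.append(cert)
    return certs


def summarize(text, now=None):
    """Text report: every socket event, then every certificate with its findings."""
    lines = [f"{c['event']:<16} {c['host']}/{c['ip']}:{c['port']} <- local {c['localport']}"
             for c in parse_connections(text)]
    for i, cert in enumerate(parse_certificates(text, now), 1):
        lines.append(f"cert {i}: {cert.get('subject')} serial {cert.get('serialnumber')}")
        lines.extend("  finding: " + f for f in cert["findings"])
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(SAMPLE_TRACE))
```

Run it against a saved trace by reading the file into `summarize()` in place of `SAMPLE_TRACE`. Each certificate block is reported separately, so a chain that is dumped more than once (as in the trace above) shows up once per dump, which is itself a useful hint that the same certificate is being re-validated on every connection.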
    

Trace security

The classes that implement WebSphere Application Server security are:
  • com.ibm.ws.security.*
  • com.ibm.websphere.security.*
  • com.ibm.WebSphereSecurityImpl.*
  • com.ibm.ws.wim.* for tracing with a Virtual Member Manager (VMM) repository
Fine tuning Security traces:
If only a subset of packages needs to be traced, specify a trace specification more detailed than com.ibm.ws.security.*=all=enabled. For example, to trace just the dynamic policy code, specify com.ibm.ws.security.policy.*=all=enabled. To disable dynamic policy trace, specify com.ibm.ws.security.policy.*=all=disabled.
Configuring CSIv2, or z/SAS Trace Settings
Situations arise where reviewing trace for the CSIv2 and z/SAS authentication protocols can assist in troubleshooting difficult problems. This section describes how to enable CSIv2 and z/SAS trace.
Enabling Client-Side CSIv2 and z/SAS Trace
To enable CSIv2 and z/SAS trace on a pure client, the following steps need to be taken:
  • For all platforms, copy the TraceSettings.properties file from the was_app_server_root/properties directory to the profile_root/properties directory.
  • In the profile_root/properties/TraceSettings.properties file, change traceFileName= to point to the path in which you want the output file to be created. For Windows, make sure you put a double backslash (\\) between each subdirectory. For example, traceFileName=c:\\WebSphere\\AppServer\\logs\\sas_client.log
  • In this file, add the trace specification string: SASRas=all=enabled. Any additional trace strings can be added on separate lines.
  • Point to this file from within your client application. On the Java command line where you launch the client, add the following system property: -DtraceSettingsFile=TraceSettings.properties.
    Note: Do not give the fully qualified path to the TraceSettings.properties file. Make sure that the TraceSettings.properties file is in your class path.
Enabling Server-Side CSIv2 and z/SAS Trace
To enable z/SAS trace in an application server, complete the following:
  • Add the trace specification, SASRas=all=enabled, to the server.xml file or add it to the Trace settings within the administrative console.
  • Typically it is best to trace the authorization security runtime in addition to the authentication protocol runtime. To do this, use the following two trace specifications in combination: SASRas=all=enabled:com.ibm.ws.security.*=all=enabled.
  • When troubleshooting a connection-type problem, it is beneficial to trace CSIv2 together with SAS (or z/SAS) and the ORB. To do this, use the following three trace specifications: SASRas=all=enabled:com.ibm.ws.security.*=all=enabled:ORBRas=all=enabled.
  • In addition to adding these trace specifications, for ORB trace there are a couple of system properties that also need to be set. Go to the ORB settings in the administrative console and add the following two properties: com.ibm.CORBA.Debug=true and com.ibm.CORBA.CommTrace=true.
Configuring CSIv2, or SAS Trace Settings
Situations arise where reviewing trace for the CSIv2 or SAS authentication protocols can assist in troubleshooting difficult problems. This section describes how to enable CSIv2 and SAS trace.
Enabling Client-Side CSIv2 and SAS Trace
To enable CSIv2 and SAS trace on a pure client, the following steps need to be taken:
  • Edit the file TraceSettings.properties in the /WebSphere/AppServer/properties directory.
  • In this file, change traceFileName= to point to the path in which you want the output file created. Make sure you put a double backslash (\\) between each subdirectory. For example, traceFileName=c:\\WebSphere\\AppServer\\logs\\sas_client.log
  • In this file, add the trace specification string: SASRas=all=enabled. Any additional trace strings can be added on separate lines.
  • Point to this file from within your client application. On the Java command line where you launch the client, add the following system property: -DtraceSettingsFile=TraceSettings.properties.
    Note: Do not give the fully qualified path to the TraceSettings.properties file. Make sure that the TraceSettings.properties file is in your class path.
To enable CSIv2 and SAS trace on a pure client, the following steps need to be taken:
  • Edit the file TraceSettings.properties in the /WebSphere/AppServer/properties directory. For example, edit profile_root/properties/TraceSettings.properties.
  • In this file, change traceFileName= to point to the path in which you want the output file created. For example, traceFileName=profile_root/profile1/logs/sas_client.
  • In this file, add the trace specification string: SASRas=all=enabled. Any additional trace strings can be added on separate lines.
  • Point to this file from within your client application. On the Java command line where you launch the client, add the following system property: -DtraceSettingsFile=TraceSettings.properties.
    Note: Do not give the fully qualified path to the TraceSettings.properties file. Make sure that the TraceSettings.properties file is in your class path.
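
A trace specification typo is only discovered when the client or server starts and produces no trace, so it pays to check the string first. The following Python helper is an added example, not from the IBM documentation or the product. It validates the colon-separated `component=type=state` elements used throughout this section (such as `SASRas=all=enabled:com.ibm.ws.security.*=all=enabled:ORBRas=all=enabled`), resolves whether a given logger would be traced under a combined specification like the dynamic-policy example in the fine-tuning paragraph, and renders a `TraceSettings.properties` file with the Windows double-backslash rule applied to `traceFileName`. The element grammar and the rule that the most specific matching component wins are assumptions made for the example; the page does not state how WebSphere orders overlapping elements, so confirm against your server's behaviour.

```python
import re

# Grammar of one trace element as used on this page: component=type=state,
# where component is a logger group (SASRas, ORBRas), a package prefix with a
# trailing ".*" wildcard, or "*". Only the state value is validated strictly.
# This grammar is an assumption for the example, not an IBM specification.
ELEMENT_RE = re.compile(
    r"^(?P<component>\*|[\w$]+(?:\.[\w$]+)*(?:\.\*)?)=(?P<type>\w+)=(?P<state>enabled|disabled)$"
)


def parse_spec(spec):
    """Split a colon-joined trace specification into (component, type, state)
    tuples, raising ValueError for any element that does not fit the grammar."""
    elements = []
    for element in spec.split(":"):
        m = ELEMENT_RE.match(element.strip())
        if not m:
            raise ValueError(f"malformed trace element: {element!r}")
        elements.append((m["component"], m["type"], m["state"]))
    return elements


def is_valid_spec(spec):
    """True when every element of the specification parses."""
    try:
        parse_spec(spec)
        return True
    except ValueError:
        return False


def join_spec(elements):
    """Inverse of parse_spec: rebuild the colon-joined string."""
    return ":".join("=".join(e) for e in elements)


def _matches(component, logger):
    if component == "*":
        return True
    if component.endswith(".*"):
        prefix = component[:-2]
        return logger == prefix or logger.startswith(prefix + ".")
    return logger == component


def is_traced(spec, logger):
    """Decide whether `logger` is traced under `spec`.
    Assumption (not stated on the page): the most specific matching component
    wins, which is how the com.ibm.ws.security.policy.*=all=disabled example
    in the fine-tuning paragraph reads."""
    best = None
    for component, _type, state in parse_spec(spec):
        if _matches(component, logger) and (best is None or len(component) > len(best[0])):
            best = (component, state)
    return best is not None and best[1] == "enabled"


def trace_settings_properties(trace_file, specs, windows=False):
    """Render TraceSettings.properties contents: traceFileName plus one trace
    element per line. On Windows every backslash in the path is doubled, as
    the client-side steps above require."""
    if windows:
        # Normalise first so an already-escaped path is not doubled twice.
        trace_file = trace_file.replace("\\\\", "\\").replace("\\", "\\\\")
    for spec in specs:
        parse_spec(spec)  # fail here rather than silently at client start
    return "\n".join([f"traceFileName={trace_file}", *specs]) + "\n"


if __name__ == "__main__":
    combined = "SASRas=all=enabled:com.ibm.ws.security.*=all=enabled:ORBRas=all=enabled"
    print(parse_spec(combined))
    fine_tuned = "com.ibm.ws.security.*=all=enabled:com.ibm.ws.security.policy.*=all=disabled"
    print(is_traced(fine_tuned, "com.ibm.ws.security.policy.DynamicPolicy"))  # False
    print(trace_settings_properties(r"c:\WebSphere\AppServer\logs\sas_client.log",
                                    ["SASRas=all=enabled"], windows=True))
```

Write the rendered text to `profile_root/properties/TraceSettings.properties` and launch the client with `-DtraceSettingsFile=TraceSettings.properties` exactly as the steps above describe; the helper only produces the file contents and does not change how the file must be located on the class path.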

For current information available from IBM Support on known problems and their resolution, see the IBM Support page.

IBM Support has documents that can save you time gathering information needed to resolve this problem. Before opening a PMR, see the IBM Support page.




Last updated: Aug 29, 2010 8:25:23 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=vela&product=was-nd-zos&topic=rtrb_securitycomp
File name: rtrb_securitycomp.html