This chapter includes the following sections:
About the SSL Debug Trace
The SSL debug trace provides information about the trusted certificate authorities, SSL server configuration, server identity, SSL records that were passed during the SSL handshake, and more. The SSL debugging stack trace dumps such information into a log file.
The SSL debug trace displays information about the following:
Trusted certificate authorities
SSL server configuration information
Server identity (private key and digital certificate)
The encryption strength that is allowed
SSL records that were passed during the SSL handshake
SSL failures detected by WebLogic Server (for example, trust and validity checks and the default host name verifier)
I/O related information
SSL debugging dumps a stack trace whenever an ALERT is created in the SSL process. The types and severity of the ALERTS are defined by the Transport Layer Security (TLS) specification.
The stack trace dumps information into the log file where the ALERT originated. Therefore, when tracking an SSL problem, you may need to enable debugging on both sides of the SSL connection (on both the SSL client or the SSL server). The log file contains detailed information about where the failure occurred. To determine where the ALERT occurred, confirm whether there is a trace message after the ALERT. An ALERT received after the trace message indicates the failure occurred on the peer. To determine the problem, you need to enable SSL debugging on the peer in the SSL connection.
When tracking an SSL problem, review the information in the log file to ensure:
config.xmlfile was loaded
The setting for domestic, or export, is correct
The trusted certificate authority was valid and correct for this server.
The host name check was successful
The certificate validation was successful
Sev 1 type 0 is a normal close ALERT, not a problem.
Command-Line Properties for Enabling SSL Debugging
Use the command-line properties to enable debug logging within the JSSE-based SSL implementation as well as logging of the SSL calling code within WebLogic Server.
Use the following command-line properties to enable SSL debugging:
-Djavax.net.debug=all -Dssl.debug=true -Dweblogic.StdoutDebugEnabled=true
Note the following:
-Djavax.net.debug=allproperty enables debug logging within the JSSE-based SSL implementation.
-Dweblogic.StdoutDebugEnabled=truecommand-line properties enable debug logging of the SSL calling code within WebLogic Server.
You can include SSL debugging properties in the start script of the SSL server, the SSL client, and the Node Manager. For a Managed Server started by the Node Manager, specify this command-line argument on the Remote Start page for the Managed Server.
For information about using WebLogic logging properties with the JSSE SSL logging system, see Using Debugging with JSSE SSL.
For information about debugging utilities available for JSSE, see "Debugging Utilities" in the Java™ Secure Socket Extension (JSSE) Reference Guide, available at the following URL: