This chapter describes SSL debugging, which provides detailed information about the SSL events that occur during an SSL handshake in WebLogic Server 12.1.3.
This chapter includes the following sections:
The SSL debug trace displays information about the following:
Trusted certificate authorities
SSL server configuration information
Server identity (private key and digital certificate)
The encryption strength that is allowed
Enabled ciphers
SSL records that were passed during the SSL handshake
SSL failures detected by WebLogic Server (for example, trust and validity checks and the default host name verifier)
I/O related information
SSL debugging dumps a stack trace whenever an ALERT is created in the SSL process. The types and severity of the ALERTS are defined by the Transport Layer Security (TLS) specification.
The stack trace dumps information into the log file where the ALERT originated. Therefore, when tracking an SSL problem, you may need to enable debugging on both sides of the SSL connection (on both the SSL client or the SSL server). The log file contains detailed information about where the failure occurred. To determine where the ALERT occurred, confirm whether there is a trace message after the ALERT. An ALERT received after the trace message indicates the failure occurred on the peer. To determine the problem, you need to enable SSL debugging on the peer in the SSL connection.
When tracking an SSL problem, review the information in the log file to ensure:
The correct config.xml
file was loaded
The setting for domestic, or export, is correct
The trusted certificate authority was valid and correct for this server.
The host name check was successful
The certificate validation was successful
Note:
Sev 1 type 0 is a normal close ALERT, not a problem.Use the following command-line properties to enable SSL debugging:
-Djavax.net.debug=all -Dssl.debug=true -Dweblogic.StdoutDebugEnabled=true
Note the following:
The -Djavax.net.debug=all
property enables debug logging within the JSSE-based SSL implementation.
The -Dssl.debug=true
and -Dweblogic.StdoutDebugEnabled=true
command-line properties enable debug logging of the SSL calling code within WebLogic Server.
You can include SSL debugging properties in the start script of the SSL server, the SSL client, and the Node Manager. For a Managed Server started by the Node Manager, specify this command-line argument on the Remote Start page for the Managed Server.
For information about using WebLogic logging properties with the JSSE SSL logging system, see Using Debugging with JSSE SSL.
For information about debugging utilities available for JSSE, see "Debugging Utilities" in the Java™ Secure Socket Extension (JSSE) Reference Guide, available at the following URL:
http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html#Debug