Debugging SSL Keyring Problems Requires SSL tool: GSKTRACE.

Document ID : KB000050055
Last Modified Date : 14/02/2018
Show Technical Document Details

Description:

Debugging System SSL keyring problems will require the use of IBM's System SSL trace tool: gsktrace.

Information on the tool is located in Chapter 11, "Obtaining Diagnostic Information" in: IBM z/OS Cryptographic Services System Secure Sockets Layer Programming.

Solution:

Procedures for setting up and reset a gsktrace.

On OMVS:

  1. /bin/cd <LDAP-DIRECTORY> # Change directory to the LDAP installed directory

  2. ls -otrE slapd.env* # You should see slapd.env

  3. /bin/cp slapd.env slapd.env.gsk # This will copy the slapd.env to another file named slapd.env.gsk

  4. ls -otrE slapd.env* # You should see slapd.env.gsk and slapd.env

  5. /bin/echo "GSK_TRACE=0xffff" >> slapd.env # Make sure there's two >> characters. it will add variable to end of your sldap.env

On CA-SYSVIEW or SDSF:

Recycle your LDAP server and execute the transaction. (Pause and Start your LDAP server)

On OMVS:

  1. /bin/cd /tmp # Change directory to /tmp

  2. /bin/ls -otr gskssl* # Look for the latest trace file, where the last displayed is the newest

  3. gsktrace input_trace_file > output_trace_file # Create readable trace file as in example above

  4. Ship the output_trace_file back for analysis.

NOTE: To clean up from the tests do the following on OMVS:

  1. /bin/cd <LDAP-DIRECTORY> # Change directory to the LDAP installed directory

  2. /bin/mv slapd.env.gsk slapd.env # Move the original slapd.env back into place.

  3. /bin/cd /tmp # Change directory to the /tmp directory

  4. /bin/rm gskssl* # Remove all GSK file