This article will discuss enabling logging and debugging for SSL and TLS traffic on the API Gateway appliances. In some cases, reviewing SSL communication executed by the underlying Gateway Java system is necessary to troubleshoot handshake issues between (for example) an application client and the API Gateway. In order to do so, Java SSL debug must be turned on.
This is recommended only for troubleshooting purposes.
This article applies to all supported versions of the API Gateway. Please pay special attention to the steps which differ for version 10.0 CR03 and newer.
Follow the steps below to enable extra logging and debugging for SSL/TLS traffic to the API Gateway.
2. Create a new log sink for SSL debug logs:
3. Configure the JVM from the Gateway privileged shell:
4. Verify SSL debug logging is enabled by consuming a service using an HTTPS Listen Port.
- The debug logs are sent only to the configured log sink and appear in files named after the log sink configured earlier, for example: /opt/SecureSpan/Gateway/node/default/var/logs/ssl_0_0.log
For the container Gateway, modify the YAML file instead: in the config section, add the option -Djavax.net.debug=ssl:handshake:verbose to javaArgs.
The values accepted by -Djavax.net.debug are:
- all: turn on all debugging
- ssl: turn on SSL debugging

The following can be combined with ssl:
- record: enable per-record tracing
- handshake: print each handshake message
- keygen: print key generation data
- session: print session activity
- defaultctx: print default SSL initialization
- sslctx: print SSLContext tracing
- sessioncache: print session cache tracing
- keymanager: print key manager tracing
- trustmanager: print trust manager tracing
- pluggability: print pluggability tracing

handshake debugging can be widened with:
- data: hex dump of each handshake message
- verbose: verbose handshake message printing

record debugging can be widened with:
- plaintext: hex dump of record plaintext
- packet: print raw SSL/TLS packets
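The following is an added example, not tooling from the product or this article: it checks a -Djavax.net.debug value against the option set listed above (a widening option such as verbose is only meaningful when the sub-option it widens, handshake, is also present) and then places the option into a container Gateway javaArgs list, replacing any earlier javax.net.debug entry. It assumes tokens are separated by ":" as in the article (a "," separator is also accepted here as an assumption).

```python
import re

# Option hierarchy as documented in the article above.
ROOT_VALUES = {"all", "ssl"}
SSL_SUBOPTIONS = {"record", "handshake", "keygen", "session", "defaultctx",
                  "sslctx", "sessioncache", "keymanager", "trustmanager",
                  "pluggability"}
# Widening options and the sub-option each one requires.
WIDENERS = {"data": "handshake", "verbose": "handshake",
            "plaintext": "record", "packet": "record"}


def validate_debug_value(value: str) -> list:
    """Return a list of problems found in VALUE; an empty list means it is valid."""
    tokens = [t for t in re.split(r"[:,]", value.strip()) if t]
    if not tokens:
        return ["empty value"]
    if tokens[0] == "all":
        # 'all' already enables everything; anything after it is redundant.
        return ["'all' already enables everything; extra tokens are redundant"] if len(tokens) > 1 else []
    if tokens[0] != "ssl":
        return ["value must start with 'ssl' or 'all', got '%s'" % tokens[0]]
    present = set(tokens[1:])
    problems = []
    for tok in tokens[1:]:
        if tok in SSL_SUBOPTIONS:
            continue
        if tok in WIDENERS:
            needed = WIDENERS[tok]
            if needed not in present:
                problems.append("'%s' only widens '%s', which is not enabled" % (tok, needed))
            continue
        problems.append("unknown option '%s'" % tok)
    return problems


def add_ssl_debug(java_args: list, value: str = "ssl:handshake:verbose") -> list:
    """Return a copy of JAVA_ARGS (the container Gateway javaArgs entries) with exactly
    one -Djavax.net.debug=VALUE entry, rejecting VALUE if it fails validation."""
    problems = validate_debug_value(value)
    if problems:
        raise ValueError("; ".join(problems))
    kept = [a for a in java_args if not a.startswith("-Djavax.net.debug=")]
    return kept + ["-Djavax.net.debug=" + value]


if __name__ == "__main__":
    # Constructed sample javaArgs list, not taken from a real deployment.
    print(add_ssl_debug(["-Xms2g", "-Xmx2g"]))
```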