API Gateway: Log and debug SSL/TLS traffic on the Gateway

Article ID: 132334

Products

CA API Gateway

Issue/Introduction

This article will discuss enabling logging and debugging for SSL and TLS traffic on the API Gateway appliances. In some cases, reviewing SSL communication executed by the underlying Gateway Java system is necessary to troubleshoot handshake issues between (for example) an application client and the API Gateway. In order to do so, Java SSL debug must be turned on.

This is recommended only for troubleshooting purposes.

Environment

This article applies to all supported versions of the API Gateway up to and including Gateway 10.0 CR02. A JDK defect prevents these steps from working on Gateway 10 CR03, so the steps below will not work yet on that version.

Resolution

In order to enable the SSL debug level:

  1. Set the io.debugSsl cluster property from false to true to enable SSL/TLS debugging globally
  2. Set the log.stdoutLevel cluster property from INFO to FINE
  3. Update the log.levels cluster property to include the line STDOUT.level = FINE
  4. Create a custom log file where SSL debug can be printed into:
    • Click on Task > Logging and Auditing > Manage Log Audit/Sinks
    • Click on Create and create a new custom log with the following properties:
      Name: ssl
      Description: ssl debug
      Severity Threshold: FINE
      Add two Filters:
      Filter Type = Category, Filter Details = Gateway Log
      Filter Type = Package, Filter Details = STDOUT
    • Check the Enabled option before saving (see the reference picture below)
  5. Edit the ssgruntimedefs.sh script: vi /opt/SecureSpan/Gateway/runtime/etc/profile.d/ssgruntimedefs.sh
    1. Append the following line: default_java_opts="$default_java_opts -Djavax.net.debug=ssl"
    2. Restart the Gateway service: service ssg restart
From now on, SSL communication will be shown in the default Gateway SSG log (/opt/SecureSpan/Gateway/node/default/var/logs/ssg_0_0.log), with additional information in the custom SSL log (/opt/SecureSpan/Gateway/node/default/var/logs/ssl_0_0.log).
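
Because this setting is recommended only for troubleshooting, step 5 is best applied in a way that can be reverted cleanly afterwards. The script below is an added example, not part of the original article: it appends the line from step 5 only once and removes it again on request. The function names, the SSG_DEFS variable and the .pre-ssl-debug backup suffix are assumptions.

```shell
#!/bin/sh
# Added example: toggle the -Djavax.net.debug=ssl line from step 5 idempotently.
# SSG_DEFS and the function names are assumptions; the path and line come from the article.
SSG_DEFS="${SSG_DEFS:-/opt/SecureSpan/Gateway/runtime/etc/profile.d/ssgruntimedefs.sh}"
DEBUG_LINE='default_java_opts="$default_java_opts -Djavax.net.debug=ssl"'

# Print "enabled" if the exact debug line is present in file $1, else "disabled".
ssl_debug_status() {
    if grep -qxF -- "$DEBUG_LINE" "$1"; then echo enabled; else echo disabled; fi
}

# Append the debug line once; keep a copy of the untouched file beside it.
ssl_debug_enable() {
    f="$1"
    [ -f "$f" ] || { echo "not found: $f" >&2; return 1; }
    if grep -qxF -- "$DEBUG_LINE" "$f"; then return 0; fi
    cp -p "$f" "$f.pre-ssl-debug" || return 1
    # Make sure the file ends with a newline so the option starts on its own line.
    if [ -n "$(tail -c 1 "$f")" ]; then echo >> "$f"; fi
    printf '%s\n' "$DEBUG_LINE" >> "$f"
}

# Remove every copy of the debug line, rewriting in place to keep owner and mode.
ssl_debug_disable() {
    f="$1"
    [ -f "$f" ] || { echo "not found: $f" >&2; return 1; }
    if ! grep -qxF -- "$DEBUG_LINE" "$f"; then return 0; fi
    tmp="$f.tmp.$$"
    # grep -v exits 1 when nothing is left to print; that is not an error here.
    grep -vxF -- "$DEBUG_LINE" "$f" > "$tmp" || [ $? -eq 1 ] || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$f" && rm -f "$tmp"
}

# Usage: script.sh enable|disable|status   (no argument: only define the functions)
case "${1:-}" in
    enable)  ssl_debug_enable "$SSG_DEFS" && echo "now run: service ssg restart" ;;
    disable) ssl_debug_disable "$SSG_DEFS" && echo "now run: service ssg restart" ;;
    status)  ssl_debug_status "$SSG_DEFS" ;;
esac
```

The script does not restart the Gateway itself; the change takes effect after service ssg restart, as in step 5.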
