Enabling debugging of SSL connections from the proxy-engine to the backend server in Access Gateway (formerly CA Secure Proxy Server)

Article ID: 42115

Products

  • CA Single Sign On Secure Proxy Server (SiteMinder)
  • CA Single Sign On SOA Security Manager (SiteMinder)
  • CA Single Sign-On

Issue/Introduction

The Access Gateway (formerly CA Secure Proxy Server, SPS) is a reverse proxy: users connect to the SPS and it forwards their requests to backend servers. The connections from the SPS to the backend servers are often made over SSL/TLS (i.e. the backend is accessed with https:). This article shows how to enable debug logging of those connections so that problems can be identified and resolved.

Environment

Environment: All (Windows, Linux)

Component: SMSPS

Cause

A number of things can prevent the proxy-engine from establishing an SSL connection to the backend: the cryptographic algorithms and key sizes Java is allowed to use can be restricted by policy; the backend server may support a different set of SSL/TLS versions; and the trust path for the backend server's certificate may not build.

Resolution

Instructions: 

Java provides a handy setting that logs details of the SSL handshake and of the transferred data to stdout: add the parameter -Djavax.net.debug=all to the Java runtime startup options.

Enable the SSL debug in SPS

For SPS the file in which to apply that debug setting is:

  • Windows : proxy-engine/conf/SmSpsProxyEngine.properties
  • Unix  : proxy-engine/proxyserver.sh

Add the parameter -Djavax.net.debug=all to the java startup command in that file, as pictured below for each environment.

(Note: make sure you edit the correct file for your environment. On Windows you will need to stop the proxy-engine service before it will let you save the .properties file.)

The proxy-engine service needs to be restarted for the setting to take effect.

Review the SSL trace details in the nohup log

Once the service is restarted, trace information for every SSL connection from the proxy-engine to the backend is written to the timestamped nohup*.out file.

In the following we can see details of the SSL ClientHello message sent to the backend server.

Particular details to look for in the logs are:

  • The TLS versions and acceptable cipher suites sent from the proxy-engine to the backend in the SSL ClientHello message
  • The cipher suite chosen by the backend server in the returned SSL ServerHello message
  • The details of the backend server's X.509 certificate, also in the SSL ServerHello message
  • Details for tracing the trust chain of the backend server's certificate, from the chain provided in the SSL ServerHello and the locally loaded CA certificates
  • The encryption and digest of the first message sent from the proxy-engine to the backend server after the handshake (a failure at this point can indicate that the JVM has export-limited cryptography settings; see the Java unlimited jurisdiction policy files note at the end)
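To make the review of the nohup*.out trace repeatable, here is an added example in Python (not code from the Broadcom article or from the Access Gateway product) that pulls the points listed above out of a Java 7/8-style javax.net.debug trace and reports the mismatches a practitioner would look for: a ServerHello cipher suite the proxy-engine never offered, a legacy protocol version, a certificate chain whose top issuer is not among the loaded trusted certificates, and any logged exception. The sample trace embedded in it is constructed for illustration; the thread name, trust store path and certificate names are invented, and the line layout is an assumption about the JSSE 7/8 format (Java 9 and later print a different layout).

```python
"""Summarise a javax.net.debug=all handshake trace from a proxy-engine nohup*.out file.
Added example, not from the Broadcom article or the Access Gateway product; it assumes the
JSSE 7/8 text layout (ClientHello/ServerHello/Certificate chain blocks, "adding as trusted cert:")."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the style of JSSE 7/8 output; thread name, path and DNs are made up.
SAMPLE_TRACE = """\
adding as trusted cert:
  Subject: CN=Example Root CA, O=Example Corp
  Issuer:  CN=Example Root CA, O=Example Corp
*** ClientHello, TLSv1.2
Cipher Suites: [TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA]
***
*** ServerHello, TLSv1.2
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA
***
*** Certificate chain
chain [0] = [
[
  Subject: CN=backend.example.com, O=Example Corp
  Issuer:  CN=Example Intermediate CA, O=Example Corp
]
***
ProxyEngine-1, handling exception: java.security.InvalidKeyException: Illegal key size
"""

RE_CLIENT_HELLO = re.compile(r"^\*\*\* ClientHello, (\S+)")
RE_SERVER_HELLO = re.compile(r"^\*\*\* ServerHello, (\S+)")
RE_SUITES = re.compile(r"^Cipher Suites: \[(.*)\]")
RE_SUITE = re.compile(r"^Cipher Suite: (\S+)")
RE_SUBJECT = re.compile(r"^\s*Subject:\s*(.+?)\s*$")
RE_ISSUER = re.compile(r"^\s*Issuer:\s*(.+?)\s*$")
RE_EXCEPTION = re.compile(r"handling exception: (.+)$")
LEGACY_VERSIONS = {"SSLv3", "TLSv1", "TLSv1.1"}

@dataclass
class HandshakeSummary:
    client_version: Optional[str] = None
    offered_suites: List[str] = field(default_factory=list)
    server_version: Optional[str] = None
    chosen_suite: Optional[str] = None
    chain: List[dict] = field(default_factory=list)            # server cert first
    trusted_subjects: List[str] = field(default_factory=list)  # loaded from the trust store
    exceptions: List[str] = field(default_factory=list)

def parse_trace(text: str) -> HandshakeSummary:
    s = HandshakeSummary()
    context = None  # which multi-line block we are inside: None, "trusted" or "chain"
    for line in text.splitlines():
        if m := RE_CLIENT_HELLO.match(line):
            s.client_version = m.group(1)
        elif m := RE_SERVER_HELLO.match(line):
            s.server_version = m.group(1)
        elif m := RE_SUITES.match(line):
            s.offered_suites = [x.strip() for x in m.group(1).split(",") if x.strip()]
        elif m := RE_SUITE.match(line):
            s.chosen_suite = m.group(1)
        elif line == "adding as trusted cert:":
            context = "trusted"
        elif line == "*** Certificate chain":
            context = "chain"
        elif context == "chain" and line.startswith("chain ["):
            s.chain.append({})  # start of the next certificate in the server's chain
        elif m := RE_SUBJECT.match(line):
            if context == "trusted":
                s.trusted_subjects.append(m.group(1))
                context = None  # the rest of the trusted-cert dump is not needed
            elif context == "chain" and s.chain:
                s.chain[-1]["subject"] = m.group(1)
        elif (m := RE_ISSUER.match(line)) and context == "chain" and s.chain:
            s.chain[-1]["issuer"] = m.group(1)
        elif line == "***":
            context = None
        elif m := RE_EXCEPTION.search(line):
            s.exceptions.append(m.group(1))
    return s

def check_handshake(s: HandshakeSummary) -> List[str]:
    """The checks the article lists: offered vs chosen suite, protocol, trust path, failures."""
    findings = []
    if s.chosen_suite and s.chosen_suite not in s.offered_suites:
        findings.append(f"server chose {s.chosen_suite}, which the proxy-engine did not offer")
    if s.server_version in LEGACY_VERSIONS:
        findings.append(f"negotiated legacy protocol {s.server_version}")
    if s.chain and s.chain[-1].get("issuer") not in s.trusted_subjects:
        findings.append(f"trust path incomplete: last chain cert is issued by "
                        f"'{s.chain[-1].get('issuer')}', which is not in the loaded trusted certs")
    for exc in s.exceptions:
        hint = " (see the JCE unlimited-strength policy note)" if "key size" in exc.lower() else ""
        findings.append("exception: " + exc + hint)
    return findings

if __name__ == "__main__":
    summary = parse_trace(SAMPLE_TRACE)
    print(f"ClientHello {summary.client_version} offered {summary.offered_suites}")
    print(f"ServerHello {summary.server_version} chose {summary.chosen_suite}")
    for finding in check_handshake(summary):
        print("FINDING:", finding)
```

Run it against a real file with `parse_trace(open("nohup.out").read())`. The trust-path check is deliberately simple: it only asks whether the issuer of the last certificate the server sent matches the subject of a certificate loaded from the local trust store, which is exactly the gap you see when a backend omits its intermediate CA. In the constructed sample all three findings fire, which is what makes it useful as a smoke test of the parser.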

Additional Information

Java SE Debugging SSL/TLS Connections
https://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/ReadDebug.html

Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 8 Download
https://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html

Details about SSL/TLS
https://en.wikipedia.org/wiki/Transport_Layer_Security

Attachments

1697613565375__1558721769485000042115_sktwi1f5rjvs16w7c.png
1558721767218000042115_sktwi1f5rjvs16w7b.png