Debugging System SSL keyring problems will require the use of IBM's System SSL trace tool: gsktrace.
Information on the tool is located in Chapter 11, "Obtaining Diagnostic Information" in the IBM z/OS Cryptographic Services System Secure Sockets Layer Programming.
How do you set up and reset a gsktrace?
Resolution
Here are the procedures for setting up and resetting a gsktrace.
On OMVS:
/bin/cd <LDAP-DIRECTORY> # Change directory to the LDAP installed directory
ls -otrE slapd.env* # You should seeslapd.env
/bin/cp slapd.env slapd.env.gsk # This will copy the slapd.env to another file named slapd.env.gsk
ls -otrE slapd.env* # You should see slapd.env.gsk and slapd.env
/bin/echo "GSK_TRACE=0xffff" >>slapd.env # Make sure there's two >> characters. it will add variable to end of your sldap.env
On SYSVIEW or SDSF:
Recycle your LDAP server and execute the transaction. (Pause and Start your LDAP server)
On OMVS:
/bin/cd /tmp # Change directory to /tmp
/bin/ls -otr gskssl* # Look for the latest trace file, where the last displayed is the newest
gsktrace input_trace_file > output_trace_file # Create readable trace file as in example above
Ship the output_trace_file back for analysis.
NOTE: To clean up from the tests do the following on OMVS:
/bin/cd <LDAP-DIRECTORY> # Change directory to the LDAP installed directory
/bin/mv slapd.env.gsk slapd.env # Move the original slapd.env back into place.
/bin/cd /tmp # Change directory to the /tmp directory