Debugging System SSL keyring problems will require the use of IBM's System SSL trace tool: gsktrace.

Information on the tool is located in Chapter 11, "Obtaining Diagnostic Information" in the IBM z/OS Cryptographic Services System Secure Sockets Layer Programming.

How do you set up and reset a gsktrace?

Here are the procedures for setting up and resetting a gsktrace.

On OMVS:

1. /bin/cd <LDAP-DIRECTORY> # Change directory to the LDAP installed directory
   
   
2. ls -otrE slapd.env* # You should see slapd.env
   
   
3. /bin/cp slapd.env slapd.env.gsk # This will copy the slapd.env to another file named slapd.env.gsk
   
   
4. ls -otrE slapd.env* # You should see slapd.env.gsk and slapd.env
   
   
5. /bin/echo "GSK_TRACE=0xffff" >> slapd.env # Make sure there's two >> characters. it will add variable to end of your sldap.env

On SYSVIEW or SDSF:

Recycle your LDAP server and execute the transaction. (Pause and Start your LDAP server)

On OMVS:

1. /bin/cd /tmp # Change directory to /tmp
   
   
2. /bin/ls -otr gskssl* # Look for the latest trace file, where the last displayed is the newest
   
   
3. gsktrace input_trace_file > output_trace_file # Create readable trace file as in example above
   
   
4. Ship the output_trace_file back for analysis.

NOTE: To clean up from the tests do the following on OMVS:

1. /bin/cd <LDAP-DIRECTORY> # Change directory to the LDAP installed directory
   
   
2. /bin/mv slapd.env.gsk slapd.env # Move the original slapd.env back into place.
   
   
3. /bin/cd /tmp # Change directory to the /tmp directory
   
   
4. /bin/rm gskssl* # Remove all GSK file