The CA Access Gateway (formerly CA Secure Proxy Server) is used as a reverse proxy to connect users via the SPS to backend servers. The connections from SPS to the backend servers will often be over SSL (ie accessed using HTTPS:). This article shows how to enable -Djavax.net.debug="all" logging so that problems can be identified and resolved.
All (windows, linux, solaris)
There can be a number of issues establishing a SSL connection from proxy-engine to the backend, there are some restrictions on the level of cryptographic that java is able to use; there can be different levels of SSL/TLS version supported by the backend server; and there can be issues with the trust path for the backend server certificates.
Java provides a handy setting that will log detail of the SSL handshake and transferred data into stdout by adding the parameter -Djavax.net.debug=all to the java runtime startup.
Enable the debug SSL in SPS
For SPS the files to apply that debug setting are :
Windows : proxy-engine/conf/SmSpsProxyEngine.properties
Unix : proxy-engine/proxyserver.sh
And we need to add the parameter -Djavax.net.debug=all to the java startup command as pictured below for each environment.
Notes: Please make sure you edit the correct one for your environment; Both will need a restart to effect and for Windows you will need stop the proxy-engine service before it will allow you to save the .properties file)
The proxy-engine service needs to be restarted for the setting to take effect.
Review the SSL trace details in the nohup log
Once the service is restarted trace information for any SSL connection from the proxy-engine to the backend is written to the timestamped nohup*.out file.
In the following we can see details of the SSL ClientHello message send to the backend server.
Particular details to look for in the logs are:
Java SE Debugging SSL/TLS Connections
Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 8 Download
Details about SSL/TLS