The error you reported (SSLC0008E) is probably due to a protocol, or cipher problem, or to a bad certificate. When we get this kind of error we need to enable SSL Debug to know more details about the SSL Handshake Error . Some times we may need enable and share the ssl debug logs to the vendor for further investigation . We will see how we enable it in both the server and client side .
SSL trace specification:
Java Virtual Machine (JVM) Custom Property
Add javax.net.debug JVM PROPERTY
- In the administrative console, set the javax.net.debug system property using one of the following options, depending on where the SSL issue is occurring:
- For tracing an Application server, select the following:Servers > Server Types > WebSphere Application Servers > server_name > Expand Java and Process Management (under Server Infrastructure) >Process definition > Java Virtual Machine > Custom properties > New…
- For tracing a Deployment Manager, select the following:System Administration > Deployment manager > Expand Java and Process Management (under Server Infrastructure) >Process definition > Java Virtual Machine > Custom properties > New…
- For tracing a Nodeagent, select the following:System Administration > Node agents > (pick a nodeagent) > Expand Java and Process Management (under Server Infrastructure) >Process definition > Java Virtual Machine > Custom properties > New…
- Enter the following:Name: javax.net.debug
- Click Apply, then Save your changes to the master configuration.
Enable SSL Tracing
- Expand Troubleshooting > Logs and trace > server_name
- Select Diagnostic Trace.
- Set the Maximum Number of Historical Files to 20.
- Click Apply
- Select Change log detail levels.
- Set the trace specification to:*=info:SSL=all
- Click OK, then OK
- Select JVM Logs.
- Under System.out, ensure that the Show application print statements box is checked under Installed Application Output.
- Click OK, then Save to the master configuration.
Once above settings are enabled then restart each server that we intend to reproduce the issue and re-produce the issue to gather more details .
Some SSL Cal’s use default java truststore even though Custom SSL is configured . So we may need to look at the the default java trust store in the below location
IBM Vendor may need more config ,logs and other details . in this case we need to run Collector Tool, collector.sh or collector.bat, which is located in the <PROFILE_ROOT>/bin directory.
We can also do from client side to see the error by Modify your calling script or add the following to your Java command line:
000000c4 SSLHandshakeE E SSLC0008E: Unable to initialize SSL connection. Unauthorized access was denied or security settings have expired. Exception is javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection? at com.ibm.jsse2.b.a(b.java:22) at com.ibm.jsse2.nc.a(nc.java:350) at com.ibm.jsse2.nc.unwrap(nc.java:306) at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:3) at com.ibm.ws.ssl.channel.impl.SSLConnectionLink.readyInbound(SSLConnectionLink.java:536) at com.ibm.ws.ssl.channel.impl.SSLConnectionLink.ready(SSLConnectionLink.java:296)
If we get above error we need to verify the personal certificate expiry . For this log in to Websphere administration console.
Once logged in, proceed to “Security -> SSL certificate and key management”.
From there, select “Key stores and certificates -> NodeDefaultKeyStore -> Personal certificates”.
Once the configured certificates are displayed, you have to check the expiration of the certificate.