Configuring IBM Caching Proxy to write trace can be done with the TraceModule and TraceLog config directives. Note that the command line arguments -debug and -mtv must also be specified when starting IBM Caching Proxy. It is also necessary to redirect stdout and stderr to a file so that configuration details are also collected. This can be done using a redirect (the log file must be named before 2>&1; with the operands the other way round, stderr still goes to the terminal):
ibmproxy -mtv -debug > /opt/ibm/edge/cp/server_root/logs/ibmproxy.log 2>&1
To trace all modules, the "all" argument can be specified for TraceModule:
TraceLog /path/to/trace/file
TraceModule All
Setting TraceModule All is generally too verbose, and only relevant modules should be enabled. For example, the list of modules typically used to debug a caching problem is:
TraceLog /path/to/trace/file
TraceModule htcaio
TraceModule htcbio
TraceModule htccompact
TraceModule htcfs
TraceModule htcfsck
TraceModule htcfsops
TraceModule htcgc
TraceModule htcgceval
TraceModule htchash
TraceModule htcheap
TraceModule htchio
TraceModule htcio
TraceModule htciter
TraceModule htclock
TraceModule htclsort
TraceModule htcwhdr
TraceModule htcwrtr
The module names accepted by TraceModule are: aa, auth, bag, base, cfgdll, cgi, config, content, dirbrw, dll, dns, error, fileio, format, ftp, gcother, gopher, hash, heap, htcaio, htcbio, htccompact, htcfs, htcfsck, htcfsops, htcgc, htcgceval, htchash, htcheap, htchio, htcio, htciter, htclock, htclsort, htcwhdr, htcwrtr, http, icapi, if, javelinbase, javelinpics, lex, list, log, mempool, netmonitor, nls, oru, perfmon, pics, proxy, proxycache, proxychain, proxyinit, workqueue, rcacfg, rcaclnt, rcacomm, rcahash, rcalatency, rcaoop, rcaserv, rchunk, request, selftest, snmp, socket, socks, ssi, ssl, stack, status, stringlib, syscall, tcp, time, timer, threadpool, user, url, vary, workthread, workthread-callback, connection-pool, rtsp, persist, res, scm, javelin, proxygroup, rcagroup, gcgroup.
Additional MustGather should be provided in order to troubleshoot the PAC-LDAP authorization module: PacErr_Client.log and PacErr_Server.log. To increase the detail of the trace, the following environment variables should be set prior to starting IBM Caching Proxy:
PAC_DEBUG_LEVEL=64
LDAP_DEBUG=65535
LDAP_DEBUG_FILE=/opt/ibm/edge/cp/server_root/logs/ldapclient_trace.log
export PAC_DEBUG_LEVEL
export LDAP_DEBUG
export LDAP_DEBUG_FILE
On Linux, you're likely missing the 32-bit compat-libstdc++-33 operating system package.
The SSL/TLS protocols enabled by default change several times in Caching Proxy 8.5.5. The changes are summarized in the following table and are described in more detail after the table.
Versions (inclusive) | Protocols Enabled by Default |
---|---|
8.5.5.0 - 8.5.5.3 | SSLv3, TLSv1.1 |
8.5.5.4 | SSLv3 |
8.5.5.5 - 8.5.5.11 | None |
8.5.5.12 - | TLSv1.0, TLSv1.1 |
In 8.5.5.0 through 8.5.5.3, Caching Proxy enables SSLv3 and disables TLSv1.0 by default. GSKit enables TLSv1.1 by default, and Caching Proxy does not disable it.
In 8.5.5.4, PI23780 adds two directives to configure the TLS version and its ciphers: TLSVersion and TLSCipherSpecs, respectively. All TLS protocols are disabled by default and can be enabled with the TLSV1Enable directive.
PI28050 adds the TLSOnly directive, which disables SSLv2 and SSLv3 by default. Since the TLS protocols were already disabled by default, this APAR effectively causes all SSL/TLS protocols to be disabled from 8.5.5.5 to 8.5.5.11.
From 8.5.5.12, the TLSv1.0 and TLSv1.1 protocols are enabled by default in order to have SSL working out-of-the-box when SSLEnable is ON. TLSv1.2 was not enabled by default since it could cause some certificates to no longer be accepted.
PI75968 changes the default of TLSV1Enable from OFF to ON_TLSV10_TLSV11. It also adds the ability to specify multiple TLS protocols in the TLSVersion directive. The default value of TLSVersion, which controls which TLS protocols are enabled, also changed from ALL to TLSV10 TLSV11. To allow older configurations to work, TLSVersion will still enable all TLS protocols if TLSV1Enable is set to ON.
Versions (inclusive) | Protocols Enabled by Default |
---|---|
9.0.0.0 - 9.0.0.4 | None |
9.0.0.5 - | TLSv1.0, TLSv1.1 |
This is a basic configuration you can append to the sample ibmproxy.conf:
# Basic SSL config
SSLEnable ON
KeyRing .../key.kdb
KeyRingStash .../key.sth
# Must be present to cache requests that show up over SSL
SSLCaching ON
# Before PI75968 only:
# V3CipherSpecs must be specified. Can be "".
V3CipherSpecs "352F0A"
TLSV1Enable ON
# end pre-PI75968
# After PI75968, opt in to TLSv1.2
TLSVersion ALL
# Use PI74512 defaults prior to PI74512:
TLSV11CipherSpecs 2F350A
TLSV12CipherSpecs 9C9D3C3D2F350A
For more details, consult this technote: http://www-01.ibm.com/support/docview.wss?uid=swg21693751
Prior to PI74512, all supported ciphers are enabled by default. After PI74512, the TLSV11CipherSpecs default is 2F350A:
2F - TLS_RSA_WITH_AES_128_CBC_SHA
35 - TLS_RSA_WITH_AES_256_CBC_SHA
0A - TLS_RSA_WITH_3DES_EDE_CBC_SHA
# Note: ciphers below are disabled by default after PI74512.
05 - TLS_RSA_WITH_RC4_128_SHA
04 - TLS_RSA_WITH_RC4_128_MD5
09 - TLS_RSA_WITH_DES_CBC_SHA
02 - TLS_RSA_WITH_NULL_SHA
01 - TLS_RSA_WITH_NULL_MD5
Prior to PI74512, all supported ciphers are enabled by default. After PI74512, the TLSV12CipherSpecs default is 9C9D3C3D2F350A:
9C - TLS_RSA_WITH_AES_128_GCM_SHA256
9D - TLS_RSA_WITH_AES_256_GCM_SHA384
3C - TLS_RSA_WITH_AES_128_CBC_SHA256
3D - TLS_RSA_WITH_AES_256_CBC_SHA256
2F - TLS_RSA_WITH_AES_128_CBC_SHA
35 - TLS_RSA_WITH_AES_256_CBC_SHA
0A - TLS_RSA_WITH_3DES_EDE_CBC_SHA
# Note: ciphers below are disabled by default after PI74512.
3B - TLS_RSA_WITH_NULL_SHA256
02 - TLS_RSA_WITH_NULL_SHA
No other ciphers, such as those including ECDHE or ECDSA, are supported.
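The cipher-spec directives take a run of two-hex-digit cipher codes with no separators, which makes it easy to re-enable a NULL or RC4 suite without noticing. The following is an added example, not code from the page or from IBM: it decodes the codes in an ibmproxy.conf fragment using the names listed above and flags the suites the page says PI74512 disables by default. The configuration text is constructed for the example; the extra 05 on TLSV11CipherSpecs is there to show a weak suite being caught.

```python
import re

# Cipher codes and names as listed on this page for TLSV11CipherSpecs / TLSV12CipherSpecs.
CIPHER_NAMES = {
    "9C": "TLS_RSA_WITH_AES_128_GCM_SHA256", "9D": "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "3C": "TLS_RSA_WITH_AES_128_CBC_SHA256", "3D": "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "2F": "TLS_RSA_WITH_AES_128_CBC_SHA", "35": "TLS_RSA_WITH_AES_256_CBC_SHA",
    "0A": "TLS_RSA_WITH_3DES_EDE_CBC_SHA", "3B": "TLS_RSA_WITH_NULL_SHA256",
    "05": "TLS_RSA_WITH_RC4_128_SHA", "04": "TLS_RSA_WITH_RC4_128_MD5",
    "09": "TLS_RSA_WITH_DES_CBC_SHA", "02": "TLS_RSA_WITH_NULL_SHA",
    "01": "TLS_RSA_WITH_NULL_MD5",
}
# Codes the page says PI74512 disables by default (NULL, RC4 and single-DES suites).
WEAK = {"3B", "05", "04", "09", "02", "01"}
CIPHER_DIRECTIVES = ("V3CipherSpecs", "TLSV11CipherSpecs", "TLSV12CipherSpecs")

def decode_cipher_specs(spec):
    """Split a concatenated hex value such as 9C9D3C3D2F350A into two-digit codes."""
    spec = spec.strip().strip('"')  # the page allows a quoted value, e.g. "352F0A" or ""
    if len(spec) % 2 or not re.fullmatch(r"[0-9A-Fa-f]*", spec):
        raise ValueError(f"malformed cipher spec: {spec!r}")
    return [spec[i:i + 2].upper() for i in range(0, len(spec), 2)]

def audit_config(conf_text):
    """Map each cipher directive in ibmproxy.conf text to [(code, name, is_weak), ...]."""
    findings = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # ibmproxy.conf comments start with '#'
        parts = line.split(None, 1)
        if parts and parts[0] in CIPHER_DIRECTIVES:
            value = parts[1] if len(parts) > 1 else ""
            findings[parts[0]] = [(c, CIPHER_NAMES.get(c, "unknown"), c in WEAK)
                                  for c in decode_cipher_specs(value)]
    return findings

def weak_ciphers(findings):
    """List (directive, code, name) for every enabled cipher in the WEAK set."""
    return [(d, c, n) for d, lst in findings.items() for c, n, w in lst if w]

# Constructed sample: the page's snippet plus a TLSV11CipherSpecs line that re-enables RC4 (05).
SAMPLE_CONF = """# Basic SSL config
SSLEnable ON
V3CipherSpecs "352F0A"
TLSV11CipherSpecs 2F350A05
TLSV12CipherSpecs 9C9D3C3D2F350A
"""

if __name__ == "__main__":
    for directive, code, name in weak_ciphers(audit_config(SAMPLE_CONF)):
        print(f"{directive}: {code} ({name}) is a weak cipher")
```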
The Redirect directive can be used to redirect clients from HTTP to HTTPS. Since this mapping rule should be applied first, the Redirect directive should appear above other mapping rules (e.g. Pass directives).
# Redirect HTTP to HTTPS
Redirect /* https://server-name/* server-name:80
This error can happen for a variety of reasons. The obvious one is that pac_keyfile.kdb is not found in the expected path, which is cp-root/server_root/pac/creds/pac_keyfile.kdb.
The error can also happen if the IBM Tivoli LDAP library can't load the GSKit library, for example when the LDAP library wants to load GSK 7 but the system has GSK 8. In such a case, the error can be resolved by setting the GSKIT_CLIENT_VERSION environment variable to the desired GSK version (for example GSKIT_CLIENT_VERSION=8).
To diagnose any other issues, the LDAP client traces should be collected and reviewed. Please see the PAC-LDAP MustGather section for information on how to collect the LDAP client traces.
The PidFile directive ships commented out by default, but points to a directory that is not writable by the nobody/nogroup user that Caching Proxy switches to before writing out its pid file. Pointing PidFile at the server_root/logs/ directory instead is a writable alternative.
Some causes on Windows for cpwizard to fail:
java -cp "%~dp0\cpwizard.jar" com.ibm.websphere.edge.wizard.CPWizard
LimitRequestFieldSize and LimitRequestField don't seem to work properly. The former seems to trigger arbitrarily once you reach a certain size, and the latter cannot be raised.