To obtain more information for troubleshooting without a restart, use the server's built-in debugging support.
-
To enable the debug log publisher and set the debug target, run the following
configuration changes:
-
Run dsconfig with the create-debug-target option.
dsconfig create-debug-target \
  --publisher-name "File-Based Debug Logger" \
  --target-name com.unboundid.directory.server.extensions.TLSConnectionSecurityProvider \
  --set debug-level:verbose
-
Run dsconfig with the set-log-publisher-prop option.
dsconfig set-log-publisher-prop \
  --publisher-name "File-Based Debug Logger" \
  --set enabled:true
The logs/debug file captures a substantial amount of information about the TLS-related processing that the server performs. Although this file doesn't provide as much detail as the Java virtual machine's (JVM) built-in debugging information, it might help to pinpoint the cause of the problem and to identify potential solutions. Verbose debug logging adds overhead and the file grows quickly, so disable it again as soon as you have collected what you need.
-
To disable the debug log publisher and remove the debug target, run the
following configuration changes:
-
Run dsconfig with the set-log-publisher-prop option.
dsconfig set-log-publisher-prop \
  --publisher-name "File-Based Debug Logger" \
  --set enabled:false
-
Run dsconfig with the delete-debug-target option.
dsconfig delete-debug-target \
  --publisher-name "File-Based Debug Logger" \
  --target-name com.unboundid.directory.server.extensions.TLSConnectionSecurityProvider
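The enable and disable steps above form one bounded session: the target and publisher are switched on, the failing TLS connection is reproduced, and both are switched off again. The following Python wrapper is an added example, not part of this page or of the product, that runs the four dsconfig commands in that order and guarantees the disable step runs even when the reproduction fails. It assumes dsconfig is on the PATH and that you fill CONNECTION_ARGS with the --no-prompt and connection options your deployment needs for a non-interactive run; the page's commands omit those, and their placement after the subcommand is an assumption.

```python
"""Bounded TLS debug session for the directory server (illustrative wrapper, not product code):
enable the debug target and publisher, run a reproduction, and always disable both again."""
import subprocess

PUBLISHER = "File-Based Debug Logger"
TARGET = "com.unboundid.directory.server.extensions.TLSConnectionSecurityProvider"
# Assumed: non-interactive options (--no-prompt plus host, port and bind credentials)
# for your deployment go here; the page's commands leave them out.
CONNECTION_ARGS = []


def dsconfig(*args):
    """Build one dsconfig argv; the subcommand is always argv[1]."""
    return ["dsconfig", *args, *CONNECTION_ARGS]


def enable_commands():
    """Create the debug target first, then switch the publisher on."""
    return [
        dsconfig("create-debug-target", "--publisher-name", PUBLISHER,
                 "--target-name", TARGET, "--set", "debug-level:verbose"),
        dsconfig("set-log-publisher-prop", "--publisher-name", PUBLISHER, "--set", "enabled:true"),
    ]


def disable_commands():
    """Reverse order on the way out: publisher off, then delete the target."""
    return [
        dsconfig("set-log-publisher-prop", "--publisher-name", PUBLISHER, "--set", "enabled:false"),
        dsconfig("delete-debug-target", "--publisher-name", PUBLISHER, "--target-name", TARGET),
    ]


def run_with_tls_debug(reproduce, run=lambda argv: subprocess.run(argv, check=True)):
    """Enable verbose TLS debugging, call reproduce() (for example one failing LDAPS connection
    attempt), and disable debugging again even if reproduce() raises."""
    for argv in enable_commands():
        run(argv)
    try:
        return reproduce()
    finally:
        for argv in disable_commands():
            run(argv)


def dry_run(reproduce):
    """Run the session with a recording runner instead of dsconfig. Returns the subcommands in
    the order they would execute and the exception raised by reproduce(), if any."""
    seen = []
    try:
        run_with_tls_debug(reproduce, run=lambda argv: seen.append(argv[1]))
        err = None
    except Exception as exc:  # the enable/disable sequence must be identical on the failure path
        err = exc
    return seen, err


if __name__ == "__main__":
    print(dry_run(lambda: "reproduction done"))
```

Run dry_run() first to confirm the command order, then call run_with_tls_debug() with a callable that performs the actual connection attempt; the finally block is what keeps a crashed reproduction from leaving verbose logging enabled.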
Tip: To troubleshoot TLS communication with a non-Java client that does not offer its own TLS debugging mechanism, and if the server-side debugging support is insufficient, use a network protocol analyzer to capture the communication between the client and the server and to examine its content. The free, open-source Wireshark utility is a graphical tool that runs on a variety of platforms and can decode TLS communication. Even if you can't decipher the encrypted content, the ClientHello and ServerHello are sent in the clear, so you can at least see the protocol versions and cipher suites the client offered and the server selected.
Note: More of the handshake is encrypted in TLS 1.3 than in earlier versions of the protocol. In TLS 1.3 everything after the ServerHello, including the server's certificate, is encrypted, whereas a TLS 1.2 capture also shows the Certificate and the rest of the handshake in the clear. Although this change improves security and privacy, it might interfere with troubleshooting attempts.
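The difference the Tip and Note describe, as an added example that is not part of this page or of any product: a small Python parser that walks a raw TLS record stream the way a protocol analyzer would, decodes the ClientHello and ServerHello fields that are sent in the clear (SNI, offered and selected versions and cipher suites), and stops decoding handshake content once the records become encrypted. The two captures it runs on are constructed inline from the TLS record and handshake layouts, not real traffic; the hostname ldap.example.com and the cipher suite choices are made up for the example.

```python
"""Show what a packet capture reveals about a TLS handshake: decode the plaintext ClientHello and
ServerHello, and stop once the stream switches to protected records (right after ServerHello in TLS 1.3)."""
import struct

RECORD_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 14: "ServerHelloDone"}
VERSION_NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
SNI, SUPPORTED_VERSIONS = 0, 43       # extension codes: RFC 6066 server_name, RFC 8446 supported_versions


def _parse_extensions(data):
    """Return {extension_type: extension_data} from a length-prefixed extensions block."""
    if len(data) < 2:
        return {}
    exts, pos, end = {}, 2, 2 + struct.unpack("!H", data[:2])[0]
    while pos < end:
        etype, elen = struct.unpack("!HH", data[pos:pos + 4])
        exts[etype] = data[pos + 4:pos + 4 + elen]
        pos += 4 + elen
    return exts


def _parse_hello(body, is_client):
    """Extract the fields a troubleshooter wants from a ClientHello or ServerHello body."""
    legacy_version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32 + 1 + body[34]       # skip legacy_version, random and session_id
    info = {"handshake": True}
    if is_client:
        n = struct.unpack("!H", body[pos:pos + 2])[0]
        info["cipher_suites"] = [s for (s,) in struct.iter_unpack("!H", body[pos + 2:pos + 2 + n])]
        pos += 2 + n
        pos += 1 + body[pos]          # compression methods
    else:
        info["cipher_suite"] = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 3                      # selected suite + compression method
    exts = _parse_extensions(body[pos:])
    if SNI in exts:                   # server_name: list length, name type, name length, name
        name_len = struct.unpack("!H", exts[SNI][3:5])[0]
        info["sni"] = exts[SNI][5:5 + name_len].decode("ascii")
    sv = exts.get(SUPPORTED_VERSIONS)  # absent on pre-1.3 peers, where legacy_version is the answer
    raw = (sv[1:] if is_client else sv) if sv is not None else struct.pack("!H", legacy_version)
    info["versions"] = [VERSION_NAMES.get(v, hex(v)) for (v,) in struct.iter_unpack("!H", raw)]
    return info


def inspect_capture(stream):
    """One (label, details) pair per TLS record. Handshake content is decoded only while it is still
    plaintext; after change_cipher_spec or the first application_data record it is opaque."""
    out, pos, encrypted = [], 0, False
    while pos + 5 <= len(stream):
        rtype, _ver, rlen = struct.unpack("!BHH", stream[pos:pos + 5])
        body = stream[pos + 5:pos + 5 + rlen]
        pos += 5 + rlen
        if rtype == 22 and body and not encrypted:
            htype, hlen = body[0], int.from_bytes(body[1:4], "big")
            name = HANDSHAKE_TYPES.get(htype, f"handshake_type_{htype}")
            details = _parse_hello(body[4:4 + hlen], htype == 1) if htype in (1, 2) else {"handshake": True}
            out.append((name, details))
        else:
            encrypted = encrypted or rtype in (20, 23)   # from CCS or app data on, records are protected
            out.append((RECORD_TYPES.get(rtype, f"record_type_{rtype}"), {"encrypted": encrypted and rtype != 20}))
    return out


def visible_handshake_messages(stream):
    """Handshake messages readable in the clear, and how many records the capture cannot read."""
    records = inspect_capture(stream)
    return [n for n, d in records if d.get("handshake")], sum(1 for _, d in records if d.get("encrypted"))


# Builders for the constructed sample captures below (synthetic bytes, not real traffic).
def _rec(rtype, body):
    return struct.pack("!BHH", rtype, 0x0303, len(body)) + body


def _hs(htype, body):
    return bytes([htype]) + len(body).to_bytes(3, "big") + body


def _ext(etype, data):
    return struct.pack("!HH", etype, len(data)) + data


def _client_hello(sni, suites, versions=None):
    exts = _ext(SNI, struct.pack("!HBH", len(sni) + 3, 0, len(sni)) + sni.encode())
    if versions:                      # a TLS 1.3-capable client lists the versions it supports
        exts += _ext(SUPPORTED_VERSIONS, bytes([2 * len(versions)]) + b"".join(struct.pack("!H", v) for v in versions))
    body = (struct.pack("!H", 0x0303) + b"\x11" * 32 + b"\x00" + struct.pack("!H", 2 * len(suites))
            + b"".join(struct.pack("!H", s) for s in suites) + b"\x01\x00" + struct.pack("!H", len(exts)) + exts)
    return _rec(22, _hs(1, body))


def _server_hello(suite, version):
    exts = _ext(SUPPORTED_VERSIONS, struct.pack("!H", version)) if version == 0x0304 else b""
    body = struct.pack("!H", 0x0303) + b"\x22" * 32 + b"\x00" + struct.pack("!HB", suite, 0) + struct.pack("!H", len(exts)) + exts
    return _rec(22, _hs(2, body))


TLS12_CAPTURE = (_client_hello("ldap.example.com", [0xC02F, 0xC030])
                 + _server_hello(0xC02F, 0x0303)
                 + _rec(22, _hs(11, b"\x00\x00\x00"))    # Certificate: visible in the clear in TLS 1.2
                 + _rec(22, _hs(14, b"")))               # ServerHelloDone
TLS13_CAPTURE = (_client_hello("ldap.example.com", [0x1301, 0x1302, 0xC02F], [0x0304, 0x0303])
                 + _server_hello(0x1301, 0x0304)
                 + _rec(20, b"\x01")                     # middlebox-compatibility ChangeCipherSpec
                 + _rec(23, b"\xaa" * 40))               # encrypted: Certificate, CertificateVerify, Finished
```

Calling visible_handshake_messages(TLS12_CAPTURE) lists ClientHello, ServerHello, Certificate and ServerHelloDone with no unreadable records, while the TLS 1.3 stream yields only ClientHello and ServerHello before the first encrypted record; inspect_capture() on either stream still shows the SNI, the versions offered via supported_versions (or the legacy version when the extension is absent) and the cipher suites, which is usually enough to tell a version or suite mismatch from a certificate problem.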