How to troubleshoot issues with Java security settings applied to a TIBCO Streaming application
Article ID: KB0072893
Updated On:
| Products | Versions |
|---|---|
| TIBCO Streaming | 10.6 and later |
Description
Some unexpected behavior is observed in a TIBCO Streaming application, which may related to Java security settings. How can we get more detailed logging on activities relating to Java security?
Issue/Introduction
Discusses debug options for issues relating to the java.security settings for a TIBCO Streaming application.
Resolution
The Java security settings are configured under $STREAMBASE_HOME/jdk/conf/security/java.security. To enable debug logging for the java.security configuration, set the 'java.security.debug' system property.
For example, set -Djava.security.debug=certpath to validate information on certificates used by the application. Sample debug output:
Set -Djava.security.debug=configfile to troubleshoot issues relating to a JAAS configuration (as used, for example, when using Kerberos SASL/SSL authentication).
Set -Djava.security.debug=keystore to get more details on any keystores being used by the application. Sample debug output:
Set -Djava.security.debug=pkcs12 to troubleshoot issues relating to key/trust stores in pkcs12 (*.p12) format.
For more details, follow Oracle's guidance on troubleshooting security-related issues.
For example, set -Djava.security.debug=certpath to validate information on certificates used by the application. Sample debug output:
com.tibco.ep.dtm.stderr: certpath: X509CertSelector.match(SN: 66c9fcf99bf8c0a39e2f0788a43e696365bca com.tibco.ep.dtm.stderr: Issuer: CN=Amazon Root CA 1, O=Amazon, C=US com.tibco.ep.dtm.stderr: Subject: CN=Amazon Root CA 1, O=Amazon, C=US) com.tibco.ep.dtm.stderr: certpath: X509CertSelector.match returning: true com.tibco.ep.dtm.stderr: certpath: YES - try this trustedCert com.tibco.ep.dtm.stderr: certpath: anchor.getTrustedCert().getSubjectX500Principal() = CN=Amazon Root CA 1, O=Amazon, C=US com.tibco.ep.dtm.stderr: certpath: AlgorithmChecker.contains: SHA256withRSA com.tibco.ep.dtm.stderr: certpath: AnchorCertificate.contains: matched CN=Amazon Root CA 1, O=Amazon, C=US
Set -Djava.security.debug=configfile to troubleshoot issues relating to a JAAS configuration (as used, for example, when using Kerberos SASL/SSL authentication).
Set -Djava.security.debug=keystore to get more details on any keystores being used by the application. Sample debug output:
com.tibco.ep.dtm.stderr: keystore: JavaKeyStore load: private key count: 0. trusted key count: 93 com.tibco.ep.dtm.stderr: keystore: Loaded a keystore in JKS format
Set -Djava.security.debug=pkcs12 to troubleshoot issues relating to key/trust stores in pkcs12 (*.p12) format.
For more details, follow Oracle's guidance on troubleshooting security-related issues.
Feedback
Yes
No
Powered by
