Troubleshoot: IBM HTTP Server
Troubleshooting IBM HTTP Server documentation

Troubleshooting


What to do first

Check that you have the right level of browser. You must have Netscape Navigator 4.6 or higher or Microsoft Internet Explorer 4.0 or higher.

Note: Netscape 6.0 and 6.01 do not currently support the IBM Administration Server. Refer to the IBM HTTP Server Web site for updates to this support.

Applies to AIX
Applies to HP
Applies to Linux
Applies to Solaris
Applies to Windows
  • Ensure you are running Java Development Kit 1.1.6 or the Java Runtime Environment 1.1.6. On Windows and Solaris, the JRE installs automatically as part of the Global Security Kit. On AIX, Linux, and HP, you must install the JDK or the JRE yourself.
  • Check the error log to help you determine what the problem might be.
    • On Windows: The error log is in the logs directory.
    • On AIX: The error log is in the /usr/HTTPServer/logs directory.
    • On Solaris: The error log is in the /opt/IBMHTTPD/logs directory.
    Applies to Windows

    Administration Server Logon Failure on Windows

    When installing the IBM HTTP Server, you are prompted for a login ID and password. The ID you select must have the capability to log on as a service. If you get an error when you try to start the Administration Server, indicating a failure to start as a service, try the following:

    On Windows NT:

    1. Select Start>Programs>Admin Tools>User Manager.
    2. Select the user from the User Manager list.
    3. Click Policies>User Rights.
    4. Check the Show Advanced User Rights box.
    5. Choose Log on as a Service, from the right drop-down menu.

    On Windows 2000:

    1. Select Start>Settings>Control Panel.
    2. Open Administrative Tools.
    3. Open Services. The local user you select is created in Local Users and Groups, under Computer Management.
    4. Select Service>Actions>Properties.
    5. Choose the Log on tab.
    6. Select this account option and click Browse to select the user to associate with the service.

    Using CAServlet Certificates to Access the Netscape Directory Server

    When using LDAP with SSL to access the Netscape Directory Server, the Netscape Directory Server will be unable to make a secure connection if the certificate is signed using CAServlet. The Netscape Directory Server will give the following errors:
    • ldapu_get_cert_subject_dn(01136924) -301 Could not extract the issuer DN from the certificate.
    • ldapu_get_cert_issuer_dn(01136924) -301 Could not extract the issuer DN from the certificate.

    Viewing Logs

    To view the Administration Server logs, go to Getting Started > View Admin Logs. You can view the Access log and the Error log.

    Error messages

    • Message: mod_ibm_ssl: Failure obtaining Cert data for label <certificate label>
      • Reason: Didnít supply a valid certificate/key label
      • Solution: Rename certificate label to default or valid certificate/key
      • Notes: None
    • Message: mod_ibm_ssl: keyfile does not exist: <keyfile>
      • Reason: Specified a keyfile for keyfile directive that did not exist
      • Solution: Create a keyfile
      • Notes: None
    • Message: mod_ibm_ssl: SSL Handshake failed, The GSK library unloaded
      • Reason: GSK library unloaded
      • Solution: None
    • Message: mod_ibm_ssl: SSL Handshake failed, internal error
      • Reason: The communication between client and the server failed
      • Solution: Retry connection from the client
      • Notes: None
    • Message: mod_ibm_ssl: Failure obtaining Cert data for label <certificate label>
      • Reason: Didnít supply a valid certificate/key label
      • Solution: Rename certificate label to default or valid certificate/key
      • Notes: None
    • Message: mod_ibm_ssl: SSL Handshake Failed, GSK handle is in an invalid state for operation
      • Reason: Incorrect state for GSK handle
      • Solution: None
    • Message: mod_ibm_ssl: SSL Handshake Failed, key-file label not found
      • Reason: Could not find the certificate/keyfile label
      • Solution: Specify a certificate/keyfile label
      • Notes: None
    • Message: mod_ibm_ssl: SSL Handshake Failed, Certificate is not available
      • Reason: Could not find the certificate
      • Solution: Specify a certificate
      • Notes: None
    • Message: mod_ibm_ssl: SSL Handshake Failed, Unsupported certificate type.
      • Reason: Does not support certificate type
      • Solution: Use certificate type that is supported
      • Notes: None
    • Message: mod_ibm_ssl: Failure attempting to load GSK library.
      • Reason: The GSK toolkit is not installed, permissions problem, or the file does not exist.
      • Solution: Install the GSK toolkit, check permissions on the library.
      • Notes: None.
    • Message: mod_ibm_ssl: GSK function address undefined.
      • Reason: Incorrect version of the GSK installed.
      • Solution: Install the correct version of the GSK.
      • Notes: None.
    • Message: mod_ibm_ssl: SSL Handshake Failed, Invalid SSLV2 Cipher Spec.
      • Reason: The SSL Version 2 cipher specs passed into the handshake were invalid.
      • Solution: Change the specified Version 2 cipher specs.
    • Message: mod_ibm_ssl: SSL handshake Failed, Invalid SSLV3 Cipher Spec.
      • Reason: The SSL Version 3 cipher specs passed into the Handshake were invalid.
      • Solution: Change the specified Version 3 cipher specs.
    • Message: mod_ibm_ssl: SSL Handshake Failed, Invalid security type.
      • Reason: The SSL security type field passed into the handshake is not valid.
      • Solution: None.
    • Message: mod_ibm_ssl: SSL Handshake Failed, Invalid security type combination.
      • Reason: The SSL security type field that is passed into the handshake is not valid.
      • Solution: None.
    • Message: mod_ibm_ssl: SSL Handshake Failed, No read function specified.
      • Reason: The read funtion was not passed into the handshake properly.
      • Solution: None.
    • Message: mod_ibm_ssl: SSL Handshake Failed, No write function specified.
      • Reason: The write funtion was not passed into the handshake properly.
      • Solution: None.
    • Message: mod_ibm_ssl: SSL Handshake Failed, No ciphers specified.
      • Reason: The client did not specify any cipher specifications during the handshake.
      • Solution: Client problem.
      • Notes: None.
    • Message: mod_ibm_ssl: SSL Handshake Failed, No certificate.
      • Reason: The client did not specify a certificate.
      • Solution: Client problem
      • Notes: None.
    • Message: mod_ibm_ssl: SSL Handshake Failed, Invalid certificate.
      • Reason: The client did not specify a valid certificate.
      • Solution: Client problem.
      • Notes: None.
    • Message: mod_ibm_ssl: SSL Handshake Failed, Unsupported certificate type.
      • Reason: The client did not specify a certificate that is supported by the GSK toolkit.
      • Solution: The client needs to specify a different certificate.
      • Notes: None.
    • Message: mod_ibm_ssl: SSL Handshake Failed, I/O error.
      • Reason: The communication between the client and the server failed.
      • Solution: Retry the connection from the client.
      • Notes: None.
    • Message: mod_ibm_ssl: SSL Handshake Failed, Invalid MAC.
      • Reason: The communication between the client and the server failed.
      • Solution: Retry the connection from the client.
      • Notes: None.
    • Message: mod_ibm_ssl: SSL Handshake Failed, Unsupported.
      • Reason: The communication between the client and the server failed.
      • Solution: Retry the connection from the client.
      • Notes: None.
    • Message: Missing ldap.client.rte.2.1.1.0 # Base Level Fileset
      • Reason: LDAP client toolkit not installed.
      • Solution: Install the LDAP client toolkit.
      • Notes: None.
    • Message: mod_ibm_ssl: Failure obtaining Cert data for label <certificate label>
      • Reason: Did not supply a valid certificate/key label
      • Solution: Rename certificate label to default or valid certificate/key
      • Notes: None
    • Message: mod_ibm_ssl: keyfile does not exist: <keyfile>
      • Reason: Specified a keyfile for keyfile directive that did not exist
      • Solution: Create a keyfile
      • Notes: None
    • Message: mod_ibm_ssl: SSL Handshake failed, The GSK library unloaded
      • Reason: GSK library unloaded
      • Solution: None
    • Message: mod_ibm_ssl: SSL Handshake failed, GSK internal error
      • Reason: The communication between client and the server failed
      • Solution: Retry connection from the client
      • Notes: None
    • Message: mod_ibm_ssl: Failure obtaining Cert data for label <certificate label>
      • Reason: Didn't supply a valid certificate/key label
      • Solution: Rename certificate label to default or valid certificate/key
      • Notes: None
    • Message: mod_ibm_ssl: SSL Handshake Failed, GSK handle is in an invalid state for operation
      • Reason: Incorrect state for GSK handle
      • Solution: None
    • Message: mod_ibm_ssl: SSL Handshake Failed, keyfile label not found
      • Reason: Could not find the certificate/keyfile label
      • Solution: Specify a certificate/keyfile label
      • Notes: None
    • Message: mod_ibm_ssl: SSL Handshake Failed, Certificate is not available
      • Reason: Could not find the certificate
      • Solution: Specify a certificate
      • Notes: None
    • Message: mod_ibm_ssl: SSL Handshake Failed, Certificate is not available
      • Reason: Could not find the certificate
      • Solution: Specify a certificate
      • Notes: None
    • Message: mod_ibm_ssl: SSL Handshake Failed, Certificate validation error.
      • Reason: Certificate was not validated
      • Solution: Create another ceritifcate or retry connection
      • Notes: None
    • Message: mod_ibm_ssl: SSL Handshake Failed, Error processing cryptography
      • Reason: Invalid crytography
      • Solution: None
    • Message: mod_ibm_ssl: SSL Handshake Failed, Error validating ASN fields in certificate.
      • Reason: Invalid ASN fields in certificate
      • Solution: Create valid ASN fields in certificate
      • Notes: None
    • Message: mod_ibm_ssl: SSL Handshake Failed, Error connecting to LDAP server.
      • Reason: The communication between LDAP server and web server failed
      • Solution: retry connection between LDAP server and web server
      • Notes: None
    • Message: mod_ibm_ssl: SSL Handshake Failed, Internal unknown error.
      • Reason: Unknown
      • Solution: None
    • Message: mod_ibm_ssl: SSL Handshake Failed, Error connecting to LDAP server.
      • Reason: The communication between LDAP server and web server failed
      • Solution: Retry connection between LDAP server and web server
      • Notes: None
    • Message: mod_ibm_ssl: SSL Handshake Failed, Open failed due to cipher error.
      • Reason: Invalid Cipher
      • Solution: Make sure specified correct cipher
      • Notes: None
    • Message: mod_ibm_ssl: SSL Handshake Failed, I/O error reading keyfile.
      • Reason: Could not read keyfile
      • Solution: Create valid keyfile
      • Notes: None
    • Message: mod_ibm_ssl: SSL Handshake Failed, Keyfile has an invalid internal format. Recreate keyfile.
      • Reason: Keyfile has an invalid format
      • Solution: Recreate keyfile
      • Notes: None
    • Message: mod_ibm_ssl: SSL Handshake Failed, Keyfile has two entries with the same key. Use iKeyman to remove the duplicate key.
      • Reason: Placed two identical keys in keyfile
      • Solution: Use iKeyman to remove duplicate key
      • Notes: None
    • Message: mod_ibm_ssl: SSL Handshake Failed, Keyfile has two entries with the same label.
      • Use IKEYMAN to remove the duplicate label.
      • Reason: Placed two identical key labels in keyfile
      • Solution: Use iKeyman to remove duplicate label
      • Notes: None
    • Message: mod_ibm_ssl: SSL Handshake Failed, The default key in the keyfile has an expired certificate.
      • Use IKEYMAN to remove certificates that are expired.
      • Reason: An expired certificate is in the keyfile
      • Solution: Use IKEYMAN to remove certificates that are expired
      • Notes: None
    • Message: mod_ibm_ssl: SSL Handshake Failed, The keyfile password is used as an integrity check.
      • Either the keyfile has become corrupted or the password is incorrect.
      • Reason: Corrupted or incorrect password for keyfile
      • Solution: Generate new password for keyfile
      • Notes: None
    • Message: mod_ibm_ssl: SSL Handshake Failed, There was an error loading one of the GSKdynamic link libraries. Be sure GSK was installed correctly.
      • Reason: Could not load one of the GSKdynamic link libraries
      • Solution: Make sure the Gskit got installed correctly
      • Notes: None
    • Message: mod_ibm_ssl: SSL Handshake Failed, Invalid date.
      • Reason: The system date was set to an invalid date
      • Solution: Change the system date toa valid date
      • Notes: None
    • Message: mod_ibm_ssl: SSL Handshake Failed, I/O error during handshake.
      • Reason: An I/O error occurred on a data read or write
      • Solution: Retry connection between client and server
      • Notes: None
    • Message: mod_ibm_ssl: SSL Handshake Failed, Invalid key length for export.
      • Reason: In a restricted cryptography environment, the key size is too long to be supported.
      • Solution: Make key size smaller
      • Notes: None
    • Message: mod_ibm_ssl: SSL Handshake Failed, Internal error - read failed.
      • Reason: The read failed
      • Solution: None
    • Message: mod_ibm_ssl: SSL Handshake Failed, Internal error - write failed.
      • Reason: The write failed.
      • Solution: None
    • Message: mod_ibm_ssl: SSL Handshake Failed, Socket has been closed.
      • Reason: The client closed the socket before the protocol completed.
      • Solution: Retry connection between client and server
      • Notes: None
    • Message: mod_ibm_ssl: SSL Handshake Failed, Internal error - SSL Handle creation failure.
      • Reason: The handle could not be created
      • Solution: None
    • Message: mod_ibm_ssl: SSL Handshake Failed, Internal error - GSK initialization has failed.
      • Reason: Initialization failed
      • Solution: None
    • Message: mod_ibm_ssl: SSL Handshake Failed, LDAP server not available.
      • Reason: Unable to access the specified LDAP directory when validating a certificate
      • Solution: Make sure LDAP server is available
      • Notes: None
    • Message: mod_ibm_ssl: SSL Handshake Failed, The specified key did not contain a private key.
      • Reason: Key did not contain a private key
      • Solution: Create key with private key
      • Notes: None
    • Message: mod_ibm_ssl: SSL Handshake Failed, The PKCS#11 driver failed to find the token label specified by the caller.
      • Reason: Specified invalid PKCS#11 token label
      • Solution: Specify a valid PKCS#11 token label
      • Notes: None
    • Message: mod_ibm_ssl: SSL Handshake Failed, A failed attempt was made to load the specified PKCS#11 shared library.
      • Reason: Specified invalid PKCS#11 shared library/module
      • Solution: Specify a valid PKCS#11 shared library/module
      • Notes: None
    • Message: mod_ibm_ssl: SSL Handshake Failed, A PKCS#11 token is not present for the slot.
      • Reason: PKCS#11 token not present
      • Solution: Specify valid slot for PKCS#11 token
      • Notes: None
    • Message: mod_ibm_ssl: SSL Handshake Failed, The password/pin to access the PKCS#11 token is either not present or invalid.
      • Reason: Specified user password/pin for PKCS#11 token is not present or invalid
      • Solution: Specify a valid user password/pin for PKCS#11 token
      • Notes: None
    • Message: mod_ibm_ssl: SSL Handshake Failed, The SSL header received was not a properly SSLV2 formated header.
      • Reason: Incorrectly formatted SSLV2 header.
      • Solution: Retry connection between client and server with valid SSLV2 cipher
      • Notes: None
    • Message: mod_ibm_ssl: SSL Internal error - SSLV3 is required for reset_cipher, and the connection uses SSLV2.
      • Reason: SSLV3 is required for reset_cipher, and the connection uses SSLV2
      • Solution: None
    • Message: mod_ibm_ssl: SSL Internal error - An invalid ID was specified for the gsk_secure_soc_misc function call.
      • Reason: Specified an invalid ID for the gsk_secure_soc_misc function call
      • Solution: None
    • Message: mod_ibm_ssl: SSL Internal error - An invalid ID was specified for the gsk_secure_soc_misc function call.
      • Reason: Specified an invalid ID for the gsk_secure_soc_misc function call
      • Solution: None
    • Message: mod_ibm_ssl: SSL Handshake Failed, Internal error - The attribute has a negative length in: <argument>.
      • Reason: Attribute has a negative length
      • Solution: Make sure attribute does not have a negative length
      • Notes: None
    • Message: mod_ibm_ssl: SSL Handshake Failed, The enumeration value is invalid for the specified enumeration type in: <argument>.
      • Reason: Invalid enumeration value for attribute
      • Solution: Specify valid enumeration value for argument
      • Notes: None
    • Message: mod_ibm_ssl: SSL Handshake Failed, The attribute has an invalid numeric value: <argument>.
      • Reason: Invalid numeric value for attribute.
      • Solution: Specify valid numeric value
      • Notes: None
    • Message: mod_ibm_ssl: SSL Handshake Failed, Invalid or improperly formatted certificate
      • Reason: Client certificate is invalid
      • Solution: Client problem
      • Notes: None
    • Message: mod_ibm_ssl: SSL Handshake Failed, The function call, <argument>, has an invalid ID
      • Reason: Function call has invalid ID
      • Solution: None
    • Message: mod_ibm_ssl: Initialization error, GSK internal error
      • Reason: The communication between client and the server failed
      • Solution: Retry connection from the client
      • Notes: None
    • Message: mod_ibm_ssl: Initialization error, The GSK library unloaded
      • Reason: GSK library unloaded
      • Solution: None
    • Message: mod_ibm_ssl: Initialization error, keyfile label not found
      • Reason: Could not find the certificate/keyfile label
      • Solution: Specify a certificate/keyfile label
      • Notes: None
    • Message: mod_ibm_ssl: Initialization error, Certificate is not available
      • Reason: Could not find the certificate
      • Solution: Specify a certificate
      • Notes: None
    • Message: mod_ibm_ssl: Initialization error, Certificate validation error.
      • Reason: Certificate was not validated
      • Solution: Create another ceritifcate or retry connection
      • Notes: None
    • Message: mod_ibm_ssl: Initialization error, Error processing cryptography
      • Reason: Invalid crytography
      • Solution: none
    • Message: mod_ibm_ssl: Initialization error, Error validating ASN fields in certificate.
      • Reason: Invalid ASN fields in certificate
      • Solution: Create valid ASN fields in certificate
      • Notes: None
    • Message: mod_ibm_ssl: Initialization error, Error connecting to LDAP server.
      • Reason: The communication between LDAP server and web server failed
      • Solution: retry connection between LDAP server and web server
      • Notes: None
    • Message: mod_ibm_ssl: Initialization error, Internal unknown error.
      • Reason: Unknown
      • Solution: none
    • Message: mod_ibm_ssl: Initialization error, Open failed due to cipher error.
      • Reason: Invalid Cipher
      • Solution: Make sure specified correct cipher
      • Notes: None
    • Message: mod_ibm_ssl: Initialization error, I/O error reading keyfile.
      • Reason: Could not read keyfile
      • Solution: Create valid keyfile
      • Notes: None
    • Message: mod_ibm_ssl: Initialization error, Keyfile has an invalid internal format. Recreate keyfile.
      • Reason: Keyfile has invalid format
      • Solution: Recreate keyfile
      • Notes: None
    • Message: mod_ibm_ssl: Initialization error, Keyfile has two entries with the same key. Use IKEYMAN to remove the duplicate key.
      • Reason: Placed two identical keys in keyfile
      • Solution: Use iKeyman to remove duplicate key
      • Notes: None
    • Message: mod_ibm_ssl: Initialization error, Keyfile has two entries with the same label. Use IKEYMAN to remove the duplicate label.
      • Reason: Placed two identical key labels in keyfile
      • Solution: Use iKeyman to remove duplicate label
      • Notes: None
    • Message: mod_ibm_ssl: Initialization error, The keyfile password is used as an integrity check. Either the keyfile has become corrupted or the password is incorrect.
      • Reason: Corrupted or incorrect password for keyfile
      • Solution: Generate new password for keyfile
      • Notes: None
    • Message: mod_ibm_ssl: Initialization error, The default key in the keyfile has an expired certificate. Use iKeyman to remove certificates that are expired.
      • Reason: An expired certificate is in the keyfile
      • Solution: Use iKeyman to remove certificates that are expired
      • Notes: None
    • Message: mod_ibm_ssl: Initialization error, There was an error loading one of the GSKdynamic link libraries. Be sure GSK was installed correctly.
      • Reason: Could not load one of the GSKdynamic link libraries
      • Solution: Make sure the Gskit got installed correctly
      • Notes: None
    • Message: mod_ibm_ssl: Initialization error, Unsupported certificate type.
      • Reason: The client did not specify a certificate that is supported by the GSK toolkit.
      • Solution: The client needs to specify a different certificate
      • Notes: None
    • Message: mod_ibm_ssl: Initialization error, I/O error during handshake.
      • Reason: An I/O error occurred on a data read or write
      • Solution: Retry connection between client and server
      • Notes: None
    • Message: mod_ibm_ssl: Initialization error, Invalid key length for export.
      • Reason: In a restricted cryptography environment, the key size is too long to be supported.
      • Solution: Make key size smaller
      • Notes: None
    • Message: mod_ibm_ssl: Initialization error, Internal error - read failed.
      • Reason: The read failed
      • Solution: none
    • Message: mod_ibm_ssl: Initialization error, Internal error - write failed.
      • Reason: The write failed.
      • Solution: none
    • Message: mod_ibm_ssl: Initialization error, Socket has been closed.
      • Reason: The client closed the socket before the protocol completed.
      • Solution: Retry connection between client and server
      • Notes: None
    • Message: mod_ibm_ssl: Initialization error, Invalid SSLV2 Cipher Spec.
      • Reason: The SSL version 2 cipher specs passed during initialization were invalid.
      • Solution: Change the version 2 cipher specs that are specified
      • Notes: None
    • Message: mod_ibm_ssl: Initialization error, Invalid SSLV3 Cipher Spec.
      • Reason: The SSL version 3 cipher specs passed during initialization were invalid.
      • Solution: Change the version 3 cipher specs that are specified
      • Notes: None
    • Message: mod_ibm_ssl: Initialization error, Invalid security type.
      • Reason: The SSL security type field that is passed during initialization was not valid
      • Solution: Change the version 3 cipher specs that are specified
      • Notes: None
    • Message: mod_ibm_ssl: Initialization error, Invalid security type combination.
      • Reason: The SSL security type field that is passed during initialization was not valid.
      • Solution: Change the version 3 cipher specs that are specified
      • Notes: None
    • Message: mod_ibm_ssl: Initialization error, Internal error - SSL Handle creation failure.
      • Reason: The handle could not be created
      • Solution: None
    • Message: mod_ibm_ssl: Initialization error, Internal error - GSK initialization has failed.
      • Reason: Initialization failed
      • Solution: None
    • Message: mod_ibm_ssl: Initialization error, LDAP server not available.
      • Reason: Unable to access the specified LDAP directory when validating a certificate
      • Solution: Make sure LDAP server is available
      • Notes: None
    • Message: mod_ibm_ssl: Initialization error, The specified key did not contain a private key.
      • Reason: Key did not contain a private key
      • Solution: Create key with private key
      • Notes: None
    • Message: mod_ibm_ssl: Initialization error, The PKCS#11 driver failed to find the token label specified by the caller.
      • Reason: Specified invalid PKCS#11 token label
      • Solution: Specify a valid PKCS#11 token label
      • Notes: None
    • Message: mod_ibm_ssl: Initialization error, A failed attempt was made to load the specified PKCS#11 shared library.
      • Reason: Specified invalid PKCS#11 shared library/module
      • Solution: Specify a valid PKCS#11 shared library/module
      • Notes: None
    • Message: mod_ibm_ssl: SSL Handshake Failed, A PKCS#11 token is not present for the slot.
      • Reason: PKCS#11 token not present
      • Solution: Specify valid slot for PKCS#11 token
      • Notes: None
    • Message: mod_ibm_ssl: Initialization error, The password/pin to access the PKCS#11 token is either not present or invalid.
      • Reason: Specified user password/pin for PKCS#11 token is not present or invalid
      • Solution: Specify a valid user password/pin for PKCS#11 token
      • Notes: None
    • Message: mod_ibm_ssl: Initialization error, The SSL header received was not a properly SSLV2 formated header.
      • Reason: Incorrectly formatted SSLV2 header.
      • Solution: Retry connection between client and server with valid SSLV2 cipher
      • Notes: None
    • Message: mod_ibm_ssl: Initialization error, The function call, <argument>, has an invalid ID
      • Reason: Function call has invalid ID
      • Solution: None
    • Message: mod_ibm_ssl: Initialization error, Internal error - The attribute has a negative length in: <argument>.
      • Reason: Attribute has a negative length
      • Solution: Make sure attribute does not have a negative length
      • Notes: None
    • Message: Initialization error, The enumeration value is invalid for the specified enumeration type in: <argument>.
      • Reason: Invalid enumeration value for attribute
      • Solution: Specify valid enumeration value for argument
      • Notes: None
    • Message: mod_ibm_ssl: Initialization error, The attribute has an invalid numeric value: <argument>.
      • Reason: Invalid numeric value for attribute.
      • Solution: Specify valid numeric value
      • Notes: None

    Critical Messages

    • Message: mod_ibm_ssl: GSK could not initialize, no keyfile specified
      • Reason: Did not supply a keyfile for keyfile directive
      • Solution: Specify keyfile for keyfile directive
      • Notes: None
    • Message: mod_ibm_ssl: If CRL is turned on, you must specify an LDAP hostname for the SSLCRLHostname directive
      • Reason: Did not specify an LDAP TCP/IP name or address for SSLCRLHostname directive when CRL is enabled
      • Solution: Specify an LDAP TCP/IP name or address for SSLCRLHostname directive
      • Notes: None
    • Message: mod_ibm_ssl: SSL Handshake Failed, Internal error - Bad handle
      • Reason: Bad handle
      • Solution: None
    • Message: mod_ibm_ssl: SSL Handshake Failed, Internal memory allocation failure
      • Reason: Could not allocate internal memory
      • Solution: None
    • Message: mod_ibm_ssl: GSK could not initialize, no keyfile specified
      • Reason: Didn't supply a keyfile for keyfile directive,/li>
      • Solution: Specify keyfile for keyfile directive
      • Notes: None
    • Message: mod_ibm_ssl: If CRL is turned on, you must specify an LDAP hostname for the SSLCRLHostname directive
      • Reason: Didn't specify an LDAP TCP/IP name or address for SSLCRLHostname directive when CRL is enabled
      • Solution: Specify an LDAP TCP/IP name or address for SSLCRLHostname directive
      • Notes: None
    • Message: mod_ibm_ssl: SSL Handshake Failed, Internal error - Bad handle
      • Reason: Bad handle
      • Solution: None
    • Message: mod_ibm_ssl: SSL Handshake Failed, Internal memory allocation failure
      • Reason: Could not allocate internal memory
      • Solution: None
    • Message: mod_ibm_ssl: SSL Handshake Failed, Specified label could not be found in key file.
      • Reason: Specified key label is not present in keyfile
      • Solution: Specify a valid key label
      • Notes: None
    • Message: mod_ibm_ssl: SSL Handshake Failed, Invalid password for keyfile.
      • Reason: The keyfile may be corrupt or the password for keyfile may be incorrect
      • Solution: Specify a valid keyfile and password for keyfile
      • Notes: None
    • Message: mod_ibm_ssl: GSK could not initialize, Neither the password nor the stash-file name was specified. Could not open keyfile.
      • Solution: Specify a valid password and stash-file for keyfile
      • Notes: None
    • Message: mod_ibm_ssl: GSK could not initialize, Could not open keyfile.
      • Reason: Either the path to the keyfile was specified incorrectly or the file permissions did not allow the file to be opened.
      • Solution: Supply valid path to keyfile and make sure permissions are valid
      • Notes: None
    • Message: mod_ibm_ssl: Internal error - GSK could not initialize, Unable to generate a temporary key pair.
      • Reason: GSK could not generate a temporary key pair
      • Solution: None
    • Message: mod_ibm_ssl: GSK could not initialize, Invalid password for keyfile.
      • Reason: The keyfile may be corrupt or the password for keyfile may be incorrect
      • Solution: Specify a valid keyfile and password for keyfile
      • Notes: None
    • Message: mod_ibm_ssl: GSK could not initialize, Invalid label.
      • Reason: Specified key label is not present in keyfile
      • Solution: Specify a valid key label
      • Notes: None
    • Message: mod_ibm_ssl: Initialization error, Internal error - Bad handle
      • Reason: Bad handle
      • Solution: None
    • Message: mod_ibm_ssl: GSK could not initialize, Internal memory allocation failure
      • Reason: Could not allocate internal memory
      • Solution: None
    • Message: mod_ibm_ssl: Initialization error, Invalid date.
      • Reason: The system date was set to an invalid date
      • Solution: Change the system date to a valid date
      • Notes: None
    • Message: mod_ibm_ssl: Initialization error, No ciphers specified.
      • Reason: The client did not supply any cipher specifications during the handshake
      • Solution: Client problem
      • Notes: None
    • Message: mod_ibm_ssl: Initialization error, No certificate.
      • Reason: The client did not supply a certificate
      • Solution: Client problem
      • Notes: None
    • Message: mod_ibm_ssl: Initialization error, The received certificate was formatted incorrectly.
      • Reason: Client certificate is invalid
      • Solution: Client problem
      • Notes: None

    Error messages that can be ignored

    The following error messages may appear, but can be ignored:
    • mod_ibm_ssl: SSL Handshake Failed, Invalid or improperly formatted certificate.
    • mod_ibm_ssl: SSL Handshake Failed, Bad message sent.
    • Mod_ibm_ssl: SSL Handshake Failed, I/O error during handshake.

    Viewing Error Messages from a Target Server Start

    If you encounter an error starting a target server, the error message, line number in the configuration file and the actual line text that caused the error display. To view the line text error in context:

    1. Select the text.
    2. Copy the text.
    3. Go to View Config > Edit Config and press Ctrl + F for "Find"
    4. Paste the text
    5. Click OK.

    Warning Messages

    • Message: mod_ibm_ssl: Setting the LIBPATH for GSK failed.
      • Reason: Memory allocation failure.
      • Solution: The process is low on memory and should be restarted.
      • Notes: None.
    • Message: mod_ibm_ssl: mod_ibm_ssl: Setting the LIBPATH for GSK failed, could not append /usr/lib.
      • Reason: Memory allocation failure.
      • Solution: The process is low on memory and should be restarted.
      • Notes: None.
    • Message: mod_ibm_ssl: SSL Connection attempted when SSL did not initialize.
      • Reason: Should be a previous error message telling why the library did not initialize properly.
      • Solution: Fix the library loading problem.
      • Notes: None.
    • Message: mod_ibm_ssl: Client did not supply a certificate, closing the connection.
      • Reason: The client who connected failed to send a client certificate and the server is configured to require a certificate.
      • Solution: Nothing on the server side.
      • Notes: None.
    • Message: mod_ibm_ssl: Setting the LIBPATH for GSK failed, could not append /usr/opt/gskkm/lib.
      • Reason: Memory allocation failed
      • Solution: The process is low on memory and should be restarted.
      • Notes: None
    • Message: mod_ibm_ssl: Setting the LD_LIBRARY_PATH for GSK failed.
      • Reason: Could not set library path, memory allocation failed
      • Solution: The process is low on memory and should be restarted.
      • Notes: None
    • Message: mod_ibm_ssl: Setting the LD_LIBRARY_PATH for GSK failed, could not append /usr/lib.
      • Reason: Memory allocation failed
      • Solution: The process is low on memory and should be restarted.
      • Notes: None
    • Message: mod_ibm_ssl: Setting the LD_LIBRARY for GSK failed.
      • Reason: Could not set library path, memory allocation failed
      • Solution: The process is low on memory and should be restarted.
      • Notes: None
    • Message: mod_ibm_ssl: Setting the LD_LIBRARY for GSK failed, could not append /usr/lib.
      • Reason: Memory allocation failed
      • Solution: The process is low on memory and should be restarted.
      • Notes: None
    • Message: mod_ibm_ssl: Client did not supply a certificate.
      • Reason: Client certificate not supply
      • Solution: Create a client certificate
      • Notes: None
    • Message: mod_ibm_ssl: SSL Handshake Failed, An incorrectly formatted SSL message was received.
      • Reason: Client sent incorrectly formatted SSL message
      • Solution: Client problem
      • Notes: None
    • Message: mod_ibm_ssl: SSL Handshake Failed, Could not verify MAC.
      • Reason: The message authentication code (MAC) was not successfully verified
      • Solution: Retry connection between client and server
      • Notes: None
    • Message: mod_ibm_ssl: SSL Handshake Failed, Unsupported SSL protocol or unsupported certificate type
      • Reason: Specifed SSL protocol or certificate type was unsupported
      • Solution: Specify a supported SSL protocol or certificate type
      • Notes: None
    • Message: mod_ibm_ssl: SSL Handshake Failed, Invalid certificate signature.
      • Reason: The received certificate contained an incorrect signature
      • Solution: Send a certificate with a correct signature
      • Notes: None
    • Message: mod_ibm_ssl: SSL Handshake Failed, Invalid certificate sent by client.
      • Reason: Incorrectly formatted certificate sent by client
      • Solution: Send correct formatted certificate to server from client
      • Notes: None
    • Message: mod_ibm_ssl: SSL Handshake Failed, Invalid peer.
      • Reason: Invalid SSL protocol received from the client
      • Solution: Send valid SSL protocol to server from client
      • Notes: None
    • Message: mod_ibm_ssl: SSL Handshake Failed, Permission denied.
      • Reason: Internal error
      • Solution: None
    • Message: mod_ibm_ssl: SSL Handshake Failed, The self-signed certificate is not valid.
      • Reason: Specified invalid self-signed certificate
      • Solution: Create valid self-signed certificate
      • Notes: None
    • Message: mod_ibm_ssl: Initialization error, GSK handle is in an invalid state for operatio
      • Reason: Incorrect state for GSK handle
      • Solution: None
    • Message: mod_ibm_ssl: Initialization error, An incorrectly formatted SSL message was received.
      • Reason: Client sent incorrectly formatted SSL message
      • Solution: Client problem
      • Notes: None
    • Message: mod_ibm_ssl: Initialization error, Could not verify MAC.
      • Reason: The message authentication code (MAC) was not successfully verified
      • Solution: Retry connection between client and server
      • Notes: None
    • Message: mod_ibm_ssl: Initialization error, Unsupported SSL protocol or unsupported certificate type
      • Reason: Specifed SSL protocol or certificate type was unsupported
      • Solution: Specify a supported SSL protocol or certificate type
      • Notes: None
    • Message: mod_ibm_ssl: Initialization error, Invalid certificate signature.
      • Reason: The received certificate contained an incorrect signature
      • Solution: Send a certificate with a correct signature
      • Notes: None
    • Message: mod_ibm_ssl: Initialization error, Invalid certificate sent by client.
      • Reason: Incorrectly formatted certificate sent by client
      • Solution: Send correct formatted certificate to server from client
      • Notes: None
    • Message: mod_ibm_ssl: Initialization error, Invalid peer.
      • Reason: Invalid SSL protocol received from the client
      • Solution: Send valid SSL protocol to server from client
      • Notes: None
    • Message: mod_ibm_ssl: Initialization error, Permission denied.
      • Reason: Internal error
      • Solution: None
    • Message: mod_ibm_ssl: Initialization error, The self-signed certificate is not valid.
      • Reason: Specified invalid self-signed certificate
      • Solution: Create valid self-signed certificate
      • Notes: None
    Applies to UNIX

    Common Problems with mod_dav

    The most common problems with mod_dav relate to the file-system permission settings on UNIX servers. The Web server process must have permission to perform the requested action on the server. If the Web server is running as nobody, then that means nobody needs write access to the files and directories the user wants changed. Also, local (server-side) manipulation of files in a DAV repository is not recommended. Specifically, file locks are implemented by mod_dav, not the file system. It is not suggested to look in the wecerr.txt file when you get a Windows error. Instead, refer to the server log.

    Getting started on the Administration Server with the Manage Server Task

    If the task Manage Servers under the folder Getting Started is greyed out:
    1. Ensure you are accessing the IHS Administration Server from the same machine on which the Administration Server is running. For security reasons, changes to the server being administered can only be made by someone who has a valid userid on the machine on which the server is running.
    2. If the "Manage Servers" page is still greyed out, even though you are accessing the Administration Server from a browser running on the same machine, make sure you are not using a proxy for local addresses.

      In Internet Explorer 5:

      1. Go to Tools >Internet Options
      2. Click Connections tab
      3. Click the Lan Settings... button.

        If the box labeled "Use a proxy server" is checked, make sure the box labeled "Bypass proxy server for local adddresses" is also checked. If you have entered the address of a proxy server by clicking on the "Advanced" button in this panel, make sure your local address is listed in the field entitled "Do not use proxy server for addresses beginning with...".

      In Netscape Navigator 4.7:

      1. Go to Edit menu
      2. Select Preferences...
      3. Click on the Advanced option
      4. Select Proxies.
      5. If Manual Proxy Configuration is selected, click on the View... button and make sure your local address is listed in the box with the label "Do not use proxy servers for domains beginning with:".

    Known Problems with Hardware Cryptographic Support

    Applies to AIX
    Applies to HP-UX
    Applies to Linux
    Applies to Solaris
    Applies to Windows NT

    You must have the bos.pkcs11 package installed on AIX, to get the PKCS11 module and to intialize the device on AIX. This requirement is not mentioned in the IBM4758 PKCS11 installation manual located at www.ibm.com/security/cryptocard.

    An update was added to the bos.pkcs11 package to fix a forking problem. This fix is not available on the AIX October and November Update CD.

    The ikmuser.sample file shipped with the GSKit Toolkit, is typically installed in the:

    • /usr/opt/ibm/gskkm/classes directory, on AIX
    • /opt/ibm/gsk5/classes directory, on HP
    • /usr/local/ibm/gsk5/classes directory, on Linux
    • /opt/ibm/gsk5/classes, on Solaris
    • C:\Program Files\ibm\gsk5\classes, on Windows NT

    Renaming this file to ikmuser.properties in the classes directory, enables IKEYMAN to use it for a cryptographic token.

    Applies to HP-UX

    Known Problems on HP

    You cannot install one version of GSKit onto another. Delete the current GSKit files from your system before installing a new GSKit version.

    Known Problems with Netscape

    Netscape 6.0 with transport level security (TLS) enabled, does not work with the IBM Administration Server, due to Javascript problems in Netscape 6.0. Use Netscape 4.7 or Internet Explorer 5.x or above. Netscape 6.0 is not working when configured through a SOCKS server.

    LDAP SSL Limitation with Netscape LDAP Server

    The LDAP client has a limitation when using SSL to communicate to a Netscape Directory server. If the Netscape Directory Server has client authentication enabled, the connection cannot be made. If the IBM HTTP Server is using SSL with LDAP, to check authentication information on a Netscape Directory Server, make sure that client authentication is not enabled on the directory server.

    Using the Administration Server with Netscape

    When editing forms in the Administration Server on Netscape, there is a browser limitation that will not allow you to input large amounts of text. Forms that currently contain large amounts of text can be viewed, but not edited. There are no known limitations when using Internet Explorer.

    You may experience some character corruption when using an English version of Netscape for AIX, to view IBM Administration Server pages in DBCS (Double Byte Character Set) Languages.

    Applies to Solaris

    Known Problems on Solaris

    • ServerName Directive:

      On some Solaris machines (level unknown), an error is received on IHS server startup (apachectl). The error indicates that the ServerName directive is not set in the IHS configuration file (httpd.conf). To resolve this problem, supply a valid ServerName directive.

      This problem can occur starting the IHS Administration Server (adminctl). To resolve the problem with IHS Administration Server, update the ServerName directive in admin.conf.

    Applies to Windows NT

    Known Problems on Windows NT

    • The IHS Server does not start - Reference Apache FAQ.
    • IHS Server does not start. Error log contains this
    • Message: "[crit] (10045) The attempted operation is not supported for the type of object referenced: Parent: WSADuplicateSocket failed for socket ###">

      This problem occurs when IHS Server is run on a system along with a Virtual Private Networking client (e.g. Aventail Connect). Aventail Connect is a Layered Service Provider (LSP) that inserts itself, as a "shim", between the Winsock 2 API and Window's native Winsock 2 implementation. The Aventail Connect shim does not implement WASDuplicateSocket, which the cause of the failure. the shim is not unloaded when Aventail Connect is shut down.

      The problem is fixed by one of the following:

      • Explicitly unloading
      • Rebooting the machine
      • Temporarily removing the Aventail Connect V3.x shim
    Applies to AIX

    Reinstallation of WAS Plug-Ins Following New IHS Installation

    A WASPLUGIN (mod_ibm_app_server.so) is required if you want to use IHS 1.3.6.4 on AIX and are using WAS V2.0.3.1, WAS V3.0.2, or WAS V3.0.2.1. To install the plug-in, ensure the HTTP Server is not active.

    1. If your IBM HTTP Server is running, issue the ./apachectl stop command from the /usr/HTTPServer/bin directory.
    2. Determine which version of WebSphere is installed on your machine:
      lslpp -L|grep IBMWeb
      command from your command line.
    3. If you are using WAS V2.0.3.1, get the WASV2.0.3.1 plug-in from the download site.
    4. If you are using WAS V3.0.2, get the WASV3.0.2 plug-in from the download site.
    5. If you are using WAS V3.0.2.1, get the WASV3.0.2.1 plug-in from the download site.
    6. Untar the WAS plug-in file, by issuing the untar -xvf <WAS Plug-in filename.tar> command
    7. Once this file is untarred, mod_ibm_app_server.so file is present
    8. Change to the WAS bin directory, typically /usr/WebSphere/AppServer/bin, by issuing the cd /usr/WebSphere/AppServer/bin command.
    9. Once you are in the /usr/WebSphere/AppServer/bin directory, backup the mod_ibm_app_server.so file that is present, by issuing the cp mod_ibm_app_server.so mod_ibm_app_server.so.bak command.
    10. Copy the mod_ibm_app_server.so from the WAS plug-in tar file to the /usr/WebSphere/AppServer/bin directory, by issuing the cp / <directory to WAS plug-in mod_ibm_app_server.so file> /mod_ibm_app_server.so /usr/WebSphere/AppServer/bin command.
    11. Start the IBM HTTP Server and resume normal operations by issuing the ./apachectl start command from the /usr/HTTPServer/bin directory.

    Security on Internet Explorer 5.01x

    If IBM HTTP Server is using a Global Server ID for SSL transactions, a 40-bit encryption browser should be allowed a connection to a server at 128-bit encryption. This will not work for someone using Internet Explorer 5.01x. You can fix this situation, by adding the following directives to the IBM HTTP Server configuration file:

    Note: The directives must be added in the order shown.

     

    SSLCipherSpec 34
    SSLCipherSpec 35
    SSLCipherSpec 3A
    SSLCipherSpec 33
    SSLCipherSpec 36
    SSLCipherSpec 39
    SSLCipherSpec 32
    SSLCipherSpec 31
    SSLCipherSpec 30

    Customer Service and Support

    For help, see the WebSphere support page.

    You can also contact the IBM Software Support Center (1-800-IBM-SERV in the US and Canada). For more information on software support services and contact numbers in other countries, refer to the Software Support Handbook.