/conf/admin.conf`.
### [warn] (OS 10038)An operation was attempted on something that is not a socket.
If this message occurs just after IHS has begun shutting down (\"Child
process is ending\"), it can be safely ignored.
If this message occurs during steady-state, it is likely the result of
buggy third-party firewall or anti-virus software. See [other
entry](#LSP).
### (OS 10048)Only one usage of each socket address (protocol/network address/port) is normally permitted. : **proxy**: HTTP: \....
This error occurs when IBM HTTP Server is asked to rapidly create
connections to the same backend server via mod\_proxy\_http, but windows
is configured to only allow a lower number of local (ephemeral) ports.
This FAQ is only correct when the error message includes the \"proxy\"
text bolded above, not anytime the preceding part of the message appears
as a prefix of other messages.
See the `MaxUserPort` TCP/IP registry settings to increase this limit.
### [crit] (OS 5)Access is denied. : Parent: Failed to create the child process
This can occur if startup fails due to firewall or antivirus software.
## Startup messages
### /opt/IBMHttpServer/bin/httpd: relocation error: /opt/IBMHttpServer/bin/httpd: undefined symbol: apr\_table\_compress
This is a symptom of IBM HTTP Server finding the wrong version of the
`libapr-0.so` at runtime. `libapr-0.so` is provided with the IBM HTTP
Server installation in the lib/ subdirectory, and is found by a
platform-specific environment variable in `IHSROOT/bin/envvars`.
- Verify that the library path set in `IHSROOT/bin/envvars` includes
the libs/ subdirectory if you have altered your installation.
- If you\'ve modified the `apachectl` script, or are using some other
custom method to start IHS, make sure it\'s sourcing the proper
`IHSROOT/bin/envvars` file
### [crit] (17)File exists: unable to create scoreboard \"/opt/IBMIHS/logs/*xxxx*
The *xxxxx* portion of the message varies based on the value of the
[ScoreBoardFile](http://publib.boulder.ibm.com/httpserv/manual60/mod/mpm_common.html#scoreboardfile)
directive.
Either there are multiple web server instances configured with the same
ScoreBoardFile directive or there is a single instance configured with
ScoreBoardFile and it did not shutdown cleanly.
The recommended solution in either case is to remove the ScoreBoardFile
directive and restart.
The only situation where ScoreBoardFile is needed is if a third-party
application which reads the web server shared memory is in use and that
application specifies that the ScoreBoardFile directive is required.
That is very rare.
### [crit] (67)Address already in use: make\_sock: could not bind to address nnn.nnn.nnn.nnn port 80
This can occur at startup or restart if some other process is listening
to the specified port and optional address.
### [error] SSL0157E: Initialization error, The function call, gsk\_attrib\_set\_buffer(env\_handle, GSK\_STRICTCHECK\_CBCPADBYTES, 1, has an invalid ID
This can occur at startup for IHS 6.1.0.47 if the PI31516 interim fix is
applied without first upgrading GSKit to a minimum required version as
described in the `Prerequisites` section of the [PI31516 interim fix
document](http://www-01.ibm.com/support/docview.wss?uid=swg24039197).
Upgrade the global GSKit as specified to resolve the problem.
## SSL-specific messages
### SSL0200E: SSL Handshake Failed: \...
SSL0200E is issues for SSL handshake errors that do not have a more
specific error code associated with them. Often, a numeric code will be
listed that contains additional detail.
* SSL0200E: SSL Handshake Failed: (447)GSK\_ERROR\_CERTIFICATE\_INVALIDSIGALG.
GSK\_ERROR\_CERTIFICATE\_INVALIDSIGALG is returned by two separate
cases. Both require reviewing a binary, unfortmatted packet capture.
* If the client sent no list of acceptable signature algorithms
during the handshake, the server is only permitted to respond
with a relatively weak SHA1 certificate. If the configured
certificate is not signed with exactly SHA1, this error is
issued.
* If the client sent a list of acceptable signature algorithms,
and the configured certificate does not overlap with the
algorithms in the handshake, this error is issued.
In later releases, this sub-message is replaced by SSL0280E.
* SSL0200E: SSL Handshake Failed: (454)GSK_ERROR_ILLEGAL_PARAMETER
* This requires GSKit 8.0.55.13 or later in PH21804.
* SSL0200E: SSL Handshake Failed: (14)GSK_ERROR_UNEXPECTED_INT_EXCEPTION.
* This often means a certificate in the server certificates trust chain
has becom expired after server startup. After a restart, the symptom
will turn into SSL0208E: SSL Handshake Failed, Certificate validation error.
* See [https://www.ibm.com/support/pages/node/6218244](https://www.ibm.com/support/pages/node/6218244)
* Anything else: Must be diagnosed by support with a binary packet
capture and GSKit trace.
### SSL0280E: SSL Handshake Failed, the configured certificate chain contains a signature that is not compatible with peers TLS Signature Algorithm requirements.
TLS 1.2 and later allows a client to inform the server what certificate signature algorithms it finds acceptable. Among other things, this allows a server to choose from multiple certificates based on client capabilities.
Under normal circumstances, SSL0280E usually means that the server has no certificate that matches the clients preferences. Browser based clients will often retry with a larger and more lenient set of acceptable signature algorithms, for example adding SHA1 back into the acceptable list.
- On AIX, Linux, and Windows only the leaf/personal certificate is checked by the server, not the entire certificate chain.
- On z/OS, the entire certificate chain is validated against the clients list of signature algorithms.
- Prior to z/OS APAR OA63632, a behavior change in z/OS 2.5 prevents browsers from performing a retry and can result in the browser displaying an ERR_BAD_SSL_CLIENT_AUTH_CERT error.
### SSL0232W: SSL Handshake Failed, Unsupported SSL protocol or unsupported certificate type.
See [ssl_questions.html#TLS13](ssl_questions.html#TLS13)
### SSL0235W: SSL Handshake Failed, Invalid peer.
* Note: This item has been largely n/a since RC4 was removed in
8.5.5.6 and later.
In IHS 8.0 and later with `SSLProxyEngine` enabled, *SSL0235W* can
be issued if `SSLCipherSpec` has not been configured and the backend
negotiates TLS1.2 + an RC4 cipher. The defaults are desgigned for
server side usage, not client side as in the proxy.
```apache
SSLCipherSpec ALL -SSL_RSA_WITH_RC4_128_SHA -SSL_RSA_WITH_RC4_128_MD5
```
If your symptom is not related to `SSLProxyEngine`, this entry is
unlikely to apply.
* If upgrading past 8.5.5.12 with `SSLProxyEngine`, the failure could
be related to connecting to a non-TLS1.2 backend that chooses
ECDHE\_RSA ciphers added to the TLS1.2 defaults in 8.5.5.12. Due to
a limitation of the SSL protocol, the server cannot know that IHS
does not suppor the ECDHE\_RSA ciphers for TLS1.1 or TLS1.2.
To resolve the issue, configure the backend server to use TLS1.2 or
disable ECDHE\_RSA ciphers in IHS.
### [crit] SSL0193W: Error setting GSK\_ALLOW\_ABBREVIATED\_RENEGOTIATION to 0 (701)
Starting IHS with LD\_LIBRARY\_PATH that includes /usr/lib forces a
global GSKit to be used rather than the one bundled with IHS and
configured via SHLIB\_PATH. Remove any directories that contain GSKit or
Apache files from any LD\_LIBRARY\_PATH set before invoking `apachectl`,
or unset it entirely in \$IHSROOT/bin/envvars.
### SSL0166E Failure attempting to load GSK library
See [gather_startup_doc.html#SSL0166E](gather_startup_doc.html#SSL0166E)
### [error] SSL0104S: GSK could not initialize, Invalid password for keyfile.
The InfoCenter lists this message as `SSL0104E` instead of `SSL0104S`.
For each KDB file IHS is configured to use, IHS will also try to open a
file with the same file extension changed to *.sth*. If IHS cannot find,
open, or read this file the above error will be reported.
- 9.0.0.8/8.5.5.13 and earlier can fail to properly read stash files
if they were created with a later level of IHS (via gskcapicmd)
or Java (via WAS, Ikeyman, ikeycmd, or gskcmd). This is related to
a flaw in "version 2" stash files.
- 8.5.5.10/9.0.0.2 and earlier can fail to properly read stash files
if they were created with a later level of IHS (via gskcapicmd)
or Java (via WAS, Ikeyman, ikeycmd, or gskcmd). This is due to the
use of "version 2" stash files.
- If the stash file does not exist, it can be created in Ikeyman or
gskcapicmd.
- Be sure the userid and group that IHS is configured to run under
have read and execute access to every intermediate directory and to
the .sth file itself.
- IHS can fail to properly read the stash files if a GSKit other than the one bundled with IHS is being loaded. If the GSKit version reported in the error log is different from that reported by bin/gskver, check bin/envvars and bin/apachectl for any non-IHS paths included in LD_LIBRARY_PATH and LD_PRELOAD.
### SSL0154E: Initialization error, A PKCS\#11 token is not present for the slot
With GSKit v8, if the `SSLServerCert` looks correct and verifies in
Ikeyman, check the following items:
- [ikeyman V8 new configuration steps were used](cryptohw.html#ikeymanv8)
- [LoadFile or LD\_PRELOAD used with IHS and gskcapicmd on z/Linux](cryptohw.html#Z90CRYPT)
Depending on the level of Linux used, this may manifest as other
SSL0xxxx codes.
### [error] SSL0208E: SSL Handshake Failed, Certificate validation error.
#### GSKit 8.0.50.88 or 8.0.55.11 (IHS 9.0.5.2 and 9.0.5.3)
IHS with GSKit 8.0.50.88 through 8.0.55.11 (inclusive) can erroneously report this error
when a certificate in the servers chain does not have explicit "signature algorithm parameters".
Apply 9.0.5.4 or later, or contact support for an interim fix containing a cumulative GSKit
update (PH24493 or later).
#### Typical causes
This message may appear if your `KeyFile` does not contain all of the necessary
intermediate and root certificate authorities necessary for validating your
personal certificate.
You must acquire the complete cert chain from your Certificate vendor,
and \"add\" a complete cert chain (from the top down) using Ikeyman.
The following steps illustrate how to determine which certificate may be problematic
or missing:
1. Determine the path to your `KeyFile` by reviewing httpd.conf. For example,
`conf/key.kdb`
1. Determine the certificate label you're using by either finding
`SSLServerCert` in your httpd.conf or viewing the "default certificate"
via :
> bin/gskcapicmd -cert -getdefault -db conf/key.kdb -stashed
For example, "my-certlabel"
1. Validate the certificate being used on the command line:
> bin/gskcapicmd -cert -validate -db conf/key.kdb -label my-certlabel -stashed
1. Look for an error message beginning with `GSKKM_VALIDATIONFAIL_SUBJECT` and observe
the Issuer and Subject of the certificate which cannot be validated.
> GSKKM_VALIDATIONFAIL_SUBJECT: [Class=]GSKVALMethod::PKIX[Issuer=]CN=my-signer[#=]549ab2886a97f86f[Subject=]CN=example.com,O=ibm,C=US
* This output shows details about the certificate within the chain that failed validation. It may be invalid (rare) or its
issuer may not exist in the keystore (common). Use a series of `-list` and `-details` to double-check that the signer is present.
> bin/gskcapicmd -cert -list -db conf/key.kdb -stashed
> bin/gskcapicmd -cert -details -db conf/key.kdb -label ... -stashed | egrep '^(Subject|Issuer)'
1. If any signer is not present, obtain it from your certificate authority and add it:
> bin/gskcapicmd -cert -add -db conf/key.kdb -label my-certlabel-ca -stashed -file downloaded-cert.cer
There are some obscure problems which can cause components of a
seemingly complete certificate chain to be disregarded by GSKit. The
gskcapicmd and gskcmd utilities bundled with IBM HTTP Server V8R0 and
later understand a \"-cert -validate\" option which allows the chain to
be validated outside of the webserver. If this fails despite a seemingly
complete certificate chain, review the chain for the issues below:
1. A certificate in the chain is signed with Signature Algorithm
RSASSA-PSS (1.2.840.113549.1.1.10) (visible with gskcapicmd -cert
-details \...) which is the default algorithm in some Microsoft
based certificate tools but is not supported by IHS. It is also not
supported by TLS1.2.
2. What appears to be a valid certificate chain by comparing the
Distinguished Name of each issuer, but the actual issuer has a
different SubjectKeyIdentifier then the issued certificates
AuthorityKeyIdentifier
This means two issuers exist with the same DN, but different Key
ID\'s, and likely different private keys used for signatures. A
GSKit trace might report \'cms\_setSSLKey bad rc\' and
> \'Verify failed: : error:0407006A:rsa
> routines:RSA\_padding\_check\_PKCS1\_type\_1:block type is not 01
> error:04067072:rsa routines:RSA\_EAY\_PUBLIC\_DECRYPT:padding
> check failed
### [error] SSL0209E: SSL Handshake Failed, ERROR processing cryptography.
- If this message appears during IBM HTTP Server restart or shutdown:
The message can be ignored. The crypto accelerator operation was
aborted during shutdown.
- If this message appears continuously during normal operation:
1. Verify that the crypto accelerator configuration is correct.\
If the crypto accelerator is accessed using a PKCS11 driver, a
common configuration error is that the IHS user id has not been
added to the pkcs11 group. Check the User directive in
httpd.conf for the relevant user id.
2. If a configuration problem cannot be found, contact the vendor
of the cryptographic accelerator for assistance with diagnosing
the error returned by the accelerator.
3. If a high ThreadsPerChild is used, make sure ulimit -n is more
than 3-4 times ThreadsPerChild
4. If it happens for a particular client with \'SSLClientAuth\'
configured, that client is likely broken or has an invalid
key-pair.
5. On z/Linux with TLS13, see APAR PH39992 (9.0.5.10)
- If this message appears without PKCS11 crypto hardware, see the final section
of the diagnostic info for [SSL0212E](#SSL0212E).
### [error] SSL0115E: Initialization error, Error validating ASN fields in certificate.
SSL0115E occurs when the server certificate has a problem that's detected at startup
and will result in a startup failure.
See [Error processing X509 certificate](gather_certificate_doc.html#X509) for some
possible causes; they are the same problems that could also be reported
when importing or receiving a certificate.
For a historical cause of SSL0115E not directly related to the ASN.1 encoding of
certificates, see [gather_startup_doc.html#SSLERR](gather_startup_doc.html#SSLERR)
### [error] SSL0210E: SSL Handshake Failed, ERROR validating ASN fields in certificate.
SSL0210 occurs when the server certificate has a problem. See [Error
processing X509 certificate](gather_certificate_doc.html#X509) for some
possible causes; they are the same problems that could also be reported
when importing or receiving a certificate.
### [error] SSL0221E: SSL Handshake Failed, Either the certificate has expired or the system clock is incorrect
This means a certificate in the servers certificate chain has expired. It could be the personal certificate
of the server, an intermediate, or the root.
- Check that the expected `KeyFile` is in use
- If `SSLServerCert` is not in use, verify the default certificate in the key store is not expired
- If `SSLServerCert` is in use, check that the expected label is used and that it's not expired
- Check the system time
### [warn] SSL0222W: SSL Handshake Failed, No ciphers specified.
SSL0222W occurs when the client and server don\'t share any SSL ciphers,
which may be a result of overly-restrictive values for
`SSLProtocolDisable` or `SSLCipherSpec`
- If a protocol was recently disabled with `SSLProtocolDisable`, it\'s
likely the client was using that protocol. A binary packet capture
will reveal the clients requested protocol.
- If you just updated to 8.5.5.4 or later from an earlier fixpack,
your clients likely depend on SSLv3 which i disabled by default in
this maintenance level. It is recommended to fix the client rather
than re-enabling SSLv3.
- If you\'ve configured a custom cipher list, and enabled ONLY
ECDHE\_ECDSA ciphers, this failure will occur unless you have a
relatively uncommon certificate with an ECDSA private key (instead
of an RSA private key). It is not currently portable to use
ECDHE\_ECDSA if your clients are normal web browsers.
After APAR PI27904, this message has an added suffix indicating that the
problem could be any missing overlap in ciphers or protocols.
### [error] SSL0212E: SSL Handshake Failed, Internal unknown error. Report problem to service
- If this error occurs after GSKit 8.0.55.31 (IFPH52546, 9.0.5.16, 8.5.5.24) and `SSLFIPSEnable` is specified,
remove any added RSA Key Exchange ciphers. RSA Key Exchange ciphers are disabled by default, and after 8.0.55.31 will fail
under FIPS.
- If this error is accompanied by long handshake times, it may be a misreported SSLHandhsakeTimeout
which defaults to 10 seconds.
- If this error occurs after moving 9.0.5.2 or 9.0.5.3, and no PKCS11 hardware is in use,
apply the cumulative GSKit update PH21804. For relief, disable TLSv13 by setting
`SSLProtocolDisable TLSv13` after each `SSLEnable` directive.
This error normally means IHS asked a PKCS11 adapter to perform an operation and it
unexpectedly failed. The sequence of PKCS11 calls can be analyzed by IBM support, but it
will generally only be useful in giving the PKCS11 vendor a basic description of the error.
Over time, IBM support has noted several PKCS11 misconfigurations of various
PKCS11 libraries:
- With Luna adapters, ensure `Apache = 1;` is set in the `Misc` section of `Chrystoki.conf`
(or similar Luna configuration file)
- On SLES 11 SP1, overlapping copies of the `libica` library can break
PKCS11 offload in IHS. Remove all versions of `libica` from the
system, then install the packages from the latest major revision of
the `libica` packages for 64-bit and 32-bit. Contact Novell for more
information about the coexistence of these two packages that have
the same filesystem contents. Note: libica is only used for the built-in
crypto offload on z/Linux.
- On Linux, using z/Linux crypto or any other PKCS11 adapter that uses "pkcssslotd",
this error message or a crash can occur if the user set in
the User directive is not a member of the pkcs11 group, or if the
pkcsslotd daemon is not started.
- On Solaris, this error can occur when Niagra-based crypto hardware
has not been correctly configured. GSkit trace reveals the following
error:
[`C_Login() returned error 0x32 (CKR_DEVICE_REMOVED)`]{style="margin-left; 1em"}.\
Solution: Check the ownership of the directory and contents of the
SOFTTOKEN\_DIR and make sure the configured \"User\" and \"Group\"
directives match. On Niagra, these values should generally not be
\"nobody\" but some user/group created to use the crypto offload.
- On Luna (Gemalto) HSM's with High Availability (HA) configured, this can happen
if the PKCS11 client library loses connectivity to an HA member. If there is only
1 HA member, connectivity will never be re-restablished without a webserver restart.
If this is the cause, a GSKit trace will show `C_OpenSession` returning `CKR_TOKEKN_NOT_PRESENT`.
- On HSMs with a hard limit on the number of "open sessions", this error could be returned
if IHS exceeds that limit. This should be unlikely as IHS does _not_ use one session
per connection. IHS uses one session per SSL enabled virtual host using PKCS11 per
IHS child process.
- If no specific matching cause is listed, traces have to be analyzed by support. If the
PKCS11 adapter fails to perform some operation that has been delegated to it, only the vendor
can debug further.
In some rare cases, this message is issued when no PKCS11 adapter is present.
- On Solaris, GSKit prior to 8.0.55.8 may begin issuing this error after an internal
crypto library failure. If applying APAR PH13105 does not resolve the issue,
IBM support should be engaged to analyze the results/traces resulting from the following:
1. Test with gsk8/lib64/C removed (full stop/start required).
1. Touch the file `/tmp/GSKIT_CRYPTO.log` and recreate the symptom and share the report with IBM (full stop/start required)
### [error] SSL0223E: SSL Handshake Failed, No certificate.
Verify that at least one personal certificate exists in the KDB file
specified by the `KeyFile` directive. If no certificate is marked as
default (an asterisk appears next to its label), your configuration must
include an `SSLServerCert` directive for each virtual host containing an
`SSLEnable` directive.
If TLSv1.3 is enabled, this error can be reported if the configured certificate
chain uses banned signature algorithms such as MD5 and SHA224, even if the client
doesn't try to negoiate TLSv1.3. This is a specification requirement for all
negotiated protocols.
Additionally with TLSv1.3, clients specify a list of acceptable signature algorithms. Some
browsers will omit the legacy SHA1 signature algorithm, resulting in this error.
Note: Some levels of IHS can report this error instead of [SSL0222W](#SSL0222W).
### SSL0234W: SSL Handshake Failed, The certificate sent by the peer has expired or is invalid.
- With `SSLProxyEngine ON` see the advice above for error SSL0266E.
- This message can be written when OCSP or CRL verification encounters a
revoked certificate
- This message can also be written when ASN.1 parsing of a client
certificate fails. See [gather\_certificate.doc.html\#T.61](gather_certificate_doc.html#T.61)
for details
### [warn] SSL0226I: SSL Handshake Failed, I/O error during handshake.
The communication between the client and the server failed. This is a
common error when the client closes the connection before the handshake
has completed.
If a load balancer is configured to try to establish a TCP connection to
the SSL port at intervals, the SSL0226I message can occur repeatedly, at
the configured interval.
### SSL0263W: SSL Connection attempted when SSL did not initialize
In very old releases, SSL0263W could repeatedly occur if there was a
fatal SSL configuration error, such as a missing `KeyFile`. Most of
these kinds of errors now result instead in a startup failure.
SSL0263W can be issued if mod\_ibm\_ssl goes from being not loaded (via
`LoadModule`) to being loaded across an *graceful* restart. While in
general modules may be removed or added during a graceful restart,
mod\_ibm\_ssl cannot support this sequence.
### [warn] SSL0265W: Client did not supply a certificate.
This message is received when SSLClientAuth required is specified, but
IBM HTTP Server did not receive a client certificate during the SSL
handshake. Additionally a 403 Forbidden error will appear at the
browser. If the browser has a certificate installed, verify that the
certificate authority (CA) which created the client certificate has a
signer certificate installed in IBM HTTP Server\'s key database (.kdb)
file. If not, use iKeyman to import the signer certificate information
from the client certificate.
Under TLSv13, this can be reported when the client sends a "post_handshake_auth"
extension during the handshake. The client certificate is not available with the
initial handshake and IHS will not recognize it at this time.
### [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection
This error is reported for almost any SSLProxyEngine error on an
outgoing connection. If it is not followed by a more specific error
message (on the next line), recreate with LogLevel debug and look
for a secondary error message.
* If this message appears when moving to 9.0.5.2 or 9.0.5.3 for the first
time, it is likely the backend server has the deprecated SHA1 signature
algorithm somewhere in its certificate chain. The message will have a suffix
including 'GSKit error 414: GSK_ERROR_BAD_CERT'.
To resolve, add the following directives after `SSLProxyEngine ON`:
```
SSLAttributeSet proxy:483 1`
SSLAttributeSet proxy:4027 1
```
This allows mod_proxy to accept ALL signature algorithms. The first directive applies to TLS1.2 and earlier and
the second directive applies to TLS 1.3.
### [error] SSL0224E: SSL Handshake Failed, Invalid or improperly formatted certificate
SSL0224E can have multiple causes. The error message has been lengthened
post-GA to include more specific information relevant mostly to TLSv1.2.
1. If the message has trailing information about a \"bad\_certificate\"
TLS alert coming from the client, the client may simply not trust
the server. In later service levels, this may be reported as
SSL0282E.
User Action: Configure the trust store on the client
2. The servers certificate chain may be using weak signature algorithms
(MD5, SHA1) or small key sized.
User Action: Review the strength of the servers certificate chain
and replace if necessary.
3. The client requested a TLS1.2 connection and restricted the set of
certificate signature algorithms it was willing to accept, but no
cert chain with matching signature algorithms was available in IHS.
User Action:
- Obtain a certificate for IHS matching the algorithms requested
by the strict client \-- consult your CA.
- Configure the client to be more permissive \-- consult the
vendor of the client.
- Disable TLSV1.2 with SSLProtocolDisable to force protocols that
do not use the signature algorithm extension.
### SSL0279E: SSL Handshake Failed due to fatal alert from client.
This message is issued when the client/browser side of an HTTPS connection
terminates the handshake by sending a TLS alert. The message will continue
to display the particular alert IHS received that signaled the end of the
handshake.
Common alerts and their meanings:
#### Alert: certificate_unknown
>Client sent fatal alert [level 2 (fatal), description 46 (certificate_unknown)]
The "certificate_unknown" alert means the client/browser rejected the servers TLS
certificate for unspecified reasons. It is likely that the end user saw a HTTPS-related warning about an untrusted server. Some potential reasons are listed below:
If the hostname requested by the client doesn't match any `Subject Alternative
Name` extension in the servers certificate, recent popular browsers may treat
the server as untrusted, even if the hostname requested matches the certificates
`Common Name` (CN). To remedy this situation, access the server by a name listed
in the SAN extension or request a new certificate with additional names listed in
the SAN extension
This alert can also be sent when the certificate has been revoked by the
certificate authority, and the browser checks the online revocation source in
the certificate. Since not all browser/releases/configurations check revocation
lists, the failures may be grouped among certain users / IP addresses.
Notes:
- When this message is issued, no HTTP request was ever made. The browser may however retry on a new SSL connection after displaying a warning (or maybe not at all).
- If you are debugging any failure in processing an HTTP request, ignore this error.
- After PH19074, SSL0279E errors that are a result of `certificate_unknown` alerts will provide additional details under message id SSL0284E.
- Beginning in 9.0.5.5 and 8.5.5.18, SSL0279E and SSL0284E are reduced to LogLevel "info" from "error" when the certificate_uknown alert
is received.
#### Alert: unknown_ca
>Client sent fatal alert [level 2 (fatal), description 48 (unknown_ca)]
This alert is sent when the client/browser does not trust the certificate
authority that signed the servers certificate. To remedy this situation,
obtain a certificate from a trusted authority or establish trust of the current
issuer on each system that will access the server.
### [error] SSL0267E: SSL Handshake Failed, Timeout during handshake operation.
This message is received when a timeout occurs at any stage in the SSL
handshake, indicating that the client did not send an expected message
in time. This includes the client sending its initial handshake message
after opening the connection.
This is controlled by the core
[Timeout](http://publib.boulder.ibm.com/httpserv/manual70/mod/core.html#timeout)
directive, not
[SSLV2Timeout](http://publib.boulder.ibm.com/infocenter/wasinfo/v7r0/topic/com.ibm.websphere.ihs.doc/info/ihs/ihs/rihs_ssldirs.html)
or
[SSLV3Timeout](http://publib.boulder.ibm.com/infocenter/wasinfo/v7r0/topic/com.ibm.websphere.ihs.doc/info/ihs/ihs/rihs_ssldirs.html)
.
Enabling log level debug and SSL trace might provide more information
about at what stage the problem is occurring.
### [error] SSL0404E: I/O failed RC [504]
This can occur when the client sends an invalid TLS record. In future
levels of IHS, it is reported as SSL0412E. Some known defects that
trigger this message follow.
1. The TLS specification limits the length of each record to 2\^14 /
16384 bytes. If a client specified anything between 2\^14 + 1 up to
2\^16 (65k), this error will be logged. The client needs to be
fixed.
This can be detected in `SSLTrace` or a GSKit trace. In `SSLTrace`
you will likely see a message like \"SSL read begin bytes
[16385]\" where the number in brackets is greater than 16384. In a
GSKit trace, the equivalent message is \"S\_Read trying to read
16385\"
### [error] SSL0404E: I/O failed, insufficient storage.
IHS 2.0.47.1 requires cumulative fix PK07831 [or
later](questions.html#20EFIX) to be compatible with GSKit versions
7.0.3.12 and higher.
### [error] [84a0a58] SSL0409I: I/O Error occurred.
This message can be written to the error log when a client disconnects,
and can be safely ignored. The message has been seen on Linux with fix
packs 6.1.0.15, 6.1.0.17, or 6.0.2.27. The unnecessary message is
removed with [APAR
PK64092](http://www-1.ibm.com/support/docview.wss?rs=177&context=SSEQTJ&dc=DB550&uid=swg1PK64092&oc=en_US&cs=UTF-8&lang=en&rss=ct177websphere).
### [crit] \... SSL0227E: SSL Handshake Failed, Specified label could not be found in the key file.
- This error can occur with `SSLFIPSEnable` and key stores created with GSKit 8.0.55.29 or later
without the `-pqc false` argument. A later release of GSKit will lift this limitation under FIPS.
To address, create a new KDB with `-pqc false` and import the contents from the first key store (or export to the new key store)
- If SSLServerCert is not present, check that the \*.kdb specified by
the KeyFile directive has a default certificate specified, or
specify SSLServerCert to select a certificate explicitly. KDB files
imported from other formats will not typically have a default.
- If SSLServerCert does not contain a colon (\':\') character, check
the the \*.kdb file specified by the KeyFile directive contains a
certificate with a matching label and that the certificate is marked as
a 'personal certificate'.
- If SSLServerCert is of the form `token:certlabel`, make sure configuration
was done using the "PKCS11Config" mechanism in Ikeyman V8 (included with
the Java bundled with IHS V7 and later.
See [cryptohw.html\#ikeymanv8](cryptohw.html#ikeymanv8) for more
information.
- If SSLServerCert is of the form `token:certlabel`, make sure the
\"certlabel\" component is in the proper case (you can view the
proper case with gsk7capicmd/gskcapicmd -crypto but not Ikeyman or
gsk7cmd/gskcmd).
### [crit] SSL0600S: Unable to connect to session ID cache
Also:
`[crit] (146)Connection refused: SSL0600S: Unable to connect to session ID cache`
Also:
`[crit] (13)Permission denied: SSL0600S: Unable to connect to session ID cache`
See [sidd connect failures](sidderror.html#CONNFAIL).
### SSL0230I: SSL Handshake Failed, An incorrectly formatted SSL message was received.
* This message can occur when TLSv13 is enabled (9.0.5.2 and later) and the client fails to connect with an SSLv2 record.
Many years ago, clients could send SSLv2 records with TLSv10 (or later) handshakes for maximum interoperability. This is not
supported when TLSv13 is enabled. In 9.0.5.8 SSL0230I was expanded to cover this case if the first byte of the handshake looks
like an SSLv2 record. This applies to Java 6 and IE11.
* This message can appear when SNI (Server Name Indication) is used for
certificate selection, but the selected label is not present, failed
validation, or does not match the clients signature algorithm requirements.
The message was expanded with SNI details in 9.0.5.3.
* With SSLProxyEngine ON and ProxyRemote in IHS 8.5.5 and earlier, this
message will appear because IHS does not support using ProxyRemote to
contact backend HTTPS servers. This is functionality added to Apache
HTTP Server 2.2.15 and not present in IBM HTTP Server.
* In 8.0 and later, many SSL0230I are reported as a different message code
[\#SSL0222W](#SSL0222W).
### SSL0240I: SSL Handshake Failed, Socket has been closed.
This message means that the client (browser) closed the underlying
connection unexpectedly during a TLS handshake. It is impossible for the
server to know why, it must be debugged on the client side.
* One historical case in which this message is issued is when Windows
based TLS clients detected a weak (md2, md5) signature in a
certificate chain.
### SSL0247E: Handshake Failed, LDAP server not available
If `SSLCRLHostname` is a hostname or IP address, the server is likely
down or firewalled.
If `SSLCRLHostname` is the special case value \"URI\", then the CRL
Distribution Point in a provided client certificate is either
unreachable, returned an invalid response, or returned a response over
the default HTTP CRL size limit (200KB). See
[gather\_crl\_doc.html\#limits](gather_crl_doc.html#limits) to increase
the limits.
## z/OS-specific messages
### core
#### \"apr\_pollset\_poll failed. Attempting to shutdown process gracefully\"
This message may be logged when the server is leaking resources due to
PI68803.
### mod\_auth\_saf
#### [error] [client *ip-address*] (*errno*)*error-string* (errno2=*errno2*): SAF user *userid*: authentication failure for \"*request-uri*\": Password Mismatch
The server logs this message when an invalid password is specified. The message may be more specific after PI85804.
Common error conditions are:
- 111, 0x*nnnn*0000 , The password is of a valid length but is not valid.
- 121, 0x*nnnn*02A7 (JRPasswordLenError), SAF reports that the password has an invalid length. (mod\_auth\_saf did not make this determination.)
#### [error] [client *ip-address*] (*errno*)*error-string* (errno2=*errno2*): SAF user *userid* not found: *request-uri*
The server logs this message when an invalid user id is specified. The message may be more specific after PI85804.
Common error conditions are:
- 143, 0x*nnnn*05DD, The user id is of a valid length but is not defined to SAF.
- 121, 0x*nnnn*02A6 (JRUserNameLenError), SAF reports that the user id has an invalid length. (mod\_auth\_saf did not make this determination.) |
#### [debug] (168)user [username]: SAF authentication failure 401-168 for [request-uri]: password has expired
The server logs this message when a user has entered a correct SAF
password, but the password has expired. A call to the function
\_\_passwd() returned EMVSEXPIRE. Access is denied.
To enable updating of expired SAF passwords using the server, code the
directive \"AuthSAFExpiration\". For example:
AuthSAFExpiration on
You may also tailor the message to be presented at the client by coding
some brief text instead of \"on\". For example:
AuthSAFExpiration "EXPIRED PW: oldpw/newpw/newpw"
You can also use the optional AuthSAFReEnter directive to further tailor
the next password message issued at the client. For example:
AuthSAFReEnter "New PW again:"
### [crit] [client *ip-address*] (157)EDC5157I An internal error has occurred. (errno2=0x090C02AF): user *userid*: SAF authentication failure 500 for *request-uri*: function is not supported
The server logs this message when a call to the function \_\_passwd()
returns EMVSERR.
Check the errnoJr value for the exact cause. The most common cause, as
seen in the example above where errno2 is 02AF, is that you have not
marked for program control one or more modules that the server loads.
You can use the command \"extattr +ap [modulename]\" to mark a module
program controlled.
#### [info] [client *ip-address*] (*errno-value*)*errno-description* (errno2=*errno2-value*) user *userid*: saf\_check\_pw=401 for *request-uri*: Other SAF failure; errno2=yyyyzzzz
The server logs this message when a call to the function \_\_passwd()
returns an error which the server does handles with specific messages.
The combination of errno and errno2 explain the problem.
UNIX System Services Messages and Codes describes all errno and errno2
values. C/C++ Run-Time Library Reference contains documentation for the
\_\_passwd() function.
- [z/OS V1R6.0 UNIX System Services Messages and
Codes](http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/BPXZA850/CCONTENTS?SHELF=EZ2ZO10E&DN=SA22-7807-05&DT=20040713143954)
- [z/OS V1R6.0 C/C++ Run-Time Library
Reference](http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/EDCLB150/CCONTENTS?SHELF=EZ2ZO10E&DN=SA22-7821-06&DT=20040722142304)
#### [error] [client *ip-address*] access to [request-uri] failed: [requirement]
The server logs this message when it denies access to a resource based
on the options in a \"Require\" directive in httpd.conf.
If access should have been granted, review the options in the
\"Require\" directive.
#### [info] [client *ip-address*] access to [request-uri] failed; reason: user [username] is not in the \"Require\" list
The server logs this message when it denies access to a resource because
a \"Require\" directive in httpd.conf does not specifically include the
username or a group containing the username.
If access should have been granted, review the options in the
\"Require\" directive.
#### [info] (xxx)rc=[return code] attempting to reset UID
The server logs this message when it has run a request under SAFRunAs
control and is attempting to delete the SAF security environment and
return to the server\'s default user ID (UID).
See the documentation for errno xxx and the pthread\_security\_np()
function in the z/OS C/C++ Run-Time Library Reference, document number
SA22-7821.
### mod\_ldap and mod\_auth\_ldap
#### [warn] [client 9.37.242.143] [16777781] auth\_ldap authenticate: user [xxxx] authentication failed; URI /ldapdir/index.html [User not found][No such object]
The server logs this message if auth\_ldap cannot find the requested dn
or user, but mod\_ldap is not authoritative.
The following messages will also be logged if no module is authoritative
and the user is not found by any authorization module:
```
[crit] [client 9.37.242.143] check_user_id hook called
[crit] [client 9.37.242.143] configuration error: couldn't check user. No user file?: /ldapdir/index.html
```
See
.
Each authorization module only authenticates based on its own knowledge.
If directive `AuthLDAPAuthoritative off` is specified, mod\_auth\_ldap
will not reject the request, but will allow it to be passed to other
possible authorization modules. Normally, mod\_auth\_ldap is the only
authorization module configured for a request and
[AuthLDAPAuthoritative](http://publib.boulder.ibm.com/httpserv/manual60/mod/mod_auth_ldap.html#authldapauthoritative)
is set to on.
#### [warn] [client 9.76.147.159] [43] auth\_ldap authenticate: user [username] authentication failed; URI [path/to/ldap/directory] [LDAP: ssl connections not supported][N/A]
The server logs this message if an LDAP session was requested but
failed.
If an SSL connection to the LDAP server is required, the url specified
in
[AuthLDAPURL](http://publib.boulder.ibm.com/httpserv/manual60/mod/mod_auth_ldap.html#authldapurl)
must begin with ldaps://, non-SSL must begin with ldap://. Additional
messages which describe the problem may have appeared earlier in the
error log.
#### [error] (121)EDC5121I Invalid argument. (errno2=0x07200316): LDAP cache: error while creating a shared memory segment: EDC5121I Invalid argument. (errno2=0x07200316)
Also: [error] (153)EDC5153I Catalog obtain error. (errno2=0xC5C7082A):
LDAP cache: error while creating a shared memory segment: EDC5153I
Catalog obtain error. (errno2=0xC5C7082A)
Ensure that the size specified by
[LDAPSharedCacheSize](http://publib.boulder.ibm.com/httpserv/manual60/mod/mod_ldap.html#ldapsharedcachesize)
is valid.
Ensure that the file specified in
[LDAPSharedCacheFile](http://publib.boulder.ibm.com/httpserv/manual60/mod/mod_ldap.html#ldapsharedcachefile)
is valid.
Delete the file specified in
[LDAPSharedCacheFile](http://publib.boulder.ibm.com/httpserv/manual60/mod/mod_ldap.html#ldapsharedcachefile)
and try starting IBM HTTP Server again.
If a
[LDAPSharedCacheFile](http://publib.boulder.ibm.com/httpserv/manual60/mod/mod_ldap.html#ldapsharedcachefile)
directive is specified remove it; if it is not specified then add it. If
the directive is specified, named shared memory will be used; otherwise,
anonymous shared memory will be used.
#### [crit] [return code] LDAP cache: failed to set mutex permissions
The server may log this message if the User or Group directive in
httpd.conf does not have appropriate permissions.
See the documentation for semctl() IPC\_SET operation in the z/OS C/C++
Run-Time Library Reference, document number SA22-7821.
#### [crit] LDAP: Invalid LDAPTrustedCAType directive - KDB\_FILE or SAF\_KEYRING type required or mismatched
The server logs this message if the KDB file, SAF keyring, or password
file are invalid.
- KDB file requirements: The file extension must be `.kdb` and the
associated associated password file must be have the same name as
the kdb file, but with a file extension of `.sth`.
- SAF keyring requirements: The name must be a maximum of 8 characters
and meet all RACF naming conventions. There is no password file.
#### DSA is unwilling to perform
```
[error] mod_ibm_ldap: failed to search 'LDAP Realm' with filter '(&(userid=xyzzy)(objectclass=*))': (53) DSA is unwilling to perform [warn] mod_ibm_ldap: LDAP server indicates that password is expired or user id is locked.`
```
If the LDAP *server* is on z/OS with the SDBM or RACF back-end, these
two messages are a result of the z/OS LDAP server not supporting
compound filters. Simplify the filter to a single condition - e.g.,
\"racfid=&v1\" - and if possible, test with ldapsearch to verify it
works before using in IHS.
#### [warn] LDAP: SSL initialization failed OR LDAP: SSL support unavailable
The server logs one or both of these messages if SSL was not requested,
or fails. If SSL support is required, check for additional messages in
the log and directives such as
[LDAPTrustedCA](http://publib.boulder.ibm.com/httpserv/manual60/mod/mod_ldap.html#ldaptrustedca)
and
[LDAPTrustedCAType](http://publib.boulder.ibm.com/httpserv/manual60/mod/mod_ldap.html#ldaptrustedcatype).
## Linux-specific messages
### \*\*\* glibc detected \*\*\* free(): invalid next size (fast): 0x\...
Linux has detected memory corruption in IHS, and this particular child
process will likely be terminated. If your system is configured to
[create coredumps for IHS crashes](coredumps.html), the core can be
analyzed by the [GatherCrashDoc](gather_crash_doc.html) collector tool.
## Messages from third-party modules
Contact the supplier of any third-party modules in the configuration in
order to address these messages.
- `SemCounter ERROR: Cannot remove semaphore: 655433`
- `[notice] msgsnd() FAILED can't send, ipc msg queue is full (EAGAIN=Resource temporarily unavailable)`
- `[error] [client 1.2.3.4] (13)Permission denied: Could not open file /apps/opt/IBMHTTPD-SSO/logs/filter.52954`\
This message is known to originate from SiteMinder.
- `1172793600:28168: CSmSharedSegment::smalloc - attached to shared memory segment 5111808 using key 0x6910a016`\
This message is known to originate from SiteMinder. It appears to be
informational in nature (i.e., not indicate an operational problem),
but SiteMinder support would have to give a definitive explanation.
## fork() failures
Several web server functions depend on the `fork()` system call to
create a new process. Specific requests can fail or web server
performance can be degraded if this system call fails.
The specific cause for failure is usually one of the following:
- limits on processes for the user which started the web server may be
exceeded
- system-wide limits on processes may be exceeded
- there may be a system resource shortage (internal kernel tables,
paging space)
More information may be available in the operating system documentation
for the `fork()` subroutine.
**AIX**
The AIX documentation for `fork()` is
.
The applicable limit is `maxuproc`. The following commands show how to
display the current value and set it to a new value:
```
# lsattr -El sys0 -a maxuproc
maxuproc 2048 Maximum number of PROCESSES allowed per user True
# chdev -l sys0 -a maxuproc=4096
sys0 changed
```