Troubleshooting

Stunnel troubleshooting tips

  • Stunnel runs in the background by default and does not display any error messages. To run Stunnel in the foreground instead, add the following option to the configuration file (above the service configuration):
foreground = yes

Note that this is relevant for Unix only.

  • As with all services, the best method of diagnosing problems is through the service’s log messages. Enable Stunnel’s logging facilities by adding the following options to the configuration file (above the service configuration):
debug = 7

output = /tmp/stunnel.log
  • If you are running Stunnel in the foreground for testing or debugging, you can redirect the log messages to standard output:
debug = 7

output = /dev/stdout
  • Check the OS firewall on the Stunnel server, and verify that it is not blocking the connections.
  • Log on to the Stunnel box, open a command prompt, and run netstat -an. The ports should be open in LISTENING mode. If they are not, verify that Stunnel is running. If you have trouble launching Stunnel, check the stunnel.log file.
  • When selecting port assignments for services such as Stunnel, do not select a port already in use by another active process or your service may not start.
  • If you are running Stunnel on a Linux machine and you get an error (such as the following), make sure that you have installed OpenSSL version 1.0.1 or later:
client1.pem: /CN=199572950001281|1281

error 20 at 0 depth lookup:unable to get local issuer certificate

To check the version, enter the openssl version command. For example:

[root@alma-api ~]# openssl version

OpenSSL 1.0.1e 11 Feb 2013

Using a Local Stunnel Installation to Perform End-to-End Testing of Your Connection to Alma

To use a local Stunnel installation to perform end-to-end testing of your SIP2 connection to Alma:
  1. Install Stunnel on your PC
  2. Place stunnel.conf and client.pem under the C:\Program Files (x86)\Stunnel directory.
  3. Connect to Alma using telnet, with the hostname and port defined under connect= in stunnel.conf, for example :

Note: Separate the hostname and the port with a space, not a colon (:).

If successful, a black screen is displayed:

Note: If the message Connecting To <hostname>… is displayed and the window closes, this indicates that there is no access from your PC to Alma. Contact Ex Libris support.

  4. Edit stunnel.conf and change the accept = line to accept = 127.0.0.1:5003. This configures Stunnel to accept requests coming from your PC (localhost) on port 5003.
  5. From the Stunnel menu, select Configuration > Reload stunnel.conf
  6. Check the log terminal. It should look like the following:
2013.08.06 18:04:26 LOG7[4816:1880]: Dispatching signals from the signal pipe

2013.08.06 18:04:26 LOG7[4816:1880]: Processing SIGNAL_RELOAD_CONFIG

2013.08.06 18:04:26 LOG5[4816:1880]: Reading configuration from file stunnel.conf

2013.08.06 18:04:26 LOG5[4816:1880]: FIPS mode is disabled

2013.08.06 18:04:26 LOG7[4816:1880]: Compression not enabled

2013.08.06 18:04:26 LOG7[4816:1880]: Snagged 64 random bytes from C:/.rnd

2013.08.06 18:04:26 LOG7[4816:1880]: Wrote 0 new random bytes to C:/.rnd

2013.08.06 18:04:26 LOG7[4816:1880]: PRNG seeded successfully

2013.08.06 18:04:26 LOG6[4816:1880]: Initializing service [Integration Profile 1]

2013.08.06 18:04:26 LOG7[4816:1880]: Certificate: client.pem

2013.08.06 18:04:26 LOG7[4816:1880]: Certificate loaded

2013.08.06 18:04:26 LOG7[4816:1880]: Key file: client.pem

2013.08.06 18:04:26 LOG7[4816:1880]: Private key loaded

2013.08.06 18:04:26 LOG7[4816:1880]: SSL options set: 0x01000004

2013.08.06 18:04:26 LOG5[4816:1880]: Configuration successful

2013.08.06 18:04:26 LOG7[4816:1880]: Closing service [Integration Profile 1]

2013.08.06 18:04:26 LOG7[4816:1880]: Service [Integration Profile 1] closed (FD=636)

2013.08.06 18:04:26 LOG7[4816:1880]: Sessions cached before flush: 0

2013.08.06 18:04:26 LOG7[4816:1880]: Sessions cached after flush: 0

2013.08.06 18:04:26 LOG7[4816:1880]: Service [Integration Profile 1] closed

2013.08.06 18:04:26 LOG7[4816:1880]: Service [Integration Profile 1] (FD=800) bound to 127.0.0.1:5003

2013.08.06 18:04:26 LOG7[4816:1880]: Signal pipe is empty
  7. Simulate a self-check machine by contacting Stunnel. Run: telnet 127.0.0.1 5003. If the attempt is successful, a black screen is displayed.
Note: If the message Connecting To 127.0.0.1… is displayed and the window closes, you may have an issue with stunnel.conf or your firewall settings.
  8. If an error message is displayed, compare your log with the following:
2013.08.06 18:28:24 LOG6[4816:64348]: Read socket closed (readsocket)

2013.08.06 18:28:24 LOG7[4816:64348]: Sending close_notify alert

2013.08.06 18:28:24 LOG7[4816:64348]: SSL alert (write): warning: close notify

2013.08.06 18:28:24 LOG6[4816:64348]: SSL_shutdown successfully sent close_notify alert

2013.08.06 18:28:24 LOG3[4816:64348]: transfer: s_poll_wait: TIMEOUTclose exceeded: closing

2013.08.06 18:28:24 LOG5[4816:64348]: Connection closed: 6 byte(s) sent to SSL, 145 byte(s) sent to socket

2013.08.06 18:28:24 LOG7[4816:64348]: Remote socket (FD=732) closed

2013.08.06 18:28:24 LOG7[4816:64348]: Local socket (FD=644) closed

2013.08.06 18:28:24 LOG7[4816:64348]: Service [Integration Profile 1] finished (0 left)

2013.08.06 18:30:24 LOG7[4816:1880]: Service [Integration Profile 1] accepted (FD=652) from 127.0.0.1:62537

2013.08.06 18:30:24 LOG7[4816:1880]: Creating a new thread

2013.08.06 18:30:24 LOG7[4816:1880]: New thread created

2013.08.06 18:30:24 LOG7[4816:37612]: Service [Integration Profile 1] started

2013.08.06 18:30:24 LOG5[4816:37612]: Service [Integration Profile 1] accepted connection from 127.0.0.1:62537

2013.08.06 18:30:24 LOG6[4816:37612]: connect_blocking: connecting 117.20.42.32:6443

2013.08.06 18:30:24 LOG7[4816:37612]: connect_blocking: s_poll_wait 117.20.42.32:6443: waiting 200 seconds

2013.08.06 18:30:24 LOG5[4816:37612]: connect_blocking: connected 117.20.42.32:6443

2013.08.06 18:30:24 LOG5[4816:37612]: Service [Integration Profile 1] connected remote server from 10.1.116.184:62538

2013.08.06 18:30:24 LOG7[4816:37612]: Remote socket (FD=732) initialized

2013.08.06 18:30:24 LOG7[4816:37612]: SNI: sending servername: ap01.alma.exlibrisgroup.com

2013.08.06 18:30:24 LOG7[4816:37612]: SSL state (connect): before/connect initialization

2013.08.06 18:30:24 LOG7[4816:37612]: SSL state (connect): SSLv3 write client hello A

2013.08.06 18:30:24 LOG7[4816:37612]: SSL state (connect): SSLv3 read server hello A

2013.08.06 18:30:25 LOG7[4816:37612]: SSL state (connect): SSLv3 read finished A

2013.08.06 18:30:25 LOG7[4816:37612]: SSL state (connect): SSLv3 write change cipher spec A

2013.08.06 18:30:25 LOG7[4816:37612]: SSL state (connect): SSLv3 write finished A

2013.08.06 18:30:25 LOG7[4816:37612]: SSL state (connect): SSLv3 flush data

2013.08.06 18:30:25 LOG7[4816:37612]: 1 items in the session cache

2013.08.06 18:30:25 LOG7[4816:37612]: 3 client connects (SSL_connect())

2013.08.06 18:30:25 LOG7[4816:37612]: 3 client connects that finished

2013.08.06 18:30:25 LOG7[4816:37612]: 0 client renegotiations requested

2013.08.06 18:30:25 LOG7[4816:37612]: 0 server connects (SSL_accept())

2013.08.06 18:30:25 LOG7[4816:37612]: 0 server connects that finished

2013.08.06 18:30:25 LOG7[4816:37612]: 0 server renegotiations requested

2013.08.06 18:30:25 LOG7[4816:37612]: 2 session cache hits

2013.08.06 18:30:25 LOG7[4816:37612]: 0 external session cache hits

2013.08.06 18:30:25 LOG7[4816:37612]: 0 session cache misses

2013.08.06 18:30:25 LOG7[4816:37612]: 0 session cache timeouts

2013.08.06 18:30:25 LOG6[4816:37612]: SSL connected: previous session reused
Note: If any error messages are displayed, contact Ex Libris Support. Make sure you include the log, stunnel.conf, and client.pem as part of your support issue.
  9. If the above steps have completed successfully, run a self-check emulator:
  • Download TestTcp.jar
  • If you do not have Java on your PC, download and install it from www.java.com
  • Run: "c:\Program Files (x86)\Java\jre7\bin\java.exe" -jar TestTcp.jar
Note: If SIP2 request and response are not displayed, contact Ex Libris Support. Make sure that you include the log, stunnel.conf, client.pem, and the output you received as part of your support issue.

Note: This tool can also be used for testing SLNP: "path\to\java.exe" -jar TestTcp.jar 127.0.0.1 5003 "SLNPAlleBenutzerDaten\nBenutzerNummer:exl_impl\nSLNPEndCommand "
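
The log comparison in the steps above can be scripted. The following Python script is an added example, not part of the original documentation or of Stunnel: it parses the log format shown on this page, rejoins hard-wrapped lines, and reports the bound address, whether it is loopback-only, whether the TLS handshake completed, and every entry at level 4 (warning) or more severe. The function names and report fields are assumptions of this example.

```python
import re

# Stunnel log entry: "2013.08.06 18:30:24 LOG5[4816:37612]: message"
ENTRY_RE = re.compile(
    r"^(?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) "
    r"LOG(?P<level>[0-7])\[(?P<pid>\d+):(?P<tid>\d+)\]: (?P<msg>.*)$"
)

def parse(text):
    """Parse entries; a line that starts no new entry is the wrapped tail of the previous one."""
    entries = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        match = ENTRY_RE.match(line)
        if match:
            entry = match.groupdict()
            entry["level"] = int(entry["level"])
            entries.append(entry)
        elif entries:
            entries[-1]["msg"] += " " + line
    return entries

def triage(text):
    """Summarise a log (the field names are this example's own)."""
    entries = parse(text)
    msgs = [e["msg"] for e in entries]
    bound = [m.split("bound to ")[1] for m in msgs if "bound to " in m]
    return {
        "bound": bound,
        "loopback_only": bool(bound) and all(b.startswith("127.") for b in bound),
        "handshake_ok": any(m.startswith("SSL connected") for m in msgs),
        # Levels follow syslog severities: 3 = error, 4 = warning, 7 = debug.
        "problems": [(e["ts"], e["level"], e["msg"]) for e in entries if e["level"] <= 4],
    }

# Constructed sample: messages taken from the logs on this page, two of them
# split across lines to exercise the wrapped-line handling.
SAMPLE = """\
2013.08.06 18:04:26 LOG7[4816:1880]: Service [Integration Profile 1] (FD=800) bound to 127.0.0.1:5003
2013.08.06 18:28:24 LOG3[4816:64348]: transfer: s_poll_wait: TIMEOUTclose
exceeded: closing
2013.08.06 18:30:24 LOG5[4816:37612]: connect_blocking: connected
117.20.42.32:6443
2013.08.06 18:30:25 LOG6[4816:37612]: SSL connected: previous session reused
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

To check a real log, pass the contents of the file named in the output = option to triage().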