Environment
Novell Access Manager 3.1 Linux Access Gateway
Novell Access Manager 3.1 Linux Novell Identity Server
Novell Access Manager 3.1 Windows Novell Identity Server
Situation
Functionality: Troubleshooting Access Manager 3.1 Authorization policy issues
Log settings required to capture all relevant info:
1. IDP - need IDP logging enabled with following parameters. /etc/init.d/novell-tomcat5 must be restarted after this for changes to take effect.
- echo to console enabled
- Application, Liberty, Web Service Consumer and Web Service Provider components set to DEBUG
2. LAG - need to make sure /etc/laglogs.conf file includes. /etc/init.d/novell-vmc must be restarted after this for changes to take effect.
LOG_LEVEL=7
DEBUG_HTTP_HEADERS=1
DEBUG_SOAP_MESSAGES=0
Info to request
1. "catalina.out" on the IDP
2. "catalina.out" on the LAG
3. "ics_dyn.log" on the LAG
BEFORE obtaining logs: (1) set the DEBUG levels, and (2) DELETE the logs.
DELETE (zero-out) the logs with ">"...for example:
# > /var/opt/novell/tomcat5/logs/catalina.out
# > /var/log/ics_dyn.log
What to look for in log files:
In the "catalina.out" log...
Look for any "SEVERE" log entries.
Look for "Evaluating policy" string, and then the "Status" string below it:
<amLogEntry> 2007-08-02T15:55:05Z INFO NIDS Application: AM#501101050:
AMDEVICEID#esp-2FA73CE1A376FD91: PolicyID#459O8443-N8P5-KO21-68OMK172P107N4O5:
NXPESID#1743: Evaluating policy
</amLogEntry>
<amLogEntry> 2007-08-02T15:55:06Z INFO NIDS Application: AM#501102050:
PolicyID#459O8443-N8P5-KO21-68OM-K172P107N4O5: NXPESID#1743: AGAuthorization
Policy Trace:
~~RL~1~~~~Rule Count: 2~~Success(0)
~~RU~RuleID_1186068489688~Title_auth~DNF~~1:1~~Success(0)
~~CS~1~~ANDs~~1~~True(69)
~~CO~1~LdapAttribute(6647):NEPXurn~3Anovell~3Aldap~3A2006-
02~2Fldap~3AUserAttribute~40~40~40~40WSCQLDAPToken~40~40~40~40~2FUserAttribut
e~5B~40ldap~3AtargetAttribute~3D~22title~22~5D:hiddenvalue:~
com.novell.nxpe.condition.NxpeOperator@string-equals~(0):hiddenparam:
hidden-value:~~~True(69)
~~PA~1~~Permit Access~~~~Success(0)
~~PC~1~~Document=(ou=xpemlPEP,ou=mastercdn,ou=ContentPublisher
Container,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerCo
ntainer,o=novell:romaContentCollectionXMLDoc),Policy=(Title_auth),Rule=(1::Ru
leID_1186068489688),Action=(Permit::1)~~~~Success(0)
</amLogEntry>
<amLogEntry> 2007-08-02T15:55:06Z INFO NIDS Application: AM#501101021:
PolicyID#459O8443-N8P5-KO21-68OM-K172P107N4O5: NXPESID#1743:
Response sent: Status - success
</amLogEntry>
NOTE: most authorization policies would reference a "role" (example: if "role" != NTS, action = deny). This means that we need to make sure that the role is set correctly for that user (this done at the IDP server).
You can also check the user's role in the "catalina.out" file from the LAG when a user authenticates:
<NIDPSetSession XLibid="0000000093022495ba157142a2ad8997243b858a" hardExpire="239" id="C26E83BC0E9FC2DCE65045BE88744FED" pid=":#W5HS^3q,4lJ53Y@v-2%
{6-C" softExpire="155"><store type="ldap"><dn>cn=ncashell,o=novell</dn></store>
<authentications>
<contracts>
<contract>uscell/secure/name/password/uri</contract>
</contracts>
</authentications>
<roles>
<role>NTS</role>
<role>Manager</role>
<role>authenticated</role>
</roles>
</NIDPSetSession>
Useful TID's:
1. "Troubleshooting Access Manager Policies" in the Access Manager "Policy Management Guide"
2. KB 7001127: (TLS issue) "504 Gateway Time-Out accessing secure Web server with Linux Access Gateway"
Resolution: Touch the /var/novell/.doNotUseTLS file on the Linux Access Gateway. There are some webservers that do not support TLS protocol. By default, LAG tries with the TLS protocol and if the web server doesn't support this, it will abort the SSL handshake.
https://support.microfocus.com/kb/doc.php?id=7001127&sliceId=1&docTypeID=DT_TID_1_1&dialogID=71746028&stateId=1%200%2071742340
Log settings required to capture all relevant info:
1. IDP - need IDP logging enabled with following parameters. /etc/init.d/novell-tomcat5 must be restarted after this for changes to take effect.
- echo to console enabled
- Application, Liberty, Web Service Consumer and Web Service Provider components set to DEBUG
2. LAG - need to make sure /etc/laglogs.conf file includes. /etc/init.d/novell-vmc must be restarted after this for changes to take effect.
LOG_LEVEL=7
DEBUG_HTTP_HEADERS=1
DEBUG_SOAP_MESSAGES=0
Info to request
1. "catalina.out" on the IDP
2. "catalina.out" on the LAG
3. "ics_dyn.log" on the LAG
BEFORE obtaining logs: (1) set the DEBUG levels, and (2) DELETE the logs.
DELETE (zero-out) the logs with ">"...for example:
# > /var/opt/novell/tomcat5/logs/catalina.out
# > /var/log/ics_dyn.log
What to look for in log files:
In the "catalina.out" log...
Look for any "SEVERE" log entries.
Look for "Evaluating policy" string, and then the "Status" string below it:
<amLogEntry> 2007-08-02T15:55:05Z INFO NIDS Application: AM#501101050:
AMDEVICEID#esp-2FA73CE1A376FD91: PolicyID#459O8443-N8P5-KO21-68OMK172P107N4O5:
NXPESID#1743: Evaluating policy
</amLogEntry>
<amLogEntry> 2007-08-02T15:55:06Z INFO NIDS Application: AM#501102050:
PolicyID#459O8443-N8P5-KO21-68OM-K172P107N4O5: NXPESID#1743: AGAuthorization
Policy Trace:
~~RL~1~~~~Rule Count: 2~~Success(0)
~~RU~RuleID_1186068489688~Title_auth~DNF~~1:1~~Success(0)
~~CS~1~~ANDs~~1~~True(69)
~~CO~1~LdapAttribute(6647):NEPXurn~3Anovell~3Aldap~3A2006-
02~2Fldap~3AUserAttribute~40~40~40~40WSCQLDAPToken~40~40~40~40~2FUserAttribut
e~5B~40ldap~3AtargetAttribute~3D~22title~22~5D:hiddenvalue:~
com.novell.nxpe.condition.NxpeOperator@string-equals~(0):hiddenparam:
hidden-value:~~~True(69)
~~PA~1~~Permit Access~~~~Success(0)
~~PC~1~~Document=(ou=xpemlPEP,ou=mastercdn,ou=ContentPublisher
Container,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerCo
ntainer,o=novell:romaContentCollectionXMLDoc),Policy=(Title_auth),Rule=(1::Ru
leID_1186068489688),Action=(Permit::1)~~~~Success(0)
</amLogEntry>
<amLogEntry> 2007-08-02T15:55:06Z INFO NIDS Application: AM#501101021:
PolicyID#459O8443-N8P5-KO21-68OM-K172P107N4O5: NXPESID#1743:
Response sent: Status - success
</amLogEntry>
NOTE: most authorization policies would reference a "role" (example: if "role" != NTS, action = deny). This means that we need to make sure that the role is set correctly for that user (this done at the IDP server).
You can also check the user's role in the "catalina.out" file from the LAG when a user authenticates:
<NIDPSetSession XLibid="0000000093022495ba157142a2ad8997243b858a" hardExpire="239" id="C26E83BC0E9FC2DCE65045BE88744FED" pid=":#W5HS^3q,4lJ53Y@v-2%
{6-C" softExpire="155"><store type="ldap"><dn>cn=ncashell,o=novell</dn></store>
<authentications>
<contracts>
<contract>uscell/secure/name/password/uri</contract>
</contracts>
</authentications>
<roles>
<role>NTS</role>
<role>Manager</role>
<role>authenticated</role>
</roles>
</NIDPSetSession>
Useful TID's:
1. "Troubleshooting Access Manager Policies" in the Access Manager "Policy Management Guide"
2. KB 7001127: (TLS issue) "504 Gateway Time-Out accessing secure Web server with Linux Access Gateway"
Resolution: Touch the /var/novell/.doNotUseTLS file on the Linux Access Gateway. There are some webservers that do not support TLS protocol. By default, LAG tries with the TLS protocol and if the web server doesn't support this, it will abort the SSL handshake.
https://support.microfocus.com/kb/doc.php?id=7001127&sliceId=1&docTypeID=DT_TID_1_1&dialogID=71746028&stateId=1%200%2071742340