Environment
Novell Access Manager 3.1 Linux Access Gateway
Situation
AM 3.1 Formfill cheat sheet
====================
Functionality: Goal of formfill is simply to fill a login page on Web server with a <form> tag and <input> tags.
Formfill Log settings required to capture all relevant info:
1. IDP - need IDP logging enabled with following parameters. /etc/init.d/novell-tomcat5 must be restarted after this for changes to take effect.
- echo to console enabled
- Application, Liberty, Web Service Consumer and Web Service Provider components set to DEBUG
2. LAG - need to make sure /etc/laglogs.conf file includes. /etc/init.d/novell-vmc must be restarted after this for changes to take effect.
LOG_LEVEL=7
DEBUG_HTTP_HEADERS=1
DEBUG_SOAP_MESSAGES=0
Formfill touch files:
1. /tmp/.forceUTF8CharSet - May be required by customers in Asia or EMEA. Used to force UTF8 charset in the html pages, using formfill. When this file is present, LAG Formfill forces UTF8 charset by inserting the following into the html source in between the <head> and </head> tags, provided a similar tag (though with another charset) is not already present. Not needed for US customers.
2. /var/novell/.enableInPlaceSilentFill - With this file present, LAG Formfill will not generate a new page when autosubmit is enabled, but will fill in the page that has been received from the webserver [similar to the way it does when autosubmit is disabled] and will also make the text/password/unspecified type fields hidden. However, a couple of options found in the formfill policy configuration will not work - (1)Debug Submit (2)Functions to Keep. With advanced login forms containing javascript, this is something we should be trying out regularly.
3. /tmp/.ffDebug - undocumented touch file which, when enabled, gives more details on the formfill processing. Only usually needed when getting malformed URLs or formfill policy not being executed.
Info to request:
0. Make sure that all these log files are reset to 0 bytes before dup'ing issue. To do this, simply type echo > $filename e.g echo > /var/log/ics_dyn.log
1. Admin Console Server
- output of amdiagcfg.sh script (from /opt/novell/devman/bin directory). This will allow us to view the formfill policy
2. Identity (IDP) Server
- /var/opt/novell/tomcat5/logs/catalina.out. Will allow us view the SOAP requests for formfill attributes if ESP does not have them in cache
2. Linux Access Gateway (LAG) Server
- /var/opt/novell/tomcat5/logs/catalina.out
- /var/log/ics_dyn.log
- /var/log/laghttpheaders
- formfillprob.cap output file from 'tcpdump -i any -s 0 -w formfillprob.cap' command on web server
3. Browser Workstation
- Go to login page of back end application, view it and save the source
- Run STRACE (http://www.microsoft.com/downloads/details.aspx?familyid=f5ec767f-27f2-4fb3-90a5-4bf0d5f4810a&displaylang=en), dup the issue and get the STRACE output log
4. (If secret store enabled) Verify whether the problem is specific to secret store by populating the input fields with LDAP credentials or string attributes instead for testing.
What to look for in log files:
- Look at STRACE output and locate the URL of the login page. Note a unique identifier in the HTTP headers of the GET request e.g. a session cookie
- search the LAGHTTPHeaders output for the URL, and make sure that it includes the unique identifier (in case multiple users hitting the same URL in the log files!). Note the request number eg. '345'
- open the ics_dyn.log file and using the request number from laghttpheaders file above, search for EVENTID#<$request_number> eg. EVENTID#345
- walk through all events in ics_dyn.log for that request and search for the following formfill string:
# "Content-Type () Formfill is interested in this response" (implies we found a matching policy)
# "FF Sending GetAttribute soaprequest:XXXX to eSP" where XXXX is the requestID (implies we are looking for the attributes). The XXXX ID can be searched in the catalina.out file for specifics on the SOAP request
# "backchannel receivedResp" (implies we got a response from the SOAP backchannel with hopefully the required attributes)
# "FF Adjusting content length" (implies we have injected the attributes into the form and are sending it back to the browser)
# "Process request " (the next process request string from the browser should be to the action tag from the form)
- walk through the SOAP requests in catalina.out file for details on whether the attributes were successfully retrieved (as above, search for the requestID)
- for security reasons, the attribute values are masked in the catalina.out and ics_dyn.log files. The tcpdump command above will allow you to filter on TCP 8080 and get the attrib values!
- if the browser cannot auto submit the data, there may be javascript issues. The STRACE output can be searched for the <form> details to make sure that all javascript referenced in the HTML login page exists. Make sure that the javascript option is enabled in the formfill policy, and add all javascript functions to the 'statements to execute' field.
Useful TIDs:
1. How to troubleshoot formfill issues on Novell Access Manager's Linux Access Gateway - https://support.microfocus.com/kb/doc.php?id=7002780&sliceId=1&docTypeID=DT_TID_1_1&dialogID=122129262&stateId=0%200%20122127483
2. Blank page accessing formfill enabled protected resource with Access Gateway - https://support.microfocus.com/kb/doc.php?id=3283370&sliceId=1&docTypeID=DT_TID_1_1&dialogID=122129262&stateId=0%200%20122127483
3. Working iChain formfill policy not working with Access Manager shared secrets - https://support.microfocus.com/kb/doc.php?id=3823293&sliceId=1&docTypeID=DT_TID_1_1&dialogID=122129262&stateId=0%200%20122127483
4. Cannot autosubmit data formfill policy information with Linux Access Gateway - https://support.microfocus.com/kb/doc.php?id=3925869&sliceId=1&docTypeID=DT_TID_1_1&dialogID=122129262&stateId=0%200%20122127483
====================
Functionality: Goal of formfill is simply to fill a login page on Web server with a <form> tag and <input> tags.
Formfill Log settings required to capture all relevant info:
1. IDP - need IDP logging enabled with following parameters. /etc/init.d/novell-tomcat5 must be restarted after this for changes to take effect.
- echo to console enabled
- Application, Liberty, Web Service Consumer and Web Service Provider components set to DEBUG
2. LAG - need to make sure /etc/laglogs.conf file includes. /etc/init.d/novell-vmc must be restarted after this for changes to take effect.
LOG_LEVEL=7
DEBUG_HTTP_HEADERS=1
DEBUG_SOAP_MESSAGES=0
Formfill touch files:
1. /tmp/.forceUTF8CharSet - May be required by customers in Asia or EMEA. Used to force UTF8 charset in the html pages, using formfill. When this file is present, LAG Formfill forces UTF8 charset by inserting the following into the html source in between the <head> and </head> tags, provided a similar tag (though with another charset) is not already present. Not needed for US customers.
2. /var/novell/.enableInPlaceSilentFill - With this file present, LAG Formfill will not generate a new page when autosubmit is enabled, but will fill in the page that has been received from the webserver [similar to the way it does when autosubmit is disabled] and will also make the text/password/unspecified type fields hidden. However, a couple of options found in the formfill policy configuration will not work - (1)Debug Submit (2)Functions to Keep. With advanced login forms containing javascript, this is something we should be trying out regularly.
3. /tmp/.ffDebug - undocumented touch file which, when enabled, gives more details on the formfill processing. Only usually needed when getting malformed URLs or formfill policy not being executed.
Info to request:
0. Make sure that all these log files are reset to 0 bytes before dup'ing issue. To do this, simply type echo > $filename e.g echo > /var/log/ics_dyn.log
1. Admin Console Server
- output of amdiagcfg.sh script (from /opt/novell/devman/bin directory). This will allow us to view the formfill policy
2. Identity (IDP) Server
- /var/opt/novell/tomcat5/logs/catalina.out. Will allow us view the SOAP requests for formfill attributes if ESP does not have them in cache
2. Linux Access Gateway (LAG) Server
- /var/opt/novell/tomcat5/logs/catalina.out
- /var/log/ics_dyn.log
- /var/log/laghttpheaders
- formfillprob.cap output file from 'tcpdump -i any -s 0 -w formfillprob.cap' command on web server
3. Browser Workstation
- Go to login page of back end application, view it and save the source
- Run STRACE (http://www.microsoft.com/downloads/details.aspx?familyid=f5ec767f-27f2-4fb3-90a5-4bf0d5f4810a&displaylang=en), dup the issue and get the STRACE output log
4. (If secret store enabled) Verify whether the problem is specific to secret store by populating the input fields with LDAP credentials or string attributes instead for testing.
What to look for in log files:
- Look at STRACE output and locate the URL of the login page. Note a unique identifier in the HTTP headers of the GET request e.g. a session cookie
- search the LAGHTTPHeaders output for the URL, and make sure that it includes the unique identifier (in case multiple users hitting the same URL in the log files!). Note the request number eg. '345'
- open the ics_dyn.log file and using the request number from laghttpheaders file above, search for EVENTID#<$request_number> eg. EVENTID#345
- walk through all events in ics_dyn.log for that request and search for the following formfill string:
# "Content-Type () Formfill is interested in this response" (implies we found a matching policy)
# "FF Sending GetAttribute soaprequest:XXXX to eSP" where XXXX is the requestID (implies we are looking for the attributes). The XXXX ID can be searched in the catalina.out file for specifics on the SOAP request
# "backchannel receivedResp" (implies we got a response from the SOAP backchannel with hopefully the required attributes)
# "FF Adjusting content length" (implies we have injected the attributes into the form and are sending it back to the browser)
# "Process request " (the next process request string from the browser should be to the action tag from the form)
- walk through the SOAP requests in catalina.out file for details on whether the attributes were successfully retrieved (as above, search for the requestID)
- for security reasons, the attribute values are masked in the catalina.out and ics_dyn.log files. The tcpdump command above will allow you to filter on TCP 8080 and get the attrib values!
- if the browser cannot auto submit the data, there may be javascript issues. The STRACE output can be searched for the <form> details to make sure that all javascript referenced in the HTML login page exists. Make sure that the javascript option is enabled in the formfill policy, and add all javascript functions to the 'statements to execute' field.
Useful TIDs:
1. How to troubleshoot formfill issues on Novell Access Manager's Linux Access Gateway - https://support.microfocus.com/kb/doc.php?id=7002780&sliceId=1&docTypeID=DT_TID_1_1&dialogID=122129262&stateId=0%200%20122127483
2. Blank page accessing formfill enabled protected resource with Access Gateway - https://support.microfocus.com/kb/doc.php?id=3283370&sliceId=1&docTypeID=DT_TID_1_1&dialogID=122129262&stateId=0%200%20122127483
3. Working iChain formfill policy not working with Access Manager shared secrets - https://support.microfocus.com/kb/doc.php?id=3823293&sliceId=1&docTypeID=DT_TID_1_1&dialogID=122129262&stateId=0%200%20122127483
4. Cannot autosubmit data formfill policy information with Linux Access Gateway - https://support.microfocus.com/kb/doc.php?id=3925869&sliceId=1&docTypeID=DT_TID_1_1&dialogID=122129262&stateId=0%200%20122127483