Troubleshooting cheat sheet - howto Troubleshoot Access Manager 3.1 Identity Server Authentication issues

  • 7006045
  • 19-May-2010
  • 26-Apr-2012

Environment

Novell Access Manager 3.1 Linux Novell Identity Server
Novell Access Manager 3.1 Windows Novell Identity Server

Situation

AM 3.1 Authentication cheat sheet
=================================

Functionality: To guard against unauthorized access, Access Manager supports a number of ways for users to authenticate.
You configure authentication at the Identity Server by creating authentication contracts that the components of Access Manager (such as an Access Gateway) can use to protect a resource.

Authentication log settings required to capture all relevant traffic:

1. IDP - IDP logging must be enabled with the following parameters. /etc/init.d/novell-tomcat5 must be restarted afterwards for the changes to take effect.

- echo to console enabled
- Application, Liberty, Web Service Consumer and Web Service Provider components set to DEBUG

2. LAG - make sure the /etc/laglogs.conf file includes the following. /etc/init.d/novell-vmc must be restarted afterwards for the changes to take effect.

LOG_LEVEL=7
DEBUG_SOAP_MESSAGES=0


Authentication touch files:

1. lagDisableAuthIPCheck, located in the /etc directory.
Enabling this touch file switches off the binding of the proxy authentication cookie to the client IP. Use this in a setup where two L4 switches are configured in parallel and browser requests get bounced between these L4 switches. Without the binding, the cookie is no longer tied to the address it was issued to, so only enable the touch file where the setup actually requires it.


Info to request:

0. Make sure that all these log files are reset to 0 bytes before reproducing the issue. To do this, simply type echo > $filename, e.g. echo > /var/opt/novell/tomcat5/logs/catalina.out

1. Admin Console Server

- output of the amdiagcfg.sh script (from the /opt/novell/devman/bin directory). This will allow us to view the class, method and contract configuration.

2. Identity (IDP) Server

- /var/opt/novell/tomcat5/logs/catalina.out (if on Linux). Will allow us to view the initialization of the authentication classes.
- /Program Files/Novell/Tomcat/logs/stdout.log (if on Windows)

3. Depending on what type of authentication is used, you can request the User Store log files to confirm whether the requests have arrived or errors are shown.
- Use ndstrace with flags +nmas +pki +time +ldap on Linux (the flags depend on what type of authentication you are troubleshooting)
- Use dstrace with flags +nmas +pki +time +ldap on NetWare (the flags depend on what type of authentication you are troubleshooting)
- Verify that user authentication works independently of Access Manager

4. Linux Access Gateway (LAG) Server

- /var/opt/novell/tomcat5/logs/catalina.out
- /var/log/ics_dyn.log

What to look for in log files:

- Look at the catalina.out output of the Identity Server.
- Locate the username and scan for errors.
For example, in case of a successful login you see entries like this:
<amLogEntry> 2010-04-07T10:19:54Z INFO NIDS Application: AM#500105009: AMDEVICEID#177E0DE2A395AA63: AMAUTHID#9380DA71EC0CD02FA00722B5D561EF69:  Executing contract Name/Password - Form. </amLogEntry>
<amLogEntry> 2010-04-07T10:19:54Z VERBOSE NIDS Application: Session has consumed authentications: false </amLogEntry>
<amLogEntry> 2010-04-07T10:19:54Z VERBOSE NIDS Application: Session has consumed authentications: false </amLogEntry>
<amLogEntry> 2010-04-07T10:19:54Z VERBOSE NIDS Application: Executing authentication method Name/Password - Form </amLogEntry>
<amLogEntry> 2010-04-07T10:20:05Z VERBOSE NIDS Application: Authentication method Name/Password - Form succeeded </amLogEntry>
<amLogEntry> 2010-04-07T10:19:54Z VERBOSE NIDS Application: Performing LDAP search (&(cn=admin)(objectClass=User)) in context <nidsc:SearchContext(novell:nids:config:1:0:0)>:  Context: o=connect     Order: 0, Scope: 1  </amLogEntry>
<amLogEntry> 2010-04-07T10:20:00Z VERBOSE NIDS Application: LDAP search objects found: 1 </amLogEntry>
<amLogEntry> 2010-04-07T10:20:00Z INFO NIDS Application: AM#500105014: AMDEVICEID#177E0DE2A395AA63: AMAUTHID#9380DA71EC0CD02FA00722B5D561EF69:  Attempting to authenticate user cn=admin,o=connect with provided credentials. </amLogEntry>
<amLogEntry> 2010-04-07T10:20:05Z INFO NIDS Application: AM#500105012: AMDEVICEID#177E0DE2A395AA63: AMAUTHID#9380DA71EC0CD02FA00722B5D561EF69:  Authenticated user cn=admin,o=connect in User Store oesnw with no roles. </amLogEntry>
<amLogEntry> 2010-04-07T10:20:05Z INFO NIDS Application: AM#500105017: AMDEVICEID#177E0DE2A395AA63: AMAUTHID#9380DA71EC0CD02FA00722B5D561EF69:  nLogin succeeded, redirecting to https://idpa.example.com:8443/nidp/app. </amLogEntry>
In case of a failed login you would see entries like this:
<amLogEntry> 2010-04-07T10:19:38Z INFO NIDS Application: AM#500105009: AMDEVICEID#177E0DE2A395AA63: AMAUTHID#9380DA71EC0CD02FA00722B5D561EF69:  Executing contract Name/Password - Form. </amLogEntry>
<amLogEntry> 2010-04-07T10:19:38Z VERBOSE NIDS Application: Session has consumed authentications: false </amLogEntry>
<amLogEntry> 2010-04-07T10:19:38Z VERBOSE NIDS Application: Session has consumed authentications: false </amLogEntry>
<amLogEntry> 2010-04-07T10:19:38Z VERBOSE NIDS Application: Executing authentication method Name/Password - Form </amLogEntry>
<amLogEntry> 2010-04-07T10:19:38Z VERBOSE NIDS Application: Performing LDAP search (&(cn=administrator)(objectClass=User)) in context<nidsc:SearchContext(novell:nids:config:1:0:0)>:  Context: o=connect     Order: 0, Scope: 1 </amLogEntry>
<amLogEntry> 2010-04-07T10:19:43Z VERBOSE nIDS Application: LDAP search objects found: 0 </amLogEntry>
<amLogEntry> 2010-04-07T10:19:43Z VERBOSE NIDS Application: Authentication contract 'Name/Password - Form' failed in method 'Name/Password - Form' for session 9380DA71EC0CD02FA00722B5D561EF69.  NIDPMAIN.1528administrator </amLogEntry>
In this case the search filter (cn=administrator) in context o=connect returned 0 objects, so dstrace or ndstrace on the defined user store will be needed to see why the LDAP search did not return a result (wrong search context, user missing, or an LDAP error on the user store side).
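As an added illustration (not part of the original TID), the Python below applies the checks above to constructed catalina.out entries modelled on the ones quoted here: it groups entries into login attempts by LDAP user lookup, records how many objects each search found, and says which trace to pull next.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the catalina.out entries quoted above: the failed
# lookup for "administrator" comes first, then the successful login as "admin".
SAMPLE_LOG = """\
<amLogEntry> 2010-04-07T10:19:38Z VERBOSE NIDS Application: Performing LDAP search (&(cn=administrator)(objectClass=User)) in context<nidsc:SearchContext(novell:nids:config:1:0:0)>:  Context: o=connect     Order: 0, Scope: 1 </amLogEntry>
<amLogEntry> 2010-04-07T10:19:43Z VERBOSE nIDS Application: LDAP search objects found: 0 </amLogEntry>
<amLogEntry> 2010-04-07T10:19:43Z VERBOSE NIDS Application: Authentication contract 'Name/Password - Form' failed in method 'Name/Password - Form' for session 9380DA71EC0CD02FA00722B5D561EF69.  NIDPMAIN.1528administrator </amLogEntry>
<amLogEntry> 2010-04-07T10:19:54Z VERBOSE NIDS Application: Performing LDAP search (&(cn=admin)(objectClass=User)) in context <nidsc:SearchContext(novell:nids:config:1:0:0)>:  Context: o=connect     Order: 0, Scope: 1  </amLogEntry>
<amLogEntry> 2010-04-07T10:20:00Z VERBOSE NIDS Application: LDAP search objects found: 1 </amLogEntry>
<amLogEntry> 2010-04-07T10:20:05Z INFO NIDS Application: AM#500105012: AMDEVICEID#177E0DE2A395AA63: AMAUTHID#9380DA71EC0CD02FA00722B5D561EF69:  Authenticated user cn=admin,o=connect in User Store oesnw with no roles. </amLogEntry>
"""

ENTRY = re.compile(r"<amLogEntry>\s*(\S+)\s+(\w+)\s+(.*?)\s*</amLogEntry>")
SEARCH = re.compile(r"Performing LDAP search \((.*?)\) in context")
FOUND = re.compile(r"LDAP search objects found: (\d+)")
AUTHED = re.compile(r"Authenticated user (\S+) in User Store (\S+)")
FAILED = re.compile(r"Authentication contract '([^']+)' failed in method '([^']+)' for session (\w+)")

@dataclass
class Attempt:
    timestamp: str
    ldap_filter: str
    objects_found: int = -1      # -1 until the "objects found" line is seen
    outcome: str = "incomplete"  # incomplete | success | failed
    detail: str = ""

def analyze(log_text: str) -> "list[Attempt]":
    # One attempt per LDAP user lookup; later lines attach to the latest attempt.
    attempts = []
    for m in ENTRY.finditer(log_text):
        ts, _level, msg = m.groups()
        if s := SEARCH.search(msg):
            attempts.append(Attempt(ts, s.group(1)))
        elif not attempts:
            continue  # nothing to attach to before the first lookup
        elif f := FOUND.search(msg):
            attempts[-1].objects_found = int(f.group(1))
        elif a := AUTHED.search(msg):
            attempts[-1].outcome, attempts[-1].detail = "success", f"{a.group(1)} in user store {a.group(2)}"
        elif x := FAILED.search(msg):
            attempts[-1].outcome, attempts[-1].detail = "failed", f"contract {x.group(1)!r}, session {x.group(3)}"
    return attempts

def diagnose(a: Attempt) -> str:
    if a.outcome == "success":
        return "ok"
    if a.objects_found == 0:
        return "user lookup returned nothing: check the search context and run ndstrace/dstrace +ldap on the user store"
    if a.objects_found > 0 and a.outcome == "failed":
        return "user found but authentication failed: check credentials and run ndstrace/dstrace +nmas on the user store"
    return "no result logged: confirm DEBUG logging and echo to console are enabled on the IDP"
```

Run it over a real catalina.out (after resetting the log and reproducing the issue) and read the diagnose() line for the attempt whose filter contains the affected username.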

Useful TIDs/Coolsolutions:

1. Cannot access Identity Server login page when hitting protected resource after upgrading from Access Manager 3.1 to 3.1 Support Pack 1: https://support.microfocus.com/kb/doc.php?id=7004079&sliceId=1&docTypeID=DT_TID_1_1&dialogID=137151233&stateId=0%200%20137147447
2. Troubleshooting 100101043 and 100101044 Errors in Access Manager: https://www.novell.com/coolsolutions/appnote/19456.html