Can Access Gateway log the SSL/TLS version of incoming client requests

  • 7016352
  • 26-Mar-2015
  • 26-Mar-2015


NetIQ Access Manager 3.2
NetIQ Access Manager 4.0
NetIQ Access Manager Access Gateway


An administrator wants to log the SSL/TLS protocol version of every HTTP request coming into their Access Gateway servers. The HTTP logs offer a lot of flexibility in what can be logged, yet the logging options do not mention SSL/TLS versions.


Common or Extended HTTP logs record HTTP-level information; SSL/TLS sits in a layer below this and therefore cannot be logged through them. There are, however, two workarounds you can try:

1) Edit /etc/opt/novell/apache2/conf/httpd.conf

Uncomment the following lines and add the %{SSL_PROTOCOL}x text to the LogFormat line:
    LogFormat "%h %l %u %t \"%r\" %>s %b %{SSL_PROTOCOL}x" common
    CustomLog "/var/log/novell-apache2/access_log" common

More details are available from (under CustomLog format section)

2) Add an advanced option in the PR where you want this additional log:

    Include /etc/opt/novell/apache2/conf/mypr1.conf

Create this file with the following content before applying:

  LogFormat "%{%Y-%m-%d %H:%M:%S}t  %a \"%{Cache-Control}o\" %L %B %X \"%{X-Forwarded-For}i\" %I \"%{ETag}o\" \"%{If-Range}o\" \"%{Range}o\" \"%{Content-Range}o\" \"%{Pragma}i\" \"%{Pragma}o\" %{SSL_PROTOCOL}x %{SSL_CIPHER}x" mypr1
  CustomLog "|\"/opt/novell/apache2/sbin/rotatelogs\" \"/var/log/novell/reverse/rp1/ps1-ps1.extended.log.%Y-%m-%d-%H_%M_%S\" 10M 7files" mypr1 env=ps1

With either option, you cannot have "extended logging" enabled for the PR. The statements above provide what extended logging does, except that you lose the ability to add or modify logging options from the Admin console.
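
An added example (not part of the original article and not NetIQ code): a Python script that parses access_log lines written with the LogFormat from workaround 1, counts requests per SSL/TLS protocol version and lists the clients still negotiating legacy versions. The sample log lines are constructed, and the LEGACY set is an assumed local policy.

```python
import re
from collections import Counter, defaultdict

# Matches: %h %l %u %t "%r" %>s %b %{SSL_PROTOCOL}x
LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'(?P<proto>\S+)$'
)

# Assumption: which protocol versions count as legacy is local policy.
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [26/Mar/2015:10:15:01 +0100] "GET /portal/ HTTP/1.1" 200 5120 TLSv1.2
192.0.2.11 - alice [26/Mar/2015:10:15:03 +0100] "POST /login HTTP/1.1" 302 - TLSv1
198.51.100.7 - - [26/Mar/2015:10:15:04 +0100] "GET /img/a.png HTTP/1.1" 200 734 SSLv3
192.0.2.11 - alice [26/Mar/2015:10:15:09 +0100] "GET /app \\"x\\" HTTP/1.1" 200 88 TLSv1
203.0.113.5 - - [26/Mar/2015:10:15:12 +0100] "GET / HTTP/1.1" 301 - -
this line is truncated or malformed
"""

def summarize(lines):
    """Return (per-protocol counts, legacy clients by protocol, unparsed count)."""
    counts = Counter()
    legacy_clients = defaultdict(set)
    unparsed = 0
    for line in lines:
        if not line.strip():
            continue
        m = LINE_RE.match(line.rstrip("\n"))
        if m is None:
            unparsed += 1  # keep a count so format drift is noticed
            continue
        # A "-" is logged when the variable is unset (plain HTTP request).
        proto = "no-tls" if m["proto"] == "-" else m["proto"]
        counts[proto] += 1
        if proto in LEGACY:
            legacy_clients[proto].add(m["host"])
    return counts, dict(legacy_clients), unparsed

if __name__ == "__main__":
    counts, legacy, unparsed = summarize(SAMPLE_LOG.splitlines())
    for proto, n in counts.most_common():
        print(f"{proto:8} {n}")
    for proto, hosts in sorted(legacy.items()):
        print(f"legacy {proto}: {', '.join(sorted(hosts))}")
    print(f"unparsed lines: {unparsed}")
```

To run it against a real log, pass an open file handle for /var/log/novell-apache2/access_log to summarize() instead of the sample lines.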