Thursday, 16 August 2012

Tivoli Access Manager Tracing



By Siva Praturi

IBM Tivoli Access Manager provides configurable tracing capabilities that can aid in problem determination. Tracing can be activated either through a routing file or through the pdadmin server task trace command. Trace files are required to assist support personnel in diagnosing problems occurring with the functioning of the Tivoli Access Manager software.

Using routing files

A routing file can be used for enabling and disabling trace. The routing file is a file that can be used to define the name, location, and logging behaviour of certain message log and trace log files. The Tivoli Access Manager Base and WebSEAL components each have their own routing (or routing.template) files defined within their respective etc directories.

The contents of a routing file are fairly self-descriptive. When using a routing file to affect trace logging or message logging, you must stop and restart the Tivoli Access Manager component for the routing file change to take effect.

Using pdadmin trace utility

The pdadmin server task trace command can be used to dynamically control trace operations for the Tivoli Access Manager authorization server, WebSEAL, and the Tivoli Access Manager Plug-in for Web Servers. The trace utility allows you to capture information about error conditions and program control flow in Tivoli Access Manager components. This information is stored in a file and used for debugging purposes.

Tracing for the Tivoli Access Manager policy server cannot be controlled dynamically with the pdadmin server task trace command. You must use the routing file to enable tracing for the policy server. The policy server must be restarted for any routing file modifications to take effect.

Let’s take a look at the tracing system in Tivoli Access Manager and some of the less complex WebSEAL and WebPI trace points in detail.

Trace elements

There are two elements within the trace system used to control the activation of trace statements. These are the trace component and the trace level.

Trace component: The trace within Tivoli Access Manager is organized into trace components. It is important to select the appropriate trace component to troubleshoot the problem area. The trace components themselves are organized in a hierarchical fashion. If trace is activated for a parent trace component, it is automatically activated for all of its child trace components.

Trace level: The amount of detail that is produced for a particular trace component is governed by the trace level that is selected. The trace level is a single integer within the range of 1-9, with 9 reporting the most detail and 1 reporting the least.

Trace output generally consists of a time stamp for the trace entry, the ID of the thread, the name of the trace component, the name of the product source file, and the trace text.

The figure below illustrates the process flow for the pdadmin server task trace command.



Listing trace components

To list all of the trace components offered by a server, issue the trace list command:

server task <server-name> trace list

Adjusting the trace level of a component

To change the level and destination for a specific trace point, use the following command:

server task <server-name> trace set <component> <level> [file path=file|other-log-agent-config]

Here, component is the name of the trace component as shown by the list command. The level controls the amount of detail to be gathered, in the range of 1 to 9. The optional file path parameter specifies the location for trace output. If this parameter is not supplied, the trace output is sent to the stdout stream of the server.

Retrieving the current trace level of a component

To show the names and levels for all enabled trace components use the following command:

server task <server-name> trace show [component]

If the component parameter is omitted, the output lists the name and level of all of the enabled trace components.

Generally used Trace Components with WebSEAL & WebPI


pd.ivc.ira
 The pd.ivc.ira component is used to trace the Tivoli Access Manager interaction with the LDAP server. As such, it is a trace component that can be used with WebSEAL or PDWebPI. The trace is useful in determining problems that occur during authentication.
pdweb.debug
 The pdweb.debug component is used to trace the HTTP headers sent between the client and WebSEAL. This includes the headers contained within the request, as well as the response.
pdweb.snoop.client
 The pdweb.snoop.client component is used to trace the HTTP packets that are transmitted between WebSEAL and the client.
pdweb.snoop.jct
 The pdweb.snoop.jct component is used to trace the HTTP packets that are transmitted between WebSEAL and the junctioned back-end Web server.
pdweb.wan.azn
 The pdweb.wan.azn component is used to trace the authorization decision for all transactions. This includes details related to the credential upon which the authorization decision is made, the resource that is being accessed, as well as the result of the authorization decision.
pdweb.wns.authn
 The pdweb.wns.authn component is used to trace details concerning the authentication process applied by WebSEAL. This includes information such as the authentication mechanism, the details used during the authentication process, and the result of the authentication.
pdwebpi.azn
 The pdwebpi.azn component is used to trace the authorization decision for all transactions.
pdwebpi.proxy-cmd
 The pdwebpi.proxy-cmd trace component can be used to examine the commands issued by the proxy component; from these, an administrator can derive what the proxy component is instructing the Web server to do with each request.
pdwebpi.request
 The pdwebpi.request component is used to trace the HTTP requests that are received by the system.
pdwebpi.session
 The pdwebpi.session component is used to trace details pertaining to a user's session. In particular, it will trace the contents of the user's session along with session expiration details and any changes that might be made to a user's session.


Note: Use trace with caution. It is intended as a tool to use under the direction of technical support personnel. Messages from trace are sometimes cryptic, are not translated, and can severely degrade system performance.
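The components above that record headers, packets, LDAP exchanges, authentication details or session contents also write any credentials and session identifiers passing through them into the trace file, so it is worth confirming that none of them stay enabled once debugging is finished. The following Python check is an added example, not part of the original post or of IBM's tooling; it assumes that trace show prints one "<component> <level>" pair per line and that the component hierarchy follows the dotted names, and its sample output is constructed.

```python
# Added example: audit `trace show` output for components that record sensitive traffic.
# Assumptions: each line is "<component> <level>"; the hierarchy follows the dotted names.

# Components the article describes as recording headers, packets, LDAP or session data.
SENSITIVE = {
    "pd.ivc.ira": "LDAP interaction during authentication",
    "pdweb.debug": "HTTP request and response headers",
    "pdweb.snoop.client": "HTTP packets between WebSEAL and the client",
    "pdweb.snoop.jct": "HTTP packets between WebSEAL and the junctioned server",
    "pdweb.wns.authn": "authentication details",
    "pdwebpi.session": "session contents",
}

def covers(parent, child):
    """True if enabling `parent` also enables `child` (same name or dotted ancestor)."""
    return child == parent or child.startswith(parent + ".")

def parse_trace_show(text):
    """Return {component: level} from the assumed "<component> <level>" lines."""
    enabled = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[1].isdigit():
            continue  # skip prompts, blank lines and anything unrecognised
        level = int(parts[1])
        if 1 <= level <= 9:  # the article gives 1-9 as the valid trace levels
            enabled[parts[0]] = level
    return enabled

def audit(enabled):
    """List (enabled component, level, sensitive component it turns on, data recorded)."""
    findings = []
    for comp, level in sorted(enabled.items()):
        for target, what in sorted(SENSITIVE.items()):
            if covers(comp, target):
                findings.append((comp, level, target, what))
    return findings

# Constructed sample output, not captured from a real server.
SAMPLE = """\
pdweb.snoop 9
pdweb.wan.azn 3
pd.ivc.ira 4
"""

if __name__ == "__main__":
    for comp, level, target, what in audit(parse_trace_show(SAMPLE)):
        print(f"{comp} (level {level}) enables {target}: {what}")
```
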

Comments:

  1. How to do it using REST API