Identity Governance Troubleshooting

Transcription

1 Identity Governance Troubleshooting Chris Weber Level 2 support, IBM Security May 16, 2017

2 Identity Governance Troubleshooting Support Files contents Accessing different logs and other files though the IGI appliance interface Changing logging levels Logging statements in rule code Miscellaneous issues 2 IBM Security

3 Support Files contents

4 Support files contents Generate Support Files package from IGI appliance to include with PMR open for errors or other unexpected IGI application or appliance issues. Manage -> System Settings -> Support Files -> New 4 IBM Security

5 Support files contents IGI support files package contents tmp - liberty_dump.zip, logs/data for appliance server itself var/logs/messages - OS log, relevant for patching/appliance issues and file upload issues var/ibm/tivoli/common/ctgim/logs ID broker trace/msg logs ( isim code logs) opt/isig/ideasplatformenv/log/ IGI application logs opt/ibm/wlp/usr/servers contains three subdirectories of the Liberty/WebSphere profile servers broker Liberty/WebSphere server logs running ID broker default Liberty/WebSphere appliance server logs igi Liberty/Websphere server logs running IGI application 5 IBM Security

6 Support files contents Logs to check for issues uploading files to IGI appliance, appliance configuration issues, or fixpack install/upgrade issues. LMI or Liberty/WebSphere server logs that run the appliance interface <support file zip file>\tmp\liberty_dump.zip <support file zip file>\tmp\liberty_dump\logs\ - message and trace logs The appliance OS logs themselves <support file zip file>\var\log\messages 6 IBM Security Mar 3 10:06:47 mesa_control[17433]: Installing fixpack from file /tmp/ iss-igi-if0001.fixpack Mar 3 10:06:48 kernel: EXT4-fs (loop0): mounted filesystem without journal. Opts: Mar 3 10:06:50 mesa_install_fixpack: ISS-IGI-IF0001 install successful Mar 3 10:06:50 mesa_control[17433]: Fixpack /tmp/ iss-igi-if0001.fixpack: install successful

7 Accessing different logs and other files though the IGI appliance interface

8 Accessing different logs and other files though the IGI appliance interface IGI application logs IGI Liberty/WebSphere server logs IGI sdk.zip file 8 IBM Security

9 Accessing different logs and other files though the IGI appliance interface IGI application logs Configure -> Manage Server Settings -> Custom File Management 9 IBM Security

10 Accessing different logs and other files though the IGI appliance interface log -> console. Logs related to the different UI interfaces of IGI. 10 IBM Security

11 Accessing different logs and other files though the IGI appliance interface log -> iga_core. Main set of the logs for different operations/activities in IGI. The logs for the event queues and schedulers. 11 IBM Security

12 Accessing different logs and other files though the IGI appliance interface log -> system. For some database related issues we might check the hibernate.log. 12 IBM Security

13 Accessing different logs and other files though the IGI appliance interface IGI Liberty/WebSphere server logs Manage -> Maintenance -> Log Retrieval and Configuration Appliance tab logs are the IGI appliance server itself. 13 IBM Security

14 Accessing different logs and other files though the IGI appliance interface Identity tab contains IGI and Broker application server logs and SDI logs *note that the interface only shows the latest log file. To get to previous or older log files need to generate support files package. 14 IBM Security

15 Accessing different logs and other files though the IGI appliance interface IGI SDK package download from IGI appliance Contains client jar files, for example used with ISIGADI Javadoc for API Some API examples Usually gets updated when IGI fixpacks are applied to the IGI server 15 IBM Security

16 Changing logging levels

17 Changing logging levels Manage -> Maintenance -> Log Retrieval and Configuration -> Configure Identity tab for changing logging levels for IGI application itself Restart of Security Identity Governance and Intelligence server from appliance home page required after Identity or Application Server logging changes to take effect. 17 IBM Security

18 Changing logging levels Application Server tab to change logging for Liberty/WebSphere servers for IGI and Broker servers Example setting com.ibm.iga.idbrokerage.* to All level for debugging brokerage issues. 18 IBM Security

19 Changing logging levels Example of logging settings for debugging OpenID issues from IGI server side. com.ibm.ws.security.*=all com.ibm.ws.webcontainer.security.*=all com.ibm.oauth.*=all com.ibm.wsspi.security.oauth20.*=all com.ibm.ws.transport.http.*=all org.apache.http.client.*=all 19 IBM Security

20 Changing logging levels SDI tab for changing logging levels of SDI/dispatcher running on IGI appliance 20 IBM Security

21 Logging statements in rule code

22 Logging statements in rule code Can use logger.debug() and logger.info() level statements to help in debugging rule code. logger.debug( ### DEBUG *** Sync level: " + eventout.getcodiceoperazione()); logger.info( ### INFO *** Sync level: " + eventout.getcodiceoperazione()); Example accessgovernancecore_event_out.log file output from above logger statements Jan 26, 2017, 9:21:36 AM DEBUG AGC:? - ### DEBUG *** Sync level: PM_ _admin Jan 26, 2017, 9:21:36 AM INFO AGC:? - ### INFO *** Sync level: PM_ _admin Can also use System.out.println() to write to IGI application server message log file. 22 IBM Security

23 Logging statements in rule code Which level of the log statements show IGI application log files is controlled by the Log Level setting under Access Governance Core -> Settings -> Core Configurations -> General. Debug level will show both logger.debug() and logger.info() lines. 23 IBM Security

24 Logging statements in rule code Different rule class log file locations Live and Deferred (In only) logs\iga_core\accessgovernancecore_event_in.log logs\iga_core\accessgovernancecore_event_out.log logs\iga_core\accessgovernancecore_event_target.log Authorization Digest The logger() statements don't write to any IGI appliance log file in these rules. Instead use System.out.println() to write to the IGI server message log file. Advanced logs\iga_core\scheduler_job.log Account logs\iga_core\accessgovernancecore.log Attestation logs\iga_core\scheduler_job.log Hierarchy logs\iga_core\scheduler_job.log 24 IBM Security

25 Logging statements in rule code During development and testing of new rule code, change the cachetime of the jobs on the RuleEngine task in Task Planner to value smaller than default 120 minutes. This allows for the updated/modified rule contents to take effect without server restart or waiting 120 minutes. 25 IBM Security

26 Logging statements in rule code The cachetime updated to 0 minutes. The rule code will get recompiled every time it is run, no caching or delay for changes to take effect. The RuleEngine task has to be stopped to modify the settings on the Jobs of the task. 26 IBM Security

27 Miscellaneous issues

28 Miscellaneous issues Task planner tasks in inconsistent state Launching Target Administration issues 28 IBM Security

29 Miscellaneous issues Task Planner tasks in inconsistent state Inconsistent state of Tasks (orange exclamation marks) Good state of Tasks 29 IBM Security

30 Miscellaneous issues Select each of the Schedulers and perform Actions -> Synchronize 30 IBM Security

31 Miscellaneous issues Launching Target Administration issues Launching Target Administration and seeing following page displayed with error about session timed out. This is often result of some communication or data issue with the IGI/broker LDAP. 31 IBM Security

32 Miscellaneous issues Checking the IBM Security Identity Governance and Intelligence trace log 32 IBM Security

33 Miscellaneous issues Example log output from the IBM Security Identity Governance and Intelligence trace log <Trace Level="MIN"> <Time Millis=" "> :54: :00</Time> <Server Format="IP">igiva.ibm.com</Server> <ProductId>CTGIM</ProductId> <Component>com.ibm.itim.apps.ejb.home</Component> <ProductInstance>server1</ProductInstance> <LogText><![CDATA[]]></LogText> <Source FileName="com.ibm.itim.apps.ejb.home.HomeBean" Method="getAuthenticationObject"/> <Thread>LargeThreadPool-thread-69</Thread> <Exception><![CDATA[com.ibm.itim.apps.exception.AppProcessingException: Communication Failure. The directory server is not available. Error: :389 at com.ibm.itim.apps.ejb.home.homebean.getdirectorysystementity(homebean.java:1965) at com.ibm.itim.apps.ejb.home.homebean.getauthenticationobject(homebean.java:869) at com.ibm.itim.apps.ejb.home.homebean.getauthenticationobject(homebean.java:853) < > <Trace Level="MIN"> <Time Millis=" "> :55: :00</Time> <Server Format="IP">igiva.ibm.com</Server> <ProductId>CTGIM</ProductId> <Component>com.ibm.itim.ui</Component> <ProductInstance>server1</ProductInstance> <LogText><![CDATA[An application error occurred.]]></logtext> <Source FileName="com.ibm.itim.ui.controller.ITIMControlServlet" Method="doGet"/> <Thread>LargeThreadPool-thread-84</Thread> <Exception><![CDATA[com.ibm.itim.apps.ApplicationException: Your session timed out. Enter your user ID and password to re-establish your session. at com.ibm.itim.ui.controller.itimcontrolservletfilter.dofilter(itimcontrolservletfilter.java:179) at com.ibm.ws.webcontainer.filter.filterinstancewrapper.dofilter(filterinstancewrapper.java:207) < > 33 IBM Security

34 Miscellaneous reference documentation IGI tuning guide IGI Knowledge Center Cookbook for ISAM 9.0 and IGI 5.2.x IBM Security

35 THANK YOU FOLLOW US ON: ibm.com/security securityintelligence.com youtube/user/ibmsecuritysolutions Copyright IBM Corporation All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others. Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.