WebSphere Application Server - Express, Version 6.0.x     Operating Systems: AIX, HP-UX, Linux, Solaris, Windows

Logging Tivoli Access Manager security

Why and when to perform this task

Tivoli Access Manager Java Authorization Contract for Containers (JACC) provider messages are logged to the configured trace output location, and messages are written to standard out (SystemOut.log). When trace is enabled, all logging, both trace and messaging, is sent to trace.log.

The Tivoli Access Manager JACC provider uses the JLog logging framework as does the Tivoli Access Manager Java runtime environment. Tracing and messaging can be enabled selectively for specific Tivoli Access Manager JACC provider components.

Tracing and message logging for the Tivoli Access Manager JACC provider is configured in the properties file, amwas.node_server.pdjlog.properties, located in the etc directory. This file contains logging properties taken from the template file, amwas.pdjlog.template.properties, for the specific node and server combination at the time of Tivoli Access Manager JACC provider configuration.

The contents of this file let the user control:
  • Whether tracing is enabled or disabled for Tivoli Access Manager JACC provider components.
  • Whether message logging is enabled or disabled for Tivoli Access Manager JACC provider components.
The amwas.node_server.pdjlog.properties file defines several loggers, each of which is associated with one Tivoli Access Manager JACC provider component. These loggers include:
  • AmasRBPFTraceLogger, AmasRBPFMessageLogger: Used to log messages and trace for the role-based policy framework. This is an underlying framework used by embedded Tivoli Access Manager to make access decisions.
  • AmasCacheTraceLogger, AmasCacheMessageLogger: Used to log messages and trace for the policy caches used by the role-based policy framework.
  • AMWASWebTraceLogger, AMWASWebMessageLogger: Used to log messages and trace for the WebSphere Application Server authorization plug-in.
  • AMWASConfigTraceLogger, AMWASConfigMessageLogger: Used to log messages and trace for the configuration actions for the Tivoli Access Manager JACC provider.
  • JACCTraceLogger, JACCMessageLogger: Used to log messages and trace for Tivoli Access Manager JACC provider activity.
Note: Tracing can have a significant impact on system performance and should only be enabled when diagnosing the cause of a problem.

The implementation of these loggers routes messages to the WebSphere Application Server logging sub-system. All messages are written to the WebSphere Application Server's trace.log file.

For each logger, the amwas.node_server.pdjlog.properties file defines an isLogging attribute which, when set to true, enables logging for the specific component. A value of false disables logging for that component.

amwas.node_server.pdjlog.properties defines parent loggers called MessageLogger and TraceLogger that also have an isLogging attribute. If the child loggers do not specify this isLogging attribute, they inherit the value of their respective parent. When the Tivoli Access Manager JACC provider is enabled, the isLogging attribute is set to true for the MessageLogger and false for the TraceLogger. Message logging is therefore enabled for all components and tracing is disabled for all components by default.
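The inheritance rule described above can be checked mechanically before a server restart. The following is an added example, not IBM code: it resolves the effective isLogging value for each logger named on this page and lists the trace loggers that are switched on. It assumes the parent keys are written as baseGroup.MessageLogger.isLogging and baseGroup.TraceLogger.isLogging (following the pattern of the one key this page shows) and that a logger's parent can be inferred from its name suffix; the sample file content is constructed.

```python
import re

# Logger names listed on this page. Each logger's parent is inferred from
# its name suffix (assumption: the real file may declare parents explicitly).
KNOWN_LOGGERS = [
    "AmasRBPFTraceLogger", "AmasRBPFMessageLogger",
    "AmasCacheTraceLogger", "AmasCacheMessageLogger",
    "AMWASWebTraceLogger", "AMWASWebMessageLogger",
    "AMWASConfigTraceLogger", "AMWASConfigMessageLogger",
    "JACCTraceLogger", "JACCMessageLogger",
]
PARENTS = ("TraceLogger", "MessageLogger")

# Constructed sample content, not a copy of a shipped properties file.
SAMPLE = """\
# parent defaults after the JACC provider is enabled
baseGroup.MessageLogger.isLogging=true
baseGroup.TraceLogger.isLogging=false
baseGroup.AMWASWebTraceLogger.isLogging=true
baseGroup.AmasCacheMessageLogger.isLogging = false
"""

KEY = re.compile(r"^baseGroup\.(\w+)\.isLogging\s*[=:]\s*(\S+)\s*$")

def explicit_settings(text):
    """Return {logger: bool} for every isLogging line present in the file."""
    found = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue  # skip blank lines and properties-file comments
        m = KEY.match(line)
        if m:
            found[m.group(1)] = m.group(2).lower() == "true"
    return found

def effective_settings(text):
    """Resolve each known logger: its own value if set, else its parent's."""
    explicit = explicit_settings(text)
    result = {}
    for name in KNOWN_LOGGERS:
        parent = next(p for p in PARENTS if name.endswith(p))
        # A parent missing from the file is treated as disabled (assumption).
        result[name] = explicit.get(name, explicit.get(parent, False))
    return result

def enabled_trace_loggers(text):
    """Trace loggers that are on; these carry the performance cost."""
    eff = effective_settings(text)
    return sorted(n for n, on in eff.items() if on and n.endswith("TraceLogger"))
```

Running enabled_trace_loggers over the file after a diagnostic session shows which component traces still need to be set back to false.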

To turn on tracing for a Tivoli Access Manager JACC provider component, two operations must occur:

Steps for this task

  1. The amwas.node_server.pdjlog.properties file must be updated and the isLogging attribute set to true for the required component. For example, to enable tracing for the Tivoli Access Manager JACC provider, the following line must be set to true in the amwas.node_server.pdjlog.properties file:
       baseGroup.AMWASWebTraceLogger.isLogging=true
  2. Enable tracing for the Tivoli Access Manager JACC provider components in the WebSphere Application Server administrative console by completing the following steps:
    1. Click Troubleshooting > Logs and Trace > server_name.
    2. Under Logs and Trace tasks, click Diagnostic trace.
    3. Select the Enable Log option.
    4. Click Apply.
    5. Click Troubleshooting > Logs and Trace > server_name.
    6. Under Logs and Trace tasks, click Change Log Detail Levels.
    7. Click Components. Tracing for all components can be enabled using com.tivoli.pd.as.* or tracing for separate components can be enabled using:
      • com.tivoli.pd.as.rbpf.* for role-based policy framework tracing
      • com.tivoli.pd.as.jacc.* for JACC provider tracing
      • com.tivoli.pd.as.pdwas.* for the authorization table
      • com.tivoli.pd.as.cfg.* for configuration
      • com.tivoli.pd.as.cache.* for caching
    8. Click Apply.

What to do next

The trace specification should now indicate that tracing is enabled at the required level. Save the configuration, and restart the server for the changes to take effect.

Last updated: Jun 8, 2005 12:45:23 PM EDT
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r0/index.jsp?topic=/com.ibm.websphere.express.doc/info/exp/ae/tsec_logging.html

© Copyright IBM Corporation 2004, 2005. All Rights Reserved.