WebSphere Application Server Network Deployment, Version 6.0.x     Operating Systems: AIX, HP-UX, Linux, Solaris, Windows

Logging Tivoli Access Manager security

Why and when to perform this task

The Java Authorization Contract for Containers (JACC) provider for Tivoli Access Manager logs its messages to the configured trace output location, and messages are written to the standard out SystemOut.log file. When trace is enabled, all logging, both trace and messaging, is sent to the trace.log file.

The JACC provider for Tivoli Access Manager uses the JLog logging framework as does the Java runtime environment for Tivoli Access Manager. You can enable tracing and messaging selectively for specific JACC provider for Tivoli Access Manager components.

Tracing and message logging for the JACC provider for Tivoli Access Manager are configured in the amwas.node_server.pdjlog.properties properties file, which is located in the /etc directory. This file contains logging properties from the amwas.pdjlog.template.properties template file for the specific node and server combination at the time of JACC provider for Tivoli Access Manager configuration.

The contents of this file let the user control:
  • Whether tracing is enabled or disabled for the JACC provider of Tivoli Access Manager components.
  • Whether message logging is enabled or disabled for the JACC provider of Tivoli Access Manager components.

The amwas.node_server.pdjlog.properties file defines several loggers, each of which is associated with one JACC provider of Tivoli Access Manager component. These loggers include:

| Logger Name | Description |
|---|---|
| AmasRBPFTraceLogger, AmasRBPFMessageLogger | Logs messages and trace for the role-based policy framework. This underlying framework is used by embedded Tivoli Access Manager to make access decisions. |
| AmasCacheTraceLogger, AmasCacheMessageLogger | Logs messages and trace for the policy caches that are used by the role-based policy framework. |
| AMWASWebTraceLogger, AMWASWebMessageLogger | Logs messages and trace for the WebSphere Application Server authorization plug-in. |
| AMWASConfigTraceLogger, AMWASConfigMessageLogger | Logs messages and trace for the configuration actions of the JACC provider for Tivoli Access Manager. |
| JACCTraceLogger, JACCMessageLogger | Logs messages and trace for the JACC provider activity of Tivoli Access Manager. |

Note: Tracing can have a significant impact on system performance. Enable tracing only when diagnosing the cause of a problem.

The implementation of these loggers routes messages to the WebSphere Application Server logging sub-system. All messages are written to the WebSphere Application Server trace.log file.

For each logger, the amwas.node_server.pdjlog.properties file defines an isLogging attribute which, when set to true, enables logging for the specific component. A value of false disables logging for that component.

The amwas.node_server.pdjlog.properties file defines the parent loggers MessageLogger and TraceLogger, which also have an isLogging attribute. If the child loggers do not specify this isLogging attribute, they inherit the value of their respective parent. When the JACC provider for Tivoli Access Manager is enabled, the isLogging attribute is set to true for the MessageLogger logger and set to false for the TraceLogger logger. By default, message logging is enabled for all components and tracing is disabled for all components.

To turn on tracing for a JACC provider component, two operations must occur:

Steps for this task

  1. The amwas.node_server.pdjlog.properties file must be updated and the isLogging attribute set to true for the required component. For example, to enable tracing for the JACC provider for Tivoli Access Manager, set the following line to true: amwas.node_server.pdjlog.properties:baseGroup.AMWASWebTraceLogger.isLogging=true
  2. Enable tracing for the JACC provider of Tivoli Access Manager components in the WebSphere Application Server administrative console by completing the following steps:
    1. Click Troubleshooting > Logs and Trace > server_name.
    2. Under Logs and Trace tasks, click Diagnostic trace.
    3. Select the Enable Log option.
    4. Click Apply.
    5. Click Troubleshooting > Logs and Trace > server_name.
    6. Under Logs and Trace tasks, click Change Log Detail Levels.
    7. Click Components. Tracing for all components can be enabled using the com.tivoli.pd.as.* command. Tracing for separate components can be enabled using the following commands:
      • com.tivoli.pd.as.rbpf.* for role-based policy framework tracing
      • com.tivoli.pd.as.jacc.* for JACC provider tracing
      • com.tivoli.pd.as.pdwas.* for the authorization table
      • com.tivoli.pd.as.cfg.* for configuration
      • com.tivoli.pd.as.cache.* for caching
    8. Click Apply.

What to do next

The trace specification now indicates that tracing is enabled at the required level. Save the configuration and restart the server for the changes to take effect.
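The following Python script is an added example, not IBM's code: it reads the contents of a pdjlog.properties file, resolves each component logger's effective isLogging value using the parent inheritance described above, and lists the trace loggers that are still enabled so they can be switched off once diagnosis is finished. It assumes the parent loggers use the same baseGroup.<Logger>.isLogging key form shown for AMWASWebTraceLogger and treats a value that is set nowhere as false; the sample content is constructed.

```python
# Added example: audit isLogging settings from a pdjlog.properties file.
# Assumptions: parent loggers are keyed as baseGroup.TraceLogger.isLogging and
# baseGroup.MessageLogger.isLogging; a value set nowhere counts as False.

COMPONENT_PREFIXES = ("AmasRBPF", "AmasCache", "AMWASWeb", "AMWASConfig", "JACC")

SAMPLE = """\
# constructed sample, not a real configuration file
baseGroup.MessageLogger.isLogging=true
baseGroup.TraceLogger.isLogging=false
baseGroup.AMWASWebTraceLogger.isLogging=true
baseGroup.AmasCacheMessageLogger.isLogging = false
"""

def parse_is_logging(text):
    """Return {logger_name: bool} for every '<group>.<logger>.isLogging=' line."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":   # blank line or properties comment
            continue
        key, sep, value = line.partition("=")
        parts = key.strip().split(".")
        if sep and len(parts) >= 2 and parts[-1] == "isLogging":
            settings[parts[-2]] = value.strip().lower() == "true"
    return settings

def effective_logging(text):
    """Resolve each child logger, inheriting from its parent when unset."""
    settings = parse_is_logging(text)
    result = {}
    for prefix in COMPONENT_PREFIXES:
        for kind in ("Trace", "Message"):
            child = f"{prefix}{kind}Logger"
            result[child] = settings.get(child, settings.get(f"{kind}Logger", False))
    return result

def enabled_trace_loggers(text):
    """Trace loggers that are effectively on (a performance cost per the note)."""
    eff = effective_logging(text)
    return sorted(n for n, on in eff.items() if on and n.endswith("TraceLogger"))

if __name__ == "__main__":
    print(enabled_trace_loggers(SAMPLE))
```

To check a real server, pass the text of its amwas.node_server.pdjlog.properties file to enabled_trace_loggers() in place of SAMPLE.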



Related tasks
Enabling an external JACC provider


Last updated: Dec 11, 2005 4:07:15 PM CST
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r0/index.jsp?topic=/com.ibm.websphere.nd.doc/info/ae/ae/tsec_logging.html

© Copyright IBM Corporation 2004, 2005. All Rights Reserved.