31.2.1 Useful Troubleshooting Files

Access Gateway Service consists of two main modules: a Gateway Manager module that runs on top of Tomcat and a Proxy Service module that runs on top of Apache. Figure 31-1 illustrates these modules and the communication paths that Access Gateway Service has with other devices.

Figure 31-1 Access Gateway Service Modules

Proxy Service: This component runs as an instance of Apache and is responsible for controlling access to the configured protected resources on web servers. Low-level errors are reported in the Apache logs. Some higher-level errors are also reported to the files in the amlogging/logs directory.

ESP: The Embedded Service Provider is responsible for handling all communications with Identity Server and is responsible for the communication that verifies the authentication credentials of users. Log entries for this communication process, including errors, are logged in the catalina.out file and the stdout.log file.

ActiveMQ: This module is used for real-time communication between Administration Console and the Proxy Service. Errors generated from the Gateway Manager to the ActiveMQ module are logged to the Tomcat logs. Errors generated from the Proxy Service to the ActiveMQ module are logged to the Apache error logs.

JCC: The Java Communication Controller is the interface to Administration Console. It handles health, statistics, configuration updates, and purge cache requests from Administration Console. It is also responsible for certificate management. Errors generated between the JCC module and the Gateway Manager are logged to the ags_error.log file. Errors generated between Administration Console and the JCC module are logged to the jcc-0.log.x file.

Gateway Manager: This module is responsible for handling communication from JCC to the Proxy Service. It also writes the configuration commands to the Apache configuration files and the Proxy Service configuration file on disk. Errors generated while performing these tasks are logged to the ags_error.log file.

For more information about these various log files, see the following:

Apache Logging Options for Gateway Service

The Proxy Service module of Access Gateway Service is built on top of Apache as an Apache application. This module handles the browser requests for access to resources and is responsible for sending authorized requests to the web servers. Entries for these events are logged to the Apache log files.

/var/log/novell-apache2/

For more information, see Ignoring Some Standard Messages and Section 22.4.1, Managing Access Gateway Logs.

Ignoring Some Standard Messages

Apache cannot detect the proper use of domain-based multi-homing with wildcard certificates, which allows multiple proxy services to share the same SSL port. If you create reverse proxy services that are configured for domain-based multi-homing with SSL, Apache considers this a possible port conflict and logs it as a warning in the error.log file.

The error messages look similar to the following:

[<time and date stamp>] [warn] Init: SSL server IP/port conflict:
dbmhnsnetid.dsm.cit.novell.com:443 (C:/Program
Files/Novell/apache/conf/vhosts.d/dbmhNS-NetID.conf:18) vs.
magwin1430external.dsm.cit.novell.com:443 (C:/Program
Files/Novell/apache/conf/vhosts.d/magMaster.conf:18)

[<time and date stamp>] [warn] Init: SSL server IP/port conflict:
magdbmheguide.dsm.cit.novell.com:443 (C:/Program
Files/Novell/apache/conf/vhosts.d/dbmhMagEguide.conf:18) vs.
magwin1430external.dsm.cit.novell.com:443 (C:/Program
Files/Novell/apache/conf/vhosts.d/magMaster.conf:18)

You can ignore these errors because Access Gateway Service knows how to handle the traffic and send the packets to the correct proxy service.

For more information about Apache log files, see “Log Files”.
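One way to keep these expected warnings from hiding other entries during log review, as an added example that is not part of the product documentation. It suppresses a conflict warning only when both hosts appear in a list of proxy services you configured for domain-based multi-homing; the function name `triage_error_log`, the host names, the file names and the log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: hide only the SSL IP/port conflict warnings whose two hosts
# are both known multi-homing proxy services; every other line stays visible.

# $1 = Apache error log, $2 = file of expected host names, one per line
triage_error_log() {
    awk -v hosts="$2" -v marker='Init: SSL server IP/port conflict: ' '
        FILENAME == hosts { expected[tolower($1)] = 1; next }
        {
            pos = index($0, marker)
            if (pos > 0) {
                rest = substr($0, pos + length(marker))
                if (index(rest, " vs. ") > 0) {
                    first = rest
                    sub(/:[0-9]+ .*/, "", first)       # host before the first :port
                    second = rest
                    sub(/^.* vs\. /, "", second)       # drop everything up to "vs. "
                    sub(/:[0-9]+ .*/, "", second)      # host before its :port
                    if ((tolower(first) in expected) && (tolower(second) in expected))
                        next                           # expected multi-homing pair
                }
            }
            print
        }
    ' "$2" "$1"
}

# Constructed sample input (hosts, paths and entries are not from a real system).
demo=$(mktemp -d)
printf '%s\n' 'portal.example.test' 'wiki.example.test' > "$demo/expected_hosts.txt"
cat > "$demo/error.log" <<'EOF'
[constructed date] [warn] Init: SSL server IP/port conflict: wiki.example.test:443 (/constructed/vhosts.d/wiki.conf:18) vs. portal.example.test:443 (/constructed/vhosts.d/portal.conf:18)
[constructed date] [warn] Init: SSL server IP/port conflict: unlisted.example.test:443 (/constructed/vhosts.d/unlisted.conf:18) vs. portal.example.test:443 (/constructed/vhosts.d/portal.conf:18)
[constructed date] [error] constructed unrelated error entry
EOF

# Prints the second and third entries; the first is an expected pair.
triage_error_log "$demo/error.log" "$demo/expected_hosts.txt"
```

A conflict warning that names a host missing from the list is kept, so a proxy service that shares the SSL port without being part of the intended multi-homing setup still shows up in review.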

Modifying the Logging Level for the Apache Logs

If the Apache error log file does not contain enough information, you can modify the log level and the types of messages written to the file.

WARNING: If you set the log level to debug, the size of the file can grow quickly, consume all available disk space, and crash the system. If you change the log level, you need to carefully monitor available disk space and the size of the error log file.

To modify what is written to the Apache error log file:

  1. Change to the Apache configuration directory.

    /etc/opt/novell/apache2/conf

  2. Open the httpd.conf file.

  3. Find the LogLevel directive and set it to one of the following:

    debug, info, notice, warn, error, crit, alert, emerg

  4. Save the file.

  5. Restart Apache:

    /etc/init.d/novell-apache2 restart OR rcnovell-apache2 restart

  6. (Optional) If you set the level to debug and the log file still does not supply enough information, see Section 31.2.4, Enabling Debug Mode and Core Dumps.
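A check to run after changing the log level, as an added example that is not part of the product documentation: it reads the LogLevel from httpd.conf and compares free disk space against a threshold you choose. The function names and the threshold are assumptions, and the sample files are constructed.

```shell
#!/bin/sh
# Added example: report the configured LogLevel and the disk headroom for the error log.

# Last uncommented LogLevel line in the file; Apache's default is warn when none is set.
# Simplification: per-virtual-host LogLevel overrides are not distinguished.
current_loglevel() {
    awk 'tolower($1) == "loglevel" { level = tolower($2) }
         END { print (level == "" ? "warn" : level) }' "$1"
}

# File size in KiB, rounded up; 0 when the file does not exist.
file_kib() {
    [ -f "$1" ] || { echo 0; return 0; }
    echo $(( ( $(wc -c < "$1") + 1023 ) / 1024 ))
}

# Free KiB on the filesystem that holds the given directory.
free_kib() {
    df -Pk "$1" | awk 'NR == 2 { print $4 }'
}

# $1 = httpd.conf, $2 = error log, $3 = minimum free KiB to tolerate
# Returns 0 (not debug), 1 (debug, enough space), 2 (debug, low space).
check_logging() {
    level=$(current_loglevel "$1")
    free=$(free_kib "$(dirname "$2")")
    echo "LogLevel=$level error_log_kib=$(file_kib "$2") free_kib=$free"
    [ "$level" = "debug" ] || return 0
    if [ "$free" -lt "$3" ]; then
        echo "ALERT: debug logging with less than $3 KiB free"
        return 2
    fi
    echo "NOTICE: debug logging is on; keep watching the error log size"
    return 1
}

# Constructed sample files (not a real Access Gateway configuration).
demo_dir=$(mktemp -d)
printf '%s\n' '# LogLevel info' 'ServerName gateway.example.test' '  LogLevel debug' \
    > "$demo_dir/httpd.conf"
printf '%s\n' '[constructed date] [debug] constructed sample entry' > "$demo_dir/error.log"
check_logging "$demo_dir/httpd.conf" "$demo_dir/error.log" 1048576 || true
```

On a gateway, the arguments would be the httpd.conf in the configuration directory from step 1 and the error log under /var/log/novell-apache2/; the error.log file name there is an assumption taken from the warning text earlier in this section.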

Access Gateway Service Log Files

See Section 22.5.3, Access Gateway Appliance and Access Gateway Service Logs. You can gather these log files into a single zip file: