31.2.1 Useful Troubleshooting Files

Access Gateway Service consists of two main modules, a Gateway Manager module that runs on top of Tomcat and a Proxy Service module that runs on top of Apache. Figure 31-1 illustrates these modules and the communication paths that Access Gateway Service has with other devices.

Figure 31-1 Access Gateway Service Modules

Proxy Service: This component runs as an instance of Apache and is responsible for controlling access to the configured protected resources on web servers. Low-level errors are reported in the Apache logs. Some higher-level errors are also reported to the files in the amlogging/logs directory.

ESP: The Embedded Service Provider handles all communication with Identity Server, including the communication that verifies the authentication credentials of users. Log entries for this communication process, including errors, are logged in the catalina.out file and the stdout.log file.

ActiveMQ: This module is used for real-time communication between Administration Console and the Proxy Service. Errors generated from the Gateway Manager to the ActiveMQ module are logged to the Tomcat logs. Errors generated from the Proxy Service to the ActiveMQ module are logged to the Apache error logs.

JCC: The Java Communication Controller is the interface to Administration Console. It handles health, statistics, configuration updates, and purge cache requests from Administration Console. It is also responsible for certificate management. Errors generated between the JCC module and the Gateway Manager are logged to the ags_error.log file. Errors generated between Administration Console and the JCC module are logged to the jcc-0.log.x file.

Gateway Manager: This module is responsible for handling communication from JCC to the Proxy Service. It also writes the configuration commands to the Apache configuration files and the Proxy Service configuration file on disk. Errors generated while performing these tasks are logged to the ags_error.log file.

User Session Cache: Access Gateway Service has one additional module, a User Session Cache module. This module is responsible for managing user information across all Proxy Service processes. Any errors generated by this module are logged to the Apache error logs.

For more information about these various log files, see the following:

Apache Logging Options for Gateway Service

The Proxy Service module of Access Gateway Service is built on top of Apache as an Apache application. This module handles the browser requests for access to resources and is responsible for sending authorized requests to the web servers. Entries for these events are logged to the Apache log files.

If Access Gateway Service log files do not contain enough information to solve a problem (see Section 22.4.1, Managing Access Gateway Logs), you might want to view the contents of the Apache log files. These files are located in the following directory:

Linux: /var/log/novell-apache2/

Windows: C:\Program Files\Novell\apache\logs\

For more information, see Ignoring Some Standard Messages and Section 22.4.1, Managing Access Gateway Logs.

Ignoring Some Standard Messages

Apache cannot detect the proper use of domain-based multi-homing with wildcard certificates, which allows multiple proxy services to share the same SSL port. If you create reverse proxy services that are configured for domain-based multi-homing with SSL, Apache considers this a possible port conflict and logs it as a warning in the error.log file.

The warning messages look similar to the following:

[<time and date stamp>] [warn] Init: SSL server IP/port conflict:
dbmhnsnetid.dsm.cit.novell.com:443 (C:/Program
Files/Novell/apache/conf/vhosts.d/dbmhNS-NetID.conf:18) vs.
magwin1430external.dsm.cit.novell.com:443 (C:/Program
Files/Novell/apache/conf/vhosts.d/magMaster.conf:18)

[<time and date stamp>] [warn] Init: SSL server IP/port conflict:
magdbmheguide.dsm.cit.novell.com:443 (C:/Program
Files/Novell/apache/conf/vhosts.d/dbmhMagEguide.conf:18) vs.
magwin1430external.dsm.cit.novell.com:443 (C:/Program
Files/Novell/apache/conf/vhosts.d/magMaster.conf:18)

You can ignore these warnings because Access Gateway Service knows how to handle the traffic and send the packets to the correct proxy service.

For more information about Apache log files, see “Log Files”.
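When reviewing error.log, it is safer to suppress only the conflict warnings that involve proxy services you actually configured for domain-based multi-homing, so that a conflict involving any other virtual host still gets looked at. The following is an added example, not part of the product or its documentation; the allow-list, the timestamps, the `unlisted.example.com` entry, and the `[error]` line are constructed for illustration, and each log entry is assumed to occupy one line in the real file.

```python
import re

# Format of the warning shown above: host:port (conf:line) vs. host:port (conf:line)
CONFLICT = re.compile(
    r"\[warn\] Init: SSL server IP/port conflict: "
    r"(?P<host_a>\S+?):(?P<port_a>\d+) \(.+?:\d+\) vs\. "
    r"(?P<host_b>\S+?):(?P<port_b>\d+) \(.+?:\d+\)"
)

# Assumption: the published DNS names of your multi-homed proxy services.
EXPECTED_HOSTS = {
    "dbmhnsnetid.dsm.cit.novell.com",
    "magdbmheguide.dsm.cit.novell.com",
    "magwin1430external.dsm.cit.novell.com",
}

VHOSTS = "C:/Program Files/Novell/apache/conf/vhosts.d"
PREFIX = "[Tue Mar 04 10:15:01 2014] [warn] Init: SSL server IP/port conflict: "
MASTER = f"magwin1430external.dsm.cit.novell.com:443 ({VHOSTS}/magMaster.conf:18)"

# Constructed sample: two expected conflicts, one unexpected, one unrelated entry.
SAMPLE_LOG = "\n".join([
    f"{PREFIX}dbmhnsnetid.dsm.cit.novell.com:443 ({VHOSTS}/dbmhNS-NetID.conf:18) vs. {MASTER}",
    f"{PREFIX}magdbmheguide.dsm.cit.novell.com:443 ({VHOSTS}/dbmhMagEguide.conf:18) vs. {MASTER}",
    f"{PREFIX}unlisted.example.com:443 ({VHOSTS}/unlisted.conf:18) vs. {MASTER}",
    "[Tue Mar 04 10:15:02 2014] [error] constructed entry unrelated to port conflicts",
])

def triage(log_text, multihomed_hosts):
    """Split log lines into (suppressed, review).

    A line is suppressed only if it is an SSL IP/port conflict warning,
    both sides use the same port, and both host names are on the allow-list.
    Everything else, including unparsed lines, is returned for review.
    """
    expected = {h.lower() for h in multihomed_hosts}
    suppressed, review = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = CONFLICT.search(line)
        if (m and m["port_a"] == m["port_b"]
                and m["host_a"].lower() in expected
                and m["host_b"].lower() in expected):
            suppressed.append(line)
        else:
            review.append(line)
    return suppressed, review
```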

Modifying the Logging Level for the Apache Logs

If the Apache error log file does not contain enough information, you can modify the log level and the types of messages written to the file.

WARNING: If you set the log level to debug, the size of the file can grow quickly, consume all available disk space, and crash the system. If you change the log level, you need to carefully monitor available disk space and the size of the error log file.

To modify what is written to the Apache error log file:

  1. Change to the Apache configuration directory.

    Linux: /etc/opt/novell/apache2/conf

    Windows: C:\Program Files\Novell\apache\conf

  2. Open the httpd.conf file.

  3. Find the LogLevel directive and set it to one of the following:

    debug, info, notice, warn, error, crit, alert, emerg

  4. Save the file.

  5. Restart Apache:

    Linux: /etc/init.d/novell-apache2 restart OR rcnovell-apache2 restart

    Windows: Use the following commands:

    net stop apache2.4

    net start apache2.4

  6. (Optional) If you set the level to debug and the log file still does not supply enough information, see Section 31.2.5, Enabling Debug Mode and Core Dumps.
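The monitoring that the warning above asks for can be scripted. The following is an added example, not part of the product: it reads the server-wide LogLevel from httpd.conf and reports when debug is still enabled, when the error log exceeds a size limit, or when free disk space falls below a floor. The thresholds and function names are assumptions, and the parser simply ignores any LogLevel that appears inside a `<...>` container.

```python
import os
import re
import shutil

# Levels listed in step 3 of the procedure above.
LEVELS = ["debug", "info", "notice", "warn", "error", "crit", "alert", "emerg"]

def global_loglevel(conf_text):
    """Return the last LogLevel set outside any <Section> container.
    Apache's default when no directive is present is warn."""
    level, depth = "warn", 0
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):
            depth = max(depth - 1, 0)
        elif line.startswith("<"):
            depth += 1
        elif depth == 0:
            m = re.match(r"(?i)loglevel\s+(.+)", line)
            if m:
                # Tokens such as "ssl:info" are per-module overrides; skip them.
                for tok in m.group(1).split():
                    if ":" not in tok and tok.lower() in LEVELS:
                        level = tok.lower()
    return level

def disk_risk(level, log_bytes, free_bytes, max_log_bytes, min_free_bytes):
    """Return a list of findings for the given level and disk state."""
    findings = []
    if level == "debug":
        findings.append("LogLevel is debug: revert it when troubleshooting ends")
    if log_bytes > max_log_bytes:
        findings.append(f"error log is {log_bytes} bytes (limit {max_log_bytes})")
    if free_bytes < min_free_bytes:
        findings.append(f"only {free_bytes} bytes free (minimum {min_free_bytes})")
    return findings

def check_paths(conf_path, log_path, max_log_bytes=1 << 30, min_free_bytes=5 << 30):
    """Read the real files; the default thresholds are assumptions to tune."""
    with open(conf_path, encoding="utf-8", errors="replace") as fh:
        level = global_loglevel(fh.read())
    log_bytes = os.path.getsize(log_path) if os.path.exists(log_path) else 0
    free_bytes = shutil.disk_usage(os.path.dirname(log_path) or ".").free
    return disk_risk(level, log_bytes, free_bytes, max_log_bytes, min_free_bytes)
```

Run `check_paths` against httpd.conf in the configuration directory from step 1 and the error log in the Apache log directory, for example from a scheduled job while debug logging is enabled.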

Access Gateway Service Log Files

See Section 22.5.5, Linux Access Gateway Appliance and Access Gateway Service Logs and Section 22.5.6, Windows Access Gateway Service Logs. You can gather these log files into a single zip file:

Zipping the Files on Windows Access Gateway Service

On Windows, you can use the getlogs.bat file to gather all of these log files into a zip file. You need to have 7-Zip (a free download) installed in order to run the batch file. The batch file is located in the \programfiles\Novell\unsupported directory. To run the file:

  1. Copy getlogs.bat to the C:\programfiles\Novell\unsupported directory.

  2. Copy the 7-Zip file (7za.exe) to the C:\programfiles\Novell\unsupported directory.

  3. Enter the following command:

    getlogs <filename>

    You can specify a filename. If one is not specified, the file is named out. You can modify the batch file to use a different default name.

    The file is created in the current working directory.

The batch file includes only files that are not currently in use. If you need to include the most recent version of a log file, you need to stop Access Gateway Service.