The following are the locations of log files:
Identity Server:
You must select Echo to Console (Devices > Identity Servers > Edit > Auditing and Logging) to enable logging to these files.
/var/opt/novell/nam/logs/idp/tomcat/catalina.out
Access Gateway ESP:
/var/opt/novell/nam/logs/mag/tomcat/catalina.out
Access Gateway:
/var/log/novell-apache2/error_log
For basic troubleshooting, enable the severe log level for Identity Server and Access Gateway ESP and the crit log level for Access Gateway.
Access Gateway:
Click Devices > Access Gateways > Edit > Advanced Options.
Add the following:
LogLevel crit
Identity Server:
Click Devices > Identity Servers > Edit > Auditing and Logging.
Select File Logging and Echo to Console.
Under Component File Logger Levels > Application, select severe.
For advanced troubleshooting, enable the debug level. See Using debug Logs.
These log snippets provide the following information:
User DN
Correlation ID (session ID)
Currently fetched device information
Device Fingerprint (Device fingerprint stored in the session)
Result
Failure cause
Offending Mandatory Attribute (information about the parameter that did not match)
Identity Server
<amLogEntry> 2016-09-23T09:59:06Z SEVERE NIDS Application:
*************Device Fingerprint Evaluation Trace*************
Evaluating device fingerprint for user: cn=admin,o=novell
Correlation ID: d2ee43e3fbb2ca0487c9088fbc14c64cae552ecf6233412aa73fe6758a329598
Currently fetched device info: {"headerSet":{"user-agent":"Microsoft Office Protocol Discovery"}}
Total number of known devices to compare against: 1
Overall Result: Mismatch
*************Summary of comparison against known device*************
Evaluation Result: Mismatch
Device Fingerprint: {"user-agent":"Mozilla/5.0 (X11; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0"}
Failure Cause: At least one individual attribute failed match/is unavailable.
Offending individual attribute: user-agent
***************End of comparison against known device***************
***************************Trace End*************************
</amLogEntry>
<amLogEntry> 2016-09-23T09:59:06Z SEVERE NIDS Application: The session might have been hijacked. Logging out </amLogEntry>
Access Gateway
The following is a snippet of the log when the crit level is enabled. This log records the session assurance failure message:
Sep 28 20:27:07 namiso httpd[9797]: [crit] AM#104600404 AMDEVICEID#ag-8B62635F46CD2776: AMAUTHID#YfdEmqCT2ZutwybD1eYSpfph8g5a5aMl6MGryq1hIqc=: AMEVENTID#23: logging out user with DN=cn=admin,o=novell and session ID =965dce7b7f4963730fed0bebf93d4ef70e062fb90e590569729f2b9b9dfd because of session assurance mismatch
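The following is an added example, not part of the product documentation or its tooling. It extracts the fields listed above from an Identity Server trace and from an Access Gateway crit line, and recomputes which stored attributes no longer match. The function names are hypothetical, and skipping the nonce in the comparison is an assumption.

```python
import json
import re

# Sample entries copied from the severe and crit snippets on this page (asterisk banners dropped).
IDP_TRACE = (
    'Evaluating device fingerprint for user: cn=admin,o=novell '
    'Correlation ID: d2ee43e3fbb2ca0487c9088fbc14c64cae552ecf6233412aa73fe6758a329598 '
    'Currently fetched device info: {"headerSet":{"user-agent":"Microsoft Office Protocol Discovery"}} '
    'Total number of known devices to compare against: 1 Overall Result: Mismatch '
    'Evaluation Result: Mismatch Device Fingerprint: {"user-agent":"Mozilla/5.0 '
    '(X11; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0"} Failure Cause: At least one '
    'individual attribute failed match/is unavailable. Offending individual attribute: user-agent')
AG_LINE = ('Sep 28 20:27:07 namiso httpd[9797]: [crit] AM#104600404 AMDEVICEID#ag-8B62635F46CD2776: '
           'AMAUTHID#YfdEmqCT2ZutwybD1eYSpfph8g5a5aMl6MGryq1hIqc=: AMEVENTID#23: logging out user '
           'with DN=cn=admin,o=novell and session ID =965dce7b7f4963730fed0bebf93d4ef70e062fb90e590569729f2b9b9dfd '
           'because of session assurance mismatch')
AG_RE = re.compile(r'\[crit\] AM#(?P<code>\d+) AMDEVICEID#(?P<device>[^:]+): AMAUTHID#(?P<auth>\S*): '
                   r'AMEVENTID#(?P<event>\d+): logging out user with DN=(?P<dn>.+?) and session ID ='
                   r'(?P<session>\w+) because of session assurance mismatch')

def json_after(label, text):
    """Decode the JSON object that follows `label`, tolerating nested braces."""
    start = text.index('{', text.index(label))
    return json.JSONDecoder().raw_decode(text, start)[0]

def flatten(info):
    """Fetched info is grouped by category; the stored fingerprint is flat. Values become str."""
    flat = {}
    for key, val in info.items():
        flat.update({k: str(v) for k, v in val.items()} if isinstance(val, dict) else {key: str(val)})
    return flat

def field(pattern, text):
    m = re.search(pattern, text)
    return m.group(1) if m else None

def parse_idp_trace(text):
    fetched = flatten(json_after('Currently fetched device info:', text))
    stored = flatten(json_after('Device Fingerprint:', text))
    return {
        'user': field(r'for user: (\S+)', text),
        'correlation_id': field(r'Correlation ID: (\w+)', text),
        'offending': field(r'Offending \w+ [Aa]ttribute: (\S+)', text),
        # Assumption: the nonce differs on every evaluation, so it is not reported.
        'changed': sorted(k for k in stored if k != 'nonce' and fetched.get(k) != stored[k]),
    }

def parse_ag_logout(line):
    m = AG_RE.search(line)
    return m.groupdict() if m else None
```

An attribute that is missing from the fetched information counts as changed, which corresponds to the "is unavailable" part of the failure cause.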
Debug logs include detailed information such as the reason for the failure, the list of parameters, and the session interval value.
Perform the following steps to enable logging at the debug level:
Access Gateway:
Click Devices > Access Gateways > Edit > Advanced Options.
Add the following line:
LogLevel debug
Identity Server:
Click Devices > Identity Servers > Edit > Auditing and Logging.
Select File Logging and Echo to Console.
Under Component File Logger Levels > Application, select debug.
Device Fingerprint Evaluation Trace for Identity Server
This log snippet provides the following information:
User DN
Correlation ID (session ID)
Currently fetched device information
Device Fingerprint (Device fingerprint stored in the session)
Result
Failure cause
Offending Mandatory Attribute (information about the parameter that did not match)
List of parameters being considered in the fingerprinting
*************Device Fingerprint Evaluation Trace*************
Evaluating device fingerprint for user: cn=admin,o=novell
Correlation ID: CF0E200CA9FB92A3F29D79560140526E
Currently fetched device info: {"availFontSet":{},"cpuArchitecture":{"cpuArchitecture_cpuArchitecture":"amd64"},"deviceLanguage":{"deviceLanguage_deviceLanguageSet":"en-US,en","deviceLanguage_deviceDefaultLanguage":"en-US"},"html5DataSet":{},"navigatorPlatform":{},"operatingSystem":{"operatingSystem_osName":"Windows","operatingSystem_osVersion":"7"},"screenResolution":{},"userAgent":{},"webglData":{},"nonce":"1470635556957","deviceType":"NA$NA$NA","deviceTouchPoints":0,"colorDepth":24,"headerSet":{},"userDN":{},"clientIP":{}}
Total number of known devices to compare against: 1
Overall Result: Mismatch
*************Summary of comparison against known device*************
Evaluation Result: Mismatch
Device Fingerprint: {"deviceType":"NA$NA$NA","deviceLanguage_deviceLanguageSet":"en-US,en,af","deviceLanguage_deviceDefaultLanguage":"en-US","deviceTouchPoints":"0","cpuArchitecture_cpuArchitecture":"amd64","colorDepth":"24","nonce":"1470635480882","operatingSystem_osName":"Windows","operatingSystem_osVersion":"7"}
Failure Cause: Atleast one mandatory attribute failed match/is unavailable.
Offending Mandatory Attribute: deviceLanguage_deviceLanguageSet
***************End of comparison against known device***************
***************************Trace End*************************
</amLogEntry>
<amLogEntry> 2016-08-08T05:52:39Z SEVERE NIDS Application: Session seems to have got hijacked so logout! Trying to forcefully log out session CF0E200CA9FB92A3F29D79560140526E. Root cause: error during evaluating fingerprint. Evaluated nonce is null
Device Fingerprint Evaluation Trace for Access Gateway
Sep 29 18:03:05 lsb httpd[30697]: [info] AM#504600000 AMDEVICEID#ag-95F88CA3CFF470ED: AMAUTHID#: AMEVENTID#8568: configuring session assurance policy
Sep 29 18:03:05 lsb httpd[30697]: [info] AM#504600000 AMDEVICEID#ag-95F88CA3CFF470ED: AMAUTHID#: AMEVENTID#8568: session assurance is enabled
Sep 29 18:03:05 lsb httpd[30697]: [info] AM#504600000 AMDEVICEID#ag-95F88CA3CFF470ED: AMAUTHID#: AMEVENTID#8568: trigger time =1
Sep 29 18:03:05 lsb httpd[30697]: [info] AM#504600000 AMDEVICEID#ag-95F88CA3CFF470ED: AMAUTHID#: AMEVENTID#8568: list of attributes enabled for session assurance...
Sep 29 18:03:05 lsb httpd[30697]: [info] AM#504600000 AMDEVICEID#ag-95F88CA3CFF470ED: AMAUTHID#: AMEVENTID#8568: server side finger print=clientip
Sep 29 18:03:05 lsb httpd[30697]: [info] AM#504600000 AMDEVICEID#ag-95F88CA3CFF470ED: AMAUTHID#: AMEVENTID#8568: advanced session assurance = colorDepth
Sep 29 18:03:05 lsb httpd[30697]: [info] AM#504600000 AMDEVICEID#ag-95F88CA3CFF470ED: AMAUTHID#: AMEVENTID#8568: advanced session assurance = cpuArchitecture_cpuArchitecture
Sep 29 18:03:05 lsb httpd[30697]: [info] AM#504600000 AMDEVICEID#ag-95F88CA3CFF470ED: AMAUTHID#: AMEVENTID#8568: advanced session assurance = deviceTouchPoints
Sep 29 18:03:05 lsb httpd[30697]: [info] AM#504600000 AMDEVICEID#ag-95F88CA3CFF470ED: AMAUTHID#: AMEVENTID#8568: advanced session assurance = deviceTouchSupport
Sep 29 18:03:05 lsb httpd[30697]: [info] AM#504600000 AMDEVICEID#ag-95F88CA3CFF470ED: AMAUTHID#: AMEVENTID#8568: advanced session assurance = deviceType
Sep 29 18:03:05 lsb httpd[30697]: [info] AM#504600000 AMDEVICEID#ag-95F88CA3CFF470ED: AMAUTHID#: AMEVENTID#8568: advanced session assurance = deviceLanguage_deviceLanguageSet
Sep 29 18:03:05 lsb httpd[30697]: [info] AM#504600000 AMDEVICEID#ag-95F88CA3CFF470ED: AMAUTHID#: AMEVENTID#8568: advanced session assurance = deviceLanguage_deviceDefaultLanguage
Sep 29 18:03:05 lsb httpd[30697]: [info] AM#504600000 AMDEVICEID#ag-95F88CA3CFF470ED: AMAUTHID#: AMEVENTID#8568: advanced session assurance = operatingSystem_osName
Sep 29 18:03:05 lsb httpd[30697]: [info] AM#504600000 AMDEVICEID#ag-95F88CA3CFF470ED: AMAUTHID#: AMEVENTID#8568: advanced session assurance = operatingSystem_osVersion
Sep 29 18:03:05 lsb httpd[30697]: [info] AM#504600000 AMDEVICEID#ag-95F88CA3CFF470ED: AMAUTHID#: AMEVENTID#8568: server side finger print=user-agent
Sep 29 18:03:05 lsb httpd[30697]: [info] AM#504600000 AMDEVICEID#ag-95F88CA3CFF470ED: AMAUTHID#: AMEVENTID#8568: advanced session assurance = timezoneOffset
Sep 29 18:03:05 lsb httpd[30697]: [info] AM#504600000 AMDEVICEID#ag-95F88CA3CFF470ED: AMAUTHID#: AMEVENTID#8568: advanced session assurance = dnt
Sep 29 18:03:05 lsb httpd[30697]: [info] AM#504600000 AMDEVICEID#ag-95F88CA3CFF470ED: AMAUTHID#: AMEVENTID#8568: advanced session assurance = navigatorConcurrency
Sep 29 18:03:05 lsb httpd[30697]: [info] AM#504600000 AMDEVICEID#ag-95F88CA3CFF470ED: AMAUTHID#: AMEVENTID#8568: advanced session assurance = navigatorPlatform_navigatorPlatform
Sep 29 18:03:05 lsb httpd[30697]: [info] AM#504600000 AMDEVICEID#ag-95F88CA3CFF470ED: AMAUTHID#: AMEVENTID#8568: advanced session assurance = userAgent_uaName
Sep 29 18:03:05 lsb httpd[30697]: [info] AM#504600000 AMDEVICEID#ag-95F88CA3CFF470ED: AMAUTHID#: AMEVENTID#8568: advanced session assurance = userAgent_uaVersion
Sep 29 18:03:05 lsb httpd[30697]: [info] AM#504600000 AMDEVICEID#ag-95F88CA3CFF470ED: AMAUTHID#: AMEVENTID#8568: advanced session assurance = html5DataSet_html5AVData
Sep 29 18:03:05 lsb httpd[30697]: [info] AM#504600000 AMDEVICEID#ag-95F88CA3CFF470ED: AMAUTHID#: AMEVENTID#8568: advanced session assurance = availFontSet_availableFonts
Sep 29 18:03:05 lsb httpd[30697]: [info] AM#504600000 AMDEVICEID#ag-95F88CA3CFF470ED: AMAUTHID#: AMEVENTID#8568: advanced session assurance = webglData
Sep 29 18:03:05 lsb httpd[30697]: [info] AM#504600000 AMDEVICEID#ag-95F88CA3CFF470ED: AMAUTHID#: AMEVENTID#8568: session assurance policy configured successfully
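The following is an added example, not part of the product documentation or its tooling. It rebuilds the session assurance policy that an Access Gateway logged at the debug level, so the attributes actually enforced can be compared with the ones you expect. The function names are hypothetical, and the sample is a subset of the lines shown above.

```python
import re

# Subset of the Access Gateway debug lines shown on this page, rebuilt from their common prefix.
PREFIX = ("Sep 29 18:03:05 lsb httpd[30697]: [info] AM#504600000 "
          "AMDEVICEID#ag-95F88CA3CFF470ED: AMAUTHID#: AMEVENTID#8568: ")
MESSAGES = [
    "configuring session assurance policy",
    "session assurance is enabled",
    "trigger time =1",
    "list of attributes enabled for session assurance...",
    "server side finger print=clientip",
    "advanced session assurance = colorDepth",
    "advanced session assurance = deviceLanguage_deviceLanguageSet",
    "server side finger print=user-agent",
    "session assurance policy configured successfully",
]
SAMPLE = "\n".join(PREFIX + m for m in MESSAGES)
LINE_RE = re.compile(r"AMDEVICEID#(?P<device>[^:]+): AMAUTHID#\S*: AMEVENTID#(?P<event>\d+): (?P<msg>.*)$")

def parse_policies(log_text):
    """Return {(device_id, event_id): policy} for every configuration run found in the log."""
    policies = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        key, msg = (m["device"], m["event"]), m["msg"].strip()
        if msg == "configuring session assurance policy":
            policies[key] = {"enabled": False, "trigger_time": None,
                             "server_side": [], "advanced": [], "complete": False}
        policy = policies.get(key)
        if policy is None:  # line belongs to no configuration run seen so far
            continue
        name, _, value = (part.strip() for part in msg.partition("="))
        if msg == "session assurance is enabled":
            policy["enabled"] = True
        elif name == "trigger time":
            policy["trigger_time"] = int(value) if value.isdigit() else None
        elif name == "server side finger print":
            policy["server_side"].append(value)
        elif name == "advanced session assurance":
            policy["advanced"].append(value)
        elif msg == "session assurance policy configured successfully":
            policy["complete"] = True
    return policies

def unenforced(policy, expected):
    """Attributes the operator expects to be checked but the logged policy does not list."""
    return sorted(set(expected) - set(policy["server_side"]) - set(policy["advanced"]))
```

A policy whose complete flag is still False means the log ended before the "configured successfully" line, so its attribute list may be partial.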