7.1 How Logging Services Help

A Tomcat server instance uses logging services to communicate its status and respond to specific events, including server startup and shutdown information, failures of one or more subsystems, errors, warning messages, access information on HTTP requests, and additional information. For example, you can use Tomcat’s logging services to report error conditions or listen for log messages from a specific subsystem.

All administrative and end-user actions and events are logged to the server console and to the Tomcat server's log file. This allows easy access to this information for security and operational purposes. Additionally, the audit log system provides the ability to monitor ongoing activities such as authentication activity, uptime of the system, and so on. File logging is enabled by default.

The identity applications features are implemented in a layered architecture. Each feature uses one or more packages. Each package handles a specific area of a feature and has its own independent log level, and it collects event messages from different parts of the application. The logs contain information about processing and interactions among identity applications components that occur while user and administrative requests are satisfied and during general system processing. By enabling the correct log levels for the various packages, an administrator can monitor how the identity applications process user and administrative requests. The package names are based on log4j conventions. Each event message includes the package name, indicating the context in which the message was produced. The logs also include tags and values that allow the administrator to identify and correlate which package log entries pertain to a given transaction and user. Table 7-1 describes some of the features and the packages they use.

Table 7-1 Identity Manager User Application Packages

Feature: Roles

Description: Roles are permanently stored in the Identity Vault. For fast access to roles information, Identity Manager stores roles in a local cache called the permission index. When a role is requested, the User Application queries the permission index for that role. When a role is modified through the User Application driver, the change is reflected in the permission index. For more information about roles, see Understanding Role Assignments.

Packages:
  • com.novell.idm.nrf.service
  • com.novell.idm.nrf.persist
  • com.novell.srvprv.impl.vdata.model
  • com.netiq.idm.rest.catalog

Notes: For troubleshooting any issues when a role is assigned, revoked, or expired, monitor the Roles and Resource driver log.

com.novell.srvprv.impl.vdata.model is a verbose package when set to the Debug log level. It generates messages for each object class and attribute present in Virtual Data Access (DAL). For example, it shows all DAL lookups. This can result in a large amount of logs. To limit the number of messages, you can set the log level to Warn. For more information about the messages generated by com.novell.srvprv.impl.vdata.model, see Virtual Data Access Logging.

For troubleshooting issues related to managing roles, see When a Role Is Requested.

Feature: Resources

Description: Resources are permanently stored in the Identity Vault. For fast access to resources information, Identity Manager stores resources in a local cache called the permission index. When a resource is requested, the User Application queries the permission index for that resource. When a resource is modified, the permission index is updated to reflect the change. For more information about resources, see Section 12.6, Understanding Resource Assignments.

Packages:
  • com.novell.idm.nrf.service
  • com.novell.idm.nrf.persist
  • com.novell.srvprv.impl.vdata.model

Notes: For troubleshooting any issues when a resource is assigned or revoked, monitor the Roles and Resource driver log.

Feature: Code Map Refresh

Description: The code map is a local cache used by the User Application to store entitlement values for all connected systems from the Identity Vault. The User Application queries the Identity Vault for the drivers that are in the running state and have entitlements. The User Application updates the User Application database at configurable intervals with entitlement changes.

Packages:
  • com.novell.idm.nrf.service
  • com.novell.idm.nrf.persist
  • com.novell.srvprv.impl.vdata.model

Notes: For troubleshooting any connected system issue, enable DSTrace on the driver.

For viewing sample log messages related to code map refresh, see When a Code Map Refresh Is Triggered.

Feature: Proxy

Description: Enables you to manage the proxy configuration. Identity Manager stores proxy definitions in the ProxyDefs container in the User Application driver. For more information about configuring proxy, see Section 16.2.1, Configuring Delegation and Proxy Settings.

Packages:
  • com.novell.srvprv.impl.security.service
  • com.netiq.idm.rest.access
  • com.novell.soa.af.impl.persist
  • com.novell.srvprv.apwa.actions

Notes: When a user is designated as a proxy, check the audit events for any suspicious activity.

Feature: Delegation

Description: Enables you to manage the delegation configuration based on a user's availability. A delegate is another user to whom you can temporarily grant permission to view and resolve your workflow work items. A delegate can view the delegator's tasks in the task page and act on them. Identity Manager stores delegate definitions in the DelegateeDefs container in the User Application driver. For more information about configuring delegation, see Section 16.2.1, Configuring Delegation and Proxy Settings.

Packages:
  • com.novell.srvprv.impl.security.service
  • com.novell.srvprv.apwa.actions

Notes: When a user is made a delegate for another user, check the audit events for any suspicious activity that can occur through delegation.

Feature: Outgoing e-mails

Description: E-mail notifications inform Identity Manager users of tasks and events in the system. For example, Identity Manager can send an e-mail to approvers when an event or task requires an approval. For more information, see Working with Email Templates.

Packages:
  • com.novell.soa.notification.impl

Notes: For troubleshooting e-mail approval issues, see Troubleshooting E-Mail Based Approval Issues.

For viewing sample log messages related to e-mail notifications, see Virtual Data Access Logging.

Feature: Database connectivity/updates

Description: Any schema changes made in the User Application are applied to the database when the User Application server is started and the com.netiq.idm.create-db-on-startup flag is set to true in the ism-configuration properties file.

When this flag is set, the existing schema is compared with the target schema and the database schema is then updated.

To update the database with any application configuration changes, you must set the com.netiq.idm.rbpm.updateConfig-On-StartUp flag to true in the ism-configuration properties file.

Packages:
  • com.novell.soa.persist

Feature: Configuration Item (Landing page)

Description: Allows you to manage application items on the landing page. You can quickly navigate to internal and external pages of the application. For more information, see Configuring Identity Manager Home Items in the NetIQ Identity Manager Home and Provisioning Dashboard User Guide.

Packages:
  • com.netiq.idm.icfg

Feature: Client Settings

Description: Allows you to manage client settings to control the behavior of the application. You can also modify the access rights and branding of the application for different sets of users. For more information, see Section 8.0, Customizing the Identity Applications for Your Enterprise.

Packages:
  • com.netiq.idm.rest.access
  • com.netiq.idm.settings

Feature: Workflow Tasks

Description: A task can be controlled by a workflow process. A workflow process can include one or more steps that must be performed before Identity Manager can complete a task that is under workflow control. A job is a runtime instance of a workflow process.

The Workflow Engine is responsible for managing and executing steps in a workflow and for keeping track of state information, which is persisted in a database. For more information, see Section V, Configuring and Managing Provisioning Workflows.

Packages:
  • com.novell.soa.af.impl.core
  • com.novell.soa.af.impl.activity
  • com.netiq.idm.rest.access

Feature: Separation of Duties

Description: Allows you to prevent users from being assigned to conflicting roles unless someone in your organization makes an exception for the conflict. To eliminate conflicts in role assignments, you perform certain management tasks, such as modifying the role definition and setting up a proper approval process. For more information, see Understanding Role Assignments.

Packages:
  • com.novell.idm.nrf.service
  • com.novell.idm.nrf.persist
  • com.novell.srvprv.impl.vdata.model

Feature: My Permission

Description: A user can view a list of the role and resource permissions assigned to him or to other users. For more information, see Viewing Your Permissions in the NetIQ Identity Manager Home and Provisioning Dashboard User Guide.

Packages:
  • com.netiq.idm.rest.access
  • com.netiq.idm.rest.access.util

Feature: History

Description: A user can review the status and history of the permission requests (role, resource, PRD) for himself or for other users. For more information, see Viewing Your History in the NetIQ Identity Manager Home and Provisioning Dashboard User Guide.

Packages:
  • com.netiq.idm.rest.access
  • com.novell.idm.nrf.persist
  • com.netiq.idm.rest.access.util

Feature: Teams

Description: You can perform team management tasks such as creating, modifying, and deleting a team, based on your access privileges. Identity Manager stores the team configuration in the TeamDefs container in the User Application driver. For more information about configuring teams, see Section 16.3, Team Configuration.

Packages:
  • com.netiq.idm.rest.access
  • com.novell.idm.security.authorization.ldap
  • com.novell.srvprv.spi.vdata.model
  • com.netiq.idm.rest.access.util
  • com.novell.idm.security.authorization.service

Feature: Group

Description: Allows you to manage groups. For example, you can create, modify, and delete a group, based on your access privileges. For more information, see Managing Users and Groups in the NetIQ Identity Manager - User's Guide to the Identity Applications.

Packages:
  • com.netiq.idm.rest.catalog
  • com.novell.srvprv.spi.vdata.model

Feature: Organization Chart

Description: The Organization Chart page shows the hierarchy of users in your organization. A user can view the organization chart and quick information about the users, based on the access rights set by the administrator. For more information, see Viewing Other Users in Your Organization in the NetIQ Identity Manager - User's Guide to the Identity Applications.

Packages:
  • com.netiq.idm.rest.access
  • com.novell.srvprv.impl.portlet.orgchart
  • com.novell.srvprv.impl.servlet.service
  • com.novell.soa.portlet
  • com.netiq.idm.rest.access.util

Feature: User Catalog

Description: You can create, modify, and delete users. A new user is created under the base container configured for users. Based on the access control list rights, the user information can be edited.

The user attributes can be configured for viewing, editing, and searching by using the client settings. For more information, see Managing Users and Groups in the NetIQ Identity Manager - User's Guide to the Identity Applications.

Packages:
  • com.netiq.idm.rest.access
  • com.netiq.idm.infosrv
  • com.novell.srvprv.impl.vdata.model
  • com.netiq.idm.settings
  • com.novell.idm.nrf.service
  • com.novell.idm.security.authorization.service
  • com.novell.idm.nrf.persist
  • com.novell.idm.security.authorization.ldap
  • com.netiq.idm.rest.access.util

Feature: Make a request

Description: A user can request a permission for himself or for another user. The Request page fetches the permission directly from the permission index. The requested permission is either assigned directly or assigned through an approval process. For more information, see Requesting Permissions in the NetIQ Identity Manager Home and Provisioning Dashboard User Guide.

Packages:
  • com.netiq.idm.rest.access
  • com.netiq.idm.infosrv
  • com.novell.srvprv.spi.vdata.model
  • com.novell.idm.nrf.ajaxservice
  • com.novell.idm.nrf.service
  • com.novell.idm.nrf.persist
  • com.novell.idm.security.authorization
  • com.novell.soa.af.impl.core
  • com.novell.soa.af
  • com.novell.idm.nrf.assignment

Feature: Permission Index

Description: Roles, resources, and PRDs are permanently stored in the Identity Vault. For fast access, Identity Manager stores this information on the User Application server in a set of cache files called the Permission Index. When you install the identity applications, the process creates a permission index for the application server hosting the identity applications. For more information, see Preparing Your Environment for the Identity Applications in the NetIQ Identity Manager Setup Guide.

When a request is issued, the identity applications query the permission index for the requested information.

Packages:
  • com.netiq.idm.cis
  • com.netiq.cis.permindex
  • com.netiq.idm.cis.permfilter
  • com.sssw.fw.core
  • com.netiq.uaconfig

Notes: Only applicable to the NetIQ Identity Manager Dashboard and the new Dashboard.

Feature: Directory Abstraction Layer

Description: The directory abstraction layer provides virtual access to the Identity Vault data. You define a set of entities and their related attributes (virtual data) based on the Identity Vault objects that you want users to view, modify, or delete in the User Application.

For more information, see Preparing Your Environment for the Identity Applications in the NetIQ Identity Manager Setup Guide.

Packages:
  • com.novell.srvprv.impl.vdata.model

Notes: For viewing sample log messages related to Virtual Data Access, see Virtual Data Access Logging.

The logs generated by the packages are primarily intended for debugging the software, although they can also be used to detect other software that is not behaving properly. System administrators and support personnel can identify and isolate problems caused by configuration errors, invalid user data, or network problems such as broken connections. Component file logging is typically the first step in identifying software bugs.

Package logging is more verbose than audit logging and increases the processing load. On a day-to-day basis, it is recommended that you enable only the log levels for error conditions and system warnings. If a specific problem occurs, logging can be set to Info or Debug to gather the extra information needed to isolate and resolve the detected problem. When the problem is resolved, logging should be reconfigured to log only error conditions and system warnings.
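As an added example that is not part of this guide, the following log4j2-style XML logger configuration applies the guidance above while a role assignment problem is being investigated: the root logger stays at WARN for day-to-day use, the Roles packages from Table 7-1 are raised to DEBUG, and com.novell.srvprv.impl.vdata.model is capped at WARN so that DAL lookups do not flood the log. The appender name, log file path and the log4j2 syntax itself are assumptions; the identity applications' actual logging configuration file and log4j version are not stated on this page.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example in log4j2 XML syntax. The appender name and file path are
     assumptions; the logger names are the package names listed in Table 7-1. -->
<Configuration status="WARN">
  <Appenders>
    <!-- Assumed file destination; adjust to the server's log directory. -->
    <File name="IdmAppLog" fileName="/var/log/idm/identity-applications.log">
      <!-- %logger prints the package name, so each line carries its context. -->
      <PatternLayout pattern="%d{ISO8601} [%t] %-5level %logger{36} - %msg%n"/>
    </File>
  </Appenders>

  <Loggers>
    <!-- Troubleshooting a role assignment: raise the Roles packages to DEBUG. -->
    <Logger name="com.novell.idm.nrf.service" level="DEBUG" additivity="false">
      <AppenderRef ref="IdmAppLog"/>
    </Logger>
    <Logger name="com.novell.idm.nrf.persist" level="DEBUG" additivity="false">
      <AppenderRef ref="IdmAppLog"/>
    </Logger>
    <Logger name="com.netiq.idm.rest.catalog" level="DEBUG" additivity="false">
      <AppenderRef ref="IdmAppLog"/>
    </Logger>

    <!-- Verbose DAL package: keep it at WARN even while debugging, as Table 7-1
         advises, so per-object-class and per-attribute messages are suppressed. -->
    <Logger name="com.novell.srvprv.impl.vdata.model" level="WARN" additivity="false">
      <AppenderRef ref="IdmAppLog"/>
    </Logger>

    <!-- Day-to-day baseline: errors and warnings only. Revert the DEBUG loggers
         above to this level once the problem is resolved. -->
    <Root level="WARN">
      <AppenderRef ref="IdmAppLog"/>
    </Root>
  </Loggers>
</Configuration>
```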