8.1 How Logging Services Help

A Tomcat server instance uses logging services to communicate its status and respond to specific events, including server startup and shutdown information, failures of one or more subsystems, errors, warning messages, access information on HTTP requests, and additional information. For example, you can use Tomcat’s logging services to report error conditions or listen for log messages from a specific subsystem.

All administrative and end-user actions and events are logged to the server console and to the Tomcat server’s log file. This allows easy access to this information for security and operational purposes. Additionally, the audit log system provides the ability to monitor ongoing activities such as authentication activity, uptime of the system, and so on. File logging is enabled by default.

The identity applications features are implemented in a layered architecture. Each feature uses one or more packages. Each package handles a specific area of a feature and has its own independent log level, which controls the event messages it emits from different parts of the application. The logs contain information about processing and interactions among identity applications components that occur while satisfying user and administrative requests and during general system processing. By enabling the correct log levels for the various packages, an administrator can monitor how the identity applications process user and administrative requests. The package names are based on log4j conventions. The event messages include these package names, indicating the context of the message output. The logs include tags and values that allow the administrator to identify and correlate which package log entries pertain to a given transaction and user. Table 8-1 describes some of the features and the packages they use.

Table 8-1 Identity Applications Packages

Feature: Roles

Description: Roles are permanently stored in the Identity Vault. For fast access to roles information, Identity Manager stores roles in a local cache called the permission index. When a role is requested, the identity applications queries the permission index for that role. When a role is modified through the User Application driver, the change is reflected in the permission index. For more information about roles, see Understanding Roles.

Packages:

  • com.novell.idm.nrf.service
  • com.novell.idm.nrf.persist
  • com.novell.srvprv.impl.vdata.model
  • com.netiq.idm.rest.catalog

Notes: For troubleshooting any issues when a role is assigned, revoked, or expired, monitor the Roles and Resource driver log.

com.novell.srvprv.impl.vdata.model is a verbose package when set to the Debug log level. It generates messages for each object class and attribute present in Virtual Data Access (DAL). For example, it shows all DAL lookups. This can result in a large volume of logs. To limit the number of messages, you can set the log level to Warn. For more information about the messages generated by com.novell.srvprv.impl.vdata.model, see Virtual Data Access Logging.

For troubleshooting issues related to managing roles, see When a Role Is Requested.

Feature: Resources

Description: Resources are permanently stored in the Identity Vault. For fast access to resources information, Identity Manager stores resources in a local cache called the permission index. When a resource is requested, the identity applications queries the permission index for that resource. When a resource is modified, the change is reflected in the permission index. For more information about resources, see Understanding Resources.

Packages:

  • com.novell.idm.nrf.service
  • com.novell.idm.nrf.persist
  • com.novell.srvprv.impl.vdata.model

Notes: For troubleshooting any issues when a resource is assigned or revoked, monitor the Roles and Resource driver log.

Feature: Code Map Refresh

Description: Code map is a local cache used by the identity applications to store entitlement values for all connected systems from the Identity Vault. The identity applications queries the Identity Vault for the drivers that are in the running state and have entitlements. The identity applications updates the identity applications database at configurable intervals with entitlement changes. For more information about code map refresh, see Configuring Default Resource Settings.

Packages:

  • com.novell.idm.nrf.service
  • com.novell.idm.nrf.persist
  • com.novell.srvprv.impl.vdata.model

Notes: For troubleshooting any connected system issue, enable DSTrace on the driver.

For viewing sample log messages related to code map refresh, see When a Code Map Refresh Is Triggered.

Feature: Proxy

Description: Enables you to manage proxy configuration. Identity Manager stores proxy definitions in the ProxyDefs container in the User Application driver. For more information about configuring proxy, see Acting on Behalf of Someone Else in the NetIQ Identity Manager - User’s Guide to the Identity Applications.

Packages:

  • com.novell.srvprv.impl.security.service
  • com.netiq.idm.rest.access
  • com.novell.soa.af.impl.persist
  • com.novell.srvprv.apwa.actions

Notes: When a user is designated as a proxy, check the audit events for any suspicious activity.

Feature: Delegation

Description: Enables you to manage delegation configuration based on a user’s availability. A delegate is another user to whom you can temporarily grant permission to view and resolve your workflow work items. A delegate can view the delegator’s tasks in the task page and act on them. Identity Manager stores delegate definitions in the DelegateeDefs container in the User Application driver. For more information about configuring delegation, see Section 17.0, Creating and Managing Delegations.

Packages:

  • com.novell.srvprv.impl.security.service
  • com.novell.srvprv.apwa.actions

Notes: When a user is made a delegate for another user, check the audit events for any suspicious activity that can occur through delegation.

Feature: Email-based Approvals

Description: E-mail notifications inform Identity Manager users of tasks and events in the system. For example, Identity Manager can send an e-mail to approvers when an event or task requires an approval. For more information, see Understanding Email-based Approval.

Packages:

  • com.novell.soa.notification.impl

Notes: For troubleshooting e-mail approval issues, see Troubleshooting E-Mail Based Approval Issues.

For viewing sample log messages related to e-mail notifications, see Virtual Data Access Logging.

Feature: Database connectivity/updates

Description: Any schema changes made in the identity applications are updated in the database when the identity applications server is started and the com.netiq.idm.create-db-on-startup flag is set to true in the ism-configuration.properties file.

When this flag is set, the database compares the existing schema with the target schema and then updates the database schema.

To update the database with any application configuration changes, you must set the com.netiq.idm.rbpm.updateConfig-On-StartUp flag to true in the ism-configuration.properties file.

Packages:

  • com.novell.soa.persist

Feature: Manage Featured Items (Landing page)

Description: Allows you to manage application items on the landing page. You can quickly navigate to internal and external pages of the application. For more information, see Exploring the Dashboard in the NetIQ Identity Manager - User’s Guide to the Identity Applications.

Packages:

  • com.netiq.idm.icfg

Feature: Client Settings

Description: Allows you to manage client settings to control the behavior of the application. You can also modify the access rights and branding of the application for different sets of users. For more information, see Changing Identity Applications Client Settings.

Packages:

  • com.netiq.idm.rest.access
  • com.netiq.idm.settings

Feature: Workflow Tasks

Description: A task can be controlled by a workflow process. A workflow process can include one or more steps that must be performed before Identity Manager can complete a task that is under workflow control. A job is a runtime instance of a workflow process.

The Workflow Engine is responsible for managing and executing steps in a workflow and for keeping track of state information, which is persisted in a database. For more information, see Section IV, Configuring and Managing Provisioning Workflows.

Packages:

  • com.novell.soa.af.impl.core
  • com.novell.soa.af.impl.activity
  • com.netiq.idm.rest.access

Feature: Separation of Duties

Description: Allows you to prevent users from being assigned to conflicting roles unless someone in your organization makes an exception for the conflict. To eliminate conflicts in role assignments, you perform certain management tasks, such as modifying role definitions and setting up a proper approval process. For more information, see Section 18.0, Separation of Duties Constraints.

Packages:

  • com.novell.idm.nrf.service
  • com.novell.idm.nrf.persist
  • com.novell.srvprv.impl.vdata.model

Feature: My Permission

Description: A user can view a list of role and resource permissions assigned to them or to other users. For more information, see Viewing Your Permissions in the NetIQ Identity Manager - User’s Guide to the Identity Applications.

Packages:

  • com.netiq.idm.rest.access
  • com.netiq.idm.rest.access.util

Feature: History

Description: A user can review the status and history of the permission requests (role, resource, PRD) for themselves or for other users. For more information, see Viewing Requests in the NetIQ Identity Manager - User’s Guide to the Identity Applications.

Packages:

  • com.netiq.idm.rest.access
  • com.novell.idm.nrf.persist
  • com.netiq.idm.rest.access.util

Feature: Teams

Description: You can perform team management tasks such as creating, modifying, and deleting a team based on access privileges. Identity Manager stores team configuration in the TeamDefs container in the User Application driver. For more information about configuring Teams, see Managing Users in the NetIQ Identity Manager - User’s Guide to the Identity Applications.

Packages:

  • com.netiq.idm.rest.access
  • com.novell.idm.security.authorization.ldap
  • com.novell.srvprv.spi.vdata.model
  • com.netiq.idm.rest.access.util
  • com.novell.idm.security.authorization.service

Feature: Group

Description: Allows you to manage groups. For example, you can create, modify, and delete a group based on access privileges. For more information, see Managing Users, Groups, and Teams in the NetIQ Identity Manager - User’s Guide to the Identity Applications.

Packages:

  • com.netiq.idm.rest.catalog
  • com.novell.srvprv.spi.vdata.model

Feature: User Catalog

Description: You can create, modify, and delete users. A new user is created under the base container configured for the user. Based on the access control list rights, the user information can be edited.

The user attributes can be configured to view, edit, and search by using the client settings. For more information, see Managing Users in the NetIQ Identity Manager - User’s Guide to the Identity Applications.

Packages:

  • com.netiq.idm.rest.access
  • com.netiq.idm.infosrv
  • com.novell.srvprv.impl.vdata.model
  • com.netiq.idm.settings
  • com.novell.idm.nrf.service
  • com.novell.idm.security.authorization.service
  • com.novell.idm.nrf.persist
  • com.novell.idm.security.authorization.ldap
  • com.netiq.idm.rest.access.util

Feature: Make a request

Description: A user can request a permission for themselves or for another user. The Request page directly fetches the permission from the Permission index. The requested permission is assigned directly or through an approval process. For more information, see Requesting Permissions in the NetIQ Identity Manager - User’s Guide to the Identity Applications.

Packages:

  • com.netiq.idm.rest.access
  • com.netiq.idm.infosrv
  • com.novell.srvprv.spi.vdata.model
  • com.novell.idm.nrf.ajaxservice
  • com.novell.idm.nrf.service
  • com.novell.idm.nrf.persist
  • com.novell.idm.security.authorization
  • com.novell.soa.af.impl.core
  • com.novell.soa.af
  • com.novell.idm.nrf.assignment

Feature: Permission Index

Description: Roles, resources, and PRDs are permanently stored in the Identity Vault. For fast access, Identity Manager stores this information on the identity applications server in a set of cache files called the Permission Index. When you install the identity applications, the process creates a permission index for the application server hosting the identity applications.

When a request is issued, the identity applications query the permission index for the requested information.

Packages:

  • com.netiq.idm.cis
  • com.netiq.cis.permindex
  • com.netiq.idm.cis.permfilter
  • com.sssw.fw.core
  • com.netiq.uaconfig

Notes: Only applicable to NetIQ Identity Manager Dashboard and the new Dashboard.

Feature: Directory Abstraction Layer

Description: The directory abstraction layer provides virtual access to the Identity Vault data. You define a set of entities and their related attributes (virtual data) based on the Identity Vault objects that you want users to view, modify, or delete in the identity applications. For more information, see Using the Directory Search in the User Application in the NetIQ Identity Manager - User’s Guide to the Identity Applications.

Packages:

  • com.novell.srvprv.impl.vdata.model

Notes: For viewing sample log messages related to Virtual Data Access, see Virtual Data Access Logging.

Feature: Configuration

Description: The Configuration tab on the Identity Manager Dashboard allows you to change the Identity Applications settings. Using this tab you can set the logging, caching, and clustering settings. You can also use this tab to assign administrators in Identity Applications. For more information, see Section 20.0, Configuring Identity Applications Default Settings.

Packages:

  • com.netiq.idm.rest.admin
  • com.novell.soa.af
  • com.novell.soa.af.impl.core
  • com.netiq.idm.settings.display
  • com.netiq.logging
  • com.sssw.fw.cachemgr.api
  • com.novell.idm.nrf.api

The logs generated by the packages are primarily intended for debugging the software, although they can also be used to detect other software that is not behaving properly. System administrators and support personnel can identify and isolate problems caused by configuration errors, invalid user data, or network problems such as broken connections. Component file logging is also typically the first step in identifying software bugs.

Package logging is more verbose than audit logging and increases the processing load. On a day-to-day basis, it is recommended that you enable only the log levels for error conditions and system warnings. If a specific problem occurs, logging can be set to Info or Debug to gather the extra information needed to isolate and resolve the detected problem. When the problem is resolved, logging should be reconfigured to log only error conditions and system warnings.
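As an added illustration (not a logging file shipped with Identity Manager), the two states described above written as log4j2-style logger declarations: the day-to-day baseline keeps every package at Warn, and the troubleshooting variant raises only the role packages from Table 8-1 to Debug while pinning the verbose com.novell.srvprv.impl.vdata.model package at Warn. The appender name, the file location and whether your installed configuration uses log4j 1.x or log4j 2 syntax are assumptions to check against your own deployment.

```xml
<!-- Added illustration in log4j2 XML syntax; not the product's shipped logging file.
     File location and log4j version are assumptions: check your installed configuration. -->
<Configuration>
  <Appenders>
    <!-- Constructed appender; the appender names in an Identity Manager install may differ -->
    <Console name="STDOUT">
      <PatternLayout pattern="%d %-5p [%c] %m%n"/>
    </Console>
  </Appenders>
  <Loggers>
    <!-- Day-to-day baseline: only error conditions and system warnings from every package -->
    <Root level="WARN">
      <AppenderRef ref="STDOUT"/>
    </Root>

    <!-- Troubleshooting a role assignment (Roles row of Table 8-1): raise only the role
         service and persistence packages to DEBUG. Remove these two lines again once the
         problem is resolved, so the server returns to the WARN baseline. -->
    <Logger name="com.novell.idm.nrf.service" level="DEBUG"/>
    <Logger name="com.novell.idm.nrf.persist" level="DEBUG"/>

    <!-- Keep the verbose DAL package at WARN even while debugging roles: at DEBUG it emits a
         message for every object class, attribute and DAL lookup. -->
    <Logger name="com.novell.srvprv.impl.vdata.model" level="WARN"/>
  </Loggers>
</Configuration>
```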