6.1 Global Troubleshooting Options

The following options allow you to view the status of multiple devices and identify the devices that are not healthy.

6.1.1 Checking for Potential Configuration Problems

If your Access Manager components are not behaving in the way you have configured them to run, you might want to check the system to see if any of the components have configuration or network problems.

  1. In the Administration Console, click Auditing > Troubleshooting > Configuration.

  2. All of the options should be empty, except the Cached Access Gateway Configurations option (see Step 4) and the Current Access Gateway Configurations option (see Step 5). If an option contains an entry, you need to clear it. Select the appropriate action from the following table:

    Option

    Description and Action

    Device Pending with No Commands

    If you have a device that remains in the pending state, even when all commands have successfully executed, that device appears in this list. Before deleting the device from this list, check its Command Status. If the device has any commands listed, select the commands, then delete them. Wait a few minutes. If the device remains in a pending state, return to this troubleshooting page. Find the device in the list, then click Remove. The Administration Console clears the pending state.

    Other Known Device Manager Servers

    If a secondary Administration Console is in a non-reporting state, perhaps caused by hardware failure, its configuration needs to be removed from the primary Administration Console. As long as it is part of the configuration, other Access Manager devices try to contact it. If you cannot remove it by running the uninstall script on the secondary Administration Console, you can remove it by using this troubleshooting page. Click the Remove button next to the console that is in the non-reporting state. All references to the secondary Administration Console are removed from the configuration database.

    Access Gateways with Corrupt Protected Resource Data

    If you modify the configuration for a protected resource, update the Access Gateway with the changes, then review the configuration for the protected resource and the changes have not been applied, the configuration for the protected resource is corrupted. Click the Repair button next to the protected resource that has a corrupted configuration. You should then be able to modify its configuration, and when you update the Access Gateway, the changes should be applied and saved.

    Access Gateways with Duplicate Protected Resource Data

    After an upgrade, if you get errors related to invalid content for policy enforcement lists, you need to correct them. The invalid elements that do not have an associated resource data element are listed in this section. Click the Repair button to remove them.

    Access Gateways with Protected Resources Referencing Nonexistent Policies

    Protected resources have problems when policies are deleted before their references to the protected resources are removed. If you have protected resources in this condition, they are listed in this section. Click the Repair button to remove these references. Then verify that your protected resources have the correct policies enabled. Click Access Gateways > Edit > [Name of Reverse Proxy] > [Name of Proxy Service] > Protected Resources, then change to the Policy View.

    Access Gateways with Invalid Alert Profile References

    You can create XML validation errors on your Access Gateway Appliance if you start to create an alert profile (click Access Gateways > Edit > Alerts > New), but you do not finish the process. The incomplete alert profile does not appear in the configuration for the Access Gateway, so you cannot delete it. If such a profile exists, it appears in the Access Gateways with Invalid Alert Profile References list. Click the Remove button by the invalid profile. You should then be able to modify its configuration, and when you update the Access Gateway, the changes should be applied and saved.

    Devices with Corrupt Data Store Entries

    If an empty value is written to an XML attribute, the device with this invalid configuration appears in this list.

    Click the Repair button to rewrite the invalid attribute values.

  3. When you have finished repairing or deleting invalid Access Gateway configurations, click the Access Gateways link, then click Update > OK.

  4. (Optional) Verify that all members of an Access Gateway cluster have the same configuration in cache:

    1. Click Auditing > Troubleshooting > Configuration.

    2. Scroll to the Cached Access Gateway Configuration option.

    3. Click View next to the cluster configuration or next to an individual Access Gateway.

      This option allows you to view the Access Gateway configuration that is currently residing in browser cache. If the Access Gateway belongs to a cluster, you can view the cached configuration for the cluster as well as the cached configuration for each member. The + and - buttons allow you to expand and collapse individual configurations. The configuration is displayed in XML format.

      To search for particular configuration parameters, you need to copy and paste the text into a text editor.

  5. (Conditional) After viewing the Access Gateway configuration (see Step 4) and discovering that an Access Gateway does not have the current configuration, select the Access Gateway in the Current Access Gateway Configurations section, then click Re-push Current Configuration.
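As an added example (not from the Access Manager documentation), the following Python script performs offline the two comparisons that Steps 2, 4 and 5 describe, on cached configuration XML copied from the console into files: it reports cluster members whose cached configuration differs from the cluster configuration, and it lists XML attributes that were written with an empty value. The element and attribute names in the sample data are constructed for illustration and are not the product's schema.

```python
# Added example: checks over cached Access Gateway configuration XML copied
# from Auditing > Troubleshooting > Configuration > Cached Access Gateway
# Configurations > View. Element/attribute names in the samples below are
# constructed, not the product's real configuration schema.
import xml.etree.ElementTree as ET


def canonical(elem):
    """Tuple form of an element tree with attributes sorted, so attribute
    order and surrounding whitespace do not count as drift. Child order is
    kept, because resource order can matter for policy evaluation."""
    attrs = tuple(sorted(elem.attrib.items()))
    text = (elem.text or "").strip()
    return (elem.tag, attrs, text, tuple(canonical(c) for c in elem))


def empty_attributes(xml_text):
    """Return (element tag, attribute name) pairs whose value is empty,
    the condition listed under Devices with Corrupt Data Store Entries."""
    return [(elem.tag, name)
            for elem in ET.fromstring(xml_text).iter()
            for name, value in elem.attrib.items()
            if value.strip() == ""]


def config_drift(cluster_xml, members):
    """Return the member names (keys of `members`, name -> XML text) whose
    cached configuration does not match the cluster configuration; these
    are the candidates for Re-push Current Configuration."""
    reference = canonical(ET.fromstring(cluster_xml))
    return sorted(name for name, xml_text in members.items()
                  if canonical(ET.fromstring(xml_text)) != reference)


# Constructed sample data standing in for three pasted configurations.
CLUSTER_XML = """<AccessGateway>
  <ReverseProxy name="intranet" listen="443">
    <ProxyService name="finance" webServer="10.0.0.5"/>
    <ProxyService name="hr" webServer="10.0.0.6"/>
  </ReverseProxy>
</AccessGateway>"""
# ag1 matches the cluster; only attribute order and spacing differ.
MEMBER_AG1 = """<AccessGateway><ReverseProxy listen="443" name="intranet">
<ProxyService webServer="10.0.0.5" name="finance"/>
<ProxyService webServer="10.0.0.6" name="hr"/>
</ReverseProxy></AccessGateway>"""
# ag2 still points "hr" at an old web server and carries an empty name.
MEMBER_AG2 = """<AccessGateway>
  <ReverseProxy name="intranet" listen="443">
    <ProxyService name="finance" webServer="10.0.0.5"/>
    <ProxyService name="hr" webServer="10.0.0.7"/>
    <ProxyService name="" webServer="10.0.0.8"/>
  </ReverseProxy>
</AccessGateway>"""
```

Running `config_drift(CLUSTER_XML, {"ag1": MEMBER_AG1, "ag2": MEMBER_AG2})` names only ag2, and `empty_attributes(MEMBER_AG2)` points at the ProxyService element whose name attribute is empty.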

6.1.2 Checking for Version Conflicts

The Version page displays all the installed components along with their currently running version. Use this page to verify that you have updated all components to the latest compatible versions. Ensuring that your Access Manager components are running compatible versions involves two checks:

  • All components of the same type should be running the same version. If you have components that display multiple versions, identify the components that need to be upgraded and upgrade them to the newer version.

  • All components need to be running versions that are compatible with each other. For the latest release, view the list in the “Novell Access Manager Readme”.

To view the current version of all Access Manager devices:

  1. In the Administration Console, click Auditing > Troubleshooting.

  2. Click Versions.

    A list of the devices with their version information is displayed. If a device also has an embedded service provider, the version of the Embedded Service Provider is also displayed.

6.1.3 Checking for Invalid Policies

The Policies page displays the policies that are in an unusable state because of configuration errors.

  1. In the Administration Console, click Auditing > Troubleshooting > Policies.

    If you have configured a policy without defining a valid rule for it, the policy appears in this list.

  2. Select the policy, then click Remove.

6.1.4 Viewing Device Health

You can monitor all of the devices hosted by a server and quickly isolate and correct server issues. The system displays a status (green, yellow, white, or red) for the server.

  1. In the Administration Console, click Auditing > Device Health.

    The Device Health page shows the health status by IP address of the server and lists all the devices installed on the server. The health of the least healthy device is used for the status of the server.

  2. To view more information about the health of each device, click the IP address of the machine.

Health information can also be viewed at the following locations:

  • Access Manager > Dashboard

    The Dashboard page shows the health status at the device level. The status displayed is the status of the least healthy device.

  • Devices > [Component] > Servers

    The Servers page for each component provides a health status for each device.

6.1.5 Viewing Health by Using the Hardware IP Address

The Hardware IP Address page allows you to view the devices and agents managed through the selected IP address. You can monitor all of the devices hosted by a server and quickly isolate and correct server issues. The system displays statuses (green, yellow, white, or red) for the Access Manager devices.

  1. In the Administration Console, click Access Manager > Auditing > Device Health.

  2. To view information about the health of each installed device, click an IP address.

  3. Select one of the following actions:

    • To return to the Device Health page, click Close.

    • To edit the details of a device, click the server name.

    • To view health details, click the Health icon.

    • To view the alerts, click the alerts link.

    • To view device statistics, click the statistics link.

    • To view or configure audit events for the device, click the Edit Events link.

6.1.6 Using the Dashboard

The Dashboard page is the starting point and central place to monitor and manage all product components and policies. The status of each device is available, with colored warnings or alert conditions.

  1. In the Administration Console, click Access Manager > Dashboard.

  2. Click a box to view a component or click the link to view the alerts:

For conventions that apply to all pages in the interface, see Section 1.2.4, Understanding Administration Console Conventions.

Identity Servers

The Identity Server is the central authentication and identity access point for all Access Manager devices. The Identity Server is responsible for authenticating users and distributing role information to facilitate authorization decisions. It also provides the Liberty Alliance Web Service Framework to distribute identity information.

An Identity Server always operates as an identity provider and can optionally be configured to run as an identity consumer (also known as a service provider), using either Liberty, SAML 1.1, or SAML 2.0 protocols. As an identity provider, the Identity Server is the central store for a user’s identity information and is the heart of the user’s identity federations or account linkage information. As an authentication authority, the identity provider is viewed by internal and external service providers as a trusted identity store.

In an Access Manager configuration, the Identity Server is responsible for managing the following:

  • Authentication: Verifies user identities through various forms of authentication, both local (user supplied) and indirect (supplied by external providers). The identity information can be some characteristic attribute of the user, such as a role, e-mail address, name, or job description.

  • Identity Stores: Stores user identities in eDirectory, Microsoft Active Directory, and Sun ONE Directory Server.

  • Identity Federation: Enables user identity federation and provides access to Liberty-enabled services.

  • Account Provisioning: Enables service provider account provisioning when federating, which automatically creates user accounts.

  • Custom Attribute Mapping: Allows you to define custom attributes by mapping Liberty Alliance keywords to LDAP-accessible data, in addition to the available Liberty Alliance Employee and Person profiles.

  • SAML Assertions: Processes and generates SAML assertions. Using SAML assertions in each Access Manager component protects confidential information by removing the need to pass user credentials between the components to handle session management.

  • Single Sign-on and Log-out: Enables users to log in only once to gain access to multiple applications and platforms. Single sign-on and single log-out are primary features of Access Manager and are achieved after the federation and trust model is configured among trusted providers and the components of Access Manager.

  • Embedded Service Providers: Provides authentication and identity services for the other Access Manager components. The Access Gateways, J2EE Agents, and the SSL VPN server include an Embedded Service Provider that sets up a trusted relationship with the Identity Server.

  • Roles: Provides RBAC (role-based access control) management. RBAC is used to provide a convenient way to assign a user to a particular job function or set of permissions within an enterprise, in order to control access. The Identity Server establishes the active set of roles for a user session each time the user is authenticated. Roles can be assigned to subsets of users based on constraints outlined in a role policy. The established role can then be used in authorization policies and J2EE permissions, to form the basis for granting and restricting access to particular Web resources.

  • Clustering: Adds capacity and failover management. An Identity Server can be a member of a cluster of Identity Servers that is configured to act as a single server.

Access Gateways

An Access Gateway provides secure access to HTTP-based Web servers by hiding the IP addresses and DNS names of the Web servers. It provides the typical security services (authorization, single sign-on, and data encryption) previously provided by Novell iChain, and is integrated with the new identity and policy services of Access Manager.

An Access Gateway works with the Identity Server to enable existing Web services for the Liberty and SAML protocols. It provides single sign-on to Web servers through Identity Injection policies that supply required user information and Form Fill policies that automatically fill in requested form information. If your Web servers have not been configured to enforce authentication and authorization, you can configure an Access Gateway to provide these services. Authentication contracts and authorization policies can be assigned so that they protect the entire Web server, a single page, or somewhere in between.

An Access Gateway can also be configured so that it caches requested pages. When the user meets the authentication and authorization requirements, the user is sent the page from cache rather than requesting it from the Web server.

An Access Gateway can be installed as a soft appliance (includes both the operating system and the Access Gateway software) and as a service (includes just the Access Gateway software).

SSL VPNs

You install and configure the SSL VPN components when you need to protect non-HTTP and Java applications. The SSL VPN component provides secure access to such applications as an e-mail server, an FTP client, or Telnet service. SSL VPN is a Linux-based service, which can be installed in one of two ways:

  • As a protected resource of an Access Gateway, which allows it to share session information with the Access Gateway.

  • With an Embedded Service Provider, which allows it to set up a trusted relationship with the Identity Server.

The requests are delivered in the form of a servlet. An ActiveX plug-in or Java applet is delivered to the client on successful authentication. Roles and policies determine authorization decisions for back-end applications. Client integrity checking is available to ensure the existence of approved firewall and virus scanning software, before the SSL VPN session is established.

J2EE Agents

You install and configure the J2EE Agent components when you need to protect applications running on J2EE servers. Access Manager provides JBoss, WebLogic, and IBM WebSphere server agents for Java 2 Enterprise Edition (J2EE) application servers. These agents allow J2EE applications to leverage the product’s authentication and authorization functionality without any code changes, as long as the applications rely on the J2EE application servers for authentication and authorization.

These agents leverage the Java Authentication and Authorization Service (JAAS) and Java Authorization Contract for Containers (JACC) standards for Access Manager-controlled authentication and authorization to Java Web applications and Enterprise JavaBeans. For more information about these Java authentication and authorization standards, see the JAAS Authentication Tutorial and the Java Authorization Contract for Containers.

Like the Access Gateway, J2EE Agents are enabled for the Liberty Alliance and therefore operate as service provider agents. As such, they redirect all authentication requests to the Identity Server, which returns a SAML assertion to the component. This process has the added security benefit of removing the need to pass user credentials between the components to handle session management.

Policies

Policies provide the authorization component of Access Manager. The administrator of the Identity Server uses policies to define how properties of a user’s authenticated identity map to the set of active roles for the user. This role definition serves as the starting point for role-based authorization policies of the Access Gateway and J2EE components. Additionally, authorization policies can be defined for the Access Gateway and J2EE components that control access to protected resources based on user and system attributes other than assigned roles.

The flexibility built into the policy component is nearly unlimited. You can, for example:

  • Set up a URL-based policy that permits or denies users access to a protected Web site, depending on their roles, such as employee or manager.

  • Specify whether an administrator has access to the policy management component of the Access Manager administration console. The administrator could create, edit, and manage policies that are assigned to specific components.

Each Access Gateway and J2EE component includes an Embedded Service Provider agent that interacts with the Identity Server to provide authentication, policy decision, and enforcement. For the Java application servers, the agent also provides role pass-through to allow integration with the Java Application server’s authorization processes.

6.1.7 Viewing System Alerts

The System Alerts page displays how many unacknowledged alerts have been generated for all the devices imported into this Administration Console.

  1. In the Administration Console, click Access Manager > Dashboard > Alerts.

  2. To acknowledge and clear the alerts for a device, select the name of the server, then click Acknowledge Alerts.

The following columns display information about the alerts for each server.

Column          Description

Server Name     Specifies the name of the server receiving alerts. Click the server name to view more information about an alert before acknowledging it.

Severe          Indicates how many severe alerts have been sent to the server.

Warning         Indicates how many warning alerts have been sent to the server.

Informational   Indicates how many informational alerts have been sent to the server.