6.1 Turning on Logging for Policy Evaluation

Policy evaluation for roles occurs at the Identity Server. For Authorization and Identity Injection policies, policy evaluation occurs on the Embedded Service Provider where the policy is enabled.

For Form Fill policies, the evaluation and logging are done by both the Embedded Service Provider and the proxy service. To set the logging level on the Access Gateway for the proxy service, see the following:

Logging for the policy evaluation done by Embedded Service Providers is controlled by the log settings of the Identity Server configuration. To enable this type of logging:

  1. Click Devices > Identity Servers > Edit > Logging.

    If you have set up more than one Identity Server configuration, make sure you select the configuration to which the other Access Manager components have been assigned.

  2. Select Enabled for File Logging.

  3. Select the option to echo the trace messages to the console.

    • For the Linux Access Gateway Appliance, Linux Access Gateway Service, or Linux Identity Server, this sends the messages to the catalina.out file.

    • For the Linux Access Gateway Service or Windows Identity Server, this sends the messages to the stdout.log file.

  4. (Optional) Specify a path for the Identity Server log files.

    If you have a mixed platform environment (for example, the Identity Server is installed on Windows and the Access Gateway is on Linux), do not specify a path.

  5. For policy evaluation tracing, set the Application level to info in the Component File Logger Levels section.

    If you are only troubleshooting policies at this time, do not select any other options. This reduces the amount of information recorded in the log files.

    To see the policy SOAP messages, you need to set the Application level to config.

  6. Update the Identity Server.

  7. Click Auditing > General Logging.

    • For role evaluation traces, view the Identity Server catalina.out file (Linux) or the stdout.log file (Windows).

      If your Identity Servers are clustered, you need to look at the file from each Identity Server.

    • For Authorization, Form Fill, and Identity Injection evaluation traces, view the log file of the Embedded Service Provider of the device that is protecting the resource.

      • Linux Access Gateway Appliance or Service: This is the catalina.out file of the Access Gateway where the protected resource is defined. If the Access Gateway is part of a cluster, you need to look at this file from each Access Gateway in the group.

        To view the actual ESP log file that contains only ESP log messages, see the nidp.*.xml files in the /var/opt/novell/tomcat5/webapps/nesp/WEB-INF/logs directory (or the directory you specified in Step 4). Depending upon how you have configured File Wrap, the * portion of the filename contains the month, the week, the day, and the hour.

      • Windows Access Gateway Service: This is the stdout.log file of the Access Gateway where the protected resource is defined. If the Access Gateway is part of a cluster, you need to look at this file from each Access Gateway in the group.

        To view the actual ESP log file that contains only ESP log messages, see the nidp.*.xml files in the \Program Files\Novell\tomcat\webapps\nesp\WEB-INF\logs directory (or the directory you specified in Step 4). Depending upon how you have configured File Wrap, the * portion of the filename contains the month, the week, the day, and the hour.

  8. To understand what you are looking for in the log file, continue with one of the following: