Log Tivoli Access Manager security

Overview

Tivoli Access Manager Java Authorization Contract for Containers (JACC) provider messages are logged to the configured trace output location, and messages are written to standard out (SystemOut.log). When trace is enabled, all logging, both trace and messaging, is sent to trace.log.

The TAM JACC provider uses the JLog logging framework, as does the TAM Java runtime environment. Tracing and messaging can be enabled selectively for specific Tivoli Access Manager JACC provider components.

Tracing and message logging for the TAM JACC provider is configured in the properties file...

../etc/amwas.node_server.pdjlog.properties

This file contains logging properties taken from the template file,...

amwas.pdjlog.template.properties

...for the specific node and server combination at the time of TAM JACC provider configuration.

The contents of this file let the user control:

  • Whether tracing is enabled or disabled for TAM JACC provider components.

  • Whether message logging is enabled or disabled for TAM JACC provider components.

The amwas.node_server.pdjlog.properties file defines several loggers, each of which is associated with one TAM JACC provider component. These loggers include:

  • AmasRBPFTraceLogger, AmasRBPFMessageLogger
    Log messages and trace for the role-based policy framework. This is an underlying framework used by embedded TAM to make access decisions.

  • AmasCacheTraceLogger, AmasCacheMessageLogger
    Log messages and trace for the policy caches used by the role-based policy framework.

  • AMWASWebTraceLogger, AMWASWebMessageLogger
    Log messages and trace for the WAS authorization plug-in.

  • AMWASConfigTraceLogger, AMWASConfigMessageLogger
    Log messages and trace for the configuration actions for the TAM JACC provider.

  • JACCTraceLogger, JACCMessageLogger
    Log messages and trace for TAM JACC provider activity.

Note: Tracing can have a significant impact on system performance and should only be enabled when diagnosing the cause of a problem.

The implementation of these loggers routes messages to the WAS logging sub-system. All messages are written to the WebSphere Application Server's trace.log file.

For each logger, the amwas.node_server.pdjlog.properties file defines an isLogging attribute which, when set to true, enables logging for the specific component. A value of false disables logging for that component.

amwas.node_server.pdjlog.properties defines parent loggers called MessageLogger and TraceLogger that also have an isLogging attribute. If the child loggers do not specify this isLogging attribute, they inherit the value of their respective parent. When the TAM JACC provider is enabled, the isLogging attribute is set to true for the MessageLogger and false for the TraceLogger. Message logging is therefore enabled for all components and tracing is disabled for all components by default.
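The inheritance rule above (a child logger without its own isLogging attribute takes the value of its parent MessageLogger or TraceLogger) is easy to get wrong when reviewing a node's properties file by hand. The following script is an added example, not IBM's code: it parses a constructed pdjlog-style properties file and reports the effective isLogging value of each component logger, which is a quick way to confirm that no trace logger was left on after diagnosis. The only key format taken from the page is baseGroup.<Logger>.isLogging=<true|false>; the mapping of children to parents by name suffix (any *TraceLogger inherits from TraceLogger, any *MessageLogger from MessageLogger) is an assumption based on the logger names listed above.

```python
"""Resolve effective isLogging values in a pdjlog-style properties file.

Added example, not IBM's code. SAMPLE_PROPERTIES is constructed; the
parent/child mapping by name suffix is an assumption.
"""

# Constructed sample resembling amwas.node_server.pdjlog.properties after
# TAM JACC provider configuration: both parents set, a few children explicit,
# the rest relying on inheritance.
SAMPLE_PROPERTIES = """\
# parent loggers (defaults the child loggers inherit)
baseGroup.MessageLogger.isLogging=true
baseGroup.TraceLogger.isLogging=false

# child loggers, one per TAM JACC provider component
baseGroup.AmasRBPFTraceLogger.isLogging=false
baseGroup.AmasRBPFMessageLogger.isLogging=true
baseGroup.AMWASWebTraceLogger.isLogging=true
baseGroup.AMWASWebMessageLogger.isLogging=true
baseGroup.JACCTraceLogger.isLogging=false
"""

# Component loggers named on the page.
COMPONENT_LOGGERS = [
    "AmasRBPFTraceLogger", "AmasRBPFMessageLogger",
    "AmasCacheTraceLogger", "AmasCacheMessageLogger",
    "AMWASWebTraceLogger", "AMWASWebMessageLogger",
    "AMWASConfigTraceLogger", "AMWASConfigMessageLogger",
    "JACCTraceLogger", "JACCMessageLogger",
]

PARENTS = ("TraceLogger", "MessageLogger")


def parse_properties(text):
    """Minimal Java .properties parser: key=value lines, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        props[key.strip()] = value.strip()
    return props


def parent_of(logger):
    """Assumed convention: the logger name suffix names its parent logger."""
    for parent in PARENTS:
        if logger != parent and logger.endswith(parent):
            return parent
    return None


def is_logging(props, logger):
    """Effective isLogging: the logger's own attribute if present, else the parent's."""
    own = props.get(f"baseGroup.{logger}.isLogging")
    if own is not None:
        return own.lower() == "true"
    parent = parent_of(logger)
    if parent is None:
        return False  # a parent logger with no attribute: treat as disabled
    return is_logging(props, parent)


def effective_settings(text):
    """Map every component logger to its effective on/off state."""
    props = parse_properties(text)
    return {name: is_logging(props, name) for name in COMPONENT_LOGGERS}


def enabled_tracers(text):
    """Components whose trace logger is effectively on (the performance-relevant ones)."""
    return sorted(name for name, on in effective_settings(text).items()
                  if on and name.endswith("TraceLogger"))


if __name__ == "__main__":
    for name, on in effective_settings(SAMPLE_PROPERTIES).items():
        print(f"{name:26s} {'on' if on else 'off'}")
    print("trace enabled for:", enabled_tracers(SAMPLE_PROPERTIES))
```

Run against a real amwas.node_server.pdjlog.properties by reading the file into a string in place of SAMPLE_PROPERTIES; with the sample, only AMWASWebTraceLogger reports trace enabled, and the AmasCache and AMWASConfig loggers, which set no attribute of their own, resolve to the parent defaults (messages on, trace off).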

To turn on tracing for a TAM JACC provider component, two operations must occur:


Procedure

  1. The amwas.node_server.pdjlog.properties file must be updated and the isLogging attribute set to true for the required component. For example, to enable tracing for the TAM JACC provider, the following line must be set to true...

    amwas.node_server.pdjlog.properties:baseGroup.AMWASWebTraceLogger.isLogging=true

  2. Enable tracing for the TAM JACC provider components in the WAS administrative console by completing the following steps:

    1. Click...

      Troubleshooting | Logs and Trace | server name | Diagnostic trace | Enable Log | Apply

    2. Click...

      Troubleshooting | Logs and Trace | server name | Change Log Detail Levels | Components

      Tracing for all components can be enabled using...

      com.tivoli.pd.as.*

      ...or tracing for separate components can be enabled using:

      • com.tivoli.pd.as.rbpf.*    role-based policy framework tracing
      • com.tivoli.pd.as.jacc.*    JACC provider tracing
      • com.tivoli.pd.as.pdwas.*   authorization table
      • com.tivoli.pd.as.cfg.*     configuration
      • com.tivoli.pd.as.cache.*   caching

    3. Click Apply.


What to do next

The trace specification should now indicate that tracing is enabled at the required level. Save the configuration, and restart the server for the changes to take effect.