Troubleshooting Novell Access Manager 3.1

In this session Novell technical support engineers will cover best practices guidelines for functionality and performance to proactively avoid problems in Novell Access Manager. They will discuss architecture issues and cover the flow of operation of key Access Manager components. Finally, they will describe key troubleshooting tips and tools to enable you to proactively avoid common issues, and solve them more quickly should they occur.

Speaker: Neil Cashell Technical Support Engineer

Published in: Technology


  1. Troubleshooting Novell Access Manager 3.1
  2. Networking Tools
     • netstat -patune: connection and socket state information
     • tcpdump/wireshark
     • netcat
     • tcp stats: general tcp/udp stats in /proc/net/snmp
     • ethtool (-S, -K tso)
     • iptables (-t nat -nvL): make sure the firewall is not blocking data, redirecting ports or masquerading
     © Novell, Inc. All rights reserved.
  3. Generic Novell Access Manager Troubleshooting Tools
     • ldapsearch from the SLES9 LDAP utilities
       – ldapsearch [options] [filter [attributes...]]
       > ldapsearch -h 137.56.1.1 -x -D "cn=admin,o=novell" -w novell -b "o=novell" "(&(objectclass=person)(cn=ncashell)(|(mail=ncashell@novell.com)))"
       – Note that -w puts the bind password on the command line, where it is visible in the process list and shell history; on a shared box use -W (prompt) or -y <file> instead, and bind as a read-only account rather than cn=admin when reproducing the Identity Server's queries.
     • LDAP performance measuring utilities
       – http://www.novell.com/communities/node/7063/elapsed-time-416
  4. Generic Novell Access Manager Troubleshooting Tools (cont.)
     • Export options
       – Complete setup via ambkup.sh
       – Access Gateway via the device -> Export option
       > http://www.novell.com/documentation/novellaccessmanager/adminguide/index.html?page=/documentation/novellaccessmanager/adminguide/data/ba9dh2r.html
       – Policy information
       > http://www.novell.com/documentation/novellaccessmanager/adminguide/index.html?page=/documentation/novellaccessmanager/adminguide/data/b5pm021.html
       > LDAP browser: browse to the following
  5. Generic Novell Access Manager Troubleshooting Tools (cont.)
     • Certificates and keystores
       – openssl s_client -connect idpcluster.lab.novell.com:8443
         CONNECTED(00000003)
         depth=1 /OU=Organizational CA/O=linuxlab5_tree
         verify error:num=19:self signed certificate in certificate chain
         verify return:0
         ---
         Certificate chain
          0 s:/CN=idpcluster.lab.novell.com
            i:/OU=Organizational CA/O=linuxlab5_tree
          1 s:/OU=Organizational CA/O=linuxlab5_tree
            i:/OU=Organizational CA/O=linuxlab5_tree
         Verify error 19 here means the Organizational CA that signed the chain is not in the trust store of the machine running s_client, not that the server's chain is broken; pass the exported CA certificate with -CAfile to separate the two cases.
       – keytool -list -keystore /var/opt/novell/novlwww/devman.keystore -v
         Your keystore contains 1 entry
         Alias name: tomcat
         Creation date: 13-Dec-2006
         Entry type: keyEntry
         Certificate chain length: 2
         Certificate[1]:
         Owner: O=novell, OU=accessManager, CN=linuxlab5
         Issuer: O=linuxlab5_tree, OU=Organizational CA
         Certificate[2]:
         Owner: O=linuxlab5_tree, OU=Organizational CA
         Issuer: O=linuxlab5_tree, OU=Organizational CA
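The s_client output above is usually read by eye; the following is an added example (not from the slides or from Novell) that parses it and applies the checks a practitioner makes on a certificate chain: the leaf name matches the host clients connect to, each certificate's issuer is the next certificate's subject, the chain ends at a self-signed CA, and a verify error 19 is reported as a trust-store problem on the client side rather than a server fault. The sample input is the slide's own s_client output, reflowed one field per line.

```python
"""Structural checks on the chain that 'openssl s_client' prints.

Added example for this page, not Novell code. It reads the 'Certificate chain'
section and the 'verify error' line and returns a list of findings; an empty
list means the chain is self-consistent and trusted by the client.
"""
import re

# Sample input: the s_client output shown on the slide, one field per line.
S_CLIENT_OUTPUT = """\
CONNECTED(00000003)
depth=1 /OU=Organizational CA/O=linuxlab5_tree
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/CN=idpcluster.lab.novell.com
   i:/OU=Organizational CA/O=linuxlab5_tree
 1 s:/OU=Organizational CA/O=linuxlab5_tree
   i:/OU=Organizational CA/O=linuxlab5_tree
---
"""


def parse_chain(output):
    """Return the presented chain as [{'subject', 'issuer'}, ...] in server order."""
    chain, subject = [], None
    for line in output.splitlines():
        m = re.match(r"^\s*\d+ s:(.*)$", line)
        if m:
            subject = m.group(1).strip()
            continue
        m = re.match(r"^\s*i:(.*)$", line)
        if m and subject is not None:
            chain.append({"subject": subject, "issuer": m.group(1).strip()})
            subject = None
    return chain


def parse_verify_error(output):
    """Return (number, text) of the first 'verify error' line, or None."""
    m = re.search(r"verify error:num=(\d+):(.*)", output)
    return (int(m.group(1)), m.group(2).strip()) if m else None


def check_chain(output, hostname):
    """Return a list of findings for the chain presented to 'hostname'."""
    findings = []
    chain = parse_chain(output)
    if not chain:
        return ["no certificate chain in output (handshake failed before the chain was sent?)"]

    # The slide-era check is the CN; browsers today match subjectAltName instead.
    cn = re.search(r"/CN=([^/]+)", chain[0]["subject"])
    leaf_cn = cn.group(1) if cn else None
    if leaf_cn != hostname:
        findings.append(f"leaf CN {leaf_cn!r} does not match the name clients use ({hostname})")

    # Each certificate must be issued by the next one in the list.
    for i in range(len(chain) - 1):
        if chain[i]["issuer"] != chain[i + 1]["subject"]:
            findings.append(f"cert {i} issuer does not match cert {i + 1} subject: "
                            "chain is out of order or an intermediate is missing")

    last = chain[-1]
    if last["subject"] != last["issuer"]:
        findings.append("chain does not end at a self-signed CA: the issuing CA "
                        "certificate is not in the keystore")

    err = parse_verify_error(output)
    if err and err[0] == 19:
        # X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: the chain is complete, the
        # client just does not trust its root.
        findings.append("verify error 19: root of the presented chain is not trusted "
                        "by the machine running s_client; rerun with -CAfile <exported CA "
                        "cert> before blaming the server")
    elif err:
        findings.append(f"verify error {err[0]}: {err[1]}")
    return findings


if __name__ == "__main__":
    for finding in check_chain(S_CLIENT_OUTPUT, "idpcluster.lab.novell.com"):
        print(finding)
```

Run against the slide's output the only finding is the error-19 note, which is the expected result for a private Organizational CA. Pipe real output in with `openssl s_client -connect host:8443 </dev/null 2>&1` and compare the chain it prints with the `keytool -list -v` entries; a missing Certificate[2] in the keystore shows up here as the "does not end at a self-signed CA" finding.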
  6. Generic Novell Access Manager Troubleshooting Tools (cont.)
     • IDP config 'Logging' tab configuration
  7. Generic Novell Access Manager Troubleshooting Tools (cont.)
     • AC general logs from the 'Auditing' tab
  8. Generic Novell Access Manager Troubleshooting Tools (cont.)
     • Network layout information
       – Firewalls/L4 switches may pose connectivity/state problems
     • LAN analyzer (Wireshark, tcpdump)
       – Trace traffic between browser, proxy, IDP and authentication servers
       – Remember the loopback interface!
     • Error status codes from the documentation
       – http://www.novell.com/documentation/novellaccessmanager/pdfdoc/errorcodes/errorcodes.pdf
  9. Generic Novell Access Manager Troubleshooting Tools (cont.)
     • NIDP/NESP monitor or statistic logging
       – /opt/novell/nids(nesp)/lib/webapp/WEB-INF/nidpmonitor.txt
       > urn:novell:nidp:monitor:anyaccess
  10. Generic Novell Access Manager Troubleshooting Tools (cont.)
     • Configuration reader
       – /opt/novell/devman/bin/amdiagcfg.sh, then view the output in a browser
  11. Access Gateway Overview
     Components in the diagram: Identity Server, Identity Store, Access Gateway, and an Apache or IIS web server configured to accept header-based authentication.
     1. User accesses a protected resource
     2. User is redirected to the Identity Server and is presented with an HTTP login form requesting their username and password
     3. The Identity Server verifies the username and password against the Identity Store
     4. Once the user's identity is validated, the Access Gateway retrieves the user's common name and password
     5. The Access Gateway injects the username and password into the authentication header and allows access to the encrypted Web content
  12. Access Gateway/ESP Flow
     Participants in the diagram: Client Browser, External website, AG, Service Provider (ESP), Identity Provider.
     1. User tries to access a protected resource
     2. AG responds with a request for a Liberty session
     3. Redirect to the login page with a Liberty AuthnRequest
     4. The AGW requests metadata
     5. The IDP requests metadata
     6. The IDP sends the login page
     7. User enters credentials
     8. IDP creates an authentication entry
     9. Redirect browser to SP with artifact
     10. The SP sends the artifact to the IDP
     11. The IDP responds with the list of attributes and session information over the SOAP backchannel
     12. User has access to the protected resource
  13. Liberty Authentication Request
     • Make sure the AuthnRequest includes the appropriate information (http://www.projectliberty.org/liberty/content/download/2197/14625/file/draft-liberty-idff-protocols-schema-1.2-errata-v3.0.pdf, section 3.2!)
       – ProviderID matches the SP metadata entry
       – Contract matches
       – Time matches
       > https://idpcluster.lab.novell.com:8443/nidp/idff/sso?RequestID=idNTXycnsP7cfmrq5o.k8za-yuIus&MajorVersion=1&MinorVersion=2&IssueInstant=2007-09-24T11%3A41%3A29Z&ProviderID=https%3A%2F%2Fwww.aleris.net%3A443%2Fnesp%2Fidff%2Fmetadata&RelayState=https%3A%2F%2Fwww.aleris.net%3A443%2FLAGBroker%3F%2522http%3A%2F%2Fwww.mylag.com%2Fservlets-examples%2F%2522&consent=urn%3Aliberty%3Aconsent%3Aunavailable&ForceAuthn=false&IsPassive=false&NameIDPolicy=onetime&ProtocolProfile=http%3A%2F%2Fprojectliberty.org%2Fprofiles%2Fbrws-art&AuthnContextStatementRef=secure%2Fname%2Fpassword%2Furi
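The three checks on this slide (ProviderID, contract, time) can be applied mechanically to the redirect URL copied out of a browser trace. The following is an added example, not Novell code: it parses the slide's AuthnRequest URL and reports which of the checks fail against a set of trusted SP ProviderIDs, the contracts defined on the IDP, and the IDP's clock. The trusted provider set, the contract set and the five-minute skew are assumptions chosen for the example.

```python
"""Sanity-check a Liberty ID-FF AuthnRequest redirect URL.

Added example for this page, not Novell code. It checks what the slide calls
out: ProviderID matches a known SP metadata entry, the requested contract
(AuthnContextStatementRef) exists on the IDP, and IssueInstant is within an
acceptable skew of the IDP's clock.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Redirect URL taken from the slide (line breaks removed).
AUTHN_REQUEST_URL = (
    "https://idpcluster.lab.novell.com:8443/nidp/idff/sso?RequestID=idNTXycnsP7cfmrq5o.k8za-yuIus"
    "&MajorVersion=1&MinorVersion=2&IssueInstant=2007-09-24T11%3A41%3A29Z"
    "&ProviderID=https%3A%2F%2Fwww.aleris.net%3A443%2Fnesp%2Fidff%2Fmetadata"
    "&RelayState=https%3A%2F%2Fwww.aleris.net%3A443%2FLAGBroker%3F%2522http%3A%2F%2F"
    "www.mylag.com%2Fservlets-examples%2F%2522"
    "&consent=urn%3Aliberty%3Aconsent%3Aunavailable&ForceAuthn=false&IsPassive=false"
    "&NameIDPolicy=onetime&ProtocolProfile=http%3A%2F%2Fprojectliberty.org%2Fprofiles%2Fbrws-art"
    "&AuthnContextStatementRef=secure%2Fname%2Fpassword%2Furi"
)

# Assumed IDP-side configuration for the example.
TRUSTED_PROVIDER_IDS = {"https://www.aleris.net:443/nesp/idff/metadata"}
LOCAL_CONTRACTS = {"secure/name/password/uri", "name/password/uri"}
MAX_SKEW = timedelta(minutes=5)


def parse_instant(text):
    """Parse an ID-FF IssueInstant such as 2007-09-24T11:41:29Z as UTC."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_authn_request(url):
    """Return the query parameters of the redirect as a flat dict (first value wins)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {name: values[0] for name, values in query.items()}


def check_authn_request(url, trusted_provider_ids, local_contracts, now, max_skew=MAX_SKEW):
    """Return a list of problems; an empty list means the request is consistent."""
    req = parse_authn_request(url)
    problems = [f"missing {p}" for p in
                ("RequestID", "ProviderID", "IssueInstant", "MajorVersion", "MinorVersion")
                if p not in req]
    if problems:
        return problems

    if (req["MajorVersion"], req["MinorVersion"]) != ("1", "2"):
        problems.append(f"unexpected ID-FF version {req['MajorVersion']}.{req['MinorVersion']}")

    # ProviderID must match an SP metadata entry the IDP has imported.
    if req["ProviderID"] not in trusted_provider_ids:
        problems.append(f"ProviderID {req['ProviderID']} has no matching SP metadata entry")

    # The requested contract must be one the IDP can execute.
    contract = req.get("AuthnContextStatementRef")
    if contract is not None and contract not in local_contracts:
        problems.append(f"contract {contract} is not defined on the IDP")

    # IssueInstant must be close to the IDP clock, or the request is rejected.
    try:
        issued = parse_instant(req["IssueInstant"])
    except ValueError:
        problems.append(f"IssueInstant {req['IssueInstant']} is not a UTC instant")
        return problems
    if abs(now - issued) > max_skew:
        problems.append(f"IssueInstant {req['IssueInstant']} is {abs(now - issued)} "
                        "away from the IDP clock")
    return problems


if __name__ == "__main__":
    for problem in check_authn_request(AUTHN_REQUEST_URL, TRUSTED_PROVIDER_IDS,
                                       LOCAL_CONTRACTS, datetime.now(timezone.utc)):
        print(problem)
```

Run as-is the only report is the clock skew, because the slide's request was issued in 2007; pass the IDP's current time as `now` when checking a live trace. The RelayState value is deliberately left alone: it is opaque to the IDP and is returned to the SP unchanged.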
  14. Liberty Authentication Request (cont.)
     • Confirm that the contract can be executed
       – Local Contract com.novell.nidp.authentication.AuthenticationContract@ded4ba https://idpcluster.lab.novell.com:8443/nidp/idff/sso com.novell.nidp.authentication.ContractExecutionState@13805c9
         <amLogEntry> 2007-09-24T14:13:37Z VERBOSE NIDS Application: Executing authentication method Introductions </amLogEntry>
         <amLogEntry> 2007-09-24T14:13:37Z VERBOSE NIDS Application: Authentication method Introductions failed. </amLogEntry>
         <amLogEntry> 2007-09-24T14:13:37Z VERBOSE NIDS Application: Session has consumedauthentications: false </amLogEntry>
         <amLogEntry> 2007-09-24T14:13:37Z VERBOSE NIDS Application: Executing authentication method Secure Name/Password - Form </amLogEntry>
     • Confirm that the artifact was sent back
       – <amLogEntry> 2007-09-24T14:13:42Z INFO NIDS Application: AM#500105018: AMDEVICEID#D5AF8CA5FBDB5813: AMAUTHID#BA7213D5E240018DD2F5FB38A4C37C1A: Responding to AuthnRequest with artifact AAOCkf3sRbgL1kSiTxccEVUvvBGYJO30dM1xkwe8y4gwRXYV9UfDf52J </amLogEntry>
  15. Liberty Authentication Response (cont.)
     • Confirm that the assertion request was received from the SP; the AssertionArtifact it carries must be the same artifact the IDP logged when responding to the AuthnRequest
       – <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><samlp:Request xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:lib="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" IssueInstant="2007-09-24T14:13:21Z" MajorVersion="1" MinorVersion="1" RequestID="idQCXo90QeOxtVF7Re1tSfK-F5o4"><samlp:AssertionArtifact>AAOCkf3sRbgL1kSiTxccEVUvvBGYJO30dM1xkwe8y4gwRXYV9UfDf52J</samlp:AssertionArtifact></samlp:Request></SOAP-ENV:Body></SOAP-ENV:Envelope>
     • Confirm that the assertion response was sent to the SP (with the assertion)
       – <amLogEntry> 2007-09-24T14:13:42Z NIDS Trace: Method: BaseHandler.sendSOAPResponse() Thread: http-0%2F0.0.0.0-8443-Processor4 SOAP EndpointResponse:
         <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
          <SOAP-ENV:Body>
           <samlp:Response InResponseTo="idQCXo90QeOxtVF7Re1tSfK-jF5o4" IssueInstant="2007-09-24T14:13:42Z" MajorVersion="1" MinorVersion="1" Recipient="https://www.aleris.net:443/nesp/idff/metadata" ResponseID="idtz8AISJfSnxQX60j0-cESUbdMrY" xmlns:lib="urn:liberty:iff:2003-08" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol">
            <samlp:Status> <samlp:StatusCode Value="samlp:Success"/> </samlp:Status>
            <saml:Assertion AssertionID="id7-m97u9xYZGWWzTZpqdoc7A.NSc" InResponseTo="idbiFOuDVt9UPHvfa9QLZ8puR7uuk" IssueInstant="2007-09-24T14:13:42Z" Issuer="https://idpcluster.lab.novell.com:8443/nidp/idff/metadata" MajorVersion="1" MinorVersion="2"
  16. LAG Troubleshooting Tools
     • netcat localhost 2300: view the proxy console
     • OS tools top/netstat/'ps -eLf': check process utilisation, memory and connection usage
     • HTTP header and data viewer: STRACE on IE, or the Firefox httpfox plugin
     • viewinfo.* files from the unsupported directory: decode HTTP headers on the back end
     • Diff tools, e.g. Beyond Compare (rewriting issues)
     • curl (view IDP metadata, simulate an HTTP request)
  17. LAG Troubleshooting Tools (cont.)
     • tcpdump output (including the loopback interface)
  18. Troubleshooting Files (cont.)
     • /var/log/ics_dyn.log: verbosity of messages depends on the /etc/laglogs.conf settings
         LOG_LEVEL=7 (default 5)
         DEBUG_SOAP_MESSAGE=1 (default 0)
         DEBUG_HTTP_SESSION=1 (default 0)
         DEBUG_HTTP_HEADERS=1 (default 0)
         DEBUG_HTTP_RESPONSE=1 (default 0)
       – With DEBUG_HTTP_HEADERS and DEBUG_SOAP_MESSAGE on, the logs under /var/log record session cookies, injected Authorization headers and the attribute values returned over the backchannel in clear. Restrict access to them, return the settings to their defaults once the problem is captured, and scrub the files before attaching them to a support case.
     • /var/novell/.~newInstall: removing the file clears the cache
  19. Troubleshooting Files (cont.)
     • /var/log/laghttpheaders: decodes HTTP headers of requests/responses on all channels
         Sending request to webserver for browser request '98'
         -------------------------------------------------------------------------
         GET /images/classifieds/quicksearch/poweredByLoadzaJobs.png HTTP/1.1
         Host: www.unison.ie
         Referer: http://www.unison.ie/
         Accept: */*
         Accept-Language: en-us
         Accept-Encoding: gzip, deflate
         User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
         Cookie: Unison_User=83.141.112.214.109131171028663164;
         Via: 1.1 www.mylag.com (Access Gateway 3.0.0-83)

         Headers received from webserver for request '98'
         ------------------------------------------------------------------
         Date: Fri, 26 Jan 2008 14:54:15 GMT
         Server: Apache/1.3.34 (Debian) PHP/4.4.2-1.1 mod_perl/1.29
         Last-Modified: Mon, 22 Jan 2007 11:23:29 GMT
         ETag: "848730a-78c-45b49eb1"
         Accept-Ranges: bytes
         Content-Length: 1932
         Content-Type: image/png
  20. Troubleshooting Files (cont.)
     • /var/log/lagsoapmessages: log-level setting available in /etc/laglogs.conf
       – Decodes all SOAP backchannel messages for authentication and policy interaction
       – Get user, roles, contract and timeout details during authentication
       – Get personal policy info for formfill, identity injection and authorization
       – <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><NIDPSetSession XLibid="00000200930224c625b125a639540dda7192bb24fbfcd794" hardExpire="899" id="552382333C8BE989D7F39E1993D30B33" softExpire="584"><store type="ldap"><dn>cn=ncashell,o=novell</dn></store><authentications><contracts><contract>name/password/uri</contract></contracts></authentications><roles/></NIDPSetSession></SOAP-ENV:Body></SOAP-ENV:Envelope>
  21. Troubleshooting Files (cont.)
     • /var/log/ics_dyn.log: proxy-specific logs
       – Unique format
       > <time>:<host>:<component>:<DeviceID>:<AuthID>:<EventID><mesg>
       > Component determined by the string 5045xxxx
         » where '5' is the log level (never changes!)
         » '045' represents the LAG component ID
         » 'xxxx' represents the LAG subgroup, for example
           ~ '0100' -> multihoming
           ~ '0400' -> Authentication
           ~ '0600' -> Identity Injection
           ~ '1100' -> Rewriting
           ~ '1200' -> SOAP backchannel
  22. Troubleshooting Files (cont.)
     • /var/log/ics_dyn.log
         Feb 18 13:39:46 lag129 : AM#504503000: AMDEVICEID#ag-7AA324FFCBA4D4E: AMAUTHID#0: AMEVENTID#681: Process request 1 'lag129.lab.novell.com:/formfill/sybase.html' [147.2.36.148:2134 -> 147.2.16.129:443]
         Feb 18 13:39:46 lag129 : AM#504517000: AMDEVICEID#ag-7AA324FFCBA4D4E: AMAUTHID#0: AMEVENTID#681: Search success for /formfill/sybase.html (0xa5cf96e4:0xa598b7a4:64)
         Feb 18 13:39:46 lag129 : AM#504504000: AMDEVICEID#ag-7AA324FFCBA4D4E: AMAUTHID#0: AMEVENTID#681: protected-resource
         Feb 18 13:39:46 lag129 : AM#504504000: AMDEVICEID#ag-7AA324FFCBA4D4E: AMAUTHID#0: AMEVENTID#681: Got valid Cookie[1984350736 196608 3530491756 1573825269 147.2.36.148 0.3 CIP:147.2.36.148] COOKIE_VALIDATION
         Feb 18 13:39:47 lag129 : AM#504507000: AMDEVICEID#ag-7AA324FFCBA4D4E: AMAUTHID#1F45C624E8EF324AC9A92FA39E20B22F: AMEVENTID#681:Scheduling Formfill, policies matched 1
         Feb 18 13:39:47 lag129 : AM#504503000: AMDEVICEID#ag-7AA324FFCBA4D4E: AMAUTHID#0: AMEVENTID#681: Sending request to origin server 147.2.16.154:80 (c24cb1a1.c24cb1a1)
         Feb 18 13:39:47 lag129 : AM#504509000: AMDEVICEID#ag-7AA324FFCBA4D4E: AMAUTHID#0: AMEVENTID#681: Received response from origin server, status = 200 (147.2.16.154:80)
         Feb 18 13:39:47 lag129 : AM#504507000: AMDEVICEID#ag-7AA324FFCBA4D4E: AMAUTHID#1F45C624E8EF324AC9A92FA39E20B22F: AMEVENTID#681:Content-Type () Formfill is interested in this response.
         Feb 18 13:39:47 lag129 : AM#504507000: AMDEVICEID#ag-7AA324FFCBA4D4E: AMAUTHID#1F45C624E8EF324AC9A92FA39E20B22F: AMEVENTID#681:FFResDS:0xa59ff824 Processing response
         Feb 18 13:39:47 lag129 : AM#504507000: AMDEVICEID#ag-7AA324FFCBA4D4E: AMAUTHID#1F45C624E8EF324AC9A92FA39E20B22F: AMEVENTID#681:FF Sending GetAttribute soaprequest:5987 to eSP.(1F45C624E8EF324AC9A92FA39E20B22F)
         Feb 18 13:39:49 lag129 : AM#504512000: AMDEVICEID#ag-7AA324FFCBA4D4E: AMAUTHID#0: AMEVENTID#5987: backchannel receivedResp (app a5fe24a4 FF ) (5987)[seg:0xa4b87de0:0xa58c4a00:1125]
         Feb 18 13:39:49 lag129 : AM#504507000: AMDEVICEID#ag-7AA324FFCBA4D4E: AMAUTHID#1F45C624E8EF324AC9A92FA39E20B22F: AMEVENTID#681:ffCacheDataEvent:: data:0xa5a46824 start Formfill
         Feb 18 13:39:49 lag129 : AM#404517000: AMDEVICEID#ag-7AA324FFCBA4D4E: AMAUTHID#0: AMEVENTID#681: FF Adjusting content length by 314, original entitySize 8440 (0)
         Feb 18 13:39:49 lag129 : AM#504507000: AMDEVICEID#ag-7AA324FFCBA4D4E: AMAUTHID#1F45C624E8EF324AC9A92FA39E20B22F: AMEVENTID#681:Completed Formfill processing.(hit)
         Feb 18 13:39:49 lag129 : AM#504520000: AMDEVICEID#ag-7AA324FFCBA4D4E: AMAUTHID#0: AMEVENTID#681: Browser req/resp[1185635, 1185637, 1185639] [timeToResp:2 respDuration:2] curTime:1185639 FinishTransmit [auth:0 acl:0 II:0] [rewrite 0 :1185637 11856371185637] [origin: 1185637, 1185637, 1185637,1185637 retry:0 0]
       Note that the backchannel reply is logged under the SOAP request number (AMEVENTID#5987), not the browser event (AMEVENTID#681); the two are tied together only by the 'soaprequest:5987' reference in the formfill line.
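Following one request through ics_dyn.log means grepping for its AMEVENTID and then for every SOAP request number it spawned, because backchannel lines are logged under their own event ID. The following is an added example (not a Novell tool) that parses the line format and the 5045xxxx code exactly as the two slides above describe, and collects a browser event together with the backchannel events it references. The sample lines are taken from the slide; one extra line with an unrelated event ID (682) was constructed to show the filtering.

```python
"""Parse /var/log/ics_dyn.log entries and follow one browser request through them.

Added example for this page, not a Novell tool. It decodes the AM# code into
level, component and subgroup as the slide describes, and returns every line
for a given AMEVENTID together with the SOAP backchannel lines it spawned,
which are logged under the SOAP request number rather than the browser event.
"""
import re

# Subgroup names listed on the slide. Subgroups that appear in the log but are
# not named there (0300, 0700, 1700, 2000, ...) decode with name None.
LAG_SUBGROUPS = {
    "0100": "multihoming",
    "0400": "Authentication",
    "0600": "Identity Injection",
    "1100": "Rewriting",
    "1200": "SOAP backchannel",
}

LINE_RE = re.compile(
    r"^(?P<time>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) : "
    r"AM#(?P<code>\d{9}): AMDEVICEID#(?P<device>[^:]+): AMAUTHID#(?P<auth>[^:]*): "
    r"AMEVENTID#(?P<event>\d+):\s*(?P<msg>.*)$"
)
# How a browser event refers to the backchannel request it issued
# ("soaprequest:5987", "sent soapRequest 5715", "Sending EVAL Request 5715").
SOAP_REF_RE = re.compile(r"(?:soaprequest[: ]|eval request )(\d+)", re.IGNORECASE)

# Sample input: lines from the slide, plus one constructed unrelated event (682).
SAMPLE_LOG = [
    "Feb 18 13:39:46 lag129 : AM#504503000: AMDEVICEID#ag-7AA324FFCBA4D4E: AMAUTHID#0: AMEVENTID#681: Process request 1 'lag129.lab.novell.com:/formfill/sybase.html' [147.2.36.148:2134 -> 147.2.16.129:443]",
    "Feb 18 13:39:46 lag129 : AM#504504000: AMDEVICEID#ag-7AA324FFCBA4D4E: AMAUTHID#0: AMEVENTID#681: protected-resource",
    "Feb 18 13:39:47 lag129 : AM#504507000: AMDEVICEID#ag-7AA324FFCBA4D4E: AMAUTHID#1F45C624E8EF324AC9A92FA39E20B22F: AMEVENTID#681:Scheduling Formfill, policies matched 1",
    "Feb 18 13:39:47 lag129 : AM#504507000: AMDEVICEID#ag-7AA324FFCBA4D4E: AMAUTHID#1F45C624E8EF324AC9A92FA39E20B22F: AMEVENTID#681:FF Sending GetAttribute soaprequest:5987 to eSP.(1F45C624E8EF324AC9A92FA39E20B22F)",
    "Feb 18 13:39:49 lag129 : AM#504512000: AMDEVICEID#ag-7AA324FFCBA4D4E: AMAUTHID#0: AMEVENTID#5987: backchannel receivedResp (app a5fe24a4 FF ) (5987)[seg:0xa4b87de0:0xa58c4a00:1125]",
    "Feb 18 13:39:49 lag129 : AM#504507000: AMDEVICEID#ag-7AA324FFCBA4D4E: AMAUTHID#1F45C624E8EF324AC9A92FA39E20B22F: AMEVENTID#681:Completed Formfill processing.(hit)",
    "Feb 18 13:39:50 lag129 : AM#504503000: AMDEVICEID#ag-7AA324FFCBA4D4E: AMAUTHID#0: AMEVENTID#682: Process request 2 'lag129.lab.novell.com:/images/logo.png' [147.2.36.148:2135 -> 147.2.16.129:443]",
]


def decode_code(code):
    """Split a nine-digit AM# code: level, component (045 = LAG), subgroup, name."""
    subgroup = code[4:8]
    return {"level": code[0], "component": code[1:4],
            "subgroup": subgroup, "name": LAG_SUBGROUPS.get(subgroup)}


def parse_line(line):
    """Return the fields of one ics_dyn.log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry.update(decode_code(entry["code"]))
    return entry


def follow_request(lines, event_id):
    """All entries for event_id plus the backchannel entries it referenced."""
    entries = [e for e in map(parse_line, lines) if e]
    linked = {m.group(1)
              for e in entries if e["event"] == event_id
              for m in SOAP_REF_RE.finditer(e["msg"])}
    return [e for e in entries if e["event"] == event_id or e["event"] in linked]


def subgroup_sequence(entries):
    """The order in which LAG subgroups handled the request; handy for spotting where it stalls."""
    return [e["subgroup"] for e in entries]


if __name__ == "__main__":
    for e in follow_request(SAMPLE_LOG, "681"):
        print(e["time"], e["event"], e["subgroup"], e["name"] or "-", e["msg"][:60])
```

The subgroup sequence for a healthy formfill request is request handling, authentication (cookie validation), formfill, backchannel reply, formfill completion. A request that never shows a 1200 line after a 'soaprequest:' reference stalled waiting on the ESP, which is where slide 23's thread-exhaustion note applies.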
  23. Troubleshooting Files
     • /var/opt/novell/tomcat/logs/catalina.out
       – eSP logs for communication with the proxy and the IDP
       > The eSP inherits the IDP logging settings ('Application' and 'Liberty')
       > Used to troubleshoot import, authentication and policy issues
       > Can search for JSESSIONID or Policy ID
       – Display IDP/ESP statistics
       > Performance issues: running out of threads
       > http://www.novell.com/communities/node/9321/how-configure-access-gateway-embedded-service-provider-reduce-access-gateway-load-and-impr
  24. Troubleshooting Case Study: Single sign-on to back-end app fails with Identity Injection
  25. Policy Case Study: Background
     • The customer enabled an Identity Injection policy on a protected resource. The policy added:
       – the username and password to the basic auth header
       – the user's e-mail address to the X-Mail HTTP header
       – the user's certificate to the X-userCertificate HTTP header
     • After applying the policy and logging in to the Linux Access Gateway protected resource, the user could not SSO to the back-end Web server
       – authentication failed; error messages were returned from the back-end application
       – no valid user certificate was sent
  26. Policy Case Study: Troubleshooting
     • Get the policy and where it is applied (screenshot of the protected resources and an export of the policy)
  27. Policy Case Study: Troubleshooting
     • View the protected resources with the amdiagcfg.sh output
       – Policies enabled and configured correctly?
     • Enable logs for policies
       – Must understand where in the policy flow the request is failing (Web server, proxy server, eSP, IDP, user store)
  28. Policy Case Study: Log Analysis
     • Check browser HTTP headers for cookies (LAG/ESP)
     • Locate the event ID from the laghttpheaders output
     • Search the ics_dyn log for the event ID and the policy activation
         Feb 5 10:49:31 www : AM#504506000: AMDEVICEID#ag-BC7465BE319FA86: AMAUTHID#98514F39F4D2A2D5A8638C25560765A5: AMEVENTID#31: IdInjection enabled for the protected resource
         Feb 5 10:49:31 www : AM#504506000: AMDEVICEID#ag-BC7465BE319FA86: AMAUTHID#98514F39F4D2A2D5A8638C25560765A5: AMEVENTID#31: IIRdata:a9d35704 cnt:2 processSearchMatch (ds:a99ecd44)
         Feb 5 10:49:31 www : AM#504506000: AMDEVICEID#ag-BC7465BE319FA86: AMAUTHID#98514F39F4D2A2D5A8638C25560765A5: AMEVENTID#31: id Cache miss. (key<43KO7M0O-9719-280O-200M-5772M447KL4IPCZQX03a36c6c0a=00000000930223500d7f35546deb348a87c859e198514F39F4D2A2D5A8638C25560765A5>)
         Feb 5 10:49:31 www : AM#504506000: AMDEVICEID#ag-BC7465BE319FA86: AMAUTHID#98514F39F4D2A2D5A8638C25560765A5: AMEVENTID#31: II:a9d35704 Sending EVAL Request 5715 policyId 43KO7M0O-9719-280O-200M-N5772M447KL4
         Feb 5 10:49:31 www : AM#504512000: AMDEVICEID#ag-BC7465BE319FA86: AMAUTHID#0: AMEVENTID#15: processSoapRequests - size 6 processed 1, deleted 3 (3, conFail 0 conTimeout 0) 0 (0)
         Feb 5 10:49:31 www : AM#504515000: AMDEVICEID#ag-BC7465BE319FA86: AMAUTHID#0: AMEVENTID#56: CSocket 0xa99bd624:56 connectInProgress [0.0.0.0:0 0.0.0.0:8080] defaultNagle
         Feb 5 10:49:31 www : AM#504515000: AMDEVICEID#ag-BC7465BE319FA86: AMAUTHID#0: AMEVENTID#0: Connection Established with peer 127.0.0.1:8080 (src 127.0.0.1:0)
         Feb 5 10:49:31 www : AM#504512000: AMDEVICEID#ag-BC7465BE319FA86: AMAUTHID#0: AMEVENTID#5715: sent soapRequest 5715 app a99ecd88 II SCacheCreateWrked for pool Xerc 20000 (6)
         Feb 5 10:49:31 www : AM#504512000: AMDEVICEID#ag-BC7465BE319FA86: AMAUTHID#0: AMEVENTID#5715: backchannel receivedResp (app a99ecd88 II ) (5715)[seg:0xa8b87de0:0x586aa048:16131]
         Feb 5 10:49:31 www : AM#504506000: AMDEVICEID#ag-BC7465BE319FA86: AMAUTHID#98514F39F4D2A2D5A8638C25560765A5: AMEVENTID#31: Received response for IdInjection EVAL request
         Feb 5 10:49:31 www : AM#504506000: AMDEVICEID#ag-BC7465BE319FA86: AMAUTHID#98514F39F4D2A2D5A8638C25560765A5: AMEVENTID#31: Injecting AUTH_HEADER
         Feb 5 10:49:31 www : AM#504506000: AMDEVICEID#ag-BC7465BE319FA86: AMAUTHID#98514F39F4D2A2D5A8638C25560765A5: AMEVENTID#31: Injecting CUSTOM_HEADER
         Feb 5 10:49:31 www : AM#504506000: AMDEVICEID#ag-BC7465BE319FA86: AMAUTHID#98514F39F4D2A2D5A8638C25560765A5: AMEVENTID#31: Injecting (X-mail)
         Feb 5 10:49:31 www : AM#504506000: AMDEVICEID#ag-BC7465BE319FA86: AMAUTHID#98514F39F4D2A2D5A8638C25560765A5: AMEVENTID#31: Injecting CUSTOM_HEADER
         Feb 5 10:49:31 www : AM#504506000: AMDEVICEID#ag-BC7465BE319FA86: AMAUTHID#98514F39F4D2A2D5A8638C25560765A5: AMEVENTID#31: Injecting (X-ClientCert)
         Feb 5 10:49:31 www : AM#504503000: AMDEVICEID#ag-BC7465BE319FA86: AMAUTHID#0: AMEVENTID#31: connecting to webserver 147.2.16.154:80 c24cb1a1 noPersist . (policy:1:2)
         Feb 5 10:49:31 www : AM#504515000: AMDEVICEID#ag-BC7465BE319FA86: AMAUTHID#0: AMEVENTID#56: CSocket 0xa99cda24:56 connectInProgress [147.2.16.159:0 147.2.16.159:80]
         Feb 5 10:49:31 www : AM#504515000: AMDEVICEID#ag-BC7465BE319FA86: AMAUTHID#0: AMEVENTID#0: Connection Established with peer (147.2.16.154:80)
  29. Policy Case Study: Log Analysis
     • Check the AG catalina.out log for the policy evaluation
         <amLogEntry> 2010-02-05T10:49:31Z INFO NIDS Application: AM#501101050: AMDEVICEID#esp-7AA324FFCBA4D4ED: PolicyID#43KO7M0O-9719-280O-200M-N5772M447KL4: NXPESID#5715: Evaluating policy </amLogEntry>
         <amLogEntry> 2010-02-05T10:49:31Z INFO NIDS Application: AM#501103050: AMDEVICEID#esp-7AA324FFCBA4D4ED: AMAUTHID#98514F39F4D2A2D5A8638C25560765A: 43KO7M0O-9719-280O-200M-N5772M447KL4: NXPESID#5715: AGIdentityInjection Policy Trace:
           ~~RL~1~~~~Rule Count: 1~~Success(67)
           ~~RU~RuleID_1239275044815~IdentityInjection~DNF~~0:3~~Success(67)
           ~~PA~ActionID_1265966514254~~InjectAuthHeader~uid~uid(1):CredentialProfile(7010:):NEPXurn~3Anovell~3Acredentialprofile~3ASecret~5Bcp~3AName~3D~22LDAPCredentials~22~5D~2Fcp~3AEntry~5Bcp~3AName~3D~22UserName~22~5D:~Ok:ttl -1~Success(0)
           ~~PA~ActionID_1265966514254~~InjectAuthHeader~password~pwd(1):CredentialProfile(7010:):NEPXurn~3Anovell~3Acredentialprofile~3A2005ret~5Bcp~3AName~3D~22LDAPCredentials~22~5D~2Fcp~3AEntry~5Bcp~3AName~3D~22UserPassword~22~5D:~Ok~Success(0)
           ~~PC~ActionID_1265966514254~~Document=(ou=xpemlPEP,ou=mastercdn,ou=ContentPublisherContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell:romaContentCollectionXMLDoc),Policy=(IdentityInjection),Rule=(1::RuleID_1239275044815),Action=(InjectAuthHeader::ActionID_1265966514254)~~~~Success(0)
           ~~PA~ActionID_1254471149303~~Inject Custom Header~Xmail~Value(2):LdapAttribute(6647:):NEPXurn~3Anovell~3Aldap~3A200602~2Fldap~3AUserAttribute~40~40~40~40WSCQLDAPToken~40~40~40~40~2FUserAttribute~5B~40ldap~3AtargetAttribute~3D~22mail~22~5D:~Ok:ttl -1~Success(0)
           ~~PC~ActionID_1254471149303~~Document=(ou=xpemlPEP,ou=mastercdn,ou=ContentPublisherContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell:romaContentCollectionXMLDoc),Policy=(IdentityInjection),Rule=(1::RuleID_1239275044815),Action=(InjectCustomHeader::ActionID_1254471149303)~~~~Success(0)
           ~~PA~ActionID_1261572496536~~InjectCustomHeader~XClientCert~Value(2):LdapAttribute(6647:):NEPXurn~3Anovell~3Aldap~3A200602~2Fldap~3AUserAttribute~40~40~40~40WSCQLDAPToken~40~40~40~40~2FUserAttribute~5B~40ldap~3AtargetAttribute~3D~22userCertificate~22~5D:~Ok:ttl -1~Success(0)
           ~~PC~ActionID_1261572496536~~Document=(ou=xpemlPEP,ou=mastercdn,ou=ContentPublisherContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell:romaContentCollectionXMLDoc),Policy=(IdentityInjection),Rule=(1::RuleID_1239275044815),Action=(InjectCustomHeader::ActionID_1261572496536)~~~~Success(0)
         </amLogEntry>
  30. Policy Case Study: Log Analysis
     • Check the AG catalina.out log for parameter values and return codes
         Query Response: <ldap:QueryResponse(urn:novell:ldap:2006-02)>:ns=urn:novell:ldap:2006-02 nspfx=ldap itemIdRef=exss80bmcyk3x timeStamp=2007-02-05T10:49:30Z
           <ldap:Status(urn:novell:ldap:2006-02)>:code=ldap:OK
           <ldap:Data(urn:novell:ldap:2006-02)>: itemIdRef: NEPXurn~3Anovell~3Aldap~3A2006-02~2Fldap~3AUserAttribute~40~40~40~40WSCQLDAPToken~40~40~40~40~2FUserAttribute~5B~40ldap~3AtargetAttribute~3D~22mail~22~5D
             <ldap:UserAttribute(urn:novell:ldap:2006-02)>: Id: exss80521py4a Target Attribute: mail
               <ldap:Value(urn:novell:ldap:2006-02)>: Value: *****
         Method: com.novell.nidp.liberty.wsc.WSC.getDataWithoutInteraction() (Thread: http-8080-Processor3): Completed Request. Response: WSCResponse: Status: All Success
           WSCQResponseEntry: WSCQLDAPToken: Model Entry: UserAttribute
             Unique Id: NEPXurn~3Anovell~3Aldap~3A2006-02~2Fldap~3AUserAttribute~40~40~40~40WSCQLDAPToken~40~40~40~40~2FUserAttribute~5B~40ldap~3AtargetAttribute~3D~22userCertificate~22~5D
             Select String: /UserAttribute[@ldap:targetAttribute="userCertificate"]
             Status: OK
             Location Cookie: com.novell.nidp.liberty.wsc.WSCResourceOffering
             Value: <ldap:UserAttribute(urn:novell:ldap:2006-02)>: Id: exss80z7w0v4i Target Attribute: userCertificate
             // missing "Value: *****" field
  31. Policy Case Study: Log Analysis
     • The catalina.out file shows that values were returned, but masked (!)
     • Check the AG loopback interface for the values actually returned
       – tcpdump -i any -s 0 -w IIValues.cap port 8080
       – The capture shows values for all requested attributes, BUT the LDAP userCertificate is blank
       – The backchannel on loopback port 8080 is not encrypted, so this capture holds the attribute values unmasked, including the username and password the policy injects into the Authorization header. Treat the .cap file as a credential dump: keep it on the box, hand it over only through the support case, and delete it when the case closes.
  32. Policy Case Study: Log Analysis
     • Check the IDP log for the userCertificate parameter values
         <ldap:Query(urn:novell:ldap:2006-02)>:ns=urn:novell:ldap:2006-02 nspfx=ldap id=exss814edf549 itemId=exss814f5d44a
           <ldap:ResourceID(urn:novell:ldap:2006-02)>: Text: http://idpcluster.lab.novell.com:8080/nidp/?rsid%3D147.2.16.109%26sess%3D9C1CD281A9B0B6B68D8F65EE10B09A0F%26ugid%3D810de4119743d711a8d400c04fb1d4e2%26tpid%3Dhttp%3A%2F%2Fwww.mylag.com%3A80%2Fnesp%2Fidff%2Fmetadata%26auth%3DLDAPLDAPV.1.0%26svc%3Durn%3Anovell%3Aldap%3A2006-02%26ulid%3DnbYvdXIvClJdw7bimcu%2B55jOvOqVxr3jPVwIAA%3D%3D%26OB%3Dfalse
           <ldap:QueryItem(urn:novell:ldap:2006-02)>:id=exss814f1jf4b itemId=NEPXurn~3Anovell~3Aldap~3A2006-02~2Fldap~3AUserAttribute~40~40~40~40WSCQLDAPToken~40~40~40~40~2FUserAttribute~5B~40ldap~3AtargetAttribute~3D~22userCertificate~22~5D includeCommonAttributes=false
             <ldap:Select(urn:novell:ldap:2006-02)>:Select String: /UserAttribute[@ldap:targetAttribute="userCertificate"]
         <ldap:QueryResponse(urn:novell:ldap:2006-02)>:ns=urn:novell:ldap:2006-02 nspfx=ldap itemIdRef=exss814f5d44a timeStamp=2007-02-05T10:49:31Z
           <ldap:Status(urn:novell:ldap:2006-02)>:code=ldap:OK
           <ldap:Data(urn:novell:ldap:2006-02)>: itemIdRef: NEPXurn~3Anovell~3Aldap~3A2006-02~2Fldap~3AUserAttribute~40~40~40~40WSCQLDAPToken~40~40~40~40~2FUserAttribute~5B~40ldap~3AtargetAttribute~3D~22userCertificate~22~5D
             <ldap:UserAttribute(urn:novell:ldap:2006-02)>: Id: exss80z7w0v4i Target Attribute: userCertificate
         <Neil> No value returned!
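The point of slides 29, 30 and 32 is that the policy trace reports Success(0) for every action while the WSC query response for userCertificate carries no Value line; "Success" describes the evaluation, not the presence of data. The following added example (not a Novell tool) parses the AGIdentityInjection policy trace into its PA records, works out which LDAP attribute each action reads from the URL-escaped data-source reference, and cross-checks the ldap:QueryResponse dump for a returned Value, so the mismatch is found by program rather than by eye. The trace and response text are constructed from the slides, with the PC records dropped and action names normalised to the form without spaces.

```python
"""Cross-check an Identity Injection policy trace against the WSC query response.

Added example for the case study on these slides; it is not Novell code. It
parses the PA (policy action) records of the trace, decodes the LDAP attribute
each action reads, and reports actions whose attribute came back without a
Value in the ldap:QueryResponse dump.
"""
import re
from urllib.parse import unquote

# Constructed from the trace on slide 29: RL, RU and three PA records, PC
# records omitted, action names normalised (no spaces).
POLICY_TRACE = (
    "~~RL~1~~~~Rule Count: 1~~Success(67)"
    "~~RU~RuleID_1239275044815~IdentityInjection~DNF~~0:3~~Success(67)"
    "~~PA~ActionID_1265966514254~~InjectAuthHeader~uid~uid(1):CredentialProfile(7010:):"
    "NEPXurn~3Anovell~3Acredentialprofile~3ASecret~5Bcp~3AName~3D~22LDAPCredentials~22~5D"
    "~2Fcp~3AEntry~5Bcp~3AName~3D~22UserName~22~5D:~Ok:ttl -1~Success(0)"
    "~~PA~ActionID_1254471149303~~InjectCustomHeader~Xmail~Value(2):LdapAttribute(6647:):"
    "NEPXurn~3Anovell~3Aldap~3A200602~2Fldap~3AUserAttribute~40~40~40~40WSCQLDAPToken~40~40~40~40"
    "~2FUserAttribute~5B~40ldap~3AtargetAttribute~3D~22mail~22~5D:~Ok:ttl -1~Success(0)"
    "~~PA~ActionID_1261572496536~~InjectCustomHeader~XClientCert~Value(2):LdapAttribute(6647:):"
    "NEPXurn~3Anovell~3Aldap~3A200602~2Fldap~3AUserAttribute~40~40~40~40WSCQLDAPToken~40~40~40~40"
    "~2FUserAttribute~5B~40ldap~3AtargetAttribute~3D~22userCertificate~22~5D:~Ok:ttl -1~Success(0)"
)

# Constructed from the ldap:QueryResponse dumps on slides 30 and 32: mail has
# a (masked) Value line, userCertificate has none.
WSC_RESPONSE = """\
<ldap:UserAttribute(urn:novell:ldap:2006-02)>: Id: exss80521py4a Target Attribute: mail
  <ldap:Value(urn:novell:ldap:2006-02)>: Value: *****
<ldap:UserAttribute(urn:novell:ldap:2006-02)>: Id: exss80z7w0v4i Target Attribute: userCertificate
"""

# Records start with "~~" followed by a two-letter record type.
RECORD_SPLIT = re.compile(r"~~(?=(?:RL|RU|PA|PC)~)")
PA_RECORD = re.compile(
    r"^PA~(?P<action_id>ActionID_\d+)~~(?P<action>[^~]+)~(?P<target>[^~]+)"
    r"~(?P<source>.*)~(?P<status>\w+)\((?P<code>-?\d+)\)$"
)


def parse_policy_trace(trace):
    """One dict per PA record: header written, data source type, LDAP attribute, status."""
    actions = []
    for record in RECORD_SPLIT.split(trace):
        m = PA_RECORD.match(record)
        if not m:
            continue  # RL, RU and PC records carry no header/value pairing
        source = m.group("source")
        # The data-source reference is URL-escaped with '~' standing in for '%'.
        decoded = unquote(source.replace("~", "%"))
        attr = re.search(r'targetAttribute="([^"]+)"', decoded)
        kind = re.match(r"^\w+\(\d+\):(\w+)\(", source)
        actions.append({
            "action_id": m.group("action_id"),
            "action": m.group("action"),
            "target": m.group("target"),
            "source_type": kind.group(1) if kind else None,
            "ldap_attribute": attr.group(1) if attr else None,
            "status": m.group("status"),
            "code": int(m.group("code")),
        })
    return actions


def parse_wsc_response(text):
    """Map each Target Attribute in a QueryResponse dump to its Value, or None if absent."""
    values, pending = {}, None
    for line in text.splitlines():
        m = re.search(r"Target Attribute:\s*(\S+)", line)
        if m:
            pending = m.group(1)
            values.setdefault(pending, None)
            line = line[m.end():]  # a Value may follow on the same line
        m = re.search(r"\bValue:\s*(\S+)", line)
        if m and pending is not None:
            values[pending] = m.group(1)
            pending = None
    return values


def diagnose(trace, wsc_text):
    """(header, ldap attribute) pairs the policy injects from LDAP but the WSC returned empty."""
    values = parse_wsc_response(wsc_text)
    return [(a["target"], a["ldap_attribute"]) for a in parse_policy_trace(trace)
            if a["ldap_attribute"] and values.get(a["ldap_attribute"]) is None]


if __name__ == "__main__":
    for header, attribute in diagnose(POLICY_TRACE, WSC_RESPONSE):
        print(f"{header}: policy reads LDAP {attribute} but the query response has no value")
```

On the slides' data the only hit is XClientCert/userCertificate, which is exactly what the loopback capture on slide 31 confirmed. Values shown as `*****` in catalina.out count as present; the function only distinguishes "a Value line exists" from "no Value line", which is the distinction the case study turned on.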
  33. Policy Case Study: Log Analysis
     • Check the LDAP traffic with the user store for the userCertificate request/response
  34. Policy Case Study: Solution
     • Confirmed that LDAP sent the requested info to the IDP
     • Confirmed that the IDP sent the AG a NULL for the requested attribute
     • Concluded that the IDP did not handle the response from LDAP correctly: no values displayed
     • Identified the issue as the IDP server's inability to handle the base64-encoded format of the data returned
       – Bug in Novell Access Manager
  35. Additional Reading
     • Troubleshooting 100101044/43 errors
       – http://www.intl.novell.com/communities/node/2297/troubleshooting-100101043-and-100101044-errors-access-manager
     • Troubleshooting SAML
       – http://www.intl.novell.com/communities/node/2303/configuring-and-troubleshooting-saml-11-novell-access-manager
     • Troubleshooting SSLVPN
       – http://www.intl.novell.com/communities/node/3071/troubleshooting-sslvpn
     • SSLVPN Architecture
       – http://www.intl.novell.com/communities/node/2974/ssl-vpn-architecture
     • Troubleshooting formfill issues
       – http://www.novell.com/support/php/search.do?cmd=displayKC&docType=kc&externalId=7002780&sliceId=1&docTypeID=DT_TID_1_1&dialogID=39679063&stateId=0%200%2039677453
     • SAML cool solutions on Concur (1.1), GoogleApps (2.0 IDP), Shibboleth (2.0 SP)
  36. Unpublished Work of Novell, Inc. All Rights Reserved.
     This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.
     General Disclaimer
     This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.