Guidelines for Specific Components

This chapter describes where to find valuable information for important DirX Identity components (for example, log files) and where to set important switches to influence the logging process. It also provides hints about typical problems.

Be aware that you can use the Windows Event Viewer on Windows to view logging information. The information depth can be configured with the logging configuration files or the filters provided with the Event Viewer.

For the Java-based Server, logging can be configured for syslog.

You can find information for the following components:

  • Installation and Configuration

  • Manager

  • Object Descriptions

  • Web Center

  • Policies

  • Services

  • C++-based Server

  • Java-based Server

  • Java-based Workflows

  • Tcl-based Workflows

  • Request Workflows

Analyzing Global Aspects

This section explains issues related to many components and provides hints on how to analyze and solve these issues. It is divided into three parts:

  • Did you follow the design guidelines?

  • Perform link checking regularly

  • Analyze and solve performance problems

Did you follow the Design Guidelines?

You can avoid problems if you try to follow these guidelines:

  • From the very beginning, design your system having performance aspects in mind. Be aware of possible bottlenecks and collect requirements on system load.

  • Select built-in features instead of building your own special solutions. This avoids unnecessary effort and eases migration.

  • Use only the features that you really need. Disable the rest. Especially important are

    • Domain object: Inherit role parameters: delays privilege resolution

    • Domain object: Offline resolution (also available as separate flag in Web Center)

    • Target System object: Reference group from account (avoids huge groups)

    • Target System object: Ignore nested groups (avoids checking complex group structures)

  • Use the latest versions and service packs (which typically have higher performance).

  • Use cluster workflows if you want to provision sets of similar target systems.

  • Follow the guidelines for access policy filters.

  • Test your system with realistic load early.

An Identity management system is a dynamic system. Even if you have well-designed processes and check procedures, data quality is never 100%. One problem is broken links.

Use the link checker regularly to analyze the situation and to optimize your system. Read more about the link checker and its operation in the DirX Identity User Interface Guide.

Be aware that the link checker comes with a default configuration file. Keep this file up to date with the configured links in your Identity system.

Analyzing Performance Problems

If you run into performance problems, try to identify the component and the problem cause and then try to solve it. The following hints can help to manage performance:

  • Missing indexes in the directory database can lower performance enormously. To find these problems, enable auditing at the directory server. Run the relevant use cases and then check the operations with the highest duration. Evaluate especially the LDAP filter conditions of these operations. If missing indexes are the cause, add these indexes and run your use cases again to verify that the problem is gone.

  • Read the section "Tuning the Provisioning System" in the DirX Identity Provisioning Administration Guide and follow these guidelines to optimize Manager and Web Center operation.

  • Use the performance-relevant switches in the dxi.cfg file to optimize Manager operation. For details see the section "Customizing the Property File (dxi.cfg)" in the DirX Identity User Interface Guide. Use especially monitorview.refresh, processtable.refresh and resolution.mode.

  • Be aware that the use of the Segregation of Duties flag at the domain object in combination with policy execution lowers performance significantly.

Analyzing Installation and Configuration Problems

This section explains where to find information to analyze installation and configuration-related problems and provides hints on how to analyze and solve these issues.

Where to find information?

These two files in the folder install_path are relevant for installation and configuration:

install_history.txt - this file contains global information about installed versions, service packs and hot-fixes. It is written and maintained by the product installer, the service pack installer and the hot-fix installer.

configuration.ini - this file is instantiated by the installer (see the Installed.Components.component lines). It is the interface to the configuration tool that extends the file according to the user input (see the Configured.Components.component lines as well as the related parameters). The silent installation uses the option.component lines.

basic.input.tcl - this file is used as a parameter source for various scripts (for example, schema extensions). Parameters are set via the configurator.

component.input.tcl - this file is used as a parameter source for extension of C++-based Server objects regarding agent information. Parameters are set via the configurator.

For more information about installation and configuration, see the DirX Identity Installation Guide.

The install_path directory contains this set of log files that is relevant for the installer:

Atos_DirX_Identity_Vx.x_Install_timestamp.log - this file contains the installer logging; timestamp represents the date and time of the related installation launch. Check this file for error messages if you run into problems.

The install_path\logs directory contains this set of log files that is relevant for the installer:

dirxidty_debug.txt - contains additional information together with the following file.

dirxidty-installer_debug.txt - contains additional information.

The install_path\logs directory contains this set of log files that is relevant for the configurator:

configurator.log - contains the input parameters and other valuable information of the last configuration run.

silent.log - contains the complete log information of the last run of the configurator.

InitialConfiguration.date.log - in contrast to the previous file, this file is written for each configuration run (it contains the date and time in the file name).

Analysis-relevant switches and options

There are no specific switches available for debugging the installation or configuration.

Procedures and hints

Be aware that you cannot install the directory schema remotely. Perform this step for Connectivity and Provisioning directly on the corresponding machine.

Analyzing Manager Problems

This section explains where to find information to analyze DirX Identity Manager-related problems and provides hints on how to analyze and solve these issues.

Where to find information?

Find the relevant log files in the folder install_path\GUI\logs

system.nnn.log - this file contains all messages the DirX Identity Manager produces. Standard behavior is that the file is deleted when the Manager starts.

dximanager.nnn.log - this file is normally empty. It contains messages only if errors or warnings occur.

ldap.DirXmetaRole.nnn.log - this file contains all LDAP requests and responses for the Provisioning view.

ldap.DirXmetahub.nnn.log - this file contains all LDAP requests and responses for the Connectivity view.

In contrast to the LDAP audit information of the DirX Directory server, both LDAP files contain the complete response of the request. Because this can be a huge amount of information, switch on LDAP logging only if it’s really required.

Analysis-relevant switches and options

The following switches are helpful for problem analysis and logging. For a complete description of the switches see the chapter "Customizing the Property File (dxi.cfg)" in the DirX Identity User Interface Guide.

assign.InitialSearch
ldap.trace
trace.level
trace.maxline
trace.timestamp.format

The following switches influence performance:

aclmgr.refresh.interval
assign.InitialSearch
ldap.switch2offline
monitorview.refresh
processtable.refresh
report.sizelimit
resolution.mode

Procedures and hints

Use the log files to check correct operation of the DirX Identity Manager:

  • Search the system.nnn.log files for the strings ERR( and WAR(, especially before you start production. There should not be any errors or warnings.

  • Depending on the log level, you can find additional information in the dximanager.nnn.log files.

  • Do not forget to switch off all analysis switches before you start in a production system because they could lower performance in the DirX Identity Manager.

If these procedures aren’t sufficient to identify the problem and your DirX Identity installation uses the DirX Directory server, you can use LDAP session tracking as an additional method to identify the problem. See the section "Using LDAP Session Tracking to Analyze Component Problems" for details.

Analyzing Object Description Problems

This section explains where to find information to analyze object description-related problems and provides hints on how to analyze and solve these issues.

Where to find information?

Find the relevant log files in the folder install_path\GUI\logs

system.nnn.log - contains all messages the DirX Identity Manager produces. Problems in object or component descriptions are visible in these log files (startup phase of the Manager).

Analysis-relevant switches and options

No specific switches are necessary.

Procedures and hints

Perform this basic procedure:

  • Create and change object descriptions incrementally.

  • Test from time to time whether errors or warnings show up in the log files:

  • Start the Manager

  • Check the log files for "ERR(" and "WAR(" strings to be sure that everything is correctly defined.

  • If messages occur, analyze them and correct the problem cause.

Analyzing Web Center Problems

This section explains where to find information to analyze Web Center related problems and provides hints on how to analyze and solve these issues.

Where to find information?

Web Center runs on Tomcat, which means that you can find all relevant log information in the Tomcat installation area.

Find all log files in the Tomcat log folder (for example: tomcat_install_path\Apache Software Foundation\Tomcat 6.0\logs). Check these files in case of problems:

localhost.date.log - Tomcat and Web Center startup log information

stdout_date.log - log files with relevant runtime information

Analysis-relevant switches and options

Find Web Center configuration files in the DirX Identity installation in the folder install_path\web\webCenter-domain\WEB-INF

web.xml - general Web Center properties

config\webCenter.properties - application specific properties for Web Center

Procedures and hints

Use the Web Center logViewer to analyze Web Center log files. Perform these steps:

  • Unpack the tool to the Tomcat log directory.

  • Copy a log file to the logViewer\log folder.

  • Rename it to log.txt.

  • Run the logViewer\run.bat file. After a few seconds, the result is created in the log folder.

  • Start the summary.html page.

The tool displays all requests (struts actions) in a list (use the tool tips to understand the columns and items).

Clicking a row opens a separate window that displays the complete logging part for this specific request.

For a detailed description of the logViewer, see the DirX Identity User Interface Guide.

If these procedures aren’t sufficient to identify the problem and your DirX Identity installation uses the DirX Directory server, you can use LDAP session tracking as an additional method to identify the problem. See the section "Using LDAP Session Tracking to Analyze Component Problems" for details.

Analyzing Policy Problems

This section explains where to find information to analyze policy-related problems and provides hints on how to analyze and solve these issues.

In this section we concentrate on access policy problems. The typical question is: "Why does a user have this access right?"

The next paragraphs provide hints on how to answer this question.

Where to find information?

You set up all access policies in the DirX Identity Manager in Provisioning → Policies → Access Policies folder.

View the result of the access policies in Web Center: Delegation → Show access rights. For each operation and object type you can find a row in the table. Click the button at the end of the line to view the details; that is, the objects on which the user is allowed to perform the named operation.

Analysis-relevant switches and options

If you have problems in a test environment, use these switches at the Domain object (tab Policies) to check whether the problem comes from access policies:

Enable menu policies - disable this switch to find out whether menu policies influence the accessibility of a specific function.

Disable access policies - enable this switch to switch off access policies completely. This helps to decide if a problem comes from access policies or not.

Procedures and hints

To analyze the influence of access policies on the actions a specific user can perform on a specific set of objects, you need to understand that the access rights of a specific user are the combined result of all relevant access policies. This is the reason why it is difficult to identify the causing access policies in a complex project.

Try to follow these guidelines to solve access policy problems:

  • Work incrementally if you create access policies. Check intermediate results.

  • Try to reduce the problem.

A general approach is:

  • Use the queries in the DirX Identity Manager to find the relevant access policies. Find default queries in Provisioning → Policies → Access Policies → _Queries. The set-up queries work by object type or by operation. Do not hesitate to set up your specific queries. The result is a set of access policies that you should check further to see if they cause your problem.

  • Verify the access rights of a user with Delegation → Show Access Rights in Web Center.

  • Deactivate an access policy to check whether it has an influence. Be aware that there is an access policy cache that is refreshed every ten minutes by default. To make changes effective immediately, perform a log out / log in sequence in Web Center or restart the Manager.

If these procedures aren’t sufficient to identify the problem and your DirX Identity installation uses the DirX Directory server, you can use LDAP session tracking as an additional method to identify the problem. See the section "Using LDAP Session Tracking to Analyze Component Problems" for details.

Analyzing Services Problems

This section explains where to find information to analyze services related problems and provides hints on how to analyze and solve these issues.

Where to find information?

The DirX Identity service layer runs either standalone as a Java-based job as part of a Tcl-based workflow or it runs in any component that uses the service layer (Manager, Web Center, event-based workflows in the Java-based Server).

Find information about a problem in the relevant log files.

Analysis-relevant switches and options

If the problem is not yet obvious from the error message, enhance the trace or log levels to get more information. Repeat the test.

Procedures and hints for Privilege Resolution

1) Complex privilege resolution problems

Privilege resolution is a complex process that is not easy to manage if problems occur in a complex environment where thousands of identities are resolved via the service agent.

Try to reduce the problem while using this procedure in the DirX Identity Manager:

  • Find out which identity or related object causes the problem.

  • Set the log level to 9 (dxi.cfg file).

  • Start the Manager and try to reproduce the problem (for example, assign or unassign a privilege by hand).

Check the log file carefully (see the section "Analyzing Manager Problems" for more information). This should show the error cause in detail; for example, incorrect object descriptions.

2) Unwilling to perform messages

If you encounter "Unwilling to perform" from the LDAP server during Privilege Resolution, check that the Paging Policy Timeout and the Session Timeouts of the LDAP server are configured correctly.

If you don’t want to increase these values, change the configuration as described in the Application Development Guide: Using the Maintenance Workflows → Understanding the Tcl-based Maintenance Workflows → Privilege Resolution Workflow → Privilege Resolution Workflow Optimization.

If these procedures aren’t sufficient to identify the problem and your DirX Identity installation uses the DirX Directory server, you can use LDAP session tracking as an additional method to identify the problem. See the section "Using LDAP Session Tracking to Analyze Component Problems" for details.

Analyzing C++-based Server Problems

This section explains where to find information to analyze C++-based Server-related problems and provides hints on how to analyze and solve these issues.

Where to find information?

Find the log files in the folder

install_path\server\log

Analysis-relevant switches and options

The startup of the server is controlled by the file

install_path\server\conf\dxmmsssvr.ini

You can configure the logging levels and the logging behavior in the folder

install_path\server\conf\

Use the dirxlog.cfg file to adjust the logging (see the DirX Identity Meta Controller Reference for details).

Procedures and hints

1) Startup problems

Note that the startup phase is controlled by the parameters in the dxmmsssvr.ini file. The server registers only if file and LDAP parameters are consistent (dnServerName and host). Correct these parameters if they are not correctly configured.

Because the LDAP server can be installed on another machine, the server repeats LDAP binds. See the parameters repeat and timeout in the dxmmsssvr.ini file. Adjust these parameters if they are not sufficient.

Additionally, the watchdog repeats server starts. Configure the parameter server_restart accordingly.

2) Using logging

Use the log files as described above and configure logging in the dirxlog.cfg file as needed (see the DirX Identity Meta Controller Reference for details).

Use the command metahubdump to convert the binary log files to readable format (see the DirX Identity Meta Controller Reference for details).

Analyzing errors and warnings:

  • Search for the string '-- error' to find errors in the file.

  • Search for the string '-- warning' to find warnings in the file.

  • Look up error numbers in the documentation. Read the provided reason and solution paragraphs carefully.

On Windows platforms, you can use the Windows Event Viewer alternatively or additionally. View the log entries in the Windows Event Viewer and use the filter function of the Event Viewer. See the Microsoft documentation for more information.

3) Using the Get Server State method

You can use the DirX Identity Manager Get Server State command to request the state of each C++-based Identity Server. See the "Get Server State" topic in the DirX Identity User Interface Guide for more information.

If these procedures aren’t sufficient to identify the problem and your DirX Identity installation uses the DirX Directory server, you can use LDAP session tracking as an additional method to identify the problem. See the section "Using LDAP Session Tracking to Analyze Component Problems" for details.

Analyzing Java-based Server Problems

This section explains where to find information to analyze Java-based Server-related problems and provides hints on how to analyze and solve these issues.

Where to find information?

The Java-based server provides a comprehensive set of log files in the folder

install_path\ids-j-domain-Sn\logs

You can open the log files from this directory or from the Web Admin application in the section Logging → View Log Files.

These files are available:

start.log - provides information about the server start-up phase.

classloader.txt - helps to analyze class loading problems.

stderr.nnn.log - delivers messages that otherwise cannot be logged (logging not yet initialized).

server-timestamp-counter.txt - contains all log messages ordered per timestamp. Set logging levels in Web Admin to influence the logging depth.

warnings-timestamp-counter.txt - contains a collection of all errors and warnings that occurred (find full information in the server-timestamp-counter.txt files).

serverstate.txt - provides the complete state of the server; it is written every hour.

server.xml - contains the complete loaded server XML configuration. This is the resolved content of the corresponding Java-based Server entry in the Connectivity view (Content tab).

Analysis-relevant switches and options

Set up logging levels for the Java-based Identity Server Web Admin application in the section Logging → Set Log Levels.

For more information about the Web Admin application, see "Using Web Admin" in the DirX Identity User Interface Guide.

Procedures and hints

1) Analyzing log files

Use the logANT tool to produce log files for individual workflows. For more information see the DirX Identity User Interfaces Guide.

Analyze errors and warnings by searching for these strings:

'*** WARNING' for warnings

'*** SEVERE' for errors
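
The marker searches described in this chapter for the Manager logs (ERR( and WAR(), the converted C++-based Server logs ('-- error' and '-- warning') and the Java-based Server logs ('*** SEVERE' and '*** WARNING') can be scripted as a repeatable pre-production check. The following is an added example, not part of the DirX Identity product or its documentation; the function names, the file glob and the sample log lines are assumptions constructed for illustration, and only the marker strings come from this chapter.

```python
"""Scan DirX Identity log files for the error/warning markers named in this chapter."""
import sys
import tempfile
from collections import Counter
from pathlib import Path

# Marker strings exactly as given in this chapter, grouped per component.
# The component keys themselves are names chosen for this example.
MARKERS = {
    "manager": {"error": "ERR(", "warning": "WAR("},
    "cpp-server": {"error": "-- error", "warning": "-- warning"},
    "java-server": {"error": "*** SEVERE", "warning": "*** WARNING"},
}


def scan_lines(component, lines):
    """Return (line_number, severity, text) for every line containing a marker."""
    markers = MARKERS[component]
    hits = []
    for number, line in enumerate(lines, 1):
        for severity, marker in markers.items():
            if marker in line:
                hits.append((number, severity, line.rstrip("\r\n")))
                break  # report each line once, errors take precedence
    return hits


def scan_files(component, log_dir, glob):
    """Scan every file in log_dir matching glob; return {file name: hits}."""
    results = {}
    for path in sorted(Path(log_dir).glob(glob)):
        # errors="replace" keeps the scan going on unexpected byte sequences.
        with path.open(encoding="utf-8", errors="replace") as handle:
            results[path.name] = scan_lines(component, handle)
    return results


def summarize(results):
    """Count errors and warnings over all scanned files."""
    totals = Counter()
    for hits in results.values():
        totals.update(severity for _, severity, _ in hits)
    return {"error": totals["error"], "warning": totals["warning"]}


def demo():
    """Run the scan over constructed Manager logs (line layout is invented)."""
    samples = {
        "system.001.log": [
            "constructed line: Manager started\n",
            "WAR(constructed) attribute has no display definition\n",
            "ERR(constructed) cannot parse object description\n",
        ],
        "system.002.log": ["constructed line: Manager started\n"],
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, lines in samples.items():
            Path(tmp, name).write_text("".join(lines), encoding="utf-8")
        results = scan_files("manager", tmp, "system.*.log")
    return results, summarize(results)


if __name__ == "__main__":
    # Usage: script.py <component> <log_dir> <glob>; without arguments, run the demo.
    if len(sys.argv) == 4:
        found = scan_files(sys.argv[1], sys.argv[2], sys.argv[3])
    else:
        found, _ = demo()
    for name, hits in found.items():
        for number, severity, text in hits:
            print(f"{name}:{number}: {severity}: {text}")
    totals = summarize(found)
    print(totals)
    # A non-zero exit code lets a deployment job stop when anything was found.
    sys.exit(1 if totals["error"] or totals["warning"] else 0)
```

For the C++-based Server, run the scan on the readable output produced by metahubdump, not on the binary log files.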

2) Analyzing class loading problems

You can analyze class loading problems in the Java-based Server in two ways.

Checking whether a specific JAR-file is loaded

  • Check in the file classloader.txt whether a specific JAR file is loaded.

  • Check also the location of the loaded JAR file and whether it is loaded multiple times (the wrong version may be loaded).

Checking whether a specific class is loaded

  • To check loading of a specific class, set the property class=true for this class in the file install_path\ids-j-domain-Sn\bin\clcfg.properties.

  • Restart the server.

  • Check in the classloader.txt file whether the class is correctly loaded.

3) Viewing the server status

Use the Web Admin application to verify the status of each Java-based Identity Server. For more information about the Web Admin application, see "Using Web Admin" in the DirX Identity User Interfaces Guide.

Check the server.xml file in the folder install_path\ids-j-domain-Sn\logs to find out what the actual configuration of this server is (all references are resolved in this file).

If these procedures aren’t sufficient to identify the problem and your DirX Identity installation uses the DirX Directory server, you can use LDAP session tracking as an additional method to identify the problem. See the section "Using LDAP Session Tracking to Analyze Component Problems" for details.

Analyzing Java-based Workflow Problems

This section explains where to find information to analyze Java-based workflow related problems and provides hints on how to analyze and solve these issues.

Where to find information?

You can view the complete logging information for these workflows in each Java-based Server instance in the folder

install_path\ids-j-domain-Snumber\logs

The files of interest are:

server-timestamp-counter.txt - all log messages ordered per timestamp. Set logging levels in Web Admin to influence the logging depth.

warnings-timestamp-counter.txt - a collection of all errors and warnings that occurred (find full information in the server-timestamp-counter.txt files).

Analysis-relevant switches and options

Set up logging levels for the Java-based Identity Server Web Admin application in the section Logging → Set Log Levels.

For more information about the Web Admin application, see "Using Web Admin" in the DirX Identity User Interface Guide.

Procedures and hints

These hints can help to isolate and reduce problems in complex environments:

1) Use extended Join logging

Analyze problems in real-time workflows by setting the Join logging (class com.siemens.dxm.join) to 'Finest' or 'All' via Web Admin. This action reveals a lot of details and helps to understand what is really going on.

2) Perform stand-alone tests

To isolate complex problems, perform stand-alone real-time workflow tests that run outside the Java-based Server. Use this method also during creation of new workflows and connectors.

3) Monitoring Provisioning Workflows

The Monitor View presents a lot of information about running or completed provisioning workflow runs. See the "Monitor View" and "Using the Monitor View" topics in the DirX Identity User Interfaces Guide for basic information.

There are several ways to use the Monitor View:

  • Open the folder in the tree pane with the name of the desired workflow. Click the status entry from the workflow that you’d like to explore (hint: the last entry in the list is the newest one). To view a status entry with a specific date and time, click on the entries and view the Start Time field, which displays the local time (you can use the cursor keys to move between the entries in the tree).

  • Use the predefined filters (or set up your own) to view specific status entries. See the 'Query Folder' topic in the DirX Identity User Interfaces Guide for information on how to set up filters. For example, you can use the Result=Not OK filter to get all workflow status entries that did not run correctly. Use relative and absolute time variables to refine your filter definitions, for example to display the workflows of the last 3 hours.

To analyze a status entry:

  • View the workflow status entry. Look at the Result field to check for the status of the entry.

  • If the status is not closed.completed.ok, the Remark field should display additional messages. If the remark field is empty, view the corresponding activity status entries (remark field and statistics). The remark field contains a line for each performed action with all necessary information about the result. It also displays error and warning information. If you need more information, look up the Java-based Server log files.

  • You can use the additionally provided information in the DirX Identity Trouble Shooting Guide to analyze the messages displayed here. If the messages are not completely displayed, use the button at the bottom on the left side of the field to read the messages in your preferred text editor.

Note that for real-time workflows including password changes, no files are stored in the status area. All available information is present in the status entries. If this is not enough information, you need to check the Java-based Server log files.

If these procedures aren’t sufficient to identify the problem and your DirX Identity installation uses the DirX Directory server, you can use LDAP session tracking as an additional method to identify the problem. See the section "Using LDAP Session Tracking to Analyze Component Problems" for details.

Analyzing Tcl-based Workflow Problems

This section explains where to find information to analyze Tcl-based workflow related problems and provides hints on how to analyze and solve these issues.

Where to find information?

The central point at which to find information is the Connectivity → Monitor area. Here you can find status entries that contain all information about a specific workflow run.

These status entries can relate to files stored in the status area of the C++-based Server.

Note also that in some cases the log files of the C++-based Server can reveal additional problems. See the corresponding section.

Analysis-relevant switches and options

You can control the log levels for the meta controller (metacp) in the subdirectory

install_path\client\conf

See the description of the dirxdumplog command in the DirX Identity Meta Controller Reference for further details.

Procedures and hints

The Monitor View presents a lot of information about running or completed provisioning workflow runs. See the "Monitor View" and "Using the Monitor View" topics in the DirX Identity Manager help for basic information.

There are several ways to use the Monitor View:

  • Open the folder in the tree pane with the name of the desired workflow. Click the status entry from the workflow that you’d like to explore (hint: the last entry in the list is the newest one). To view a status entry with a specific date and time, click on the entries and view the Start Time field, which displays the local time (you can use the cursor keys to move between the entries in the tree).

  • Use the predefined filters (or set up your own) to view specific status entries (see the 'Query Folder' topic in the DirX Identity Manager help for information on how to set up filters). For example, you can use the Result=Not OK filter to get all workflow status entries that did not run correctly. Use relative and absolute time variables to refine your filter definitions, for example to display the workflows of the last 3 hours.

To analyze a status entry:

  • View the workflow status entry. Look at the Result field to check for the status of the entry.

  • If the status is not closed.completed.ok, the Remark field should display additional messages. You can use DirX Identity Manager help to analyze the error messages displayed here. If the messages are not completely displayed, use the button at the bottom on the left side of the field to read the messages in your preferred text editor.

The information provided for C++-based status entries in the Remark field is usually not very detailed. Consequently, you should look at the activity or the activities that failed:

  • When there are several activities, click the workflow entry in the tree pane. In the list pane (top pane at the right side), you can then view the activities that have a result that is not closed.completed.ok.

  • Click these activities and view the Remark field. This field should contain more detailed information about the specific problem that occurred with this activity. You can use DirX Identity Manager help to analyze the error messages displayed here.

  • In many cases, you will find a text message like "See process info file for more information" or "See report or trace file for more information". The message indicates that the File tab should contain additional information about the error.

  • Click the File tab. Then view the Process Info file. It can contain the stdout and stderr information which should give you a more detailed view of the problem. Please note that this information is highly dependent on the information the agent provides.

  • If the information in the Process Info does not help, you can try to view trace or report files to find out more.

If these procedures aren’t sufficient to identify the problem and your DirX Identity installation uses the DirX Directory server, you can use LDAP session tracking as an additional method to identify the problem. See the section "Using LDAP Session Tracking to Analyze Component Problems" for details.

Analyzing Request Workflow Problems

This section explains where to find information to analyze request workflow-related problems and provides hints on how to analyze and solve these issues.

Where to find information?

You can view the complete logging information for these workflows in each Java-based Server instance in the folder

install_path\ids-j-domain-Sn\logs

The files of interest are:

server-timestamp-counter.txt - all log messages ordered per timestamp. Set logging levels in Web Admin to influence the logging depth.

warnings-timestamp-counter.txt - a collection of all errors and warnings that occurred (find full information in the server-timestamp-counter.txt files).

Analysis-relevant switches and options

Set up logging levels for the Java-based Identity Server Web Admin application in the section Logging → Set Log Levels.

For more information about the Web Admin application, see "Using Web Admin" in the DirX Identity User Interfaces Guide.

Procedures and hints

These hints can help to isolate and reduce problems in complex environments:

1) Perform stand-alone tests

To isolate complex problems, perform stand-alone real-time workflow tests that run outside the Java-based Server. Use this method also during creation of new workflows and connectors.

2) Monitoring Request Workflows

Open Provisioning → Request Workflows → Workflows → Monitor to view the instances of request workflows. Here you can find all information about running or completed workflows.

To analyze the status entries:

  • Open the folder structure and navigate to the folder for the day on which you expect the workflow instance. Alternatively, you can use the predefined queries or define your own queries.

  • Check the workflow entry first. The Status Information tab presents all important information. In particular, the Error Messages field presents all related error messages. Analyze these messages to find the cause of the problem.

  • If you want to view the activity entries, check in the graphical view in the General tab which activities failed or where the workflow is waiting for further processing.

  • Open the workflow instance entry to display the list of activities. Click the activities and then the Status Information tab to view more status information.

  • If this is not enough information, check the log files in the Java-based Server log folder. You can access these files either in the file system (install_path\ids-j-domain-Sn\logs) or via the Web Admin application in the logging section.

  • If you still do not have enough information and your problem is reproducible, change the log levels via the Web Admin and start another request workflow of the same type.

If these procedures aren’t sufficient to identify the problem and your DirX Identity installation uses the DirX Directory server, you can use LDAP session tracking as an additional method to identify the problem. See the section "Using LDAP Session Tracking to Analyze Component Problems" for details.

Using LDAP Session Tracking to Analyze Component Problems

If you find that the component-specific logging described in the previous sections does not provide you with a clear picture of the problem you are experiencing and your DirX Identity installation uses the DirX Directory server, you can use LDAP session tracking as an additional way to identify the problem.

This section describes where to find LDAP session tracking information and provides hints on how to use it to analyze and solve component problems.

Where to find information?

If your DirX LDAP server’s audit configuration enables LDAP session tracking, all DirX Identity components that access LDAP - DirX Identity Manager, Web Center, Policy Agent, Provisioning and Request workflows and other Connectivity and Provisioning components - augment the DirX LDAP server’s audit records with session-tracking related information that allows you to identify, for an LDAP operation:

  • The DirX Identity component that invoked the operation

  • The user bound to the invoking component

  • The computer on which the operation was invoked

You use the DirX Directory commands dirxauddecode and dirxaudstatistics to evaluate the LDAP audit records and obtain this information.

Analysis-relevant switches and options

If LDAP auditing is not yet enabled in your DirX Directory server environment, use the dirxcp command to run the script ldap_auditcfg.cp, as described in the DirX Administration Guide → "Using LDAP Auditing" → "Enabling LDAP Auditing". This script creates a default LDAP audit configuration subentry for the DirX LDAP server that enables session tracking for LDAP audit records, among other default values. See the section "Attributes for LDAP Server Audit Configuration" in the chapter "DirX Attributes" in the DirX Administration Reference for a description of the attributes related to LDAP server audit configuration. See the description of the dirxcp command in the DirX Administration Reference for usage information on the command.

Procedures and hints

Use the DirX Directory commands dirxauddecode and dirxaudstatistics to evaluate the DirX Identity component session tracking information in the LDAP audit records to analyze DirX Identity component operations. The most important items in the evaluated LDAP audit records are:

  • SID-Name - the name of the invoking component

  • SID-Info - the DN of the bind user

  • SID-IP - the IP address of the machine on which the component runs

These items are analogous to the sessionSourceName, sessionTrackingIdentifier and sessionSourceIP items described in the section "Using Session Tracking" in the DirX Administration Guide and the Internet draft "LDAP Session Tracking Control" (draft-wahl-ldap-session-03.txt).

DirX Identity prefixes every SID-Name with DXI. The next part of the SID-Name identifies the component. When possible, the "Application Name" of the LDAP audit record is used. If available, an identifier like the workflow instance ID is appended. The following table describes the SID-Names for DirX Identity components and provides examples of their use:

| Component | SID-Name | Example |
|---|---|---|
| Identity Manager | DXI Manager ([Connectivity\|Provisioning]) | DXI Manager(Connectivity) |
| Identity Web Center | DXI WebCenter session_ID | DXI WebCenter DirXmetaRole-591814-2 |
| Policy Agent | DXI PolicyEngine workflow_instance_ID | DXI PolicyEngine a5d19c2--12828251-1490dc3300a--7fec#20141014090742Z |
| MetaRole Service Agent | DXI ConsistencyAgent workflow_instance_ID | DXI ConsistencyAgent a5d19c2--669bb17d-14aecca6e00--7fe8#2015011 |
| Web Services | DXI ProvisioningService ProvisioningWebServices-session_ID | DXI ProvisioningService ProvisioningWebServices-209319-1 |
| Java-based Provisioning Workflows | DXI [JoinFromDXI \| JoinToDXI] workflowID workflow_name | DXI JoinFromDXI 1495c804a6e$-724d Validate_JDBC_RealtimeOra |
| Entry Change Workflows | DXI EventBasedResolution workflow_instance_ID | DXI EventBasedResolution 149f06b6032$-7987 |
| Ticket Workflows | DXI ProcessTickets workflow_instance_ID | DXI ProcessTickets 149f06b6032$-7988 |
| Request Workflows | DXI ApplyChange workflow_instance_ID activity_name | DXI ApplyChange 1495c804a6e$-724d Apply Changes |
| Campaign Controller | DXI CampaignControl workflow_instance_ID | DXI CampaignControl 155057c69a9$-7ea1 |
| Read Configuration | DXI Read[Provisioning\|Connectivity]Configuration-Sn | DXI ReadProvisioningConfiguration-S1 |
| Request Workflow Service (including bulk approval) | DXI WorkflowService-Sn session_ID | DXI WorkflowService-S1 DirXmetaRole |
| Various Java-based Server components, like Request Workflow Engine | DXIJavaServerInternal-Sn | DXI JavaServerInternal-S1 |
| Full-Check Java Server | DXI FullCheck-Sn | DXI FullCheck-S1 |
| WFStatusLogHandler (RT Monitor) | DXI WfStatusLogHandler-Sn | DXI WfStatusLogHandler-S1 |
| Ldapreader Java Server | DXI LdapReader-Sn | DXI AbstractLdapResourceManager-S1 |
| Approval REST Services | DXI ApprovalRestService-sessionID | DXI ApprovalRestService ApprovalRestService-560312-1 |
| JobSessionFactory Java Server | DXI JavaServer JobSessionFactory-Sn | DXI JavaServer JobSessionFactory-S1 |
| domcfg/Loader Java Server | DXI JavaServer DomcfgLoader-Sn | DXI JavaServer DomcfgLoader-S1 |
| domcfg/DomainSessionAccessor Java Server | DXI JavaServer DomainSession-Sn | DXI JavaServer DomainSession-S1 |

Use the -C option to the dirxauddecode and dirxaudstatistics commands to specify a SID-Name as a string. For example, specifying the string DXI WfStatusLogHandler-S1 to the -C option directs the commands to generate an output file that contains only those operations issued by an LDAP client whose session-tracking control has the SID-Name WfStatusLogHandler-S1. See the descriptions of these commands in the DirX Administration Reference for detailed information about their use.

You can use DirX Identity tools to obtain the desired SID-Name string input depending on the component you’re trying to track. For example, you can use the Monitor View to obtain a real-time workflow’s name and instance ID for input to dirxauddecode/dirxaudstatistics. You can also use the Monitor View to obtain the name of the Java-based Server on which a real-time workflow ran (for example, My-Company-S1-MyHostName); this information is contained in the entry for the real-time workflow in the Monitor View. For other components, you can examine the logs described in "Analyzing Java-based Server Problems" to determine on which Java-based server they’re running. You can obtain the session ID for a component by examining the informal messages provided in the component logs for the component; for example, Web Services, REST Approval Service, and so on.
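Going the other way, SID-Name values already copied out of evaluated audit records can be attributed to a component with the naming scheme from the table above. The following Python sketch is an added example, not DirX Identity or DirX Directory code; the function names and the sample list are assumptions made for illustration, and it works on bare SID-Name strings only, not on the audit record format.

```python
import re
from collections import Counter

# Token after the "DXI" prefix -> component, copied from the SID-Name table above.
COMPONENTS = {
    "Manager": "Identity Manager", "WebCenter": "Identity Web Center",
    "PolicyEngine": "Policy Agent", "ConsistencyAgent": "MetaRole Service Agent",
    "ProvisioningService": "Web Services", "ApplyChange": "Request Workflows",
    "JoinFromDXI": "Java-based Provisioning Workflows",
    "JoinToDXI": "Java-based Provisioning Workflows",
    "EventBasedResolution": "Entry Change Workflows",
    "ProcessTickets": "Ticket Workflows", "CampaignControl": "Campaign Controller",
    "ReadProvisioningConfiguration": "Read Configuration",
    "ReadConnectivityConfiguration": "Read Configuration",
    "WorkflowService": "Request Workflow Service",
    "JavaServerInternal": "Various Java-based Server components",
    "FullCheck": "Full-Check Java Server",
    "WfStatusLogHandler": "WFStatusLogHandler (RT Monitor)",
    "LdapReader": "Ldapreader Java Server",
    "AbstractLdapResourceManager": "Ldapreader Java Server",
    "ApprovalRestService": "Approval REST Services",
    "JavaServer": "Java Server (JobSessionFactory, DomcfgLoader, DomainSession)",
}
# "DXI", component token, optional "-Sn" server suffix, then free-form identifiers.
# The space after DXI is optional because the table lists "DXIJavaServerInternal-Sn".
SID_RE = re.compile(r"^DXI\s*([A-Za-z]+)(?:-(S\d+))?\s*(.*)$")

def parse_sid_name(sid_name):
    """Return component, Java-based Server suffix (Sn) and trailing identifiers, or None."""
    m = SID_RE.match(sid_name.strip())
    if not m:
        return None  # no DXI prefix: not named by the DirX Identity convention
    token, server, detail = m.group(1), m.group(2), m.group(3).strip()
    if server is None:  # suffix may sit on a later word, e.g. "JobSessionFactory-S1"
        tail = re.search(r"-(S\d+)$", detail)
        server = tail.group(1) if tail else None
    return {"component": COMPONENTS.get(token, "unknown DXI component"),
            "token": token, "server": server, "detail": detail}

def count_by_component(sid_names):
    """Tally SID-Names per component so clients without a DXI SID-Name stand out."""
    tally = Counter()
    for name in sid_names:
        parsed = parse_sid_name(name)
        tally[parsed["component"] if parsed else "no DXI prefix"] += 1
    return tally

# Constructed sample: examples from the table plus one client with no DXI SID-Name.
SAMPLE = ["DXI Manager(Connectivity)", "DXI WfStatusLogHandler-S1",
          "DXI JavaServer DomcfgLoader-S1", "constructed-ldap-client",
          "DXI ApplyChange 1495c804a6e$-724d Apply Changes"]
```

The "detail" field carries the workflow instance ID, session ID or activity name, which can be matched against the Monitor View entry or the component logs.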