Troubleshooting Novell Access Manager 3.1

Troubleshooting
Novell Access Manager 3.1
®
™

Networking Tools

• netstat -patune –connection and stat info
• tcpdump/wireshark
• netcat
• tcp stats:
– general tcp/udp stats /proc/net/snmp
• Ethtool (-S, -K TSO)
• iptables (-t nat -nvL) – make sure firewall not blocking
data; redirecting ports; masquerading

2 © Novell, Inc. All rights reserved.

Generic Novell Access Manager ®
™

Troubleshooting Tools
• LDAPSEARCH from SLES9 LDAP utilities
– ldapsearch [options] [filter [attributes...]]
> ldapsearch -h 137.56.1.1 -x -D "cn=admin,o=novell" -w novell -b "o=novell" "(&(objectclass=person)
(cn=ncashell)(|(mail=ncashell@novell.com)))"

• LDAP performance measuring utilities
– http://www.novell.com/communities/node/7063/elapsed-time-416


™

Troubleshooting Tools (cont.)
Export options
– Complete setup via ambkup.sh
– Access Gateway via the device -> Export option
> http://www.novell.com/documentation/novellaccessmanager/adminguide/index.html?
page=/documentation/novellaccessmanager/adminguide/data/ba9dh2r.html
– Policy information
> http://www.novell.com/documentation/novellaccessmanager/adminguide/index.html?
page=/documentation/novellaccessmanager/adminguide/data/b5pm021.html
> LDAP browser and browse to following


™

Certificates and keystores
– openssl s_client -connect idpcluster.lab.novell.com:8443
CONNECTED(00000003)
depth=1 /OU=Organizational CA/O=linuxlab5_tree
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/CN=idpcluster.lab.novell.com i:/OU=Organizational CA/O=linuxlab5_tree
1 s:/OU=Organizational CA/O=linuxlab5_tree i:/OU=Organizational CA/O=linuxlab5_tree

– keytool -list -keystore /var/opt/novell/novlwww/devman.keystore -v

Your keystore contains 1 entry
Alias name: tomcatCreation date: 13-Dec-2006
Entry type: keyEntryCertificate chain length: 2
Certificate[1]:Owner: O=novell, OU=accessManager, CN=linuxlab5
Issuer: O=linuxlab5_tree, OU=Organizational CA
:Certificate[2]:
Owner: O=linuxlab5_tree, OU=Organizational CA
Issuer: O=linuxlab5_tree, OU=Organizational CA
:

™

IDP config 'Logging' TAB configuration


™

AC general logs from 'Auditing' TAB


™

Network layout information
Firewalls/L4 may pose Connectivity/State problems

LAN analyzer (Wireshark, TCPDump)
– Trace traffic between browser, proxy, IDP and authentication
servers

Loopback interface!
Error status code from documentation
– http://www.novell.com/documentation/novellaccessmanager/
pdfdoc/errorcodes/errorcodes.pdf


™

NIDP/NESP Monitor or Statistic logging
– /opt/novell/nids(nesp)/lib/webapp/WEB-INF/nidpmonitor.txt
> urn:novell:nidp:monitor:anyaccess


™

Configuration reader
– /opt/novell/devman/bin/amdiagcfg.sh and browser!


Access Gateway Overview
Identity
Server Identity Store

1. User Accesses protected
3 resource
2. User is redirected to Identity
Server and is presented with an
http login form requesting their
username and password
3. The Identity Server verifies the
2 username and password
against the Identity Store
4 4. Once the user's identity is
validated, the Access Gateway
retrieves the user's common
name and password
5. The Access Gateway injects the
username and password into
the authentication header and
allows access to the encrypted
1 5 Web content

Access
Gateway Apache or IIS web
server configured
to accept header-based
authentication

Access Gateway/ESP Flow

Client Browser External website AG Service Provider Identity Provider
User tries to access 1
Protected resource
2
Respond with request
3 for Liberty session
4
5 Redirect to login page with
Liberty<AuthnRequest
6
The AGW requests
7 metadata

The IDP requests
8 metadata

9

The IDP sends login page
User enters 10 IDP creates an
credentials authentication Entry
11 Redirect browser to
12 SP with Artifact

The SP sends the
13 artifact to the IDP
14 The IDP responds with
User has access to
16 the list of attributes over
Protected resource 15 Session information the SOAP backchannel

Liberty Authentication Request

• Make sure the AuthnRequest includes the
appropriate information
(http://www.projectliberty.org/liberty/content/download/2197/14625/file/draf
t-liberty-idff-protocols-schema-1.2-errata-v3.0.pdf – section 3.2!)

– ProviderID matches SP metadata entry

– Contract matches

– Time matches
> https://idpcluster.lab.novell.com:8443/nidp/idff/sso?RequestID=idNTXycnsP7cfmrq5o.k8za-
yuIus&MajorVersion=1&MinorVersion=2&IssueInstant=2007-09-
24T11%3A41%3A29Z&ProviderID=https%3A%2F%2Fwww.aleris.net%3A443%2Fnesp%2Fidff
%2Fmetadata&RelayState=https%3A%2F%2Fwww.aleris.net%3A443%2FLAGBroker%3F%2522http
%3A%2F%2Fwww.mylag.com%2Fservlets-examples%2F%2522&consent=urn%3Aliberty%3Aconsent
%3Aunavailable&ForceAuthn=false&IsPassive=false&NameIDPolicy=onetime&ProtocolProfile=http
%3A%2F%2Fprojectliberty.org%2Fprofiles%2Fbrws-art&AuthnContextStatementRef=secure%2Fname
%2Fpassword%2Furi


Liberty Authentication Request (cont.)

• Confirm that contract can be executed
– Local Contract com.novell.nidp.authentication.AuthenticationContract@ded4ba
https://idpcluster.lab.novell.com:8443/nidp/idff/sso
com.novell.nidp.authentication.ContractExecutionState@13805c9
<amLogEntry> 2007-09-24T14:13:37Z VERBOSE NIDS Application: Executing authentication method
Introductions </amLogEntry>
<amLogEntry> 2007-09-24T14:13:37Z VERBOSE NIDS Application: Authentication method Introductions
failed. </amLogEntry>
<amLogEntry> 2007-09-24T14:13:37Z VERBOSE NIDS Application: Session has
consumedauthentications: false </amLogEntry>
<amLogEntry> 2007-09-24T14:13:37Z VERBOSE NIDS Application: Executing authentication method
Secure Name/Password - Form </amLogEntry>

• Confirm that artifact sent back
– <amLogEntry> 2007-09-24T14:13:42Z INFO NIDS Application: AM#500105018:
AMDEVICEID#D5AF8CA5FBDB5813: AMAUTHID#BA7213D5E240018DD2F5FB38A4C37C1A:
Responding to AuthnRequest with artifact
AAOCkf3sRbgL1kSiTxccEVUvvBGYJO30dM1xkwe8y4gwRXYV9UfDf52J </amLogEntry>


Liberty Authentication Response (cont.)

• Confirm that assertion request received from SP
– <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-
ENV:Body><samlp:Request xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
xmlns:lib="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" IssueInstant="2007-09-24T14:13:21Z" MajorVersion="1"
MinorVersion="1"RequestID="idQCXo90QeOxtVF7Re1tSfK-
F5o4"><samlp:AssertionArtifact>AAOCkf3sRbgL1kSiTxccEVUvvBGYJO30dM1xkwe8y4gwRXYV9UfDf52J</saml
p:AssertionArtifact></samlp:Request></SOAP-ENV:Body></SOAP-ENV:Envelope>

• Confirm assertion response sent to SP (with assertion)
– <amLogEntry> 2007-09-24T14:13:42Z NIDS Trace: Method: BaseHandler.sendSOAPResponse() Thread: http-
0%2F0.0.0.0-8443-Processor4SOAP EndpointResponse: <SOAP-ENV:Envelope xmlns:SOAP-
ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Body>
<samlp:Response InResponseTo="idQCXo90QeOxtVF7Re1tSfK-jF5o4" IssueInstant="2007-09-24T14:13:42Z"
MajorVersion="1" MinorVersion="1" Recipient="https://www.aleris.net:443/nesp/idff/metadata"
ResponseID="idtz8AISJfSnxQX60j0-cESUbdMrY" xmlns:lib="urn:liberty:iff:2003-08"
xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"> <samlp:Status>
<samlp:StatusCode Value="samlp:Success"/>
</samlp:Status>
<saml:Assertion AssertionID="id7-m97u9xYZGWWzTZpqdoc7A.NSc"
InResponseTo="idbiFOuDVt9UPHvfa9QLZ8puR7uuk" IssueInstant="2007-09-24T14:13:42Z"
Issuer="https://idpcluster.lab.novell.com:8443/nidp/idff/metadata" MajorVersion="1" MinorVersion="2"


LAG Troubleshooting Tools

• netcat localhost 2300
– view proxy console
• OS tools TOP/Netstat/'PS -eLf'
– check process utilisation, memory and conn usage
• HTTP header and data viewer
– STRACE on IE or Firefox httpfox plugin
• viewinfo.* files from unsupported directory
– Decode HTTP headers on back end
• Diff tools e.g. Beyond Compare (rewriting issues)
• Curl (view IDP metadata, simulate HTTP req)

LAG Troubleshooting Tools (cont.)

• TCPDUMP output (incl. loopback)


Troubleshooting Files (cont.)

• /var/log/ics_dyn.log - verbosity of message depends on
– /etc/laglogs.conf file settings

LOG_LEVEL=7 (default 5)
DEBUG_SOAP_MESSAGE=1 (default 0)
DEBUG_HTTP_HEADERS=1 (default 0)
DEBUG_HTTP_RESPONSE=1 (default 0)

• /var/novell/.~newInstall
– remove file => Clears cache



/var/log/laghttpheaders
● decodes http headers of requests/responses on all channels
Sending request to webserver for browser request '98'
-------------------------------------------------------------------------
GET /images/classifieds/quicksearch/poweredByLoadzaJobs.png HTTP/1.1
Host: www.unison.ie
Referer: http://www.unison.ie/
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Cookie: Unison_User=83.141.112.214.109131171028663164;
Via: 1.1 www.mylag.com (Access Gateway 3.0.0-83)

Headers received from webserver for request '98'
------------------------------------------------------------------
Date: Fri, 26 Jan 2008 14:54:15 GMT
Server: Apache/1.3.34 (Debian) PHP/4.4.2-1.1 mod_perl/1.29
Last-Modified: Mon, 22 Jan 2007 11:23:29 GMT
ETag: "848730a-78c-45b49eb1"
Accept-Ranges: bytes
Content-Length: 1932
Content-Type: image/png



/var/log/lagsoapmessages
– log-level setting available /etc/laglogs.conf

– Decodes all SOAP backchannel messages for auth and policy
interaction

– Get user, roles, contract and timeout details during auth

– Get personal policy info for formfill, II and authorization
– <SOAP-ENV:Envelope xmlns:SOAP-
ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><NIDPSetSession
XLibid="00000200930224c625b125a639540dda7192bb24fbfcd794" hardExpire="899"
id="552382333C8BE989D7F39E1993D30B33"
softExpire="584"><storetype="ldap"><dn>cn=ncashell,o=novell</dn></store><authenticatio
ns><contracts><contract>name/password/uri</contract></contracts></authentications><rol
es/></NIDPSetSession></SOAP-ENV:Body></SOAP-ENV:Envelope>



/var/log/ics_dyn.log
– proxy specific logs
– Unique format
> <time>:<host>:<component>:<DeviceID>:<AuthID>:<EventID><mesg>
> Component determined by string 5045xxxx
» where '5' is the log level (never changes!)
» '045' represents the LAG component ID
» 'xxxx' represents the LAG subgroup ... for example
~ '0100' -> multihoming
~ '0400' -> Authentication
~ '0600' -> Identity Injection
~ '1100' -> Rewriting
~ '1200' -> SOAP backchannel


/var/log/ics_dyn.log
Feb 18 13:39:46 lag129 : AM#504503000: AMDEVICEID#ag-7AA324FFCBA4D4E: AMAUTHID#0: AMEVENTID#681: Process request 1
'lag129.lab.novell.com:/formfill/sybase.html' [147.2.36.148:2134 -> 147.2.16.129:443]
Feb 18 13:39:46 lag129 : AM#504517000: AMDEVICEID#ag-7AA324FFCBA4D4E: AMAUTHID#0: AMEVENTID#681: Search success for
/formfill/sybase.html (0xa5cf96e4:0xa598b7a4:64)
Feb 18 13:39:46 lag129 : AM#504504000: AMDEVICEID#ag-7AA324FFCBA4D4E: AMAUTHID#0: AMEVENTID#681: protected-resource
Feb 18 13:39:46 lag129 : AM#504504000: AMDEVICEID#ag-7AA324FFCBA4D4E: AMAUTHID#0: AMEVENTID#681: Got valid
Cookie[1984350736 196608 3530491756 1573825269 147.2.36.148 0.3 CIP:147.2.36.148] COOKIE_VALIDATION
Feb 18 13:39:47 lag129 : AM#504507000: AMDEVICEID#ag-7AA324FFCBA4D4E: AMAUTHID#1F45C624E8EF324AC9A92FA39E20B22F:
AMEVENTID#681:Scheduling Formfill, policies matched 1
Feb 18 13:39:47 lag129 : AM#504503000: AMDEVICEID#ag-7AA324FFCBA4D4E: AMAUTHID#0: AMEVENTID#681: Sending request to origin
server 147.2.16.154:80 (c24cb1a1.c24cb1a1)
Feb 18 13:39:47 lag129 : AM#504509000: AMDEVICEID#ag-7AA324FFCBA4D4E: AMAUTHID#0: AMEVENTID#681: Received response from
origin server, status = 200 (147.2.16.154:80)
AMEVENTID#681:Content-Type () Formfill is interested in this response.
AMEVENTID#681:FFResDS:0xa59ff824 Processing response
AMEVENTID#681:FF Sending GetAttribute soaprequest:5987 to eSP.(1F45C624E8EF324AC9A92FA39E20B22F)
Feb 18 13:39:49 lag129 : AM#504512000: AMDEVICEID#ag-7AA324FFCBA4D4E: AMAUTHID#0: AMEVENTID#5987: backchannel receivedResp
(app a5fe24a4 FF ) (5987)[seg:0xa4b87de0:0xa58c4a00:1125]
AMEVENTID#681:ffCacheDataEvent:: data:0xa5a46824 start Formfill
Feb 18 13:39:49 lag129 : AM#404517000: AMDEVICEID#ag-7AA324FFCBA4D4E: AMAUTHID#0: AMEVENTID#681: FF Adjusting content length
by 314, original entitySize 8440 (0)
AMEVENTID#681:Completed Formfill processing.(hit)
Feb 18 13:39:49 lag129 : AM#504520000: AMDEVICEID#ag-7AA324FFCBA4D4E: AMAUTHID#0: AMEVENTID#681: Browser req/resp[1185635,
1185637, 1185639] [timeToResp:2 respDuration:2] curTime:1185639 FinishTransmit [auth:0 acl:0 II:0] [rewrite 0 :1185637 11856371185637]
[origin: 1185637, 1185637, 1185637,1185637 retry:0 0]


Troubleshooting Files

• /var/opt/novell/tomcat/logs/catalina.out
– eSP logs for communication with proxy and IDP
> eSP inherits IDP logging settings ('Application' and 'Liberty')
> Used to troubleshoot import, authentication and policy issues
> Can search for JSESSIONID or Policy ID
– Display IDP/ESP statistics
> Performance issues running out of threads
> http://www.novell.com/communities/node/9321/how-configure-access-
gateway-embedded-service-provider-reduce-access-gateway-load-and-impr


Troubleshooting Case Study:
Single sign-on to back-end app
fails with Identity Injection

Policy Case Study – Background

• Customer enabled an Identity Injection policy to
apply to a protected resource policy added the:
– username and password to the basic auth header
– user's e-mail address to the X-Mail HTTP header
– user's certificate to the X-userCertificate HTTP header

• After applying the policy and logging in to the
Linux Access gateway protected resource, the
user could not SSO to the back-end Web server
– authentication failed, error messages were returned from the
back-end application
– No valid user certificate sent


Policy Case Study – Troubleshooting

Get policy and where policy applied (get screenshot
of protected resources and export of policy)


Policy Case Study – Troubleshooting

• View protected resources with amdiagcfg.sh output
– Policies enabled and configured correctly
• Enable logs for policies
– Must understand where in the policy flow the request is
failing (Web server, Proxy server, eSP, IDP, user store)?


Policy Case Study – Log Analysis
• Check browser HTTP headers for cookies (LAG/ESP)
• Locate event ID from LAGHTTPHeaders ouput
• Search ICS_DYN log for eventID and policy activation
Feb 5 10:49:31 www : AM#504506000: AMDEVICEID#ag-BC7465BE319FA86: AMAUTHID#98514F39F4D2A2D5A8638C25560765A5: AMEVENTID#31: IdInjection
enabled for the protected resource
Feb 5 10:49:31 www : AM#504506000: AMDEVICEID#ag-BC7465BE319FA86: AMAUTHID#98514F39F4D2A2D5A8638C25560765A5: AMEVENTID#31:
IIRdata:a9d35704 cnt:2 processSearchMatch (ds:a99ecd44)
Feb 5 10:49:31 www : AM#504506000: AMDEVICEID#ag-BC7465BE319FA86: AMAUTHID#98514F39F4D2A2D5A8638C25560765A5: AMEVENTID#31: id
Cache miss. (key<43KO7M0O-9719-280O-200M-
5772M447KL4IPCZQX03a36c6c0a=00000000930223500d7f35546deb348a87c859e198514F39F4D2A2D5A8638C25560765A5>)
Feb 5 10:49:31 www : AM#504506000: AMDEVICEID#ag-BC7465BE319FA86: AMAUTHID#98514F39F4D2A2D5A8638C25560765A5: AMEVENTID#31: II:a9d35704
Sending EVAL Request 5715 policyId 43KO7M0O-9719-280O-200M-N5772M447KL4
Feb 5 10:49:31 www : AM#504512000: AMDEVICEID#ag-BC7465BE319FA86: AMAUTHID#0: AMEVENTID#15: processSoapRequests - size 6 processed 1, deleted 3
(3, conFail 0 conTimeout 0) 0 (0)
Feb 5 10:49:31 www : AM#504515000: AMDEVICEID#ag-BC7465BE319FA86: AMAUTHID#0: AMEVENTID#56: CSocket 0xa99bd624:56 connectInProgress [0.0.0.0:0
0.0.0.0:8080] defaultNagle
Feb 5 10:49:31 www : AM#504515000: AMDEVICEID#ag-BC7465BE319FA86: AMAUTHID#0: AMEVENTID#0: Connection Established with peer 127.0.0.1:8080 (src
127.0.0.1:0)
Feb 5 10:49:31 www : AM#504512000: AMDEVICEID#ag-BC7465BE319FA86: AMAUTHID#0: AMEVENTID#5715: sent soapRequest 5715 app a99ecd88 II
SCacheCreateWrked for pool Xerc 20000 (6)nFeb 5 10:49:31 www : AM#504512000: AMDEVICEID#ag-BC7465BE319FA86: AMAUTHID#0:
AMEVENTID#5715: backchannel receivedResp (app a99ecd88 II ) (5715)[seg:0xa8b87de0:0x586aa048:16131]
Feb 5 10:49:31 www : AM#504506000: AMDEVICEID#ag-BC7465BE319FA86: AMAUTHID#98514F39F4D2A2D5A8638C25560765A5: AMEVENTID#31: Received
response for IdInjection EVAL request
Feb 5 10:49:31 www : AM#504506000: AMDEVICEID#ag-BC7465BE319FA86: AMAUTHID#98514F39F4D2A2D5A8638C25560765A5: AMEVENTID#31: Injecting
AUTH_HEADER
CUSTOM_HEADER
Feb 5 10:49:31 www : AM#504506000: AMDEVICEID#ag-BC7465BE319FA86: AMAUTHID#98514F39F4D2A2D5A8638C25560765A5: AMEVENTID#31: Injecting (X-
mail)
CUSTOM_HEADER
Feb 5 10:49:31 www : AM#504506000: AMDEVICEID#ag-BC7465BE319FA86: AMAUTHID#98514F39F4D2A2D5A8638C25560765A5: AMEVENTID#31: Injecting (X-
ClientCert)
Feb 5 10:49:31 www : AM#504503000: AMDEVICEID#ag-BC7465BE319FA86: AMAUTHID#0: AMEVENTID#31: connecting to webserver 147.2.16.154:80 c24cb1a1
noPersist . (policy:1:2)
Feb 5 10:49:31 www : AM#504515000: AMDEVICEID#ag-BC7465BE319FA86: AMAUTHID#0: AMEVENTID#56: CSocket 0xa99cda24:56 connectInProgress
[147.2.16.159:0 147.2.16.159:80]
Feb 5 10:49:31 www : AM#504515000: AMDEVICEID#ag-BC7465BE319FA86: AMAUTHID#0: AMEVENTID#0: Connection Established with peer (147.2.16.154:80)



Check AG Catalina.out log for policy evaluate
<amLogEntry> 2010-02-05T10:49:31Z INFO NIDS Application: AM#501101050: AMDEVICEID#esp-7AA324FFCBA4D4ED:
PolicyID#43KO7M0O-9719-280O-200M-N5772M447KL4: NXPESID#5715: Evaluating policy </amLogEntry>
<amLogEntry> 2010-02-05T10:49:31Z INFO NIDS Application: AM#501103050: AMDEVICEID#esp-7AA324FFCBA4D4ED:
AMAUTHID#98514F39F4D2A2D5A8638C25560765A: 43KO7M0O-9719-280O-200M-N5772M447KL4: NXPESID#5715:
AGIdentityInjection Policy Trace: ~~RL~1~~~~Rule Count: 1~~Success(67)
~~RU~RuleID_1239275044815~IdentityInjection~DNF~~0:3~~Success(67)
~~PA~ActionID_1265966514254~~InjectAuthHeader~uid~uid(1):CredentialProfile(7010:):NEPXurn~3Anovell~3Acredentialprofile~3
ASecret~5Bcp~3AName~3D~22LDAPCredentials~22~5D~2Fcp~3AEntry~5Bcp~3AName~3D~22UserName~22~5D:~Ok:ttl
-1~Success(0)
~~PA~ActionID_1265966514254~~InjectAuthHeader~password~pwd(1):CredentialProfile(7010:):NEPXurn~3Anovell~3Acredentialpr
ofile~3A2005ret~5Bcp~3AName~3D~22LDAPCredentials~22~5D~2Fcp~3AEntry~5Bcp~3AName~3D~22UserPassword~22~5D:~
Ok~Success(0)
~~PC~ActionID_1265966514254~~Document=(ou=xpemlPEP,ou=mastercdn,ou=ContentPublisherContainer,ou=Partition,ou=Partiti
onsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell:romaContentCollectionXMLDoc),Policy=(IdentityInjection),Rul
e=(1::RuleID_1239275044815),Action=(InjectAuthHeader::ActionID_1265966514254)~~~~Success(0)
~~PA~ActionID_1254471149303~~Inject Custom
Header~Xmail~Value(2):LdapAttribute(6647:):NEPXurn~3Anovell~3Aldap~3A200602~2Fldap~3AUserAttribute~40~40~40~40WSC
QLDAPToken~40~40~40~40~2FUserAttribute~5B~40ldap~3AtargetAttribute~3D~22mail~22~5D:~Ok:ttl -1~Success(0)
e=(1::RuleID_1239275044815),Action=(InjectCustomHeader::ActionID_1254471149303)~~~~Success(0)
~~PA~ActionID_1261572496536~~InjectCustomHeader~XClientCert~Value(2):LdapAttribute(6647:):NEPXurn~3Anovell~3Aldap~3A
200602~2Fldap~3AUserAttribute~40~40~40~40WSCQLDAPToken~40~40~40~40~2FUserAttribute~5B~40ldap~3AtargetAttribute~
3D~22userCertificate~22~5D:~Ok:ttl -1~Success(0)
e=(1::RuleID_1239275044815),Action=(InjectCustomHeader::ActionID_1261572496536)~~~~Success(0) </amLogEntry>



Check AG catalina.out log for parameter values and return codes
Query Response:
<ldap:QueryResponse(urn:novell:ldap:2006-02)>:ns=urn:novell:ldap:2006-02 nspfx=ldap
itemIdRef=exss80bmcyk3x timeStamp=2007-02-05T10:49:30Z
<ldap:Status(urn:novell:ldap:2006-02)>:code=ldap:OK
<ldap:Data(urn:novell:ldap:2006-02)>:
itemIdRef: NEPXurn~3Anovell~3Aldap~3A2006-02~2Fldap~3AUserAttribute~40~40~40~40WSCQLDAPToken~40~
40~40~40~2FUserAttribute~5B~40ldap~3AtargetAttribute~3D~22mail~22~5D

<ldap:UserAttribute(urn:novell:ldap:2006-02)>: Id: exss80521py4a
Target Attribute: mail

<ldap:Value(urn:novell:ldap:2006-02)>: Value: *****

Method: com.novell.nidp.liberty.wsc.WSC.getDataWithoutInteraction()
(Thread: http-8080-Processor3): Completed Request. Response: WSCResponse:
Status: All Success
WSCQResponseEntry:
WSCQLDAPToken:
Model Entry: UserAttribute
Unique Id: NEPXurn~3Anovell~3Aldap~3A2006-02~2Fldap~3AUserAttribute~40~40~40~
40WSCQLDAPToken~40~40~40~40~2FUserAttribute~5B~40ldap~3AtargetAttribute~3D~22userCertificate~22~5D
Select String: /UserAttribute[@ldap:targetAttribute="userCertificate"]

Status: OK
Location Cookie: com.novell.nidp.liberty.wsc.WSCResourceOffering
Value:
<ldap:UserAttribute(urn:novell:ldap:2006-02)>: Id: exss80z7w0v4i
Target Attribute: userCertificate // missing "Value: *****" field



• Catalina.out file shows values returned but masked (!)

• Check AG Loopback interface for values returned

– Tcpdump -i any -s 0 -w IIValues.cap port 8080

– See values for all requested attributes BUT ldap
UserCertificate is blank



Check IDP log for userCertificate parameter values
<ldap:Query(urn:novell:ldap:2006-02)>:ns=urn:novell:ldap:2006-02 nspfx=ldap id=exss814edf549
itemId=exss814f5d44a
<ldap:ResourceID(urn:novell:ldap:2006-02)>:
Text: http://idpcluster.lab.novell.com:8080/nidp/?rsid%3D147.2.16.109%26sess%
3D9C1CD281A9B0B6B68D8F65EE10B09A0F%26ugid%3D810de4119743d711a8d400c04fb1d4e2%26tpid%3Dhttp%3A%2F%
2Fwww.mylag.com%3A80%2Fnesp%2Fidff%2Fmetadata%26auth%3DLDAPLDAPV.1.0%26svc%3Durn%3Anovell%3Aldap%
3A2006-02%26ulid%3DnbYvdXIvClJdw7bimcu%2B55jOvOqVxr3jPVwIAA%3D%3D%26OB%3Dfalse
<ldap:QueryItem(urn:novell:ldap:2006-02)>:id=exss814f1jf4b itemId=NEPXurn~3Anovell~3Aldap~3A2006-02
~2Fldap~3AUserAttribute~40~40~40~40WSCQLDAPToken~40~40~40~40~2FUserAttribute~5B~40ldap~
3AtargetAttribute~3D~22userCertificate~22~5D includeCommonAttributes=false
<ldap:Select(urn:novell:ldap:2006-02)>:Select String: /UserAttribute
[@ldap:targetAttribute="userCertificate"]

<ldap:QueryResponse(urn:novell:ldap:2006-02)>:ns=urn:novell:ldap:2006-02 nspfx=ldap
itemIdRef=exss814f5d44a timeStamp=2007-02-05T10:49:31Z
<ldap:Status(urn:novell:ldap:2006-02)>:code=ldap:OK
<ldap:Data(urn:novell:ldap:2006-02)>:
itemIdRef: NEPXurn~3Anovell~3Aldap~3A2006-02~2Fldap~3AUserAttribute~40~40~40~40WSCQLDAPToken~40~
40~40~40~2FUserAttribute~5B~40ldap~3AtargetAttribute~3D~22userCertificate~22~5D

<ldap:UserAttribute(urn:novell:ldap:2006-02)>: Id: exss80z7w0v4i
Target Attribute: userCertificate <Neil> No value returned!



Check LDAP traffic with User store for userCertificate request/response


Policy Case Study – Solution

• Confirmed that LDAP sent requested info to IDP
• Confirmed that IDP sent the AG a resulting NULL for
the requested attribute
• Concluded that IDP did not handle response from
LDAP correctly
– No values displayed

• Identified issue with IDP server's inability to handle
base64 encoded format of data returned
– Bug in Novell Access Manager ®
™


Additional Reading
• Troubleshooting 100101044/43 errors
– http://www.intl.novell.com/communities/node/2297/troubleshooting-100101043-
and-100101044-errors-access-manager
• Troubleshooting SAML
– http://www.intl.novell.com/communities/node/2303/configuring-and-
troubleshooting-saml-11-novell-access-manager
• Troubleshooting SSLVPN
– http://www.intl.novell.com/communities/node/3071/troubleshooting-sslvpn
• SSLVPN Architecture
– http://www.intl.novell.com/communities/node/2974/ssl-vpn-architecture
• Troubleshooting formfill issues
– http://www.novell.com/support/php/search.do?
cmd=displayKC&docType=kc&externalId=7002780&sliceId=1&docTypeID=DT_
TID_1_1&dialogID=39679063&stateId=0%200%2039677453
• SAML cool solutions on Concur (1.1), GoogleApps (2.0 IDP), Shibboleth (2.0 SP)

Unpublished Work of Novell, Inc. All Rights Reserved.
This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc.
Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope
of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified,
translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc.
Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.

General Disclaimer
This document is not to be construed as a promise by any participating company to develop, deliver, or market a
product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in
making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents
of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any
particular purpose. The development, release, and timing of features or functionality described for Novell products
remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to
make changes to its content, at any time, without obligation to notify any person or entity of such revisions or
changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc.
in the United States and other countries. All third-party trademarks are the property of their respective owners.

Troubleshooting Novell Access Manager 3.1

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Destaque

Destaque (20)

Semelhante a Troubleshooting Novell Access Manager 3.1

Semelhante a Troubleshooting Novell Access Manager 3.1 (20)

Mais de Novell

Mais de Novell (20)

Último

Último (20)

Troubleshooting Novell Access Manager 3.1