Difference between revisions of "Access Governance Suite"

From MicroFocusInternationalWiki
Revision as of 14:13, 22 August 2018

Micro Focus International Wiki  |  Micro Focus Community  |  Knowledge Partner Program  |  KP/Geoffrey Carman  |  Access_Governance_Suite

If you are familiar with Micro Focus/NetIQ/Novell Identity Manager then you will be familiar with many of the features in Identity Governance. The focus of Identity Manager is to provision and manage users in multiple systems. Initially this was all automated, driven by HR data or the like. It expanded greatly with Roles and Resources, so that users can request access themselves and approvals or denials can be placed in the flow of those requests.

The main goal of Identity Governance is to 'govern' that system. That is, just because someone has certain access does not mean they really should. Perhaps they have permissions they got in a previous job role that were never removed. Perhaps some historical anomaly led to the odd set of rights a user has acquired.

The initial versions of this product were called Access Review for just this reason. But there is much more to the product. Once you have collected all the data (users, accounts, permissions, access) from all the relevant systems, you can start to review it. At this point, how do you fix the things that need to change? There is a whole fulfillment model. Perhaps it is manual and sends an email that stays unresolved until a link is clicked to confirm it is done. Perhaps you write straight to a data source to make the change. Perhaps you kick off an IDM workflow. Lots of options.

Put all that together, review, fixing things, and then checking again for completion (just because they said they fixed it does not mean they really did), and you have a cycle called a Certification Campaign.

Then there are a bunch of fun frills like Business Roles and Role Mining, where you can determine that 90% of your users have the same basic set of permissions. This might consist of 10 different permissions. Reviewing all 10 every campaign can be painful and time consuming, whereas coalescing that set into a Business Role and approving or revoking just the Role can be much simpler. (Reviewing one item instead of ten makes the reason obvious.)

Some of these Roles will be obvious and easy to define, but others will be harder to discover, so the product can mine for them. That is, it looks for commonly occurring patterns of permission sets and lets you examine, tweak, and then create appropriate Roles from them.

All that being said, here we have another product to manage, and we need to learn how it works at a level that allows us to understand it and troubleshoot it.


Enabling logging

The logging configuration is not in the GUI, as it was in User Application (log in as a User App Administrator, Administration tab, then the Logging side tab), nor in the setenv.sh file in tomcat/bin as for OSP. Rather, it is in the tomcat/conf directory in the file /opt/netiq/idm/apps/tomcat/conf/ig-server-logging.xml

Some examples of entries in that file are:

       <logger additivity="true" level="DEBUG" name="com.netiq.iac"/>
       <logger additivity="true" level="DEBUG" name="com.novell.soa"/>
       <logger additivity="true" level="INFO" name="com.netiq.iac.AuthPermissions"/>
       <logger additivity="true" level="INFO" name="com.netiq.iac.server.admin"/>
       <logger additivity="true" level="INFO" name="com.netiq.iac.server.rest"/>
       <logger additivity="true" level="INFO" name="com.netiq.iac.server.security"/>
       <logger additivity="true" level="INFO" name="com.netiq.iac.server.spi"/>
       <logger additivity="true" level="DEBUG" name="com.netiq.persist"/>

You can see there is a name XML attribute holding the name of the class (or package) to log. There is also a level XML attribute that can be one of these values:

  • INFO
  • DEBUG
  • TRACE
  • ALL
  • FINE
  • OFF

Now let's list each logging class and see if we can get people to add examples of where they used each log level to troubleshoot a specific issue. If you could include trace examples as well, that would be great.

Excluding a log level

Sometimes you will find that enabling a higher-level class generates a ton of traffic you are not interested in, coming from a specific class. An example would be enabling the com.netiq.iac level, which covers most of the core Identity Governance classes. However, there is a class com.netiq.iac.server.dtp.ManageOrphanedTask that runs every 15 seconds and dumps a lot of content into the log. I wanted the parent class enabled, but I did not want this class. Initially I was trying to find a way to filter out events, but it was pointed out that I could simply change the log level for that class to OFF and be done with it.

So one way to exclude messages you are not interested in seeing is to define that more specific logger as OFF. The parent's ALL or DEBUG level applies down through every child until it reaches this entry, where it stops. The OFF entry likewise silences anything below it in the name hierarchy, so name the exact class rather than a whole package unless you mean to drop the package.
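As an added example (not code from Identity Governance, and not the page author's), the following Python resolves the effective level of any class name from a logger list in the ig-server-logging.xml style. It assumes the usual dotted-name logger hierarchy, in which a class takes the level of its most specific configured ancestor; that is my reading of how the OFF trick above works, not something the page states outright. SAMPLE_CONFIG is constructed from the entries quoted on this page plus the ManageOrphanedTask exclusion, wrapped in a placeholder root element, and the root-logger default of INFO is a parameter rather than a documented value. The same rule covers the HTTP-method suffixes on the audit loggers described under Audit Loggers below.

```python
"""Resolve the effective log level of a class from an ig-server-logging.xml style
logger list.  Added example, not code shipped with Identity Governance.

Assumption: <logger name="..." level="..."/> entries form the usual dotted-name
hierarchy, so a class takes the level of its most specific configured ancestor.
SAMPLE_CONFIG is constructed from the entries quoted on this page plus the
ManageOrphanedTask exclusion; <configuration> is only a placeholder root element.
"""
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<configuration>
  <logger additivity="true" level="DEBUG" name="com.netiq.iac"/>
  <logger additivity="true" level="OFF" name="com.netiq.iac.server.dtp.ManageOrphanedTask"/>
  <logger additivity="true" level="INFO" name="com.netiq.iac.server.rest"/>
  <logger additivity="true" level="DEBUG" name="com.netiq.persist"/>
  <logger additivity="true" level="INFO" name="audit.com.netiq.iac.server.rest.CollectionService"/>
  <logger additivity="true" level="OFF" name="audit.com.netiq.iac.server.rest.CollectionService.GET"/>
</configuration>"""


def load_loggers(xml_text):
    """Return {logger name: LEVEL} for every <logger> element, wherever it sits in the tree."""
    loggers = {}
    for elem in ET.fromstring(xml_text).iter("logger"):
        name, level = elem.get("name"), elem.get("level")
        if name and level:
            loggers[name] = level.upper()
    return loggers


def configured_ancestor(loggers, name):
    """Most specific configured logger covering `name`: try a.b.c, then a.b, then a.
    Returns None when no entry covers the name."""
    parts = name.split(".")
    for i in range(len(parts), 0, -1):
        candidate = ".".join(parts[:i])
        if candidate in loggers:
            return candidate
    return None


def effective_level(loggers, name, root_level="INFO"):
    """Level `name` actually logs at.  root_level is an assumed stand-in for the root
    logger, which the page does not show."""
    ancestor = configured_ancestor(loggers, name)
    return loggers[ancestor] if ancestor else root_level


def silenced_by(loggers, name):
    """Name of the entry that switches `name` OFF, or None if it still logs."""
    ancestor = configured_ancestor(loggers, name)
    return ancestor if ancestor and loggers[ancestor] == "OFF" else None


if __name__ == "__main__":
    cfg = load_loggers(SAMPLE_CONFIG)
    for cls in ("com.netiq.iac.server.dtp.ManageOrphanedTask",
                "com.netiq.iac.server.dtp.DPMediatorService",
                "com.netiq.iac.server.rest.AccountsService",
                "audit.com.netiq.iac.server.rest.CollectionService.PUT",
                "audit.com.netiq.iac.server.rest.CollectionService.GET"):
        print(f"{effective_level(cfg, cls):5s} {cls}  (from {configured_ancestor(cfg, cls)})")
```

Run it against your own ig-server-logging.xml by passing the file contents to load_loggers; the useful check is that ManageOrphanedTask resolves to OFF while its siblings under com.netiq.iac.server.dtp still resolve to DEBUG.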

Main Logging classes

Here is a list of the classes defined in the various log files. In principle there are as many loggers as there are actual classes, but let's start with these. If you find a logger of interest, be sure to add it as a new entry.

com.netiq.iac

This is a parent class and includes tracing all the child classes, so this one gets very verbose very fast; take care when enabling it. As you will see, some of the subclasses are called out as examples in the file (like iac.AuthPermissions and so on).

com.netiq.iac.persistence

Testing a database connection, I ran into a 486 error, which bubbled up as follows:

[FINE] 2018-08-22 08:31:00 com.netiq.iac.persistence.dcs.dce.daas.DaaSService testConnection - [IG-SERVER] DaaS Service Test response code: 486
[FINE] 2018-08-22 08:31:00 com.netiq.iac.persistence.service.cum.DataCollectionService testConnection - [IG-SERVER] Encountered unexpected error: DAAS_ERROR: 486 : Target Connection failure.
com.netiq.common.i18n.LocalizedException: Encountered unexpected error: DAAS_ERROR: 486 : Target Connection failure.
       at com.netiq.iac.common.IacException.<init>(IacException.java:105)

followed by a long Java error stack, that ends in a Caused by of:

Caused by: java.lang.Exception: DAAS_ERROR: 486 : Target Connection failure.
       at com.netiq.iac.persistence.dcs.dce.daas.DaaSService.testConnection(DaaSService.java:505)
       ... 62 more

Notice that two sub-packages of com.netiq.iac.persistence are in play here, service.cum and dcs.dce.daas, which is interesting but not yet informative, so keep that in the back of your mind.


Thus in this case it looks like you could enable a specific sub-package that is not called out in the shipping log configuration files to get the errors you need. Alas, there is not a lot of information in

com.netiq.soa

com.netiq.iac.AuthPermissions

com.netiq.iac.server.admin

com.netiq.iac.server.rest

This setting is quite useful, as it shows the REST requests and responses made. This makes it clear that the IG-Client, the user interface, talks REST to the IG-Server for all display data. Since those response bodies, identity data included, are written to the log, treat the log file as sensitive while this is enabled.

I ran into an issue where I broke how displayName works, so my displays were all empty lines. I thought it was broken. But in fact I could see from the REST response at this trace level that names were coming back, but the data had a lot of blanks in it, which was useful to understand what the actual issue was.

com.netiq.iac.server.security

com.netiq.iac.server.spi

com.netiq.persist

This seems to include database operations, usually through Hibernate, and generates tons of trace, as this product makes many database calls throughout. I would not enable this one unless you have a specific database problem, as it clogs the log and is pretty hard to read.

Or put another way, I had a database issue and I enabled this, but it was also the very first thing I turned off once I figured out my issue.

You will see thousands of entries like this:

[FINE] 2018-07-28 00:00:50 com.netiq.persist.HibernateUtil begin - [IG-SERVER] SESS[341495980] BEGIN TXN[475058365] (com.netiq.iac.server.dtp.DPMediatorService$ClaimableMediatorTask:315)
[FINE] 2018-07-28 00:00:50 com.netiq.persist.HibernateUtil commit - [IG-SERVER] SESS[1279062097] COMMIT_CONT TXN[574727396] (com.netiq.iac.server.dtp.PendingProductionTask:237)
[FINE] 2018-07-28 00:00:50 com.netiq.persist.HibernateUtil closeSession - [IG-SERVER] SESS[1279062097] CONTINUE TXN[] (com.netiq.iac.server.dtp.PendingProductionTask:237)
[FINE] 2018-07-28 00:00:50 com.netiq.persist.HibernateUtil flushSession - [IG-SERVER] SESS[1279062097] FLUSH TXN[] (com.netiq.iac.server.dtp.PendingProductionTask$2:178)

This is a bit much, and not helpful unless there is a specific error.

Audit Loggers

Audit loggers are named "audit." followed by the class name. Set one to INFO to see all audit messages from the specified service (DEBUG, TRACE and ALL will also work).


  • audit.com.netiq.iac.server.rest.AccessRequestApprovalPolicyRestService
  • audit.com.netiq.iac.server.rest.AccessRequestPolicyRestService
  • audit.com.netiq.iac.server.rest.AccountsService
  • audit.com.netiq.iac.server.rest.AdvisorFeedService
  • audit.com.netiq.iac.server.rest.ApplicationService
  • audit.com.netiq.iac.server.rest.ApprovalPolicyService
  • audit.com.netiq.iac.server.rest.AuthService
  • audit.com.netiq.iac.server.rest.AutoCurationService
  • audit.com.netiq.iac.server.rest.BURoleAnalyticsService
  • audit.com.netiq.iac.server.rest.BURoleService
  • audit.com.netiq.iac.server.rest.CertificationPolicyService
  • audit.com.netiq.iac.server.rest.CollectionService
  • audit.com.netiq.iac.server.rest.CollectorService
  • audit.com.netiq.iac.server.rest.ConfigurationService
  • audit.com.netiq.iac.server.rest.CoverageMapService
  • audit.com.netiq.iac.server.rest.FulfillmentService
  • audit.com.netiq.iac.server.rest.IdentitySourceService
  • audit.com.netiq.iac.server.rest.LocalizationService
  • audit.com.netiq.iac.server.rest.ProvisioningRestService
  • audit.com.netiq.iac.server.rest.RequestService
  • audit.com.netiq.iac.server.rest.ReviewDefinitionService
  • audit.com.netiq.iac.server.rest.ReviewInstanceService
  • audit.com.netiq.iac.server.rest.ReviewItemInfoService
  • audit.com.netiq.iac.server.rest.ReviewMonitorService
  • audit.com.netiq.iac.server.rest.ReviewReviewerService
  • audit.com.netiq.iac.server.rest.ReviewTargetSpecService
  • audit.com.netiq.iac.server.rest.RoleService
  • audit.com.netiq.iac.server.rest.SchemaService
  • audit.com.netiq.iac.server.rest.SoDService

REST Services Filters

Audit loggers for REST services can be filtered by HTTP method by adding the method to the end of the logger name. This enables more finely-grained auditing, for example of updates (PUT and POST methods) or deletes (DELETE method), without also logging every GET the client issues to draw its screens.

  • audit.com.netiq.iac.server.rest.CollectionService.GET
  • audit.com.netiq.iac.server.rest.CollectionService.PUT
  • audit.com.netiq.iac.server.rest.CollectionService.POST
  • audit.com.netiq.iac.server.rest.CollectionService.DELETE

DaaS Logging Levels

DaaS, Directory as a Service, seems to be an abstraction layer for reading the directory. Very little information is available on this topic.

This is configured in the file /opt/netiq/idm/apps/tomcat/conf/daas-logging.xml

com.microfocus.daas

com.netiq.daas

The database connectivity in Collectors is managed through this package, so when you see errors, try enabling some logging at this level.

Error 486

Testing a database connector, all that bubbled up was an Error 486, which is not documented anywhere I can find.

[FINE] 2018-08-22 08:31:00 com.netiq.daas.daaservice.ServiceProviderMap clean - [DAAS] Collection cleaner running...
[FINE] 2018-08-22 08:31:00 com.netiq.daas.nativejdbcservice.ConnectorFactory createConnector - [DAAS] Creating Microsoft SQLServer Specific Connector
[FINE] 2018-08-22 08:31:00 com.netiq.daas.nativejdbcservice.connector.DBConnector setDriverClassName - [DAAS] Driver Class Name com.microsoft.sqlserver.jdbc.SQLServerDriver
[FINE] 2018-08-22 08:31:00 com.netiq.daas.nativejdbcservice.connector.DBConnector setConnectionProperties - [DAAS] setting connectionProperties
[FINE] 2018-08-22 08:31:00 com.netiq.daas.nativejdbcservice.connector.DBConnector setConnectionProperties - [DAAS] Key :databaseName value 'Test' added to connectionProperties
[FINE] 2018-08-22 08:31:00 com.netiq.daas.common.SrvInstance <init> - [DAAS] New service instance.  TTL: 60
[FINE] 2018-08-22 08:31:00 com.netiq.daas.common.SrvInstance resetTimeout - [DAAS] Reset timeout for service instance to TTL: 60
[FINE] 2018-08-22 08:31:00 com.netiq.daas.nativejdbcservice.connector.DBConnector setConnectionProperties - [DAAS] setting connectionProperties
[FINE] 2018-08-22 08:31:00 com.netiq.daas.nativejdbcservice.connector.DBConnector setConnectionProperties - [DAAS] Key :password value '<suppressed>' added to connectionProperties
[FINE] 2018-08-22 08:31:00 com.netiq.daas.nativejdbcservice.connector.DBConnector setConnectionProperties - [DAAS] Key :user value 'domain\username' added to connectionProperties
[FINEST] 2018-08-22 08:31:00 com.netiq.daas.nativejdbcservice.connector.DBConnector getConnectionProperties - [DAAS] accessor call to connectionProperties
[FINE] 2018-08-22 08:31:00 com.netiq.daas.nativejdbcservice.connector.DBConnector establishDBConnection - [DAAS] Caught SQLException: Login failed for user 'domain\username'. ClientConnectionId:00d9acdf-139d-4a9f-b8b0-baf0a0ad7d27

This was helpful since it showed that it read the values of DB name and username as I expected. Alas, you cannot see the password, which is good and bad. It is good, since it protects the password. It is bad, since sometimes a special character is not properly escaped and this might have shown that error case.

Also note that the database connect string is missing, which would have been helpful to validate that, again, no special characters are being missed or incorrectly passed through. What the trace does establish is that the 'Login failed for user' SQLException comes back from the SQL Server itself, so the driver reached the host and port and the server rejected the login; the credentials or the authentication mode are where to look next.

For completeness, if you did not enable this log level, you would see the error only as it surfaces on the IG-SERVER side:

[FINE] 2018-08-22 08:31:00 com.netiq.iac.persistence.dcs.dce.daas.DaaSService testConnection - [IG-SERVER] DaaS Service Test response code: 486
[FINE] 2018-08-22 08:31:00 com.netiq.iac.persistence.service.cum.DataCollectionService testConnection - [IG-SERVER] Encountered unexpected error: DAAS_ERROR: 486 : Target Connection failure.
com.netiq.common.i18n.LocalizedException: Encountered unexpected error: DAAS_ERROR: 486 : Target Connection failure.
       at com.netiq.iac.common.IacException.<init>(IacException.java:105)

followed by a very long Java error stack which does not need including, but ends with a Caused by of:

Caused by: java.lang.Exception: DAAS_ERROR: 486 : Target Connection failure.
       at com.netiq.iac.persistence.dcs.dce.daas.DaaSService.testConnection(DaaSService.java:505)



IG Client Logging Levels

This is configured in the file /opt/netiq/idm/apps/tomcat/conf/ig-client-logging.xml

com.netiq.iac

This seems to be the same as the server level, so I am not sure how to use this properly yet. It seems like it would be overly broad. It would probably be helpful to track this down to a more specific sub-class of iac to make it more effective.

Workflow Logging Levels

This is configured in the file /opt/netiq/idm/apps/tomcat/conf/ig-wf-logging.xml

com.netiq.iac.af

com.netiq.iac.notification

com.netiq.iac.workflow

com.netiq.workflow

com.novell.soa.af

IDM Reporting Client Logging Levels

This is configured in the file /opt/netiq/idm/apps/tomcat/conf/idmrptclient_logging.xml

To be honest, it looks like these are not really useful for logging, since they do not isolate anything specific to the Reporting engine. It is interesting that these are the choices: a log-everything-to-find-an-error approach. It would be worth figuring out some better, more specific classes.

com.novell

This level is very odd, since it enables logging for all the children of the com.novell class, which one would imagine is much of the legacy Java code.

com.netiq

This level is very odd, since it enables logging for all the children of the com.netiq class, which one would imagine is much of the current Java code.

IDM Reporting Core Logging Levels

This is configured in the file /opt/netiq/idm/apps/tomcat/conf/idmrptcore_logging.xml

To be honest, it looks like these are not really useful for logging, since they do not isolate anything specific to the Reporting engine. It is interesting that these are the choices: a log-everything-to-find-an-error approach. It would be worth figuring out some better, more specific classes.

com.novell

This level is very odd, since it enables logging for all the children of the com.novell class, which one would imagine is much of the legacy Java code.

com.netiq

This level is very odd, since it enables logging for all the children of the com.netiq class, which one would imagine is much of the current Java code.