Troubleshooting Novell® Access Manager 3.1



DESCRIPTION

In this session Novell technical support engineers will cover best practices guidelines for functionality and performance to proactively avoid problems in Novell Access Manager. They will discuss architecture issues and cover the flow of operation of key Access Manager components. Finally, they will describe key troubleshooting tips and tools to enable you to proactively avoid common issues, and solve them more quickly should they occur.

Speaker: Neil Cashell, Technical Support Engineer


Page 1: Troubleshooting Novell Access Manager 3.1

Troubleshooting Novell® Access Manager™ 3.1

Page 2: Troubleshooting Novell Access Manager 3.1

© Novell, Inc. All rights reserved.

Networking Tools

• netstat -patune – connection and stat info
• tcpdump/wireshark
• netcat
• tcp stats:
  – general tcp/udp stats: /proc/net/snmp
• ethtool (-S, -K TSO)
• iptables (-t nat -nvL) – make sure firewall not blocking data; redirecting ports; masquerading

Page 3: Troubleshooting Novell Access Manager 3.1


Generic Novell® Access Manager™ Troubleshooting Tools

• LDAPSEARCH from SLES9 LDAP utilities
  – ldapsearch [options] [filter [attributes...]]
  > ldapsearch -h 137.56.1.1 -x -D "cn=admin,o=novell" -w novell -b "o=novell" "(&(objectclass=person)(cn=ncashell)(|([email protected])))"
• LDAP performance measuring utilities
  – http://www.novell.com/communities/node/7063/elapsed-time-416

Page 4: Troubleshooting Novell Access Manager 3.1


Generic Novell® Access Manager™ Troubleshooting Tools (cont.)

• Export options
  – Complete setup via ambkup.sh
  – Access Gateway via the device -> Export option
    > http://www.novell.com/documentation/novellaccessmanager/adminguide/index.html?page=/documentation/novellaccessmanager/adminguide/data/ba9dh2r.html
  – Policy information
    > http://www.novell.com/documentation/novellaccessmanager/adminguide/index.html?page=/documentation/novellaccessmanager/adminguide/data/b5pm021.html
    > LDAP browser and browse to following

Page 5: Troubleshooting Novell Access Manager 3.1


Generic Novell® Access Manager™ Troubleshooting Tools (cont.)

• Certificates and keystores
  – openssl s_client -connect idpcluster.lab.novell.com:8443

    CONNECTED(00000003)
    depth=1 /OU=Organizational CA/O=linuxlab5_tree
    verify error:num=19:self signed certificate in certificate chain
    verify return:0
    ---
    Certificate chain
     0 s:/CN=idpcluster.lab.novell.com
       i:/OU=Organizational CA/O=linuxlab5_tree
     1 s:/OU=Organizational CA/O=linuxlab5_tree
       i:/OU=Organizational CA/O=linuxlab5_tree

  – keytool -list -keystore /var/opt/novell/novlwww/devman.keystore -v

    Your keystore contains 1 entry
    Alias name: tomcat
    Creation date: 13-Dec-2006
    Entry type: keyEntry
    Certificate chain length: 2
    Certificate[1]:
    Owner: O=novell, OU=accessManager, CN=linuxlab5
    Issuer: O=linuxlab5_tree, OU=Organizational CA
    Certificate[2]:
    Owner: O=linuxlab5_tree, OU=Organizational CA
    Issuer: O=linuxlab5_tree, OU=Organizational CA

Page 6: Troubleshooting Novell Access Manager 3.1


Generic Novell® Access Manager™ Troubleshooting Tools (cont.)

• IDP config 'Logging' TAB configuration

Page 7: Troubleshooting Novell Access Manager 3.1


Generic Novell® Access Manager™ Troubleshooting Tools (cont.)

• AC general logs from 'Auditing' TAB

Page 8: Troubleshooting Novell Access Manager 3.1


Generic Novell® Access Manager™ Troubleshooting Tools (cont.)

• Network layout information
  – Firewalls/L4 may pose connectivity/state problems
• LAN analyzer (Wireshark, TCPDump)
  – Trace traffic between browser, proxy, IDP and authentication servers
  – Loopback interface!
• Error status code from documentation
  – http://www.novell.com/documentation/novellaccessmanager/pdfdoc/errorcodes/errorcodes.pdf

Page 9: Troubleshooting Novell Access Manager 3.1


Generic Novell® Access Manager™ Troubleshooting Tools (cont.)

• NIDP/NESP Monitor or Statistic logging
  – /opt/novell/nids(nesp)/lib/webapp/WEB-INF/nidpmonitor.txt
  > urn:novell:nidp:monitor:anyaccess

Page 10: Troubleshooting Novell Access Manager 3.1


Generic Novell® Access Manager™ Troubleshooting Tools (cont.)

• Configuration reader
  – /opt/novell/devman/bin/amdiagcfg.sh and browser!

Page 11: Troubleshooting Novell Access Manager 3.1


Access Gateway Overview

Diagram: Identity Server, Access Gateway, Identity Store, and an Apache or IIS webserver configured to accept header-based authentication.

1. User accesses protected resource
2. User is redirected to Identity Server and is presented with an http login form requesting their username and password
3. The Identity Server verifies the username and password against the Identity Store
4. Once the user's identity is validated, the Access Gateway retrieves the user's common name and password
5. The Access Gateway injects the username and password into the authentication header and allows access to the encrypted Web content

Page 12: Troubleshooting Novell Access Manager 3.1


Access Gateway/ESP Flow

Diagram (sequence chart with lanes for Client Browser, External website, AG Service Provider and Identity Provider); the step labels on the chart are:

– User tries to access protected resource
– Respond with request for Liberty session
– Redirect to login page with Liberty <AuthnRequest>
– The AGW requests metadata
– The IDP requests metadata
– The IDP sends login page
– User enters credentials
– IDP creates an authentication entry; redirect browser to SP with artifact
– The SP sends the artifact to the IDP
– The IDP responds with the list of attributes over the SOAP backchannel
– Session information
– User has access to protected resource

Page 13: Troubleshooting Novell Access Manager 3.1


Liberty Authentication Request

• Make sure the AuthnRequest includes the appropriate information (http://www.projectliberty.org/liberty/content/download/2197/14625/file/draft-liberty-idff-protocols-schema-1.2-errata-v3.0.pdf – section 3.2!)
  – ProviderID matches SP metadata entry
  – Contract matches
  – Time matches
  > https://idpcluster.lab.novell.com:8443/nidp/idff/sso?RequestID=idNTXycnsP7cfmrq5o.k8za-yuIus&MajorVersion=1&MinorVersion=2&IssueInstant=2007-09-24T11%3A41%3A29Z&ProviderID=https%3A%2F%2Fwww.aleris.net%3A443%2Fnesp%2Fidff%2Fmetadata&RelayState=https%3A%2F%2Fwww.aleris.net%3A443%2FLAGBroker%3F%2522http%3A%2F%2Fwww.mylag.com%2Fservlets-examples%2F%2522&consent=urn%3Aliberty%3Aconsent%3Aunavailable&ForceAuthn=false&IsPassive=false&NameIDPolicy=onetime&ProtocolProfile=http%3A%2F%2Fprojectliberty.org%2Fprofiles%2Fbrws-art&AuthnContextStatementRef=secure%2Fname%2Fpassword%2Furi
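As an added example (not from the slides or Novell's code), the three checks above can be scripted: the function parses the redirect URL from the slide and reports a ProviderID with no SP metadata entry, a contract (AuthnContextStatementRef) that differs from the expected one, or an IssueInstant outside a skew window. The set of known providers, the expected contract and the 5-minute tolerance are assumptions.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# AuthnRequest redirect URL copied from the slide (lab values).
SAMPLE_AUTHN_REQUEST = (
    "https://idpcluster.lab.novell.com:8443/nidp/idff/sso?RequestID=idNTXycnsP7cfmrq5o.k8za-yuIus"
    "&MajorVersion=1&MinorVersion=2&IssueInstant=2007-09-24T11%3A41%3A29Z"
    "&ProviderID=https%3A%2F%2Fwww.aleris.net%3A443%2Fnesp%2Fidff%2Fmetadata"
    "&RelayState=https%3A%2F%2Fwww.aleris.net%3A443%2FLAGBroker%3F%2522http%3A%2F%2F"
    "www.mylag.com%2Fservlets-examples%2F%2522"
    "&consent=urn%3Aliberty%3Aconsent%3Aunavailable&ForceAuthn=false&IsPassive=false"
    "&NameIDPolicy=onetime&ProtocolProfile=http%3A%2F%2Fprojectliberty.org%2Fprofiles%2Fbrws-art"
    "&AuthnContextStatementRef=secure%2Fname%2Fpassword%2Furi"
)

# Assumption: the SP ProviderIDs the IDP holds metadata for (one entry, taken from the URL above).
KNOWN_SP_PROVIDERS = {"https://www.aleris.net:443/nesp/idff/metadata"}


def parse_utc(stamp):
    """Parse an ID-FF IssueInstant such as 2007-09-24T11:41:29Z into an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_authn_request(url):
    """Return the query parameters of the AuthnRequest redirect as a flat dict (URL-decoded once)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query, keep_blank_values=True).items()}


def check_authn_request(url, known_providers, expected_contract, now, max_skew=timedelta(minutes=5)):
    """Apply the slide's checks and return a list of findings (empty means the request looks fine).

    known_providers   - ProviderIDs present in the IDP's SP metadata (assumed set of strings)
    expected_contract - AuthnContextStatementRef the protected resource's contract should request
    now               - aware UTC datetime the IDP would compare IssueInstant against
    max_skew          - assumed tolerance; the slide only says the time must match
    """
    p = parse_authn_request(url)
    findings = []
    required = ("RequestID", "ProviderID", "IssueInstant", "MajorVersion", "MinorVersion")
    missing = [f for f in required if f not in p]
    if missing:
        return ["missing required parameter(s): %s" % ", ".join(missing)]
    if (p["MajorVersion"], p["MinorVersion"]) != ("1", "2"):
        findings.append("unexpected protocol version %s.%s" % (p["MajorVersion"], p["MinorVersion"]))
    if p["ProviderID"] not in known_providers:
        findings.append("ProviderID %s has no SP metadata entry" % p["ProviderID"])
    contract = p.get("AuthnContextStatementRef")
    if contract != expected_contract:
        findings.append("contract %r does not match expected %r" % (contract, expected_contract))
    try:
        issued = parse_utc(p["IssueInstant"])
    except ValueError:
        findings.append("IssueInstant %r is not a Zulu ISO-8601 timestamp" % p["IssueInstant"])
        return findings
    skew = abs(now - issued)
    if skew > max_skew:
        findings.append("IssueInstant is %s away from IDP time (clock skew between SP and IDP?)" % skew)
    return findings


if __name__ == "__main__":
    result = check_authn_request(SAMPLE_AUTHN_REQUEST, KNOWN_SP_PROVIDERS,
                                 "secure/name/password/uri", parse_utc("2007-09-24T11:42:00Z"))
    for line in result or ["AuthnRequest passes all checks"]:
        print(line)
```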

Page 14: Troubleshooting Novell Access Manager 3.1


Liberty Authentication Request (cont.)

• Confirm that contract can be executed
  – Local Contract com.novell.nidp.authentication.AuthenticationContract@ded4ba https://idpcluster.lab.novell.com:8443/nidp/idff/sso com.novell.nidp.authentication.ContractExecutionState@13805c9
    <amLogEntry> 2007-09-24T14:13:37Z VERBOSE NIDS Application: Executing authentication method Introductions </amLogEntry>
    <amLogEntry> 2007-09-24T14:13:37Z VERBOSE NIDS Application: Authentication method Introductions failed. </amLogEntry>
    <amLogEntry> 2007-09-24T14:13:37Z VERBOSE NIDS Application: Session has consumed authentications: false </amLogEntry>
    <amLogEntry> 2007-09-24T14:13:37Z VERBOSE NIDS Application: Executing authentication method Secure Name/Password - Form </amLogEntry>
• Confirm that artifact sent back
  – <amLogEntry> 2007-09-24T14:13:42Z INFO NIDS Application: AM#500105018: AMDEVICEID#D5AF8CA5FBDB5813: AMAUTHID#BA7213D5E240018DD2F5FB38A4C37C1A: Responding to AuthnRequest with artifact AAOCkf3sRbgL1kSiTxccEVUvvBGYJO30dM1xkwe8y4gwRXYV9UfDf52J </amLogEntry>

Page 15: Troubleshooting Novell Access Manager 3.1


Liberty Authentication Response (cont.)

• Confirm that assertion request received from SP
  – <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
      <SOAP-ENV:Body>
        <samlp:Request xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:lib="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" IssueInstant="2007-09-24T14:13:21Z" MajorVersion="1" MinorVersion="1" RequestID="idQCXo90QeOxtVF7Re1tSfK-F5o4">
          <samlp:AssertionArtifact>AAOCkf3sRbgL1kSiTxccEVUvvBGYJO30dM1xkwe8y4gwRXYV9UfDf52J</samlp:AssertionArtifact>
        </samlp:Request>
      </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>
• Confirm assertion response sent to SP (with assertion)
  – <amLogEntry> 2007-09-24T14:13:42Z NIDS Trace: Method: BaseHandler.sendSOAPResponse() Thread: http-0%2F0.0.0.0-8443-Processor4 SOAP EndpointResponse:
    <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
      <SOAP-ENV:Body>
        <samlp:Response InResponseTo="idQCXo90QeOxtVF7Re1tSfK-jF5o4" IssueInstant="2007-09-24T14:13:42Z" MajorVersion="1" MinorVersion="1" Recipient="https://www.aleris.net:443/nesp/idff/metadata" ResponseID="idtz8AISJfSnxQX60j0-cESUbdMrY" xmlns:lib="urn:liberty:iff:2003-08" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol">
          <samlp:Status>
            <samlp:StatusCode Value="samlp:Success"/>
          </samlp:Status>
          <saml:Assertion AssertionID="id7-m97u9xYZGWWzTZpqdoc7A.NSc" InResponseTo="idbiFOuDVt9UPHvfa9QLZ8puR7uuk" IssueInstant="2007-09-24T14:13:42Z" Issuer="https://idpcluster.lab.novell.com:8443/nidp/idff/metadata" MajorVersion="1" MinorVersion="2"

Page 16: Troubleshooting Novell Access Manager 3.1


LAG Troubleshooting Tools

• netcat localhost 2300
  – view proxy console
• OS tools top/netstat/'ps -eLf'
  – check process utilisation, memory and conn usage
• HTTP header and data viewer
  – STRACE on IE, or the httpfox plugin on Firefox
• viewinfo.* files from unsupported directory
  – Decode HTTP headers on back end
• Diff tools e.g. Beyond Compare (rewriting issues)
• Curl (view IDP metadata, simulate HTTP req)

Page 17: Troubleshooting Novell Access Manager 3.1


LAG Troubleshooting Tools (cont.)

• TCPDUMP output (incl. loopback)

Page 18: Troubleshooting Novell Access Manager 3.1


Troubleshooting Files (cont.)

• /var/log/ics_dyn.log - verbosity of messages depends on the /etc/laglogs.conf file settings:

  LOG_LEVEL=7 (default 5)
  DEBUG_SOAP_MESSAGE=1 (default 0)
  DEBUG_HTTP_HEADERS=1 (default 0)
  DEBUG_HTTP_RESPONSE=1 (default 0)

• /var/novell/.~newInstall
  – remove file => clears cache

Page 19: Troubleshooting Novell Access Manager 3.1


Troubleshooting Files (cont.)

/var/log/laghttpheaders
● decodes http headers of requests/responses on all channels

Sending request to webserver for browser request '98'
-------------------------------------------------------------------------
GET /images/classifieds/quicksearch/poweredByLoadzaJobs.png HTTP/1.1
Host: www.unison.ie
Referer: http://www.unison.ie/
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Cookie: Unison_User=83.141.112.214.109131171028663164;
Via: 1.1 www.mylag.com (Access Gateway 3.0.0-83)

Headers received from webserver for request '98'
------------------------------------------------------------------
Date: Fri, 26 Jan 2008 14:54:15 GMT
Server: Apache/1.3.34 (Debian) PHP/4.4.2-1.1 mod_perl/1.29
Last-Modified: Mon, 22 Jan 2007 11:23:29 GMT
ETag: "848730a-78c-45b49eb1"
Accept-Ranges: bytes
Content-Length: 1932
Content-Type: image/png

Page 20: Troubleshooting Novell Access Manager 3.1


Troubleshooting Files (cont.)

/var/log/lagsoapmessages
– log-level setting available in /etc/laglogs.conf
– Decodes all SOAP backchannel messages for auth and policy interaction
– Get user, roles, contract and timeout details during auth
– Get personal policy info for formfill, II and authorization
– <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
    <SOAP-ENV:Body>
      <NIDPSetSession XLibid="00000200930224c625b125a639540dda7192bb24fbfcd794" hardExpire="899" id="552382333C8BE989D7F39E1993D30B33" softExpire="584">
        <store type="ldap"><dn>cn=ncashell,o=novell</dn></store>
        <authentications><contracts><contract>name/password/uri</contract></contracts></authentications>
        <roles/>
      </NIDPSetSession>
    </SOAP-ENV:Body>
  </SOAP-ENV:Envelope>

Page 21: Troubleshooting Novell Access Manager 3.1


Troubleshooting Files (cont.)

/var/log/ics_dyn.log
– proxy specific logs
– Unique format
  > <time>:<host>:<component>:<DeviceID>:<AuthID>:<EventID><mesg>
  > Component determined by string 5045xxxx
    » where '5' is the log level (never changes!)
    » '045' represents the LAG component ID
    » 'xxxx' represents the LAG subgroup ... for example
      ~ '0100' -> multihoming
      ~ '0400' -> Authentication
      ~ '0600' -> Identity Injection
      ~ '1100' -> Rewriting
      ~ '1200' -> SOAP backchannel

Page 22: Troubleshooting Novell Access Manager 3.1


Troubleshooting Files (cont.)

/var/log/ics_dyn.log

Feb 18 13:39:46 lag129 : AM#504503000: AMDEVICEID#ag-7AA324FFCBA4D4E: AMAUTHID#0: AMEVENTID#681: Process request 1 'lag129.lab.novell.com:/formfill/sybase.html' [147.2.36.148:2134 -> 147.2.16.129:443]
Feb 18 13:39:46 lag129 : AM#504517000: AMDEVICEID#ag-7AA324FFCBA4D4E: AMAUTHID#0: AMEVENTID#681: Search success for /formfill/sybase.html (0xa5cf96e4:0xa598b7a4:64)
Feb 18 13:39:46 lag129 : AM#504504000: AMDEVICEID#ag-7AA324FFCBA4D4E: AMAUTHID#0: AMEVENTID#681: protected-resource
Feb 18 13:39:46 lag129 : AM#504504000: AMDEVICEID#ag-7AA324FFCBA4D4E: AMAUTHID#0: AMEVENTID#681: Got valid Cookie[1984350736 196608 3530491756 1573825269 147.2.36.148 0.3 CIP:147.2.36.148] COOKIE_VALIDATION
Feb 18 13:39:47 lag129 : AM#504507000: AMDEVICEID#ag-7AA324FFCBA4D4E: AMAUTHID#1F45C624E8EF324AC9A92FA39E20B22F: AMEVENTID#681:Scheduling Formfill, policies matched 1
Feb 18 13:39:47 lag129 : AM#504503000: AMDEVICEID#ag-7AA324FFCBA4D4E: AMAUTHID#0: AMEVENTID#681: Sending request to origin server 147.2.16.154:80 (c24cb1a1.c24cb1a1)
Feb 18 13:39:47 lag129 : AM#504509000: AMDEVICEID#ag-7AA324FFCBA4D4E: AMAUTHID#0: AMEVENTID#681: Received response from origin server, status = 200 (147.2.16.154:80)
Feb 18 13:39:47 lag129 : AM#504507000: AMDEVICEID#ag-7AA324FFCBA4D4E: AMAUTHID#1F45C624E8EF324AC9A92FA39E20B22F: AMEVENTID#681:Content-Type () Formfill is interested in this response.
Feb 18 13:39:47 lag129 : AM#504507000: AMDEVICEID#ag-7AA324FFCBA4D4E: AMAUTHID#1F45C624E8EF324AC9A92FA39E20B22F: AMEVENTID#681:FFResDS:0xa59ff824 Processing response
Feb 18 13:39:47 lag129 : AM#504507000: AMDEVICEID#ag-7AA324FFCBA4D4E: AMAUTHID#1F45C624E8EF324AC9A92FA39E20B22F: AMEVENTID#681:FF Sending GetAttribute soaprequest:5987 to eSP.(1F45C624E8EF324AC9A92FA39E20B22F)
Feb 18 13:39:49 lag129 : AM#504512000: AMDEVICEID#ag-7AA324FFCBA4D4E: AMAUTHID#0: AMEVENTID#5987: backchannel receivedResp (app a5fe24a4 FF ) (5987)[seg:0xa4b87de0:0xa58c4a00:1125]
Feb 18 13:39:49 lag129 : AM#504507000: AMDEVICEID#ag-7AA324FFCBA4D4E: AMAUTHID#1F45C624E8EF324AC9A92FA39E20B22F: AMEVENTID#681:ffCacheDataEvent:: data:0xa5a46824 start Formfill
Feb 18 13:39:49 lag129 : AM#404517000: AMDEVICEID#ag-7AA324FFCBA4D4E: AMAUTHID#0: AMEVENTID#681: FF Adjusting content length by 314, original entitySize 8440 (0)
Feb 18 13:39:49 lag129 : AM#504507000: AMDEVICEID#ag-7AA324FFCBA4D4E: AMAUTHID#1F45C624E8EF324AC9A92FA39E20B22F: AMEVENTID#681:Completed Formfill processing.(hit)
Feb 18 13:39:49 lag129 : AM#504520000: AMDEVICEID#ag-7AA324FFCBA4D4E: AMAUTHID#0: AMEVENTID#681: Browser req/resp[1185635, 1185637, 1185639] [timeToResp:2 respDuration:2] curTime:1185639 FinishTransmit [auth:0 acl:0 II:0] [rewrite 0 :1185637 11856371185637] [origin: 1185637, 1185637, 1185637,1185637 retry:0 0]

Page 23: Troubleshooting Novell Access Manager 3.1


Troubleshooting Files

• /var/opt/novell/tomcat/logs/catalina.out
  – eSP logs for communication with proxy and IDP
    > eSP inherits IDP logging settings ('Application' and 'Liberty')
    > Used to troubleshoot import, authentication and policy issues
    > Can search for JSESSIONID or Policy ID
  – Display IDP/ESP statistics
    > Performance issues running out of threads
    > http://www.novell.com/communities/node/9321/how-configure-access-gateway-embedded-service-provider-reduce-access-gateway-load-and-impr

Page 24: Troubleshooting Novell Access Manager 3.1

Troubleshooting Case Study: Single sign-on to back-end app fails with Identity Injection

Page 25: Troubleshooting Novell Access Manager 3.1


Policy Case Study – Background

• Customer enabled an Identity Injection policy on a protected resource; the policy added the:
  – username and password to the basic auth header
  – user's e-mail address to the X-Mail HTTP header
  – user's certificate to the X-userCertificate HTTP header
• After applying the policy and logging in to the Linux Access Gateway protected resource, the user could not SSO to the back-end Web server
  – authentication failed; error messages were returned from the back-end application
  – No valid user certificate sent

Page 26: Troubleshooting Novell Access Manager 3.1


Policy Case Study – Troubleshooting

Get the policy and where it is applied (screenshot of the protected resources and an export of the policy)

Page 27: Troubleshooting Novell Access Manager 3.1


Policy Case Study – Troubleshooting

• View protected resources with amdiagcfg.sh output
  – Policies enabled and configured correctly
• Enable logs for policies
  – Must understand where in the policy flow the request is failing (Web server, Proxy server, eSP, IDP, user store)?

Page 28: Troubleshooting Novell Access Manager 3.1


Policy Case Study – Log Analysis

• Check browser HTTP headers for cookies (LAG/ESP)
• Locate event ID from LAGHTTPHeaders output
• Search ICS_DYN log for eventID and policy activation

Feb 5 10:49:31 www : AM#504506000: AMDEVICEID#ag-BC7465BE319FA86: AMAUTHID#98514F39F4D2A2D5A8638C25560765A5: AMEVENTID#31: IdInjection enabled for the protected resource
Feb 5 10:49:31 www : AM#504506000: AMDEVICEID#ag-BC7465BE319FA86: AMAUTHID#98514F39F4D2A2D5A8638C25560765A5: AMEVENTID#31: IIRdata:a9d35704 cnt:2 processSearchMatch (ds:a99ecd44)
Feb 5 10:49:31 www : AM#504506000: AMDEVICEID#ag-BC7465BE319FA86: AMAUTHID#98514F39F4D2A2D5A8638C25560765A5: AMEVENTID#31: idCache miss. (key<43KO7M0O-9719-280O-200M-5772M447KL4IPCZQX03a36c6c0a=00000000930223500d7f35546deb348a87c859e198514F39F4D2A2D5A8638C25560765A5>)
Feb 5 10:49:31 www : AM#504506000: AMDEVICEID#ag-BC7465BE319FA86: AMAUTHID#98514F39F4D2A2D5A8638C25560765A5: AMEVENTID#31: II:a9d35704 Sending EVAL Request 5715 policyId 43KO7M0O-9719-280O-200M-N5772M447KL4
Feb 5 10:49:31 www : AM#504512000: AMDEVICEID#ag-BC7465BE319FA86: AMAUTHID#0: AMEVENTID#15: processSoapRequests - size 6 processed 1, deleted 3 (3, conFail 0 conTimeout 0) 0 (0)
Feb 5 10:49:31 www : AM#504515000: AMDEVICEID#ag-BC7465BE319FA86: AMAUTHID#0: AMEVENTID#56: CSocket 0xa99bd624:56 connectInProgress [0.0.0.0:0 0.0.0.0:8080] defaultNagle
Feb 5 10:49:31 www : AM#504515000: AMDEVICEID#ag-BC7465BE319FA86: AMAUTHID#0: AMEVENTID#0: Connection Established with peer 127.0.0.1:8080 (src 127.0.0.1:0)
Feb 5 10:49:31 www : AM#504512000: AMDEVICEID#ag-BC7465BE319FA86: AMAUTHID#0: AMEVENTID#5715: sent soapRequest 5715 app a99ecd88 IISCacheCreateWrked for pool Xerc 20000 (6)n
Feb 5 10:49:31 www : AM#504512000: AMDEVICEID#ag-BC7465BE319FA86: AMAUTHID#0:AMEVENTID#5715: backchannel receivedResp (app a99ecd88 II ) (5715)[seg:0xa8b87de0:0x586aa048:16131]
Feb 5 10:49:31 www : AM#504506000: AMDEVICEID#ag-BC7465BE319FA86: AMAUTHID#98514F39F4D2A2D5A8638C25560765A5: AMEVENTID#31: Received response for IdInjection EVAL request
Feb 5 10:49:31 www : AM#504506000: AMDEVICEID#ag-BC7465BE319FA86: AMAUTHID#98514F39F4D2A2D5A8638C25560765A5: AMEVENTID#31: Injecting AUTH_HEADER
Feb 5 10:49:31 www : AM#504506000: AMDEVICEID#ag-BC7465BE319FA86: AMAUTHID#98514F39F4D2A2D5A8638C25560765A5: AMEVENTID#31: Injecting CUSTOM_HEADER
Feb 5 10:49:31 www : AM#504506000: AMDEVICEID#ag-BC7465BE319FA86: AMAUTHID#98514F39F4D2A2D5A8638C25560765A5: AMEVENTID#31: Injecting (X-mail)
Feb 5 10:49:31 www : AM#504506000: AMDEVICEID#ag-BC7465BE319FA86: AMAUTHID#98514F39F4D2A2D5A8638C25560765A5: AMEVENTID#31: Injecting CUSTOM_HEADER
Feb 5 10:49:31 www : AM#504506000: AMDEVICEID#ag-BC7465BE319FA86: AMAUTHID#98514F39F4D2A2D5A8638C25560765A5: AMEVENTID#31: Injecting (X-ClientCert)
Feb 5 10:49:31 www : AM#504503000: AMDEVICEID#ag-BC7465BE319FA86: AMAUTHID#0: AMEVENTID#31: connecting to webserver 147.2.16.154:80 c24cb1a1 noPersist . (policy:1:2)
Feb 5 10:49:31 www : AM#504515000: AMDEVICEID#ag-BC7465BE319FA86: AMAUTHID#0: AMEVENTID#56: CSocket 0xa99cda24:56 connectInProgress [147.2.16.159:0 147.2.16.159:80]
Feb 5 10:49:31 www : AM#504515000: AMDEVICEID#ag-BC7465BE319FA86: AMAUTHID#0: AMEVENTID#0: Connection Established with peer (147.2.16.154:80)
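As an added example, not part of the slides or of Novell's tooling, the following Python parser implements the ics_dyn.log line format and AM# code decoding from the 'Unique format' slide and applies them to the search described above: it keeps only the lines for one AMEVENTID, lists the headers the Identity Injection subgroup reports injecting, and links the 'Sending EVAL Request' number to the backchannel response that is logged with that number as its own AMEVENTID. The sample lines are copied from the slide; subgroup codes the slide does not list are reported as unknown.

```python
import re

# Field layout from the slide: <time>:<host>:<component>:<DeviceID>:<AuthID>:<EventID><mesg>.
# Real lines sometimes omit the space after a ':' (e.g. "AMAUTHID#0:AMEVENTID#5715"), hence \s*.
LINE_RE = re.compile(
    r"^(?P<time>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) : "
    r"AM#(?P<code>\d{9}):\s*AMDEVICEID#(?P<device>[^:]+):\s*AMAUTHID#(?P<auth>[^:]+):\s*"
    r"AMEVENTID#(?P<event>\d+):\s*(?P<msg>.*)$"
)

# LAG subgroups named on the slide; any other subgroup code is reported as unknown.
SUBGROUPS = {
    "0100": "multihoming",
    "0400": "Authentication",
    "0600": "Identity Injection",
    "1100": "Rewriting",
    "1200": "SOAP backchannel",
}

# Lines copied from the case-study slide (lab values), used as sample input.
SAMPLE_LOG = """\
Feb 5 10:49:31 www : AM#504506000: AMDEVICEID#ag-BC7465BE319FA86: AMAUTHID#98514F39F4D2A2D5A8638C25560765A5: AMEVENTID#31: IdInjection enabled for the protected resource
Feb 5 10:49:31 www : AM#504506000: AMDEVICEID#ag-BC7465BE319FA86: AMAUTHID#98514F39F4D2A2D5A8638C25560765A5: AMEVENTID#31: II:a9d35704 Sending EVAL Request 5715 policyId 43KO7M0O-9719-280O-200M-N5772M447KL4
Feb 5 10:49:31 www : AM#504512000: AMDEVICEID#ag-BC7465BE319FA86: AMAUTHID#0:AMEVENTID#5715: backchannel receivedResp (app a99ecd88 II ) (5715)[seg:0xa8b87de0:0x586aa048:16131]
Feb 5 10:49:31 www : AM#504506000: AMDEVICEID#ag-BC7465BE319FA86: AMAUTHID#98514F39F4D2A2D5A8638C25560765A5: AMEVENTID#31: Injecting AUTH_HEADER
Feb 5 10:49:31 www : AM#504506000: AMDEVICEID#ag-BC7465BE319FA86: AMAUTHID#98514F39F4D2A2D5A8638C25560765A5: AMEVENTID#31: Injecting (X-mail)
Feb 5 10:49:31 www : AM#504506000: AMDEVICEID#ag-BC7465BE319FA86: AMAUTHID#98514F39F4D2A2D5A8638C25560765A5: AMEVENTID#31: Injecting (X-ClientCert)
Feb 5 10:49:31 www : AM#504503000: AMDEVICEID#ag-BC7465BE319FA86: AMAUTHID#0: AMEVENTID#31: connecting to webserver 147.2.16.154:80 c24cb1a1 noPersist . (policy:1:2)
"""


def decode_code(code):
    """Split a 9-digit AM# code into (log level, LAG component id, subgroup name)."""
    level, component, subgroup = code[0], code[1:4], code[4:8]
    return level, component, SUBGROUPS.get(subgroup, "unknown(%s)" % subgroup)


def parse_line(line):
    """Return a dict of the fields of one ics_dyn.log line, or None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["level"], rec["component"], rec["subgroup"] = decode_code(rec["code"])
    return rec


def parse_log(text):
    return [rec for rec in (parse_line(line) for line in text.splitlines()) if rec]


def messages_for_event(records, event_id):
    """All messages logged under one browser request's AMEVENTID (the search from the slide)."""
    return [r["msg"] for r in records if r["event"] == str(event_id)]


def injected_headers(records, event_id):
    """Header names the Identity Injection subgroup reports injecting for this request."""
    names = []
    for r in records:
        if r["event"] == str(event_id) and r["subgroup"] == "Identity Injection":
            m = re.match(r"Injecting \((.+)\)$", r["msg"])
            if m:
                names.append(m.group(1))
    return names


def backchannel_requests(records, event_id):
    """Link each 'Sending EVAL Request N' for this event to the SOAP backchannel response
    logged with N as its own AMEVENTID, so a request that never got a response stands out."""
    sent = {}
    for r in records:
        if r["event"] == str(event_id):
            m = re.search(r"Sending EVAL Request (\d+)", r["msg"])
            if m:
                sent[m.group(1)] = {"sent_by": r["subgroup"], "response_seen": False}
    for r in records:
        if r["event"] in sent and r["subgroup"] == "SOAP backchannel" and "receivedResp" in r["msg"]:
            sent[r["event"]]["response_seen"] = True
    return sent


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("event 31 messages:", len(messages_for_event(recs, 31)))
    print("injected headers:", injected_headers(recs, 31))
    print("backchannel requests:", backchannel_requests(recs, 31))
```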

Page 29: Troubleshooting Novell Access Manager 3.1


Policy Case Study – Log Analysis

Check AG catalina.out log for policy evaluate

<amLogEntry> 2010-02-05T10:49:31Z INFO NIDS Application: AM#501101050: AMDEVICEID#esp-7AA324FFCBA4D4ED: PolicyID#43KO7M0O-9719-280O-200M-N5772M447KL4: NXPESID#5715: Evaluating policy </amLogEntry>
<amLogEntry> 2010-02-05T10:49:31Z INFO NIDS Application: AM#501103050: AMDEVICEID#esp-7AA324FFCBA4D4ED: AMAUTHID#98514F39F4D2A2D5A8638C25560765A: 43KO7M0O-9719-280O-200M-N5772M447KL4: NXPESID#5715: AGIdentityInjection Policy Trace:
  ~~RL~1~~~~Rule Count: 1~~Success(67)
  ~~RU~RuleID_1239275044815~IdentityInjection~DNF~~0:3~~Success(67)
  ~~PA~ActionID_1265966514254~~InjectAuthHeader~uid~uid(1):CredentialProfile(7010:):NEPXurn~3Anovell~3Acredentialprofile~3ASecret~5Bcp~3AName~3D~22LDAPCredentials~22~5D~2Fcp~3AEntry~5Bcp~3AName~3D~22UserName~22~5D:~Ok:ttl -1~Success(0)
  ~~PA~ActionID_1265966514254~~InjectAuthHeader~password~pwd(1):CredentialProfile(7010:):NEPXurn~3Anovell~3Acredentialprofile~3A2005ret~5Bcp~3AName~3D~22LDAPCredentials~22~5D~2Fcp~3AEntry~5Bcp~3AName~3D~22UserPassword~22~5D:~Ok~Success(0)
  ~~PC~ActionID_1265966514254~~Document=(ou=xpemlPEP,ou=mastercdn,ou=ContentPublisherContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell:romaContentCollectionXMLDoc),Policy=(IdentityInjection),Rule=(1::RuleID_1239275044815),Action=(InjectAuthHeader::ActionID_1265966514254)~~~~Success(0)
  ~~PA~ActionID_1254471149303~~Inject Custom Header~Xmail~Value(2):LdapAttribute(6647:):NEPXurn~3Anovell~3Aldap~3A200602~2Fldap~3AUserAttribute~40~40~40~40WSCQLDAPToken~40~40~40~40~2FUserAttribute~5B~40ldap~3AtargetAttribute~3D~22mail~22~5D:~Ok:ttl -1~Success(0)
  ~~PC~ActionID_1254471149303~~Document=(ou=xpemlPEP,ou=mastercdn,ou=ContentPublisherContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell:romaContentCollectionXMLDoc),Policy=(IdentityInjection),Rule=(1::RuleID_1239275044815),Action=(InjectCustomHeader::ActionID_1254471149303)~~~~Success(0)
  ~~PA~ActionID_1261572496536~~InjectCustomHeader~XClientCert~Value(2):LdapAttribute(6647:):NEPXurn~3Anovell~3Aldap~3A200602~2Fldap~3AUserAttribute~40~40~40~40WSCQLDAPToken~40~40~40~40~2FUserAttribute~5B~40ldap~3AtargetAttribute~3D~22userCertificate~22~5D:~Ok:ttl -1~Success(0)
  ~~PC~ActionID_1261572496536~~Document=(ou=xpemlPEP,ou=mastercdn,ou=ContentPublisherContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell:romaContentCollectionXMLDoc),Policy=(IdentityInjection),Rule=(1::RuleID_1239275044815),Action=(InjectCustomHeader::ActionID_1261572496536)~~~~Success(0) </amLogEntry>

Page 30: Troubleshooting Novell Access Manager 3.1


Policy Case Study – Log Analysis

Check AG catalina.out log for parameter values and return codes

Query Response: <ldap:QueryResponse(urn:novell:ldap:2006-02)>:ns=urn:novell:ldap:2006-02 nspfx=ldap itemIdRef=exss80bmcyk3x timeStamp=2007-02-05T10:49:30Z
  <ldap:Status(urn:novell:ldap:2006-02)>:code=ldap:OK
  <ldap:Data(urn:novell:ldap:2006-02)>: itemIdRef: NEPXurn~3Anovell~3Aldap~3A2006-02~2Fldap~3AUserAttribute~40~40~40~40WSCQLDAPToken~40~40~40~40~2FUserAttribute~5B~40ldap~3AtargetAttribute~3D~22mail~22~5D
    <ldap:UserAttribute(urn:novell:ldap:2006-02)>: Id: exss80521py4a Target Attribute: mail
      <ldap:Value(urn:novell:ldap:2006-02)>: Value: *****

Method: com.novell.nidp.liberty.wsc.WSC.getDataWithoutInteraction()(Thread: http-8080-Processor3): Completed Request. Response: WSCResponse: Status: All Success WSCQResponseEntry: WSCQLDAPToken: Model Entry: UserAttribute Unique Id: NEPXurn~3Anovell~3Aldap~3A2006-02~2Fldap~3AUserAttribute~40~40~40~40WSCQLDAPToken~40~40~40~40~2FUserAttribute~5B~40ldap~3AtargetAttribute~3D~22userCertificate~22~5D Select String: /UserAttribute[@ldap:targetAttribute="userCertificate"]
  Status: OK Location Cookie: com.novell.nidp.liberty.wsc.WSCResourceOffering Value:
    <ldap:UserAttribute(urn:novell:ldap:2006-02)>: Id: exss80z7w0v4i Target Attribute: userCertificate    // missing "Value: *****" field

Page 31: Troubleshooting Novell Access Manager 3.1


Policy Case Study – Log Analysis

• catalina.out file shows values returned but masked (!)
• Check AG loopback interface for values returned
  – tcpdump -i any -s 0 -w IIValues.cap port 8080
  – See values for all requested attributes BUT ldap UserCertificate is blank

Page 32: Troubleshooting Novell Access Manager 3.1


Policy Case Study – Log Analysis

Check IDP log for userCertificate parameter values

<ldap:Query(urn:novell:ldap:2006-02)>:ns=urn:novell:ldap:2006-02 nspfx=ldap id=exss814edf549 itemId=exss814f5d44a
  <ldap:ResourceID(urn:novell:ldap:2006-02)>: Text: http://idpcluster.lab.novell.com:8080/nidp/?rsid%3D147.2.16.109%26sess%3D9C1CD281A9B0B6B68D8F65EE10B09A0F%26ugid%3D810de4119743d711a8d400c04fb1d4e2%26tpid%3Dhttp%3A%2F%2Fwww.mylag.com%3A80%2Fnesp%2Fidff%2Fmetadata%26auth%3DLDAPLDAPV.1.0%26svc%3Durn%3Anovell%3Aldap%3A2006-02%26ulid%3DnbYvdXIvClJdw7bimcu%2B55jOvOqVxr3jPVwIAA%3D%3D%26OB%3Dfalse
  <ldap:QueryItem(urn:novell:ldap:2006-02)>:id=exss814f1jf4b itemId=NEPXurn~3Anovell~3Aldap~3A2006-02~2Fldap~3AUserAttribute~40~40~40~40WSCQLDAPToken~40~40~40~40~2FUserAttribute~5B~40ldap~3AtargetAttribute~3D~22userCertificate~22~5D includeCommonAttributes=false
    <ldap:Select(urn:novell:ldap:2006-02)>:Select String: /UserAttribute[@ldap:targetAttribute="userCertificate"]

<ldap:QueryResponse(urn:novell:ldap:2006-02)>:ns=urn:novell:ldap:2006-02 nspfx=ldap itemIdRef=exss814f5d44a timeStamp=2007-02-05T10:49:31Z
  <ldap:Status(urn:novell:ldap:2006-02)>:code=ldap:OK
  <ldap:Data(urn:novell:ldap:2006-02)>: itemIdRef: NEPXurn~3Anovell~3Aldap~3A2006-02~2Fldap~3AUserAttribute~40~40~40~40WSCQLDAPToken~40~40~40~40~2FUserAttribute~5B~40ldap~3AtargetAttribute~3D~22userCertificate~22~5D
    <ldap:UserAttribute(urn:novell:ldap:2006-02)>: Id: exss80z7w0v4i Target Attribute: userCertificate    <Neil> No value returned!

Page 33: Troubleshooting Novell Access Manager 3.1


Policy Case Study – Log Analysis

Check LDAP traffic with User store for userCertificate request/response

Page 34: Troubleshooting Novell Access Manager 3.1


Policy Case Study – Solution

• Confirmed that LDAP sent requested info to IDP

• Confirmed that IDP sent the AG a resulting NULL for the requested attribute

• Concluded that IDP did not handle response from LDAP correctly

– No values displayed

• Identified issue with IDP server's inability to handle base64 encoded format of data returned

– Bug in Novell® Access Manager™

Page 35: Troubleshooting Novell Access Manager 3.1


Additional Reading

• Troubleshooting 100101044/43 errors
  – http://www.intl.novell.com/communities/node/2297/troubleshooting-100101043-and-100101044-errors-access-manager
• Troubleshooting SAML
  – http://www.intl.novell.com/communities/node/2303/configuring-and-troubleshooting-saml-11-novell-access-manager
• Troubleshooting SSLVPN
  – http://www.intl.novell.com/communities/node/3071/troubleshooting-sslvpn
• SSLVPN Architecture
  – http://www.intl.novell.com/communities/node/2974/ssl-vpn-architecture
• Troubleshooting formfill issues
  – http://www.novell.com/support/php/search.do?cmd=displayKC&docType=kc&externalId=7002780&sliceId=1&docTypeID=DT_TID_1_1&dialogID=39679063&stateId=0%200%2039677453
• SAML cool solutions on Concur (1.1), GoogleApps (2.0 IDP), Shibboleth (2.0 SP)

Page 36: Troubleshooting Novell Access Manager 3.1
Page 37: Troubleshooting Novell Access Manager 3.1

Unpublished Work of Novell, Inc. All Rights Reserved.

This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.

General Disclaimer

This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.