Tech Tip – How to enable webseal trace logs using pdadmin

Environment
  • ISAM 9.0.0.5 on Docker
Instructions

1. Open a bash shell inside the WebSEAL Docker container.

docker exec -it <webseal_container_name> bash
PS C:\WINDOWS\system32> docker exec -it idp-webseal bash

2. Start the pdadmin tool
[root@idp-webseal /]# pdadmin

3. Log in to pdadmin with the sec_master credentials

login [-a <admin_id>] [-p <password>]
e.g.
pdadmin> login -a sec_master -p siteminder
pdadmin sec_master>

Omit -p to be prompted for the password; giving it on the command line leaves it in the shell history and visible in the process list.

4. List the registered servers; the WebSEAL instance is the entry named <webseald-instance> (the policy server shows up as ivmgrd-master)

pdadmin sec_master> server list
default-webseald-isam-conf
ivmgrd-master
pdadmin sec_master>

5. Enable the pdweb.debug trace

server task <webseald-instance> trace set <component> <level> file path=<file>

<level> is 1 to 9 (higher is more verbose); setting it to 0 turns the component off again. The trace file is written by the WebSEAL process, not by pdadmin, so a relative path lands in the WebSEAL instance's log directory.
e.g.
pdadmin sec_master> server task default-webseald-isam-conf trace set pdweb.debug 2 file path=debug.log

6. Show the trace components currently enabled on the instance

server task <webseald-instance> trace show
e.g.
pdadmin sec_master> server task default-webseald-isam-conf trace show
pdweb.debug 2 file path=debug.log
pdadmin sec_master>

Disable Trace Log:

server task <webseald-instance> trace set <trace-component> 0

e.g.

pdadmin sec_master> server task default-webseald-isam-conf trace show
pdweb.debug 2 file path=debug.log
pdadmin sec_master> server task default-webseald-isam-conf trace set pdweb.debug 0
pdadmin sec_master> server task default-webseald-isam-conf trace show
pdadmin sec_master>

An empty trace show output confirms that nothing is being traced any more.
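The enable and disable steps above are typed interactively. The following script is an added example, not part of the original tech tip, that drives the same pdadmin commands from the Docker host so they can be repeated (for example to switch tracing off again after a capture). It assumes things the page does not state: the container is called idp-webseal, the admin id is sec_master, pdadmin accepts its commands on standard input, and the sec_master password is supplied in the environment variable PDADMIN_PASSWORD so it never appears in argv or the shell history. The functions webseal_trace_cmds, is_sensitive_component and run_pdadmin are names chosen here.

```shell
#!/bin/sh
# Added example (not from the original page): non-interactive WebSEAL trace
# enable/disable through pdadmin running inside the Docker container.
# Assumptions (not in the page): container idp-webseal, admin id sec_master,
# pdadmin reads commands from stdin, password comes from $PDADMIN_PASSWORD.
set -eu

# Build the pdadmin command lines for one trace change.
# $1 instance, $2 component, $3 level (0 disables, 1-9 enables),
# $4 trace file (required when enabling). Ends with "trace show" so the
# result can be verified in the same run.
webseal_trace_cmds() {
    instance="$1"; component="$2"; level="$3"; tracefile="${4:-}"
    case "$level" in
        [0-9]) ;;
        *) echo "trace level must be a single digit 0-9, got '$level'" >&2; return 1 ;;
    esac
    if [ "$level" = 0 ]; then
        printf 'server task %s trace set %s 0\n' "$instance" "$component"
    else
        if [ -z "$tracefile" ]; then
            echo "a file path is required when enabling a trace" >&2; return 1
        fi
        printf 'server task %s trace set %s %s file path=%s\n' \
            "$instance" "$component" "$level" "$tracefile"
    fi
    printf 'server task %s trace show\n' "$instance"
}

# Components that the trace component tables flag as capturing request or
# response data (HTTP headers, cookies, BA credentials, EAS decision input).
is_sensitive_component() {
    case "$1" in
        pdweb.debug|pdweb.snoop|pdweb.snoop.*|pdweb.wns.authn|pdweb.oauth|pdweb.http.transformation)
            return 0 ;;
        *)  return 1 ;;
    esac
}

# Feed a login line plus the generated commands to pdadmin inside the
# container. The password travels on stdin, not in argv. Nothing runs
# unless PDADMIN_PASSWORD is set.
run_pdadmin() {
    container="$1"; admin="$2"; cmds="$3"
    : "${PDADMIN_PASSWORD:?set PDADMIN_PASSWORD to the $admin password first}"
    printf 'login -a %s -p %s\n%s\n' "$admin" "$PDADMIN_PASSWORD" "$cmds" |
        docker exec -i "$container" pdadmin
}

# Usage: PDADMIN_PASSWORD=... ./webseal-trace.sh enable|disable <component> [level] [file]
# Optional: WEBSEAL_CONTAINER and WEBSEAL_INSTANCE override the assumed names.
if [ "$#" -gt 0 ]; then
    instance="${WEBSEAL_INSTANCE:-default-webseald-isam-conf}"
    action="$1"; component="${2:-}"
    if [ -z "$component" ]; then
        echo "usage: $0 enable|disable <component> [level] [file]" >&2; exit 2
    fi
    case "$action" in
        enable)  cmds=$(webseal_trace_cmds "$instance" "$component" "${3:-2}" "${4:-$component.log}") ;;
        disable) cmds=$(webseal_trace_cmds "$instance" "$component" 0) ;;
        *) echo "usage: $0 enable|disable <component> [level] [file]" >&2; exit 2 ;;
    esac
    if [ "$action" = enable ] && is_sensitive_component "$component"; then
        echo "warning: $component records request/response data that can include credentials; disable it and protect the file when done" >&2
    fi
    run_pdadmin "${WEBSEAL_CONTAINER:-idp-webseal}" sec_master "$cmds"
fi
```

The level check mirrors the pdadmin syntax (0 off, 1 to 9 on), and the warning branch only covers the components whose table entries carry a sensitive-data note, so enabling something like pdweb.url stays quiet.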

Testing

Send a request through the WebSEAL instance and inspect the trace file; with pdweb.debug enabled it records the HTTP headers exchanged between WebSEAL and the client.

Sample pdweb debug log:

Note:

  • Tracing enabled through pdadmin is dynamic only: it stays in effect until the WebSEAL instance is restarted, after which it has to be enabled again.
  • The same procedure works for the other trace components, e.g. pdweb.snoop.client, pdweb.snoop.jct, pdweb.wan.azn.
  • Several components (pdweb.debug, pdweb.snoop.*, pdweb.wns.authn, pdweb.oauth, pdweb.http.transformation) write request and response data that can include cookies and Basic Authentication headers. Disable them as soon as the capture is done and treat the trace file as sensitive.
  • Common tracing components
    – pd.ivc.ira (trace ISAM interactions with the LDAP server)
    – pdweb.debug (trace the HTTP headers sent from/to WebSEAL)
    – pdweb.snoop (trace the HTTP packets which are transmitted to/from WebSEAL)
    – pdweb.wan.azn (trace the authorization decisions for all transactions)
    – pdweb.wns.authn (trace details concerning the authentication process applied by WebSEAL)
  • The list of all available trace components can be obtained by executing the command:

server task <webseald-instance> trace list

pdadmin sec_master> server task default-webseald-isam-conf trace list
pd
pd.ivc
pd.ivc.general
pd.ivc.file
pd.ivc.log
pd.ivc.ira
pd.idb
pd.idb.general
pd.idb.database

The following table contains the trace components that are common to all Security Access Manager servers:

Table 1. Common trace components
Component – Description
pd.bst.general – Used to trace the Kerberos authentication process.
pd.acl.general – The general trace for the authorization API.
pd.acl.client – Used to trace the plug-in services for the authorization server.
pd.acl.authzn – Used to trace the authorization decision.
pd.acl.adminsvc – Used to trace the interface into the administration service plug-in.
pd.acl.remsvc – Used to trace the authorization decision during remote mode operation.
pd.acl.aznapi – Used to trace the usage of the Security Access Manager authorization API.
pd.acl.aznsvc – Used to trace the plug-in services that are provided by the authorization server.
pd.idb.database – Used to trace access to the Security Access Manager policy database.
pd.ivc.ira – The IRA is the Security Access Manager interface into the LDAP server. This trace component is used to trace the Security Access Manager communication with the LDAP server.
pd.mgr.general – Used to trace the Security Access Manager administration commands in the Policy Server.
pd.mgr.svrmgmt – Used to trace the management of the authorization servers within the policy server.
pd.ias.general – Used to trace the Security Access Manager supplied authentication mechanisms, otherwise known as CDASs.
pd.ras.exception.trace – Used to trace any exceptions that might be caught by the server.

The following table contains the available pdadmin trace components:

Table 2. The pdadmin trace components
Component – Description
pdweb.bca.general – Used to trace the client side of the Security Access Manager authorization API.
pdweb.bca.user – Used to trace the client side of the user pdadmin command.
pdweb.bca.group – Used to trace the client side of the group pdadmin command.
pdweb.bca.acl – Used to trace the client side of the acl pdadmin command.
pdweb.bca.protobj – Used to trace the client side of the object pdadmin command.
pdweb.bca.protobjspace – Used to trace the client side of the objectspace pdadmin command.
pdweb.bca.appsvrcfg – Used to trace the client side of the config pdadmin command.
pdweb.bca.ssoresource – Used to trace the client side of the rsrc pdadmin command.
pdweb.bca.ssoresourcegroup – Used to trace the client side of the rsrcgroup pdadmin command.
pdweb.bca.ssocred – Used to trace the client side of the rsrccred pdadmin command.
pdweb.bca.action – Used to trace the client side of the action pdadmin command.
pdweb.bca.server – Used to trace the client side of the server pdadmin command.
pdweb.bca.pop – Used to trace the client side of the pop pdadmin command.
pdweb.bca.domain – Used to trace the client side of the domain pdadmin command.
pdweb.bca.authzrule – Used to trace the client side of the authzrule pdadmin command.

The following table contains the available WebSEAL trace components:

Table 3. The WebSEAL trace components
Component – Description
pdweb.wan.ssl – Used to trace the SSL connection between WebSEAL and junctioned web servers.
pdweb.wns.session – Used to trace the WebSEAL sessions, as they are stored within the session cache and retrieved or removed from the session cache.
pdweb.wns.authn – Used to trace the authentication processing. Note: this component includes the header information that WebSEAL uses for header-based authentication, which might contain sensitive information (for example, a BA header).
pdweb.adm.config – Used to trace the configuration for e-community SSO.
pdweb.wan.bool – Used to trace the WebSEAL processing of Security Access Manager authorization rules.
pdweb.wns.compress – Used to trace the WebSEAL compression of HTTP messages.
pdweb.cas.general – Used to trace the interface between WebSEAL and a custom-written CDAS shared library.
pdweb.wco.azn – Used to trace the entitlements service, which manages the maximum concurrent web session policy. The policy is used with SMS to limit the number of times a particular user can create a session concurrently.
pdweb.debug – Used to trace the HTTP headers sent between WebSEAL and the client. Note: the pdweb.debug trace could contain sensitive information.
pdweb.snoop.client – Used to trace the HTTP packets that are transmitted between WebSEAL and the client. Note: this component traces each request and response in its entirety as it is read off the socket, so the trace might contain sensitive information.
pdweb.snoop.jct – Used to trace the HTTP packets that are transmitted between WebSEAL and the junctioned back-end web server. Note: this component traces each request and response in its entirety as it is read off the socket, so the trace might contain sensitive information.
pdweb.url – Used to trace the creation and parsing of the URL.
pdweb.wan.azn – Used to trace the WebSEAL authorization decision.
pdweb.wan.ltpa – Used to trace the management of LTPA cookies.
pdweb.oauth – Used to trace OAuth EAS authorization decisions. Note: this component traces the data that passes into the EAS, which is governed by the [azn-decision-info] stanza, so the trace might contain sensitive information.
pdweb.http.transformation – Used to trace HTTP transformation processing. Note: this component traces the header information in the request, which might contain sensitive information (for example, a Basic Authentication header).
RELATED BLOGS :

Tech Tip – How to protect web app using ISAM Web Reverse Proxy