
Identity Governance

Troubleshooting

Chris Weber
Level 2 support, IBM Security

May 16, 2017


Identity Governance Troubleshooting

• Support Files contents

• Accessing different logs and other files through the IGI appliance interface

• Changing logging levels

• Logging statements in rule code

• Miscellaneous issues

2 IBM Security
Support Files contents
Support files contents
• Generate a Support Files package from the IGI appliance and include it with the PMR opened for errors or other
unexpected IGI application or appliance issues: Manage -> System Settings -> Support Files -> New
Support files contents

• IGI 5.2.2 support files package contents

  - tmp - liberty_dump.zip, logs/data for the appliance server itself
  - var/log/messages - OS log, relevant for patching/appliance issues and file upload issues
  - var/ibm/tivoli/common/CTGIM/logs - ID broker trace/message logs (“isim” code logs)
  - opt/isig/IDEASPlatformEnv/log/ - IGI application logs
  - opt/IBM/wlp/usr/servers - contains three subdirectories for the Liberty/WebSphere profile servers:
    • broker - Liberty/WebSphere server logs for the server running the ID broker
    • default - Liberty/WebSphere appliance server logs
    • igi - Liberty/WebSphere server logs for the server running the IGI application
Support files contents
Logs to check for issues uploading files to the IGI appliance, appliance configuration issues, or fixpack
install/upgrade issues.

• LMI or Liberty/WebSphere server logs of the server that runs the appliance interface:
  <support file zip file>\tmp\liberty_dump.zip
  <support file zip file>\tmp\liberty_dump\logs\ - message and trace logs

• The appliance OS logs themselves:
  <support file zip file>\var\log\messages

  Example entries from a successful fixpack install:
Mar 3 10:06:47 mesa_control[17433]: Installing fixpack from file /tmp/5.2.2.0-ISS-IGI-IF0001.fixpack
Mar 3 10:06:48 kernel: EXT4-fs (loop0): mounted filesystem without journal. Opts:
Mar 3 10:06:50 mesa_install_fixpack: 5.2.2.0-ISS-IGI-IF0001 install successful
Mar 3 10:06:50 mesa_control[17433]: Fixpack /tmp/5.2.2.0-ISS-IGI-IF0001.fixpack: install successful
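Added example (not from the original deck): a small Python script that reads the var/log/messages excerpt above and reports the outcome of each fixpack install, so a support engineer can check a support-files package without scanning the file by hand. The four sample lines are copied from the slide. The process tags mesa_control and mesa_install_fixpack and the "install successful" wording are the only ones the slide shows, so treating any other result word as a failure is an assumption made here.

```python
import re
from typing import Dict, List

# Sample input: the four lines shown on the slide. syslog normally pads the day
# with two spaces ("Mar  3"); the regex accepts either spacing.
SAMPLE_MESSAGES = """\
Mar 3 10:06:47 mesa_control[17433]: Installing fixpack from file /tmp/5.2.2.0-ISS-IGI-IF0001.fixpack
Mar 3 10:06:48 kernel: EXT4-fs (loop0): mounted filesystem without journal. Opts:
Mar 3 10:06:50 mesa_install_fixpack: 5.2.2.0-ISS-IGI-IF0001 install successful
Mar 3 10:06:50 mesa_control[17433]: Fixpack /tmp/5.2.2.0-ISS-IGI-IF0001.fixpack: install successful
"""

# syslog-style line: "<Mon> <day> <HH:MM:SS> <process>[<pid>]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<proc>[A-Za-z0-9_./-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# Process tags that report fixpack installs on the appliance (taken from the slide).
FIXPACK_PROCS = {"mesa_control", "mesa_install_fixpack"}
# mesa_control: "Installing fixpack from file /tmp/<name>.fixpack"
START_RE = re.compile(r"^Installing fixpack from file (\S+)$")
# mesa_install_fixpack: "<name> install <result>"
RESULT_RE = re.compile(r"^(\S+) install (\w+)$")
# mesa_control: "Fixpack /tmp/<name>.fixpack: install <result>"
CONTROL_RESULT_RE = re.compile(r"^Fixpack (\S+): install (\w+)$")


def fixpack_name(path: str) -> str:
    """Strip the directory and the .fixpack suffix: /tmp/X.fixpack -> X."""
    name = path.rsplit("/", 1)[-1]
    return name[: -len(".fixpack")] if name.endswith(".fixpack") else name


def parse_messages(text: str) -> List[Dict[str, str]]:
    """Parse every line of a messages file; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def fixpack_events(text: str) -> List[Dict[str, str]]:
    """Only the lines written by the fixpack install processes."""
    return [e for e in parse_messages(text) if e["proc"] in FIXPACK_PROCS]


def fixpack_outcome(text: str) -> Dict[str, str]:
    """Map each fixpack name to 'started', 'success' or 'failure'.

    Only "install successful" appears on the slide; any other result word is
    treated as a failure (assumption), so an unexpected wording gets flagged
    rather than silently passed.
    """
    outcome: Dict[str, str] = {}
    for e in fixpack_events(text):
        msg = e["msg"]
        m = START_RE.match(msg)
        if m:
            outcome.setdefault(fixpack_name(m.group(1)), "started")
            continue
        m = RESULT_RE.match(msg) or CONTROL_RESULT_RE.match(msg)
        if m:
            name = fixpack_name(m.group(1))
            outcome[name] = "success" if m.group(2) == "successful" else "failure"
    return outcome


if __name__ == "__main__":
    for name, result in fixpack_outcome(SAMPLE_MESSAGES).items():
        print(f"{name}: {result}")
```

A fixpack that shows up as "started" with no result line usually means the install did not finish; that is the case to look at in liberty_dump.zip next.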

Accessing different logs and other files through the IGI appliance interface
Accessing different logs and other files through the IGI appliance interface

• IGI application logs

• IGI Liberty/WebSphere server logs

• IGI sdk.zip file

Accessing different logs and other files through the IGI appliance interface
• IGI application logs: Configure -> Manage Server Settings -> Custom File Management

Accessing different logs and other files through the IGI appliance interface

log -> console. Logs related to the different UI interfaces of IGI.

Accessing different logs and other files through the IGI appliance interface

log -> iga_core. The main set of logs for the different operations/activities in IGI, including the logs for the
event queues and schedulers.

Accessing different logs and other files through the IGI appliance interface

log -> system. For some database-related issues, check the hibernate.log here.

Accessing different logs and other files through the IGI appliance interface
IGI Liberty/WebSphere server logs: Manage -> Maintenance -> Log Retrieval and Configuration

Appliance tab: logs of the IGI appliance server itself.

Accessing different logs and other files through the IGI appliance interface
Identity tab: contains the IGI and Broker application server logs and the SDI logs.

Note: the interface only shows the latest log file. To get previous or older log files,
generate a Support Files package.

Accessing different logs and other files through the IGI appliance interface
• IGI SDK package download from the IGI appliance
• Contains the client jar files, used for example with ISIGADI
• Javadoc for the API
• Some API examples
• Usually gets updated when IGI fixpacks are applied to the IGI server
Changing logging levels
Changing logging levels
Manage -> Maintenance -> Log Retrieval and Configuration -> Configure

Identity tab: change the logging levels of the IGI application itself.

A restart of the “Security Identity Governance and Intelligence” server from the appliance home page
is required for Identity or Application Server logging changes to take effect.
Changing logging levels
Application Server tab: change logging for the Liberty/WebSphere servers of the IGI and Broker servers.

Example: set “com.ibm.iga.idbrokerage.*” to the “All” level for debugging brokerage issues.
Changing logging levels

Example logging settings for debugging OpenID issues from the IGI server side:

com.ibm.ws.security.*=all
com.ibm.ws.webcontainer.security.*=all
com.ibm.oauth.*=all
com.ibm.wsspi.security.oauth20.*=all
com.ibm.ws.transport.http.*=all
org.apache.http.client.*=all

Changing logging levels

SDI tab: change the logging levels of the SDI/dispatcher running on the IGI appliance.
Logging statements in rule code
Logging statements in rule code
• Can use logger.debug() and logger.info() level statements to help in debugging rule code.

logger.debug("### DEBUG *** Sync level: " + eventOut.getCodiceOperazione());

logger.info("### INFO *** Sync level: " + eventOut.getCodiceOperazione());

• Example accessgovernancecore_event_out.log file output from above logger statements


Jan 26, 2017, 9:21:36 AM DEBUG AGC:? - ### DEBUG *** Sync level: PM_1866277246650801262_admin

Jan 26, 2017, 9:21:36 AM INFO AGC:? - ### INFO *** Sync level: PM_1866277246650801262_admin

• System.out.println() can also be used; it writes to the IGI application server message log file.
Logging statements in rule code
• Which log statement levels appear in the IGI application log files is controlled by the “Log Level” setting
under Access Governance Core -> Settings -> Core Configurations -> General. The Debug level shows
both logger.debug() and logger.info() lines.
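Added example (not from the original deck): Python that parses accessgovernancecore_event_out.log lines in the format shown above, picks out the entries written by rule code through the "###" marker prefix, and applies a level filter in the conventional DEBUG < INFO < WARN < ERROR order to show which of those lines survive a given Log Level setting. The slide only states that Debug shows both debug and info lines; the ordering for the other levels is assumed here. The two DEBUG/INFO sample lines are copied from the slide; the extra INFO and ERROR lines are constructed.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample: the two lines from the slide, followed by one plain INFO
# line and one ERROR line invented here to exercise the marker and level filters.
SAMPLE_LOG = """\
Jan 26, 2017, 9:21:36 AM DEBUG AGC:? - ### DEBUG *** Sync level: PM_1866277246650801262_admin
Jan 26, 2017, 9:21:36 AM INFO AGC:? - ### INFO *** Sync level: PM_1866277246650801262_admin
Jan 26, 2017, 9:21:37 AM INFO AGC:? - event processed
Jan 26, 2017, 9:21:38 AM ERROR AGC:? - ### ERROR *** Sync level: PM_0000000000000000000_test
"""

# "<Mon> <d>, <yyyy>, <h:mm:ss> <AM|PM> <LEVEL> <logger> - <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4}, \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<level>[A-Z]+) (?P<logger>\S+) - (?P<msg>.*)$"
)
TS_FORMAT = "%b %d, %Y, %I:%M:%S %p"

# Conventional level ordering used by the filter below. The slide only says that
# Debug shows both debug and info lines; the rest of the ordering is assumed.
LEVEL_RANK = {"DEBUG": 0, "INFO": 1, "WARN": 2, "ERROR": 3}


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Split one log line into its fields, or return None if it is not a log line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {
        "time": datetime.strptime(m.group("ts"), TS_FORMAT),
        "level": m.group("level"),
        "logger": m.group("logger"),
        "msg": m.group("msg"),
    }


def parse_log(text: str) -> List[Dict[str, object]]:
    """Parse every line; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        e = parse_line(line)
        if e is not None:
            entries.append(e)
    return entries


def rule_entries(text: str, marker: str = "###", configured_level: str = "DEBUG"):
    """Entries written by rule code (message starts with ``marker``) that would
    be visible when the Log Level is set to ``configured_level``."""
    minimum = LEVEL_RANK[configured_level]
    return [
        e for e in parse_log(text)
        if e["msg"].startswith(marker) and LEVEL_RANK.get(e["level"], 99) >= minimum
    ]


def sync_levels(text: str, configured_level: str = "DEBUG") -> List[str]:
    """The value after 'Sync level:' from each visible rule entry."""
    values = []
    for e in rule_entries(text, configured_level=configured_level):
        m = re.search(r"Sync level: (\S+)", e["msg"])
        if m:
            values.append(m.group(1))
    return values


if __name__ == "__main__":
    for e in rule_entries(SAMPLE_LOG, configured_level="INFO"):
        print(e["time"].isoformat(), e["level"], e["msg"])
```

A distinctive marker such as "###" in every rule log statement is what makes this filtering possible; without it, rule output is indistinguishable from the core's own lines in the same file.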

Logging statements in rule code
• Different rule class log file locations

  - Live and Deferred (In only)
    • logs\iga_core\accessgovernancecore_event_in.log
    • logs\iga_core\accessgovernancecore_event_out.log
    • logs\iga_core\accessgovernancecore_event_target.log

  - Authorization Digest
    • The logger() statements don't write to any IGI appliance log file in these rules. Instead use
      System.out.println() to write to the IGI server message log file.

  - Advanced
    • logs\iga_core\scheduler_job.log

  - Account
    • logs\iga_core\accessgovernancecore.log

  - Attestation
    • logs\iga_core\scheduler_job.log

  - Hierarchy
    • logs\iga_core\scheduler_job.log
Logging statements in rule code
• During development and testing of new rule code, change the cacheTime of the jobs on the
RuleEngine task in Task Planner to a value smaller than the default of 120 minutes. This allows the
updated/modified rule contents to take effect without a server restart or a wait of 120 minutes.
Logging statements in rule code
• With cacheTime set to 0 minutes, the rule code is recompiled every time it is run: no
caching and no delay for changes to take effect.

• The RuleEngine task has to be stopped to modify the settings on the Jobs of the task.
Miscellaneous issues
Miscellaneous issues

• Task planner tasks in inconsistent state

• Launching Target Administration issues

Miscellaneous issues
• Task Planner tasks in an inconsistent state (flagged with orange exclamation marks) compared with tasks in a good state
  [screenshots: "Inconsistent state of Tasks" and "Good state of Tasks"]
Miscellaneous issues
• Select each of the Schedulers and perform Actions -> Synchronize

Miscellaneous issues
Launching Target Administration issues

• Launching Target Administration and seeing the following page displayed, with an error about the session
having timed out. This is often the result of a communication or data issue with the IGI/broker LDAP.
Miscellaneous issues
• Checking the “IBM Security Identity Governance and Intelligence trace log”

Miscellaneous issues
Example log output from the “IBM Security Identity Governance and Intelligence trace log”
<Trace Level="MIN">
<Time Millis="1485446097851"> 2017.01.26 16:54:57.851+01:00</Time>
<Server Format="IP">igiva.ibm.com</Server>
<ProductId>CTGIM</ProductId>
<Component>com.ibm.itim.apps.ejb.home</Component>
<ProductInstance>server1</ProductInstance>
<LogText><![CDATA[]]></LogText>
<Source FileName="com.ibm.itim.apps.ejb.home.HomeBean" Method="getAuthenticationObject"/>
<Thread>LargeThreadPool-thread-69</Thread>
<Exception><![CDATA[com.ibm.itim.apps.exception.AppProcessingException: Communication Failure. The directory server is not available.
Error: 192.168.159.128:389
at com.ibm.itim.apps.ejb.home.HomeBean.getDirectorySystemEntity(HomeBean.java:1965)
at com.ibm.itim.apps.ejb.home.HomeBean.getAuthenticationObject(HomeBean.java:869)
at com.ibm.itim.apps.ejb.home.HomeBean.getAuthenticationObject(HomeBean.java:853)
<…>

<Trace Level="MIN">
<Time Millis="1485446101339"> 2017.01.26 16:55:01.339+01:00</Time>
<Server Format="IP">igiva.ibm.com</Server>
<ProductId>CTGIM</ProductId>
<Component>com.ibm.itim.ui</Component>
<ProductInstance>server1</ProductInstance>
<LogText><![CDATA[An application error occurred.]]></LogText>
<Source FileName="com.ibm.itim.ui.controller.ITIMControlServlet" Method="doGet"/>
<Thread>LargeThreadPool-thread-84</Thread>
<Exception><![CDATA[com.ibm.itim.apps.ApplicationException: Your session timed out. Enter your user ID and password to re-establish your
session.
at com.ibm.itim.ui.controller.ITIMControlServletFilter.doFilter(ITIMControlServletFilter.java:179)
at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:207)
<…>
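Added example (not from the original deck): Python that parses the trace log records above and pairs each "session timed out" exception with the nearest earlier "directory server is not available" exception, which is the root cause the slide points at for Target Administration launch errors. The sample is a constructed, trimmed copy of the two records shown (closing tags added, stack traces shortened); the 30-second pairing window and the field names in the returned dicts are choices made here, not anything IGI defines.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Constructed sample: the two records from the slide, trimmed to well-formed XML
# (closing tags added, stack traces shortened). The real file is a plain sequence
# of <Trace> elements with no enclosing root element, hence the wrapper below.
SAMPLE_TRACE = """\
<Trace Level="MIN">
<Time Millis="1485446097851"> 2017.01.26 16:54:57.851+01:00</Time>
<Server Format="IP">igiva.ibm.com</Server>
<ProductId>CTGIM</ProductId>
<Component>com.ibm.itim.apps.ejb.home</Component>
<ProductInstance>server1</ProductInstance>
<LogText><![CDATA[]]></LogText>
<Source FileName="com.ibm.itim.apps.ejb.home.HomeBean" Method="getAuthenticationObject"/>
<Thread>LargeThreadPool-thread-69</Thread>
<Exception><![CDATA[com.ibm.itim.apps.exception.AppProcessingException: Communication Failure. The directory server is not available.
Error: 192.168.159.128:389
at com.ibm.itim.apps.ejb.home.HomeBean.getDirectorySystemEntity(HomeBean.java:1965)
at com.ibm.itim.apps.ejb.home.HomeBean.getAuthenticationObject(HomeBean.java:869)]]></Exception>
</Trace>
<Trace Level="MIN">
<Time Millis="1485446101339"> 2017.01.26 16:55:01.339+01:00</Time>
<Server Format="IP">igiva.ibm.com</Server>
<ProductId>CTGIM</ProductId>
<Component>com.ibm.itim.ui</Component>
<ProductInstance>server1</ProductInstance>
<LogText><![CDATA[An application error occurred.]]></LogText>
<Source FileName="com.ibm.itim.ui.controller.ITIMControlServlet" Method="doGet"/>
<Thread>LargeThreadPool-thread-84</Thread>
<Exception><![CDATA[com.ibm.itim.apps.ApplicationException: Your session timed out. Enter your user ID and password to re-establish your session.
at com.ibm.itim.ui.controller.ITIMControlServletFilter.doFilter(ITIMControlServletFilter.java:179)]]></Exception>
</Trace>
"""

DIRECTORY_FAILURE = "directory server is not available"
SESSION_TIMEOUT = "session timed out"


def parse_trace_records(text: str) -> List[Dict[str, object]]:
    """Parse the rootless sequence of <Trace> records into flat dicts."""
    root = ET.fromstring("<records>" + text + "</records>")
    records = []
    for t in root.findall("Trace"):
        time_el = t.find("Time")
        src = t.find("Source")
        exc = (t.findtext("Exception", "") or "").strip()
        records.append({
            "level": t.get("Level", ""),
            "millis": int(time_el.get("Millis", "0")) if time_el is not None else 0,
            "time": (time_el.text or "").strip() if time_el is not None else "",
            "component": t.findtext("Component", ""),
            "method": src.get("Method", "") if src is not None else "",
            "thread": t.findtext("Thread", ""),
            "log_text": t.findtext("LogText", ""),
            "exception": exc.splitlines()[0] if exc else "",   # first line only
            "exception_detail": exc,                            # full stack text
        })
    return records


def directory_server_failures(text: str) -> List[Dict[str, object]]:
    """Records whose exception reports the ITIM directory server as unreachable."""
    return [r for r in parse_trace_records(text)
            if DIRECTORY_FAILURE in str(r["exception_detail"]).lower()]


def ldap_endpoint(record: Dict[str, object]) -> Optional[str]:
    """The host:port the broker could not reach, from the 'Error: host:port' line."""
    m = re.search(r"^Error: (\S+)$", str(record["exception_detail"]), re.MULTILINE)
    return m.group(1) if m else None


def session_timeout_hints(text: str, window_ms: int = 30_000) -> List[Dict[str, object]]:
    """Pair each 'session timed out' record with the most recent directory server
    failure logged up to window_ms earlier (the pattern the slide describes)."""
    records = parse_trace_records(text)
    failures = [r for r in records if DIRECTORY_FAILURE in str(r["exception_detail"]).lower()]
    hints = []
    for r in records:
        if SESSION_TIMEOUT not in str(r["exception_detail"]).lower():
            continue
        earlier = [f for f in failures if 0 <= r["millis"] - f["millis"] <= window_ms]
        cause = earlier[-1] if earlier else None
        hints.append({
            "timeout_at": r["time"],
            "thread": r["thread"],
            "likely_cause": cause["exception"] if cause else None,
            "ldap_endpoint": ldap_endpoint(cause) if cause else None,
            "gap_ms": r["millis"] - cause["millis"] if cause else None,
        })
    return hints


if __name__ == "__main__":
    for h in session_timeout_hints(SAMPLE_TRACE):
        print(h)
```

A timeout with no paired directory failure in the window is the case to treat differently: it points away from LDAP and towards the session or authentication path itself.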

Miscellaneous reference documentation

• IGI tuning guide
  - http://www-01.ibm.com/support/docview.wss?uid=swg27049419

• IGI 5.2.2 Knowledge Center
  - https://www.ibm.com/support/knowledgecenter/SSGHJR_5.2.2/com.ibm.igi.doc/kc-homepage.html

• Cookbook for ISAM 9.0 and IGI 5.2.x
  - https://developer.ibm.com/identitydev/wp-content/uploads/sites/55/2017/04/ISAM9-IGI52-integration-Cookbook-v1.4.pdf

• https://developer.ibm.com/identitydev/deploy/#tabs-2
THANK YOU
FOLLOW US ON:

ibm.com/security

securityintelligence.com
xforce.ibmcloud.com

@ibmsecurity

youtube/user/ibmsecuritysolutions

© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any
statement of direction represents IBM's current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International
Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper
access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be
considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful,
comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products
or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.
