22.6 Turning on Logging for Policy Evaluation

Policy evaluation for roles occurs at Identity Server. For Authorization and Identity Injection policies, policy evaluation occurs on Embedded Service Provider (ESP) where the policy is enabled.

For the Form Fill policies, the evaluation and logging is done by ESP and the proxy service. To set the logging level on Access Gateway for the proxy service, see Enabling Form Fill Logging.

Logging for the policy evaluation done by ESP is controlled by the log settings of Identity Server configuration. To enable this type of logging:

  1. Click Devices > Identity Servers > Edit > Auditing and Logging.

    If you have set up more than one Identity Server configuration, select the configuration to which the other Access Manager components have been assigned.

  2. Select Enabled for File Logging.

  3. Select to echo the trace messages to the console: For Access Gateway or Identity Server, this sends the messages to the catalina.out file.

  4. (Optional) Specify a path for Identity Server log files.

  5. For policy evaluation tracing, set the Application level to info in Component File Logger Levels.

    If you are only troubleshooting policies at this time, do not select any other options. This reduces the amount of information recorded in the log files.

    To see the policy SOAP messages, you need to set the Application level to config.

  6. Update Identity Server.

  7. Click Auditing > General Logging.

    • For role evaluation traces, view Identity Server catalina.out file.

      If your Identity Servers are clustered, you need to look at the file from each Identity Server.

    • For Authorization, Form Fill, and Identity Injection evaluation traces, view the log file of ESP of the device that is protecting the resource.

      Access Gateway Appliance or Service: This is the catalina.out file of the Access Gateway where the protected resource is defined. If the Access Gateway is part of a cluster, you need to look at this file from each Access Gateway in the group.

      To view the actual ESP log file that contains only ESP log messages, see the nidp.*.xml files in the /var/opt/novell/tomcat/webapps/nesp/WEB-INF/logs directory (or the directory you specified in Step 4). Depending upon how you have configured File Wrap, the * portion of the filename contains the month, the week, the day, and the hour.

  8. To understand what you are looking for in the log file, continue with one of the following: