Recommended Resources
Abstract
Collecting data for Tivoli Access Manager (TAM) integration with IBM WebSphere Portal 6.1. Gathering this information before contacting IBM Support will help to understand the problem and save time analyzing the data.
Content
If you already contacted IBM Support and must collect data to determine the nature of a problem in WebSphere Portal, review the information below regarding data collection. Otherwise, review Collecting Data: Read first for WebSphere Portal.
Collecting Tivoli Access Manager integration specific information
Tivoli Access Manager is an external security manager that can be leveraged to provide the following services for WebSphere Portal:
-WebSEAL Single Sign-on (SSO) for authentication
-Protected Object Space and Access Control List Management for authorization
-Global Sign-on (GSO) lockbox credential vault integration
-Automatic user provisioning from WebSphere Portal self-registration to Tivoli Access Manager
Note: In addition to the Portal tracing described below, it is advisable to gather the pdweb.snoop and pdweb.debug tracing from the WebSEAL instance for authentication issues. See the link under Related information for instructions on setting such tracing.
Automated log collection is available for this information and is the recommended method for improving accuracy of the data collection.
IBM Support Assistant Lite
Download Tool | View Demo of Trace Collection
After downloading IBM Support Assistant Lite, perform the following steps to collect the data and send to IBM Support:
1. Extract the contents of the downloaded file to the <wp_profile_root>\PortalServer directory, which will create the subdirectory "ISALite" (e.g. c:\WebSphere\wp_profile\PortalServer\ISALite).
2. Run the runISALite.bat file (Windows) or runISALite.sh (UNIX or Linux) from the ISALite directory (e.g. c:\WebSphere\wp_profile\PortalServer\ISALite\runISALite.bat).
3. Once the tools starts, select the following Problem Type: WebSphere Portal->Security and Administration->Portal Integration with Tivoli Access Manager Problem.
4. Provide the output path and a file name of "<PMR #>.isalite.zip" (e.g. 22222,111,000.isalite.zip).
5. Click Collect Data and follow the series of dialog boxes to set the tracing, reproduce the issue, and send the files to IBM Support.
If you are unable to use IBM Support Assistant Lite for automatic log collection, use the following instructions for manually collecting the necessary information.
I. Enabling trace logging
Enable tracing during problem recreation in order to investigate the specific behavior of the component(s). Choose to enable either static or dynamic tracing and proceed with the steps accordingly. For further information regarding logging and tracing in the portal, refer to the Logging and Tracing topic in the WebSphere Portal 6.1 Information Center.
Option A: Enabling static (extended) tracing
Static tracing is the recommended method of capturing data, as it collects data from server startup until problem recreation.
1. Log into the Integrated Solutions Console as the WebSphere Application Server administrator.
2. Click Troubleshooting->Logs and Trace->WebSphere_Portal->Diagnostic Trace.
3. On the Configuration tab, ensure Enable Log is selected. On this same tab, ensure you increase the Maximum File Size and and Maximum Number of Historical Files as needed to ensure that the tracing of the problem recreation is not overwritten due to the amount of traffic on the system and output of the tracing itself.
4. Click Change Log Level Details and enter the following trace string:
Authentication
If experiencing an authentication issue, use the following trace string. For example, you would set this tracing if you log into TAM WebSEAL and rather than being redirected to the authenticated portal page, you receive the portal login page.
*=info:com.ibm.ws.security.*=all:com.ibm.wps.engine.*=all:
com.ibm.wps.services.authentication.*=all:com.ibm.ws.wim.*=all:
com.ibm.websphere.wim.*=all:com.ibm.wsspi.wim.*=all
Authorization
If experiencing an authorization issue when Tivoli Access Manager is set up to handle authorization for WebSphere Portal, use the following trace string:
*=info:com.ibm.wps.ac.esm.*=all:com.ibm.wps.ac.authtable.*=all
Credential Vault
If experiencing a Single Sign-On issue with a back-end application using the Credential Vault, use the following trace string:
*=info:com.ibm.wps.sso.*=all
5. Click OK and save the changes.
6. Restart the WebSphere_Portal application server.
Option B: Enabling dynamic tracing
Dynamic tracing can be used for situations that do not permit a server restart.
1. Log in as the Portal administrator.
2. Click Administration->Portal Analysis->Enable Tracing. The Enable Tracing portlet appears.
3. Type the required trace string into the field Append these trace settings:
[see step 4 under Option A for applicable trace string]
4. Click the Add icon. Enable Tracing updates the field Current trace settings.
Note: Restarting WebSphere Portal will remove traces that were set by using the Enable Tracing Administration portlet.
II. Collecting and submitting logs and configuration data
1. Reproduce the problem and immediately copy (if possible) the trace logs to prevent rolling over. Confirm that the timestamp for the issue is included in the trace logs, and then collect the following information for review:
- Step-by-step details of test case including screenshots, user ID, and approximate timestamps
- <WP_profile_root>/logs/WebSphere_Portal/SystemOut.log
- <WP_profile_root>/logs/WebSphere_Portal/SystemErr.log
- <WP_profile_root>/logs/WebSphere_Portal/trace.log (s)
- <WP_profile_root>/PortalServer/log/VersionInfo.log
- <WP_profile_root>/ConfigEngine/log/ConfigTrace.log
- <WP_profile_root>/ConfigEngine/properties/wkplc_comp.properties
- <WP_profile_root>/config/cells/<cellname>/security.xml
- <WP_profile_root>/config/cells/<cellname>/nodes/<nodename>/servers/WebSphere_Portal/resources.xml (located in /clusters/<cluster_name> for clustered server)
- <WP_profile_root>/config/cells/<cellname>/wim (including sub-directories)
- <WP_profile_root>/config/cells/<cellname>/fileRegistry.xml
- <WAS_root>/java/jre/PolicyDirector/PdPerm.properties
- <WEBSEAL_root>/etc/webseald-<webseal_instance_name>.conf
- WebSEAL junction XML files (include only those used to access Portal) from the junction database directory as defined in the [junction] stanza of webseald-<webseal_instance_name>.conf
Was this topic helpful?
Document Information
Modified date:
03 December 2021
UID
swg21312840