IBM Support

Collecting Data for ITAM: WebSEAL (network issues)

Product Documentation


Abstract

This document describes the specific data needed for problem determination for network issues, including certificate authentication issues, regarding the WebSEAL component of the IBM Tivoli Access Manager for e-Business product.

Content

  1. If there are multiple WebSEAL instances, and it is not possible to recreate the problem by using only a single WebSEAL instance, all data must be collected concurrently from all WebSEAL instances involved.
  2. Ensure that 'requests = yes' in the [logging] stanza, and 'text/html = -1' at the beginning of the [compress-mime-types] stanza, of the webseald.conf file. If the settings are changed, restart the WebSEAL instance.
  3. Create a 'traces' directory under the WebSEAL server var directory (/var/pdweb/www-default for the default instance), or in another temporary storage location, and make it writable by the WebSEAL user (ivmgr by default). If the directory exists, ensure that previous trace files have been removed. The full path to this directory is referred to as <traces>.
  4. Enable WebSEAL tracing.
    • pdadmin> server task <webseald-instance> trace set pdweb.debug 9 file path=<traces>/pdweb.debug.txt,rollover_size=100000000
    • pdadmin> server task <webseald-instance> trace set pdweb.snoop 9 file path=<traces>/pdweb.snoop.txt,rollover_size=100000000
  5. Start a network trace on the WebSEAL system.
    • NOTE: If multiple interfaces are used, traffic on each interface must be collected simultaneously. If limiting the collected traffic, the TCP traffic on the ports that WebSEAL and the backend servers use to listen for requests must be collected.
    • The Wireshark (formerly Ethereal) network protocol analyzer may be used to collect network traces on all Access Manager WebSEAL platforms. Native network trace utilities (such as AIX: iptrace, Solaris: snoop, Windows: Ethereal, Linux: Ethereal, HP-UX: nettl / nettladm) may also be used.
    • Additional information regarding network trace tools can be found at: http://www-01.ibm.com/support/docview.wss?uid=swg21175744
  6. Recreate the problem. If possible, use a new browser after clearing the browser cache.
  7. Stop the network trace.
  8. Wait 1 minute, then disable WebSEAL tracing.
    • pdadmin> server task <webseald-instance> trace set pdweb.debug 0
    • pdadmin> server task <webseald-instance> trace set pdweb.snoop 0
The following data must be collected in a compressed archive using the PMR number in the file name (<PMR number>.<branch>.<country code>-<date>.tar.gz, e.g., 99999.999.000-20070212.tar.gz):
  1. Information from the WebSEAL environment
    1. The output of the `pdversion`, and `gsk7ver` (TAM 6.1.1 and lower) or `gsk8ver_64` (ISAM 7.0.0) commands on the policy server system (all output should be captured as text, not as screen shots).
    2. The output of the `pdversion`, and `gsk7ver` (TAM 6.1.1 and lower) or `gsk8ver_64` (ISAM 7.0.0), and `/opt/pdweb/bin/webseald -version` commands on the WebSEAL server system.
    3. The webseald.conf file from the WebSEAL instance.
    4. The junction XML files from the junction-db directory specified in the webseald.conf file.
    5. The fsso.conf files for any FSSO junctions.
    6. If used, the jmt-map (jmt.conf) and/or dynurl-map (dynurl.conf) files specified in the webseald.conf file.
    7. If requested, the pd.conf and ldap.conf files from /opt/PolicyDirector/etc
  2. WebSEAL traces from the <traces> directory.
  3. Network traces, in raw/binary format.
  4. The requests-file (request.log), and server-log (msg__webseald.log) files specified in the webseald.conf file. If the server-log is large, please include only the last 30000 lines (`tail -30000 msg__webseald.log > msg__webseald-tail.log`). These logs must be concurrent with the WebSEAL traces.
  5. The WebSEAL user ID used to recreate the problem
  6. The IP address from the client system
  7. The time the problem was recreated
  8. The exact URI used for recreating the problem.

If traces have been submitted previously for the current PMR, only a single Access Manager WebSEAL environment is involved, and there have been no configuration changes, item 1 (Information from the WebSEAL environment) does not need to be collected.
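
The packaging step above, sketched as an added shell example (not part of IBM's document or tooling). The staging-directory layout and the function names are assumptions; the archive name pattern, the trace file names and the 30000-line limit come from the steps above.

```sh
#!/bin/sh
# Added example: staging layout and function names are assumptions, not IBM tooling.

# Print "<PMR number>.<branch>.<country code>-<date>.tar.gz"; fail on fields that
# are empty or not purely letters/digits, and on a date that is not 8 digits.
archive_name() {
    for part in "$1" "$2" "$3"; do
        case "$part" in
            ''|*[!A-Za-z0-9]*) return 1 ;;
        esac
    done
    case "$4" in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) return 1 ;;
    esac
    printf '%s.%s.%s-%s.tar.gz\n' "$1" "$2" "$3" "$4"
}

# Copy the server-log $1 to $2, keeping only the last 30000 lines when it is larger.
trim_server_log() {
    lines=$(wc -l < "$1")
    if [ "$((lines))" -gt 30000 ]; then
        tail -n 30000 "$1" > "$2"
    else
        cp "$1" "$2"
    fi
}

# Print the expected files that are absent from the staging directory $1.
missing_items() {
    for f in webseald.conf request.log traces/pdweb.debug.txt traces/pdweb.snoop.txt; do
        [ -e "$1/$f" ] || printf '%s ' "$f"
    done
    return 0
}

# package_mustgather <stage> <outdir> <pmr> <branch> <country> <date>
# Prints the archive path; refuses to package an incomplete collection.
package_mustgather() {
    name=$(archive_name "$3" "$4" "$5" "$6") || { echo "invalid PMR fields" >&2; return 1; }
    missing=$(missing_items "$1")
    [ -z "$missing" ] || { echo "missing: $missing" >&2; return 1; }
    # Traces and logs record request traffic, so keep the archive private to this user.
    ( umask 077; tar -czf "$2/$name" -C "$1" . ) || return 1
    printf '%s\n' "$2/$name"
}
```

The network traces, junction XML files and the remaining items from the list are copied into the staging directory before `package_mustgather` is called.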

The secure data upload methods from the Access Manager MustGather document should be used to submit the compressed archive for the PMR.

Product Synonym

ITAM;TAM;ITAM for ebu;ITAM for e-business;WebSeal;IBM Tivoli Access Manager for e-business;TAM for ebu

Document Information

Modified date:
17 June 2018

UID

swg27013231