Skip Headers
Oracle® Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager
Release 11g (11.1.1)

Part Number E14568-06
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Index
Index
Go to Master Index
Master Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
View PDF

L Rule and Fingerprint Logging

You can enable logging to help troubleshoot problems or test rules.

In Oracle Adaptive Access Manager, rule logs are captured during the execution of various policies and rules at the different checkpoints (such as Pre-Authentication, Post-Authentication, and others).

Oracle Adaptive Access Manager supports two rule logging options:

Time taken values are performance statistics and the length of time that the rule or policy took to execute.

Note:

On a production machine, you want to manage the amount of time logging is enabled since increasing the amount of logging may negatively affect performance.

L.1 Detailed Rule Logging

Detailed rule logging captures the time taken at each rule level.

L.1.1 Enabling Detailed Rule Logging

The steps to enable detailed rule logging are:

  1. In the Navigation tree, double-click Properties under Environment.

  2. Enter vcrypt.tracker.rules.trace.policySet in the Name field and click Search.

  3. In the Results table, select vcrypt.tracker.rules.trace.policySet.

  4. In the Details vcrypt.tracker.rules.trace.policySet section, enter true in the Value field.

  5. Click Save.

    A confirmation dialog is displayed.

  6. Click OK to dismiss the dialog.

  7. Specify checkpoint to log rules.

L.1.2 Specifying When to Log

The steps to specify the checkpoint in which to log are:

  1. In the Navigation tree, double-click Properties under Environment.

  2. Click the New Property button or the Create new property icon.

  3. Enter vcrypt.tracker.rules.trace.policySet.<checkpoint string value> in the Name field.

  4. Enter true in the Value field and click Create.

L.1.3 Configuring Detailed Logging Threshold Time

For detailed rule logging, you can configure a threshold time value, "x," so that logging is performed only if the time taken for the rule is greater than the threshold value.

To modify the threshold time after which the rule logging should begin, follow these steps:

  1. In the Navigation tree, double-click Properties under Environment.

  2. Enter vcrypt.tracker.rulelog.detailed.minMillis in the Name field and click Search.

  3. In the Results table, select vcrypt.tracker.rulelog.detailed.minMillis.

  4. In the Details vcrypt.tracker.rulelog.detailed.minMillis section, edit the value in the Value field.

  5. Click Save.

    A confirmation dialog is displayed.

  6. Click OK to dismiss the dialog.

If a policy takes more than "x" in milliseconds specified, Oracle Adaptive Access Manager starts the detailed rule logging.

L.1.4 Rule Logging Flow

In the next sections, the Post-Authentication checkpoint is used to illustrate rule logging.

In detailed rule logging, the flow is as follows:

  1. The Rules Engine checks for a vcrypt.tracker.rules.trace.policySet.<checkpoint string value> configuration.

    For example, vcrypt.tracker.rules.trace.policySet.postauth.

  2. If there is no configuration for vcrypt.tracker.rules.trace.policySet.postauth, the Rules Engine checks the value of vcrypt.tracker.rules.trace.policySet.

    By default, the value for vcrypt.tracker.rules.trace.policySet is set to "true".

The values of the two properties determine whether rule logging is enabled for a given checkpoint.

Refer to Section L.1.5, "Value Combinations" for details on value combinations that specify rule logging.

L.1.5 Value Combinations

If the logging configuration is explicitly set at the given checkpoint, the Rules Engine uses that value; otherwise, it uses the value of vcrypt.tracker.rules.trace.policySet.

The following matrix shows an example of how value combinations control logging during a specified checkpoint.

The Post-Authentication checkpoint is used in this example.

value of vcrypt.tracker.rules.trace.policySet.postauth value of vcrypt.tracker.rules.trace.policySet Will Rule logging be enabled for the postauth checkpoint?
true false yes
true true yes
true not set yes
false false no
false true no
false not set no
not set false no
not set true yes
not set not set yes

L.1.6 Logging Non-Triggered Rules

The properties to control the logging of rules that did not trigger are:

vcrypt.tracker.rules.trace.notTriggered=[true|false]
vcrypt.tracker.rules.trace.notTriggered.logMillis=[millis]

The value of vcrypt.tracker.rules.trace.notTriggered adds rules to log. If set to "true," rules that are not triggered are logged along with the triggered rules.

The value of vcrypt.tracker.rules.trace.notTriggered.logMillis narrows down which rules are logged.

If the rule execution for non-triggered rules exceeds the value of vcrypt.tracker.rules.trace.notTriggered.logMillis, only then will the Rules Engine log the non-triggered Rules.

L.1.6.1 Examples

The following table shows the property values that control what non-triggered rules are logged.

vcrypt.tracker.rules.trace.notTriggered vcrypt.tracker.rules.trace.notTriggered.logMillis Result
true n Logs the non-triggered Rules that took more than "n". If "n" is set to a negative value, all Rules are logged
false n None of the non-triggered Rules will be logged

L.2 Enabling Fingerprint Rule Logging

To enable or disable fingerprint rule logging, modify the following property

vcrypt.tracker.rulelog.fingerprint.enabled=true

L.3 Specifying Properties in Running Both Fingerprint and Detailed Logging

Properties can be set for

Specify Whether Fingerprint or Detailed Logging Runs

To set a property to determine if fingerprint or detailed logging runs, set

vcrypt.tracker.rulelog.exectime.maxlimit

If the value is exceeded, detailed logging is performed.

Specify to Include Other Limits

To include all specified properties in determining the use of both, set

vcrypt.tracker.rulelog.exectime.maxlimit=-1

Specify Not to Use Both

To specify to perform logging with both logging mechanisms (detailed and fingerprint), set

vcrypt.tracker.rulelog.logBoth

to true. The value overrides vcrypt.tracker.rulelog.exectime.maxlimit.

Configuring Fingerprint Logging Threshold Time

To modify the threshold time after which fingerprint rule logging should be used, set the following property in milliseconds:

vcrypt.tracker.rulelog.exectime.maxlimit=