Skip Headers
Oracle® Fusion Middleware Administrator's Guide for Oracle Access Management
11g Release 2 (11.1.2)

Part Number E27239-03
Go to Documentation Home
Home
Go to Table of Contents
Contents
Go to Index
Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
PDF · Mobi · ePub

6 Logging Component Event Messages

Logging is the mechanism by which components and services write messages to a log file to capture critical component events, process, and state information.

Administrators can configure logging to provide information at various levels of granularity using the same logging infrastructure and guidelines as any other component in Oracle Fusion Middleware 11g: java.util.logging (standard and available in all Java environments). The logging system writes output to flat files only. Logging to an Oracle Database instance is not supported.

Configuring logging and locating log files are the focus of this chapter. Diagnosing problems using the information in log files is outside the scope of this manual.

Note:

Unless explicitly stated, information in this chapter is the same whether you are using Access Manager, Identity Federation, or Security Token Service. You can also use a custom Oracle WebLogic Scripting Tool (WLST) command to change logging levels.

This chapter includes the following topics:

6.1 Prerequisites

Before you can perform tasks in this chapter ensure that the Oracle Access Management Console and a managed OAM Server are running.

Oracle recommends that you review the Chapter 5, "Managing Server Registration".

6.2 Introduction to Logging Component Event Messages

The logging infrastructure records messages that can be used for problem diagnosis. Security Token Service is a J2EE Web application, part of the Access Manager J2EE Application. Both use OJDL for logging purposes. Security Token Service captures the interactions between itself and Partners with timestamps.The Administrator controls the amount of information that is logged in a message by specifying log levels for each component for which a logger is defined.

Note:

Generally, you enable logging to produce files that you send to Oracle Technical Support for problem diagnosis. Documentation for log messages is not available. In some cases, you might be able to diagnose problems on your own by reading log files.

Oracle Access Management makes use of the files in Table 6-1.

Table 6-1 Logging Files

File Type Description

Logging Configuration File

Provides logging level and other configuration information for logging. This file is stored in the following path:

DOMAIN_HOME/config/fmwconfig/servers/SERVER-NAME/logging.xml

Note: By default, Security Token Service and Identity Federation messages are logged in the OAM Server's log file. However, for convenience, you can edit logging.xml to direct Security Token Service or Identity Federation information to a separate log file, as described in "Configuring Logging for Security Token Service and Identity Federation".

Log File

Logged information is stored in the following location:

DOMAIN_HOME/servers/SERVER-NAME/logs/ SERVER-NAME-diagnostics.log


Oracle Access Management uses the WebLogic container's logging defaults in Table 6-2.

Table 6-2 Logging Defaults


Description

Events

The following events are logged automatically:

  • OAM Server events (managed run-time servers)

  • Administrative events (generated for configuration changes made using the console)

Levels

By default, the log level for all Oracle Access Management components is the Notification level. Logging at the Error level produces a small amount of output while other log levels can result in voluminous logging output, which can impact performance. In production environments, logging is usually either disabled or the log level is set to a level that results in a small volume of logging output (the error level, for example).


For more information, see:

See Also:

6.2.1 About Component Loggers

This section introduces component loggers for Security Token Service and Access Manager. There are differences.

Security Token Service has only a single logger: oracle.security.fed. For more information, see "Configuring Logging for Security Token Service and Identity Federation".

Each Access Manager component is associated with its own logger name, as listed in the following tables:

Table 6-3 Oracle Access Management Server-Side Component Loggers

Component Name OAM Logger Name Description

Protocol Binding

oracle.oam.binding

Responsible for marshalling/unmarshalling wire protocol request and response to a Java Object representation.

SSO Controller

oracle.oam.controller.sso

Responsible for managing the user session lifecycle and orchestrating the SSO and logout flows.

OAM Proxy

oracle.oam.proxy.oam

Responsible for interacting with OAM Webgates by marshalling/unmarshalling OAP protocol requests and responses and performing the data/message transformation necessary to help the OAM Server process OAP requests/responses.

OSSO Proxy

oracle.oam.proxy.osso

Responsible for interacting with OSSO Agents by marshalling/unmarshalling requests and responses and doing the data/message transformation necessary to help the OAM Server process mod_osso requests/responses.

OpenSSO Proxy

oracle.oam.proxy.opensso

Responsible for interacting with OpenSSO Web and Java Agents by marshalling/unmarshalling requests and responses and performing the data/message transformation necessary to help the OAM Server process OpenSSO agent requests/responses.

Credential Collector

oracle.oam.credcollector

Responsible for interacting with the user to acquire the necessary information required by the Authentication Scheme.

Remote Registration of Partners

oracle.oam.engine.remotereg

Responsible for registering partners with the OAM Server and managing associated protected policies.

Oracle Access Management Console

oracle.oam.admin.console

Console that supports administration and monitoring of the Access Management deployment.

Admin-Service Config

oracle.oam.admin.service.config

Module used by the UI Console to manage the configuration.

Diagnostics and Monitoring

oracle.oam.diag

Provides instrumentation used by the OAM Server components to enable Diagnostic and Monitoring.


Table 6-4 Oracle Access Management Shared-Service Engine Component Loggers

Component Name OAM Logger Name Description

Authentication Engine

oracle.oam.engine.authn

Supports establishing the identity of the user by validating the credentials and other data as required by the specified Authentication scheme.

Policy Service Engine

oracle.oam.engine.policy

Supports management of Authentication, Authorization and Token Issuance Policies. In addition, it also provide a policy decision service to support runtime processing.

Session Management Engine

oracle.oam.engine.session

Supports managing user session and token context information with support for user/administrator-initiated and time-out based events.

Token Engine

oracle.oam.engine.token

Supports managing the entire token life cycle from generation to cancellation.

SSO Engine

oracle.oam.engine.sso

Supports the single sign-on experience by managing the lifecycle of the user login session(s).

PartnerTrustMetadata Engine

oracle.oam.engine.ptmetadata

Supports management of partner metadata and trust information.

Authorization Engine

oracle.oam.engine.authz

Wrapper that provides methods that map directly to OAP runtime request operations.


Table 6-5 Oracle Access Management Foundation API Component Loggers

Component Name OAM Logger Name Description

Session Access

oracle.oam.session.access

** Not useful unless your are decompiling code.

Session Access Implementation

oracle.oam.session.accessimpl

** Not useful unless your are decompiling code.

Policy Access

oracle.oam.policy.access

** Not useful unless your are decompiling code.


6.2.2 Sample Logger and Log Handler Definition

This topic provides a sample for Access Manager only.

Note:

Security Token Service has only one logger and log handler, as described in "Configuring Logging for Security Token Service and Identity Federation".

Example 6-1 illustrates the configuration of an Access Manager logger and a log handler in the file logging.xml.

Example 6-1 Configuring Access Manager Loggers and Log Handlers

<logging_configuration>

  <log_handlers>
    <log_handler name='oam-handler' class='oracle.core.ojdl.logging.
    ODLHandlerFactory'>
      <property name='path' value='oam/diagnostic'/>
      <property name='maxFileSize' value='10485760'/>
      <property name='maxLogSize' value='104857600'/>
    </log_handler>
  </log_handlers>

  <loggers>
    <logger name='oracle.security.am' level='NOTIFICATION:1'>
      <handler name='oam-handler'/> 
      ...
    </logger>
  </loggers>

</logging_configuration>

See Also:

For more information about Java EE application logging, see Appendix I, section I.1.1, in Oracle Fusion Middleware Application Security Guide.

6.2.3 About Logging Levels

This topic applies to Oracle Access Management.

The amount of data output by a logger is controlled by its level; the higher the level, the more information is logged. The level of a logger is specified with the element <logger> in the file logging.xml with the following format:

<logger name="loggerName" level="notifLevel"/>

where loggerName is a logger name (see "About Component Loggers"), and notifLevel is either an ODL message level or a Java message level.

Table 6-6 shows the correspondence between ODL message levels and Java message levels, in increasing order:

Table 6-6 Mapping of ODL to Java Levels

ODL Message Level Java Message Level

INCIDENT_ERROR:1

SEVERE.intValue()+100

ERROR:1

SEVERE (logs exceptions)

WARNING:1

WARNING (logs exceptions)

NOTIFICATION:1

INFO (default)

NOTIFICATION:16

CONFIG

NOTIFICATION:32

INFO and CONFIG

TRACE:1

FINE (occasionally recommended in production environments)

TRACE:16

FINER (not recommended in production environments)

TRACE:32

FINEST (not recommended in production environments)


Any other Java level value not listed above (that is, one outside the interval [SEVERE.intValue()+100 - FINEST] is mapped to the ODL level UNKNOWN.

Note:

if you define a filter to log messages at the finest level for the oracle.security.fed package and sub-package (classes for Security Token Service), after restarting the server you would see logs for the OAM Server. For more information, see "Configuring Logging for Security Token Service and Identity Federation".

6.3 Configuring Logging for Access Manager

This section describes tasks for only Access Manager.

There is no graphical user interface available to change logger levels; only WLST commands can be used. This section provides the following topics:

6.3.1 Modifying the Logger Level for Access Manager

Administrators can use custom WLST commands for Access Manager to change logger settings as described in the following procedure. Your deployment and choices will be different.

Note:

Use the WLST command help("fmw diagnostics").

To modify the OAM logger level

  1. Confirm that the OAM Server is running.

  2. Acquire the custom WLST script for Access Manager. For example:

    ORACLE_HOME/common/bin/wlst.sh
    
  3. Connect to the WebLogic Server and log in as the WebLogic Administrator. For example:

    sh wlst.sh wls:/offline> connect adminID password
    
  4. List available loggers for the OAM Server. For example:

    wls:/base_domain/serverConfig> listLoggers(pattern="oracle.oam.*",target="oam_
    server1")
    

    Here pattern= represents the oam.controller component and target= represents the desired OAM Server as it was specified during registration.

  5. View the list of Access Manager loggers associated with this OAM Server. For example:

    Logger                                      | Level
    --------------------------------------------+-----------------
    oracle.oam                                  | <Inherited>
    oracle.oam.admin.foundation.configuration   | <Inherited>
    oracle.oam.agent-default                    | <Inherited>
    oracle.oam.audit                            | <Inherited>
    oracle.oam.binding                          | <Inherited>
    oracle.oam.commonutil                       | <Inherited>
    oracle.oam.config                           | <Inherited>
    oracle.oam.controller                       | <Inherited>
    oracle.oam.default                          | <Inherited>
    oracle.oam.diagnostic                       | <Inherited>
    oracle.oam.engine.authn                     | <Inherited>
    oracle.oam.engine.authz                     | <Inherited>
    oracle.oam.engine.policy                    | <Inherited>
    oracle.oam.foundation.access                | <Inherited>
    oracle.oam.idm                              | <Inherited>
    oracle.oam.idm                              | <Inherited>
    oracle.oam.idm                              | <Inherited>
    oracle.oam.user.identity.provider           | <Inherited>
    
  6. Modify the log level based on your requirements. For example, this sequence changes the log level of the oam.controller to TRACE:32 with no persistence:

    wls:/base_domain/serverConfig> domainRuntime()
    wls:/base_domain/domainRuntime> setLogLevel(logger="oracle.oam.controller", 
    level="TRACE:32", persist="0", target="oam_server1")
    
  7. Repeat step 4 to list the loggers again and verify the log level change. For example:

    wls:/base_domain/serverConfig> listLoggers(pattern="oracle.oam.*",target="oam_
    server1")
    
    Logger                                      | Level
    --------------------------------------------+-----------------
    oracle.oam                                  | <Inherited>
    oracle.oam.admin.foundation.configuration   | <Inherited>
    oracle.oam.agent-default                    | <Inherited>
    oracle.oam.audit                            | <Inherited>
    oracle.oam.binding                          | <Inherited>
    oracle.oam.commonutil                       | <Inherited>
    oracle.oam.config                           | <Inherited>
    oracle.oam.controller                       | TRACE:32
    oracle.oam.default                          | <Inherited>
    oracle.oam.diagnostic                       | <Inherited>
    oracle.oam.engine.authn                     | <Inherited>
    oracle.oam.engine.authz                     | <Inherited>
    oracle.oam.engine.policy                    | <Inherited>
    oracle.oam.foundation.access                | <Inherited>
    oracle.oam.idm                              | <Inherited>
    oracle.oam.idm                              | <Inherited>
    oracle.oam.idm                              | <Inherited>
    oracle.oam.user.identity.provider           | <Inherited>
    
  8. Verify the generated log file to confirm the controller is logged at the TRACE:32 level:

    DOMAIN_HOME/server/SERVER_INSTNCE_NAME/logs/
    
  9. Proceed to "Validating Run-time Event Logging Configuration".

6.3.2 Adding an Access Manager-Specific Logger and Log Handler

Administrators can use the following procedure to specify a log file path and necessary attributes.

In the following procedure, you will identify the target OAM Server, rotation and retention periods, a path to the log file, the handler, and logger. Your deployment and choices will be different.

Note:

Use the WLST command help("fmw diagnostics") to get more information.

Skip steps 1 through 3 if the following items are true:

  • The OAM Server is running

  • You have the WLST script

  • You have connected to the server and logged in

To specify the OAM logger, level, and log handler

  1. Confirm that the OAM Server is running.

  2. Acquire the WLST script. For example:

    $ORACLE_HOME/common/bin/wlst.sh
    
  3. Connect to the WebLogic Server and log in as the WebLogic Administrator. For example:

    sh wlst.sh wls:/offline> connect
    
  4. Add an Access Manager logger and level for the OAM Server. For example:

    wls:/base_domain/serverConfig> domainRuntime()
    wls:/base_domain/domainRuntime> setLogLevel(logger="oracle.oam", 
    level="WARNING", persist="0", target="oam_server1")
    
  5. Add a custom log handler and associate it with the Access Manager logger. For example:

    wls:/base_domain/domainRuntime> configureLogHandler(name="oam-log-handler", 
    target="oam_server1", rotationFrequency="daily", retentionPeriod="week", path="${domain.home}/oamlogs" , maxFileSize ="10485760", maxLogSize = "104857600", addHandler="true", handlerType="oracle.core.ojdl.logging
    .ODLHandlerFactory", addToLogger="oracle.oam")
    
    wls:/base_domain/domainRuntime>configureLogHandler(name="oam-log-handler", 
    addProperty="true", propertyName="supplementalAttributes", propertyValue=
    "OAM.USER, OAM.COMPONENT", target="oam_server1")
    
  6. Verify all the logs in the $DOMAIN_HOME/oamlogs directory:

    $DOMAIN_HOME/oamlogs/ 
    

6.4 Configuring Logging for Security Token Service and Identity Federation

By default Security Token Service and Identity Federation messages are logged into the OAM Server's log files. You can view and configure logs in Fusion Middleware Control. However, you can also edit logging.xml and direct Security Token Service and Identity Federation information to a separate log file, as described here.

The files that are involved include:

Security Token Service and Identity Federation do not categorize log handlers as Access Manager does. Instead, there is only one logger that affects the log levels for Security Token Service and Identity Federation. Table 6-7 provides details for this logger, which are required in the WLST command.

Table 6-7 Oracle Security Token Service and Identity Federation Loggers

Component Name Logger Name Log Handler Name Log Class

Security Token Service or Identity Federation

oracle.security.fed

stsfed-handler

class=oracle.core.ojdl.logging.ODLHandlerFactory


For details, see:

See Also:

6.4.1 Configuring Logging for Security Token Service or Identity Federation

Administrators can use the following procedure to separate Security Token Service or Identity Federation log messages from OAM Server message logs.

To configure logging for Security Token Service or Identity Federation

  1. Locate and open logging.xml: DOMAIN_HOME/config/fmwconfig/servers/SERVER-NAME/logging.xml.

  2. Add the following to create the independent message log for Security Token Service:

    <log_handler name='stsfed-handler' class='oracle.core.ojdl.logging.ODLHand
    lerFactory'>
          <property name='path' value='sts/log'/>
          <property name='maxFileSize' value='10485760'/>
          <property name='maxLogSize' value='104857600'/>
        </log_handler>
    
    <logger name='oracle.security.fed' level='TRACE:32'>
          <handler name='stsfed-handler'/>
        </logger>
    
  3. Save the file.

  4. Proceed with "Defining Log Level and Log Details for Security Token Service or Identity Federation".

6.4.2 Defining Log Level and Log Details for Security Token Service or Identity Federation

Administrators can use custom WLST commands for Oracle Access Management to change logger settings for Security Token Service as described here. This specifies an independent output file for only Security Token Service log messages.

This sample procedure for Security Token Service logging is very similar to the one for Access Manager. However, there are a few differences. Your deployment choices will be different.

Note:

Use the WLST command help("fmw diagnostics").

Skip steps 1 through 3 if the following items are true:

  • The OAM Server is running

  • You have the WLST script

  • You have connected to the server and logged in

To modify the logger level and log file for Security Token Service

  1. Confirm that the OAM Server is running.

  2. Acquire the custom WLST script for Oracle Access Management:

    ORACLE_HOME/common/bin/wlst.sh
    
  3. Connect to the WebLogic Server and log in as the WebLogic Administrator. For example:

    sh wlst.sh wls:/offline> connect adminID password
    
  4. Modify the log level of oracle.security.fed based on your requirements. For example, this sequence changes the log level to WARNING with no persistence:

    wls:/base_domain/serverConfig> domainRuntime()
    wls:/base_domain/domainRuntime> setLogLevel(logger="oracle.security.fed", 
    level="WARNING", persist="0", target="oam_server1")
    
  5. Specify the target OAM Server, as well as rotation and retention periods, path to the log file, the handler, and logger. For example:

    wls:/base_domain/domainRuntime> configureLogHandler(name="osts-log-handler",  
    target="oam_server1", rotationFrequency="daily", retentionPeriod="week", 
    path="${domain.home}/ostslogs", maxFileSize ="10485760", maxLogSize  
    ="104857600", addHandler="true",handlerType="oracle.core.ojdl.logging.ODL 
    HandlerFactory", addToLogger="oracle.security.fed")
    
  6. Verify the generated log file to confirm the controller is logged at the WARNING level:

    DOMAIN_HOME/ostslogs/SERVER-NAME-diagnostics.log 
     DOMAIN_HOME/oiflogs/SERVER-NAME-diagnostics.log 
    
  7. Proceed to "Validating Run-time Event Logging Configuration".

6.5 Validating Run-time Event Logging Configuration

You can use the following procedure to test your run-time event logging configuration.

Prerequisites

To validate run-time event logging

  1. In a browser, enter the URL to a protected resource and sign in using an invalid credential.

  2. Sign in again using the proper credential.

  3. On the physical server, verify all the logs appear in:

    DOMAIN_HOME/oamlogs/
    DOMAIN_HOME/ostslogs/SERVER-NAME-diagnostics.log
    DOMAIN_HOME/oiflogs/SERVER-NAME-diagnostics.log
    
  4. Open the log file and look for the last entries to confirm authentication failure and success, respectively.