| Skip Navigation Links | |
| Exit Print View | |
|
Oracle Identity Synchronization for Windows 6.0 Deployment Planning Guide |
| Skip Navigation Links | |
| Exit Print View | |
|
|
Oracle Identity Synchronization for Windows 6.0 Deployment Planning Guide |
2. Case Study: Deploying in a Multimaster Replication Environment
3. Case Study: Deploying in a High-Availability Environment Over a Wide Area Network Using SSL
A. Pluggable Authentication Modules
B. Identity Manager and Identity Synchronization for Windows Cohabitation
Connector Layers - Accessor, Controller, and Agent
Changing Central Logs File Location
Changing Component Logs File Location
Isolating Problems in Directory Server
Isolating Problems in Message Queue
Most of the Identity Synchronization for Windows components have debug logging capability. This section describes how to enable debug logging for each component.
Using debug logging to isolate a problem can be a time-consuming process. Be sure to read Chapter 7, Troubleshooting Identity Synchronization for Windows, in Sun Java System Directory Server Enterprise Edition 6.1 Troubleshooting Guide before using this method.
To enable debug logging in one of the Java components (connector, System Manager, or Central Logger), edit the process's command line in the WatchList.properties file to include the -Dcom.sun.directory.wps.flags.Flags.DBG=true flag, and restart the Identity Synchronization for Windows daemon (on Solaris) or service (on Windows). For example, debug logging for the CNN101 Connector has been enabled in the following example. The existing entry for the CNN101 Connector in the /var/opt/SUNWisw/resources/WatchList.properties file is shown below.
process.name[2]=CNN101
process.command[2]=/usr/java/bin/java -Xmx256m -Xrs -DimqConnectionType=TLS
-Djava.library.path=/opt/SUNWisw/lib:/usr/lib/mps/secv1
-Djava.util.logging.config.file=/var/opt/SUNWisw/resources/Log.properties
-Dcom.sun.directory.wps.logging.directory=/var/opt/SUNWisw/logs/CNN101
-DPSWHOME=/var/opt/SUNWisw -DWPSCNFG=resources
-classpath /opt/SUNWisw/lib/common.jar:/opt/SUNWisw/lib/connector.jar:
/opt/SUNWisw/lib/db.jar:/opt/SUNWisw/lib/ldapjdk.jar:
/opt/SUNWisw/lib/manager.jar:
/opt/SUNWisw/lib/registry.jar:
/opt/SUNWisw/lib/watchdog.jar:
/var/opt/SUNWisw/resources:/opt/SUNWisw/locale/resources:
/usr/share/lib/jms.jar:/usr/share/lib/imq.jar:
/usr/share/lib/mps/secv1/jss3.jar:
/usr/sfw/share/lib/xerces-200.jar:. com.sun.directory.wps.controller.
AgentHarness CNN101
process.delay[2]=120000
process.interval[2]=60000
Note - The idsync printstat command provides information about the Connector ID and the installation location, which can be used to find the correct entry in the WatchList.properties list.
In the following example, the command line entry for this connector has been edited to include the special debug option. It is safest to include this option as the first JVM option.
process.name[2]=CNN101
process.command[2]=/usr/java/bin/java
-Dcom.sun.directory.wps.flags.Flags.DBG=true
-Xmx256m -Xrs -DimqConnectionType=TLS
-Djava.library.path=/opt/SUNWisw/lib:/usr/lib/mps/secv1
-Djava.util.logging.config.file=/var/opt/SUNWisw/resources/Log.properties
-Dcom.sun.directory.wps.logging.directory=/var/opt/SUNWisw/logs/CNN101
-DPSWHOME=/var/opt/SUNWisw -DWPSCNFG=resources
-classpath /opt/SUNWisw/lib/common.jar:/opt/SUNWisw/lib/connector.jar:
/opt/SUNWisw/lib/db.jar:/opt/SUNWisw/lib/ldapjdk.jar:
/opt/SUNWisw/lib/manager.jar:/opt/SUNWisw/lib/registry.jar:
/opt/SUNWisw/lib/watchdog.jar:/var/opt/SUNWisw/resources:
/opt/SUNWisw/locale/resources:/usr/share/lib/jms.jar:
/usr/share/lib/imq.jar:/usr/share/lib/mps/secv1/jss3.jar:
/usr/sfw/share/lib/xerces-200.jar:.
com.sun.directory.wps.controller.AgentHarness CNN101
process.delay[2]=120000
process.interval[2]=60000
After enabling this option, stop and start the Identity Synchronization for Windows daemon (on Solaris) or service (on Windows) so that the changes take effect.
To prevent conflicts with Message Queue, wait thirty seconds after stopping the Identity Synchronization for Windows daemon or service before restarting it. Once the process starts, it will write three new logs, logs/CNN101/debug.log, logs/CNN101/debugErrors.log, andogs/CNN101/resyncDebug.log.
debug.log— Includes all debug log messages, as well as all log messages from the audit log file.
debugErrors.log— Includes all debug, warning, and error messages, as well as all messages from the error log file.
resyncDebug.log— Includes all resynchronization log messages that are normally only sent to the central log
Enabling debug logging has an impact on performance and security. Debug logging can generate trace level information that consumes more disk space than audit logs, requires additional processor cycles that can reduce throughput. Although no sensitive information is ever written to the audit log, the debug log might include sensitive information such as passwords.
Unlike audit logging, the amount of information in the debug log is not controlled by the global log level in the console. Instead, debug logging is controlled by the Log.properties file located in the resources/ directory. The primary settings that can be changed in this file are log levels. The log levels for the debug logging behave identical to the setting for the audit logs but give more fine-grained control.
The com.sun.directory.wps.logging.debugLogger.loggerLevel = FINE line in Log.properties sets the default log level to FINE, but individual components change the log level to increase or decrease the default amount of logging. In general, the defaults provided in this file will produce an adequate amount of debug logging without populating the log with unnecessary information.
In Java Components summarizes the component-level debug log levels (In the Component column, com.sun.directory.wps.logging.DebugLogger.prefix is implied):
Table C-1 Component-Level Debug Log Levels
|
These log levels can be changed by editing the Log.properties files. The changes will be reflected after a restart.
Note - All messages that appear in the audit log file also appear in the debug log file to facilitate correlation of events between the logs.
The installer and uninstaller can be configured to write extra debugging information to the installer log file, for example, Identity_Synchronization_for_Windows_install-20041025035143.log, by setting the ISW_DEBUG_INSTALL environment variable to true before starting the installer.
On Solaris, the installer log files are written to the /var/sadm/install/logs directory.
On Windows, these log files are written to a temporary directory, which is controlled with the %TEMP% environment variable.
For example:
bash-2.05# export ISW_DEBUG_INSTALL=true bash-2.05# ./runInstaller.sh
Note - Secure information such as passwords might appear in the installer log file when debug logging is enabled.
The console logs some information to the central log, but most information is only logged if the console is started with the -D option to enable debug logging. The -D option accepts a single argument which controls the amount of logging to generate. It varies from 1 (least) to 9 (most). By default, the logging information is only written to stderr, but it can also be redirected to a file using the -f option, for example:
bash-2.05# ./startconsole -D 7 -f /tmp/console.log
|