Generally, you enable logging to produce files that you send to Oracle Technical Support for problem diagnosis. Documentation for log messages is not available. In some cases, you might be able to diagnose problems on your own by reading log files.
Oracle Access Management makes use of the files in Table 7-1.
Table 7-1 Logging Files
| File Type | Description |
|---|---|
|
Logging Configuration File |
Provides logging level and other configuration information for logging. This file is stored in the following path: $DOMAIN_HOME/config/fmwconfig/servers/SERVER-NAME/logging.xml Note: By default, Security Token Service and Identity Federation messages are logged in the OAM Server's log file. However, for convenience, you can edit logging.xml to direct Security Token Service or Identity Federation information to a separate log file, as described in "Configuring Logging for Security Token Service and Identity Federation". |
|
Log File |
Logged information is stored in the following location: $DOMAIN_HOME/servers/SERVER-NAME/logs/ SERVER-NAME-diagnostics.log |
Oracle Access Management uses the WebLogic container's logging defaults in Table 7-2.
Table 7-2 Logging Defaults
| Log Type | Description |
|---|---|
|
Events |
The following events are logged automatically:
|
|
Levels |
By default, the log level for all Oracle Access Management components is the Notification level. Logging at the Error level produces a small amount of output while other log levels can result in voluminous logging output, which can impact performance. In production environments, logging is usually either disabled or the log level is set to a level that results in a small volume of logging output (the error level, for example). |
For more information, see:
See Also:
Monitoring Performance and Logs with Fusion Middleware Control for details about how you can configure and view logs using Fusion Middleware Control
Logging information in the Securing Applications with Oracle Platform Security Services
The component loggers for Security Token Service and Access Manager are different.
Security Token Service has only a single logger: oracle.security.fed. For more information, see "Configuring Logging for Security Token Service and Identity Federation".
Each Access Manager component is associated with its own logger name, as listed in the following tables:
Table 7-3 Oracle Access Management Server-Side Component Loggers
| Component Name | OAM Logger Name | Description |
|---|---|---|
|
Protocol Binding |
oracle.oam.binding |
Responsible for marshalling/unmarshalling wire protocol request and response to a Java Object representation |
|
SSO Controller |
oracle.oam.controller.sso |
Responsible for managing the user session lifecycle and orchestrating the SSO and logout flows |
|
OAM Proxy |
oracle.oam.proxy.oam |
Responsible for interacting with OAM Webgates by marshalling/unmarshalling OAP protocol requests and responses and performing the data/message transformation necessary to help the OAM Server process OAP requests/responses |
|
OSSO Proxy |
oracle.oam.proxy.osso |
Responsible for interacting with OSSO Agents by marshalling/unmarshalling requests and responses and doing the data/message transformation necessary to help the OAM Server process mod_osso requests/responses |
|
OpenSSO Proxy |
oracle.oam.proxy.opensso |
Responsible for interacting with OpenSSO Web and Java Agents by marshalling/unmarshalling requests and responses and performing the data/message transformation necessary to help the OAM Server process OpenSSO agent requests/responses |
|
Credential Collector |
oracle.oam.credcollector |
Responsible for interacting with the user to acquire the necessary information required by the Authentication Scheme |
|
Remote Registration of Partners |
oracle.oam.engine.remotereg |
Responsible for registering partners with the OAM Server and managing associated protected policies |
|
Oracle Access Management Console |
oracle.oam.admin.console |
Console that supports administration and monitoring of the Access Management deployment |
|
Admin-Service Config |
oracle.oam.admin.service.config |
Module used by the UI Console to manage the configuration |
|
Diagnostics and Monitoring |
oracle.oam.diag |
Provides instrumentation used by the OAM Server components to enable Diagnostic and Monitoring |
Table 7-4 Oracle Access Management Shared-Service Engine Component Loggers
| Component Name | OAM Logger Name | Description |
|---|---|---|
|
Authentication Engine |
oracle.oam.engine.authn |
Supports establishing the identity of the user by validating the credentials and other data as required by the specified Authentication scheme |
|
Policy Service Engine |
oracle.oam.engine.policy |
Supports management of Authentication, Authorization and Token Issuance Policies. In addition, it also provide a policy decision service to support runtime processing |
|
Session Management Engine |
oracle.oam.engine.session |
Supports managing user session and token context information with support for user/administrator-initiated and time-out based events |
|
Token Engine |
oracle.oam.engine.token |
Supports managing the entire token life cycle from generation to cancellation |
|
SSO Engine |
oracle.oam.engine.sso |
Supports the single sign-on experience by managing the lifecycle of the user login session(s) |
|
PartnerTrustMetadata Engine |
oracle.oam.engine.ptmetadata |
Supports management of partner metadata and trust information |
|
Authorization Engine |
oracle.oam.engine.authz |
Wrapper that provides methods that map directly to OAP runtime request operations |
Table 7-5 Oracle Access Management Foundation API Component Loggers
| Component Name | OAM Logger Name | Description |
|---|---|---|
|
Session Access |
oracle.oam.session.access |
** Not useful unless your are decompiling code |
|
Session Access Implementation |
oracle.oam.session.accessimpl |
** Not useful unless your are decompiling code |
|
Policy Access |
oracle.oam.policy.access |
** Not useful unless your are decompiling code |
Here is a sample logger and a log handler for Access Manager only.
Security Token Service has only one logger and log handler, as described in "Configuring Logging for Security Token Service and Identity Federation".
Following example illustrates the configuration of an Access Manager logger and a log handler in the file logging.xml.
<logging_configuration>
<log_handlers>
<log_handler name='oam-handler' class='oracle.core.ojdl.logging.
ODLHandlerFactory'>
<property name='path' value='oam/diagnostic'/>
<property name='maxFileSize' value='10485760'/>
<property name='maxLogSize' value='104857600'/>
</log_handler>
</log_handlers>
<loggers>
<logger name='oracle.security.am' level='NOTIFICATION:1'>
<handler name='oam-handler'/>
...
</logger>
</loggers>
</logging_configuration>
See Also:
For more information about Java EE application logging, see Appendix I, section I.1.1, in Securing Applications with Oracle Platform Security Services.
InOracle Access Management, the amount of data output by a logger is controlled by its level; the higher the level, the more information is logged.
The level of a logger is specified with the element <logger> in the file logging.xml with the following format:
<logger name="loggerName" level="notifLevel"/>
where loggerName is a logger name (see "Component Loggers for Security Token Service and Access Manager"), and notifLevel is either an ODL message level or a Java message level.
Table 7-6 shows the correspondence between ODL message levels and Java message levels, in increasing order:
Table 7-6 Mapping of ODL to Java Levels
| ODL Message Level | Java Message Level |
|---|---|
|
INCIDENT_ERROR:1 |
SEVERE.intValue()+100 |
|
ERROR:1 |
SEVERE (logs exceptions) |
|
WARNING:1 |
WARNING (logs exceptions) |
|
NOTIFICATION:1 |
INFO (default) |
|
NOTIFICATION:16 |
CONFIG |
|
NOTIFICATION:32 |
INFO and CONFIG |
|
TRACE:1 |
FINE (occasionally recommended in production environments) |
|
TRACE:16 |
FINER (not recommended in production environments) |
|
TRACE:32 |
FINEST (not recommended in production environments) |
Any other Java level value not listed above (that is, one outside the interval [SEVERE.intValue()+100 - FINEST] is mapped to the ODL level UNKNOWN.
Note:
If you define a filter to log messages at the finest level for the oracle.security.fed package and sub-package (classes for Security Token Service), after restarting the server you would see logs for the OAM Server. For more information, see "Configuring Logging for Security Token Service and Identity Federation".