7.4 Configuring Logging for Security Token Service and Identity Federation

By default, Security Token Service and Identity Federation messages are logged in the OAM Server's log files.

You can view and configure these logs in Fusion Middleware Control. However, you can also edit logging.xml and direct Security Token Service and Identity Federation information to a separate log file, as described in this section. The files involved in this procedure are:

  • Logging Configuration File: Provides logger names and other configuration information for logging. This file is stored in: $DOMAIN_HOME/config/fmwconfig/servers/SERVER-NAME/logging.xml.

  • Log File: $DOMAIN_HOME/ostslogs/SERVER-NAME-diagnostics.log, for example.

Security Token Service and Identity Federation do not categorize log handlers as Access Manager does. Instead, a single logger controls the log level for both Security Token Service and Identity Federation. Table 7-7 lists the logger, handler and handler class names that the WLST commands in this section require.

Table 7-7 Oracle Security Token Service and Identity Federation Loggers

  Component Name:    Security Token Service or Identity Federation
  Logger Name:       oracle.security.fed
  Log Handler Name:  stsfed-handler
  Log Class:         oracle.core.ojdl.logging.ODLHandlerFactory


7.4.1 Configuring Logging for Security Token Service or Identity Federation

Administrators can separate Security Token Service or Identity Federation log messages from OAM Server message logs.

To configure:

  1. Locate and open logging.xml: $DOMAIN_HOME/config/fmwconfig/servers/SERVER-NAME/logging.xml.
  2. Add the following to create the independent message log for Security Token Service and Identity Federation. Place the log_handler element inside the existing <log_handlers> element and the logger element inside <loggers>:
     <log_handler name='stsfed-handler' class='oracle.core.ojdl.logging.ODLHandlerFactory'>
       <property name='path' value='sts/log'/>
       <property name='maxFileSize' value='10485760'/>
       <property name='maxLogSize' value='104857600'/>
     </log_handler>

     <logger name='oracle.security.fed' level='TRACE:32'>
       <handler name='stsfed-handler'/>
     </logger>

    
  3. Save the file.
  4. Proceed with "Defining Log Level and Log Details for Security Token Service or Identity Federation".
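The logging.xml edit in steps 1 through 3 can be scripted and checked before the server is restarted. The following Python script is an added example and is not part of the Oracle documentation or product. It assumes the Fusion Middleware logging.xml layout with a <logging_configuration> root containing <log_handlers> and <loggers>, writes the same stsfed-handler and oracle.security.fed fragment shown above, and operates on a constructed minimal logging.xml embedded inline (not a real server file). It adds the handler and logger only once, so re-running it does not duplicate them, and it verifies that every handler a logger references is actually defined.

```python
"""Add the stsfed-handler / oracle.security.fed logger to an ODL logging.xml.

Added example; not Oracle's code. Assumes the <logging_configuration> root
with <log_handlers> and <loggers> children used by Fusion Middleware
logging.xml, and writes the handler/logger fragment the page shows.
"""
import xml.etree.ElementTree as ET

HANDLER_NAME = "stsfed-handler"
LOGGER_NAME = "oracle.security.fed"
HANDLER_CLASS = "oracle.core.ojdl.logging.ODLHandlerFactory"

# Minimal logging.xml before the edit (constructed sample, not a real file).
SAMPLE_LOGGING_XML = """<?xml version='1.0'?>
<logging_configuration>
  <log_handlers>
    <log_handler name='odl-handler' class='oracle.core.ojdl.logging.ODLHandlerFactory'>
      <property name='path' value='${domain.home}/servers/${weblogic.Name}/logs/${weblogic.Name}-diagnostic.log'/>
    </log_handler>
  </log_handlers>
  <loggers>
    <logger name='' level='WARNING:1'>
      <handler name='odl-handler'/>
    </logger>
  </loggers>
</logging_configuration>
"""


def add_stsfed_logging(xml_text, path="sts/log", level="TRACE:32",
                       max_file_size="10485760", max_log_size="104857600"):
    """Return the XML with the handler and logger present exactly once."""
    root = ET.fromstring(xml_text)
    handlers = root.find("log_handlers")
    loggers = root.find("loggers")
    if handlers is None or loggers is None:
        raise ValueError("not a Fusion Middleware logging.xml: "
                         "missing <log_handlers> or <loggers>")

    # Idempotent: re-running the script must not create a second handler.
    handler = handlers.find("log_handler[@name='%s']" % HANDLER_NAME)
    if handler is None:
        handler = ET.SubElement(handlers, "log_handler",
                                {"name": HANDLER_NAME, "class": HANDLER_CLASS})
        for key, value in (("path", path), ("maxFileSize", max_file_size),
                           ("maxLogSize", max_log_size)):
            ET.SubElement(handler, "property", {"name": key, "value": value})

    logger = loggers.find("logger[@name='%s']" % LOGGER_NAME)
    if logger is None:
        logger = ET.SubElement(loggers, "logger", {"name": LOGGER_NAME})
    logger.set("level", level)
    if logger.find("handler[@name='%s']" % HANDLER_NAME) is None:
        ET.SubElement(logger, "handler", {"name": HANDLER_NAME})
    return ET.tostring(root, encoding="unicode")


def check_stsfed_logging(xml_text):
    """Return a list of problems: dangling handler references or a missing logger."""
    root = ET.fromstring(xml_text)
    defined = {h.get("name") for h in root.iter("log_handler")}
    problems = []
    for logger in root.iter("logger"):
        for ref in logger.findall("handler"):
            if ref.get("name") not in defined:
                problems.append("logger %r references undefined handler %r"
                                % (logger.get("name"), ref.get("name")))
    fed = root.find("loggers/logger[@name='%s']" % LOGGER_NAME)
    if fed is None:
        problems.append("logger %s not configured" % LOGGER_NAME)
    elif fed.find("handler[@name='%s']" % HANDLER_NAME) is None:
        problems.append("logger %s does not route to %s" % (LOGGER_NAME, HANDLER_NAME))
    return problems


if __name__ == "__main__":
    updated = add_stsfed_logging(SAMPLE_LOGGING_XML)
    print(updated)
    print("problems:", check_stsfed_logging(updated))
```

To apply it to a real domain, read $DOMAIN_HOME/config/fmwconfig/servers/SERVER-NAME/logging.xml, pass its text to add_stsfed_logging, and write the result back only when check_stsfed_logging returns an empty list; the server must still be restarted, or the level set through WLST as in the next section, for the change to take effect.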

7.4.2 Defining Log Level and Log Details for Security Token Service or Identity Federation

Administrators can use the custom WLST commands for Oracle Access Management to change the settings of the oracle.security.fed logger as described here. The commands define an independent output file that receives only Security Token Service and Identity Federation log messages.

For help on the WLST logging commands, run help("fmw diagnostics") at the WLST prompt.

Skip steps 1 through 3 if the following items are true:

  • The OAM Server is running

  • You have the WLST script

  • You have connected to the server and logged in

This sample procedure for Security Token Service logging is very similar to the one for Access Manager, with a few differences. Substitute the target server, path and handler name that match your own deployment.

  1. Confirm that the OAM Server is running.
  2. Acquire the custom WLST script for Oracle Access Management:
     $ORACLE_HOME/common/bin/wlst.sh

  3. Connect to the WebLogic Server and log in as the WebLogic Administrator. For example:
     sh wlst.sh
     wls:/offline> connect adminID password

  4. Modify the log level of oracle.security.fed based on your requirements. For example, this sequence changes the log level to WARNING without persisting it. With persist="0" only the running server is changed and the level reverts to the logging.xml setting at the next restart; use persist="1" to write the level to logging.xml as well:
     wls:/base_domain/serverConfig> domainRuntime()
     wls:/base_domain/domainRuntime> setLogLevel(logger="oracle.security.fed",
         level="WARNING", persist="0", target="oam_server1")

  5. Specify the target OAM Server, as well as rotation and retention periods, path to the log file, the handler, and logger. For example:
     wls:/base_domain/domainRuntime> configureLogHandler(name="osts-log-handler",
         target="oam_server1", rotationFrequency="daily", retentionPeriod="week",
         path="${domain.home}/ostslogs", maxFileSize="10485760",
         maxLogSize="104857600", addHandler="true",
         handlerType="oracle.core.ojdl.logging.ODLHandlerFactory",
         addToLogger="oracle.security.fed")

     If you also added stsfed-handler to logging.xml as described in "Configuring Logging for Security Token Service or Identity Federation", oracle.security.fed now has two handlers and every message is written to both files; keep only one of the two handlers.

  6. Verify in the generated log file that oracle.security.fed messages are logged at the WARNING level and that nothing finer (NOTIFICATION or TRACE) appears:
     $DOMAIN_HOME/ostslogs/SERVER-NAME-diagnostics.log
     $DOMAIN_HOME/oiflogs/SERVER-NAME-diagnostics.log

    
  7. Proceed to "Validating Run-time Event Logging Configuration".
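The check in step 6 can be automated. The following Python script is an added example, not part of the Oracle documentation or product. It assumes the ODL text format used by the *-diagnostics.log files, in which each record starts with the bracketed fields [timestamp] [component] [type[:level]] [message id] [module], and it parses only those leading fields so that the variable fields that follow (tid, ecid, supplemental attributes) do not matter. The log lines embedded in it are constructed samples, not output from a real server. The script reports every record from oracle.security.fed or one of its child loggers whose message type is finer than the threshold; because step 4 used persist="0", running it again after a server restart also reveals a level that has silently reverted.

```python
"""Audit an ODL text log for oracle.security.fed messages finer than a threshold.

Added example; not Oracle's code. Assumes the ODL text format:
[timestamp] [component] [type[:level]] [msgid] [module] ... message
The sample log below is constructed, not captured from a real server.
"""
import re

ODL_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<component>[^\]]*)\] \[(?P<msgtype>[^\]]+)\] "
    r"\[(?P<msgid>[^\]]*)\] \[(?P<module>[^\]]*)\] (?P<rest>.*)$")

# ODL message types from most to least severe. Within a type a higher number
# is a finer (more verbose) level: TRACE:32 is finer than TRACE:1, and a type
# written without ":n" means level 1.
TYPE_RANK = {"INCIDENT_ERROR": 0, "ERROR": 1, "WARNING": 2, "NOTIFICATION": 3, "TRACE": 4}

# Constructed sample: one WARNING and one ERROR from oracle.security.fed, one
# NOTIFICATION:16 from a child logger (too fine for a WARNING threshold), one
# record from an unrelated logger, and a multi-line exception inside [[ ]].
SAMPLE_LOG = """\
[2013-03-04T10:12:01.123-08:00] [oam_server1] [WARNING] [] [oracle.security.fed] [tid: 12] [ecid: 0000Jq] Token validation failed: unknown issuer
[2013-03-04T10:12:02.456-08:00] [oam_server1] [NOTIFICATION:16] [] [oracle.security.fed.sts] [tid: 12] [ecid: 0000Jq] Processing RST for relying party
[2013-03-04T10:12:02.789-08:00] [oam_server1] [NOTIFICATION] [] [oracle.oam.engine] [tid: 13] [ecid: 0000Jr] Session created
[2013-03-04T10:12:03.000-08:00] [oam_server1] [ERROR] [] [oracle.security.fed] [tid: 12] [ecid: 0000Js] Signature verification failed[[
java.security.SignatureException: Signature does not match
        at example.Verifier.verify(Verifier.java:42)
]]
"""


def parse_msgtype(text):
    """'NOTIFICATION:16' -> ('NOTIFICATION', 16); 'WARNING' -> ('WARNING', 1)."""
    name, _, level = text.partition(":")
    if name not in TYPE_RANK:
        raise ValueError("unknown ODL message type: %r" % text)
    return name, int(level) if level else 1


def at_least(msgtype, threshold):
    """True if a message of msgtype would pass a logger set to threshold."""
    name, level = parse_msgtype(msgtype)
    t_name, t_level = parse_msgtype(threshold)
    if TYPE_RANK[name] != TYPE_RANK[t_name]:
        return TYPE_RANK[name] < TYPE_RANK[t_name]
    return level <= t_level


def in_logger(module, logger):
    """True for the logger itself and any child logger (e.g. oracle.security.fed.sts)."""
    return module == logger or module.startswith(logger + ".")


def audit(log_text, logger="oracle.security.fed", threshold="WARNING:1"):
    """Return (records, offending): all parsed records, and those from `logger`
    that are finer than `threshold`. Continuation lines (stack traces inside
    [[ ]]) do not match ODL_LINE and belong to the preceding record."""
    records, offending = [], []
    for line in log_text.splitlines():
        m = ODL_LINE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        records.append(rec)
        if in_logger(rec["module"], logger) and not at_least(rec["msgtype"], threshold):
            offending.append(rec)
    return records, offending


if __name__ == "__main__":
    records, offending = audit(SAMPLE_LOG)
    print("%d records, %d finer than WARNING from oracle.security.fed"
          % (len(records), len(offending)))
    for rec in offending:
        print("  %s %s %s" % (rec["ts"], rec["msgtype"], rec["module"]))
```

Run it against the real file by replacing SAMPLE_LOG with the contents of $DOMAIN_HOME/ostslogs/SERVER-NAME-diagnostics.log; an empty offending list means the logger is at WARNING or coarser, while NOTIFICATION or TRACE records from oracle.security.fed show that the level set in step 4 is not in effect.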