Policy evaluation for roles occurs at the Identity Server. For Authorization and Identity Injection policies, policy evaluation occurs on the embedded service provider where the policy is enabled.
For Form Fill policies, the evaluation and logging are done by the embedded service provider and the proxy service. To set the logging level on the Access Gateway for the proxy service, see the following:
Logging for the policy evaluation done by embedded service providers is controlled by the log settings of the Identity Server configuration. To enable this type of logging:
Click Edit > .
> >
If you have set up more than one Identity Server configuration, make sure you select the configuration to which the other Access Manager components have been assigned.
Select for .
Select to echo the trace messages to the console.
For a Linux Access Gateway, this sends the messages to the catalina.out file.
For a NetWare® Access Gateway, this sends the messages to the NetWare console.
For the Linux Identity Server, this sends the messages to the catalina.out file.
(Optional) Specify a path for the Identity Server log files.
If you have a mixed platform environment (for example, the Identity Server is installed on Linux and the Access Gateway is on NetWare), do not specify a path.
For policy evaluation tracing, set the level to in the section.
If you are only troubleshooting policies at this time, do not select any other options. This reduces the amount of information recorded in the log files.
To see the policy SOAP messages, you need to set the level to
Update the Identity Server.
Click > .
For role evaluation traces, view the Identity Server catalina.out file.
If your Identity Servers are clustered, you need to look at the file from each Identity Server.
For Authorization, Form Fill, and Identity Injection evaluation traces, view the log file of the embedded service provider of the device that is protecting the resource.
For a Linux Access Gateway, this is the catalina.out file of the Access Gateway where the protected resource is defined. If the Linux Access Gateway is part of a group, you need to look at this file from each Access Gateway in the group.
The actual ESP log file is not displayed in the list. To view this file, which contains only ESP log messages, see the nidp.*.xml files in the /var/ops/novell/tomcat4/logs directory (or the directory you specified in Step 4). Depending upon how you have configured , the * portion of the filename contains the month, the week, the day, and the hour.
For a NetWare Access Gateway, the file is not displayed in the list. To view the trace messages, you need to go to the system console or view the nipd.*.xml file in the sys:\tomcat\4\webapps\nesp\WEB-INF\logs directory. Depending upon how you have configured , the * portion of the filename contains the month, the week, the day, and the hour.
To view the nipd.*.xml file, you need to enable FTP or SSH and copy the file.
For a J2EE Agent, see Viewing Log Files in the Novell Access Manager 3.0 SP4 Agent Guide.
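Because traces must be read from every Identity Server in a cluster and every Access Gateway in a group, the following added example (not Novell's code) reports the newest ESP log per device and flags devices with none. It assumes each device's log directory has been copied to a local folder named after the device, which is a hypothetical layout; the function names are also invented for this example.

```shell
#!/bin/sh
# Added example. Assumed layout (hypothetical): ROOT/<device>/ holds the
# log files copied from that device, for example ROOT/ag1/nidp.<suffix>.xml.

# Print the most recently modified ESP log in one directory.
# Prints nothing (and still returns 0) when the directory has no ESP log.
newest_esp_log() {
    dir=$1
    newest=
    # The page names the file nidp.*.xml (Linux) and nipd.*.xml (NetWare),
    # so both spellings are matched.
    for f in "$dir"/nidp.*.xml "$dir"/nipd.*.xml; do
        [ -f "$f" ] || continue      # an unmatched glob stays literal: skip it
        if [ -z "$newest" ] || [ "$f" -nt "$newest" ]; then
            newest=$f
        fi
    done
    if [ -n "$newest" ]; then
        printf '%s\n' "$newest"
    fi
}

# Print one line per device: "<device> <newest ESP log>" or "<device> MISSING".
# A MISSING line means that device's traces have not been collected yet
# (or, for role evaluation, that only catalina.out applies).
esp_log_report() {
    root=$1
    for d in "$root"/*/; do
        [ -d "$d" ] || continue
        device=$(basename "$d")
        log=$(newest_esp_log "${d%/}")
        printf '%s %s\n' "$device" "${log:-MISSING}"
    done
}

# Usage: esp_log_report /path/to/collected-logs
```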
To understand what you are looking for in the log file, continue with one of the following:
Section 39.2, Understanding Policy Evaluation Traces if you set level to
Section 39.10, Policy Evaluation: Access Gateway Devices if you set level to .