Policy evaluation for roles occurs at the Identity Server. For Authorization and Identity Injection policies, policy evaluation occurs on the Embedded Service Provider where the policy is enabled.
For Form Fill policies, the evaluation and logging are done by the Embedded Service Provider and the proxy service. To set the logging level on the Access Gateway for the proxy service, see the following:
Logging for the policy evaluation done by Embedded Service Providers is controlled by the log settings of the Identity Server configuration. To enable this type of logging:
Click Edit > .
> >If you have set up more than one Identity Server configuration, make sure you select the configuration to which the other Access Manager components have been assigned.
Select for .
Select to echo the trace messages to the console.
For the Linux Access Gateway Appliance, Linux Access Gateway Service, or Linux Identity Server, this sends the messages to the catalina.out file.
For the Linux Access Gateway Service or Windows Identity Server, this sends the messages to the stdout.log file.
(Optional) Specify a path for the Identity Server log files.
If you have a mixed platform environment (for example, the Identity Server is installed on Windows and the Access Gateway is on Linux), do not specify a path.
For policy evaluation tracing, set the level to in the section.
If you are only troubleshooting policies at this time, do not select any other options. This reduces the amount of information recorded in the log files.
To see the policy SOAP messages, you need to set the level to
Update the Identity Server.
Click > .
For role evaluation traces, view the Identity Server catalina.out file (Linux) or the stdout.log file (Windows).
If your Identity Servers are clustered, you need to look at the file from each Identity Server.
For Authorization, Form Fill, and Identity Injection evaluation traces, view the log file of the Embedded Service Provider of the device that is protecting the resource.
Linux Access Gateway Appliance or Service: This is the catalina.out file of the Access Gateway where the protected resource is defined. If the Access Gateway is part of a cluster, you need to look at this file from each Access Gateway in the group.
To view the actual ESP log file that contains only ESP log messages, see the nidp.*.xml files in the /var/opt/novell/tomcat5/webapps/nesp/WEB-INF/logs directory (or the directory you specified in Step 4). Depending upon how you have configured , the * portion of the filename contains the month, the week, the day, and the hour.
Windows Access Gateway Service: This is the stdout.log file of the Access Gateway where the protected resource is defined. If the Access Gateway is part of a cluster, you need to look at this file from each Access Gateway in the group.
To view the actual ESP log file that contains only ESP log messages, see the nidp.*.xml files in the \Program Files\Novell\tomcat\webapps\nesp\WEB-INF\logs directory (or the directory you specified in Step 4). Depending upon how you have configured , the * portion of the filename contains the month, the week, the day, and the hour.
J2EE Agent: See Viewing Log Files in the Novell Access Manager 3.1 SP2 J2EE Agent Guide.
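In a cluster, the evaluation trace is written only on the member that handled the request, which is why the log of every member has to be checked. The following added example (not part of the Novell documentation or tooling) searches copies of each member's logs for a fixed string and reports which members logged it and which did not. It assumes the logs were copied to `<root>/<member>/`; the function names and that directory layout are hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not Novell tooling.
# Assumption: each cluster member's log files were copied to <root>/<member>/,
# keeping the file names the page mentions (nidp.*.xml, catalina.out, stdout.log).

# List the log files under ROOT that were modified in the last MINUTES minutes.
recent_logs() {
    local root="$1" minutes="$2"
    find "$root" -type f \
        \( -name 'nidp.*.xml' -o -name 'catalina.out' -o -name 'stdout.log' \) \
        -mmin "-$minutes" | sort
}

# Print "<member> <file> <hits>" for every recent log that contains NEEDLE.
# NEEDLE is matched as a fixed string (for example a user name), so no
# particular trace format is assumed.
trace_hits() {
    local root="$1" minutes="$2" needle="$3" file rel hits
    recent_logs "$root" "$minutes" | while IFS= read -r file; do
        hits=$(grep -c -F -- "$needle" "$file" || true)
        [ "$hits" -gt 0 ] || continue
        rel=${file#"$root"/}
        printf '%s %s %s\n' "${rel%%/*}" "${rel##*/}" "$hits"
    done
}

# Print the members whose recent logs never mention NEEDLE. For these, check
# the log level and the time window before ruling the member out.
silent_members() {
    local root="$1" minutes="$2" needle="$3" dir member
    for dir in "$root"/*/; do
        [ -d "$dir" ] || continue
        member=$(basename "$dir")
        trace_hits "$root" "$minutes" "$needle" | cut -d' ' -f1 \
            | grep -qxF -- "$member" || echo "$member"
    done
}

# Usage (hypothetical directory and search string):
#   trace_hits ./collected 60 'alice'
#   silent_members ./collected 60 'alice'
```

A member listed by `silent_members` either did not handle the request or was not logging at the trace level when it did.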
To understand what you are looking for in the log file, continue with one of the following:
Section 6.2, Understanding Policy Evaluation Traces if you set level to
Section 6.10, Policy Evaluation: Access Gateway Devices if you set level to .