Sun OpenSSO

This page contains the following information regarding Sun OpenSSO:

  • Recommended Data Collection for OpenSSO (when opening Service Requests)
    • Collecting Config Files/ install and log files
    • Deployment Architecture information
    • Hardware platform and operating system with version information
    • Problem Description
    • Verbose Debug log level collection
    • IIS Logs collection (applicable if you have AM/SSO agent for IIS)
    • Client (Browser) Side Log collection
  • Self Help Section
    • Product FAQ
    • OpenSSO Web Site
    • OpenSSO Resource Center
    • OpenSSO Mailing List
    • OpenSSO Email Alias
    • OpenSSO Agents Support Matrix
    • Troubleshooting
    • How Do I...
    • Policy Agent Issues
    • Cookie Encoding/Decoding Issues
    • OpenSSO Issues
    • References

Recommended Data Collection for OpenSSO (when opening Service Requests)

  • Collecting Config Files/ install and log files

Please collect the following files, located in the base directory for OpenSSO. (Note: this is the same directory that was given on the configurator screens during initial installation.)

.version
install.log
bootstrap
.configParam

Zip/tar the following directories:
 /opensso/debug
 /opensso/log
 /opensso/sms
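
The collection step above as a script (an added example, not part of the original page or of OpenSSO). It assumes the files and directories sit under the base directory exactly as listed; the function name and return codes are this example's own. The archive is created owner-readable only, since it carries configuration and debug logs.

```shell
#!/bin/sh
# Added example: bundle the files and directories listed above into one tar.
# Returns 0 if everything was found, 1 if some items were missing, 2 on error.
collect_opensso_data() {
    base=$1
    out=$2
    [ -d "$base" ] || { echo "base directory not found: $base" >&2; return 2; }
    # tar runs from inside $base, so make the output path absolute first.
    case $out in /*) ;; *) out="$PWD/$out" ;; esac

    found=""
    missing=""
    for item in .version install.log bootstrap .configParam \
                opensso/debug opensso/log opensso/sms; do
        if [ -e "$base/$item" ]; then
            found="$found $item"
        else
            missing="$missing $item"
        fi
    done
    [ -n "$found" ] || { echo "nothing to collect under $base" >&2; return 2; }

    # Configuration and debug logs are sensitive: create the archive with
    # owner-only permissions. $found is unquoted on purpose (no spaces in names).
    ( umask 077 && cd "$base" && tar -cf "$out" $found ) || return 2

    if [ -n "$missing" ]; then
        echo "collected, but missing:$missing" >&2
        return 1
    fi
    return 0
}

# Stand-alone use: sh collect.sh <opensso-base-dir> <output.tar>
if [ "$#" -eq 2 ]; then
    collect_opensso_data "$1" "$2"
fi
```

A return code of 1 means the archive was written but some listed items were absent; mention the missing items in the Service Request.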

  • Deployment Architecture information

It is a good idea to provide a JPEG file of the deployment diagram, clearly showing the following components:

  • All the OpenSSO server instances in the deployment
  • Various Agents and their versions used against these OpenSSO servers
  • CDSSO (if used)
  • Load Balancers/Firewalls (specify SSL termination if applicable)
  • Directory servers
  • Session Failover enabled or not
  • Hostnames / IP addresses (of the above components)
  • Agent and server configuration (is it centralized or local?)
  • Web container name and version

  • Hardware platform and operating system with version information

Please make sure you know what Operating System the affected component is running on.

For Windows, you can get version information from the System Properties dialog box. Right click on My Computer, and choose Properties. Note the Version and Service Pack (if any).

For Unix, note the flavor (Solaris, HP-UX, AIX) and the major and minor version numbers, if applicable. The command

uname -a

will usually tell you what you need to know if you don't already know it.

For Linux, please collect the distribution information. If you don't already know it, the most reliable and accurate way to get the distribution is to execute the following command from the command line:

cat /etc/*release

  • Problem Description

Please provide as much information as you think is relevant: by all means be concise, but don't do so at the expense of facts.

  • Is this impacting a Production/Staging/Development system?
  • What has recently changed in your environment? For example (including but not limited to): firewall rule changes, DS/LDAP changes, etc.
  • If you are aware that there has been an external system configuration change recently, a migration, or a change of vendor, please let us know.
  • Frequency that the issue occurs
  • If you're having a problem that occurs repeatably and predictably, then that's useful information.
  • Reproduction steps (if applicable)

Support may need to duplicate your issue in-house, particularly if there is going to be a fix. Quality Engineering will verify that the fix does what we expect it to do, and can only do this if they have a procedure for recreating the issue and then verifying that the fix changes the behavior so that the issue no longer occurs.

Please try to keep the procedure as simple as possible. The more complex the steps are, the more likely it is that they will be misunderstood or somehow followed slightly wrong, and we will not be able to duplicate your results without repeating the process and refining it. This can delay resolution significantly.

  • Business impact

Again, this helps us to set the priority of the issue. It can also help justify the urgency of a fix.

  • Additional information

If available, please provide screenshots, log files, or any other information you think would be helpful to Support to expedite the troubleshooting process.

  • Verbose Debug log level collection

Access the OpenSSO Server console and log in as "amadmin".
Select:
Configuration --> Server and Sites --> <The server which has issues> --> Debugging

Reference Screens:

Selecting Server which has issues

Selecting the proper Debug level

Once the log level is changed, reproduce the issue and collect the timestamp when the issue was seen, the debug directory <opensso base dir>/opensso/debug, the log directory <opensso base dir>/opensso/log, and the web container access logs.

  • IIS Logs collection (applicable if you have AM/SSO agent for IIS)

To determine where your IIS log files are stored, please perform the following steps on your server:

1. Go to Start -> Control Panel -> Administrative Tools
2. Run Internet Information Services (IIS).
3. Find your Web site under the tree on the left.
4. Right-click on it and choose Properties.
5. On the Web site tab, you will see an option near the bottom that says "Active Log Format." Click on the Properties button.
6. At the bottom of the General Properties tab, you will see a box that contains the log file directory and the log file name. The full log path is made up of the log file directory plus the first part of the log file name.

For example, if the dialog box displayed the following values:

  • Log file directory: C:\Windows\System32\LogFiles
  • Log file name: W3SVC1\exyymmdd.log

Collect and send the above log file.

  • Client (Browser) Side Log collection

This log collection is required when the issue occurs in a setup where an agent and/or CDSSO is involved (multiple redirects of the user's requests).

  • Please install the "TamperData" Firefox add-on and use the Firefox browser to reproduce the issue.
  • Make sure only one instance/tab/window of Firefox is running, to avoid clutter in the capture.
  • Record the timestamp, start the use case, and reproduce the issue.
  • Select all the communication segments from the top of the TamperData window, right-click ---> select Export XML All, save it as "ClientComm.xml", and send it to Support along with all of the above data.

Ref Screen Shot:

Self Help Section

  • Product FAQ

https://opensso.dev.java.net/public/about/faqcenter/index.html

  • OpenSSO Web Site

https://opensso.dev.java.net/

  • OpenSSO Resource Center

http://wikis.sun.com/display/OpenSSO/OpenSSO+Resource+Center

  • OpenSSO Mailing List

https://opensso.dev.java.net/servlets/ProjectMailingListList

  • OpenSSO Email Alias

users@opensso.dev.java.net

  • OpenSSO Agents Support Matrix

Policy Agents Supported for OpenSSO Enterprise 8.0 (http://docs.sun.com/app/docs/doc/820-3745/ghsav?a=view)
Policy Agents Platform/OS Support (http://wikis.sun.com/display/OpenSSO/Policy+Agents+Support+Matrix)

  • Troubleshooting

OpenSSO using Firefox Add-ons (http://developers.sun.com/identity/reference/techart/troubleshooting.html)
OpenSSO Configurator (http://blogs.sun.com/indira/entry/how_to_get_debug_logs)
Web Agents (http://wikis.sun.com/display/OpenSSO/WebAgentTrouble)
J2EE Agents (http://wikis.sun.com/display/OpenSSO/J2EEAgentTrouble)
Policy Agent 2.2 for Sun Application Server 9.x or GlassFish (http://wikis.sun.com/display/OpenSSO/GlassFishAgentTrouble#GlassFishAgentTrouble-installfailnotnoticed)

  • How Do I...

Set up the ssoadm command-line utility (http://blogs.sun.com/docteger/entry/exporting_configuration_data_using_ssoadm)
Generate and configure fedlets (http://blogs.sun.com/sid/entry/generating_configuring_and_using_fedlets)
Compile and run OpenSSO clientsdk samples (http://blogs.sun.com/docteger/entry/client_sdk_command_line_samples)

  • Policy Agent Issues

If you have problems when installing or configuring an agent, there are a couple of places you can start looking and some ways to get more information to determine the problem:

1. Installation Logs

During installation, all the activity is stored in a special set of log files. Look inside the log files under j2ee_agents/<container-name>/Agent_00x/logs/debug and j2ee_agents/<container-name>/Agent_00x/logs/audit to see all the activity that is logged during installation. Check for any exceptions or unsuccessful installation messages.

2. Agent Run-time Logs

During run-time, the agents log all the debug info in the agent instance debug directory in different files, under the j2ee_agents\<container-name>/Agent_00x/logs/debug directory and you can look in those files for any error messages or exceptions.

3. Increase Debug Logging Level

Customize the debug logging level settings to get more info. You must stop your application-server domain, then edit the j2ee_agents\<container-name>/Agent_00x/config/AMAgent.properties file or the Agent configuration on the OpenSSO console, for the agent instance, and change the property com.iplanet.services.debug.level to message level. This will enable a lot more information to be printed in the logs.

4. Application Server Logs

Besides the agent logs, you could also check the application-server logs. Each application-server domain has a separate logging directory, for instance in Glassfish the glassfish\domains\domain1\logs\server.log contains some useful information. You can look in that file for exceptions and error messages.

  • Cookie Encoding/Decoding Issues

http://blogs.sun.com/madan/

  • OpenSSO Issues

Problem : After Authentication to the OpenSSO console, instead of OpenSSO common task screens, the log in screen gets presented.

Assumptions:
DataStore authentication is used and is configured to an external Directory Server

Use Case:
Access OpenSSO console
Login screen is presented
submit the authentication credentials
Again the Login screen is presented instead of the default OpenSSO screen.

Resolution:
This issue is seen when the external LDAP server (used via the datastore) that is configured with the OpenSSO server is not up and running. To confirm that this is the case, check the following log files:

  • Go to /<openSSO-Base-Dir>/opensso/debug
  • Check the "IdRepo" logs for the following messages:
LDAPv3Repo:07/24/2009 08:17:37:066 AM PDT: Thread[pool-1-thread-4,5,main|pool-1-thread-4,5,main]
\*********************************************\*
LDAPv3Repo:07/24/2009 08:17:37:061 AM PDT: Thread[pool-1-thread-4,5,main|pool-1-thread-4,5,main]
ERROR: LDAPv3Repo: initConnectionPool ConnectionPool failed: 91; ldapServerName:tycoon.red.iplanet.com:389
LDAPv3Repo:07/24/2009 08:17:37:068 AM PDT: Thread[pool-1-thread-4,5,main|pool-1-thread-4,5,main]
ERROR: LDAPv3Repo: addListener failed. Incorrect ldap server configuration.[tycoon.red.iplanet.com:389]
  • Please start the external LDAP server specified in the above logs, followed by the OpenSSO container; the issue is expected to go away. If not, please open a service ticket with the required information as discussed in the first part of this page.
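
The log check described above as a script (an added example, not part of the original page or of OpenSSO). It assumes the two-line record layout shown in the excerpt, a timestamp/thread header followed by the message; the function names and the sample log, including its example.com host names, are constructed for illustration.

```shell
#!/bin/sh
# Added example: list LDAPv3Repo connection-pool failures from an IdRepo debug log.
# Output, one line per failure: <timestamp>|<LDAP result code>|<host:port>
idrepo_ldap_failures() {
    awk '
    # Header line: "<module>:<MM/DD/YYYY HH:MM:SS:mmm AM TZ>: Thread[...]"
    /^[A-Za-z0-9]+:[0-9][0-9]\/[0-9][0-9]\/[0-9][0-9][0-9][0-9] / {
        ts = $0
        sub(/^[^:]*:/, "", ts)         # drop the module name
        sub(/: Thread\[.*$/, "", ts)   # drop the thread details
        next
    }
    # Message line belonging to the most recent header.
    /^ERROR: LDAPv3Repo: initConnectionPool ConnectionPool failed:/ {
        code = $0; sub(/^.*failed: */, "", code); sub(/;.*$/, "", code)
        srv = $0;  sub(/^.*ldapServerName:/, "", srv)
        print ts "|" code "|" srv
    }' "$@"
}

# Distinct LDAP servers that failed: the ones to check and start first.
idrepo_failed_servers() {
    idrepo_ldap_failures "$@" | cut -d'|' -f3 | sort -u
}

# Constructed sample log (same layout as the excerpt above, placeholder hosts).
sample_idrepo_log() {
    cat <<'EOF'
LDAPv3Repo:07/24/2009 08:17:37:061 AM PDT: Thread[pool-1-thread-4,5,main]
ERROR: LDAPv3Repo: initConnectionPool ConnectionPool failed: 91; ldapServerName:ldap.example.com:389
LDAPv3Repo:07/24/2009 08:17:37:068 AM PDT: Thread[pool-1-thread-4,5,main]
ERROR: LDAPv3Repo: addListener failed. Incorrect ldap server configuration.[ldap.example.com:389]
LDAPv3Repo:07/24/2009 08:18:10:002 AM PDT: Thread[pool-1-thread-2,5,main]
constructed informational line that must be ignored
LDAPv3Repo:07/24/2009 08:19:02:410 AM PDT: Thread[pool-1-thread-7,5,main]
ERROR: LDAPv3Repo: initConnectionPool ConnectionPool failed: 91; ldapServerName:ldap2.example.com:636
EOF
}

# Stand-alone use: pass IdRepo log files as arguments, or run with none for the demo.
if [ "$#" -ge 1 ]; then
    idrepo_ldap_failures "$@"
else
    sample_idrepo_log | idrepo_ldap_failures
fi
```

Result code 91 is the LDAP client-side connect error, which matches the "directory server not running" cause given in the resolution.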

  • References

ssoadm agent specific commands - http://docs.sun.com/app/docs/doc/820-4803/ghkby?l=en&a=view
Error Code and Log References - http://docs.sun.com/app/docs/doc/820-3886/ghhtn?a=view


Copyright 1994-2009 Sun Microsystems, Inc.