SlideShare a Scribd company logo

Ibm tivoli access manager for e business tracing http connections redp4622

Banking at Ho Chi Minh city
Banking at Ho Chi Minh city
TechnologyDesign
1 of 12
Download to read offline
Redpaper Axel Buecker Ori Pomerantz IBM Tivoli Access Manager for e-business: Tracing HTTP Connections Overview When troubleshooting IBM® Tivoli® Access Manager for e-business it is often necessary to obtain and analyze the traces of HTTP connections. In this IBM Redpaper™ document you will learn how to obtain such traces, and how to interpret them. This paper can help implementors and system administrators who need to solve problems with Tivoli Access Manager for e-business. Why do it? The Tivoli Access Manager for e-business WebSEAL component is an HTTP reverse proxy that receives an HTTP connection from a browser. If an action is authorized, WebSEAL opens a separate HTTP connection to the back-end server. This principle is depicted in Figure 1. Figure 1 HTTP flow between browser, Web SEAL and back-end server © Copyright IBM Corp. 2009. All rights reserved. ibm.com/redbooks 1
WebSEAL does not just transfer the information from one connection to the other. It also modifies the URL to interpret junctions. It adds information to the HTTP header for the back-end connection and cookies for the front-end connection. Those changes might cause problems. The easiest way to trace them is to look at the HTTP connections. To find out more about WebSEAL junctions and links refer to the IBM Redpaper publication IBM Tivoli Access Manager for e-business: Junctions and Links, REDP-4621. HTTP header traces WebSEAL always changes the HTTP headers. You can identify many problems by examining the traces for those HTTP headers. Creating HTTP header traces To create a trace of HTTP headers, run the following pdadmin command to start tracing: server task <WebSEAL instance> trace set pdweb.debug 2 file path=<file path> The trace will appear in the path you specified. Run the following pdadmin command to stop the trace: server task <WebSEAL instance> trace set pdweb.debug 0 Interpreting HTTP header traces The HTTP header trace contains all of the HTTP headers and other information. In this paper we only document the lines that are useful for WebSEAL diagnostic purposes. For information about other fields, see the HTTP specifications in RFC 2616, available at the following URL: http://www.w3.org/Protocols/rfc2616/rfc2616.html Request from the browser In this section we cover an initial request from a browser to WebSEAL. The following text appears on one line. 2009-04-28-19:48:37.622-05:00I----- thread(3) trace.pdweb.debug:2 /project/amweb610/build/amweb610/src/pdweb/webseald/ras/trace/debug_log.cpp:134: ----------------- Browser ===> PD ----------------- The relevant parts of the line are the time stamp at the beginning of the line and the arrow indicating that this is a request coming from the browser to the Policy Director (PD). Policy Director is the former product name for IBM Tivoli Access Manager for e-business; therefore, this is a request going from a browser to WebSEAL. The ID for the WebSEAL thread that handled the request is followed by the HTTP request sent by the browser. Thread_ID:2975017888 GET /junc/index.html HTTP/1.1 The first line of the HTTP request is the request itself. In this case, the browser is requesting GET the file /junc/index.html using version 1.1 of the HTTP protocol. 2 IBM Tivoli Access Manager for e-business: Tracing HTTP Connections
The request is followed by the HTTP header fields. Some of these fields are optional, and they can appear in any order. The following line is the host part of the URL (and the port number, if specified): host: tam The host name is useful in the case of virtual host junctions, where this field determines the junction and the back-end server. The following line is the identity of the browser that sent the request: user-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.10) Gecko/20071015 SUSE/2.0.0.10-0.11 Firefox/2.0.0.10 The following line specifies the end of the entry, in this case the request from the browser. --------------------------------------------------- Request for basic authentication The request in the previous section came from an unauthenticated browser. In the next section WebSEAL requests basic authentication before proceeding any further. This code is also on one line. 2009-04-28-19:48:37.670-05:00I----- thread(3) trace.pdweb.debug:2 /project/amweb610/build/amweb610/src/pdweb/webseald/ras/trace/debug_log.cpp:178: ----------------- Browser <=== PD ----------------- Notice that the arrow now points from PD to the Web browser. This is a response. The first line of the HTTP reply is the reply itself. HTTP/1.1 401 Unauthorized In this case, the server is using version 1.1 of the HTTP protocol, the same version as the browser. The response is 401, meaning that the request requires authentication. This reply happens in response to a request that is not authenticated or in response to a response authenticated as an unauthorized user. The number is followed by a string, which can be displayed to the user. The following field specifies the Platform for Privacy Preferences settings, a standard mechanism to specify the privacy practices of Web sites. p3p: CP="NON CUR OTPi OUR NOR UNI" You can read more about P3P at the following URL: http://www.w3.org/P3P The following field identifies the Web server, in this case WebSEAL. server: WebSEAL/6.1.0.0 (Build 080319) Servers that ask for basic authentication include the following field so that the browser can show it to the user. www-authenticate: Basic realm="Access Manager for e-business" To modify this value, change the basic-auth-realm property in the [ba] stanza of the instance configuration file. Set-Cookie: PD-S-SESSION-ID=2_mNCraP8I1j7MvXEqWXfaxFbawImnvMOwKHsrU3MF5mqJpnqS; Path=/; Secure IBM Tivoli Access Manager for e-business: Tracing HTTP Connections 3
This code is all on one line and sets a cookie called PD-S-SESSION-ID that stores the session ID. To modify the cookie name, change the ssl-session-cookie-name (or, for HTTP, tcp-session-cookie-name) in the [session] section of the instance configuration file. The information after the semicolon (;) is the cookie attributes. The Path attribute specifies that this cookie should be sent back with any request that starts with a slash (/), which means any request. The Secure attribute specifies that the cookie needs to be secure, for example, not to be sent back in clear text. For more information about cookies, see the draft specifications that are available at the following URL: http://web.archive.org/web/20060424004149/wp.netscape.com/newsref/std/cookie_spec. html Basic authentication response The basic authentication response is almost identical to the original request, but with two additional lines. The authorization: field specifies the user name and password. Because it is sensitive information, the value is not shown in the trace. authorization:*********************************** The following line returns the session ID cookie set by the server in the previous section. If you have to use a trace from a production environment, you can use the session ID to identify which requests come from which browser. Cookie: PD-S-SESSION-ID=2_mNCraP8I1j7MvXEqWXfaxFbawImnvMOwKHsrU3MF5mqJpnqS Request to the back-end WebSEAL decided that the request from the browser was authorized. The next entry is the request that WebSEAL sends to the back-end server. 2009-04-28-19:48:45.977-05:00I----- thread(4) trace.pdweb.debug:2 /project/amweb610/build/amweb610/src/pdweb/webseald/ras/trace/debug_log.cpp:134: ----------------- PD ===> BackEnd ----------------- This text is all on one line and represents the request that goes from PD (WebSEAL) to the back-end server. This is the HTTP request: GET /index.html HTTP/1.1 host: backend:81 The host field is taken from the junction. Notice that it includes the port number when that is not the default (80 for HTTP, 443 for HTTPS). The user agent field is relayed from the browser. This way, the back-end server can send different replies to different browsers. user-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.10) Gecko/20071015 SUSE/2.0.0.10-0.11 Firefox/2.0.0.10 The via: field contains proxy information. WebSEAL is a proxy, so the information for WebSEAL is listed here. via: HTTP/1.1 tam:443 4 IBM Tivoli Access Manager for e-business: Tracing HTTP Connections
This is one of a number of HTTP header fields that could be inserted by WebSEAL when communicating with the back end. It is specified in the server_name property of the [header-names] stanza of the instance configuration file. iv_server_name: default-webseald-tam.ibm.com If the junction had been created with the -c parameter, you would see the user identification fields: iv-user, iv-user-l, iv-groups, and iv-creds. Back-end response The back-end server responds to the request. The following text, all on one line, shows that the response goes from the back-end server to PD (WebSEAL). 2009-04-28-19:48:46.102-05:00I----- thread(4) trace.pdweb.debug:2 /project/amweb610/build/amweb610/src/pdweb/webseald/ras/trace/debug_log.cpp:178: ----------------- PD <=== BackEnd ----------------- The following field identifies the server, which can be useful in verifying that junctions direct to the correct back-end server. server: IBM_HTTP_Server Response to the browser Finally, the browser gets the page the user requested. The text, all on one line, shows that the response goes from PD (WebSEAL) to the browser. 2009-04-28-19:48:46.102-05:00I----- thread(4) trace.pdweb.debug:2 /project/amweb610/build/amweb610/src/pdweb/webseald/ras/trace/debug_log.cpp:178: ----------------- Browser <=== PD ----------------- WebSEAL sets a new session ID value. Set-Cookie: PD-S-SESSION-ID=2_NZm8soRZG9QP7BDkktl1RXlPmlj0NPLmk-9Q1ubddvU3lGCh; Path=/; Secure Browser request for additional information Displaying an HTML page often requires the browser to retrieve additional files: images, style sheets, and so on. In the following entry you can see the Web page that caused the request in the referer: field. 2009-04-28-19:48:49.895-05:00I----- thread(5) trace.pdweb.debug:2 /project/amweb610/build/amweb610/src/pdweb/webseald/ras/trace/debug_log.cpp:134: ----------------- Browser ===> PD ----------------- Thread_ID:2973952928 GET /junc/http_server_styles.css HTTP/1.1 accept: text/css,*/*;q=0.1 accept-encoding: gzip,deflate accept-language: en-us,en;q=0.5 authorization:*********************************** connection: keep-alive host: tam keep-alive: 300 referer: https://tam/junc/index.html user-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.10) Gecko/20071015 SUSE/2.0.0.10-0.11 Firefox/2.0.0.10 accept-charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Cookie: PD-S-SESSION-ID=2_NZm8soRZG9QP7BDkktl1RXlPmlj0NPLmk-9Q1ubddvU3lGCh IBM Tivoli Access Manager for e-business: Tracing HTTP Connections 5
Using header traces The following example is a problem that can be solved using a header trace. WebSEAL is set up for forms authentication. A user complains that WebSEAL ignores the authentication. The relevant part of the trace is: 2009-04-30-21:07:21.712-05:00I----- thread(17) trace.pdweb.debug:2 /project/amweb610/build/amweb610/src/pdweb/webseald/ras/trace/debug_log.cpp:134: ----------------- Browser ===> PD ----------------- Thread_ID:2961496992 GET /junc HTTP/1.1 accept: text/html, image/jpeg, image/png, text/*, image/*, */* accept-encoding: x-gzip, x-deflate, gzip, deflate accept-language: en connection: Keep-Alive host: 192.168.90.3 user-agent: Mozilla/5.0 (compatible; Konqueror/3.5; Linux 2.6.19; X11) KHTML/3.5.5 (like Gecko) (Debian package 4:3.5.5a.dfsg.1-5) accept-charset: iso-8859-1, utf-8;q=0.5, *;q=0.5 cache-control: no-cache pragma: no-cache The browser is asking for a page protected by WebSEAL. --------------------------------------------------- 2009-04-30-21:07:21.713-05:00I----- thread(17) trace.pdweb.debug:2 /project/amweb610/build/amweb610/src/pdweb/webseald/ras/trace/debug_log.cpp:178: ----------------- Browser <=== PD ----------------- Thread_ID:2961496992 HTTP/1.1 200 OK content-length: 1970 content-type: text/html date: Fri, 01 May 2009 02:07:21 GMT p3p: CP=”NON CUR OTPi OUR NOR UNI” server: WebSEAL/6.1.0.0 (Build 080319) pragma: no-cache cache-control: no-cache Set-Cookie: PD-H-SESSION-ID=4_ITXlIcoIVJkyRq8fpH3BXYmKW792wrlKZHBEkq8NLV57109J; Path=/ WebSEAL replies, probably with the logon form. It also attempts to set a cookie, PD-H-SESSION-ID. --------------------------------------------------- 2009-04-30-21:07:26.718-05:00I----- thread(17) trace.pdweb.debug:1 /project/amweb610/build/amweb610/src/pdweb/webseald/http/server/handle-call.cpp:13 9: IO error during request parsing 2009-04-30-21:07:30.168-05:00I----- thread(18) trace.pdweb.debug:2 /project/amweb610/build/amweb610/src/pdweb/webseald/ras/trace/debug_log.cpp:134: ----------------- Browser ===> PD ----------------- Thread_ID:2960964512 POST /pkmslogin.form HTTP/1.1 accept: text/html, image/jpeg, image/png, text/*, image/*, */* accept-encoding: x-gzip, x-deflate, gzip, deflate accept-language: en connection: Keep-Alive content-length: 57 content-type: application/x-www-form-urlencoded host: 192.168.90.3 referer: http://192.168.90.3/junc 6 IBM Tivoli Access Manager for e-business: Tracing HTTP Connections
user-agent: Mozilla/5.0 (compatible; Konqueror/3.5; Linux 2.6.19; X11) KHTML/3.5.5 (like Gecko) (Debian package 4:3.5.5a.dfsg.1-5) accept-charset: iso-8859-1, utf-8;q=0.5, *;q=0.5 cache-control: no-cache pragma: no-cache The browser posts to /pkmslogin.form, presumably the logon information. However, it does not return the cookie. The problem might be that the cookies are turned off in the browser. Forms authentication cannot work without cookies. Message body traces To solve some problems, you need to look at the message bodies, the actual files transferred using HTTP. To do that, use pdweb.snoop. It provides the same function as a network sniffer, but provides it within WebSEAL outside the SSL tunnel so that the encryption is not an issue. Creating message body traces To create a trace that includes the message body, run the following pdadmin command to start tracing: server task <WebSEAL instance> trace set pdweb.snoop 9 file path=<file path> The trace will appear in the path you specified. Run the following pdadmin command to stop the trace: server task <WebSEAL instance> trace set pdweb.snoop 0 Instead of pdweb.snoop, you can use pdweb.snoop.client to trace only the communication between WebSEAL and the client. You can also use pdweb.snoop.jct to trace only the communication between WebSEAL and the back-end server. Interpreting message body traces The following example is the output of pdweb.snoop. 2009-04-29-23:25:49.966-05:00I----- thread(16) trace.pdweb.snoop.jct:1 /project/amwebrte610/build/amwebrte610/src/pdwebrte/webcore/amw_snoop.cpp:170: The header line shows the time and date. It also shows the exact component that generated the message, either pdweb.snoop.client for communication between a browser and WebSEAL or pdweb.snoop.jct for communication between WebSEAL and a back-end server. The following line shows the IP address and port number for the local (WebSEAL) and remote (browser or back-end server). ---------------------------------------- Thread 2963569568; fd 18; local 192.168.90.3:54192; remote 192.168.90.4:81 Receiving 454 bytes The main snoop output consists of three columns: byte number (in hexadecimal), the bytes (also in hexadecimal), and the bytes as ASCII text. The third column is typically the most useful one. IBM Tivoli Access Manager for e-business: Tracing HTTP Connections 7
0x0000 4854 5450 2f31 2e31 2034 3034 204e 6f74 HTTP/1.1.404.Not 0x0010 2046 6f75 6e64 0d0a 4461 7465 3a20 5765 .Found..Date:.We 0x0020 642c 2032 3920 4170 7220 3230 3039 2031 d,.29.Apr.2009.1 0x0030 393a 3238 3a30 3020 474d 540d 0a53 6572 9:28:00.GMT..Ser 0x0040 7665 723a 2049 424d 5f48 5454 505f 5365 ver:.IBM_HTTP_Se 0x0050 7276 6572 0d0a 436f 6e74 656e 742d 4c65 rver..Content-Le 0x0060 6e67 7468 3a20 3238 310d 0a43 6f6e 6e65 ngth:.281..Conne 0x0070 6374 696f 6e3a 2063 6c6f 7365 0d0a 436f ction:.close..Co 0x0080 6e74 656e 742d 5479 7065 3a20 7465 7874 ntent-Type:.text 0x0090 2f68 746d 6c3b 2063 6861 7273 6574 3d69 /html;.charset=i 0x00a0 736f 2d38 3835 392d 310d 0a0d 0a3c 2144 so-8859-1....<!D The lines show an HTTP header (the error message is 404, which means a file requested from the server was not found). To preserve the column format, non printable characters, such as new line, are printed as dots. You can identify them by looking at the bytes in hexadecimal. The characters, 0d0a, would be in the location corresponding to a new line. Notice the two consecutive new lines (shown in bold). They mark the end of the header and the beginning of the message body. 0x00b0 4f43 5459 5045 2048 544d 4c20 5055 424c OCTYPE.HTML.PUBL 0x00c0 4943 2022 2d2f 2f49 4554 462f 2f44 5444 IC.”-//IETF//DTD 0x00d0 2048 544d 4c20 322e 302f 2f45 4e22 3e0a .HTML.2.0//EN”>. 0x00e0 3c68 746d 6c3e 3c68 6561 643e 0a3c 7469 <html><head>.<ti 0x00f0 746c 653e 3430 3420 4e6f 7420 466f 756e tle>404.Not.Foun 0x0100 643c 2f74 6974 6c65 3e0a 3c2f 6865 6164 d</title>.</head 0x0110 3e3c 626f 6479 3e0a 3c68 313e 4e6f 7420 ><body>.<h1>Not. 0x0120 466f 756e 643c 2f68 313e 0a3c 703e 5468 Found</h1>.<p>Th 0x0130 6520 7265 7175 6573 7465 6420 5552 4c20 e.requested.URL. 0x0140 2f69 6d61 6765 732f 6f64 6f74 2e6a 7067 /images/odot.jpg 0x0150 2077 6173 206e 6f74 2066 6f75 6e64 206f .was.not.found.o 0x0160 6e20 7468 6973 2073 6572 7665 722e 3c2f n.this.server.</ 0x0170 703e 0a3c 6872 202f 3e0a 3c61 6464 7265 p>.<hr./>.<addre 0x0180 7373 3e49 424d 5f48 5454 505f 5365 7276 ss>IBM_HTTP_Serv 0x0190 6572 2053 6572 7665 7220 6174 2062 6163 er.Server.at.bac 0x01a0 6b65 6e64 2050 6f72 7420 3831 3c2f 6164 kend.Port.81</ad 0x01b0 6472 6573 733e 0a3c 2f62 6f64 793e 3c2f dress>.</body></ 0x01c0 6874 6d6c 3e0a html>. These lines show the HTML, which is the HTTP message body. To make the HTML easier to read, put the lines together and translate the control characters, as listed in Table 1. Table 1 Control characters Hexadecimal Byte Character 09 Tab 0a New line 0d Ignore 20 Space 8 IBM Tivoli Access Manager for e-business: Tracing HTTP Connections
By translating 0a to a new line and 20 to a space, you can make the HTML easier to read. <!DOCTYPE HTML PUBLIC "-//IEFT//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <o>The requested URL /images/odot.jpg was not found on this server.</p> <hr /> <address>IBM_HTTP_Server Server at backend Port 81</address> </body></html> Using message body traces The following example is a problem that can be solved by tracing the message body. A Web page contains a link that does not work through WebSEAL. This is the relevant part of the trace: 2009-04-30-22:58:13.895-05:00I----- thread(24) trace.pdweb.snoop.client:1 /project/amwebrte610/build/amwebrte610/src/pdwebrte/webcore/amw_snoop.cpp:196: ---------------------------------------- Thread 2972412832; fd 8; local [::ffff:192.168.90.3]:443; remote [::ffff:192.168.90.3]:56700 Sending 3727 bytes 0x0000 4854 5450 2f31 2e31 2032 3030 204f 4b0d HTTP/1.1.200.OK. 0x0010 0a61 6363 6570 742d 7261 6e67 6573 3a20 .accept-ranges:. 0x0020 6279 7465 730d 0a63 6f6e 7465 6e74 2d74 bytes..content-t 0x0030 7970 653a 2074 6578 742f 6874 6d6c 0d0a ype:.text/html.. . . . 0x0450 3c48 323e 5765 6c63 6f6d 6520 746f 2074 <H2>Welcome.to.t 0x0460 6865 2042 6163 6b65 6e64 2053 6572 7665 he.Backend.Serve 0x0470 723c 2f48 323e 0a0a 3c73 6372 6970 743e r</H2>..<script> 0x0480 0a64 6f63 756d 656e 742e 7772 6974 6528 .document.write( 0x0490 223c 6120 6872 6566 3d5c 2268 7474 703a “<a.href=”http: 0x04a0 2f2f 6261 636b 656e 643a 3831 2f6c 696e //backend:81/lin 0x04b0 6b65 642e 6874 6d6c 5c22 3e43 6c69 636b ked.html”>Click 0x04c0 2068 6572 652e 3c2f 613e 3c2f 6272 3e22 .here.</a></br>” 0x04d0 293b 0a3c 2f73 6372 6970 743e 0a0a 3c74 );.</script>..<t 0x04e0 723e 0a0a 2020 2020 2020 2020 3c74 643e r>..........<td> As you can see, there is an absolute link inside a script that is not translated. To fix this problem, recreate the junction with -j. Summary You should now be able to view the information passing through WebSEAL and use it to troubleshoot HTTP-related problems. IBM Tivoli Access Manager for e-business: Tracing HTTP Connections 9
Resources For more information consult the following resources. More information about the IBM Tivoli Access Manager for e-business architecture and components can be found in the IBM Redbooks® publication Enterprise Security Architecture Using IBM Tivoli Security Solutions, SG24-6014. http://www.redbooks.ibm.com/abstracts/sg246014.html?Open The HTTP protocol is defined in RFC 2616, available at the following URL: http://tools.ietf.org/html/rfc2616 Cookies are explained in the draft specifications, available at the following URL: http://web.archive.org/web/20060424004149/wp.netscape.com/newsref/std/cookie_sp ec.html An explanation of P3P is available at the following URL: http://www.w3.org/P3P The team who wrote this IBM Redpaper This paper was produced by a team of specialists from around the world working at the International Technical Support Organization, Austin Center. Axel Buecker a Certified Consulting Software IT Specialist at the ITSO, Austin Center. He writes extensively and teaches IBM classes worldwide on areas of software security architecture and network computing technologies. He holds a degree in Computer Science from the University of Bremen, Germany. He has 23 years of experience in a variety of areas related to workstation and systems management, network computing, and e-business solutions. Before joining the ITSO in March 2000, Axel worked for IBM in Germany as a Senior IT Specialist in Software Security Architecture. Ori Pomerantz has been securing computer networks—and teaching other people to do the same—since 1995. Since joining IBM in 2003, he has written classes on several Tivoli security products. He is also a co-author of the IBM Press publication Mainframe Basics for Security Professionals: Getting Started with RACF, ISBN-13: 978-0-13-173856-0, 2007. Thanks to the following people for their contributions to this project: Alison Chandler International Technical Support Organization, Poughkeepsie Center Sten Drescher, Erica Smith IBM 10 IBM Tivoli Access Manager for e-business: Tracing HTTP Connections
Notices This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service. IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to: IBM Director of Licensing, IBM Corporation, North Castle Drive, Armonk, NY 10504-1785 U.S.A. The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you. This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice. Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk. IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you. Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental. COPYRIGHT LICENSE: This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. © Copyright International Business Machines Corporation 2009. All rights reserved. Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. 11
This document REDP-4622-00 was created or updated on December 3, 2009. Send us your comments in one of the following ways: ® Use the online Contact us review Redbooks form found at: ibm.com/redbooks Send your comments in an email to: redbooks@us.ibm.com Mail your comments to: IBM Corporation, International Technical Support Organization Dept. HYTD Mail Station P099 2455 South Road Poughkeepsie, NY 12601-5400 U.S.A. Redpaper ™ Trademarks IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. These and other IBM trademarked terms are marked on their first occurrence in this information with the appropriate symbol (® or ™), indicating US registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at http://www.ibm.com/legal/copytrade.shtml The following terms are trademarks of the International Business Machines Corporation in the United States, other countries, or both: IBM® Redbooks® Redbooks (logo) ® RACF® Redpaper™ Tivoli® Other company, product, or service names may be trademarks or service marks of others. 12 IBM Tivoli Access Manager for e-business: Tracing HTTP Connections

Recommended

Setting up a web server in Linux (Ubuntu)
Setting up a web server in Linux (Ubuntu)Setting up a web server in Linux (Ubuntu)
Setting up a web server in Linux (Ubuntu)Zakaria Hossain
 
Webserver Administration: Apache as a case study
Webserver Administration: Apache as a case studyWebserver Administration: Apache as a case study
Webserver Administration: Apache as a case studyTata Consultancy Services
 
Configure Webserver & SSL secure & redirect in SuSE Linux Enterprise
Configure Webserver & SSL secure & redirect in SuSE Linux EnterpriseConfigure Webserver & SSL secure & redirect in SuSE Linux Enterprise
Configure Webserver & SSL secure & redirect in SuSE Linux EnterpriseTola LENG
 
Tola.leng mail server (sq_mail &amp; rcmail)_q5_
Tola.leng mail server (sq_mail &amp; rcmail)_q5_Tola.leng mail server (sq_mail &amp; rcmail)_q5_
Tola.leng mail server (sq_mail &amp; rcmail)_q5_Tola LENG
 
Open vpn server_linux
Open vpn server_linuxOpen vpn server_linux
Open vpn server_linuxTola LENG
 
DominoMigrationProposal
DominoMigrationProposalDominoMigrationProposal
DominoMigrationProposalLynn Levash
 
Protocol
ProtocolProtocol
Protocolm_bahba
 
OFC418 Advanced MOSS Administration
OFC418 Advanced MOSS AdministrationOFC418 Advanced MOSS Administration
OFC418 Advanced MOSS AdministrationChandima Kulathilake
 

Recommended

Setting up a web server in Linux (Ubuntu)
Setting up a web server in Linux (Ubuntu)Setting up a web server in Linux (Ubuntu)
Setting up a web server in Linux (Ubuntu)Zakaria Hossain
 
Webserver Administration: Apache as a case study
Webserver Administration: Apache as a case studyWebserver Administration: Apache as a case study
Webserver Administration: Apache as a case studyTata Consultancy Services
 
Configure Webserver & SSL secure & redirect in SuSE Linux Enterprise
Configure Webserver & SSL secure & redirect in SuSE Linux EnterpriseConfigure Webserver & SSL secure & redirect in SuSE Linux Enterprise
Configure Webserver & SSL secure & redirect in SuSE Linux EnterpriseTola LENG
 
Tola.leng mail server (sq_mail &amp; rcmail)_q5_
Tola.leng mail server (sq_mail &amp; rcmail)_q5_Tola.leng mail server (sq_mail &amp; rcmail)_q5_
Tola.leng mail server (sq_mail &amp; rcmail)_q5_Tola LENG
 
Open vpn server_linux
Open vpn server_linuxOpen vpn server_linux
Open vpn server_linuxTola LENG
 
DominoMigrationProposal
DominoMigrationProposalDominoMigrationProposal
DominoMigrationProposalLynn Levash
 
Protocol
ProtocolProtocol
Protocolm_bahba
 
OFC418 Advanced MOSS Administration
OFC418 Advanced MOSS AdministrationOFC418 Advanced MOSS Administration
OFC418 Advanced MOSS AdministrationChandima Kulathilake
 
Apache Manager Table of Contents
Apache Manager Table of ContentsApache Manager Table of Contents
Apache Manager Table of Contentswebhostingguy
 
How to configure IPA-Server & Client-Centos 7
How to configure IPA-Server & Client-Centos 7How to configure IPA-Server & Client-Centos 7
How to configure IPA-Server & Client-Centos 7Tola LENG
 
System Engineer: OpenLDAP and Samba Server
System Engineer: OpenLDAP and Samba ServerSystem Engineer: OpenLDAP and Samba Server
System Engineer: OpenLDAP and Samba ServerTola LENG
 
Http2
Http2Http2
Http2Islam Gamal
 
Ew7206 apb releasenote
Ew7206 apb releasenoteEw7206 apb releasenote
Ew7206 apb releasenotemamat1590
 
Exchange Server 2013 : upgrade migration et co-existence avec les anciennes v...
Exchange Server 2013 : upgrade migration et co-existence avec les anciennes v...Exchange Server 2013 : upgrade migration et co-existence avec les anciennes v...
Exchange Server 2013 : upgrade migration et co-existence avec les anciennes v...Microsoft Technet France
 
Indy Tech Fest 2008 - ASP.NET MVC
Indy Tech Fest 2008 - ASP.NET MVCIndy Tech Fest 2008 - ASP.NET MVC
Indy Tech Fest 2008 - ASP.NET MVCaaronlerch
 
Oracle database 12c client quick installation guide
Oracle database 12c client quick installation guideOracle database 12c client quick installation guide
Oracle database 12c client quick installation guidebupbechanhgmail
 
9i lin relnotes
9i lin relnotes9i lin relnotes
9i lin relnotesAnil Pandey
 
Oracle database 12c client quick installation guide 2
Oracle database 12c client quick installation guide 2Oracle database 12c client quick installation guide 2
Oracle database 12c client quick installation guide 2bupbechanhgmail
 
The app server, web server and everything in between
The app server, web server and everything in betweenThe app server, web server and everything in between
The app server, web server and everything in betweenColdFusionConference
 
IBM Mail Support for Microsoft Outlook
IBM Mail Support for Microsoft OutlookIBM Mail Support for Microsoft Outlook
IBM Mail Support for Microsoft Outlookjayeshpar2006
 
Some useful c panel terms
Some useful c panel termsSome useful c panel terms
Some useful c panel termsHTS Hosting
 
The Domino 10 RHEL 7 Primer
The Domino 10 RHEL 7 PrimerThe Domino 10 RHEL 7 Primer
The Domino 10 RHEL 7 PrimerBill Malchisky Jr.
 
Readme en us
Readme en usReadme en us
Readme en usgwoodslim
 
US07FFT-mod_ftp.ppt
US07FFT-mod_ftp.pptUS07FFT-mod_ftp.ppt
US07FFT-mod_ftp.pptwebhostingguy
 
HCL Domino Volt Installation, Configuration & New Features
HCL Domino Volt Installation, Configuration & New FeaturesHCL Domino Volt Installation, Configuration & New Features
HCL Domino Volt Installation, Configuration & New Featureshemantnaik
 
Installing license server
Installing license serverInstalling license server
Installing license serverKang YAyan
 
Open Mic IBM connections and IBM Verse on premise integration
Open Mic IBM connections and IBM Verse on premise integrationOpen Mic IBM connections and IBM Verse on premise integration
Open Mic IBM connections and IBM Verse on premise integrationjayeshpar2006
 
apresentacao_apache2..
apresentacao_apache2..apresentacao_apache2..
apresentacao_apache2..webhostingguy
 
gofortution
gofortutiongofortution
gofortutiongofortution
 
Sun Web Server Brief
Sun Web Server BriefSun Web Server Brief
Sun Web Server BriefMurthy Chintalapati
 

More Related Content

What's hot

Apache Manager Table of Contents
Apache Manager Table of ContentsApache Manager Table of Contents
Apache Manager Table of Contentswebhostingguy
 
How to configure IPA-Server & Client-Centos 7
How to configure IPA-Server & Client-Centos 7How to configure IPA-Server & Client-Centos 7
How to configure IPA-Server & Client-Centos 7Tola LENG
 
System Engineer: OpenLDAP and Samba Server
System Engineer: OpenLDAP and Samba ServerSystem Engineer: OpenLDAP and Samba Server
System Engineer: OpenLDAP and Samba ServerTola LENG
 
Ew7206 apb releasenote
Ew7206 apb releasenoteEw7206 apb releasenote
Ew7206 apb releasenotemamat1590
 
Exchange Server 2013 : upgrade migration et co-existence avec les anciennes v...
Exchange Server 2013 : upgrade migration et co-existence avec les anciennes v...Exchange Server 2013 : upgrade migration et co-existence avec les anciennes v...
Exchange Server 2013 : upgrade migration et co-existence avec les anciennes v...Microsoft Technet France
 
Indy Tech Fest 2008 - ASP.NET MVC
Indy Tech Fest 2008 - ASP.NET MVCIndy Tech Fest 2008 - ASP.NET MVC
Indy Tech Fest 2008 - ASP.NET MVCaaronlerch
 
Oracle database 12c client quick installation guide
Oracle database 12c client quick installation guideOracle database 12c client quick installation guide
Oracle database 12c client quick installation guidebupbechanhgmail
 
Oracle database 12c client quick installation guide 2
Oracle database 12c client quick installation guide 2Oracle database 12c client quick installation guide 2
Oracle database 12c client quick installation guide 2bupbechanhgmail
 
The app server, web server and everything in between
The app server, web server and everything in betweenThe app server, web server and everything in between
The app server, web server and everything in betweenColdFusionConference
 
IBM Mail Support for Microsoft Outlook
IBM Mail Support for Microsoft OutlookIBM Mail Support for Microsoft Outlook
IBM Mail Support for Microsoft Outlookjayeshpar2006
 
Some useful c panel terms
Some useful c panel termsSome useful c panel terms
Some useful c panel termsHTS Hosting
 
Readme en us
Readme en usReadme en us
Readme en usgwoodslim
 
HCL Domino Volt Installation, Configuration & New Features
HCL Domino Volt Installation, Configuration & New FeaturesHCL Domino Volt Installation, Configuration & New Features
HCL Domino Volt Installation, Configuration & New Featureshemantnaik
 
Installing license server
Installing license serverInstalling license server
Installing license serverKang YAyan
 
Open Mic IBM connections and IBM Verse on premise integration
Open Mic IBM connections and IBM Verse on premise integrationOpen Mic IBM connections and IBM Verse on premise integration
Open Mic IBM connections and IBM Verse on premise integrationjayeshpar2006
 
apresentacao_apache2..
apresentacao_apache2..apresentacao_apache2..
apresentacao_apache2..webhostingguy
 

What's hot (20)

Apache Manager Table of Contents
Apache Manager Table of ContentsApache Manager Table of Contents
Apache Manager Table of Contents
 
How to configure IPA-Server & Client-Centos 7
How to configure IPA-Server & Client-Centos 7How to configure IPA-Server & Client-Centos 7
How to configure IPA-Server & Client-Centos 7
 
System Engineer: OpenLDAP and Samba Server
System Engineer: OpenLDAP and Samba ServerSystem Engineer: OpenLDAP and Samba Server
System Engineer: OpenLDAP and Samba Server
 
Http2
Http2Http2
Http2
 
Ew7206 apb releasenote
Ew7206 apb releasenoteEw7206 apb releasenote
Ew7206 apb releasenote
 
Exchange Server 2013 : upgrade migration et co-existence avec les anciennes v...
Exchange Server 2013 : upgrade migration et co-existence avec les anciennes v...Exchange Server 2013 : upgrade migration et co-existence avec les anciennes v...
Exchange Server 2013 : upgrade migration et co-existence avec les anciennes v...
 
Indy Tech Fest 2008 - ASP.NET MVC
Indy Tech Fest 2008 - ASP.NET MVCIndy Tech Fest 2008 - ASP.NET MVC
Indy Tech Fest 2008 - ASP.NET MVC
 
Oracle database 12c client quick installation guide
Oracle database 12c client quick installation guideOracle database 12c client quick installation guide
Oracle database 12c client quick installation guide
 
9i lin relnotes
9i lin relnotes9i lin relnotes
9i lin relnotes
 
Oracle database 12c client quick installation guide 2
Oracle database 12c client quick installation guide 2Oracle database 12c client quick installation guide 2
Oracle database 12c client quick installation guide 2
 
The app server, web server and everything in between
The app server, web server and everything in betweenThe app server, web server and everything in between
The app server, web server and everything in between
 
IBM Mail Support for Microsoft Outlook
IBM Mail Support for Microsoft OutlookIBM Mail Support for Microsoft Outlook
IBM Mail Support for Microsoft Outlook
 
Some useful c panel terms
Some useful c panel termsSome useful c panel terms
Some useful c panel terms
 
The Domino 10 RHEL 7 Primer
The Domino 10 RHEL 7 PrimerThe Domino 10 RHEL 7 Primer
The Domino 10 RHEL 7 Primer
 
Readme en us
Readme en usReadme en us
Readme en us
 
US07FFT-mod_ftp.ppt
US07FFT-mod_ftp.pptUS07FFT-mod_ftp.ppt
US07FFT-mod_ftp.ppt
 
HCL Domino Volt Installation, Configuration & New Features
HCL Domino Volt Installation, Configuration & New FeaturesHCL Domino Volt Installation, Configuration & New Features
HCL Domino Volt Installation, Configuration & New Features
 
Installing license server
Installing license serverInstalling license server
Installing license server
 
Open Mic IBM connections and IBM Verse on premise integration
Open Mic IBM connections and IBM Verse on premise integrationOpen Mic IBM connections and IBM Verse on premise integration
Open Mic IBM connections and IBM Verse on premise integration
 
apresentacao_apache2..
apresentacao_apache2..apresentacao_apache2..
apresentacao_apache2..
 

Similar to Ibm tivoli access manager for e business tracing http connections redp4622

HTTP/2 Comes to Java: Servlet 4.0 and what it means for the Java/Jakarta EE e...
HTTP/2 Comes to Java: Servlet 4.0 and what it means for the Java/Jakarta EE e...HTTP/2 Comes to Java: Servlet 4.0 and what it means for the Java/Jakarta EE e...
HTTP/2 Comes to Java: Servlet 4.0 and what it means for the Java/Jakarta EE e...Edward Burns
 
Network and distributed systems
Network and distributed systemsNetwork and distributed systems
Network and distributed systemsSri Prasanna
 
How do I securely deploy Internet websites in PHP on my IBMi?
How do I securely deploy Internet websites in PHP on my IBMi?How do I securely deploy Internet websites in PHP on my IBMi?
How do I securely deploy Internet websites in PHP on my IBMi?Zend by Rogue Wave Software
 
Single Sign-On for APEX applications based on Kerberos (Important: latest ver...
Single Sign-On for APEX applications based on Kerberos (Important: latest ver...Single Sign-On for APEX applications based on Kerberos (Important: latest ver...
Single Sign-On for APEX applications based on Kerberos (Important: latest ver...Niels de Bruijn
 
apresentacao_apache2..
apresentacao_apache2..apresentacao_apache2..
apresentacao_apache2..webhostingguy
 
IRJET- An Overview of Web Sockets: The Future of Real-Time Communication
IRJET- An Overview of Web Sockets: The Future of Real-Time CommunicationIRJET- An Overview of Web Sockets: The Future of Real-Time Communication
IRJET- An Overview of Web Sockets: The Future of Real-Time CommunicationIRJET Journal
 
Profiling PHP with Xdebug / Webgrind
Profiling PHP with Xdebug / WebgrindProfiling PHP with Xdebug / Webgrind
Profiling PHP with Xdebug / WebgrindSam Keen
 
SharePoint 2010 Virtualization
SharePoint 2010 VirtualizationSharePoint 2010 Virtualization
SharePoint 2010 VirtualizationMichael Noel
 
Apache ppt
Apache pptApache ppt
Apache pptReka
 
SharePoint 2010 architecture and infrastructure
SharePoint 2010 architecture and infrastructureSharePoint 2010 architecture and infrastructure
SharePoint 2010 architecture and infrastructureSparked
 
Apache web server installation/configuration, Virtual Hosting
Apache web server installation/configuration, Virtual HostingApache web server installation/configuration, Virtual Hosting
Apache web server installation/configuration, Virtual Hostingwebhostingguy
 
Microsoft Windows 7 Improved Network Access
Microsoft Windows 7 Improved Network AccessMicrosoft Windows 7 Improved Network Access
Microsoft Windows 7 Improved Network AccessMicrosoft TechNet
 
Web Server and how we can design app in C#
Web Server and how we can design app in C#Web Server and how we can design app in C#
Web Server and how we can design app in C#caohansnnuedu
 

Similar to Ibm tivoli access manager for e business tracing http connections redp4622 (20)

gofortution
gofortutiongofortution
gofortution
 
Sun Web Server Brief
Sun Web Server BriefSun Web Server Brief
Sun Web Server Brief
 
HTTP/2 Comes to Java: Servlet 4.0 and what it means for the Java/Jakarta EE e...
HTTP/2 Comes to Java: Servlet 4.0 and what it means for the Java/Jakarta EE e...HTTP/2 Comes to Java: Servlet 4.0 and what it means for the Java/Jakarta EE e...
HTTP/2 Comes to Java: Servlet 4.0 and what it means for the Java/Jakarta EE e...
 
Network and distributed systems
Network and distributed systemsNetwork and distributed systems
Network and distributed systems
 
How do I securely deploy Internet websites in PHP on my IBMi?
How do I securely deploy Internet websites in PHP on my IBMi?How do I securely deploy Internet websites in PHP on my IBMi?
How do I securely deploy Internet websites in PHP on my IBMi?
 
Single Sign-On for APEX applications based on Kerberos (Important: latest ver...
Single Sign-On for APEX applications based on Kerberos (Important: latest ver...Single Sign-On for APEX applications based on Kerberos (Important: latest ver...
Single Sign-On for APEX applications based on Kerberos (Important: latest ver...
 
apresentacao_apache2..
apresentacao_apache2..apresentacao_apache2..
apresentacao_apache2..
 
Web Security
Web SecurityWeb Security
Web Security
 
IRJET- An Overview of Web Sockets: The Future of Real-Time Communication
IRJET- An Overview of Web Sockets: The Future of Real-Time CommunicationIRJET- An Overview of Web Sockets: The Future of Real-Time Communication
IRJET- An Overview of Web Sockets: The Future of Real-Time Communication
 
Sun Web Server Brief
Sun Web Server BriefSun Web Server Brief
Sun Web Server Brief
 
Profiling PHP with Xdebug / Webgrind
Profiling PHP with Xdebug / WebgrindProfiling PHP with Xdebug / Webgrind
Profiling PHP with Xdebug / Webgrind
 
Webconnection
WebconnectionWebconnection
Webconnection
 
SharePoint 2010 Virtualization
SharePoint 2010 VirtualizationSharePoint 2010 Virtualization
SharePoint 2010 Virtualization
 
Babitha.4appach
Babitha.4appachBabitha.4appach
Babitha.4appach
 
Babitha.4appach
Babitha.4appachBabitha.4appach
Babitha.4appach
 
Apache ppt
Apache pptApache ppt
Apache ppt
 
SharePoint 2010 architecture and infrastructure
SharePoint 2010 architecture and infrastructureSharePoint 2010 architecture and infrastructure
SharePoint 2010 architecture and infrastructure
 
Apache web server installation/configuration, Virtual Hosting
Apache web server installation/configuration, Virtual HostingApache web server installation/configuration, Virtual Hosting
Apache web server installation/configuration, Virtual Hosting
 
Microsoft Windows 7 Improved Network Access
Microsoft Windows 7 Improved Network AccessMicrosoft Windows 7 Improved Network Access
Microsoft Windows 7 Improved Network Access
 
Web Server and how we can design app in C#
Web Server and how we can design app in C#Web Server and how we can design app in C#
Web Server and how we can design app in C#
 

More from Banking at Ho Chi Minh city

IBM MobileFirst Platform v7.0 POT Offers Lab v1.0
IBM MobileFirst Platform v7.0 POT Offers Lab v1.0IBM MobileFirst Platform v7.0 POT Offers Lab v1.0
IBM MobileFirst Platform v7.0 POT Offers Lab v1.0Banking at Ho Chi Minh city
 
IBM MobileFirst Platform v7.0 POT App Mgmt Lab v1.1
IBM MobileFirst Platform v7.0 POT App Mgmt Lab v1.1IBM MobileFirst Platform v7.0 POT App Mgmt Lab v1.1
IBM MobileFirst Platform v7.0 POT App Mgmt Lab v1.1Banking at Ho Chi Minh city
 
IBM MobileFirst Platform v7.0 POT Analytics v1.1
IBM MobileFirst Platform v7.0 POT Analytics v1.1IBM MobileFirst Platform v7.0 POT Analytics v1.1
IBM MobileFirst Platform v7.0 POT Analytics v1.1Banking at Ho Chi Minh city
 
IBM MobileFirst Platform Pot Sentiment Analysis v3
IBM MobileFirst Platform Pot Sentiment Analysis v3IBM MobileFirst Platform Pot Sentiment Analysis v3
IBM MobileFirst Platform Pot Sentiment Analysis v3Banking at Ho Chi Minh city
 
IBM MobileFirst Platform 7.0 POT InApp Feedback V0.1
IBM MobileFirst Platform 7.0 POT InApp Feedback V0.1IBM MobileFirst Platform 7.0 POT InApp Feedback V0.1
IBM MobileFirst Platform 7.0 POT InApp Feedback V0.1Banking at Ho Chi Minh city
 
Tme 10 cookbook for aix systems management and networking sg244867
Tme 10 cookbook for aix systems management and networking sg244867Tme 10 cookbook for aix systems management and networking sg244867
Tme 10 cookbook for aix systems management and networking sg244867Banking at Ho Chi Minh city
 
Tivoli data warehouse version 1.3 planning and implementation sg246343
Tivoli data warehouse version 1.3 planning and implementation sg246343Tivoli data warehouse version 1.3 planning and implementation sg246343
Tivoli data warehouse version 1.3 planning and implementation sg246343Banking at Ho Chi Minh city
 
Tivoli data warehouse 1.2 and business objects redp9116
Tivoli data warehouse 1.2 and business objects redp9116Tivoli data warehouse 1.2 and business objects redp9116
Tivoli data warehouse 1.2 and business objects redp9116Banking at Ho Chi Minh city
 
Tivoli business systems manager v2.1 end to-end business impact management sg...
Tivoli business systems manager v2.1 end to-end business impact management sg...Tivoli business systems manager v2.1 end to-end business impact management sg...
Tivoli business systems manager v2.1 end to-end business impact management sg...Banking at Ho Chi Minh city
 
Tape automation with ibm e server xseries servers redp0415
Tape automation with ibm e server xseries servers redp0415Tape automation with ibm e server xseries servers redp0415
Tape automation with ibm e server xseries servers redp0415Banking at Ho Chi Minh city
 
Tivoli storage productivity center v4.2 release guide sg247894
Tivoli storage productivity center v4.2 release guide sg247894Tivoli storage productivity center v4.2 release guide sg247894
Tivoli storage productivity center v4.2 release guide sg247894Banking at Ho Chi Minh city
 
Synchronizing data with ibm tivoli directory integrator 6.1 redp4317
Synchronizing data with ibm tivoli directory integrator 6.1 redp4317Synchronizing data with ibm tivoli directory integrator 6.1 redp4317
Synchronizing data with ibm tivoli directory integrator 6.1 redp4317Banking at Ho Chi Minh city
 

More from Banking at Ho Chi Minh city (20)

Postgresql v15.1
Postgresql v15.1Postgresql v15.1
Postgresql v15.1
 
Postgresql v14.6 Document Guide
Postgresql v14.6 Document GuidePostgresql v14.6 Document Guide
Postgresql v14.6 Document Guide
 
IBM MobileFirst Platform v7.0 Pot Intro v0.1
IBM MobileFirst Platform v7.0 Pot Intro v0.1IBM MobileFirst Platform v7.0 Pot Intro v0.1
IBM MobileFirst Platform v7.0 Pot Intro v0.1
 
IBM MobileFirst Platform v7 Tech Overview
IBM MobileFirst Platform v7 Tech OverviewIBM MobileFirst Platform v7 Tech Overview
IBM MobileFirst Platform v7 Tech Overview
 
IBM MobileFirst Foundation Version Flyer v1.0
IBM MobileFirst Foundation Version Flyer v1.0IBM MobileFirst Foundation Version Flyer v1.0
IBM MobileFirst Foundation Version Flyer v1.0
 
IBM MobileFirst Platform v7.0 POT Offers Lab v1.0
IBM MobileFirst Platform v7.0 POT Offers Lab v1.0IBM MobileFirst Platform v7.0 POT Offers Lab v1.0
IBM MobileFirst Platform v7.0 POT Offers Lab v1.0
 
IBM MobileFirst Platform v7.0 pot intro v0.1
IBM MobileFirst Platform v7.0 pot intro v0.1IBM MobileFirst Platform v7.0 pot intro v0.1
IBM MobileFirst Platform v7.0 pot intro v0.1
 
IBM MobileFirst Platform v7.0 POT App Mgmt Lab v1.1
IBM MobileFirst Platform v7.0 POT App Mgmt Lab v1.1IBM MobileFirst Platform v7.0 POT App Mgmt Lab v1.1
IBM MobileFirst Platform v7.0 POT App Mgmt Lab v1.1
 
IBM MobileFirst Platform v7.0 POT Analytics v1.1
IBM MobileFirst Platform v7.0 POT Analytics v1.1IBM MobileFirst Platform v7.0 POT Analytics v1.1
IBM MobileFirst Platform v7.0 POT Analytics v1.1
 
IBM MobileFirst Platform Pot Sentiment Analysis v3
IBM MobileFirst Platform Pot Sentiment Analysis v3IBM MobileFirst Platform Pot Sentiment Analysis v3
IBM MobileFirst Platform Pot Sentiment Analysis v3
 
IBM MobileFirst Platform 7.0 POT InApp Feedback V0.1
IBM MobileFirst Platform 7.0 POT InApp Feedback V0.1IBM MobileFirst Platform 7.0 POT InApp Feedback V0.1
IBM MobileFirst Platform 7.0 POT InApp Feedback V0.1
 
Tme 10 cookbook for aix systems management and networking sg244867
Tme 10 cookbook for aix systems management and networking sg244867Tme 10 cookbook for aix systems management and networking sg244867
Tme 10 cookbook for aix systems management and networking sg244867
 
Tivoli firewall magic redp0227
Tivoli firewall magic redp0227Tivoli firewall magic redp0227
Tivoli firewall magic redp0227
 
Tivoli data warehouse version 1.3 planning and implementation sg246343
Tivoli data warehouse version 1.3 planning and implementation sg246343Tivoli data warehouse version 1.3 planning and implementation sg246343
Tivoli data warehouse version 1.3 planning and implementation sg246343
 
Tivoli data warehouse 1.2 and business objects redp9116
Tivoli data warehouse 1.2 and business objects redp9116Tivoli data warehouse 1.2 and business objects redp9116
Tivoli data warehouse 1.2 and business objects redp9116
 
Tivoli business systems manager v2.1 end to-end business impact management sg...
Tivoli business systems manager v2.1 end to-end business impact management sg...Tivoli business systems manager v2.1 end to-end business impact management sg...
Tivoli business systems manager v2.1 end to-end business impact management sg...
 
Tec implementation examples sg245216
Tec implementation examples sg245216Tec implementation examples sg245216
Tec implementation examples sg245216
 
Tape automation with ibm e server xseries servers redp0415
Tape automation with ibm e server xseries servers redp0415Tape automation with ibm e server xseries servers redp0415
Tape automation with ibm e server xseries servers redp0415
 
Tivoli storage productivity center v4.2 release guide sg247894
Tivoli storage productivity center v4.2 release guide sg247894Tivoli storage productivity center v4.2 release guide sg247894
Tivoli storage productivity center v4.2 release guide sg247894
 
Synchronizing data with ibm tivoli directory integrator 6.1 redp4317
Synchronizing data with ibm tivoli directory integrator 6.1 redp4317Synchronizing data with ibm tivoli directory integrator 6.1 redp4317
Synchronizing data with ibm tivoli directory integrator 6.1 redp4317
 

Recently uploaded

The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 

Recently uploaded (20)

The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 

Ibm tivoli access manager for e business tracing http connections redp4622

  • 1. Redpaper Axel Buecker Ori Pomerantz IBM Tivoli Access Manager for e-business: Tracing HTTP Connections Overview When troubleshooting IBM® Tivoli® Access Manager for e-business it is often necessary to obtain and analyze the traces of HTTP connections. In this IBM Redpaper™ document you will learn how to obtain such traces, and how to interpret them. This paper can help implementors and system administrators who need to solve problems with Tivoli Access Manager for e-business. Why do it? The Tivoli Access Manager for e-business WebSEAL component is an HTTP reverse proxy that receives an HTTP connection from a browser. If an action is authorized, WebSEAL opens a separate HTTP connection to the back-end server. This principle is depicted in Figure 1. Figure 1 HTTP flow between browser, Web SEAL and back-end server © Copyright IBM Corp. 2009. All rights reserved. ibm.com/redbooks 1
  • 2. WebSEAL does not just transfer the information from one connection to the other. It also modifies the URL to interpret junctions. It adds information to the HTTP header for the back-end connection and cookies for the front-end connection. Those changes might cause problems. The easiest way to trace them is to look at the HTTP connections. To find out more about WebSEAL junctions and links refer to the IBM Redpaper publication IBM Tivoli Access Manager for e-business: Junctions and Links, REDP-4621. HTTP header traces WebSEAL always changes the HTTP headers. You can identify many problems by examining the traces for those HTTP headers. Creating HTTP header traces To create a trace of HTTP headers, run the following pdadmin command to start tracing: server task <WebSEAL instance> trace set pdweb.debug 2 file path=<file path> The trace will appear in the path you specified. Run the following pdadmin command to stop the trace: server task <WebSEAL instance> trace set pdweb.debug 0 Interpreting HTTP header traces The HTTP header trace contains all of the HTTP headers and other information. In this paper we only document the lines that are useful for WebSEAL diagnostic purposes. For information about other fields, see the HTTP specifications in RFC 2616, available at the following URL: http://www.w3.org/Protocols/rfc2616/rfc2616.html Request from the browser In this section we cover an initial request from a browser to WebSEAL. The following text appears on one line. 2009-04-28-19:48:37.622-05:00I----- thread(3) trace.pdweb.debug:2 /project/amweb610/build/amweb610/src/pdweb/webseald/ras/trace/debug_log.cpp:134: ----------------- Browser ===> PD ----------------- The relevant parts of the line are the time stamp at the beginning of the line and the arrow indicating that this is a request coming from the browser to the Policy Director (PD). Policy Director is the former product name for IBM Tivoli Access Manager for e-business; therefore, this is a request going from a browser to WebSEAL. The ID for the WebSEAL thread that handled the request is followed by the HTTP request sent by the browser. Thread_ID:2975017888 GET /junc/index.html HTTP/1.1 The first line of the HTTP request is the request itself. In this case, the browser is requesting GET the file /junc/index.html using version 1.1 of the HTTP protocol. 2 IBM Tivoli Access Manager for e-business: Tracing HTTP Connections
  • 3. The request is followed by the HTTP header fields. Some of these fields are optional, and they can appear in any order. The following line is the host part of the URL (and the port number, if specified): host: tam The host name is useful in the case of virtual host junctions, where this field determines the junction and the back-end server. The following line is the identity of the browser that sent the request: user-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.10) Gecko/20071015 SUSE/2.0.0.10-0.11 Firefox/2.0.0.10 The following line specifies the end of the entry, in this case the request from the browser. --------------------------------------------------- Request for basic authentication The request in the previous section came from an unauthenticated browser. In the next section WebSEAL requests basic authentication before proceeding any further. This code is also on one line. 2009-04-28-19:48:37.670-05:00I----- thread(3) trace.pdweb.debug:2 /project/amweb610/build/amweb610/src/pdweb/webseald/ras/trace/debug_log.cpp:178: ----------------- Browser <=== PD ----------------- Notice that the arrow now points from PD to the Web browser. This is a response. The first line of the HTTP reply is the reply itself. HTTP/1.1 401 Unauthorized In this case, the server is using version 1.1 of the HTTP protocol, the same version as the browser. The response is 401, meaning that the request requires authentication. This reply happens in response to a request that is not authenticated or in response to a response authenticated as an unauthorized user. The number is followed by a string, which can be displayed to the user. The following field specifies the Platform for Privacy Preferences settings, a standard mechanism to specify the privacy practices of Web sites. p3p: CP="NON CUR OTPi OUR NOR UNI" You can read more about P3P at the following URL: http://www.w3.org/P3P The following field identifies the Web server, in this case WebSEAL. server: WebSEAL/6.1.0.0 (Build 080319) Servers that ask for basic authentication include the following field so that the browser can show it to the user. www-authenticate: Basic realm="Access Manager for e-business" To modify this value, change the basic-auth-realm property in the [ba] stanza of the instance configuration file. Set-Cookie: PD-S-SESSION-ID=2_mNCraP8I1j7MvXEqWXfaxFbawImnvMOwKHsrU3MF5mqJpnqS; Path=/; Secure IBM Tivoli Access Manager for e-business: Tracing HTTP Connections 3
  • 4. This code is all on one line and sets a cookie called PD-S-SESSION-ID that stores the session ID. To modify the cookie name, change the ssl-session-cookie-name (or, for HTTP, tcp-session-cookie-name) in the [session] section of the instance configuration file. The information after the semicolon (;) is the cookie attributes. The Path attribute specifies that this cookie should be sent back with any request that starts with a slash (/), which means any request. The Secure attribute specifies that the cookie needs to be secure, for example, not to be sent back in clear text. For more information about cookies, see the draft specifications that are available at the following URL: http://web.archive.org/web/20060424004149/wp.netscape.com/newsref/std/cookie_spec. html Basic authentication response The basic authentication response is almost identical to the original request, but with two additional lines. The authorization: field specifies the user name and password. Because it is sensitive information, the value is not shown in the trace. authorization:*********************************** The following line returns the session ID cookie set by the server in the previous section. If you have to use a trace from a production environment, you can use the session ID to identify which requests come from which browser. Cookie: PD-S-SESSION-ID=2_mNCraP8I1j7MvXEqWXfaxFbawImnvMOwKHsrU3MF5mqJpnqS Request to the back-end WebSEAL decided that the request from the browser was authorized. The next entry is the request that WebSEAL sends to the back-end server. 2009-04-28-19:48:45.977-05:00I----- thread(4) trace.pdweb.debug:2 /project/amweb610/build/amweb610/src/pdweb/webseald/ras/trace/debug_log.cpp:134: ----------------- PD ===> BackEnd ----------------- This text is all on one line and represents the request that goes from PD (WebSEAL) to the back-end server. This is the HTTP request: GET /index.html HTTP/1.1 host: backend:81 The host field is taken from the junction. Notice that it includes the port number when that is not the default (80 for HTTP, 443 for HTTPS). The user agent field is relayed from the browser. This way, the back-end server can send different replies to different browsers. user-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.10) Gecko/20071015 SUSE/2.0.0.10-0.11 Firefox/2.0.0.10 The via: field contains proxy information. WebSEAL is a proxy, so the information for WebSEAL is listed here. via: HTTP/1.1 tam:443 4 IBM Tivoli Access Manager for e-business: Tracing HTTP Connections
  • 5. This is one of a number of HTTP header fields that could be inserted by WebSEAL when communicating with the back end. It is specified in the server_name property of the [header-names] stanza of the instance configuration file. iv_server_name: default-webseald-tam.ibm.com If the junction had been created with the -c parameter, you would see the user identification fields: iv-user, iv-user-l, iv-groups, and iv-creds. Back-end response The back-end server responds to the request. The following text, all on one line, shows that the response goes from the back-end server to PD (WebSEAL). 2009-04-28-19:48:46.102-05:00I----- thread(4) trace.pdweb.debug:2 /project/amweb610/build/amweb610/src/pdweb/webseald/ras/trace/debug_log.cpp:178: ----------------- PD <=== BackEnd ----------------- The following field identifies the server, which can be useful in verifying that junctions direct to the correct back-end server. server: IBM_HTTP_Server Response to the browser Finally, the browser gets the page the user requested. The text, all on one line, shows that the response goes from PD (WebSEAL) to the browser. 2009-04-28-19:48:46.102-05:00I----- thread(4) trace.pdweb.debug:2 /project/amweb610/build/amweb610/src/pdweb/webseald/ras/trace/debug_log.cpp:178: ----------------- Browser <=== PD ----------------- WebSEAL sets a new session ID value. Set-Cookie: PD-S-SESSION-ID=2_NZm8soRZG9QP7BDkktl1RXlPmlj0NPLmk-9Q1ubddvU3lGCh; Path=/; Secure Browser request for additional information Displaying an HTML page often requires the browser to retrieve additional files: images, style sheets, and so on. In the following entry you can see the Web page that caused the request in the referer: field. 2009-04-28-19:48:49.895-05:00I----- thread(5) trace.pdweb.debug:2 /project/amweb610/build/amweb610/src/pdweb/webseald/ras/trace/debug_log.cpp:134: ----------------- Browser ===> PD ----------------- Thread_ID:2973952928 GET /junc/http_server_styles.css HTTP/1.1 accept: text/css,*/*;q=0.1 accept-encoding: gzip,deflate accept-language: en-us,en;q=0.5 authorization:*********************************** connection: keep-alive host: tam keep-alive: 300 referer: https://tam/junc/index.html user-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.10) Gecko/20071015 SUSE/2.0.0.10-0.11 Firefox/2.0.0.10 accept-charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Cookie: PD-S-SESSION-ID=2_NZm8soRZG9QP7BDkktl1RXlPmlj0NPLmk-9Q1ubddvU3lGCh IBM Tivoli Access Manager for e-business: Tracing HTTP Connections 5
  • 6. Using header traces The following example is a problem that can be solved using a header trace. WebSEAL is set up for forms authentication. A user complains that WebSEAL ignores the authentication. The relevant part of the trace is: 2009-04-30-21:07:21.712-05:00I----- thread(17) trace.pdweb.debug:2 /project/amweb610/build/amweb610/src/pdweb/webseald/ras/trace/debug_log.cpp:134: ----------------- Browser ===> PD ----------------- Thread_ID:2961496992 GET /junc HTTP/1.1 accept: text/html, image/jpeg, image/png, text/*, image/*, */* accept-encoding: x-gzip, x-deflate, gzip, deflate accept-language: en connection: Keep-Alive host: 192.168.90.3 user-agent: Mozilla/5.0 (compatible; Konqueror/3.5; Linux 2.6.19; X11) KHTML/3.5.5 (like Gecko) (Debian package 4:3.5.5a.dfsg.1-5) accept-charset: iso-8859-1, utf-8;q=0.5, *;q=0.5 cache-control: no-cache pragma: no-cache The browser is asking for a page protected by WebSEAL. --------------------------------------------------- 2009-04-30-21:07:21.713-05:00I----- thread(17) trace.pdweb.debug:2 /project/amweb610/build/amweb610/src/pdweb/webseald/ras/trace/debug_log.cpp:178: ----------------- Browser <=== PD ----------------- Thread_ID:2961496992 HTTP/1.1 200 OK content-length: 1970 content-type: text/html date: Fri, 01 May 2009 02:07:21 GMT p3p: CP=”NON CUR OTPi OUR NOR UNI” server: WebSEAL/6.1.0.0 (Build 080319) pragma: no-cache cache-control: no-cache Set-Cookie: PD-H-SESSION-ID=4_ITXlIcoIVJkyRq8fpH3BXYmKW792wrlKZHBEkq8NLV57109J; Path=/ WebSEAL replies, probably with the logon form. It also attempts to set a cookie, PD-H-SESSION-ID. --------------------------------------------------- 2009-04-30-21:07:26.718-05:00I----- thread(17) trace.pdweb.debug:1 /project/amweb610/build/amweb610/src/pdweb/webseald/http/server/handle-call.cpp:13 9: IO error during request parsing 2009-04-30-21:07:30.168-05:00I----- thread(18) trace.pdweb.debug:2 /project/amweb610/build/amweb610/src/pdweb/webseald/ras/trace/debug_log.cpp:134: ----------------- Browser ===> PD ----------------- Thread_ID:2960964512 POST /pkmslogin.form HTTP/1.1 accept: text/html, image/jpeg, image/png, text/*, image/*, */* accept-encoding: x-gzip, x-deflate, gzip, deflate accept-language: en connection: Keep-Alive content-length: 57 content-type: application/x-www-form-urlencoded host: 192.168.90.3 referer: http://192.168.90.3/junc 6 IBM Tivoli Access Manager for e-business: Tracing HTTP Connections
  • 7. user-agent: Mozilla/5.0 (compatible; Konqueror/3.5; Linux 2.6.19; X11) KHTML/3.5.5 (like Gecko) (Debian package 4:3.5.5a.dfsg.1-5) accept-charset: iso-8859-1, utf-8;q=0.5, *;q=0.5 cache-control: no-cache pragma: no-cache The browser posts to /pkmslogin.form, presumably the logon information. However, it does not return the cookie. The problem might be that the cookies are turned off in the browser. Forms authentication cannot work without cookies. Message body traces To solve some problems, you need to look at the message bodies, the actual files transferred using HTTP. To do that, use pdweb.snoop. It provides the same function as a network sniffer, but provides it within WebSEAL outside the SSL tunnel so that the encryption is not an issue. Creating message body traces To create a trace that includes the message body, run the following pdadmin command to start tracing: server task <WebSEAL instance> trace set pdweb.snoop 9 file path=<file path> The trace will appear in the path you specified. Run the following pdadmin command to stop the trace: server task <WebSEAL instance> trace set pdweb.snoop 0 Instead of pdweb.snoop, you can use pdweb.snoop.client to trace only the communication between WebSEAL and the client. You can also use pdweb.snoop.jct to trace only the communication between WebSEAL and the back-end server. Interpreting message body traces The following example is the output of pdweb.snoop. 2009-04-29-23:25:49.966-05:00I----- thread(16) trace.pdweb.snoop.jct:1 /project/amwebrte610/build/amwebrte610/src/pdwebrte/webcore/amw_snoop.cpp:170: The header line shows the time and date. It also shows the exact component that generated the message, either pdweb.snoop.client for communication between a browser and WebSEAL or pdweb.snoop.jct for communication between WebSEAL and a back-end server. The following line shows the IP address and port number for the local (WebSEAL) and remote (browser or back-end server). ---------------------------------------- Thread 2963569568; fd 18; local 192.168.90.3:54192; remote 192.168.90.4:81 Receiving 454 bytes The main snoop output consists of three columns: byte number (in hexadecimal), the bytes (also in hexadecimal), and the bytes as ASCII text. The third column is typically the most useful one. IBM Tivoli Access Manager for e-business: Tracing HTTP Connections 7
  • 8. 0x0000 4854 5450 2f31 2e31 2034 3034 204e 6f74 HTTP/1.1.404.Not 0x0010 2046 6f75 6e64 0d0a 4461 7465 3a20 5765 .Found..Date:.We 0x0020 642c 2032 3920 4170 7220 3230 3039 2031 d,.29.Apr.2009.1 0x0030 393a 3238 3a30 3020 474d 540d 0a53 6572 9:28:00.GMT..Ser 0x0040 7665 723a 2049 424d 5f48 5454 505f 5365 ver:.IBM_HTTP_Se 0x0050 7276 6572 0d0a 436f 6e74 656e 742d 4c65 rver..Content-Le 0x0060 6e67 7468 3a20 3238 310d 0a43 6f6e 6e65 ngth:.281..Conne 0x0070 6374 696f 6e3a 2063 6c6f 7365 0d0a 436f ction:.close..Co 0x0080 6e74 656e 742d 5479 7065 3a20 7465 7874 ntent-Type:.text 0x0090 2f68 746d 6c3b 2063 6861 7273 6574 3d69 /html;.charset=i 0x00a0 736f 2d38 3835 392d 310d 0a0d 0a3c 2144 so-8859-1....<!D The lines show an HTTP header (the error message is 404, which means a file requested from the server was not found). To preserve the column format, non printable characters, such as new line, are printed as dots. You can identify them by looking at the bytes in hexadecimal. The characters, 0d0a, would be in the location corresponding to a new line. Notice the two consecutive new lines (shown in bold). They mark the end of the header and the beginning of the message body. 0x00b0 4f43 5459 5045 2048 544d 4c20 5055 424c OCTYPE.HTML.PUBL 0x00c0 4943 2022 2d2f 2f49 4554 462f 2f44 5444 IC.”-//IETF//DTD 0x00d0 2048 544d 4c20 322e 302f 2f45 4e22 3e0a .HTML.2.0//EN”>. 0x00e0 3c68 746d 6c3e 3c68 6561 643e 0a3c 7469 <html><head>.<ti 0x00f0 746c 653e 3430 3420 4e6f 7420 466f 756e tle>404.Not.Foun 0x0100 643c 2f74 6974 6c65 3e0a 3c2f 6865 6164 d</title>.</head 0x0110 3e3c 626f 6479 3e0a 3c68 313e 4e6f 7420 ><body>.<h1>Not. 0x0120 466f 756e 643c 2f68 313e 0a3c 703e 5468 Found</h1>.<p>Th 0x0130 6520 7265 7175 6573 7465 6420 5552 4c20 e.requested.URL. 0x0140 2f69 6d61 6765 732f 6f64 6f74 2e6a 7067 /images/odot.jpg 0x0150 2077 6173 206e 6f74 2066 6f75 6e64 206f .was.not.found.o 0x0160 6e20 7468 6973 2073 6572 7665 722e 3c2f n.this.server.</ 0x0170 703e 0a3c 6872 202f 3e0a 3c61 6464 7265 p>.<hr./>.<addre 0x0180 7373 3e49 424d 5f48 5454 505f 5365 7276 ss>IBM_HTTP_Serv 0x0190 6572 2053 6572 7665 7220 6174 2062 6163 er.Server.at.bac 0x01a0 6b65 6e64 2050 6f72 7420 3831 3c2f 6164 kend.Port.81</ad 0x01b0 6472 6573 733e 0a3c 2f62 6f64 793e 3c2f dress>.</body></ 0x01c0 6874 6d6c 3e0a html>. These lines show the HTML, which is the HTTP message body. To make the HTML easier to read, put the lines together and translate the control characters, as listed in Table 1. Table 1 Control characters Hexadecimal Byte Character 09 Tab 0a New line 0d Ignore 20 Space 8 IBM Tivoli Access Manager for e-business: Tracing HTTP Connections
  • 9. By translating 0a to a new line and 20 to a space, you can make the HTML easier to read. <!DOCTYPE HTML PUBLIC "-//IEFT//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <o>The requested URL /images/odot.jpg was not found on this server.</p> <hr /> <address>IBM_HTTP_Server Server at backend Port 81</address> </body></html> Using message body traces The following example is a problem that can be solved by tracing the message body. A Web page contains a link that does not work through WebSEAL. This is the relevant part of the trace: 2009-04-30-22:58:13.895-05:00I----- thread(24) trace.pdweb.snoop.client:1 /project/amwebrte610/build/amwebrte610/src/pdwebrte/webcore/amw_snoop.cpp:196: ---------------------------------------- Thread 2972412832; fd 8; local [::ffff:192.168.90.3]:443; remote [::ffff:192.168.90.3]:56700 Sending 3727 bytes 0x0000 4854 5450 2f31 2e31 2032 3030 204f 4b0d HTTP/1.1.200.OK. 0x0010 0a61 6363 6570 742d 7261 6e67 6573 3a20 .accept-ranges:. 0x0020 6279 7465 730d 0a63 6f6e 7465 6e74 2d74 bytes..content-t 0x0030 7970 653a 2074 6578 742f 6874 6d6c 0d0a ype:.text/html.. . . . 0x0450 3c48 323e 5765 6c63 6f6d 6520 746f 2074 <H2>Welcome.to.t 0x0460 6865 2042 6163 6b65 6e64 2053 6572 7665 he.Backend.Serve 0x0470 723c 2f48 323e 0a0a 3c73 6372 6970 743e r</H2>..<script> 0x0480 0a64 6f63 756d 656e 742e 7772 6974 6528 .document.write( 0x0490 223c 6120 6872 6566 3d5c 2268 7474 703a “<a.href=”http: 0x04a0 2f2f 6261 636b 656e 643a 3831 2f6c 696e //backend:81/lin 0x04b0 6b65 642e 6874 6d6c 5c22 3e43 6c69 636b ked.html”>Click 0x04c0 2068 6572 652e 3c2f 613e 3c2f 6272 3e22 .here.</a></br>” 0x04d0 293b 0a3c 2f73 6372 6970 743e 0a0a 3c74 );.</script>..<t 0x04e0 723e 0a0a 2020 2020 2020 2020 3c74 643e r>..........<td> As you can see, there is an absolute link inside a script that is not translated. To fix this problem, recreate the junction with -j. Summary You should now be able to view the information passing through WebSEAL and use it to troubleshoot HTTP-related problems. IBM Tivoli Access Manager for e-business: Tracing HTTP Connections 9
  • 10. Resources For more information consult the following resources. More information about the IBM Tivoli Access Manager for e-business architecture and components can be found in the IBM Redbooks® publication Enterprise Security Architecture Using IBM Tivoli Security Solutions, SG24-6014. http://www.redbooks.ibm.com/abstracts/sg246014.html?Open The HTTP protocol is defined in RFC 2616, available at the following URL: http://tools.ietf.org/html/rfc2616 Cookies are explained in the draft specifications, available at the following URL: http://web.archive.org/web/20060424004149/wp.netscape.com/newsref/std/cookie_sp ec.html An explanation of P3P is available at the following URL: http://www.w3.org/P3P The team who wrote this IBM Redpaper This paper was produced by a team of specialists from around the world working at the International Technical Support Organization, Austin Center. Axel Buecker a Certified Consulting Software IT Specialist at the ITSO, Austin Center. He writes extensively and teaches IBM classes worldwide on areas of software security architecture and network computing technologies. He holds a degree in Computer Science from the University of Bremen, Germany. He has 23 years of experience in a variety of areas related to workstation and systems management, network computing, and e-business solutions. Before joining the ITSO in March 2000, Axel worked for IBM in Germany as a Senior IT Specialist in Software Security Architecture. Ori Pomerantz has been securing computer networks—and teaching other people to do the same—since 1995. Since joining IBM in 2003, he has written classes on several Tivoli security products. He is also a co-author of the IBM Press publication Mainframe Basics for Security Professionals: Getting Started with RACF, ISBN-13: 978-0-13-173856-0, 2007. Thanks to the following people for their contributions to this project: Alison Chandler International Technical Support Organization, Poughkeepsie Center Sten Drescher, Erica Smith IBM 10 IBM Tivoli Access Manager for e-business: Tracing HTTP Connections
  • 11. Notices This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service. IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to: IBM Director of Licensing, IBM Corporation, North Castle Drive, Armonk, NY 10504-1785 U.S.A. The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you. This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice. Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk. IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you. Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental. COPYRIGHT LICENSE: This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. © Copyright International Business Machines Corporation 2009. All rights reserved. Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. 11
  • 12. This document REDP-4622-00 was created or updated on December 3, 2009. Send us your comments in one of the following ways: ® Use the online Contact us review Redbooks form found at: ibm.com/redbooks Send your comments in an email to: redbooks@us.ibm.com Mail your comments to: IBM Corporation, International Technical Support Organization Dept. HYTD Mail Station P099 2455 South Road Poughkeepsie, NY 12601-5400 U.S.A. Redpaper ™ Trademarks IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. These and other IBM trademarked terms are marked on their first occurrence in this information with the appropriate symbol (® or ™), indicating US registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at http://www.ibm.com/legal/copytrade.shtml The following terms are trademarks of the International Business Machines Corporation in the United States, other countries, or both: IBM® Redbooks® Redbooks (logo) ® RACF® Redpaper™ Tivoli® Other company, product, or service names may be trademarks or service marks of others. 12 IBM Tivoli Access Manager for e-business: Tracing HTTP Connections