33.6.1 Turning on Logging for Policy Evaluation

Policy evaluation for roles occurs at Identity Server. For Authorization and Identity Injection policies, policy evaluation occurs on the Embedded Service Provider (ESP) where the policy is enabled.

Form Fill policies are evaluated and logged by both ESP and the proxy service. To set the logging level of the proxy service on Access Gateway, see Enabling Form Fill Logging.

Logging for the policy evaluation done by ESP is controlled by the log settings of Identity Server configuration. To enable this type of logging:

  1. Click Devices > Identity Servers > Edit > Auditing and Logging.

    If you have set up more than one Identity Server configuration, ensure that you select the configuration to which the other Access Manager components have been assigned.

  2. Select Enabled for File Logging.

  3. Select the option to echo the trace messages to the console. On Access Gateway Appliance, Access Gateway Service, and Identity Server, this writes the messages to the catalina.out file, which is the file you download in step 7.

  4. (Optional) Specify a path for Identity Server log files.

  5. For policy evaluation tracing, set the Application level to info in the Component File Logger Levels section.

    If you are only troubleshooting policies at this time, do not select any other options. This reduces the amount of information recorded in the log files.

    To see the policy SOAP messages, set the Application level to verbose. Verbose output records the SOAP payloads exchanged for policy evaluation, which can include user attribute values, so restrict access to the downloaded log files and return the level to its previous setting when you have finished troubleshooting.

  6. Update Identity Server.

  7. Click Auditing > General Logging and download Identity Server and ESP catalina.out logs.

    • For role evaluation traces, view Identity Server catalina.out file.

      If your Identity Servers are clustered, you need to look at the file from each Identity Server.

    • For Authorization, Form Fill, and Identity Injection evaluation traces, view the log file of ESP of the device that is protecting the resource.

      Access Gateway Appliance or Service: This is the catalina.out file of Access Gateway where the protected resource is defined. If Access Gateway is part of a cluster, you need to look at this file from each Access Gateway in the group.

      To view the actual ESP log file that contains only ESP log messages, see the nidp.*.xml files in the /var/opt/novell/tomcat/webapps/nesp/WEB-INF/logs directory (or the directory you specified in step 4). Depending upon how you have configured File Wrap, the * portion of the filename contains the month, the week, the day, and the hour.

  8. To understand what you are looking for in the log file, continue with one of the following:
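Step 7 tells you to check the catalina.out file (and the nidp.*.xml files) of every member of a cluster, because you do not know which member handled the request. The following shell helper is an added example, not part of the Access Manager documentation or product: it searches logs that you have already copied from each cluster member into one directory per node (that one-directory-per-node layout is an assumption of this example) for a policy name and tells you which nodes logged nothing. The log lines and the nidp.*.xml file name it creates are constructed for the demonstration and do not reproduce the real Access Manager trace format.

```shell
#!/bin/sh
# Added example (not from the Access Manager documentation): search ESP and
# Identity Server logs collected from every cluster member for a policy's
# trace lines.
#
# Assumed layout (an assumption of this example, not something the page
# prescribes):
#   <collect_dir>/<node-name>/catalina.out
#   <collect_dir>/<node-name>/nidp.*.xml   (copied from the WEB-INF/logs dir)

# find_policy_traces COLLECT_DIR PATTERN
# Prints "node:file:line:text" for every matching line, node by node.
# Returns 0 if at least one node logged the pattern, 1 if no node did
# (then either none of these nodes served the resource, or the Application
# level was not set to info and the server updated).
find_policy_traces() {
    collect_dir=$1
    pattern=$2
    hits=0
    for node_dir in "$collect_dir"/*/; do
        [ -d "$node_dir" ] || continue
        node=$(basename "$node_dir")
        node_hits=0
        for f in "$node_dir"catalina.out "$node_dir"nidp.*.xml; do
            [ -f "$f" ] || continue
            # -n prefixes the line number, -i tolerates case differences
            matches=$(grep -n -i -- "$pattern" "$f" 2>/dev/null) || true
            if [ -n "$matches" ]; then
                printf '%s\n' "$matches" | sed "s|^|$node:$(basename "$f"):|"
                node_hits=1
            fi
        done
        if [ "$node_hits" -eq 0 ]; then
            echo "$node: no trace for '$pattern' (does this node serve the resource, and was the level set to info and the server updated?)" >&2
        fi
        hits=$((hits + node_hits))
    done
    [ "$hits" -gt 0 ]
}

# Constructed sample: two Access Gateway cluster members, only one of which
# evaluated the (hypothetical) policy Authz_Finance. Remove $SAMPLE_DIR when done.
SAMPLE_DIR=$(mktemp -d)
mkdir -p "$SAMPLE_DIR/ag-node1" "$SAMPLE_DIR/ag-node2"
cat > "$SAMPLE_DIR/ag-node1/catalina.out" <<'EOF'
2024-01-10 10:01:02 INFO  ESP startup complete
2024-01-10 10:05:17 INFO  Evaluating policy Authz_Finance for user jdoe
2024-01-10 10:05:17 INFO  Policy Authz_Finance result: PERMIT
EOF
cat > "$SAMPLE_DIR/ag-node1/nidp.2024.01.10.10.xml" <<'EOF'
<entry>policy Authz_Finance condition evaluated (constructed sample line)</entry>
EOF
cat > "$SAMPLE_DIR/ag-node2/catalina.out" <<'EOF'
2024-01-10 10:01:05 INFO  ESP startup complete
EOF

# Usage: matches from ag-node1 are printed; ag-node2 is reported on stderr.
find_policy_traces "$SAMPLE_DIR" "Authz_Finance"
```

Point the first argument at the directory holding the per-node copies you downloaded in step 7; a non-zero exit with every node reported empty is the signal to recheck steps 5 and 6 before reading further.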