CA Identity Manager Connector Guides › Connectors Guide › Managing CA IAM Connector Server

Managing CA IAM Connector Server

This section contains the following topics:

Change the Administrator Password for CA IAM Connector Server

Connect to CA IAM Connector Server from JXplorer

Find the Version of CA IAM Connector Server

Log In to CA IAM Connector Server

You can use a web browser to log on to CA IAM Connector Server from any computer, using details that you specified during installation.

Use the following URL:

http://hostname:port

hostname: Specifies the name of the computer running CA IAM Connector Server, as a fully qualified domain name
port: Specifies the HTTP or HTTPS port that was set during installation.

Example URLs for CA IAM Connector Server

http://myserver.mycompany.org:20080

https://myserver.mycompany.org:20443

Start and Stop CA IAM Connector Server

You can start and stop CA IAM Connector Server using the following methods.

UNIX daemon—The installation process creates a startup script named im_jcs and links it to the rc.d system on the local system. The script automatically runs CA IAM Connector Server in run levels 2-5, or shuts it down on 0,1, and 6 corresponding to system halt, single user mode, and reboot.
Use the following commands to start, restart, and stop the daemon:
```
/etc/init.d/im_jcs start
```
```
/etc/init.d/im_jcs restart 
```
```
/etc/init.d/im_jcs stop 
```
Use the following command to display the status of the daemon:
```
/etc/init.d/im_jcs status
```
Windows service—Start and stop the CA Identity Manager - Connector Server (Java) service.
Windows command line—Use the following commands to start and stop the service:
```
net start im_jcs
```
```
net stop im_jcs
```

Logging for CA IAM Connector Server

You can see log files for the following components:

Logging for CA IAM Connector Server
Logging for each endpoint type

View a Log

You can view a log by reading a text file, or through a web browser.

To see the 500 most recent log messages, log in to CA IAM Connector Server, and click the Logs tab.

To see an entire log, open one of the following files from cs_home\jcs\logs:

Log File Name	Description
jcs_daily.log	Today's logging from CA IAM Connector Server. These messages are also displayed in the Logs tab.
jcs_daily.log.YYYYMMDD	jcs_daily.log for a particular date
servicemix.log	All the content from the jcs_daily.log, plus some additional messages from ServiceMix. ServiceMix is the toolkit with which CA IAM Connector Server was created.
servicemix.log.YYYYMMDD	servicemix.log for a particular date
endpoint-type/jcs_conn_connector-name.log	Logging for a connector
endpoint-type/jcs_conn_connector-name.log.YYYYMMDD	Logging for a connector for a particular date

When you are trying to identify a fault, we recommend that you start with jcs_daily* files and work downwards to the connector-specific log files.

Configure Logging for CA IAM Connector Server

The jcs_daily.log and servicemix.log files that are listed in View a Log are configured in a text file. You can modify the file to change the following aspects of logging:

The logging levels for each of the components in CA IAM Connector Server.
Whether log files are appended daily
The formatting of the lines that are written to the log

By default, the logging configuration is minimal, so that performance is not reduced.

If you find a problem with a connector or CA IAM Connector Server, contact CA Support. Before you send your logs to the support team, we recommend that you configure the logging to capture detailed information.

Follow these steps:

Identify how to trigger the problem with your deployment.
Replace the default logging configuration file with the verbose configuration:
1. Find the following file:
```
cs_home/etc/org.ops4j.pax.logging.cfg
```
2. Rename this file to org.ops4j.pax.logging.cfg.original.
3. Find org.ops4j.pax.logging.cfg.verbose and rename it to remove .verbose. This file will now provide the logging configuration.
4. Restart CA IAM Connector Server.
Trigger the problem that you have identified.
Zip the entire cs_home/logs directory, and include the zipped file with your support request.
To reduce the logging level, reverse step 2:
1. Rename org.ops4j.pax.logging.cfg to org.ops4j.pax.logging.cfg.verbose.
2. Rename org.ops4j.pax.logging.cfg.original to org.ops4j.pax.logging.cfg.
3. Restart CA IAM Connector Server.

Note: You can also edit org.ops4j.pax.logging.cfg in a text editor.

Configure Logging for a Connector

Each endpoint type has a configuration file that defines its logging. You can configure the logging for a particular connector by sending LDAP commands to CA IAM Connector Server.

The endpoint log files contain most of the logging data for the relevant connector. However, also look for relevant logging in the jcs_daily.log* systemwide log file. Messages can be logged to the systemwide file for the following reasons:

A connector uses third-party libraries.
A connector was developed (using Connector Xpress or the SDK) without sufficient attention to logging.
Problems occur while creating or activating a connector.

Follow these steps:

With an LDAP client, bind to CA IAM Connector Server using the following details:
- Port: 20410 (LDAP) or 20411 (LDAPS)
- User: cn=root,dc=etasa
- Password: Use the password that was specified during installation
Find the entry with the following DN:
```
eTDYNDirectoryName=${CONN},eTNamespaceName=${CONN_TYPE},dc=${DOMAIN},dc=etasa
```
You can enable and configure logging by changing the attributes of this entry.
To enable logging for a connector, modify the following attribute:
- eTLog=1 (active)
To configure the logging level for a connector, include the following attributes:
- eTLogDestination='F' (file)
- eTLogFileSeverity=severity-code
  Use the following severity codes:

Logging Level	Severity in Provisioning Server	Severity Code in Provisioning Server
DEBUG	Information	I
INFO	Non-Admin Success	S
WARN	Warning	W
ERROR	Error	E
FATAL	Fatal	F

Increase the Number of Log Messages Seen

When you log in to CA IAM Connector Server to view log messages, you can see only the 500 most recent messages. These messages are kept in memory, which is why so few can be seen.

You can filter which messages are shown on the Logs tab, using the options under the Logs heading. These filters apply to the 500 most recent messages. They do not change the way that CA IAM Connector Server records log messages.

You can configure the page to display more or fewer messages.

Follow these steps:

Open the following file in a text editor:
```
cs_home/etc/org.apache.karaf.log.cfg
```
Find and edit the following setting:
```
size = 500
```
Note: If you set the size too high, CA IAM Connector Server becomes slower.
Save the file.
Restart CA IAM Connector Server.

Interpreting Log Messages

All log messages include the following information:

Date and time

The timestamp on the local host when the message was logged. The date and time use ISO8601 format.

Elapsed time

The number of milliseconds elapsed since the server started.

Thread name

The thread that logged the message, for example [Timer-1].

Bundle name, class name, and line number

The bundle that contains the executed code, the class from which the message came, and the line number (if this number is available). This section uses the following format:

(bundle-name:class-name:line)

For example:

(com.ca.jcs.core:com.ca.jcs.osgi.listener.ImplBundleServiceListener:123)

Severity level

The severity of the message:

Error
Warning
Info
Debug

Message

The actual log message.

Change the Administrator Password for CA IAM Connector Server

To ensure better security across a deployment you can change the password of the administrative user of CA IAM Connector Server.

CA IAM Connector Server remembers all passwords for all users since it was last restarted. All of these passwords are accepted as valid for bind requests. Each user can reset only their own cache.

The cache of old passwords is useful for a system where many applications connect to one connector server. In this situation, the applications may not update their stored passwords for CA IAM Connector Server at the same time, but they can still access the connector server.

However, these old passwords make your system potentially insecure. To make the connector server forget the old passwords, clear the password cache. To clear a password cache, you must be logged in as that user.

Follow these steps:

Log in to CA IAM Connector Server as the administrator and change the password.
Update the password stored in all provisioning servers and any other clients that connect to CA IAM Connector Server.
Log in to CA IAM Connector Server as the administrator.
Choose the Reset Password Cache option in your username menu in the top right.
The following example shows the menu for a user named admin:

Connect to CA IAM Connector Server from JXplorer

You can use the following parameters to connect to CA IAM Connector Server from an LDAP browser such as JXplorer.

These settings are configured in server_osgi_jcs.xml. Changing the User DN is problematic because of assumptions within ApacheDS. To avoid problems, server_osgi_jcs.xml includes the property java.naming.security.principal.alias. This property simulates use of a different user DN, as an alias to "uid=admin,ou=system".

Host

Specifies the host server name of CA IAM Connector Server

Protocol

LDAP v3

Port

Default port number: 20411, when using level: SSL + User + Password (TLS)

20410, when using the less safe level: User + Password

User DN

uid=admin,ou=system

Password

As configured during installation.

Note: For more information on JXplorer, see http://www.jxplorer.org.

Find the Version of CA IAM Connector Server

To determine the version of your CA IAM Connector Server installation, look in the following file:

cs_home/version.properties