Detailed trace logging is available to help you solve your X.509 certificate authentication and validation problems.
In addition to the typical OCSP and CRL messages, the Policy Server also logs information about failover events. If a failover event occurs, the Policy Server logs diagnostic messages specific to the certificate validation failure, followed by messages describing the failover. These messages can indicate either that OCSP could not be contacted and the Policy Server is using a CRL, or that the CRL fetch failed and the Policy Server is failing over to OCSP checking.
To view OCSP and CRL log messages, enable authentication trace logging using the Profiler in the Policy Server Management Console.
You can determine which components and data fields the Policy Server includes for trace logging by modifying the default template file smtracedefault.txt.
The following smtracedefault.txt file shows some recommended components to include in the file for certificate validation diagnostics in the trace log.
components: Login_Logout/Authentication, Login_Logout/Certificates, Login_Logout/Receive_Request, IsAuthorized/Policy_Evaluation, IsAuthorized/Receive_Request, Directory_Access, LDAP/Ldap_Error_Messages
data: Date, PreciseTime, SrcFile, Function, ReturnValue, Message, User, Directory, SearchKey, ErrorString, ErrorValue, AuthStatus, AuthReason, CertSerial, SubjectDN, IssuerDN, CertDistPt, UserDN, Data, HexadecimalData, CallDetail, Returns, Result
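One way to confirm that a trace template in use still carries the components and data fields recommended above, so that certificate validation and failover messages are not silently dropped from the trace. This is an added example, not CA code; the function names are hypothetical and the parsing assumes the "components:" / "data:" comma-separated layout shown on this page.

```python
# Added example: report which recommended entries a trace template lacks.
# Assumption: each section is one line of the form "name: a, b, c".

RECOMMENDED = {
    "components": [
        "Login_Logout/Authentication", "Login_Logout/Certificates",
        "Login_Logout/Receive_Request", "IsAuthorized/Policy_Evaluation",
        "IsAuthorized/Receive_Request", "Directory_Access",
        "LDAP/Ldap_Error_Messages",
    ],
    "data": [
        "Date", "PreciseTime", "SrcFile", "Function", "ReturnValue", "Message",
        "User", "Directory", "SearchKey", "ErrorString", "ErrorValue",
        "AuthStatus", "AuthReason", "CertSerial", "SubjectDN", "IssuerDN",
        "CertDistPt", "UserDN", "Data", "HexadecimalData", "CallDetail",
        "Returns", "Result",
    ],
}

def parse_template(text):
    """Return {"components": set, "data": set} parsed from template text."""
    found = {"components": set(), "data": set()}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key = key.strip().lower()
        if sep and key in found:
            found[key].update(v.strip() for v in value.split(",") if v.strip())
    return found

def missing_entries(text):
    """List recommended entries absent from the template, in page order."""
    found = parse_template(text)
    return {k: [e for e in RECOMMENDED[k] if e not in found[k]]
            for k in RECOMMENDED}

# Constructed sample: a template without the certificate-specific entries.
SAMPLE = """\
components: Login_Logout/Authentication, Directory_Access
data: Date, PreciseTime, Function, Message, User, AuthStatus, AuthReason
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for section, entries in missing_entries(text).items():
        print(f"{section}: missing {', '.join(entries) or 'nothing'}")
```

Run it with the path to the template file as the only argument; with no argument it checks the constructed sample.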
For OCSP signing only, you can enable trace messages when trying to validate signatures.
To enable tracing for OCSP signing:
policy_server_home is the directory where you installed the Policy Server.
-DOCSP_PS_TRACE=true
The trace file, named OcspCertKeyRetriever.log, is written to the current working directory of the Policy Server, as follows:
Windows: system32
Unix: siteminder or siteminder/bin
Copyright © 2015 CA Technologies.
All rights reserved.