RSA^® Identity Governance & Lifecycle Discussions

As of now setting the connector specific logs are not doable from ACM.

Here is a quick excerpts from an internal wiki I wrote recently about how to enable debug log for connectors:

Enabling debug logs in AFX

1. Go to the $AFX_HOME
2. And then to go to the respective connector’s deployed location. For example, if the connector name is ‘testADConnector’, go to $AFX_HOME/esb/apps/AFX_CONN-testADCOnnetcor/classes.
3. Locate the file log4j.xml.
4. Edit the level value from “INFO” to “DEBUG” for logger name=”org.mule”.
5. Do similar changes for org.mule.api.processor.LoggerMessageProcessor",“org.mule.module.scripting.component.Scriptable" and “org.mule.component.ComponentLifecycleManager”.
6. Edit the level value from “INFO” to “DEBUG” for respective transports. For example, if you are debugging Active Directory or LDAP connectors then do it for logger name =”com.novell.ldap”.
7. Similarly if you are using a SSH connector then do the same for logger name = "org.mule.transport.ssh”.
8. We would suggest not enabling the debug for the logger "com.aveksa.AFX.server.runtime.mule.core.ExpressionResultToPayloadMapTransformer" as it will log the entire payload and that may contains sensitive information such as passwords.

To enable more connector debug logs, follow the below steps:

• Open the connector-flow.xml file from $AFX_HOME/esb/apps/AFX-CONN-<Connector-Endpoint>/

Change the logger level to “INFO” from “DEBUG” and save the changes.

• Run the following command on mule-config.xml from same location ($AFX_HOME/esb/apps/AFX-CONN-<Connector-Endpoint>/)

touch mule-config.xml

• Test/Run the capability and check the logs enabled from mule.AFX-CONN-<Connector-Endpoint>.log at $AFX_HOME/esb/logs.

AD Connector Debugging Tips

Some Generic Errors:

java.net.UnknownHostExceptionThis can occur due to following reasons:  host name is incorrect, Active Directory server is not accessible from the RSA Via L&G AFX server or no network connectivity is available, etc. To verify the host name, “ping <host name/IP>” command can be used.

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. In that case make sure the AD server certificate is imported in the default trust-store depending on the JVM or application server.

AFX Brief Messages:

1. “LDAPException: Cannot connect to server. Please check the host and port settings” – This is derived from the error due to connectivity as mentioned above.
2. “LDAPException: The object does not support this operation. Please check the Account/Group values" – you can get this message if the account DN, Group DN are incorrectly passed.
3. “LDAPException: Operations error, likely cannot bind to server. Please check the bindDN and password" – This kind of error happens when the bind credentials are incorrect.
4. “LDAPException: Server refused to perform operation. Ensure that you are using a secure port (e.g. 636) for this operation" – you will get this message if the LDAP server is not willing to perform.
5. For CreateAccount and ResetPassword verb: “LDAPException: Server refused to perform operation. Password does not meet complexity requirements (e.g. too short)" – you can this message irrespective of using a secure connection if the password does not conform to the AD password policy
6. For EnableAccount and DisableAccount verb: “LDAPException: Server refused to perform operation. Make sure a password is set for the account (requires secure port e.g. 636)" – you can get this message if the account may not have an password