This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

RSA SecurID® Access Discussions

Browse the SecurID Access discussion board to get product help and collaborate with other users of SecurID Access.
JohnRumball
Beginner
Beginner
‎2019-02-21 11:54 AM

SecurID authentication manager ODA delivery logs

Jump to solution

Where can I find these types of logs in AM v8.2?  I'm guessing there should be a record of an ODA token being delivered to a user, either by SMS or by email.  I know there are logs recorded when authentication is successful, but to me, there should be a record of the delivery attempt even before authentication occurs.

 

This has come up because we are trying to troubleshoot the regular occurrence of delayed token delivery, specifically by email.

 

Thanks in advance.

 

John

Labels (1)
Labels
Reply
1 Solution

Accepted Solutions
EdwardDavis
Employee
Employee
‎2019-02-22 04:12 PM

Jump to solution

There is not a way in the web browser interface to do this.

 

However, to do temporary troubleshooting looking for an issue there are two advanced level debug actions that can be performed on the Primary, and logs will be in /opt/rsa/am/server/logs directory of (Primary or Replica).

 

This will result in enhanced debug output in the /opt/rsa/am/server/logs/imsTrace.log, but use caution as if you leave this debug on, over time (weeks/months) the trace logs may fill up too much disk space,  and you'll need to monitor how much extra logs and disk space you use with these commands.

--------------------------

 

Trace SMS 

/opt/rsa/am/utils

./rsautil set-trace -c trace.com.rsa.authmgr.internal.smsplugin -l VERBOSE

 

 

Trace SMTP  (this will be the one you want, also on Replicas)

/opt/rsa/am/utils

./rsautil set-trace -c trace.com.rsa.ims.smtp -l VERBOSE

 

to enable trace for Replica(s), use the Primary command line....

./rsautil set-trace -c trace.com.rsa.ims.smtp -l VERBOSE -i ReplicaInstance -n

----------------------------------------------

 

Example of What you can see in the log, I have only the smtp example:

2019-02-22 15:52:08,928, [[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'], (SMTPServiceImpl.java:796), trace.com.rsa.ims.smtp.impl.SMTPServiceImpl, DEBUG, edavis-vm150.na.rsa.net,,,,Sending mail to: [administrator@farmco.local], with subject: Your On-Demand Tokencode
2019-02-22 15:52:08,956, [[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'], (SMTPServiceImpl.java:816), trace.com.rsa.ims.smtp.impl.SMTPServiceImpl, DEBUG, edavis-vm150.na.rsa.net,,,,Message successfully sent to: [administrator@farmco.local], with subject: Your On-Demand Tokencode

 

Now, this is in VERBOSE level, there are other levels you may want to experiment with

 -l, --level           Level to set to (VERBOSE, INFO, WARN, ERROR, FATAL, NONE)

 

------------------------------------------

And to see what you have already activated for tracing (so you know what to later disable after troubleshooting)

 

./rsautil set-trace -s

 

Trace category settings for this node (overrides settings from the instance):
Trace category settings for specified instance:
trace.com.rsa.authmgr.internal.smsplugin : VERBOSE
trace.com.rsa.ims.smtp : VERBOSE

------------------------------------------

To disable tracing (set back to normal)

 

put a -r at the end like so and run the trace category

 

./rsautil set-trace -c trace.com.rsa.authmgr.internal.smsplugin -r
Administrator user ID (RETURN to exit): admin
Enter Administrator password: *********

 

and so on

./rsautil set-trace -c trace.com.rsa.ims.smtp -r

 

------------------------------------------

NOTE: If you have a Primary and Replica(s), when users are trying to fetch ODA codes, the RSA AM server that receives the incoming ODA pin request, will be the server sending the outgoing SMS or SMTP, so be aware of additional 'poking around' on Replicas to sort issues.

Also note: to reliably TEST ODA, the Primary Security Console allows you to pick a Replica, and test sending ODA or SMTP, but you actually need to use the Replica Security Console to have that Replica make the attempt...Otherwise the Primary will be doing all the test messages, even if you chose a Replica using the Primary Security Console.

 

 

View solution in original post

Reply
6 Replies
EricaChalfin
Employee (Retired) Employee (Retired)
Employee (Retired)
‎2019-02-22 03:09 PM

Jump to solution

John Rumball

 

I've moved your question to the RSA SecurID Access" data-type="space space where it will be seen by the product's support engineers, other customers and partners.  Please bookmark this page and use it when you have product-specific questions.

 

Alternatively, from the RSA Customer Support" data-type="space page, click on Ask A Question on the blue navigation bar and choose Ask A Product Related Question.  From there, scroll to RSA SecurID Access" data-type="space and click Ask A Question.  That way your question will appear in the correct space.

 

Regards,

Erica

0 Likes
Reply
JohnRumball
Beginner
Beginner
In response to EricaChalfin
‎2019-02-22 03:43 PM

Jump to solution

Thank you Erica. My apologies for posting in the wrong group. Not sure how I missed that. ☺

 

John Rumball - Network Analyst

Information Technology Department - Infrastructure and Security

Health Sciences North | Horizon Santé-Nord

Sudbury Outpatient Centre

865 Regent Street South, Sudbury, ON Canada P3E 3Y9

Phone: (705)523-7100 Ext. 3911 Fax: (705)523-7075

Office Hours: 9:00am - 5:00pm Eastern Time

www.hsnsudbury.ca<http://www.hsnsudbury.ca/>

0 Likes
Reply
EdwardDavis
Employee
Employee
‎2019-02-22 04:12 PM

Jump to solution

There is not a way in the web browser interface to do this.

 

However, to do temporary troubleshooting looking for an issue there are two advanced level debug actions that can be performed on the Primary, and logs will be in /opt/rsa/am/server/logs directory of (Primary or Replica).

 

This will result in enhanced debug output in the /opt/rsa/am/server/logs/imsTrace.log, but use caution as if you leave this debug on, over time (weeks/months) the trace logs may fill up too much disk space,  and you'll need to monitor how much extra logs and disk space you use with these commands.

--------------------------

 

Trace SMS 

/opt/rsa/am/utils

./rsautil set-trace -c trace.com.rsa.authmgr.internal.smsplugin -l VERBOSE

 

 

Trace SMTP  (this will be the one you want, also on Replicas)

/opt/rsa/am/utils

./rsautil set-trace -c trace.com.rsa.ims.smtp -l VERBOSE

 

to enable trace for Replica(s), use the Primary command line....

./rsautil set-trace -c trace.com.rsa.ims.smtp -l VERBOSE -i ReplicaInstance -n

----------------------------------------------

 

Example of What you can see in the log, I have only the smtp example:

2019-02-22 15:52:08,928, [[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'], (SMTPServiceImpl.java:796), trace.com.rsa.ims.smtp.impl.SMTPServiceImpl, DEBUG, edavis-vm150.na.rsa.net,,,,Sending mail to: [administrator@farmco.local], with subject: Your On-Demand Tokencode
2019-02-22 15:52:08,956, [[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'], (SMTPServiceImpl.java:816), trace.com.rsa.ims.smtp.impl.SMTPServiceImpl, DEBUG, edavis-vm150.na.rsa.net,,,,Message successfully sent to: [administrator@farmco.local], with subject: Your On-Demand Tokencode

 

Now, this is in VERBOSE level, there are other levels you may want to experiment with

 -l, --level           Level to set to (VERBOSE, INFO, WARN, ERROR, FATAL, NONE)

 

------------------------------------------

And to see what you have already activated for tracing (so you know what to later disable after troubleshooting)

 

./rsautil set-trace -s

 

Trace category settings for this node (overrides settings from the instance):
Trace category settings for specified instance:
trace.com.rsa.authmgr.internal.smsplugin : VERBOSE
trace.com.rsa.ims.smtp : VERBOSE

------------------------------------------

To disable tracing (set back to normal)

 

put a -r at the end like so and run the trace category

 

./rsautil set-trace -c trace.com.rsa.authmgr.internal.smsplugin -r
Administrator user ID (RETURN to exit): admin
Enter Administrator password: *********

 

and so on

./rsautil set-trace -c trace.com.rsa.ims.smtp -r

 

------------------------------------------

NOTE: If you have a Primary and Replica(s), when users are trying to fetch ODA codes, the RSA AM server that receives the incoming ODA pin request, will be the server sending the outgoing SMS or SMTP, so be aware of additional 'poking around' on Replicas to sort issues.

Also note: to reliably TEST ODA, the Primary Security Console allows you to pick a Replica, and test sending ODA or SMTP, but you actually need to use the Replica Security Console to have that Replica make the attempt...Otherwise the Primary will be doing all the test messages, even if you chose a Replica using the Primary Security Console.

 

 

View solution in original post

Reply
JohnRumball
Beginner
Beginner
In response to EdwardDavis
‎2019-02-22 04:48 PM

Jump to solution

Thanks very much Edward... that's perfect!

0 Likes
Reply
EricaChalfin
Employee (Retired) Employee (Retired)
Employee (Retired)
In response to JohnRumball
‎2019-02-22 05:18 PM

Jump to solution

John Rumball‌,

 

No worries, happens all the time.  Welcome to the community!

 

Regards,

Erica

0 Likes
Reply
ReggieFisher
Contributor
Contributor
‎2020-09-03 03:35 PM

Jump to solution

What if you did not have the debug turned on at the time the message was sent? Is there another way to trace an SMS message?

0 Likes
Reply
© 2021 RSA Security LLC or its affiliates.
All rights reserved.