www.novell.com Avoiding the Top iChain ® Technical Support Issues Neil Cashell Technical Support Engineer Novell, Inc. [email protected] Shane Johns Senior Software Engineer Novell, Inc. [email protected]


www.novell.com

Avoiding the Top iChain® Technical Support Issues

Neil Cashell
Technical Support Engineer
Novell, Inc.
[email protected]

Shane Johns
Senior Software Engineer
Novell, Inc.
[email protected]

Vision…one Net
A world where networks of all types—corporate and public, intranets, extranets, and the Internet—work together as one Net and securely connect employees, customers, suppliers, and partners across organizational boundaries

Mission
To solve complex business and technical challenges with Net business solutions that enable people, processes, and systems to work together and our customers to profit from the opportunities of a networked world

Presentation Outline

• iChain® configuration files
• iChain troubleshooting tools
• iChain components
  – Interfaces
    » Inputs and outputs
    » Flow of information
  – Troubleshooting steps
  – Common issues
  – Case study


iChain Configuration Files

iChain Configuration/Info Files

• iChain Proxy Server
  – Configuration
    » CURRENT.NAS
    » TCPIP.CFG
    » OAC.PROPERTIES / TRACERMEDIA.PROPERTIES
    » Custom login/logout pages
    » APPSTART.NCF and TUNE.NCF
  – Troubleshooting
    » CONSOLE.LOG
    » TRACE.TXT
    » CAPTERR.LOG and CAPTOUT.LOG
    » DEBUG00X.LOG / DEBUG.LOG
    » Proxy and aclcheck log files

iChain Configuration/Info Files (cont.)

• iChain eDirectory™ LDAP Server
  – LDIF file showing schema objects/attributes
    » ICE or an LDAP browser can export this to a file
  – FormFill profile
• iChain Authentication Server
  – Debug output for the authentication method
    » ‘Radius debug on’ captured to the console log (Radius)
    » DSTRACE.LOG with +LDAP/TIME enabled (LDAP authentication)

iChain Configuration/Info Files (cont.)

• Network layout
  – Firewalls
  – L4 switches
  – DMZ


Generic iChain Troubleshooting Tools

Generic iChain Troubleshooting Tools

• ConsoleOne®
  – LDAP Group Object
  – ISO object attributes
    » Protected resource mode and OLAC parameters
    » Password management setup
  – Rule Object attributes (Rule tab)
  – Rules applying to users (User tab)
• ICE (server- and client-based)
  – Export configuration to file

Generic iChain Troubleshooting Tools (cont.)

• LDAP browser (http://www.iit.edu/~gawojar/ldap/)
  – Easily export configuration to file
  – Confirm iChain objects and attribute values are valid
• LSEARCH.NLM from the LDAP client SDK (http://developer.novell.com/ndk/cldap.htm)
  – LDAP bind done for every request

Generic iChain Troubleshooting Tools (cont.)

• ICS GUI
  – Home -> Health status for details of services running
  – Monitor tab gives services and stats information
    » Services running
    » Disk space info, CPU utilization, cache hit ratio
  – Access ACLCHECK and Proxy logs via the Monitor tab
• ICS Java console
  – Proxy authentication and aclcheck profiles exist

Generic iChain Troubleshooting Tools (cont.)

• Proxycfg debug screen
  – LDAP profile errors
• TCPCON
  – Connectivity-specific tool (ICMP, TCP issues)
  – Active TCP listeners
• Logs from authentication servers
  – DSTRACE.NLM for LDAP (view DS trace traffic for object/attribute resolution)
  – ‘Radius debug ON’ trace from the Radius server

Generic iChain Troubleshooting Tools (cont.)

• Network layout information
  – Firewalls/L4 switches may pose connectivity/state problems
• LAN analyzer
  – Trace traffic between proxy and auth server
  – Trace traffic between browser and proxy server
  – Trace traffic between proxy and origin server

iChain Components
“Proxy Authentication”

Proxy Interfaces

• Inputs and outputs
• Flow of information

Proxy Interfaces

• PROXY.NLM
  – Calls authentication callback methods
    » LDAP (requires LDAP, LDAPSDK), mutual, Radius (Radchk)
• TCPIP.NLM
  – Connection into proxy ports
• PROXYCFG.NLM
  – Stores profile information + error reporting tool
• NILE/PKI
  – Certificate management

Proxy Flow Control

Proxy processes incoming requests on port 80 (default)
• Check if authentication required
  – Cookie exists: yes => process cookie (see next page)
  – No => need to identify user
    » Compare URL with the ISO protected resource defined and return mode if match found
    » If mode is NOT public, authenticate connection (next page)

Proxy Flow Control

• Subsequent requests check for cookie in header
  – Verify checksum ok
  – Verify source IP address matches
  – Forward request to origin server
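The two Proxy Flow Control slides above describe one decision procedure: on each request, either a valid cookie (checksum and source IP both verified) lets the request through to the origin server, or the URL is matched against the ISO protected resources and the returned mode decides whether authentication is forced. The following Python model is an added example, not iChain code; the protected-resource table and the cookie secret are constructed, and using an HMAC as the cookie checksum is this example's assumption, since the slides only say the checksum is verified.

```python
import hashlib
import hmac
from typing import Dict, Optional

# Constructed protected-resource table standing in for the ISO object's protected
# resources: URL prefix -> mode. The paths and modes are made up for this example.
PROTECTED_RESOURCES: Dict[str, str] = {
    "/public/": "public",
    "/intranet/": "restricted",
    "/hr/": "secure",
}

# Hypothetical per-proxy secret for the cookie checksum. The slides only say the
# checksum is verified; an HMAC is this example's assumption about how.
COOKIE_SECRET = b"constructed-proxy-secret"


def resolve_mode(url: str) -> Optional[str]:
    """Return the mode of the longest protected-resource prefix matching url, or None."""
    best: Optional[str] = None
    best_len = -1
    for prefix, mode in PROTECTED_RESOURCES.items():
        if url.startswith(prefix) and len(prefix) > best_len:
            best, best_len = mode, len(prefix)
    return best


def _checksum(user: str, source_ip: str) -> str:
    return hmac.new(COOKIE_SECRET, f"{user}|{source_ip}".encode(), hashlib.sha256).hexdigest()


def make_cookie(user: str, source_ip: str) -> str:
    """Build an authentication cookie 'user|ip|checksum' bound to the client address."""
    return f"{user}|{source_ip}|{_checksum(user, source_ip)}"


def verify_cookie(cookie: str, source_ip: str) -> Optional[str]:
    """Return the user named in the cookie only if checksum and source IP both check out."""
    parts = cookie.split("|")
    if len(parts) != 3:
        return None
    user, ip, checksum = parts
    if not hmac.compare_digest(checksum, _checksum(user, ip)):
        return None          # checksum mismatch: altered, or minted under another key
    if ip != source_ip:
        return None          # source IP mismatch: cookie presented from a different client
    return user


def handle_request(url: str, source_ip: str, cookie: Optional[str]) -> str:
    """Decision for a request on port 80: 'forward', 'forward-public' or 'authenticate'."""
    # Subsequent requests: a cookie that passes both checks goes straight to the origin server.
    if cookie is not None and verify_cookie(cookie, source_ip) is not None:
        return "forward"
    # First request (or bad cookie): identify the user from the protected-resource mode.
    mode = resolve_mode(url)
    if mode == "public":
        return "forward-public"
    # restricted, secure, or no matching resource at all (fail closed; assumption): authenticate
    return "authenticate"
```

The source-IP check is what makes the L4-switch case study later in the deck bite: a cookie that was minted by one ICS server is rejected by a second server that does not share the key, and the proxy falls back to "authenticate" exactly as if no cookie had been sent.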


Proxy Troubleshooting Tools


Proxy Troubleshooting Tools

• Proxy Console -> iAgent console

Proxy Troubleshooting Tools (cont.)

• Internet browser
  – Useful for importing certificates
  – Netscape browser setup with NULL encryption
    » Enabled via Security tab -> Navigator -> Configure SSL v3 and disable everything except ‘No encryption with an MD5 MAC’
  – Internet Explorer debug WININET.DLL – ability to decode SSL traffic
• Proxy debug logs
  – Requires a debug installation of iChain


Proxy Troubleshooting Steps

Proxy Troubleshooting Steps

• Verify configuration (basic)
  – ISO PR attributes set for authentication (mode)
  – Proxy authentication profile configured
  – LDAP server allows clear-text passwords
  – IP address/port combination for authentication server up via PING
  – SSL certificate assigned to proxy server

Proxy Initialization Problems

• “Proxy Failed to Get ISO Object From Proxy Server” or “Invalid authentication information” error in Proxycfg
  – Ping <ldap_srvr_addr:port> from the ICS Java console
  – Get authentication LDAP returns valid parameters
  – Verify LDAP requests/responses (DSTRACE) for 81/85 errors
  – Verify LDAP TCP connections exist in the established state in TCPCON -> Protocols Information -> TCP Connections
  – Check interpacket delay times between LDAP requests/responses
    » LDAP server overloaded and may require additional threads
    » On NetWare® (display configuration: LDAP DISPLAY CONFIG), LDAP MAXIMUM THREADS= changes the thread default
    » On Unix: daemon parameter (check man pages)

Proxy Initialization Problems (cont.)

• If LDAP over SSL is enabled, try without SSL and verify whether the problem is certificate-related
• Check for service errors in the health screen of the ICS GUI
  – Service failure error detected

Proxy Authentication Problems (cont.)

• Access granted to users that should NOT have access
  – ISO protected resource mode (public mode setup)

Proxy Authentication Problems (cont.)

• Login page not displayed
  – Failure at this level would indicate an SSL/PKI issue
    » Look closely at the SSL diagnostic screens on the iChain Proxy server and check for SSL handshake errors
    » Trace the client-to-proxy connection and verify, after the first redirect,
      – that you see cert chains being transferred
      – that the ICS box doesn’t have its time set in the future (non-US)

Proxy Authentication Problems (cont.)

• Login page not displayed
  – Failure at this level would indicate an SSL/PKI issue
    » Trace between proxy and CRL server (if the CDP attribute for CRLs is enabled) and verify the CRL is downloaded
      – Time issues could occur here too. Look for two entries that look like 010309154821Z—this translates to a year of 01, a month of 03, a day of 09, a time of 15:48 and 21 seconds. The first date listed is the creation date of the CRL, the second date is effectively the expiry
    » Try using another browser type to see if the problem is unique to one type of browser
    » Try generating another certificate with a small key size and see if the SSL handshake succeeds
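The 010309154821Z value above is an ASN.1 UTCTime, and the slide's point is that a proxy whose clock is ahead of or behind the CA's will judge a perfectly good CRL as expired or not yet valid. As an added example (not from the slides or from iChain), the Python below decodes that format the way the slide spells it out and classifies a CRL's two dates against the proxy's own clock; the two-digit-year rule is the one from RFC 5280, and the sample dates in the test are constructed.

```python
from datetime import datetime, timezone


def parse_utctime(value: str) -> datetime:
    """Parse an ASN.1 UTCTime such as '010309154821Z' (YYMMDDhhmmssZ) into an aware UTC datetime.

    The two-digit year is expanded the way RFC 5280 requires: 00-49 -> 20xx, 50-99 -> 19xx.
    """
    if len(value) != 13 or not value.endswith("Z") or not value[:12].isdigit():
        raise ValueError(f"not a 13-character UTCTime: {value!r}")
    yy = int(value[0:2])
    year = 2000 + yy if yy < 50 else 1900 + yy
    return datetime(year, int(value[2:4]), int(value[4:6]),
                    int(value[6:8]), int(value[8:10]), int(value[10:12]),
                    tzinfo=timezone.utc)


def crl_status(this_update: str, next_update: str, proxy_clock: str) -> str:
    """Classify the two CRL dates seen in a trace against the proxy's own clock.

    Returns 'valid', 'not-yet-valid' (proxy clock behind the CA) or 'expired'
    (proxy clock ahead, or the CRL is genuinely stale). All three are UTCTime strings.
    """
    issued = parse_utctime(this_update)
    expires = parse_utctime(next_update)
    now = parse_utctime(proxy_clock)
    if now < issued:
        return "not-yet-valid"
    if now >= expires:
        return "expired"
    return "valid"


def describe(value: str) -> str:
    """Spell a UTCTime out the way the slide does, e.g. 'year 2001, month 03, day 09, 15:48:21 UTC'."""
    t = parse_utctime(value)
    return f"year {t.year}, month {t.month:02d}, day {t.day:02d}, {t:%H:%M:%S} UTC"
```

When a trace shows a CRL download succeeding but the handshake still failing, feeding the two dates and the ICS server's clock into crl_status separates a clock problem (fix the time on the box) from a CRL that the CA really has let lapse.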


Proxy Authentication Problems (Certificate Timing Issue)

Proxy Authentication Problems (cont.)

• Login page not displayed
  – Verify whether the login page has been customized (JavaScript)
    » Revert to the original and retest
    » Check with multiple browsers to see if the issue exists
  – Verify if authentication over HTTP works fine
    » Confirmation of SSL certificate issue
      – ICS box has newer timestamp
      – Old certificate expired
      – CRL communication invalid
      – Corrupt certificates

Proxy Authentication Problems (cont.)

• Login page displayed but authentication fails
  – Verify the authentication profile settings
  – Verify the authentication server is active via PING
  – Verify that the login page hasn’t been customized
  – Verify that no intermediate device is stripping cookies
  – Verify the browser is sending the correct credentials when POSTing information to the iChain Proxy server
    » No encryption on browser required
  – Check authentication server logs (DSTRACE, Radius) to see if the user is being validated

Proxy Authentication Problems (cont.)

• Login page displayed but authentication fails
  – Problem with customized pages
    » No LDAP request sent to authentication server
    » Login page missing required attributes
    » Attributes correct but out of order
    » Browser failures

Proxy Authentication Problems (cont.)

• Login page displayed but authentication fails
  – Verify accelerator name and cookie domain (IE issue)
    » Case sensitivity
  – Verify that the browser accepts and gets cookies
    » ‘Warn me before accepting cookies’ in Netscape -> Edit -> Preferences -> Advanced
    » ‘Allow cookies that are stored on your computer’ in IE -> Tools -> Internet Options -> Security -> Custom Level
    » Verify cookie sending is valid (Opera TID #10063326)
  – Verify if all authentication profiles have problems
    » e.g., try authenticating based on email address in LDAP

Proxy Authentication Problems (cont.)

• Login page displayed but authentication fails
  – Verify whether it is possible to log in to the directory using the user’s credentials
    » Password management servlet enabled
      – Case-sensitive Java servlet
  – Verify if user authentication information is available in the Proxy Console’s iAgent screen

Proxy Authentication Problems (cont.)

• LDAP problems
  – LDAP profile has valid BIND username/password
    » Must have Read (not just Browse!) rights to DS (no LDAP request sent in trace)
  – Stale LDAP handles at firewall/L4 switch
  – Max. LDAP handles reached and active
    » 30 handles allocated—LDAP error 81 if all handles in use
  – LDAP server slow to respond to requests (need more threads)
    » On NetWare (display configuration: LDAP DISPLAY CONFIG), LDAP MAXIMUM THREADS= changes the thread default
    » On UNIX: daemon parameter (check man pages)

Proxy Authentication Problems (cont.)

• Radius problems
  – Radius profile has valid Radius secret with DAS object
  – Radius server listening on UDP port 1812/1645
  – Radius server has a valid DAS profile set up
    » Radius client is valid ICS address
  – Radius debug commands show no errors
  – LAN trace shows successful RADIUS response
  – Timeout issues

Proxy Case Study
HTTP 403 Forbidden error: “Your browser must support cookies.”

403 Forbidden Error

• iChain 2.0 set up to accelerate a secured PR
  – Browser hits the Proxy and is prompted to authenticate
  – After entering credentials, gets the above 403 error
• Disabled aclcheck (restricted PR) but 403 errors still sent
• Verified LDAP traffic generated
• Enabled browser option to prompt when accepting cookies
  – Cookies were being set
• Checked Proxy Console -> iAgent screen
• Checked PROXYCFG/Proxy Console screens for errors

403 Forbidden Error (cont.)

• Analyze network layout
  – Suspect L4 switch
• Moved browser to bypass L4 switch and no error
  – Took good set of traces
• Put browser back in original position
  – Took good set of traces
  – Trace showed that the original request for the page went to one ICS server, and the next request to another ICS server; the L4 switch was redirecting requests


403 Forbidden Error (cont.)

403 Forbidden Error (cont.)

• Enabled IP hashing option on L4 switch
  – Forces a map of incoming client session to destination IP address
  – Note that enabling session broker in this scenario will fail because the SB kicks in after a successful authentication has taken place

iChain Components
“Session Broker”

SessionBroker (SB) Interfaces

• Inputs and outputs
• Flow of information

SessionBroker Interfaces

• PROXY.NLM
  – Stores session broker profile information
  – Calls SB code during authentication phase
• Winsock modules
  – Winsock APIs used for connectivity between ICS and SB servers
• SB.NLM
  – SB server listening on TCP 5001 on both primary and secondary

SessionBroker Interfaces (cont.)

• LDAPSDK.NLM
  – Generates LDAP request for ISO SB attributes
    » iChainPrimarySessionIPAddress
    » iChainSecondarySessionIPAddress
    » iChainMasterProxyIPAddress


SessionBroker Flow Control

SessionBroker Flow Control (cont.)

• Initialization—LDAP request sent to ISO object to extract SB attributes
• Proxy authentication phase
  – iagent locates entry in database
    » yes => allow request through
    » no => ICS server sends message to primary SB server
  – SB primary server locates entry in database
    » YES => allow request through
    » NO => force authentication

SessionBroker Flow Control (cont.)

• When a user successfully authenticates to an ICS server, the primary SB is updated with
  – Authentication profile type
  – Authorization basic HTTP header
  – Username
  – Cookie domain
• Primary SB server returns a hash key for subsequent requests
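The two SessionBroker Flow Control slides describe one exchange: local iagent lookup, then a get against the primary SB, then forced authentication, with a successful login pushing the four fields above to the SB and getting a hash key back. The Python below is an added model of that exchange with two ICS servers sharing one primary SB; it is not iChain or SB code. The record fields are the ones the slide lists, the cookies, usernames and header values are constructed, and deriving the returned hash key from the cookie and username is this example's assumption, since the slides do not say what the key contains.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class SessionRecord:
    """The four fields the slide says an ICS server pushes to the primary SB after a login."""
    profile_type: str        # authentication profile type, e.g. "ldap" (constructed value)
    auth_header: str         # Authorization: Basic ... header value as received
    username: str
    cookie_domain: str


class SessionBroker:
    """Constructed model of the primary SB: a shared table keyed by the session cookie."""

    def __init__(self) -> None:
        self.sessions: Dict[str, SessionRecord] = {}

    def get(self, cookie: str) -> Optional[SessionRecord]:
        return self.sessions.get(cookie)

    def set(self, cookie: str, record: SessionRecord) -> str:
        """Store the record and return the hash key handed back for later requests.

        Assumption: the key is a truncated SHA-256 over cookie and username; the real SB
        key format is not on the slides.
        """
        self.sessions[cookie] = record
        return hashlib.sha256(f"{cookie}:{record.username}".encode()).hexdigest()[:16]


class ICSServer:
    """One iChain proxy server with its local iagent session database."""

    def __init__(self, name: str, broker: Optional[SessionBroker]) -> None:
        self.name = name
        self.broker = broker          # None models an ICS server with no SB configured
        self.iagent: Dict[str, SessionRecord] = {}

    def handle(self, cookie: Optional[str]) -> str:
        """Proxy authentication phase for a request carrying a cookie (or none)."""
        if cookie and cookie in self.iagent:
            return "allow (local iagent)"
        if cookie and self.broker is not None:
            record = self.broker.get(cookie)
            if record is not None:
                self.iagent[cookie] = record        # cache the SB entry locally
                return "allow (session broker)"
        return "force authentication"

    def login(self, cookie: str, username: str, auth_header: str,
              cookie_domain: str) -> Optional[str]:
        """Successful authentication here: update the local iagent DB and the primary SB."""
        record = SessionRecord("ldap", auth_header, username, cookie_domain)
        self.iagent[cookie] = record
        if self.broker is None:
            return None
        return self.broker.set(cookie, record)
```

With a shared SB, a user authenticated on ICS-A whose next request lands on ICS-B is allowed through after one SB lookup; with no SB, ICS-B has never seen the cookie and forces authentication again, which is the behaviour behind the "Your browser must support cookies" case study earlier in the deck.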


SessionBroker (SB) specific Troubleshooting Tools

SB Troubleshooting Tools

• TCPCON
  – Protocol Information -> TCP -> TCP Connections
    » TCP port 5001 listening
• Unencrypted SessionBroker sessions
  – createnullsessionbrokerkey when generating SB key
  – Allows legible trace information to be obtained
• SB command line parameters
  – -n => no encryption
  – -d => verbose information


SB Troubleshooting Tools (cont.)

• Session broker debug screen


SessionBroker Troubleshooting Steps

SessionBroker Troubleshooting Steps

• Verify configuration (basic)
  – sessionbroker keys exist and installed
  – Set authentication sessionbrokerenabled
  – SB.NLM loaded with no errors
  – ISO attributes found
  – Authentication with no SB works fine
  – Third-party L4 switches in network layout

SessionBroker Initialization Problems

• “Unable to initialize the Session Broker”
  – Regenerate keys and verify ok
    » SESSION.DAT file exists on floppy
  – Memory errors on ICS server (NBMALERT)
  – Verify TCP connection 5100 listening in TCPCON -> Protocols -> TCP Connections
  – Check the SB debug screen for read or write errors
    » recv() failed: error <errno>

SessionBroker Problems

• SB authentication issues
  – Multiple ICS servers in SB domain must have authentication profile with same name
    » Shared data on TCP 5001
  – Connectivity issues between ICS and SB servers
    » No set/get traffic completed
  – L4 switches redirecting authentication traffic between ICS boxes


SessionBroker Case Study

Slow login when SB-enabled

Case Study: Slow Login When SB-Enabled

• Problem scenario
  – Friday: iChain 2.0 set up with SB enabled—all ok
  – Monday: users complain of slow logins (15 mins)
    » Credentials valid but delay getting Web page to show
• Network layout
  – 2 Proxy servers in parallel
  – Browsers pointing to secondary SB (SB-S) server
  – Primary SB server not running services


SB Case Study—Network Layout

Case Study: Slow Login When SB-Enabled

• Verified
  – Different workstations gave problem
  – Different browsers (IE, Netscape) showed same issue
  – Cookie prompt enabled showed we received cookie
  – iAgent console screen showed user authenticated with correct information
    » => authenticated to local iagent database
  – Ping to port 5001 on SB-P failed
• Took traces…

Case Study: Slow Login When SB-Enabled

• Solution
  – Re-connect SB-P to the network
  – SB-S was processing authentication requests and trying to update the primary
    » Request sent to SB-P with user’s authentication information
    » Response with hash key never arrives
    » Request resent 12 times with increasing retransmission timeouts => waited ~20 mins for TCP RST to occur

iChain Components
“ACLCHECK”

ACLCHECK Interfaces

• Inputs and outputs
• Flow of information

ACLCHECK Interfaces

• PROXY.NLM
  – Stores profile information
  – Calls authorization code after authentication
• ACLCHECK.NLM
  – Processes URL requests for matches with rules
  – Generates LDAP queries into eDirectory
• eDirectory
  – Repository for configuration info
  – Repository for rule objects and protected resources

ACLCHECK Flow Control

PROXY: verifies the PR mode is secured, the user is authenticated and the URL is not /RegNewUser/ or /servlet/DocumentServlet/—if true, call ACLCHECK
• Pass authenticated user and the URL being accessed

ACLCHECK
• Checks hash table for hit
  – Match found => return allow; else
• Gets RO DN from user container object attribute (brdsrvRule attribute) via LDAP
  – LDAP config info taken from ACLCHECK authentication profile
• Read rules from the RO
  – Get URL and apply to settings

ACLCHECK Flow Control (cont.)

• Compare URL in rule
  – Match found => allow; else
• Find the RO for the user’s container’s community (if /M enabled)
  – Get and process rules for each community and apply them to URL; if no match found
• Find the RO for the user’s groups, user’s groups’ communities, the user itself and finally the communities the user belongs to
  – Check each of them; the first one to allow will allow the access and other rules will not be checked
  – If none matches, then access for this user is “deny”
• At any stage where a match is found, check exceptions for a block
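The two ACLCHECK Flow Control slides give an evaluation order: the PROXY precondition, then a hash-table hit, then Rule Objects consulted holder by holder (container, container communities under /M, groups, group communities, the user, the user's communities), first allow wins, exceptions block, default deny. The Python below is an added model of that order; it is not ACLCHECK code. The directory contents are constructed, rules are reduced to URL-prefix lists, and treating an exception hit as ending evaluation with a deny is this example's reading of "check exceptions for a block". The cache behaviour also shows the "stale cache entry" problem the later slides mention: an allow stays in the hash table until a refresh even after the rule is gone.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class RuleObject:
    """Stand-in for an eDirectory Rule Object (constructed): allowed URL prefixes plus exceptions."""
    name: str
    allow: List[str] = field(default_factory=list)
    exceptions: List[str] = field(default_factory=list)


@dataclass
class User:
    dn: str
    container: str
    groups: List[str] = field(default_factory=list)
    communities: List[str] = field(default_factory=list)


@dataclass
class Directory:
    """Constructed view of what ACLCHECK would fetch over LDAP."""
    rules: Dict[str, RuleObject]                  # holder DN -> its RO (the brdsrvRule attribute)
    container_communities: Dict[str, List[str]]  # container DN -> community DNs
    group_communities: Dict[str, List[str]]      # group DN -> community DNs


# URLs the proxy never hands to ACLCHECK (from the slide)
BYPASS_PREFIXES = ("/RegNewUser/", "/servlet/DocumentServlet/")


def proxy_calls_aclcheck(pr_mode: str, authenticated: bool, url: str) -> bool:
    """PROXY side: call ACLCHECK only for a secured PR, an authenticated user and a non-bypass URL."""
    return pr_mode == "secure" and authenticated and not url.startswith(BYPASS_PREFIXES)


def _matches(url: str, prefixes: List[str]) -> bool:
    return any(url.startswith(p) for p in prefixes)


class AclCheck:
    def __init__(self, directory: Directory, m_flag: bool = True) -> None:
        self.directory = directory
        self.m_flag = m_flag                              # /M: also consult the container's communities
        self.cache: Dict[Tuple[str, str], str] = {}       # hash table: (user DN, URL) -> "allow"

    def refresh(self) -> None:
        """What a cache refresh does: drop the hash table so stale allows disappear."""
        self.cache.clear()

    def holders_in_order(self, user: User) -> List[str]:
        """DNs whose Rule Objects are consulted, in the order the slides give."""
        d = self.directory
        order = [user.container]
        if self.m_flag:
            order += d.container_communities.get(user.container, [])
        order += user.groups
        for g in user.groups:
            order += d.group_communities.get(g, [])
        order.append(user.dn)
        order += user.communities
        return order

    def evaluate(self, user: User, url: str) -> Tuple[str, str]:
        """Return (decision, reason). First allowing rule wins; an exception on it blocks."""
        key = (user.dn, url)
        if self.cache.get(key) == "allow":
            return "allow", "hash table hit"
        for holder in self.holders_in_order(user):
            ro = self.directory.rules.get(holder)
            if ro is None or not _matches(url, ro.allow):
                continue
            if _matches(url, ro.exceptions):
                # assumption: an exception hit ends evaluation with a block
                return "deny", f"exception in {ro.name}"
            self.cache[key] = "allow"
            return "allow", ro.name
        return "deny", "no rule matched"
```

Because only allows are cached, the stale-entry failure is one-directional: a user keeps access that a removed rule should have taken away, which is why the troubleshooting slides pair "users granted access that should NOT have access" with "refresh ACLCHECK cache".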


ACLCHECK Specific Troubleshooting Tools

ACLCHECK Troubleshooting Tools

• ACLCHECK logs
  – Console.log output with /D1 enabled (debug == /D4)
    » No output => no aclcheck
• LSEARCH LDAP client from SDK
  – Does a bind for every request
• DSTRACE.NLM
  – View DS trace traffic for object/attribute resolution


ACLCHECK Troubleshooting Steps

ACLCHECK Troubleshooting Steps

• Verify configuration (basic)
  – ISO PR mode set for authorization (secured only)
  – NDS Rule Objects applied correctly
  – ACLCHECK profile configured
  – LDAP server allows clear-text passwords
  – LDAP mappings exist for attributes

ACLCHECK Initialization Problems

Check for “ACL: ACLCHECK Failed to Get ISO Object From Proxy Server” error on the system console
• ‘Get authentication aclcheck’ returns valid LDAP parameters
• ping <ldap_srvr_addr:port> from the ICS Java console
• Verify the lsearch command works
• Verify TCP LDAP connections exist in the ‘established’ state in TCPCON -> Protocols -> TCP Connections
• Verify LDAP incoming/outgoing requests on the LDAP server
  – DSTRACE +LDAP, +TIME enabled
  – Check LAN trace for LDAP errors 81 or 85

ACLCHECK Rule Processing Problems

• Users granted access that should NOT have access
  – ISO protected resource mode (public/restricted)
  – Stale cache entry
  – User a member of a group or community that has access
  – User accessing /servlet/DocumentServlet/ or /RegNewUser/ URLs
  – ACLCHECK /D1 shows rule granting access

ACLCHECK Rule Processing Problems (cont.)

• 403 forbidden errors
  – ISO protected resource granted for full path
  – Rule Object exists granting user rights to URL
    » Verify rule objects in DS
    » Verify user is a member of a group, organizational unit or community with rights
  – Check if a rule exception blocks access
  – ACLCHECK /M loaded for iChain 1.5 compatibility

ACLCHECK Rule Processing Problems (cont.)

• 403 forbidden errors
  – Check for stale cache entries
    » Refresh ACLCHECK cache through GUI
    » Load ACLCHECK /F <refresh_time>
  – Memory issues (cannot update hash table)
  – Radius server failing to return the FDN
    » Error "Status : 403 Forbidden. Description : User Name Mismatch."

ACLCHECK Rule Processing Problems (cont.)

• LDAP problems
  – LDAP profile has valid BIND username/password
  – Stale LDAP handles
    » Lsearch application works
    » L4 switch/firewall resetting ‘valid’ sessions
    » Max. LDAP handles reached (use /C<no_of_handles>)
  – Debug ACLCHECK /D4 errors
  – Slow LDAP response due to overload—increase threads
    » On NetWare—LDAP MAXIMUM THREADS=
    » On UNIX—daemon parameter (check man pages)

ACLCHECK Case Study
403 Forbidden Error: “Organizational policies prohibit access to this page”

Page 79:

ACLCHECK Case Study—403 Errors

• iChain 2.0 setup for authentication/authorization
– FW-1 firewall exists between Proxy and LDAP servers
– All working fine
• Following morning users reporting 403 errors after authentication
• Verified
– No changes to setup (DS timestamps, current.nas)
– LDAP authentication profile existed, eDirectory objects unchanged
– Ping to LDAP server successful

Page 80:

ACLCHECK Case Study—403 Errors (cont.)

• Verified
– LSEARCH worked
– DSTRACE (+LDAP) showed no incoming LDAP requests
– TCPCON showed no established LDAP sessions
– LAN trace showed outgoing request with TCP RST responses from L4 switch
– ACLCHECK /D4 showed LDAP error 81 returned
» Occurs when no LDAP handles available to make request
– Everything works with no firewall between LDAP and Proxy servers

Page 81:

ACLCHECK Case Study—403 Errors (cont.)

• Problem: FW-1 firewall timing out idle connections after 60 minutes
– ACLCHECK LDAP handles were all stale
• Solved the problem by
– Disabling the idle_timeout timer on firewall, or
– Applying new ACLCHECK from IC20FP1.EXE
» Added logic to detect and handle LDAP 81/85 errors
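The stale-handle failure in this case study, as an added example that is not Novell's ACLCHECK code: a small LDAP handle pool that treats result codes 81 and 85 as a dead handle, reconnects and retries instead of returning a 403. The LDAP server, the FW-1 idle timer and the clock are simulated by a constructed fake connection so it runs offline.

```python
"""Added example (not Novell's ACLCHECK code): an LDAP handle pool that treats
result codes 81 (server down) and 85 (timed out) as a stale handle, reconnects
and retries, instead of surfacing a 403.  The LDAP server and the FW-1 idle
timeout are simulated by a constructed fake connection so it runs offline."""

LDAP_SERVER_DOWN, LDAP_TIMEOUT = 81, 85
STALE_CODES = {LDAP_SERVER_DOWN, LDAP_TIMEOUT}

class LdapError(Exception):
    def __init__(self, code):
        super().__init__(f"LDAP error {code}")
        self.code = code

class FakeFirewalledConn:
    """Constructed stand-in for one LDAP handle behind a firewall that drops
    TCP sessions idle longer than idle_timeout seconds (the case study's
    60-minute FW-1 timer).  clock() returns simulated time in seconds."""
    def __init__(self, idle_timeout, clock):
        self.idle_timeout, self.clock = idle_timeout, clock
        self.last_used = clock()
    def search(self, dn):
        now = self.clock()
        if now - self.last_used > self.idle_timeout:
            raise LdapError(LDAP_SERVER_DOWN)  # the switch answered with a TCP RST
        self.last_used = now
        return {"dn": dn, "cn": dn.split(",")[0][3:]}

class HandlePool:
    """Round-robin pool; the except branch models the 81/85 handling the slide describes."""
    def __init__(self, connect, size=2):
        self.connect = connect
        self.handles = [connect() for _ in range(size)]
        self.reconnects = 0
    def search(self, dn):
        h = self.handles.pop(0)
        try:
            return h.search(dn)
        except LdapError as e:
            if e.code not in STALE_CODES:
                raise
            self.reconnects += 1        # stale handle: rebuild it and retry once
            h = self.connect()
            return h.search(dn)
        finally:
            self.handles.append(h)      # returns the fresh handle if rebuilt

def overnight_scenario(idle_timeout=3600, gap=8 * 3600):
    """Authorise once, idle longer than the firewall timer, authorise again.
    Returns (cn from first lookup, cn from second lookup, reconnect count)."""
    clock = [0.0]
    pool = HandlePool(lambda: FakeFirewalledConn(idle_timeout, lambda: clock[0]))
    first = pool.search("cn=ncashell,o=novell")["cn"]
    clock[0] += gap
    second = pool.search("cn=ncashell,o=novell")["cn"]
    return first, second, pool.reconnects
```

Without the except branch the second lookup would raise error 81 and the user would see the 403 from the case study.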

Page 82:

iChain Components: “Object Level Access Control”

Page 83:

OLAC Interfaces

• Inputs and outputs

• Flow of information

Page 84:

OLAC Interfaces

• PROXY.NLM
• OACINT.NLM
– Shim to Java application
• OACJAVA.NCF
– ldap, oac jar files
– jnet, jcert, jsse if SSL-enabled
• PROXYCFG.NLM

Page 85:

OLAC Flow Control

• Browser tries to access URL through proxy
– Proxy authenticates and authorizes (if enabled)
• Proxy calls OACINT
• OACINT talks to OACJAVA to retrieve values
– OACJAVA generates LDAP requests and caches the response
• OACJAVA sends response to Proxy
– Proxy checks if ICHAIN_UID and/or ICHAIN_PWD is used
» Yes => replace values in authorization header
» No => write query string and authorization header and forward to origin server

Page 86:

OLAC Troubleshooting Tools

Page 87:

OLAC Troubleshooting Tools

• Sys:\Trace.txt file
– tracermedia.properties settings
– Note performance degradation due to Swing
• Proxycfg debug screen
– LDAP profile errors reported here
» E.g., readiChainStringAttributebyLDAP failed
• Java -showxxx<threadID> output
• Third-party LDAP providers
• Decoding servlets from authentication server CD

Page 88:

OLAC Troubleshooting Steps

Page 89:

OLAC Troubleshooting Steps

• Verify configuration (basic)
– LDAP server allows clear text passwords
– LDAP mappings exist for attributes
– ACLCHECK profile configured
– Forward authentication information to web server
– Debug OAC switches enabled

Page 90:

OLAC Troubleshooting Steps (cont.)

• Common OACINT errors reported
– No attributes returned for user cn=ncashell,o=novell, resource my_web_server
– ConnectToOAC failed: could not connect to OAC server: Error xx
– SendMessageToOAC failed: could not connect to OAC server
• Tests
– Increase Java app memory size (java -Xms64m -Xmx128m)
– Increase number of worker threads
– Check ticks count (<270) for requests in OACINT
» LDAP server performance issue (increase LDAP threads)
– Try different LDAP provider
– Check state of sockets, threads, memory with JAVA -SHOW

Page 91:

OLAC Troubleshooting Steps (cont.)

• Common LDAP-related errors reported
– “Unable to connect to any ldap server to read ISO information”
– “Could not locate any LDAP profile”
– “Failed to connect to any of %d LDAPservers”
• Tests
– ACLCHECK profile information valid
– OACINT debug output
» tracerfilter.properties: change DEBUG 0 to 5
» tracermedia.properties: log info to text file

Page 92:

OLAC Troubleshooting Steps (cont.)

• Common OACJAVA errors
– java.net.ConnectException (invalid port)
– illegalMonitorState (out of worker threads)
– java.lang.NumberFormatException (1.5 oac.properties)
• Tests
– iChainProtectedResource ISO attribute valid
– oac.properties tuning issue
– Provider issue
– JVM issue (JAVA -SHOW)
– LDAP server issue
» Performance: LDAP interpacket delay time
» Resolution: DSTRACE errors (+LDAP, +TIME)

Page 93:

OLAC Troubleshooting Steps (cont.)

• Verify parameters seen with servlets
– Check that correct request/response combination seen in oacjava debug screen
• Check LDAP server for valid attributes (LDAP browser, dstrace)
• Check LDAP server connectivity issues (L4 switch)
• Check trace from ICS to LDAP and origin server for TCP issues

Page 94:

OLAC Case Study: Duplicate Parameter Passed

Page 95:

OLAC Case Study

• Backend web application authenticated user based on LDAP CN
– OLAC set up to return user’s CN
• Users accessing application after authenticating to iChain received login error
• Verified
– OACINT and OACJAVA initialized correctly
– Problem not load/performance related
– Servlets return valid credentials

Page 96:

Problem User Had Following Profile

Page 97:

ISO OLAC Parameters

Page 98:

Page 99:

OLAC Case Study

• ‘Other Name’ field in eDirectory is returned as an additional CN value via LDAP
• Application parsed the last CN returned, which was the user’s ‘Other Name’ rather than the CN
– Modified application to accept first CN in string
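The forwarding decision from the OLAC flow-control slide (ICHAIN_UID/ICHAIN_PWD into the authorization header, other values onto the query string) together with the multi-valued cn problem of this case study, as an added example that is not Novell's OLAC code. The comma-joined serialisation of multi-valued attributes and the attribute names other than ICHAIN_UID/ICHAIN_PWD are assumptions, not OLAC's documented format.

```python
"""Added example (not Novell's OLAC code): the proxy-side forwarding decision
from the OLAC flow-control slide, plus the multi-valued cn handling from the
case study.  Parameter names other than ICHAIN_UID/ICHAIN_PWD and the
comma-joined serialisation of multi-valued attributes are assumptions."""
import base64
from urllib.parse import urlencode

CRED_ATTRS = ("ICHAIN_UID", "ICHAIN_PWD")

def olac_forward(url, attrs, headers=None):
    """attrs maps an OLAC parameter name to the list of LDAP values read for
    the user.  Returns (url, headers) as they would reach the origin server."""
    headers = dict(headers or {})
    values = {k: v for k, v in attrs.items() if v}
    if all(k in values for k in CRED_ATTRS):
        # 'Yes' branch: credentials replace the Authorization header
        cred = f"{values['ICHAIN_UID'][0]}:{values['ICHAIN_PWD'][0]}"
        headers["Authorization"] = "Basic " + base64.b64encode(cred.encode()).decode()
        rest = {k: v for k, v in values.items() if k not in CRED_ATTRS}
    else:
        # 'No' branch: everything goes on the query string, header untouched
        rest = values
    if rest:
        qs = urlencode({k: ",".join(v) for k, v in rest.items()})
        url = f"{url}{'&' if '?' in url else '?'}{qs}"
    return url, headers

def rdn_cn(dn, cn_values):
    """Case study: eDirectory's 'Other Name' comes back as extra cn values, so
    taking the last value picks the wrong one.  Prefer the value that equals
    the DN's leading RDN, otherwise fall back to the first value."""
    rdn = dn.split(",", 1)[0].strip()
    if rdn.lower().startswith("cn="):
        want = rdn[3:].strip().lower()
        for v in cn_values:
            if v.lower() == want:
                return v
    return cn_values[0]
```

Matching the RDN is more robust than "first value" because LDAP does not guarantee attribute value order.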

Page 100:

iChain Components: “FormFill”

Page 101:

FormFill Interfaces

• Inputs and outputs

• Flow of information

Page 102:

FormFill Interfaces

• PROXY.NLM
– FilterFramework (FF) model
• SSO.NLM
– Interface into Proxy FilterFramework via callbacks
• eDirectory
– ISO object attributes
– User attributes (Novell SecretStore®)

Page 103:

FormFill Interfaces (cont.)

• LDAPSDK.NLM
– Pulls FormFill parameters from ISO object
• SSCLD.NLM
– SecretStore LDAP client
• NILE/PKI
– Certificate management if secure LDAP enabled

Page 104:

FormFill Flow Control

• Initialization requires
– Generation of LDAP pool of handles
» Using authentication profile for LDAP
– Use LDAP to read FormFill ISO attributes
» Reading of FormFill profile
» SecretStore enabled
• Proxy processing
– Request passed to filter framework code at various stages where SSO filter created

Page 105:

FormFill Flow Control

Page 106:

FormFill Flow Control (cont.)

• SSO processing
• Verify POST HTTP method (no support for GET)
• Find URL policy that matches the given URL
– INITIAL: Parse POST data
» Get and remember list of attributes from form
» Check if "don't remember this form" action in profile
» Write out modified user data (LDAP request or local cache)
» Forward data to origin server
– SUBSEQUENT: Get user data from LDAP
» Get actions to be performed
» Build redirect request to browser with form attributes

Page 107:

FormFill Troubleshooting Tools

Page 108:

FormFill Troubleshooting Tools

• LDAP Browser/ConsoleOne®
– Confirm ISO FormFill attribute (profile, SecretStore)
– User “iChainFormFillCrib” attribute
• ‘FFichain refresh rule’ server console command
• iChain server console screens for SecretStore
– SSL stack and server screens
» Use to check the state of the LDAP SSL session handshake
• LAN traces
– Most useful troubleshooting tool

Page 109:

FormFill Troubleshooting Tools (cont.)

• Proxy System Console -> SSO screen (debug build only)

Page 110:

FormFill Troubleshooting Steps

Page 111:

FormFill Troubleshooting Steps

• Verify configuration (basic)
– LDAP server allows clear text passwords
– Proxy authentication profile configured and correct
– Ping IP address/port combination for LDAP server
– ISO attributes set for FormFill (profile, SSO)
– SSL certificate imported to proxy server (SecretStore only)
– Login form includes JavaScript?
» Only HTML forms supported in current release
» HTML page must POST credentials (no GET support)

Page 112:

Common FormFill Problems

• Non-SecretStore problems
– FormFill profile matching HTML information
» Remove POST/ from FormFill profile to only fill
» Simplify profile to one variable if possible
» Use test profile written to confirm (available from support)
– Verify iChainFormFillCrib attribute created
– Verify DSTRACE +LDAP setting shows valid responses
– Verify LAN trace
» Confirm redirects and LDAP communication
– Apply debug SSO.NLM and view debug screen

Page 113:

Common FormFill Problems (cont.)

• SecretStore problems
– Verify all works fine without SecretStore
– Verify LDAP over SSL authenticates fine
» Import trusted root
» Timestamp issues with certificates
– Delete user iChainFormFillCrib attribute
– Enable DSTRACE logs with +LDAP, +TIME

Page 114:

FormFill Case Study: Authentication Failure to Web Application

Page 115:

Authentication Failure to Web Application

• Problem: back-end application, using the FormFill feature to authenticate, continuously prompting external users to enter credentials
– FormFill POSTing NULLs for external users; worked fine for internal users
• Network layout
– BM server proxying internal users to iChain
– Gauntlet firewall proxying external users to iChain

Page 116:

Authentication Failure to Web Application (cont.)

Page 117:

Authentication Failure to Web Application (cont.)

• Troubleshooting
– Removed SecretStore setup: also failed
– Removed POST/ entry from profile: showed blanks
– Looked at DSTRACE +LDAP info from LDAP server
» Updating entries correctly
– Got a trace of working/non-working scenarios
» Saw that the POST header and data were split through Gauntlet

Page 118:

Authentication Failure to Web Application (cont.)

Page 119:

Authentication Failure to Web Application (cont.)

Page 120:

Authentication Failure to Web Application (cont.)

• SSO.NLM expected POST header and data to be in the same packet
– Didn’t find POST data, so assumed and wrote NULL
– iChainFormFillCrib attribute existed but without data
• New SSO.NLM in IC20FP3.EXE fixes problem
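The packet-split bug in this case study, as an added example that is not Novell's SSO.NLM code: a naive parser that reads the POST body from the first segment beside one that buffers the TCP stream until Content-Length bytes of body have arrived. The two segments are constructed to mimic what the trace showed through Gauntlet (header in one packet, form data in the next).

```python
"""Added example (not Novell's SSO.NLM code): why a form-fill filter must
reassemble the HTTP request from the TCP stream before reading POST data.
The two segments below are constructed to mimic the Gauntlet case: the
POST header arrives in one packet, the form body in the next."""
from urllib.parse import parse_qs

def parse_post_naive(first_segment):
    """Pre-fix behaviour: assumes header and body share one packet.  When the
    body has not arrived yet it sees no fields and would store NULLs."""
    _head, _sep, body = first_segment.partition(b"\r\n\r\n")
    return _form_fields(body)

def parse_post_buffered(segments):
    """Fixed behaviour: accumulate segments until the headers are complete and
    Content-Length bytes of body have arrived, then parse the form fields."""
    buf = b""
    for seg in segments:
        buf += seg
        head, sep, body = buf.partition(b"\r\n\r\n")
        if not sep:
            continue                          # headers still incomplete
        length = _content_length(head)
        if len(body) >= length:
            return _form_fields(body[:length])
    raise ValueError("stream ended before the POST body was complete")

def _content_length(head):
    for line in head.split(b"\r\n")[1:]:     # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            return int(value.strip())
    return 0

def _form_fields(body):
    return {k: v[0] for k, v in
            parse_qs(body.decode("latin-1"), keep_blank_values=True).items()}

# Constructed sample: header-only segment, then the body in a second segment.
SEGMENTS = [
    b"POST /login HTTP/1.1\r\nHost: app.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 29\r\n\r\n",
    b"username=ncashell&password=pw",
]
```

The naive parser returns no fields for the first segment, which is exactly the empty iChainFormFillCrib the case study found; the buffered one returns the same fields whether the request arrives in one, two or more segments.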

Page 121:

Miscellaneous Issues

Page 122:

Miscellaneous iChain Issues

• Troubleshooting iChain installation issues—10068257
• Troubleshooting mutual authentication issues—10066648
• Custom rewriter issues—10066908
• External rewriter issues—10068222

Page 123:

Summary

• Proxy interfaces
– Inputs and outputs from all dependent modules
– Flow of information through iChain
• Proxy troubleshooting tools
– More than enough
• Proxy troubleshooting steps
– Follow flow and identify broken interface

Page 124: