5.7.4: Tracing SAS

The Secure Association Service (SAS) uses a messaging model, so for every SAS request, there is a response. In a distributed environment, where a client can call a server, which can then act as a client and call another server, solving security-related problems often requires tracing multiple servers simultaneously.

Frequently, these servers reside on the same machine; the interaction between an administrative server and an application server is often where problems arise. The administrative server includes a component called the security server, which performs authentication work, and messages are frequently exchanged between the application server and the administrative server during authentication. Furthermore, the administrative server stores authorization information in a repository, so authorization requests result in additional traffic between the administrative server and the application server.

Collecting information about SAS messages is often crucial for debugging security problems, and SAS provides a set of properties that govern the collection of SAS messages, including the types of messages and the destination of the collected messages. These properties are set in the property file used by each server; this is typically the sas.server.props file.

The SAS message and trace logging facility captures information about the following different types of events:

  • Activity: indicates that a specific event has occurred
  • Error: indicates that a run-time problem has occurred and suggests a potential solution
  • Exception: indicates that a run-time problem has occurred and prints a corresponding stack trace
  • Trace: tracks the path through the code so that, when an error occurs, you can determine the events preceding it

This behavior is determined by the value of the com.ibm.CORBA.securityTraceLevel property.

The value of the com.ibm.CORBA.securityDebug property is used to determine whether the collected messages can be displayed on the standard output stream.

In addition, you can selectively send the messages for each type of event to a file. For each type of event, you set an output-mode property. The output mode determines where the messages collected for that type of event (for example, activity) are sent. You can use any of the following output modes:

  • File: output goes to the destination set in the com.ibm.CORBA.securityTraceOutput property, and a new file is created after each server restart.
  • Fileappend: output goes to the destination in the com.ibm.CORBA.securityTraceOutput property, and new output is appended after each server restart.
  • Console: output is redirected to the standard output stream.
  • Both: output is redirected to both the standard output stream and to the destination set in the com.ibm.CORBA.securityTraceOutput property, and a new file is created after each server restart.
  • None: no output occurs.

The output mode is set for each type of trace event. Each of these properties can take any of the output modes as values:

  • com.ibm.CORBA.securityActivityOutputMode
  • com.ibm.CORBA.securityErrorsOutputMode
  • com.ibm.CORBA.securityExceptionsOutputMode
  • com.ibm.CORBA.securityTraceOutputMode
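
When several servers are traced at once, it helps to confirm where each server's property file actually sends each event type before reproducing a problem. The following is an added example, not part of the original documentation or of WebSphere: it resolves the four output-mode properties listed above against com.ibm.CORBA.securityTraceOutput and reports modes that cannot produce output. The function names and the sample are constructed, and comparing mode values case-insensitively is an assumption.

```python
# Added example: resolve where each SAS event type is written.
# Mode values are compared case-insensitively (an assumption).
MODE_KEYS = {
    "activity": "com.ibm.CORBA.securityActivityOutputMode",
    "errors": "com.ibm.CORBA.securityErrorsOutputMode",
    "exceptions": "com.ibm.CORBA.securityExceptionsOutputMode",
    "trace": "com.ibm.CORBA.securityTraceOutputMode",
}
TRACE_OUTPUT = "com.ibm.CORBA.securityTraceOutput"
TO_FILE = {"file", "fileappend", "both"}
TO_CONSOLE = {"console", "both"}

def parse_props(text):
    """Parse key=value lines; blank lines and #/! comments are skipped."""
    props = {}
    for line in map(str.strip, text.splitlines()):
        if line and line[0] not in "#!" and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def resolve(props):
    """Return ({event: [destinations]}, [problems]) for the modes that are set."""
    target = props.get(TRACE_OUTPUT)
    routes, problems = {}, []
    for event, key in MODE_KEYS.items():
        if key not in props:
            continue  # unset: the page states no default, so none is guessed
        mode = props[key].lower()
        routes[event] = []
        if mode not in TO_FILE | TO_CONSOLE | {"none"}:
            problems.append(f"{key}: unknown output mode '{props[key]}'")
            continue
        if mode in TO_CONSOLE:
            routes[event].append("stdout")
        if mode in TO_FILE and target:
            routes[event].append(target)
        elif mode in TO_FILE:
            problems.append(f"{key}={props[key]} but {TRACE_OUTPUT} is not set")
    return routes, problems

# Constructed sample: securityTraceOutput is missing and one mode is misspelled.
SAMPLE = """\
com.ibm.CORBA.securityActivityOutputMode=none
com.ibm.CORBA.securityErrorsOutputMode=both
com.ibm.CORBA.securityExceptionsOutputMode=fileappend
com.ibm.CORBA.securityTraceOutputMode=consol
"""

if __name__ == "__main__":
    routes, problems = resolve(parse_props(SAMPLE))
    print(routes, *problems, sep="\n")
```

Run it against the property file of every server involved in the call chain; a server whose exceptions resolve to no destination will leave a gap in the combined trace.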

To send all trace messages to the standard output stream, use the following settings:

com.ibm.CORBA.securityDebug=console
com.ibm.CORBA.securityTraceLevel=intermediate
