iChain® 2.3 troubleshooting tools and tips
Neil Cashell, iChain WWS engineer, Novell, Inc., [email protected]
© March 9, 2004 Novell Inc.2
one Net: Information without boundaries…where the right people are connected with the right information at the right time to make the right decisions.
The one Net vision
Novell exteNd™
Novell Nsure™
Novell Nterprise™
Novell NgageSM
The one Net vision
Novell Nsure solutions take identity management to a whole new level. Novell Nsure gives you the power to control access so you can confidently deliver the right resources to the right people — securely, efficiently, and best of all, affordably.
Presentation Outline
• General iChain® 2.3 troubleshooting tools
• New iChain components (proxy authentication, Citrix SSO, OLAC, Rewriter, WebDAV, Xtier)
  - Specific troubleshooting tools
  - Common issues
Generic iChain Troubleshooting Tools
LSEARCH.NLM from NDK
• Bind done for all requests
• http://developer.novell.com/ndk/cldap.htm
LDAP browser
• http://www.iit.edu/~gawojar/ldap/
• Export configuration to file
• Confirm LDAP search strings
Generic iChain Troubleshooting Tools (cont.)
iChain Proxy GUI
• Home -> Health status for details of services running
• Monitor tab gives services and stats information
  - Services running (rewriter display)
  - Disk space info, CPU utilization, cache hit ratio
• Access ACLCHECK and Proxy logs via the Monitor tab
• Can ping remote applications
Generic iChain Troubleshooting Tools (cont.)
iChain Proxy Console and Logger Screens
• Communication error messages printed here
• Debug options modified to write here (SB, Nsure Audit, NPKIT)
• Activation-related debugging info (Display ISO Object Info)
  - Very useful in knowing what activation information (including evaluation period ending) the Proxy has read from the ISO.
  - If it cannot read the ISO object it will report TreeName=Not Resolved and/or Tree GUID=Invalid (problem with filtered replica, DirXML, referrals)
Generic iChain Troubleshooting Tools (cont.)
TCPCON
• Connectivity-specific tool (ICMP, TCP issues)
• Active TCP listeners, LDAP profile errors
• _TCP/_IP console command tools
Logs from authentication servers
• DSTRACE.NLM for LDAP (view DS trace traffic for object/attribute resolution: +LDAP/+TIME/FILE=ON)
• 'Radius debug ON' trace from Radius server
Generic iChain Troubleshooting Tools (cont.)
Browser tools
• ieHTTPHeaders - http://www.blunck.info/ieHTTPHeaders.html
• Mozilla "Live HTTP Headers" plug-in
Generic iChain Troubleshooting Tools (cont.)
Network layout information
• Firewalls/L4 may pose connectivity/state problems
LAN analyzer (Sniffer, Ethereal, tcpdump, pktscan)
• Trace traffic between proxy and auth server
• Trace traffic between browser and proxy server
• Trace traffic between proxy and origin server
• Check out TUT230 for remote debugging with PKTSCAN
iChain Components “Proxy Authentication”
Proxy Troubleshooting Tools
Internet browser
• Useful for importing and viewing certificate attributes
• Mozilla/IE 'Live HTTP Headers' plug-in
Proxy load line switches
• -ri (remove IP address check on cookie)
• -cc (clear cache at startup)
• -cs (enable secure cookies)
• -cv (cookie mode: 24 or 40 bit)
• -gzip (compressed data to browser; default 1)
Proxy Troubleshooting Tools
Proxy Console -> IAgent console
Proxy Troubleshooting Tools
Ethereal (free, decodes SSL headers, filters TCP stream)
Proxy Troubleshooting Steps
- Initialization problems
- SSL handshake problems
- Authentication server problems
Proxy Initialization Problems
Failed to get ISO information over LDAP
• Get authentication <prof_name> returns valid parameters
• Ping <ldap_srvr_addr:port> from iChain command line interface
• Check interpacket delay times between LDAP request/responses
  - LDAP server overloaded and may require addition of threads
• Check if LDAP over SSL is set up; may be a cert issue
• Add delay to appstart.ncf before Proxy loads
Proxy SSL Handshake Problems
Login page not displayed
• Failure at this level most often indicates an SSL/PKI issue
  - Verify whether authentication over HTTP works
  - If not, check cert timestamps and CRL information
  - Look closely at the SSL diagnostic screens on the iChain Proxy server and check for SSL handshake errors
  - Trace the client-to-proxy connection and verify, after the first redirect:
    - That you see cert chains being transferred
    - That the iChain Proxy doesn't have its time set in the future (Non US!)
Proxy SSL Handshake Problems (certificate timing issue)
Proxy Authentication Problems (cont.)
Login page displayed but authentication fails
• Verify that login page hasn't been customized
400 Bad Request error message
• Verify that no intermediate device is stripping cookies
• Verify browser is sending the correct credentials when POSTing information to the iChain Proxy server
  - Browser tools to view HTTP headers
  - Check authentication server logs (DSTRACE, Radius) to see if the user is being validated
Proxy Authentication Problems (cont.)
Login page displayed but authentication fails
• 403 Browser does not support cookies
  - Verify accelerator name and cookie domain (IE issue)
  - Verify if a transparent proxy is in the path
• Session Broker enabled
  - Mixed iChain 2.2 and 2.3 environment (cookie sizes)
  - Same authentication profile names
  - Intermediate devices (firewalls) resetting connections
Proxy Authentication Problems (cont.)
Login page displayed but authentication fails
• LDAP search (multi attribute) resolves correctly
  POST context=default&username=admin&[email protected]&password=novell
• ANDing of profile information incorrect
• Ldaprad/ldapcert profiles: Authtype == FieldName
• Forced LDAP on token auth
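To confirm that a multi-attribute profile ANDs the login fields the way the slide expects, the following added helper (not iChain code; the slide does not document the proxy's own filter construction, so the `(&(cn=...)(mail=...))` shape and the field-to-attribute mapping are assumptions) rebuilds the expected search filter from the login POST so it can be compared with what DSTRACE +LDAP shows the proxy sending, and escapes the values so a typed credential cannot change the filter's structure:

```python
from urllib.parse import parse_qs

# Constructed login POST (the address on the slide is redacted, so a placeholder is used).
POST_BODY = "context=default&username=admin&email=admin%40example.test&password=novell"

def escape_filter_value(value):
    """RFC 4515 escaping so a typed credential cannot alter the filter's structure."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)

def expected_search_filter(post_body, field_to_attr):
    """Build the ANDed filter a multi-attribute profile is expected to issue:
    one (attr=value) term per form field, joined with &. The password is not
    part of the search; it is only used for the bind once the entry is found."""
    form = parse_qs(post_body, keep_blank_values=True)
    terms = []
    for field, attr in field_to_attr.items():
        value = form.get(field, [""])[0]
        if not value:
            raise ValueError(f"login form did not send '{field}'")
        terms.append(f"({attr}={escape_filter_value(value)})")
    return terms[0] if len(terms) == 1 else "(&" + "".join(terms) + ")"

if __name__ == "__main__":
    # Compare this string with the search DSTRACE +LDAP shows arriving from the proxy.
    print(expected_search_filter(POST_BODY, {"username": "cn", "email": "mail"}))
```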
Proxy Authentication Problems (cont.)
LDAP problems• LDAP profile has valid BIND username/password - Must have Read (not just browse!) rights to DS
• LDAP server - responds to requests (DSTRACE +LDAP switch) - Slow interpacket delay time (LAN TRACE, DSTRACE +TIME)
• indexing required when setting up conplex searches
Radius Problems• ‘Radius debug on’ commands show no errors• Changes between 2.2 and 2.3
• ldaprad profile replaces SET commands• LAN trace shows successful RADIUS response - Timeout issues
© March 9, 2004 Novell Inc.26
Proxy Authentication Problems (cont.)
Mutual Authentication problems
• Trusted root container includes client cert CA and intermediate certificates
• Certificate error checkbox enabled to return more detailed information
• LDAP server responds to requests (DSTRACE +PKIA +TIME switch)
• Debug NPKIT.NLM (shipped as NPKIT.DBG); logger screen output:

  Cert 1 -- Step 3 -- Revocation checking
  Cert num 1 Starting revocation check
  ERROR: Cert num 1 No CRL DP's so invalid
  Cert 2 -- Step 2 -- General certificate checks
  Basic Constraints: Cert num 2 is a CA
  Cert num 2 This is the Root Certificate.
  Cert 2 -- Step 3 -- Revocation checking
  Cert num 2 Starting revocation check
  Cert num 2 number of CRL DP's is 1
  1 Distribution Point: ldap://151.155.164.163:389/cn%3DCA%2C o%3DNovell
  --- Entering checkForValidCRL -- ldap://151.155.164.163:389/cn%3DCA%2C o%3DNovell
  node type NPKIx509CRL_crlType
  node type NPKIx509CRL_OnlyCACertsType
  Current time:402A1175 Wed Feb 11 11:26:45 2004
  nextUpdateTime:402924FA Tue Feb 10 18:37:46 2004 ERROR: CRL has expired.
  --- Exiting checkForValidCRL with ccode = -1258
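The two failures in the NPKIT trace above (a certificate with no CRL distribution point, and a CRL whose nextUpdate is behind the proxy clock) can be pulled out of the logger screen mechanically. The following added script is not part of NPKIT or iChain; it parses a constructed sample in the same format (distribution point host is a placeholder) and decodes the 8-hex-digit fields, which are Unix time in seconds (402A1175 = 2004-02-11 11:26:45 UTC, matching the printed date), so a proxy clock set in the future shows up as an apparently expired CRL:

```python
import re
from datetime import datetime, timezone

# Constructed sample modelled on the NPKIT.DBG lines on the slide; the CRL
# distribution point host is a placeholder, not a real server.
NPKIT_DEBUG = """\
Cert 1 -- Step 3 -- Revocation checking
ERROR: Cert num 1 No CRL DP's so invalid
Cert 2 -- Step 3 -- Revocation checking
Cert num 2 number of CRL DP's is 1
--- Entering checkForValidCRL -- ldap://crl.example.test:389/cn%3DCA%2C o%3DExample
Current time:402A1175 Wed Feb 11 11:26:45 2004
nextUpdateTime:402924FA Tue Feb 10 18:37:46 2004 ERROR: CRL has expired.
--- Exiting checkForValidCRL with ccode = -1258
"""

CERT_NUM = re.compile(r"\bCert (?:num )?(\d+)\b")
HEX_TIME = re.compile(r"(Current time|nextUpdateTime):([0-9A-Fa-f]{8})")
CCODE = re.compile(r"ccode = (-?\d+)")

def hex_epoch(hex_secs):
    """NPKIT prints timestamps as 8 hex digits of Unix time (UTC)."""
    return datetime.fromtimestamp(int(hex_secs, 16), tz=timezone.utc)

def triage_npkit(text):
    """Map cert number -> finding. status is 'ok', 'no_cdp' (no CRL distribution
    point in the cert) or 'crl_expired' (CRL nextUpdate behind the proxy clock)."""
    findings, now, cert = {}, None, None
    for line in text.splitlines():
        m = CERT_NUM.search(line)
        if m:
            cert = int(m.group(1))
            findings.setdefault(cert, {"status": "ok", "detail": ""})
        if cert is None:
            continue
        if "No CRL DP's" in line:
            findings[cert].update(status="no_cdp", detail="certificate carries no CRL DP")
        for field, hx in HEX_TIME.findall(line):
            t = hex_epoch(hx)
            if field == "Current time":
                now = t  # proxy clock: a clock set in the future also shows up here
            elif now is not None and t < now:
                findings[cert].update(status="crl_expired",
                    detail=f"CRL nextUpdate {t:%Y-%m-%d %H:%M:%S}Z is {now - t} behind proxy clock")
        m = CCODE.search(line)
        if m:
            findings[cert]["ccode"] = int(m.group(1))
    return findings
```

Feed the real logger screen text to `triage_npkit` and compare the decoded "Current time" with a trusted clock before blaming the CRL server.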
Proxy Authentication Problems (cont.)
Mutual Authentication problems
• Check CDP attributes on client and intermediate certificate (points to an LDAP or HTTP CRL server)
• View and check CRL attributes from browser
• Check if certs (Equifax) have the option without any LDAP or HTTP server specified
  - Enable the mapx500crltoldap set command
• Check if client certs have an AIA attribute
  - Don't need to enable ocspconfiguredsource/URL
• Check OCSP server log files
• Check if disablerevocationchecks is disabled
Proxy Authentication Problems (cont.)
Back end application problems
• Authentication header invalid
• OLAC not passing correct credentials
• Protected resource change
• iChain servlets can check OLAC/Auth headers
iChain Components “Citrix SSO”/FormFill
Citrix SSO Troubleshooting Tools
Proxy Console -> Display services screen
• Check what links are being rewritten
Citrix SSO Troubleshooting Tools
SSO Debug screen
• Check formfill status
Citrix SSO Troubleshooting Tools
Rewritten ICA file
• Save the ICA file to confirm entries rewritten
Citrix SSO Authentication Flow
[Diagram: ICA Client, Web Browser, Secure Web Server, Production MetaFrame Farm, XML Service and Nfuse Portal, separated by Firewall 1, the DMZ and Firewall 2, with the exchange numbered as steps 1 through 7]
Citrix SSO Troubleshooting Tools
LAN traces
• iChain to LDAP if SSO to Citrix server
• iChain to browser communication
  - Verify rewrite of ICA page
  - Verify the CONNECT sent to MetaFrame proxy
  - Verify the 407 Proxy Authorization Required sent back; realm is "iChain-ICA"
  - Verify connection established
• iChain to web server
  - Application info sent back correctly
  - Cookies exist
  - No errors from back end servers
FormFill Troubleshooting Tools
BuildFormFillScript.jsp
• http://www.novell.com/coolsolutions/icmag/features/tips/t_ichain_form_fill_script_generator_ic.html
LDAP Browser/ConsoleOne
• Confirm ISO and user "iChainFormFillCrib" attributes
Browser 'View->Source'
• View info submitted by browser and login page details
LAN traces
• iChain to LDAP and browser communication
Updated Documentation
• Understand all options
Common Citrix SSO Problems and tips
• tunnelauthforica = Yes for Citrix/MF server
• SSO to login fails: profile URL doesn't match
• Client connecting through forward proxy fails
  - ICA client ignores browser proxy settings
• No spaces in between 'address=' in script
• ICHAIN-TOKEN=<timeout> added to formfill script (CONNECT requests failing)
• Load balanced servers -> specified twice!
• Disable 'keep-alive' for VIP ports 80/443
Common FormFill Problems and tips
• Remove POST/ from FormFill profile to only fill (no submit)
  - Check for Javascript tags/methods in login page
• Simplify profile to one variable if possible
  - Use a test profile written to confirm
• Verify if multiple <form> tags exist
• Verify iChainFormFillCrib or LDAP attribute sent/received
  - Verify DSTRACE +LDAP settings show valid response
  - Verify LAN trace for LDAP communication
• Verify schema extensions (secret store - TID 10090219)
• Load SSO.NLM /d /l and view debug/logger screen info
Miscellaneous Issues
• Rewriter
  - Rewriter.sam file
  - Proxy Console -> Display services
  - Multiple accelerators cannot have same althostname/port!
  - [Exclude] option to turn off rewriting for links
  - <!--NOVELL_REWRITER_OFF/{ON}--> tag to turn off/on rewriting of portions of HTML data
  - [Javascript Variables] can be used to overwrite Javascript variables containing URL references
  - [Alias Host Names] extended to rewrite non-DNS hostnames, schemes, ports and links
    - Can be used to add additional paths to PBMH setup
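The two rewriter rules above (origin host names are replaced by the accelerator alias, and the OFF/ON comment tags fence off parts of the page that must not be touched) are illustrated by the following added model. It is not iChain's rewriter: the tag spellings `<!--NOVELL_REWRITER_OFF-->` / `<!--NOVELL_REWRITER_ON-->`, the `(origin, alt_hostname, port)` tuple shape and all host names are assumptions, and the duplicate althostname/port check shows why two accelerators cannot share one:

```python
import re

OFF_TAG, ON_TAG = "<!--NOVELL_REWRITER_OFF-->", "<!--NOVELL_REWRITER_ON-->"

def build_alias_map(accelerators):
    """accelerators: (origin_host, alt_hostname, port) tuples. Two accelerators
    sharing alt hostname and port are rejected: the rewriter could not tell
    which origin a link should map back to."""
    seen, aliases = {}, {}
    for origin, alt, port in accelerators:
        key = (alt.lower(), port)
        if key in seen:
            raise ValueError(f"{alt}:{port} already used by accelerator for {seen[key]}")
        seen[key] = origin
        aliases[origin.lower()] = alt
    return aliases

def rewrite_html(html, aliases):
    """Replace origin host names with their accelerator alias, except inside
    spans bracketed by the OFF/ON comment tags."""
    if not aliases:
        return html
    # Hosts are matched as whole tokens so a.example.test never hits aa.example.test.
    host_re = re.compile(r"(?<![\w.-])(" + "|".join(map(re.escape, aliases)) + r")(?![\w.-])", re.I)
    out, rewriting = [], True
    # A capturing group makes re.split keep the tags, so state flips as we pass them.
    for chunk in re.split(f"({re.escape(OFF_TAG)}|{re.escape(ON_TAG)})", html):
        if chunk == OFF_TAG:
            rewriting = False
        elif chunk == ON_TAG:
            rewriting = True
        elif rewriting:
            chunk = host_re.sub(lambda m: aliases[m.group(1).lower()], chunk)
        out.append(chunk)
    return "".join(out)

# Constructed sample page; host names are placeholders, not from the slides.
SAMPLE_HTML = (
    '<a href="http://intranet.example.test/app/">app</a>'
    "<!--NOVELL_REWRITER_OFF-->"
    '<script>var host = "intranet.example.test";</script>'
    "<!--NOVELL_REWRITER_ON-->"
    '<img src="https://mail.example.test:8443/logo.png">'
)

if __name__ == "__main__":
    aliases = build_alias_map([("intranet.example.test", "accel.example.test", 443),
                               ("mail.example.test", "mail-accel.example.test", 443)])
    print(rewrite_html(SAMPLE_HTML, aliases))
```

The script block survives untouched, which is the case [Javascript Variables] exists for when the page author cannot add the tags.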
Miscellaneous Issues
• XTier Integration and NW65 interoperability
  - Must have NetIdentity client (X-NovInet header)
  - NetIdentity client IE browser must have a Trusted Root certificate for the iChain accelerator AND the NetStorage server in its Trusted Root certificate store
  - SSL certificate used by the NetStorage server must have a Subject Name matching the iChain DNS accelerator for NetStorage (can include wildcard certificates)
  - XTier Realm is case sensitive!
  - Problems with NNLS (Linux)
Miscellaneous Issues
• WebDAV
  - Tunnel WebDAV methods through, but note rewriter requirements
  - Cannot delete mails when SSLizer enabled and OWA server running over HTTP
  - OWA/Outlook in PBMH setup requires rewriter changes
    - Different paths, Javascript variables
  - OWA requires alt hostname to be same as DNS name
    - Outlook 2003 does not!
Miscellaneous iChain Issues
• Troubleshooting iChain access control issues - TID 10080500
• Troubleshooting iChain activation issues - TID 10080226
• Troubleshooting iChain authentication issues - TID 10080271
• Troubleshooting iChain OLAC issues - TID 10080620
• Troubleshooting iChain installation issues - TID 10068257
• Configuring formfill to SSO to other Novell products - TID 10078054
Summary
iChain troubleshooting tools
• More than enough!
iChain troubleshooting steps
• Follow flow and identify broken interface
General Disclaimer
This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. Novell, Inc., makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.
No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.