IBM Security Verify

Hello

We made this observation about 1 year ago and then forget to investigate it further but this week the same behavior was made in our Production environment.

It seems that beginning with ISAM Virtual Appliance (V8 or V9, we are running 9) that the below messages logged normally in webseald server log file are no longer reported:

DPWWA2025W    IBM Security Access Manager WebSEAL has lost contact with junction server: %s (0x38cf07e9)     
DPWWA2026W    IBM Security Access Manager WebSEAL has regained contact with junction (%s) server: %s (0x38cf07ea)     

We have had an incident this week because we could not detect that a junction state changed from "up" to "down". This is because we cannot trace in our logs the message DPWWA2025W. The root cause of the incident of course is a human manual error but it all comes down to the delay it took us to realize the problem and fix it. The lack of the usual messages contributed to worsen the incident duration.

We did see another message more detailed "DPWAD0411E  The TCP/IP host information could not be determined from the server hostname: someservername.  Ensure that the server hostname is correct and that the domain name server is functioning correctly" appearing in the webseal server logs which we could opt to track also in the future but I can image other cause than this particular one for a junction to go down.

Before I open a support case, just want to know if there was any conscious effort not to log those 2 events anymore?

Thanks in advanced for your comments/responses.

Sylvain Gilbert, p. ing., Conseiller Technique Infrastructures Securité/Security Infrastructures Technical Advisor

Intact Corporation Financière | 1935 des Cascades, Saint-Hyacinthe, QC J2S 8K9

(T) 855.646.8228, x 86667 | (M) 450.223.9537

sylvain.gilbert@intact.net | www.intactfc.com

Hello

We made this observation about 1 year ago and then forget to investigate it further but this week the same behavior was made in our Production environment.

It seems that beginning with ISAM Virtual Appliance (V8 or V9, we are running 9) that the below messages logged normally in webseald server log file are no longer reported:

DPWWA2025W    IBM Security Access Manager WebSEAL has lost contact with junction server: %s (0x38cf07e9)     
DPWWA2026W    IBM Security Access Manager WebSEAL has regained contact with junction (%s) server: %s (0x38cf07ea)     

We have had an incident this week because we could not detect that a junction state changed from "up" to "down". This is because we cannot trace in our logs the message DPWWA2025W. The root cause of the incident of course is a human manual error but it all comes down to the delay it took us to realize the problem and fix it. The lack of the usual messages contributed to worsen the incident duration.

We did see another message more detailed "DPWAD0411E  The TCP/IP host information could not be determined from the server hostname: someservername.  Ensure that the server hostname is correct and that the domain name server is functioning correctly" appearing in the webseal server logs which we could opt to track also in the future but I can image other cause than this particular one for a junction to go down.

Before I open a support case, just want to know if there was any conscious effort not to log those 2 events anymore?

Thanks in advanced for your comments/responses.

Sylvain Gilbert, p. ing., Conseiller Technique Infrastructures Securité/Security Infrastructures Technical Advisor

Intact Corporation Financière | 1935 des Cascades, Saint-Hyacinthe, QC J2S 8K9

(T) 855.646.8228, x 86667 | (M) 450.223.9537

sylvain.gilbert@intact.net | www.intactfc.com

Hi Nick

After consulting the group, I have opened a support case.

After the initial opening of the case, I was able to identify that those expected messages are indeed reported when letting WebSEAL do the usual logging in its local default file (default config).

This is something we don't do in our environment because instead we direct all logs in near real time to our SIEM solutions via rsyslog. No logs are maintained on our Appliances.

So already now we have a distinction that this is probably not an issue of ISAM V7 vs ISAM V9 but more vs local file logging vs remote syslog logging.

I have yet to perform a packet trace to determine if those 2 syslog messages are at least leaving the Appliance or not at all.

Sylvain Gilbert, p. ing., Conseiller Technique Infrastructures Securité/Security Infrastructures Technical Advisor

Intact Corporation Financière | 1935 des Cascades, Saint-Hyacinthe, QC J2S 8K9

(T) 855.646.8228, x 86667 | (M) 450.223.9537

sylvain.gilbert@intact.net | www.intactfc.com

Hello

We made this observation about 1 year ago and then forget to investigate it further but this week the same behavior was made in our Production environment.

It seems that beginning with ISAM Virtual Appliance (V8 or V9, we are running 9) that the below messages logged normally in webseald server log file are no longer reported:

DPWWA2025W    IBM Security Access Manager WebSEAL has lost contact with junction server: %s (0x38cf07e9)     
DPWWA2026W    IBM Security Access Manager WebSEAL has regained contact with junction (%s) server: %s (0x38cf07ea)     

We have had an incident this week because we could not detect that a junction state changed from "up" to "down". This is because we cannot trace in our logs the message DPWWA2025W. The root cause of the incident of course is a human manual error but it all comes down to the delay it took us to realize the problem and fix it. The lack of the usual messages contributed to worsen the incident duration.

We did see another message more detailed "DPWAD0411E  The TCP/IP host information could not be determined from the server hostname: someservername.  Ensure that the server hostname is correct and that the domain name server is functioning correctly" appearing in the webseal server logs which we could opt to track also in the future but I can image other cause than this particular one for a junction to go down.

Before I open a support case, just want to know if there was any conscious effort not to log those 2 events anymore?

Thanks in advanced for your comments/responses.

Sylvain Gilbert, p. ing., Conseiller Technique Infrastructures Securité/Security Infrastructures Technical Advisor

Intact Corporation Financière | 1935 des Cascades, Saint-Hyacinthe, QC J2S 8K9

(T) 855.646.8228, x 86667 | (M) 450.223.9537

sylvain.gilbert@intact.net | www.intactfc.com