IBM Security Verify

 View Only
  • 1.  ISVA Runtime trace.log and message.log

    Posted Wed August 10, 2022 07:59 AM
    Hi,

    In the trace.log and the message.log I see the following message being logged:

    [8/10/22, 9:40:27:886 CEST] 0000180c id=00000000 .apache.cxf.binding.soap.interceptor.SoapActionInInterceptor I boi = [BindingOperationInfo: {http://docs.oasis-open.org/ws-sx/ws-trust/200512}RequestSecurityTokenCollection] action = null message = {SOAPAction=null, org.apache.cxf.message.MessageFIXED_PARAMETER_ORDER=false, http.base.path=https://localhost/TrustServerWST13, HTTP.REQUEST=com.ibm.ws.webcontainer40.srt.SRTServletRequest40@44748af0, org.apache.cxf.transport.Destination=org.apache.cxf.transport.servlet.ServletDestination@30de029c, HTTP.CONFIG=Servlet->com.ibm.ws.jaxws.webcontainer.LibertyJaxWsServlet
    getClassName->com.ibm.ws.jaxws.webcontainer.LibertyJaxWsServlet
    getName->com.tivoli.am.fim.sts.jaxws.providers.WST13TrustServiceProvider
    mapping->/services/RequestSecurityToken
    loadOnStartupWeight->-1
    getInitParameters->null or empty init parametersisAsyncSupported->false
    getDescription->null
    , javax.xml.ws.reference.parameters=[], org.apache.cxf.binding.soap.SoapVersion=org.apache.cxf.binding.soap.Soap11@67edc554, org.apache.cxf.message.Message.QUERY_STRING=null, javax.xml.ws.wsdl.operation={http://docs.oasis-open.org/ws-sx/ws-trust/200512}RequestSecurityTokenCollection, javax.xml.ws.wsdl.service={http://docs.oasis-open.org/ws-sx/ws-trust/200512}SecurityTokenServiceWST13, org.apache.cxf.security.transport.TLSSessionInfo=org.apache.cxf.security.transport.TLSSessionInfo@5892a7bf, org.apache.cxf.message.Message.ENCODING=UTF-8, HTTP.CONTEXT=com.ibm.ws.webcontainer40.facade.ServletContextFacade40@9c40d668, Content-Type=text/xml; charset=UTF-8, org.apache.cxf.security.SecurityContext=org.apache.cxf.transport.http.AbstractHTTPDestination$2@1534e462, org.apache.cxf.message.Message.PROTOCOL_HEADERS={Authorization=[Basic ***], Content-Length=[3852], content-type=[text/xml; charset=UTF-8], Cookie=[LtpaToken2=ijDcQCp1rD/v0O8jZnAZ7bAR/MGGj+Po4rgMg5UvXgaggzywaeydGFdYF8ptwhdRJDNRNsoZLadM1XwbKPJGKqRKJB0sWTcvVErtu9XnR2RiQelgwP/BkWLyK2QmvGF18bEjkpfebipJJopIS0GTIs+8Og2euL0zWWFQ3zcQE2gFUnbErBJSoUHMSvOHQhmlWR9Ezr38SxBnegu2MJNcp3ikNKbyxY1cJWy3km5TI1iLmS9hoUR3GoOYNwZLWm1eBzp3UVjVc32pl9PWJUbTxJNlsjcDLEgYKnPxYwOw27xZMg0ORRI21uEeGsTHLtxA], Host=[localhost:443]}, org.apache.cxf.request.url=https://localhost/TrustServerWST13/services/RequestSecurityToken, Accept=null, org.apache.cxf.request.uri=/TrustServerWST13/services/RequestSecurityToken, org.apache.cxf.binding.soap.saaj.SAAJInInterceptor.BODY_DONE=true, org.apache.cxf.service.model.MessageInfo=[MessageInfo INPUT: {http://docs.oasis-open.org/ws-sx/ws-trust/200512}RequestSecurityTokenCollectionRequest], org.apache.cxf.message.Message.PATH_INFO=/TrustServerWST13/services/RequestSecurityTokennull, org.apache.cxf.transport.https.CertConstraints=null, com.tivoli.am.fim.trust.addressing.WSARequestConsumerHandler.Namespace=null, HTTP.RESPONSE=com.ibm.ws.webcontainer40.srt.SRTServletResponse40@1c07500e, org.apache.cxf.headers.Header.list=[org.apache.cxf.binding.soap.SoapHeader@474b5e1b], org.apache.cxf.request.method=POST, org.apache.cxf.staxutils.W3CDOMStreamWriter=<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <SOAP-ENV:Header><wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><wsse:BinarySecurityToken EncodingType="http://ibm.com/2004/01/itfim/base64encode" ValueType="http://ibm.com/2004/01/itfim/ivcred">BAKs3DCCBo8MADCCBokwggaFAgIQAzBkMCowHgIErT684AIDANVkAgIR6gICALUCAU4EBgBQVqRyawwIcGF1bHRlc3QwNjA0MB4CBLijZtwCAkzNAgIR6gICAJ8CAgDWBAYAUFakcmsMEmFwaS1hdXRvbWF0ZWQtdGVzdAIBATCCBhQwggYQMB4MCmFrb3NudW1iZXIwEDAOAgEEDAc3MTAzNjYxBAAwKgwHYXRfaGFzaDAfMB0CAQQMFmRXTUtaRjMxVWFISHJ4azFYYUdJSHcEADAkDANhdWQwHTAbAgEEDBRERVZFVnVPa0RsWHZHT1FTUVF4cwQAMCIMFEFVVEhFTlRJQ0FUSU9OX0xFVkVMMAowCAIBBAwBMQQAMBsMCmF1dGhvcml6ZWQwDTALAgEEDARUUlVFBAAwOAwXQVpOX0NSRURfQVVUSE5NRUNIX0lORk8wHTAbAgEEDBRPQXV0aCBBdXRoZW50aWNhdGlvbgQAMCcMEkFaTl9DUkVEX0FVVEhaTl9JRDARMA8CAQQMCHBhdWx0ZXN0BAAwLwwYQVpOX0NSRURfQVVUSF9FUE9DSF9USU1FMBMwEQIBBAwKMTY2MDExNzIyNwQAMCYMFEFaTl9DUkVEX0FVVEhfTUVUSE9EMA4wDAIBBAwFb2F1dGgEADA4DBVBWk5fQ1JFRF9CUk9XU0VSX0lORk8wHzAdAgEEDBZweXRob24tcmVxdWVzdHMvMi4xMC4wBAAwLgwPQVpOX0NSRURfR1JPVVBTMBswGQIBBAwSYXBpLWF1dG9tYXRlZC10ZXN0BAAwVAwbQVpOX0NSRURfR1JPVVBfUkVHSVNUUllfSURTMDUwMwIBBAwsY249YXBpLWF1dG9tYXRlZC10ZXN0LG91PWdyb3VwcyxvPWFlZ29uLGM9bmwEADBFDBRBWk5fQ1JFRF9HUk9VUF9VVUlEUzAtMCsCAQQMJGI4YTM2NmRjLTRjY2QtMTFlYS05ZmQ2LTAwNTA1NmE0NzI2YgQAMCYMEkFaTl9DUkVEX0lQX0ZBTUlMWTAQMA4CAQQMB0FGX0lORVQEADApDBBBWk5fQ1JFRF9NRUNIX0lEMBUwEwIBBAwMSVZfTERBUF9WMy4wBAAwMwwcQVpOX0NSRURfTkVUV09SS19BRERSRVNTX0JJTjATMBECAQQMCjB4MGEyNjUzZmUEADA1DBxBWk5fQ1JFRF9ORVRXT1JLX0FERFJFU1NfU1RSMBUwEwIBBAwMMTAuMzguODMuMjU0BAAwLQwZQVpOX0NSRURfUFJJTkNJUEFMX0RPTUFJTjAQMA4CAQQMB0RlZmF1bHQEADAsDBdBWk5fQ1JFRF9QUklOQ0lQQUxfTkFNRTARMA8CAQQMCHBhdWx0ZXN0BAAwSAwXQVpOX0NSRURfUFJJTkNJUEFMX1VVSUQwLTArAgEEDCRhZDNlYmNlMC1kNTY0LTExZWEtYjU0ZS0wMDUwNTZhNDcyNmIEADAtDBFBWk5fQ1JFRF9RT1BfSU5GTzAYMBYCAQQMD1NTSzogVExTVjEyOiA5QwQAMEMMFEFaTl9DUkVEX1JFR0lTVFJZX0lEMCswKQIBBAwidWlkPXBhdWx0ZXN0LG91PWFkbWluLG89YWVnb24sYz1ubAQAMCcMEEFaTl9DUkVEX1ZFUlNJT04wEzARAgEEDAoweDAwMDAxMDAzBAAwGgwDZXhwMBMwEQIBBAwKMTY2MDExODM2NwQAMCgMB2V4cGlyZXMwHTAbAgEEDBQyMDIyLTA4LTEwVDA5OjU5OjI3WgQAMCUMBmdyb3VwczAbMBkCAQQMEmFwaS1hdXRvbWF0ZWQtdGVzdAQAMBoMA2lhdDATMBECAQQMCjE2NjAxMTcyMjcEADAoDANpc3MwITAfAgEEDBhodHRwczovL3d3dy5kZXYuYWVnb24ubmwEADATDAVsZXZlbDAKMAgCAQQMATAEADAtDBh0YWd2YWx1ZV9sb2dpbl91c2VyX25hbWUwETAPAgEEDAhwYXVsdGVzdAQAMDYMJHRhZ3ZhbHVlX21heF9jb25jdXJyZW50X3dlYl9zZXNzaW9uczAOMAwCAQQMBXVuc2V0BAAwRwwWdGFndmFsdWVfc2Vzc2lvbl9pbmRleDAtMCsCAQQMJGI0MGExZTljLTE4N2YtMTFlZC1hNWExLTAwNTA1NmE0NzI2YgQAMB0MCHVzZXJuYW1lMBEwDwIBBAwIcGF1bHRlc3QEAA==</wsse:BinarySecurityToken></wsse:Security></SOAP-ENV:Header>
    <SOAP-ENV:Body>
    <ns1:RequestSecurityTokenCollection xmlns:ns1="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
    <wst:RequestSecurityToken xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"><wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"><wsa:EndpointReference xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"><wsa:Address>http://customer/junction/jwt</wsa:Address><wsa:ServiceName>internal</wsa:ServiceName></wsa:EndpointReference></wsp:AppliesTo><wst:Issuer><wsa:Address xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">amwebrte-sts-client</wsa:Address></wst:Issuer><wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType><wst:Claims Dialect="urn:ibm:names:ITFIM"><itfim:FIMClaims xmlns:itfim="urn:ibm:names:ITFIM" NumberOfTokens="1"></itfim:FIMClaims></wst:Claims><TokenType xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512">urn:ietf:params:oauth:token-type:jwt</TokenType></wst:RequestSecurityToken></ns1:RequestSecurityTokenCollection>
    </SOAP-ENV:Body></SOAP-ENV:Envelope>, org.apache.cxf.async.post.response.dispatch=true, org.apache.cxf.message.Message.IN_INTERCEPTORS=[org.apache.cxf.transport.https.CertConstraintsInterceptor@1fcc6382], HTTP_CONTEXT_MATCH_STRATEGY=stem, http.service.redirection=null, org.apache.cxf.message.Message.BASE_PATH=/TrustServerWST13/services/RequestSecurityToken/services/RequestSecurityToken, javax.xml.ws.wsdl.port={http://docs.oasis-open.org/ws-sx/ws-trust/200512}RequestSecurityToken, org.apache.cxf.configuration.security.AuthorizationPolicy=org.apache.cxf.configuration.security.AuthorizationPolicy@43ccf74e, javax.xml.ws.wsdl.interface={http://docs.oasis-open.org/ws-sx/ws-trust/200512}SecurityTokenServiceWST13, javax.xml.ws.wsdl.description=/WEB-INF/wsdl/ws-trust-13.wsdl, org.apache.cxf.jaxws.context.WrappedMessageContext.SCOPES={com.tivoli.am.fim.trust.addressing.WSARequestConsumerHandler.Namespace=HANDLER}}

    I've checked my trace settings, this is the only trace setting defined in 'Runtime tracing':
    com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils=ALL

    The caller seems the be the easuser

    Does anyone know why this message is being logged in both logfiles?
    Is it possible to suppress this message, in either one or both?

    Thank you in advance for your feedbacks.

    Regards,
    Paul van den Brink

    ------------------------------
    Paul van den Brink
    ------------------------------


  • 2.  RE: ISVA Runtime trace.log and message.log

    Posted Thu August 11, 2022 01:47 AM

    I'm going to hazard a guess at this, but I may be off base, so take this answer as uncomitted :)

    This appears to be a "INFO" level message, which cannot be suppressed. In tracing and serviceability there are essentially 6 levels of output:


    FINEST
    FINER
    FINE
    INFO
    WARNING
    ERROR

    The first 3 are tracing levels, should only appear in trace.log, and you can usually see a 1, 2, or 3 following the classname in the trace output. 

    The latter three are "messages", and appear in both messages.log and trace.log, and have an I, W, or E indicator after the classname. The default trace string is "*=info", and I don't think it is possible to go coarser than this and suppress any INFO, WARNING or ERROR messages from appearing in the messages.log or trace.log output (if tracing is enabled). In this case it looks like "I" appears just after .apache.cxf.binding.soap.interceptor.SoapActionInInterceptor in the output, which makes me think it is INFO level messages output.

    You could try something like this as your tracing string and see if it helps:

    org.apache.cxf.binding.soap.interceptor.SoapActionInInterceptor=WARNING:tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils=ALL


    Like I said above - I don't know if this will work because I though INFO, WARNING and ERROR were always enabled for everything, but it won't hurt to try.

    Now I cannot tell you why that appears, but I strongly suspect its a developer coding error (likely in the underlying Apache library that ISVA developers cannot change) using INFO level messages when they should have been using one of the tracing levels. Again, I'm not certain - this is just a suspicion.

    I would suggest you open a case for it, and allow the support process to figure it out at the next level of detail.



    ------------------------------
    Shane Weeden
    IBM
    ------------------------------



  • 3.  RE: ISVA Runtime trace.log and message.log

    Posted Mon August 15, 2022 04:21 AM
    Hi Shane,

    You are my hero!

    I've added your suggestion to my trace settings:
    org.apache.cxf.binding.soap.interceptor.SoapActionInInterceptor=WARNING
    This cleaned-up the trace.log
    The message still appears in the message.log, which is kinda expected, I'll create a case with support for this.

    Thanks!

    Regards,
    Paul van den Brink

    ------------------------------
    Paul van den Brink
    ------------------------------