Opening binary file catalinaout matches
This chapter contains an alphabetical listing of the commands that are specific to Cisco Secure ACS 5. The following modes are available with these commands:. Use the EXEC mode system-level configure command to access configuration mode. Each of the commands in this chapter is opening binary file catalinaout matches by a brief description of its use, command syntax, usage guidelines, and one or more examples.
Note If an error occurs in any command usage, use the debug command to determine the cause of the error. This section describes disk space management for the purpose of managing logs that you can view or download from the ACS CLI and includes:.
Table describes the disk space allocated for each set of log files. Log files in ACS are managed using various utilities, such as logrotate, log4j, and log4cxx. The log files are numbered and rolled over based on a configured maximum file size. Once a log opening binary file catalinaout matches touches the configured limit, the data is rolled over to another file.
This file is renamed in the XXX. For instance, the default maximum file size for log files that logrotate manages is 5 MB. When a log file for example, acsupgrade. With every 5-MB increase in file size, the latest file is renamed as acsupgrade. Logrotate stores up to 10 log files at a given time.
The latest log information, however, is always stored in acsupgrade. In ACS, logrotate runs as an hourly kron job and verifies the disk space allocated for the log files. Table Log File Rotation. For detailed information on logging in ACS 5. Each EXEC command includes a brief description of its use, command syntax, usage guidelines, and sample output.
Table lists the EXEC commands that this section describes. Defines the local debug logging level for the ACS components. Exports configuration data from an ACS local store to a remote repository. Restores the file contents of a specific repository from the backup. Shows the debug log level status for subsystems enabled or disabled. Displays information about the software version of the system.
Starts or stops the adclient process of an ACS server. Starts or stops the database process of an ACS server. Starts or stops the management process of an ACS server. Starts or stops the runtime process of an ACS server.
Starts or stops the view-logprocessor process of an ACS server. Starts or stops the view-alertmanager process of an ACS server. Starts or stops the view-collector process of an ACS server. Starts or stops the view-database process of an ACS server. Starts or stops the view-jobmanager process of an ACS server. The ACS processes may fail to start or stop in the following opening binary file catalinaout matches.
Where proc-name refers to opening binary file catalinaout matches specific view process that you attempted to start. Where proc-name refers to opening binary file catalinaout matches specific view process that you attempted to stop.
Name of the backup file. This can be a maximum of alphanumeric characters. Location where files should be backed up to. This can be a maximum of 30 alphanumeric characters. Performs a backup of ACS data and places the backup in a repository. Note Before you use this command, you may want to create an NFS staging area as a temporary location to perform your backup packaging, because backing up opening binary file catalinaout matches requires a lot of disk space.
For more information, see backup-staging-url. When you are using the acs backup command, the backup files include:. ACS again prompts for a confirmation of the encryption password. You can use the show backup history command to display the backup operations and determine whether they succeeded. If the backup fails, you may be able to use the show logging command or the show acs-logs command if you are backing up ACS logs to view troubleshooting information.
Failures in the ACS aspect of the backup are clearly described on the terminal. If you use this command on a secondary ACS, no backup occurs. After you use this command, a time stamp is opening binary file catalinaout matches to the end of the backup-name filename, to enable periodic backups. For more information, see acs restore. Configures a Network File System NFS location that backup and restore operations will use as a staging area to package and unpackage backup files. Schedules one or more Command Scheduler commands to run at a specific date and time or a recurring level.
Enters the repository submode for configuration of backups. Shows the debug log-level status for subsystems enabled or disabled. Displays the available backup files located on a specific repository. You must have privileges to enter ACS configuration mode, and you must supply the username and the password that you use to log in to the ACS web interface. The default username and password to access the ACS web interface are acsadmin and defaultand the first time you log in to the web interface, you will be prompted to change the default password.
It is recommended that opening binary file catalinaout matches do so for security reasons. You can change your password opening binary file catalinaout matches the first time only by logging into the web interface.
You will also be prompted to install the license. Note You cannot delete the default acsadmin user. You can, however, create other users with admin privileges from the web interface. After resetting your password and installing a valid license, use the default username acsadmin and changed password, or the username and password for a newly created admin user, to access the ACS CLI in the ACS Configuration mode. Up to six users can access the ACS Configuration mode at a time; six users equal six sessions.
When one of the six sessions ends, you must wait up to five minutes for the session to be available to another user. After you provide valid login credentials, ACS prompts you to change your password for any of the following reasons:. When ACS prompts you to opening binary file catalinaout matches your password, enter your old password, then a new password conforming to the password policyand confirm your new password repeat the new password that you specified.
If you fail to change your password when you are requested to, you cannot log in to ACS Opening binary file catalinaout matches mode. If the new password does not conform with the password policy, ACS displays the password policy details as shown in the previous example. Optional Specify one opening binary file catalinaout matches the interfaces, to enable or disable that specific interface alone.
Cisco recommends that you disable these interfaces. Indicates whether the ACS configuration web interface is enabled or disabled. Name of the run-time core file or JVM opening binary file catalinaout matches log.
You can use up to alphanumeric characters to specify the filename. To view the list of available run-time core files and JVM core logs, use show acs-cores command. To view the list of available run-time core files and JVM core logs, use the show acs-cores command. To delete the latest run-time core file or JVM core log, use the acs delete core command. Name of the patch, which always has the. Location where files should installed from or removed to. If you use the acs reset-config command to reset your ACS to the factory default configuration, any configurations you have performed are lost; however, the appliance settings such as network settings and backup repositories are not affected.
ACS does not need to be running when you use this command. Resets an application configuration to factory defaults. To reset any administrator account password to its default setting, use the acs reset-password command in EXEC mode. Username of the administrator account whose password needs to be reset. This command resets the specified ACS administrator password to its default setting default and enables the account if it is a recovery account.
If the administrator account is not a recovery account, then you need to enable the account manually. Resetting this password does not affect other ACS administrators. You cannot use this command on a secondary ACS node. After you use this command, you must access your primary ACS node via the web interface and change the password. If you use the default password for the web interface default to access the ACS Configuration mode which requires you to provide the web interface username and passwordthe login fails and the system prompts you to change the default password.
Opening binary file catalinaout matches of backup file. A time stamp in the format - yymmdd-hhMM. For example, if you type dailyBackup as the filename, the resulting file may be named dailyBackup Location opening binary file catalinaout matches files should be restored from. The restoration is performed from a temporary directory the repository. If you are restoring an primary ACS node configuration to a secondary, you must configure the secondary to local mode before you use this command deregister from the primary node.
For information about Identity Server logging, see Section You can use the following tools Linux and open source to troubleshoot network problems:. Displays information related to open ports on your server.
Allows you to change the default ports and to the standard ports 80 and for HTTP traffic. Netcat is useful for checking connectivity with the user store. A command line tool for monitoring network traffic. Captures and displays packet headers and matches them against a set of criteria.
Lets you export configuration information to a file, and to confirm that Access Manager objects and attribute values are valid in an AccessManagerContainer. A number of open source versions are available from the Internet. The Identity Server is the identity provider for other Access Manager components. Access Gateways has Embedded Service Providers. When a device is imported into the Administration Console and an Identity Server configuration is selected for them, a trusted relationship is established with the Identity Server by using test certificates.
Metadata is used for establishing trusted relationships. The metadata exchanged between service providers and identity providers contains public key certificates, key descriptors for message signing, a URL for the SSO service, a URL for the SLO single logout service, and so on. If users are receiving either of these errors when they attempt to log in, verify the following:. Certificates in the Required Trust Stores. If you change the base URL of the Identity Provider, all service providers, including Embedded Service Providers, need to be updated so that they use the new metadata:.
Embedded Service Provider Metadata. The following steps explain how to force the Access Gateway to re-import the metadata of the Identity Server.
For more information, see Section 3. When the service provider tries to access the metadata on the identity provider, it sends the request to the hostname defined in the base URL configuration of the Identity Server.
Scan through the document and notice the multiple references to https: You should see lines similar to the following:. To test that it is resolvable, send a ping command with the hostname of the Identity Server. For example, from the Access Gateway:. The same is true for the Identity Server. It must be able to resolve the hostname of the Access Gateway. To view the metadata, enter the displayed URL.
Scan through the document and notice the multiple references to the hostname of the Access Gateway. You should see lines similar to the following. In these lines, the hostname is ag1. To test that the Identity Server can resolve the hostname of the Access Gateway, send a ping command with the hostname of the Access Gateway. For example, from the Identity Server:. Not only must the certificate be assigned to the appropriate device, but the subject name of the device certificate must match the hostname of the device it is assigned to.
If the names do not match, you need to either create a certificate that matches or import one that matches. For information about how to create a certificate for the Identity Server, see Section Read the alias name of the server certificate, then click the Server Certificate icon. Verify that the Subject name of the server certificate matches the published DNS name of the proxy service of the Access Gateway. To view sample log entries that are logged to the catalina. Ensure that the issuers of the Identity Server and Embedded Service Provider certificates are added to the appropriate trusted root containers.
When the server certificates are sent from the identity provider to the service provider client, and from the service provider to the identity provider client, the client needs to be able to validate the certificates. Part of the validation process is to confirm that the server certificate has been signed by a trusted source.
By default, well known external trusted certificates are bundled with Access Manager. You can view this list here: If the issuer of server certificate is not present in the External Trusted Root list, the import the issuers of the server certificate intermediate and trusted roots into the correct trusted root stores:. For more information, see Section If you are using external certificates, the trusted root certificate might not be the same, and there might be intermediate certificates that need to be imported.
Determine the issuer of the Identity Server certificate and the Embedded Service Provider certificate:. Click the name of the Identity Server certificate, note the name of the Issuer, then click Close. Conditional If you do not know the names of these certificates, see Certificate Names. In the Trusted Roots section, scan for a certificate subject that matches the issuer of the Embedded Service Provider certificate, then click its name. If the Issuer has the same name as the Subject name, then this certificate is the root certificate.
If the Issuer has a different name than the Subject name, the certificate is an intermediate certificate in the chain. Click Closeand ensure that another certificate in the trust store is the root certificate. In the Trusted Roots section, scan for a certificate subject that matches the issuer of the Identity Server certificate, then click its name. Optional If you have clustered your Identity Servers and Access Gateways and you are concerned that not all members of the cluster are using the correct trusted root certificates, you can re-push the certificates to the cluster members.
Check the command status of each device to ensure that the certificate was pushed to the device. You can enable Identity Server logging to dump more verbose Liberty information to the catalina.
After enabling and applying the changes, duplicate the issue once more to add specific details to the log file for the issue. If the error is the error, look at the log file on the Embedded Service Provider for the error code. If the error is the error, look at the log file on the Identity Server for the error code. On Linux, look at the catalina. Conditional To view the log files on the device, change to the log directory.
Below are a few typical entries illustrating the most common problems. They are from the catalina. In the following entries, the Embedded Service Provider cannot resolve the idpcluster. When the trusted roots are not imported into the appropriate trusted root containers, a certificate exception is thrown and an untrusted certificate message is logged.
When the certificate has an invalid subject name, the handshake fails. In the log entries below, the Embedded Service Provider is requesting metadata from the Identity Server. The server certificate name does not match, so the Embedded Service Provider is unable to authenticate and get the metadata necessary to establish the trusted relationship.
To test whether the metadata is available for download, enter the metadata URL of the identity provider and service provider. If the DNS name of the identity provider is idpcluster. Because the Access Gateway Appliance does not have a graphical interface, you need to use the curl command to test whether the Access Gateway Appliance can access the metadata of the Identity Server.
If the published DNS name of service provider is www. Delete the auto-generated certificate and manually re-create the server certificate, making sure that it is added to the relevant devices and stores. Authentication Classes and Duplicate Common Names. General Authentication Troubleshooting Tips. Mutual Authentication Troubleshooting Tips.
Browser Hangs in an Authentication Redirect. If users have the same common name and exist in different containers under the same authentication search base, one or more attributes in addition to the common name must be configured for authentication to uniquely identify the user. You can set up an authentication class to handle duplicate common names. The JSP property value needs to be the name of a new. The value of this attribute does not include the. For example, if you create a new.
For more information about creating custom login pages that prompt for more than username and password, see Customizing the Identity Server Login Page. In the user store logs, confirm that the request arrived. Check for internal errors. If you have created an admin user for the user store, ensure that the user has sufficient rights to find the users in the specified the search contexts. Check the user store health and replica layout.
Check the properties of the class and method. Ensure that the authentication contract matches the base URL scheme. For example, check to see if SSL is used across all components. If authentication is taking up to a minute per user, verify that your DNS server has been enabled for reverse lookups.
If your DNS server is not enabled for reverse lookups, it takes 10 seconds for this request to fail before the Identity Server can continue with the authentication request. For more information about the ports that must be open when a firewall separates the user store from other Access Manager components, see Setting Up Firewalls in the NetIQ Access Manager 4.
If your LDAP user store is large, ensure that the search contexts are as specific as possible to avoid searching the entire tree for a user. Most errors that occur during federation occur because of time synchronization problems between servers. Ensure that all of your servers involved with federation have their time synchronized within one minute. When the user denies consent to federate after clicking a Liberty link and logging in at the identity provider, the system displays an error page.