IBM Support

MustGather: Collecting data for ISAM Client problems on IBM DataPower Gateway Appliance

Question & Answer


Question

What diagnostic information should be collected for ISAM (IBM Security Access Manager) client problems on IBM DataPower Gateway Appliance?

Answer

The following information describes the documentation needed by IBM support to investigate this problem scenario.

1. ISAM version on the ISAM server

2. GSKit version of the Policy Server

3. ISAM configuration file
WebGUI -> Access Manager Client -> 'Main' tab

4. ISAM SSL Key file (.kdb) and Key Stash file (.sth)
WebGUI -> Access Manager Client -> 'Main' tab


5. Start ISAM and LDAP logs on DataPower:
WebGUI -> Access Manager Client -> 'Trace Logging' tab

  • Enable Access Manager Tracing: ON
    Trace File: <isam.client.log>
    Trace File Entries: 100000
    Trace Format: Text
    Trace Component: *:*.9

  • Enable Tracing for LDAP: ON
    Trace File for LDAP: <isam.ldap.log>
    Trace File Size for LDAP: 100000
    Trace Level for LDAP: 65535

* The files are written to temporary:///<ISAM-client-name>/


6. Create debug log target
Application Domain -> Log Target -> Add

  • Name: isam-client-pmr
    Target Type: File
    Log Format: Text
    Timestamp: zulu
    Log Size: 30000
    File Name: logtemp:///ISAM.debug.log
    Rotations: 3
    Event Subscription Tab -> Add -> Event Category: all
    Min Event Priority: debug
    Apply

7. Set log level to debug

Application domain -> Control Panel -> Troubleshooting -> Log Level = Debug -> Set Log Level


8. Start packet capture, filtered on the ISAM server and LDAP server ports
(from default domain only)
Control Panel -> Troubleshooting -> Packet Capture Section

  • Interface Type: All Interfaces
    Mode: Continuous
    Maximum size: 20000
    Maximum Packet Size: 9000
    Filter Expression: port xxx or port yyy (where xxx is the port number of the ISAM server and yyy is the port number of the LDAP server)
    Log SSL Key: ON
    Click 'Start Packet Capture'
 

9. Recreate the issue.  If the ISAM client will not come up, simply disable and enable the ISAM client to recreate the error.

10. Generate the error-report

Troubleshooting -> Reporting section -> click 'Generate Error Report'

11. Download the error-report, packet capture, sslkeyfile, ISAM, LDAP and debug logs
- temporary:///error-report
- temporary:///capture.pcap
- logtemp:///sslkeyfile.log
- temporary:///<ISAM-client-name>/
- logtemp:///ISAM.debug.log
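
A pre-upload check for the files listed in step 11, added here as an example and not part of the IBM document: it confirms that each artifact is present and non-empty in a local download directory, checks that the capture starts with a pcap or pcapng header, and records SHA-256 digests. The local directory layout, the function names and the sample file contents are assumptions.

```python
import hashlib
import sys
from pathlib import Path

# Magic numbers: pcap (micro/nanosecond, both byte orders) and pcapng.
PCAP_MAGICS = {b"\xd4\xc3\xb2\xa1", b"\xa1\xb2\xc3\xd4",
               b"\x4d\x3c\xb2\xa1", b"\xa1\xb2\x3c\x4d", b"\x0a\x0d\x0d\x0a"}

def check_bundle(root, isam_client_name):
    """Return (problems, manifest) for a local copy of the step 11 files."""
    root = Path(root)
    # Patterns rather than exact names: log targets rotate and the error
    # report may carry a suffix. The local layout is an assumption.
    wanted = {
        "error-report": "error-report*",
        "packet capture": "capture.pcap*",
        "SSL key log": "sslkeyfile.log*",
        "ISAM and LDAP traces": f"{isam_client_name}/*",
        "debug log": "ISAM.debug.log*",
    }
    problems, manifest = [], {}
    for label, pattern in wanted.items():
        files = sorted(p for p in root.glob(pattern) if p.is_file())
        if not files:
            problems.append(f"missing: {label} ({pattern})")
        for path in files:
            name, data = path.relative_to(root).as_posix(), path.read_bytes()
            if not data:
                problems.append(f"empty: {name}")
            elif label == "packet capture" and data[:4] not in PCAP_MAGICS:
                problems.append(f"not a pcap file: {name}")
            manifest[name] = hashlib.sha256(data).hexdigest()
    return problems, manifest

def make_sample_bundle(root, isam_client_name):
    """Constructed sample data: every artifact except sslkeyfile.log."""
    root = Path(root)
    (root / isam_client_name).mkdir(parents=True)
    (root / "error-report.txt.gz").write_bytes(b"constructed")
    (root / "capture.pcap").write_bytes(b"\xd4\xc3\xb2\xa1" + bytes(20))
    (root / isam_client_name / "isam.client.log").write_text("constructed\n")
    (root / isam_client_name / "isam.ldap.log").write_text("constructed\n")
    (root / "ISAM.debug.log").write_text("constructed\n")

if __name__ == "__main__":
    issues, sums = check_bundle(sys.argv[1], sys.argv[2])
    for name, digest in sums.items():
        print(f"{digest}  {name}")
    sys.exit("\n".join(issues) if issues else 0)
```

Run it as a script with the download directory and the ISAM client name as arguments; it exits non-zero and lists what is missing if the bundle is incomplete.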


Document Information

Modified date:
18 July 2022

UID

swg21410245