Chapter 6. Auditing and troubleshooting 231
The pdweb.snoop component traces HTTP traffic. This component logs the
HTTP headers and the message body for requests and responses. The
pdweb.snoop component has the following subcomponents:
pdweb.snoop.client
    The trace subcomponent to trace data that is sent between WebSEAL and clients.
pdweb.snoop.jct
    The trace subcomponent to trace data that is sent between WebSEAL and junctions.
If you want to trace only the message headers, use the pdweb.debug
The following command invokes the trace utility for the pdweb.snoop component
at level 9 and directs the output to a file:
pdadmin> server task webseald-instance trace set pdweb.snoop 9 \
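Because pdweb.snoop records both headers and message bodies, a trace file can hold credentials and session cookies. The following Python filter is an added example, not part of the study guide or of Tivoli Access Manager: it masks those values in HTTP message text before a trace is shared. It assumes each message has already been extracted as plain text (this is not the raw trace file layout), and the header and field lists and the sample request are constructed.

```python
import re

# Headers whose values are credentials or session identifiers.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie"}
# Form field names treated as secrets (assumed list; extend per application).
SENSITIVE_FIELDS = {"password", "passwd", "pwd", "new-password"}

HEADER_RE = re.compile(r"^([A-Za-z0-9-]+):[ \t]*(.*)$")
FIELD_RE = re.compile(r"(?P<name>[^&=\s]+)=(?P<value>[^&\s]*)")


def redact_header(line):
    """Mask the value of a sensitive header; return other lines unchanged."""
    m = HEADER_RE.match(line)
    if not m or m.group(1).lower() not in SENSITIVE_HEADERS:
        return line
    name, value = m.groups()
    if name.lower().endswith("authorization"):
        scheme = value.split(" ", 1)[0]  # keep the scheme for diagnosis
        return f"{name}: {scheme} [REDACTED]"
    # Cookie: mask every value. Set-Cookie: mask only the cookie itself,
    # keeping attributes such as Path and Secure readable.
    parts = value.split(";")
    limit = 1 if name.lower() == "set-cookie" else len(parts)
    for i in range(limit):
        key, sep, _ = parts[i].partition("=")
        if sep:
            parts[i] = key + "=[REDACTED]"
    return f"{name}: " + ";".join(parts)


def redact_field(m):
    """Mask a form field value when the field name is in SENSITIVE_FIELDS."""
    if m.group("name").lower() in SENSITIVE_FIELDS:
        return m.group("name") + "=[REDACTED]"
    return m.group(0)


def redact_message(text):
    """Redact one HTTP message: headers first, then a form-encoded body."""
    text = text.replace("\r\n", "\n")  # normalize HTTP line endings
    head, sep, body = text.partition("\n\n")
    head = "\n".join(redact_header(line) for line in head.split("\n"))
    return head + sep + FIELD_RE.sub(redact_field, body)


# Constructed sample request, not captured from a real system.
SAMPLE_REQUEST = (
    "POST /pkmslogin.form HTTP/1.1\r\nHost: www.example.com\r\n"
    "Authorization: Basic YWxpY2U6czNjcmV0\r\n"
    "Cookie: PD-S-SESSION-ID=2_abc123; lang=en\r\n\r\n"
    "username=alice&password=s3cret&login-form-type=pwd")
```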
6.3.6 Diagnostic utilities
Many of the commands, tools, scripts, and daemons associated with Tivoli
Access Manager are installed under the installation directory in the /bin and /sbin
subdirectories. The one exception is the Tivoli XML Log Viewer. This viewer is
installed separately and, by default, resides in its own directory.
Tivoli XML Log Viewer
The C-based components of Tivoli Access Manager support the generation of
message and trace information in a common XML format. This format is known
as the Tivoli XML log format and is used by a number of Tivoli applications.
A Java-based log viewer application is provided that allows these messages and
traces to be filtered in a number of ways, including by time window, severity,
thread ID, and component. Information that is produced by different products can
be analyzed and converted into ASCII or HTML that use the Tivoli XML Log
This log viewer is not installed as part of any Tivoli Access Manager installation.
You must explicitly install the Tivoli XML Log Viewer. Because the InstallShield
MultiPlatform installation program and the Tivoli XML Log Viewer are both Java
applications, a JRE must be installed prior to installing and using the viewer. The
same JRE that is used by Tivoli Access Manager can be used for the Tivoli XML
Log Viewer. If a different JRE is used, that JRE must be at version 1.2.2 or later.
Note: Java-language-based Tivoli Access Manager components and
applications cannot produce messages or traces in the Tivoli XML log format.
232 Certification Study Guide: IBM Tivoli Access Manager for e-business 6.0
The XMLFILE, XMLSTDERR, and XMLSTDOUT formats in the routing file are
used to produce XML message logs and XML trace logs.
Using Tivoli XML Log Viewer
To run the Tivoli XML Log Viewer, use the viewer script and specify the name of
one or more XML files. Output is directed to STDOUT in either HTML or text
format. The output can be redirected to a file for viewing with a Web browser or
For example, to create an HTML file containing all of the messages from the
policy and authorization servers sorted into chronological sequence, enter the
viewer msg__pdmgrd.xml msg__pdacld.xml > msg_19Oct2003_report.html
To display the messages from the Policy Server in text format, do the following:
viewer -s text msg__pdmgrd.xm
Gathering version information
This section describes tools used to determine the version of the various
components and products that can be installed in a Tivoli Access Manager
Tivoli Access Manager
The pdversion command displays a list of Tivoli Access Manager components
and indicates the version number for any component that is installed on the
IBM Global Security Kit
Secure Sockets Layer (SSL) communication in Tivoli Access Manager is
provided by the Global Security Kit (GSKit). Each version of Tivoli Access
Manager potentially provides a different level of GSKit. In addition, updates to
GSKit might be applied as a result of applying fix packs or other service. To
determine the version of GSKit that is installed, use the gsk7ver command.
The Tivoli Directory Server client is used by Tivoli Access Manager to
communicate with any LDAP user registry, not just with Tivoli Directory Server.
The client is not needed if Microsoft Active Directory or Lotus Domino server is
being used as the Tivoli Access Manager user registry. The Tivoli Directory