How To
ForgeRock Identity Platform
Does not apply to Identity Cloud

How do I enable message level debugging for install and upgrade issues with AM (All versions)?

Last updated Apr 13, 2021

This article explains how to enable message level debug logging in the web application container. This is useful if you are experiencing install or upgrade issues with AM, because you cannot enable message level debugging in AM itself until it is installed. Web application container debugging is also useful for startup issues and access failure issues (permissions).



Enabling Message level debugging in the web application container

You can enable Message level debugging in the web application container if you are experiencing issues during the install or upgrade process by setting the following JVM properties:

-Dcom.iplanet.services.debug.level=message -Dcom.iplanet.services.debug.directory=WRITABLE_DIRECTORY

where WRITABLE_DIRECTORY should be replaced with the path to an existing directory such as /tmp/openam.

Note

You must remove these JVM parameters and the WRITABLE_DIRECTORY once you have successfully configured AM and then restart the web application container. If you do not do this, your AM debug logs will be diverted to the WRITABLE_DIRECTORY instead of the standard debug directory.

Example using Apache Tomcat™ web container

You would enable Message level debugging by specifying CATALINA_OPTS settings in the setenv.sh file (typically located in the /tomcat/bin/ directory). If this file doesn't exist, you should create it in the same directory as the catalina.sh file (also typically located in the /tomcat/bin/ directory).

To enable Message level debugging, with output to the /tmp/openam directory:

  1. Add the following line to the setenv.sh file:

     export CATALINA_OPTS="-Dcom.iplanet.services.debug.level=message -Dcom.iplanet.services.debug.directory=/tmp/openam"

  2. Restart the web container.

Once you have successfully configured AM, reverse these changes as follows:

  1. Remove the following line from the setenv.sh file:

     export CATALINA_OPTS="-Dcom.iplanet.services.debug.level=message -Dcom.iplanet.services.debug.directory=/tmp/openam"

  2. Delete the /tmp/openam log directory.
  3. Restart the web container.

Enabling debugging for access failures in the web application container

You can enable debugging in the web application container if you are experiencing issues with access (permissions) by adding the following JVM property:

-Djava.security.debug=access,failure

For the Tomcat web container, you would add this in the same way as detailed above, that is, add the following line to the setenv.sh file and restart the web container:

export CATALINA_OPTS="-Djava.security.debug=access,failure"

The output from this debugging is shown in the console and will give a failure rule that needs adding to the Java® Permissions list. Add the identified permission and repeat; keep adding permissions and repeating until you have resolved all the access failures.
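
One way to collect the denied permissions from saved console output in a single pass, so each can be reviewed before it is granted. This is an added example, not ForgeRock's own code: it assumes the "access denied (...)" line format printed by Java 7 and later and Unix-style paths, and the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): list the permissions that
# -Djava.security.debug=access,failure reported as denied, as candidate
# policy entries to review before granting.

# Constructed sample of console output; real output will differ in detail.
sample_console_output() {
    cat <<'EOF'
access: access allowed ("java.util.PropertyPermission" "user.dir" "read")
access: access denied ("java.io.FilePermission" "/tmp/openam/debug" "read,write")
java.lang.Exception: Stack trace
access: access denied ("java.lang.RuntimePermission" "getClassLoader")
access: access denied ("java.io.FilePermission" "/tmp/openam/debug" "read,write")
EOF
}

# Reads console output on stdin and prints one policy-file "permission" line
# per distinct denial. Assumes the ("class" "name" "actions") form and that
# names contain no '|' or '"' characters.
denied_permissions() {
    sed -n -E 's/^.*access denied \("([^"]+)"( "([^"]*)")?( "([^"]*)")?\).*$/\1|\3|\5/p' |
    LC_ALL=C sort -u |
    while IFS='|' read -r class name actions; do
        if [ -n "$actions" ]; then
            printf 'permission %s "%s", "%s";\n' "$class" "$name" "$actions"
        elif [ -n "$name" ]; then
            printf 'permission %s "%s";\n' "$class" "$name"
        else
            printf 'permission %s;\n' "$class"
        fi
    done
}

# Demo on the constructed sample; for real use, pipe in the saved console log.
sample_console_output | denied_permissions
```

Grant only the entries that the application genuinely needs, scoped to the narrowest path and action set that resolves the failure.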

See Also

How do I collect all the data required for troubleshooting AM and Agents (All versions)?

How do I collect JVM data for troubleshooting AM (All versions)?

The java.security.debug System Property



Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.