<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xml:base="http://www.novell.com/communities" xmlns:dc="http://purl.org/dc/elements/1.1/">
<channel>
 <title>Identity &amp; Security Management Cool Solutions</title>
 <link>http://www.novell.com/communities/coolsolutions/ism</link>
 <description>Area where Identity &amp; Security Management users gather.</description>
 <language>en</language>
<item>
 <title>IT TechTalk at BrainShare 2010</title>
 <link>http://www.novell.com/communities/node/9326/it-techtalk-brainshare-2010</link>
 <description> &lt;p&gt;One of the most popular and attended events at BrainShare is back! IT Tech Talk (formerly known as &quot;Meet the Experts&quot;) will take place Wednesday night from 6:30 - 9:30 p.m. As always, you&#039;ll be able to mingle with our product engineers, giving you an opportunity to discuss current and future product features and technologies. Heavy hors d&#039;oeuvres and an open bar will be available.&lt;/p&gt;
 </description>
 <comments>http://www.novell.com/communities/node/9326/it-techtalk-brainshare-2010#comments</comments>
 <category domain="http://www.novell.com/communities/topic/brainshare-2010">BrainShare 2010</category>
 <group domain="http://www.novell.com/communities/coolsolutions/zenworks" xmlns="http://drupal.org/project/og">ZENworks Cool Solutions</group>
 <group domain="http://www.novell.com/communities/coolsolutions/workgroup" xmlns="http://drupal.org/project/og">Workgroup Cool Solutions</group>
 <group domain="http://www.novell.com/communities/coolsolutions/ntc" xmlns="http://drupal.org/project/og">Teaming &amp; Conferencing Cool Solutions</group>
 <group domain="http://www.novell.com/communities/coolsolutions/slemag" xmlns="http://drupal.org/project/og">SUSE Linux Enterprise Cool Solutions</group>
 <group domain="http://www.novell.com/communities/coolsolutions/ism" xmlns="http://drupal.org/project/og">Identity &amp; Security Management Cool Solutions</group>
 <group domain="http://www.novell.com/communities/coolsolutions/gwmag" xmlns="http://drupal.org/project/og">GroupWise Cool Solutions</group>
 <group domain="http://www.novell.com/communities/coolsolutions" xmlns="http://drupal.org/project/og">Cool Solutions</group>
 <pubDate>Mon, 23 Nov 2009 13:29:13 -0700</pubDate>
 <dc:creator>mattclayton</dc:creator>
 <guid isPermaLink="false">9326 at http://www.novell.com/communities</guid>
</item>
<item>
 <title>How to Configure Access Gateway Embedded Service Provider to Reduce Access Gateway Load and Improve Performance</title>
 <link>http://www.novell.com/communities/node/9321/how-configure-access-gateway-embedded-service-provider-reduce-access-gateway-load-and-impr</link>
 <description> &lt;h3&gt;Introduction:&lt;/h3&gt;
&lt;p&gt;The goal of this document is to explain how to improve Linux Access Gateway server performance and stability by including all attributes referenced by protected resource policies in a SAML assertion sent at authentication time.&lt;/p&gt;
&lt;p&gt;In large production environments, it is commonplace to overload the Access Gateway to the point where utilization and server performance are negatively impacted. This document describes how attribute maps and SAML assertions can be used to significantly reduce traffic between Novell Access Manager Identity Servers and Access Gateways. &lt;/p&gt;
&lt;p&gt;By understanding and taking advantage of some enhancements to Access Manager beginning with the release of 3.1 Support Pack 1 Interim Release 2, a lot of unnecessary work can be offloaded from the Access Gateway, improving performance, stability and the user experience.&lt;/p&gt;
&lt;h3&gt;Background information:&lt;/h3&gt;
&lt;p&gt;The Access Gateway (AG) is responsible for:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Protecting web applications/services based on their distinct URLs&lt;/li&gt;
&lt;li&gt;Providing required attributes to allow single sign on to back end applications/services. &lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Protection of such services often requires authentication. Because authentication is done at the Identity Server (IDS), the Access Gateway must be able to communicate with this IDS server to receive the authentication details. Such authentication details are sent via a SAML assertion.&lt;/p&gt;
&lt;p&gt;The protection of services also requires authorization or single sign on decisions.  Attributes required in the decision making process must be retrieved from the IDS, over what is called the SOAP back channel.&lt;/p&gt;
&lt;p&gt;One can already design a solution leveraging roles (&lt;a href=&quot;http://www.novell.com/documentation/novellaccessmanager31/policies/data/b995x1b.html&quot;&gt;http://www.novell.com/documentation/novellaccessmanager31/policies/data/b995x1b.html&lt;/a&gt;) but there are many setups that require additional LDAP attributes.&lt;/p&gt;
&lt;h3&gt;Communication flow:&lt;/h3&gt;
&lt;p&gt;Although the AG host may have multiple proxy services defined, only ONE of those services hosts the Embedded Service Provider (ESP, also known as the federation service) used to talk to the IDS via the SOAP back channel. Typically, the first reverse proxy/proxy service is used to host the federation service (via a reserved path of /nesp) although this is configurable. Any time the IDS needs to be invoked for authentication or policy evaluation, the user session details are always sent to the federation service (ESP) on the AG first before being redirected to the IDS. This AG federation service knows how to generate the required federation messages to send to the IDS.&lt;/p&gt;
&lt;p&gt;When the AG proxy needs to execute a locally enabled policy (Identity Injection, Form Fill, or Authorization), the following steps are executed:&lt;/p&gt;
&lt;ol class=&quot;spread&quot;&gt;
&lt;li&gt;The AG proxy sends a SOAP request to its local ESP to evaluate the policy.&lt;/li&gt;
&lt;li&gt;If the ESP has all required identity information already cached, then the policy is evaluated locally and the response is returned to the proxy.
&lt;p&gt;If the ESP does not have the information cached, it will query the authoritative ESP (the AG ESP that was originally involved in authenticating the user and so establishing the user session). If this is NOT a clustered environment, then this step is omitted. This query of the authoritative ESP involves:&lt;/p&gt;
&lt;ol type=&quot;a&quot; class=&quot;spread&quot;&gt;
&lt;li&gt; Identifying which ESP in the cluster holds the user session details&lt;/li&gt;
&lt;li&gt; Proxying the SOAP request to the authoritative ESP to try to evaluate the information required to satisfy the policy&lt;/li&gt;
&lt;/ol&gt;
&lt;/li&gt;
&lt;li&gt;If the authoritative ESP has the required identity information, then it is returned to allow the policy to be evaluated. If not, then the initial ESP will query an IDS.&lt;/li&gt;
&lt;li&gt;If the IDS has the user information already cached, then it is returned. If not, and the IDS is not authoritative for this user session, then the same process used by the ESP is used to locate the IDS holding the user session, and the SOAP request is then sent to that authoritative IDS.
&lt;p&gt;As with the ESP communication above, this latter step is omitted if not in a clustered environment.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;If the authoritative IDS does not have the identity information already cached, then it will make an LDAP call to retrieve the required information from the user store and return it.
&lt;p&gt;As can be seen, the overhead (especially in clustered environments) of constantly communicating over the SOAP back channel during authentication and policy evaluation can have a major impact on performance. &lt;/p&gt;
&lt;p&gt;Typical issues seen in clustered environments include very high ESP CPU utilization, Tomcat running out of threads, LDAP server overload, and data read timeouts while proxying requests to the authoritative ESP/IDS servers.&lt;/p&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;h3&gt;Performance improvement options:&lt;/h3&gt;
&lt;p&gt;In order to mitigate such overhead, administrators should consider the benefits of identifying the attributes required by all ESP policies and including them in SAML assertions sent between the IDS and ESP at authentication time. The assertion includes authentication statements (about the subject that it is authenticating) as well as attribute statements (attributes about the user). The attributes from this attribute statement will be cached at the ESP and used locally when evaluating policies. The end result is an elimination of the requests to the IDS to retrieve user attributes required to satisfy the policy. &lt;/p&gt;
&lt;p&gt;The following guidelines, when configured correctly, will result in a huge reduction in traffic over the SOAP back channel. This resulting traffic reduction will generate a corresponding performance increase on the AG servers.&lt;/p&gt;
&lt;ol class=&quot;spread&quot;&gt;
&lt;li&gt;Identify all attributes required on all policies enabled for each protected resource.
&lt;p&gt;Identify all policies that are enabled on each defined protected resource. Go through each of these policies and note the attributes that are required by this policy. In the following example, a single policy is enabled on one protected resource. Although this may not be realistic, this exercise will show how to verify that the policy requires the following attributes: all user roles, LDAP cn, LDAP roomNumber, LDAP mail and LDAP title attributes.&lt;/p&gt;
&lt;div class=&quot;clear-block&quot;&gt;
&lt;div class=&quot;thumbnail&quot;&gt;
&lt;a href=&quot;http://www.novell.com/communities/files/u1628/9321-1.jpg&quot;&gt;&lt;img src=&quot;http://www.novell.com/communities/files/u1628/9321-1_0.jpg&quot; alt=&quot;&quot; /&gt;&lt;/a&gt;
&lt;/div&gt;
&lt;p&gt;&lt;a href=&quot;http://www.novell.com/communities/files/u1628/9321-1.jpg&quot;&gt;Click to view&lt;/a&gt;.&lt;/p&gt;
&lt;/div&gt;
&lt;/li&gt;
&lt;li&gt;Define an attribute set that will contain all attributes required by the AG enabled policies.
&lt;p&gt;After identifying all the required attributes from the previous step, the administrator must go to the &#039;Shared Settings&#039; tab on the IDP configuration and define a new attribute set. After creating a new attribute set and giving it a logical name, add each attribute required by clicking the new option. In this example there will be 5 entries: all roles, LDAP cn, LDAP roomNumber, LDAP mail and LDAP title attributes.&lt;/p&gt;
&lt;p&gt;Note that the local attribute must include the attribute that the IDS will evaluate. There is an option to define the remote attribute name, but this is ignored for communications between IDS and ESP.&lt;/p&gt;
&lt;div class=&quot;clear-block&quot;&gt;
&lt;div class=&quot;thumbnail&quot;&gt;
&lt;a href=&quot;http://www.novell.com/communities/files/u1628/9321-2.jpg&quot;&gt;&lt;img src=&quot;http://www.novell.com/communities/files/u1628/9321-2_0.jpg&quot; alt=&quot;&quot; /&gt;&lt;/a&gt;
&lt;/div&gt;
&lt;p&gt;&lt;a href=&quot;http://www.novell.com/communities/files/u1628/9321-2.jpg&quot;&gt;Click to view&lt;/a&gt;.&lt;/p&gt;
&lt;/div&gt;
&lt;/li&gt;
&lt;li&gt;Select the AG or AG cluster configuration where the newly defined Attribute Set will be used
&lt;p&gt;Go to the IDS configuration, and select the &#039;Liberty&#039; tab. Under &#039;Trusted Providers&#039;, there will be a link to the AG cluster configuration name. If there is no AG cluster configuration, the IP address of the AG server will appear under this &#039;Trusted Providers&#039; link.&lt;/p&gt;
&lt;div class=&quot;clear-block&quot;&gt;
&lt;div class=&quot;thumbnail&quot;&gt;
&lt;a href=&quot;http://www.novell.com/communities/files/u1628/9321-3.jpg&quot;&gt;&lt;img src=&quot;http://www.novell.com/communities/files/u1628/9321-3_0.jpg&quot; alt=&quot;&quot; /&gt;&lt;/a&gt;
&lt;/div&gt;
&lt;p&gt;&lt;a href=&quot;http://www.novell.com/communities/files/u1628/9321-3.jpg&quot;&gt;Click to view&lt;/a&gt;.&lt;/p&gt;
&lt;/div&gt;
&lt;/li&gt;
&lt;li&gt;Add the newly defined Attribute Set to the Liberty relationship between IDS and selected ESP.
&lt;p&gt;After selecting the Trusted AG Service provider, select the attribute set defined in step 2 from the drop down menu. Once the attribute set is selected, the list of attributes from that Attribute set will appear on the right hand side of the screen. These are the attributes available for selection. Select each attribute and make sure that it moves across to the &#039;Send with Authentication&#039; menu. Doing this will force the attributes to be resolved at authentication time, so that they are sent with the subject details in the SAML assertion.&lt;/p&gt;
&lt;div class=&quot;clear-block&quot;&gt;
&lt;div class=&quot;thumbnail&quot;&gt;
&lt;a href=&quot;http://www.novell.com/communities/files/u1628/9321-4.jpg&quot;&gt;&lt;img src=&quot;http://www.novell.com/communities/files/u1628/9321-4_0.jpg&quot; alt=&quot;&quot; /&gt;&lt;/a&gt;
&lt;/div&gt;
&lt;p&gt;&lt;a href=&quot;http://www.novell.com/communities/files/u1628/9321-4.jpg&quot;&gt;Click to view&lt;/a&gt;.&lt;/p&gt;
&lt;/div&gt;
&lt;/li&gt;
&lt;li&gt;Define the attribute refresh rate on the policy
&lt;p&gt;When using LDAP attributes in an Identity Injection or Form Fill policy, the option to define a refresh rate exists. This refresh rate determines how often the AG proxy must go back to the ESP to determine whether the data is valid or stale. For performance purposes it is recommended that the &#039;Session&#039; setting be defined, so that we only retrieve the attributes once during the session lifetime. Although no requests will go back over the back channel to the IDS server, it will reduce communication between the AG proxy and the ESP.&lt;/p&gt;
&lt;div class=&quot;clear-block&quot;&gt;
&lt;div class=&quot;thumbnail&quot;&gt;
&lt;a href=&quot;http://www.novell.com/communities/files/u1628/9321-5.jpg&quot;&gt;&lt;img src=&quot;http://www.novell.com/communities/files/u1628/9321-5_0.jpg&quot; alt=&quot;&quot; /&gt;&lt;/a&gt;
&lt;/div&gt;
&lt;p&gt;&lt;a href=&quot;http://www.novell.com/communities/files/u1628/9321-5.jpg&quot;&gt;Click to view&lt;/a&gt;.&lt;/p&gt;
&lt;/div&gt;
&lt;/li&gt;
&lt;li&gt;Injecting IDS user name and password to back end Web server
&lt;p&gt;If the policy requires that the credential profile username and password be sent across to the back end Web server, the attribute map created above must include the credential profile details. Unlike regular LDAP attributes in the above example, these credential profile attributes MUST be mapped to a &#039;Remote Attribute&#039; name. Note that this remote attribute name is case sensitive. The three credential profile attributes that need to be mapped are as follows:&lt;/p&gt;
&lt;div class=&quot;clear-block&quot;&gt;
&lt;div class=&quot;thumbnail&quot;&gt;
&lt;a href=&quot;http://www.novell.com/communities/files/u1628/9321-6.jpg&quot;&gt;&lt;img src=&quot;http://www.novell.com/communities/files/u1628/9321-6_0.jpg&quot; alt=&quot;&quot; /&gt;&lt;/a&gt;
&lt;/div&gt;
&lt;p&gt;&lt;a href=&quot;http://www.novell.com/communities/files/u1628/9321-6.jpg&quot;&gt;Click to view&lt;/a&gt;.&lt;/p&gt;
&lt;/div&gt;
&lt;p&gt;When defining the attributes to send to the back end Liberty ESP, we will only need to send the UserName and userPassword. The userDN may be left in the available list as it is already sent over in a SAML assertion by default at authentication time.&lt;/p&gt;
&lt;div class=&quot;clear-block&quot;&gt;
&lt;div class=&quot;thumbnail&quot;&gt;
&lt;a href=&quot;http://www.novell.com/communities/files/u1628/9321-7.jpg&quot;&gt;&lt;img src=&quot;http://www.novell.com/communities/files/u1628/9321-7_0.jpg&quot; alt=&quot;&quot; /&gt;&lt;/a&gt;
&lt;/div&gt;
&lt;p&gt;&lt;a href=&quot;http://www.novell.com/communities/files/u1628/9321-7.jpg&quot;&gt;Click to view&lt;/a&gt;.&lt;/p&gt;
&lt;/div&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;h3&gt;Validating configuration&lt;/h3&gt;
&lt;p&gt;Before rolling out the changes in production, there are a number of simple tests that an administrator can perform to confirm that no unnecessary SOAP back channel requests are being made from the ESP to the IDS server when policies are being evaluated.&lt;/p&gt;
&lt;ol class=&quot;spread&quot;&gt;
&lt;li&gt; Temporarily turn on verbose logging at the IDS server: Select the Identity Provider configuration tab in the Administration Console and click &#039;Logging&#039;. Under &#039;Component File Logger&#039; set the following components to verbose: Application, Liberty, Web Service Provider and Consumer.
&lt;div class=&quot;clear-block&quot;&gt;
&lt;div class=&quot;thumbnail&quot;&gt;
&lt;a href=&quot;http://www.novell.com/communities/files/u1628/9321-8.jpg&quot;&gt;&lt;img src=&quot;http://www.novell.com/communities/files/u1628/9321-8_0.jpg&quot; alt=&quot;&quot; /&gt;&lt;/a&gt;
&lt;/div&gt;
&lt;p&gt;&lt;a href=&quot;http://www.novell.com/communities/files/u1628/9321-8.jpg&quot;&gt;Click to view&lt;/a&gt;.&lt;/p&gt;
&lt;/div&gt;
&lt;/li&gt;
&lt;li&gt; Access a policy-enabled protected resource on the AG and check the ESP and IDS log files. Look at the output of the catalina.out file on both the IDS and ESP servers.
&lt;p&gt;The catalina.out file includes all debug information, assuming the above IDP log settings are enabled. This file is located in /var/opt/novell/tomcat5/logs/ on both IDP/ESP servers. Navigating these log files in debug mode can be confusing to say the least, so key entries have been identified to look for, and which server and log file they are found in.&lt;/p&gt;
&lt;ol type=&quot;a&quot; class=&quot;spread&quot;&gt;
&lt;li&gt; Verify that the SAML assertion sent at authentication time includes the AttributeStatement containing all defined attributes. This can be done by searching the catalina.out file on either the IDP or ESP for the &quot;AttributeStatement&quot; string. When a user authenticates to the above example setup, the output shown on both IDP/ESP servers is the following:&lt;br /&gt;
&lt;pre&gt;&amp;lt;saml:AttributeStatement&amp;gt;
                  &amp;lt;saml:Subject&amp;gt;
                     &amp;lt;saml:NameIdentifier Format=&quot;urn:liberty:iff:nameid:one-time&quot; NameQualifier=&quot;https://lag129.lab.novell.com:443/nesp/idff/metadata&quot;&amp;gt;
                      9xVBI/rKBwt4wLXim82945nMv+yYyrjmOFkNFg==
                     &amp;lt;/saml:NameIdentifier&amp;gt;
                     &amp;lt;saml:SubjectConfirmation&amp;gt;
                        &amp;lt;saml:ConfirmationMethod&amp;gt;
                         urn:oasis:names:tc:SAML:1.0:cm:artifact
                        &amp;lt;/saml:ConfirmationMethod&amp;gt;
                     &amp;lt;/saml:SubjectConfirmation&amp;gt;
                  &amp;lt;/saml:Subject&amp;gt;
                  &amp;lt;saml:Attribute AttributeName=&quot;ldapcn&quot; AttributeNamespace=&quot;urn:oasis:names:tc:SAML:1.0:assertion&quot;&amp;gt;
                     &amp;lt;saml:AttributeValue&amp;gt;
                      XX
                     &amp;lt;/saml:AttributeValue&amp;gt;
                   &amp;lt;/saml:Attribute&amp;gt;
                  &amp;lt;saml:Attribute AttributeName=&quot;ldapmail&quot; AttributeNamespace=&quot;urn:oasis:names:tc:SAML:1.0:assertion&quot;&amp;gt;
                     &amp;lt;saml:AttributeValue&amp;gt;
                      XX
                     &amp;lt;/saml:AttributeValue&amp;gt;
                  &amp;lt;/saml:Attribute&amp;gt;
                  &amp;lt;saml:Attribute AttributeName=&quot;userRoles&quot; AttributeNamespace=&quot;urn:oasis:names:tc:SAML:1.0:assertion&quot;&amp;gt;
                     &amp;lt;saml:AttributeValue&amp;gt;
                      XX
                     &amp;lt;/saml:AttributeValue&amp;gt;
                     &amp;lt;saml:AttributeValue&amp;gt;
                      XX
                     &amp;lt;/saml:AttributeValue&amp;gt;
                     &amp;lt;saml:AttributeValue&amp;gt;
                      XX
                     &amp;lt;/saml:AttributeValue&amp;gt;
                  &amp;lt;/saml:Attribute&amp;gt;
                  &amp;lt;saml:Attribute AttributeName=&quot;title&quot; AttributeNamespace=&quot;urn:oasis:names:tc:SAML:1.0:assertion&quot;&amp;gt;
                     &amp;lt;saml:AttributeValue&amp;gt;
                      XX
                     &amp;lt;/saml:AttributeValue&amp;gt;
                   &amp;lt;/saml:Attribute&amp;gt;
                  &amp;lt;saml:Attribute AttributeName=&quot;roomnum&quot; AttributeNamespace=&quot;urn:oasis:names:tc:SAML:1.0:assertion&quot;&amp;gt;
                     &amp;lt;saml:AttributeValue&amp;gt;
					 
&lt;/pre&gt;&lt;p&gt;When examining the log entry, note the following: &lt;/p&gt;
&lt;p&gt;Some attributes are multivalued (such as the userRoles attribute), and will therefore have multiple &quot;AttributeValue&quot; entries.&lt;/p&gt;
&lt;p&gt;For security purposes, the &quot;AttributeValue&quot; contains an XX string instead of the actual value.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt; Verify that the attribute statement is processed correctly and that the attribute values are added to the local cache. This is visible from the catalina.out file on the ESP, where a separate entry should exist for each attribute added. The one below shows the mail attribute being added to an internal ESP structure.&lt;br /&gt;
&lt;pre&gt;&amp;lt;amLogEntry&amp;gt; 2009-09-30T11:10:25Z DEBUG NIDS WSC:
Method: WSCCacheAlreadyReadCache.add
Thread: http-127.0.0.1-8080-Processor22
Added WSCCacheAlreadyReadCacheSet:
NEPXurn~3Anovell~3Aldap~3A2006-02~2Fldap~3AUserAttribute~40~40~40~40WSCQLDAPToken~40~40~40~40~2FUserAttribute~5B~40ldap~3AtargetAttribute~3D~22mail~22~5D &amp;lt;/amLogEntry&amp;gt;

&lt;/pre&gt;&lt;/li&gt;
&lt;li&gt; Identify an AG policy referencing the required attributes and note the policy ID. This step involves looking through the /var/log/ics_dyn.log file on the Linux Access Gateway (LAG) when the LOG_LEVEL entry in /etc/laglogs.conf is set to 7 (default is 5). Search for the URL where the Identity Injection policy is enabled and locate the &#039;Sending eval&#039; string. This includes an eval request number and policyID that we can search for in the ESP log to confirm that the data has been retrieved from local cache. The snippet below shows an eval request number of 2641 and a policyID of &quot;57M81710-NL1N-L610-O816-54MM7N558146&quot;. We can specifically see the LAG sending a SOAP request to the ESP, and whether or not a response was obtained.&lt;br /&gt;
&lt;pre&gt;Sep 30 12:12:28 lag129 : AM#504506000: AMDEVICEID#ag-7AA324FFCBA4D4E: AMAUTHID#591E1B49DACAF72693531BCA5C3FF802: AMEVENTID#410: IdInjection enabled for  the protected resource
:
Sep 30 12:12:28 lag129 : AM#504506000: AMDEVICEID#ag-7AA324FFCBA4D4E: AMAUTHID#591E1B49DACAF72693531BCA5C3FF802: AMEVENTID#410: II:a5304b64 Sending EVAL Request 2641 policyId 57M81710-NL1N-L610-O816-54MM7N558146
Sep 30 12:12:28 lag129 : AM#504512000: AMDEVICEID#ag-7AA324FFCBA4D4E: AMAUTHID#0: AMEVENTID#7079: processSoapRequests - size 2 processed 1, deleted 0 (0, conFail 0 conTimeout 0) 0 (0)
Sep 30 12:12:28 lag129 : AM#504515000: AMDEVICEID#ag-7AA324FFCBA4D4E: AMAUTHID#0: AMEVENTID#0: Connection Established with peer 127.0.0.1:8080 (src 127.0.0.1:0)
Sep 30 12:12:28 lag129 : AM#504512000: AMDEVICEID#ag-7AA324FFCBA4D4E: AMAUTHID#0: AMEVENTID#2641: sentsoapRequest 2641  app a91de4c8  II
Sep 30 12:12:28 lag129 : AM#504512000: AMDEVICEID#ag-7AA324FFCBA4D4E: AMAUTHID#0: AMEVENTID#2641: backchannel receivedResp (app   a91de4c8  II )   (2641)[seg:0xa4b87430:0xa59355a0:1248]
Sep 30 12:12:28 lag129 : AM#504506000: AMDEVICEID#ag-7AA324FFCBA4D4E: AMAUTHID#591E1B49DACAF72693531BCA5C3FF802: AMEVENTID#410: Received response for IdInjection EVAL request

&lt;/pre&gt;&lt;/li&gt;
&lt;li&gt; Confirm that the ESP received the request, and returned the response from cache. Failure to see these steps probably indicates that the ESP has had to contact the IDS to retrieve the requested information. This is done by searching the catalina.out on the ESP for the policyID or EVAL number. When the policy is found, verify that the attributes we are requesting are filled from cache. The snippet below shows the LDAP cn attribute being retrieved from cache.&lt;br /&gt;
&lt;pre&gt;&amp;lt;amLogEntry&amp;gt; 2009-09-30T11:12:28Z VERBOSE NIDS Application: AM#501101020: AMDEVICEID#esp-7AA324FFCBA4D4ED: NXPESID#2641:  &amp;lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?&amp;gt;&amp;lt;Evaluate PolicyId=&quot;57M81710-NL1N-L610-O816-54MM7N558146&quot; Verbose=&quot;on&quot;&amp;gt;
                                &amp;lt;ContextDataElement Enum=&quot;2551&quot; Value=&quot;591E1B49DACAF72693531BCA5C3FF802&quot;/&amp;gt;
                        &amp;lt;/Evaluate&amp;gt; &amp;lt;/amLogEntry&amp;gt;

&amp;lt;amLogEntry&amp;gt; 2009-09-30T11:12:28Z INFO NIDS Application: AM#501101050: AMDEVICEID#esp-7AA324FFCBA4D4ED: PolicyID#57M81710-NL1N-L610-O816-54MM7N558146: NXPESID#2641:  Evaluating policy &amp;lt;/amLogEntry&amp;gt;

:
:

&amp;lt;amLogEntry&amp;gt; 2009-09-30T11:12:28Z DEBUG NIDS WSC:
Method: WSC.fillFromCache
Thread: http-127.0.0.1-8080-Processor21
Processing set: NEPXurn~3Anovell~3Aldap~3A2006-02~2Fldap~3AUserAttribute~40~40~40~40WSCQLDAPToken~40~40~40~40~2FUserAttribute~5B~40ldap~3AtargetAttribute~3D~22cn~22~5D &amp;lt;/amLogEntry&amp;gt;

&amp;lt;amLogEntry&amp;gt; 2009-09-30T11:12:28Z DEBUG NIDS WSC:
Method: WSC.fillFromCache
Thread: http-127.0.0.1-8080-Processor21
Request filled from WSC Already Read Cache! &amp;lt;/amLogEntry&amp;gt;

&amp;lt;amLogEntry&amp;gt; 2009-09-30T11:12:28Z INFO NIDS WSP: AM#500103001: AMDEVICEID#esp-7AA324FFCBA4D4ED: AMAUTHID#591E1B49DACAF72693531BCA5C3FF802:  Filled the user attribute request from data already in the web service consumer cache. &amp;lt;/amLogEntry&amp;gt;

&amp;lt;amLogEntry&amp;gt; 2009-09-30T11:12:28Z INFO NIDS Application: AM#501101056: AMDEVICEID#esp-7AA324FFCBA4D4ED: AMAUTHID#591E1B49DACAF72693531BCA5C3FF802: PolicyID#57M81710-NL1N-L610-O816-54MM7N558146: NXPESID#2641:  Data retrieval ok:  from cached String[] value &amp;lt;/amLogEntry&amp;gt;

&lt;/pre&gt;&lt;p&gt;After validating this information, ensure that all log levels are set back to the default.&lt;/p&gt;
&lt;/li&gt;
&lt;/ol&gt;
 </description>
 <comments>http://www.novell.com/communities/node/9321/how-configure-access-gateway-embedded-service-provider-reduce-access-gateway-load-and-impr#comments</comments>
 <category domain="http://www.novell.com/communities/product/access+manager">Access Manager</category>
 <category domain="http://www.novell.com/communities/content-type/appnote">AppNote</category>
 <category domain="http://www.novell.com/communities/coolsolutions/nim">Identity Manager</category>
 <category domain="http://www.novell.com/communities/topic/gateways">Gateways</category>
 <category domain="http://www.novell.com/communities/topic/linux">Linux</category>
 <group domain="http://www.novell.com/communities/coolsolutions/ism" xmlns="http://drupal.org/project/og">Identity &amp;amp; Security Management Cool Solutions</group>
 <group domain="http://www.novell.com/communities/coolsolutions" xmlns="http://drupal.org/project/og">Cool Solutions</group>
 <pubDate>Mon, 23 Nov 2009 11:01:01 -0700</pubDate>
 <dc:creator>ncashell</dc:creator>
 <guid isPermaLink="false">9321 at http://www.novell.com/communities</guid>
</item>
<item>
 <title>Omni Adds Web-based Management for M+Guardian and M+Archive to eControl</title>
 <link>http://www.novell.com/communities/node/9303/omni-adds-web-based-management-mguardian-and-marchive-econtrol</link>
 <description>&lt;div class=&quot;event-nodeapi&quot;&gt;&lt;div class=&quot;event-start&quot;&gt;&lt;label&gt;Start: &lt;/label&gt;25 Nov 2009 - 3:30pm&lt;/div&gt;&lt;/div&gt;
&lt;div class=&quot;event-nodeapi&quot;&gt;&lt;div class=&quot;event-tz&quot;&gt;&lt;label&gt;Timezone: &lt;/label&gt;US/Eastern&lt;/div&gt;&lt;/div&gt;
 &lt;p&gt;Messaging Architects customers can now use eControl to quickly and easily delegate M+Guardian and M+Archive management, provisioning and auditing tasks to non-technical users. No &lt;a class=&quot;glossary-term&quot; href=&quot;/communities/glossary/term/933&quot;&gt;&lt;acronym title=&quot;The person who sets up a server, creates user login accounts and passwords, creates groups, sets security, and maintains the server.&quot;&gt;administrator&lt;/acronym&gt;&lt;/a&gt; rights required. Designed for non-technical front-line staff, all actions are written to an &lt;a class=&quot;glossary-term&quot; href=&quot;/communities/glossary/term/1002&quot;&gt;&lt;acronym title=&quot;A system log created when auditing is enabled at the volume or Directory Services container level. At the volume level, the audit file stores a record of all audited transactions; at the Directory Services level, the audit file also stores all activities performed by the auditor. Also called &quot;audit data file.&quot;&quot;&gt;audit file&lt;/acronym&gt;&lt;/a&gt;.  eControl also provides support for &lt;a class=&quot;glossary-term&quot; href=&quot;/communities/glossary/term/3276&quot;&gt;&lt;acronym title=&quot;A distributed, replicated naming service that maintains information about and provides access to a list of objects that represent network resources, such as network users, servers, printers, print queues, and applications. The directory is physically stored as a set of database files on a server. If the server hosts file system volumes, these files are on volume sys:. If no volumes are present, the directory is stored on the server&#039;s local disk. 
eDirectory tightly integrates Novell Security Services for e-commerce (PKI, cryptography, and authentication services), allowing developers to build applications that can be accessed and managed across the entire network through explicit policies.&quot;&gt;eDirectory&lt;/acronym&gt;&lt;/a&gt;, GroupWise, ZENworks, Microsoft Terminal Server, &lt;a class=&quot;glossary-term&quot; href=&quot;/communities/glossary/term/2632&quot;&gt;&lt;acronym title=&quot;An advanced, hierarchical directory service that is an integral part of the Microsoft Windows 2000 architecture. It is LDAP-compliant and built on the Internet.&quot;&gt;Active Directory&lt;/acronym&gt;&lt;/a&gt; and Exchange management from a single web interface.&lt;/p&gt;
&lt;p&gt;Sign up for the joint Omni and Messaging Architects webinar: &lt;a href=&quot;http://www.omni-ts.com/omni-web-seminars.html#econtrol&quot;&gt;http://www.omni-ts.com/omni-web-seminars.html#econtrol&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;b&gt;When:&lt;/b&gt;  Wednesday, November 25th, 3:30 p.m. Eastern Time (17:00 &lt;a class=&quot;glossary-term&quot; href=&quot;/communities/glossary/term/2570&quot;&gt;&lt;acronym title=&quot;Universal Time CoordinatedThe international time standard (formerly Greenwich Mean Time, or GMT). Zero hours UTC is midnight in Greenwich , England , which is located at 0 degrees longitude. Everything east of Greenwich (up to 180 degrees) is later in time; everything west is earlier. There are 42 time authorities around the world that are constantly synchronizing with each other.&quot;&gt;UTC&lt;/acronym&gt;&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;&lt;b&gt;What You Will Learn:&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;How to replace &lt;a class=&quot;glossary-term&quot; href=&quot;/communities/glossary/term/2804&quot;&gt;&lt;acronym title=&quot;In ZENworks Desktop Management, ZENworks Handheld Management, and ZENworks Server Management, a Java-based administration tool used to manage Novell and third-party products on a variety of platforms. It provides a single point of administration for network resources, including Novell eDirectory objects, schema, partitions, replicas, and NetWare servers. If you use ZENworks Desktop Management, Novell ConsoleOne run from Windows is the only viewer or console that can be used for administration.&quot;&gt;ConsoleOne&lt;/acronym&gt;&lt;/a&gt;, &lt;a class=&quot;glossary-term&quot; href=&quot;/communities/glossary/term/2869&quot;&gt;&lt;acronym title=&quot;Novell iManagerA browser-based management utility included with NetWare 6. In ZENworks Server Management, it enables administrators to manage Tiered Electronic Distribution (TED) objects, agents, and processes from any location where the required version of Internet Explorer is available.&quot;&gt;iManager&lt;/acronym&gt;&lt;/a&gt;, MMC and Task Pads with a much simpler web application that was designed with the non-technical end-user in mind.&lt;/p&gt;
&lt;p&gt;How to quickly and easily delegate routine M+Guardian and M+Archive management and auditing tasks to non-technical users in your environment (e.g., service desk staff, email compliance administrators, HR staff, security department, line managers and junior administrators).&lt;/p&gt;
&lt;p&gt;How to enhance the efficiency and effectiveness of your user and email lifecycle management processes.&lt;/p&gt;
&lt;p&gt;How to free up your senior IT staff from managing routine, yet time-consuming M+ Guardian, M+Archive tasks.&lt;/p&gt;
&lt;p&gt;How to decentralize the administration of eDirectory, GroupWise, Active Directory, Exchange, ZENworks, Microsoft Terminal Server, M+Guardian and M+Archive to regional offices without losing any control.&lt;/p&gt;
&lt;p&gt;Contact Omni at &lt;a href=&quot;mailto:sales@omni-ts.com&quot;&gt;sales@omni-ts.com&lt;/a&gt; or +1.780.423.4200 for more information on &lt;a href=&quot;//www.omni-ts.com/web-management/&quot;&gt;eControl&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;For more information on the new M+Guardian and M+Archive modules for eControl, contact Messaging Architects at &lt;a href=&quot;mailto:sales@messagingarchitects.com&quot;&gt;sales@messagingarchitects.com&lt;/a&gt; or 1-514-392-9220.&lt;/p&gt;
 &lt;div class=&quot;og_rss_groups&quot;&gt;&lt;ul class=&quot;links&quot;&gt;&lt;li class=&quot;first last og_links&quot;&gt;&lt;a href=&quot;/communities/coolsolutions&quot; class=&quot;og_links&quot;&gt;Cool Solutions&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;&lt;/div&gt;</description>
 <comments>http://www.novell.com/communities/node/9303/omni-adds-web-based-management-mguardian-and-marchive-econtrol#comments</comments>
 <category domain="http://www.novell.com/communities/coolsolutions/audit">Audit</category>
 <category domain="http://www.novell.com/communities/coolsolutions/edirectory">eDirectory</category>
 <category domain="http://www.novell.com/communities/taxonomy/term/1">GroupWise</category>
 <category domain="http://www.novell.com/communities/taxonomy/term/54">Workgroup</category>
 <group domain="http://www.novell.com/communities/coolsolutions/workgroup" xmlns="http://drupal.org/project/og">Workgroup Cool Solutions</group>
 <group domain="http://www.novell.com/communities/coolsolutions/ism" xmlns="http://drupal.org/project/og">Identity &amp;amp; Security Management Cool Solutions</group>
 <group domain="http://www.novell.com/communities/coolsolutions/gwmag" xmlns="http://drupal.org/project/og">GroupWise Cool Solutions</group>
 <group domain="http://www.novell.com/communities/coolsolutions" xmlns="http://drupal.org/project/og">Cool Solutions</group>
 <pubDate>Wed, 18 Nov 2009 14:58:54 -0700</pubDate>
 <dc:creator>Omni-TS</dc:creator>
 <guid isPermaLink="false">9303 at http://www.novell.com/communities</guid>
</item>
<item>
 <title>JavaScript Base64-Encoding Binary Data in IDM (a.k.a using Java and JavaScript within the IDM engine)</title>
 <link>http://www.novell.com/communities/node/9255/javascript-base64-encoding-binary-data-idm-aka-using-java-and-javascript-within-idm-engine</link>
 <description> &lt;p&gt;Base64-encoding data is found in places all over the IT world and in home users&#039; systems as well.  Being able to encode data in &lt;a class=&quot;glossary-term&quot; href=&quot;/communities/glossary/term/1591&quot;&gt;&lt;acronym title=&quot;An object-oriented programming language developed by Sun Microsystems, Inc. to create executable content (ie, self-running applications) that can be easily distributed through networks like the Internet. Developers use Java to create special programs called applets that can be incorporated in web pages to make them interactive. A Java-enabled web browser is required to interpret and run the Java applets.&quot;&gt;Java&lt;/acronym&gt;&lt;/a&gt; or ECMAScript/JavaScript can be valuable when those are the languages available to you.  This sample shows how to convert from one format to another and eventually encode data for use within a directory like &lt;a class=&quot;glossary-term&quot; href=&quot;/communities/glossary/term/3276&quot;&gt;&lt;acronym title=&quot;A distributed, replicated naming service that maintains information about and provides access to a list of objects that represent network resources, such as network users, servers, printers, print queues, and applications. The directory is physically stored as a set of database files on a server. If the server hosts file system volumes, these files are on volume sys:. If no volumes are present, the directory is stored on the server&#039;s local disk. eDirectory tightly integrates Novell Security Services for e-commerce (PKI, cryptography, and authentication services), allowing developers to build applications that can be accessed and managed across the entire network through explicit policies.&quot;&gt;eDirectory&lt;/acronym&gt;&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;In a recent article I mentioned the possibilities of ECMAScript/JavaScript within Java for scripting within Java applications or just for your own system.  While working on an issue recently, the need arose to convert a string of characters representing &lt;a class=&quot;glossary-term&quot; href=&quot;/communities/glossary/term/508&quot;&gt;&lt;acronym title=&quot;1. The name of the number system in which there are only zeros and ones. This is important to computers because all computer data is ultimately a series of zeros and ones, and thus can be represented by binary numbers.2. Data that is not meant to be intepreted through a common character set (like ASCII). Pure binary data is typically 8-bit data. Transferring a binary file through ASCII channels without prior modification will result in corruption and loss of data. Binary data can be turned into ASCII data via uucoding or bcoding.&quot;&gt;binary&lt;/acronym&gt;&lt;/a&gt; to a Base64-encoded representation of that binary value.  As the issue was for use within Novell Identity Manager, the following could be used to accept the string of binary and then convert it to a valid Base64-encoded value.  The same could be done within any application with access to the com.novell.xml.util package (or a suitable replacement to do the Base64-encoding) and a Rhino implementation to run the rest of the conversion code from string to binary.  &lt;a href=&quot;http://www.novell.com/communities/node/9252/ecmascriptjavascript-development-without-web-browser&quot;&gt;ECMAScript/JavaScript Development Without a Web Browser&lt;/a&gt;&lt;/p&gt;
&lt;pre&gt;&amp;lt;code interpreter=&quot;rhino&quot;&amp;gt;
function b64encbinstring(binstring) {
	importPackage(java.io);
	importPackage(java.lang);
	importPackage(Packages.com.novell.xml.util);
	// Parse the string of zeros and ones as a base-2 number; the value must fit in a signed 64-bit long.
	var mylong0 = java.lang.Long.parseLong(binstring, 2);
	// Write the long out as 8 big-endian bytes.
	var bos = new java.io.ByteArrayOutputStream();
	var dos = new java.io.DataOutputStream(bos);
	dos.writeLong(mylong0);
	dos.flush();
	var bytedata = bos.toByteArray();
	var base64c = new Packages.com.novell.xml.util.Base64Codec();
	// Pass offset 8 - ceil(bits/8) and length ceil(bits/8) so that only the low-order bytes holding the input bits are encoded.
	var base64string=new Packages.java.lang.String(base64c.encode(bytedata, (8-Math.ceil(binstring.length/8)), Math.ceil(binstring.length/8), false));
	return base64string;
}

b64encbinstring(&#039;00101010110111100001010101000101101&#039;);    //Line to Base64-encode a string of zeros and ones and return the appropriate string.
&amp;lt;/code&amp;gt;

&lt;/pre&gt;&lt;p&gt;This may not be the most elegant method of doing what is needed but it was something that otherwise would have required custom Java code to do the same compiled into the application in one way or another.  If somebody can condense the code above to make it simpler or avoid unnecessary steps please feel free to do so in the comments section.&lt;/p&gt;
 &lt;div class=&quot;og_rss_groups&quot;&gt;&lt;ul class=&quot;links&quot;&gt;&lt;li class=&quot;first last og_links&quot;&gt;&lt;a href=&quot;/communities/coolsolutions&quot; class=&quot;og_links&quot;&gt;Cool Solutions&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;&lt;/div&gt;</description>
 <comments>http://www.novell.com/communities/node/9255/javascript-base64-encoding-binary-data-idm-aka-using-java-and-javascript-within-idm-engine#comments</comments>
 <category domain="http://www.novell.com/communities/taxonomy/term/6">DirXML</category>
 <category domain="http://www.novell.com/communities/coolsolutions/nim">Identity Manager</category>
 <category domain="http://www.novell.com/communities/product/linux">Linux</category>
 <category domain="http://www.novell.com/communities/coolsolutions/oes">Open Enterprise Server</category>
 <category domain="http://www.novell.com/communities/product/sentinel">Sentinel</category>
 <category domain="http://www.novell.com/communities/topic/developer+tools">Developer Tools</category>
 <category domain="http://www.novell.com/communities/topic/engine">Engine</category>
 <category domain="http://www.novell.com/communities/taxonomy/term/69">Identity &amp;amp; Security Management</category>
 <category domain="http://www.novell.com/communities/topic/ldap">LDAP</category>
 <category domain="http://www.novell.com/communities/topic/open-source">Open Source</category>
 <category domain="http://www.novell.com/communities/topic/scripting">Scripting</category>
 <category domain="http://www.novell.com/communities/topic/tips+administrators">Tips for Administrators</category>
 <category domain="http://www.novell.com/communities/topic/tools+and+utilities">Tools and Utilities</category>
 <category domain="http://www.novell.com/communities/taxonomy/term/46">Troubleshooting</category>
 <group domain="http://www.novell.com/communities/coolsolutions/ism" xmlns="http://drupal.org/project/og">Identity &amp;amp; Security Management Cool Solutions</group>
 <group domain="http://www.novell.com/communities/coolsolutions" xmlns="http://drupal.org/project/og">Cool Solutions</group>
 <pubDate>Wed, 18 Nov 2009 11:30:30 -0700</pubDate>
 <dc:creator>aburgemeister</dc:creator>
 <guid isPermaLink="false">9255 at http://www.novell.com/communities</guid>
</item>
<item>
 <title>Error Codes of the eDirectory Driver for Identity Manager - Part 1</title>
 <link>http://www.novell.com/communities/node/9264/error-codes-edirectory-driver-identity-manager-part-1</link>
 <description> &lt;p&gt;&lt;b&gt;Identity Manager &lt;a class=&quot;glossary-term&quot; href=&quot;/communities/glossary/term/3276&quot;&gt;&lt;acronym title=&quot;A distributed, replicated naming service that maintains information about and provides access to a list of objects that represent network resources, such as network users, servers, printers, print queues, and applications. The directory is physically stored as a set of database files on a server. If the server hosts file system volumes, these files are on volume sys:. If no volumes are present, the directory is stored on the server&#039;s local disk. eDirectory tightly integrates Novell Security Services for e-commerce (PKI, cryptography, and authentication services), allowing developers to build applications that can be accessed and managed across the entire network through explicit policies.&quot;&gt;eDirectory&lt;/acronym&gt;&lt;/a&gt; Driver error messages:&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;&lt;b&gt;Table of Contents:&lt;/b&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;#Introduction&quot;&gt;Introduction&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;#Errors&quot;&gt;Error Codes:&lt;/a&gt;&lt;br /&gt;
&lt;ul type=&quot;disc&quot;&gt;
&lt;li&gt;&lt;a href=&quot;#Activation Expired&quot;&gt;Activation Expired&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;#783 Errors&quot;&gt;783 Errors&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;#611 Illegal Containment error&quot;&gt;611 Illegal Containment error&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;#609 Illegal attribute error&quot;&gt;609 Illegal attribute error&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;#Insufficient rights&quot;&gt;Insufficient rights&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;#Bad DN in destination DN&quot;&gt;Bad DN in destination DN&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;&lt;a name=&quot;Introduction&quot;&gt;&lt;/a&gt;Introduction&lt;/h3&gt;
&lt;p&gt;Novell Identity Manager supports many different drivers.  Each one has its own set of subtleties that are unique to the connected system.&lt;/p&gt;
&lt;p&gt;This, to me, is one of the more interesting parts of working with Identity Manager.  Not only do you need to know and understand eDirectory (the underlying data store for all your objects), Identity Manager itself and its components (things like DirXML Script, XSLT, XPATH, etc.) but you also need to learn a fair bit about each connected system.&lt;/p&gt;
&lt;p&gt;More amusing is that the level at which you need to learn the connected system is quite deep into the system internals, and interesting, but also mostly useless in the day to day operations of that system.   For example, an end user could care less about how certificates in Lotus Notes are used with Domino servers.  Well for Identity Manager this is a huge deal, and of critical importance.  In the case of the &lt;a class=&quot;glossary-term&quot; href=&quot;/communities/glossary/term/2279&quot;&gt;&lt;acronym title=&quot;1. Service Advertising Protocol: A protocol used by NetWare Loadable Modules (NLMs) to inform clients of a server&#039;s presence. Servers advertise their services, by both name and type, with Service Advertising Protocol (SAP), allowing routers to create and maintain a database of current internetwork server information. This information goes to all nodes on an IPX network.2. service access point: A virtual port on a data link adapter. A SAP provides communication points between adjacent local area network (LAN) protocol layers. A SAP is referred to by a three-digit hexadecimal number.3. secondary audio program.&quot;&gt;SAP&lt;/acronym&gt;&lt;/a&gt; HR driver, you need to know a lot about how iDOC&#039;s are written, parsed, and used that most SAP HR users and administrators would not even know existed.&lt;/p&gt;
&lt;p&gt;With each connected system that comes into your experience, you have to learn more and more about it.  Each system has its own set of specific error messages, some are analogous to others (669 in eDir, &lt;a class=&quot;glossary-term&quot; href=&quot;/communities/glossary/term/1613&quot;&gt;&lt;acronym title=&quot;Lightweight Directory Access ProtocolAn X.500-related Open Systems Interconnection (OSI) protocol that clients can use to read and write Directory information. LDAP is used to publish Directory information such as telephone numbers and e-mail addresses. The Directory features available to LDAP clients are dependent upon the features built into the LDAP server and the LDAP client; some clients have the ability to read and write data; others can only read Directory data.Web browsers and e-mail programs can query an LDAP-compliant directory (for example, Novell eDirectory).LDAP allows a client to search through a large database of addresses, phone numbers, and people stored on a server.&quot;&gt;LDAP&lt;/acronym&gt;&lt;/a&gt; 49, subtype 52e in &lt;a class=&quot;glossary-term&quot; href=&quot;/communities/glossary/term/2632&quot;&gt;&lt;acronym title=&quot;An advanced, hierarchical directory service that is an integral part of the Microsoft Windows 2000 architecture. It is LDAP-compliant and built on the Internet.&quot;&gt;Active Directory&lt;/acronym&gt;&lt;/a&gt; for bad password attempts), while others are unique not only to the specific driver but the specific usage case.&lt;/p&gt;
&lt;p&gt;On the one hand, I would love if Novell could document all these possible errors.  But in reality, the vast majority being connected system specific, ought to be documented in the general case by the connected system vendor.  However, that never really works out all that well.&lt;/p&gt;
&lt;p&gt;To try and help Novell along, I have been collecting, annotating, and publishing articles on the various different error codes and cases I have run into in the real world. &lt;/p&gt;
&lt;p&gt;For the Active Directory driver you can read:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;http://www.novell.com/communities/node/7702/active-directory-driver-error-messages-part-1&quot;&gt;Active Directory Driver Error Messages - Part 1&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;http://www.novell.com/communities/node/8228/active-directory-driver-error-messages-part-2&quot;&gt;Active Directory Driver Error Messages - Part 2&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;http://www.novell.com/communities/node/8304/active-directory-driver-error-messages-part-3&quot;&gt;Active Directory Driver Error Messages - Part 3&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;http://www.novell.com/communities/node/8551/active-directory-driver-error-messages-part-4&quot;&gt;Active Directory Driver Error Messages - Part 4&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;For the JDBC driver you can read:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;http://www.novell.com/communities/node/4446/error-codes-novell-identity-manager-driver-jdbc-part-1-4&quot;&gt;Error Codes of the Novell Identity Manager Driver for JDBC: Part 1 of 4 &lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;http://www.novell.com/communities/node/4447/error-codes-novell-identity-manager-driver-jdbc-part-2-4&quot;&gt;Error Codes of the Novell Identity Manager Driver for JDBC: Part 2 of 4 &lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;http://www.novell.com/communities/node/4448/error-codes-novell-identity-manager-driver-jdbc-part-3-4&quot;&gt;Error Codes of the Novell Identity Manager Driver for JDBC: Part 3 of 4 &lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;http://www.novell.com/communities/node/4449/error-codes-novell-identity-manager-driver-jdbc-part-4-4&quot;&gt;Error Codes of the Novell Identity Manager Driver for JDBC: Part 4 of 4 &lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;I have a bunch more collected that I am working on adding comments and explanations to for the eDirectory driver (this article), more Active Directory errors, more JDBC errors, SAP HR driver errors, Group Wise driver errors, and more.   Now I just need to find the time to finish writing them all up and submitting them.&lt;/p&gt;
&lt;p&gt;You can see my personal collection of articles at: &lt;a href=&quot;http://wiki.novell.com/index.php/Geoffrey_Carman%27s_personal_collection&quot;&gt;http://wiki.novell.com/index.php/Geoffrey_Carman%27s_personal_collection&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;They are sorted by topic, and the name of the article usually indicates the topic.  I find this view easier than my author page at Cool Solutions: &lt;a href=&quot;http://www.novell.com/communities/user/555/track&quot; title=&quot;http://www.novell.com/communities/user/555/track&quot;&gt;http://www.novell.com/communities/user/555/track&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;I highly recommend that if you happen to be working with a new driver, you keep a good text editor open (I use TextPad, but others like Notepad++ or even Gedit in SLED) and when you see an error in Dstrace, copy and paste it into the text file.  Once you figure out what happened, write down enough details to remind yourself of the cause, and then the resolution so that you can share it like this with other people.  This way, everyone benefits as the next time they do a Google search for the error string they can find an article that talks about the error.  &lt;/p&gt;
&lt;p&gt;If you are not aware of how to troubleshoot Identity Manager drivers, then I highly recommend you read the following set of articles.  First, David Gersic&#039;s truly excellent walk-through series on all the &#039;things&#039; or steps in the Identity Manager process (as visualized by the fishbone diagram in &lt;a class=&quot;glossary-term&quot; href=&quot;/communities/glossary/term/2869&quot;&gt;&lt;acronym title=&quot;Novell iManagerA browser-based management utility included with NetWare 6. In ZENworks Server Management, it enables administrators to manage Tiered Electronic Distribution (TED) objects, agents, and processes from any location where the required version of Internet Explorer is available.&quot;&gt;iManager&lt;/acronym&gt;&lt;/a&gt; or Designer):&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;http://www.novell.com/communities/node/6679/guided-tour-novell-identity-manager&quot;&gt;A Guided Tour of Novell Identity Manager - Part 1&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;http://www.novell.com/communities/node/6696/guided-tour-novell-identity-manager&quot;&gt;A Guided Tour of Novell Identity Manager - Part 2&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;http://www.novell.com/communities/node/6697/guided-tour-novell-identity-manager&quot;&gt;A Guided Tour of Novell Identity Manager - Part 3&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;That will get you up to speed on what is supposed to be happening under the covers.   Then you need to look at what actually happened under the covers by watching the event happen in Dstrace.  To get up to speed on reading Dstrace, the best article I have ever read on the topic is by Fernando Frietas, a support engineer in Novell Technical Services:  &lt;a href=&quot;http://www.novell.com/communities/node/5681/capturing-and-reading-novell-identity-manager-traces&quot;&gt;Capturing and Reading Novell Identity Manager Traces&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;Forget about the logs, you need to read the Dstrace output.  To see all the ways you can read Dstrace, you could try this shorter article: &lt;a href=&quot;http://www.novell.com/communities/node/4418/the-many-faces-dstrace&quot;&gt;The Many Faces of DSTRACE&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;Finally, if you are having issues, have looked at the trace, and cannot see a problem, or you have searched and read about your specific issue and it is still not working for you, then you should consider posting in the Novell Support Forums at &lt;a href=&quot;http://forums.novell.com&quot; title=&quot;http://forums.novell.com&quot;&gt;http://forums.novell.com&lt;/a&gt; or via a news reader at nntp://forums.novell.com.  There is a really nice and active forum that many people read and post to: novell.support.identity-manager.engine-drivers&lt;/p&gt;
&lt;p&gt;Now, with that basic introduction complete, let&#039;s get into some error codes and what is going on with them:&lt;/p&gt;
&lt;h3&gt;&lt;a name=&quot;Errors&quot;&gt;&lt;/a&gt;Error Codes:&lt;/h3&gt;
&lt;h3&gt;&lt;a name=&quot;Activation Expired&quot;&gt;&lt;/a&gt;Activation Expired:&lt;/h3&gt;
&lt;pre&gt;DirXML Log Event -------------------
     Driver:   \WATTS-LAB-IDV\Watts\Drivers\IDM\eDirectory
     Channel:  Subscriber
     Status:   Error
     Message:  Code(-9075) Shutting down because DirXML engine evaluation period has expired. Activation is required for further use.

&lt;/pre&gt;&lt;p&gt;This is a pretty generic error, and worth mentioning in an eDirectory specific error list, since it is actually the engine, not the driver per se that has expired.  &lt;/p&gt;
&lt;p&gt;When you install Identity Manager, you get a 90 day license for free, after which you have to activate it.  You use iManager, and when you look at the Identity Manager Overview, and select a driver set, you should see a warning that the engine or driver is not activated yet.  You then go to Novell&#039;s Customer Center to get the base 64 encoded activation credential to paste into the iManager Activation option.   In this case, it was our lab, and we forgot to actually activate it, before time ran out on us.  Oops. &lt;/p&gt;
&lt;h3&gt;&lt;a name=&quot;783 Errors&quot;&gt;783 Errors&lt;/a&gt;:&lt;/h3&gt;
&lt;pre&gt;DirXML Log Event -------------------
Status: Error
Message: Code(-9067) Error while initializing drivers: VR Driver Interface Module not loaded (-783)
15:12:30 9E62D5E0 Drvrs: Error initializing DirXML: com.novell.nds.dhutil.DSErr: VR Driver Interface Module not loaded (-783)
   at com.novell.nds.dirxml.engine.MiscDS.translateException(MiscDS.java:472)
   at com.novell.nds.dirxml.engine.MiscDS.setDriverState(MiscDS.java:196)
   at com.novell.nds.dirxml.engine.DirXML.initializeDrivers(DirXML.java:673)
   at com.novell.nds.dirxml.engine.DirXML.access$500(DirXML.java:42)
   at com.novell.nds.dirxml.engine.DirXML$DriverStarter.run(DirXML.java:924)
   at java.lang.Thread.run(Thread.java:534)
Caused by: novell.jclient.JCException: request -783 ERR_VRDIM_NOT_INITIALIZED
   at novell.jclient.JClient.request(Native Method)
   at novell.jclient.JClient.ndsRequest(JClient.java:1197)
   at com.novell.nds.dirxml.engine.MiscDS.setDriverState(MiscDS.java:181)
   ... 4 more
   
&lt;/pre&gt;&lt;p&gt;The 783 error code has a number of possible causes.  VRDIM could really not be loaded.  Then the trick is to figure out why.  Maybe someone unloaded it?  Maybe you installed the wrong version?  We ran into that last case where a patch had an eDir 8.7.3 version and an eDir 8.8 version of the patch, and we installed the wrong RPM on SLES and started getting crazy errors like this.&lt;/p&gt;
&lt;p&gt;Once you assign a driver set to a server, it will then start auto loading vrdim, and dxevent as soon as eDirectory starts on that server.  (On Netware it is an &lt;a class=&quot;glossary-term&quot; href=&quot;/communities/glossary/term/1882&quot;&gt;&lt;acronym title=&quot;NetWare Loadable Module. A program that runs on the NetWare operating system. Once loaded, an NLM becomes part of the network OS. An NLM can be dynamically loaded and unloaded. Types of NLM programs include disk drivers (.dsk), LAN drivers (.lan), management utilities and server applications modules (.nlm), and name space support (.nam).&quot;&gt;NLM&lt;/acronym&gt;&lt;/a&gt;, a DLM on Windows, and an .so file on the Unix flavours).&lt;/p&gt;
&lt;pre&gt;15:23:25 8D0093E0 DirXML:
DirXML Log Event -------------------
Driver: \ACME-META\CIM\DirXML\Active Directory (acme.corp)
Status: Error
Message: (-9947) Client request for invalid state transition from 0 to 3.
15:23:31 84793400 DirXML:
DirXML Log Event -------------------
Driver: \ACME-META\CIM\DirXML\Active Directory (acme.corp)
Status: Error
Message: (-9947) Client request for invalid state transition from 1 to 1.

&lt;/pre&gt;&lt;p&gt;However, in this case, we had a different problem, that manifested itself with the initial 783 and then further errors like this, as we tried to start drivers.&lt;/p&gt;
&lt;pre&gt;DirXML Log Event -------------------
Status: Error
Message: Code(-9140) Error processing DirXML sub-verb DSVR_GET_DRIVER_STATS: com.novell.nds.dhutil.DSErr: no such entry (-601)
   at com.novell.nds.dirxml.engine.cache.DriverCache.getTransactionStats(Native Method)
   at com.novell.nds.dirxml.engine.verb.GetDriverStats.version0(GetDriverStats.java:249)
   at com.novell.nds.dirxml.engine.verb.GetDriverStats.processSubVerb(GetDriverStats.java:178)
   at com.novell.nds.dirxml.engine.verb.DirXMLVerbs$GetVerbHandler.processVerb(DirXMLVerbs.java:530)
   at com.novell.nds.dhutil.VerbProcessor$HandlerThread.run(VerbProcessor.java:507)
   at java.lang.Thread.run(Thread.java:534)
   
   
Module DXEVENT.NLM load status OK                                               
Loading module DXLDAP.NLM                                                       
  DirXML Event Handler for Novell Directory Services 3.5.1                      
  Version 3.05.10   September 18, 2007                                          
  Copyright 1999-2007 Novell, Inc.  All rights reserved.  Patents Pending.      
SERVER-5.70-918: Loader cannot find public symbol: NLDAPSetResponseBer for module DXLDAP.NLM                                                                    
SERVER-5.70-918: Loader cannot find public symbol: NLDAPGetBerFromHandle for module DXLDAP.NLM                                                                  
SERVER-5.70-918: Loader cannot find public symbol: NLDAPSendResult for module DXLDAP.NLM                                                                        
SERVER-5.70-918: Loader cannot find public symbol: NLDAPGetContext for module DXLDAP.NLM                                                                        
SERVER-5.70-918: Loader cannot find public symbol: NLDAPBerAlloc for module DXLDAP.NLM                                                                          
SERVER-5.70-918: Loader cannot find public symbol: NLDAPBerFree for module DXLDAP.NLM                                                                           
SERVER-5.70-918: Loader cannot find public symbol: NLDAPBerPrintf for module DXLDAP.NLM                                                                         
SERVER-5.70-918: Loader cannot find public symbol: NLDAPBerScanf for module DXLDAP.NLM                                                                          
SERVER-5.70-918: Loader cannot find public symbol: NLDAPFree for module DXLDAP.NLM                                                                              
SERVER-5.70-918: Loader cannot find public symbol: NLDAPIsSecureConnection for module DXLDAP.NLM                                                                
  Error processing External Records.                                            
  Module DXLDAP.NLM NOT loaded                                                  
Module DXLDAP.NLM load status UNRESOLVED        

&lt;/pre&gt;&lt;p&gt;Here we saw that the DXEVENT.NLM file on NetWare would not load, as it could not find some symbols it needed from DXLDAP.NLM.&lt;/p&gt;
&lt;p&gt;But the actual root cause was one step further down, which we found as DIRXML.NLM (VRDIM for NetWare) loaded.&lt;/p&gt;
&lt;pre&gt;Loading module DIRXML.NLM                                                       
  Novell Identity Manager 3.5.1                                                 
  Version 3.05.10   September 18, 2007                                          
  Copyright 1999-2007 Novell, Inc.  All rights reserved.  Patents Pending.      
  Auto-Loading Module JCLNT.NLM                                                 
  Auto-loading module JCLNT.NLM                                                 
  NetWare JClient-Native (Build 1.5.1279)                                       
  Version 1.05   September 19, 2007                                             
  Copyright 1999 Novell, Inc.  All rights reserved.                             
  Auto-Loading Module JCLNTR.NLM                                                
  Auto-loading module JCLNTR.NLM                                                
  NetWare JClient-Native Resources (Build 1.5.1279)                             
  Version 1.05   September 19, 2007                                             
  Copyright 1999 Novell, Inc.  All rights reserved.                             
Module JCLNTR.NLM load status OK                                                
Module JCLNT.NLM load status OK                                                 
Module DIRXML.NLM load status OK                                                
Novell Audit Platform Agent: Failing primary connection for application DirXML. 
Loading module DHUTILJ.NLM      

&lt;/pre&gt;&lt;p&gt;The Audit connection had a problem.  When you install Identity Manager you can choose to install the Audit components or not.  They are useful if you are collecting the events to something.  This used to be Audit 2.0, but that has since been replaced with Sentinel 6.x or Identity Audit.  Both can collect events from the Novell Audit collectors.&lt;/p&gt;
&lt;pre&gt;14:05:56 B8824140 DirXML:
DirXML Log Event -------------------
Status: Error
Message: (-9983) An error occurred while logging to Novell Audit: failed, 11 (0xb).

&lt;/pre&gt;&lt;p&gt;DSTrace showed an error connecting to Novell Audit.&lt;/p&gt;
&lt;p&gt;Looking back at the &lt;a class=&quot;glossary-term&quot; href=&quot;/communities/glossary/term/2316&quot;&gt;&lt;acronym title=&quot;The monitor and keyboard where the network administrator views and controls server activity.&quot;&gt;server console&lt;/acronym&gt;&lt;/a&gt; for errors, we saw:&lt;/p&gt;
&lt;pre&gt;Novell Audit Platform Agent: All log channels have failed. Stopping logging of events for application DirXML.                                                   
Novell Audit Platform Agent: All log channels have failed. Stopping logging of events for application DirXML.                                                   
Novell Audit Platform Agent: ACK Failure for Driver\%s\Subscriber               
Loading module LCACHE.NLM                                                       
  Nsure Audit Platform Cache Module (Build 55)                                  
  Version 2.00.02   September 26, 2008                                          
  (c)2003-2006 Novell, Inc. All Rights Reserved.                                
Module LCACHE.NLM load status OK                                                
Novell Audit Cache: Log Cache Dir : sys:/etc/logcache                           
Novell Audit Platform Agent: All log channels have failed. Stopping logging of events for application DirXML.                                                   
Novell Audit Platform Agent: All log channels have failed. Stopping logging of events for application DirXML.                                                   
Novell Audit Platform Agent: ACK Failure for Driver\%s\Subscriber               
SERVER-5.70-151: Unable to find load file SYS:/SYSTEM/LCACHE.NLM                
Novell Audit Platform Agent: Failed to connect to cache for application DirXML, 
DISABLING cache mode.                                                           
Novell Audit Platform Agent: All log channels have failed. Stopping logging of events for application DirXML.                                                   
Novell Audit Platform Agent: All log channels have failed. Stopping logging of events for application DirXML.                                                   
Loading module AUDITEXT.NLM                                                     
  Novell Nsure Audit Schema Tool                                                
  Version 2.00.02   September 26, 2008                                          
  (c)2003-2006 Novell, Inc. All Rights Reserved.                                
  Auto-Loading Module NWSNUT.NLM                                                
  Auto-loading module NWSNUT.NLM                                                
  NetWare NLM Utility User Interface                                            
  Version 7.00.01   October 26, 2005                                            
  Copyright 1989-2005 Novell, Inc.  All rights reserved.                        
Module NWSNUT.NLM load status OK                                                
  Auto-Loading Module MDB.NLM                                                   
  Auto-loading module MDB.NLM                                                   
  Multiple Directory Database (Build )                                          
  Version 2.00.02   June 28, 2006                                               
  (c)2003-2006 Novell, Inc. All Rights Reserved.                                
Module MDB.NLM load status OK                                                   
Loading module MDBDS.NLM                                                        
Module AUDITEXT.NLM load status OK                                              
  MDB eDirectory Driver (Build )                                                
  Version 2.00.02   June 28, 2006                                               
  (c)2003-2006 Novell, Inc. All Rights Reserved.                                
Module MDBDS.NLM load status OK                                                 
MDBDriver &#039;mdbds.nlm               

&lt;/pre&gt;&lt;p&gt;Here we can see all sorts of issues with connecting to the Audit server.&lt;/p&gt;
&lt;pre&gt;14:32:16 85029380 Drvrs: DirXML starting.
14:32:16 85029380 Drvrs: Unable to load Novell Audit LogEvent module: failed, -5984 (0xffffe8a0)
14:32:26 867841E0 Drvrs: DirXML engine thread starting.

&lt;/pre&gt;&lt;p&gt;Finally we renamed logevent.nlm and we could start the engine up.  Since this was a lab anyway, we did not care, as we did not actually have anywhere for the Audit components to log to.  We never did track down what the actual cause was, but the progression of trace and logs above is nice, as it shows each step of the failure, and how a high-level 783 error bubbled up from a much more low-level problem of logevent.nlm being unable to connect to a secure logging server.&lt;/p&gt;
&lt;h3&gt;&lt;a name=&quot;611 Illegal Containment error&quot;&gt;611 Illegal Containment error&lt;/a&gt;:&lt;/h3&gt;
&lt;pre&gt;[05/05/09 17:19:54.742]:eDirectory ST:  
&amp;lt;nds dtdversion=&quot;3.5&quot; ndsversion=&quot;8.x&quot;&amp;gt;
  &amp;lt;source&amp;gt;
    &amp;lt;product version=&quot;3.6.1.4427&quot;&amp;gt;DirXML&amp;lt;/product&amp;gt;
    &amp;lt;contact&amp;gt;Novell, Inc.&amp;lt;/contact&amp;gt;
  &amp;lt;/source&amp;gt;
  &amp;lt;input&amp;gt;
    &amp;lt;move class-name=&quot;User&quot; dest-dn=&quot;\ACME-LAB-LDAP\corp\acme\asiapac\Japan\tgwuser3&quot; dest-entry-id=&quot;33907&quot; event-id=&quot;mta-gwlab#20090505211924#1#2&quot;&amp;gt;
      &amp;lt;association&amp;gt;{AAF66FC2-236A-2c4d-949C-AAF66FC2236A}&amp;lt;/association&amp;gt;
      &amp;lt;parent dest-dn=&quot;\ACME-LAB-LDAP\corp\acme\asiapac\Japan\tgwuser3&quot;/&amp;gt;
    &amp;lt;/move&amp;gt;
  &amp;lt;/input&amp;gt;
&amp;lt;/nds&amp;gt;
[05/05/09 17:19:54.744]:eDirectory ST:  Pumping XDS to eDirectory.
[05/05/09 17:19:54.744]:eDirectory ST:  Performing operation move for \ACME-LAB-LDAP\corp\acme\asiapac\Japan\tgwuser3.
[05/05/09 17:19:54.745]:eDirectory ST:  Moving entry \ACME-LAB-LDAP\corp\acme\asiapac\Japan\tgwuser3 to \ACME-LAB-LDAP\corp\acme\asiapac\Japan\tgwuser3.
[05/05/09 17:19:54.753]:eDirectory ST:  Processing returned document.
[05/05/09 17:19:54.753]:eDirectory ST:  Processing operation &amp;lt;status&amp;gt; for .
[05/05/09 17:19:54.753]:eDirectory ST:  
DirXML Log Event -------------------
     Driver:   \ACME-LAB-LDAP\acme\Drivers\IDM\eDirectory
     Channel:  Subscriber
     Status:   Error
     Message:  Code(-9010) An exception occurred: novell.jclient.JCException: moveEntry -611 ERR_ILLEGAL_CONTAINMENT

&lt;/pre&gt;&lt;p&gt;In this case I was trying to automate a move based on some attribute changing, e.g. L (Location) changing means move the user to a different container.  But in this trace sample it is trying to move a &lt;a class=&quot;glossary-term&quot; href=&quot;/communities/glossary/term/2567&quot;&gt;&lt;acronym title=&quot;1. A leaf object in the Novell Directory Services (NDS) tree that represents a person who uses the network. It contains information about the network user it represents, such as login name, telephone number, address, and group membership.2. A login script type that sets the environment for a single user. It is a property of the User object. This fulfills a user&#039;s individual network setup needs, such as mapping to a specific working directory or connecting to a printer. This login script executes last. When a user is created (User object), this login script automatically sets up mappings to the user&#039;s home directory and to the PUBLIC directory on the server.&quot;&gt;User object&lt;/acronym&gt;&lt;/a&gt; into a User object.  That won&#039;t work!  It&#039;s illegal for a User to contain another user.  I.e. Users are not usually containers (except in dumbo implementations like one of the PBX/VOIP phone vendors did, where they made users that contained objects with settings, and I think I recall seeing a forum post where Citrix might try adding objects to store configuration settings on users as well).  What I should have done was use ParseDN to chop off the user CN from the target DN (i.e. specify the container I wanted to move the user into, not the complete destination path).  In this case, since the DN is the same for the source user and the destination path, it would actually return a -606 Object already exists if I had tried.&lt;/p&gt;
&lt;p&gt;I really did need to fix that rule; this was just my first draft, a not really thought-through try at it.&lt;/p&gt;
&lt;h3&gt;&lt;a name=&quot;609 Illegal attribute error&quot;&gt;609 Illegal attribute error&lt;/a&gt;:&lt;/h3&gt;
&lt;pre&gt;[05/07/09 12:51:36.748]:eDirectory ST:  
&amp;lt;nds dtdversion=&quot;3.5&quot; ndsversion=&quot;8.x&quot;&amp;gt;
  &amp;lt;source&amp;gt;
    &amp;lt;product version=&quot;3.6.1.4427&quot;&amp;gt;DirXML&amp;lt;/product&amp;gt;
    &amp;lt;contact&amp;gt;Novell, Inc.&amp;lt;/contact&amp;gt;
  &amp;lt;/source&amp;gt;
  &amp;lt;input&amp;gt;
    &amp;lt;modify class-name=&quot;User&quot; dest-dn=&quot;\ACME-LAB-LDAP\corp\acme\americas\West\AMES\Users\tatert&quot; dest-entry-id=&quot;33780&quot; event-id=&quot;mta-gwlab#20090507165136#1#3&quot;&amp;gt;
      &amp;lt;association&amp;gt;{38D65D96-C456-824d-3988-38D65D96C456}&amp;lt;/association&amp;gt;
      &amp;lt;modify-attr attr-name=&quot;acmeCrossDomainMoveReset&quot;&amp;gt;
        &amp;lt;remove-all-values/&amp;gt;
        &amp;lt;add-value&amp;gt;
          &amp;lt;value&amp;gt;\ACME-LAB-LDAP\corp\acme\emea\France\Fried\tatert&amp;lt;/value&amp;gt;
        &amp;lt;/add-value&amp;gt;
      &amp;lt;/modify-attr&amp;gt;
    &amp;lt;/modify&amp;gt;
  &amp;lt;/input&amp;gt;
&amp;lt;/nds&amp;gt;
[05/07/09 12:51:36.765]:eDirectory ST:  Pumping XDS to eDirectory.
[05/07/09 12:51:36.765]:eDirectory ST:  Performing operation modify for \ACME-LAB-LDAP\corp\acme\americas\West\AMES\Users\tatert.
[05/07/09 12:51:36.767]:eDirectory ST:  Modifying entry \ACME-LAB-LDAP\corp\acme\americas\West\AMES\Users\tatert.
[05/07/09 12:51:36.806]:eDirectory ST:  Processing returned document.
[05/07/09 12:51:36.806]:eDirectory ST:  Processing operation &amp;lt;status&amp;gt; for .
[05/07/09 12:51:36.806]:eDirectory ST:  
DirXML Log Event -------------------
     Driver:   \ACME-LAB-LDAP\acme\Drivers\IDM\eDirectory
     Channel:  Subscriber
     Status:   Error
     Message:  Code(-9010) An exception occurred: novell.jclient.JCException: modifyEntry -608 ERR_ILLEGAL_ATTRIBUTE
[05/07/09 12:51:36.838]:eDirectory ST:  Direct command from policy result
[05/07/09 12:51:36.838]:eDirectory ST:  
&amp;lt;nds dtdversion=&quot;3.5&quot; ndsversion=&quot;8.x&quot;&amp;gt;
  &amp;lt;source&amp;gt;
    &amp;lt;product version=&quot;3.6.1.4427&quot;&amp;gt;DirXML&amp;lt;/product&amp;gt;
    &amp;lt;contact&amp;gt;Novell, Inc.&amp;lt;/contact&amp;gt;
  &amp;lt;/source&amp;gt;
  &amp;lt;output&amp;gt;
    &amp;lt;status event-id=&quot;mta-gwlab#20090507165136#1#3&quot; level=&quot;error&quot;&amp;gt;Code(-9010) An exception occurred: novell.jclient.JCException: modifyEntry -608 ERR_ILLEGAL_ATTRIBUTE&amp;lt;application&amp;gt;DirXML&amp;lt;/application&amp;gt;
      &amp;lt;module&amp;gt;eDirectory&amp;lt;/module&amp;gt;
      &amp;lt;object-dn&amp;gt;&amp;lt;/object-dn&amp;gt;
      &amp;lt;component&amp;gt;Subscriber&amp;lt;/component&amp;gt;
    &amp;lt;/status&amp;gt;
  &amp;lt;/output&amp;gt;
&amp;lt;/nds&amp;gt;

&lt;/pre&gt;&lt;p&gt;In this case, I was trying to manage three connected Active Directory domains, syncing into a single flat eDirectory based Identity Vault.  Moves within domains were mapped into changes of the DirXML-ADContext attribute, and then when it hit the eDirectory to eDirectory driver that change of the attribute DirXML-ADContext became a move event. &lt;/p&gt;
&lt;p&gt;However, moves between Active Directory domains were a concern that would be hard to handle, so when I detected that error case I added a flag attribute, acmeCrossDomainMoveReset, to store where the user was when it suddenly appears in the new domain.&lt;/p&gt;
&lt;p&gt;However, I had created the attribute as part of an auxiliary class, that the user did not yet have.  Usually the engine will try and add the attribute, but in this case it had not.  Seems like if you add an attribute on a destination eDirectory, then the engine will add the needed auxiliary classes as appropriate.  However when writing back to the source eDirectory, looks like you need to manage that yourself and add it to the object.  Once that was done, this worked.&lt;/p&gt;
&lt;p&gt;Without the auxiliary class, the attribute is Illegal, since it is not part of any classes for the target object.&lt;/p&gt;
&lt;h3&gt;&lt;a name=&quot;Insufficient rights&quot;&gt;&lt;/a&gt;Insufficient rights:&lt;/h3&gt;
&lt;pre&gt;[05/07/09 13:08:08.106]:Generic Null ST:Driver object has insufficient rights to read \ACME-LDAP\corp\acme\emea\France\Fried\tatert#acmeCrossDomainMoveReset.

&lt;/pre&gt;&lt;p&gt;I forget this one so often!  When you import or deploy a new driver, you have to set security equals for the driver object, so that it has sufficient rights to operate (Read and Write) within the directory.  If you do not do that, you often see nothing, since it does not have rights to even see the event, or else when you try to write out a value, you get an error as above.&lt;/p&gt;
&lt;p&gt;Nice clear error.  Unfortunately being a single line long, it often gets buried in mountains of trace, and can be hard to find or track down.&lt;/p&gt;
&lt;p&gt;You can use iManager or Designer to add Security equivalence for the driver, or you can just set the Security Equals attribute on the driver object directly via &lt;a class=&quot;glossary-term&quot; href=&quot;/communities/glossary/term/2804&quot;&gt;&lt;acronym title=&quot;In ZENworks Desktop Management, ZENworks Handheld Management, and ZENworks Server Management, a Java-based administration tool used to manage Novell and third-party products on a variety of platforms. It provides a single point of administration for network resources, including Novell eDirectory objects, schema, partitions, replicas, and NetWare servers. If you use ZENworks Desktop Management, Novell ConsoleOne run from Windows is the only viewer or console that can be used for administration.&quot;&gt;ConsoleOne&lt;/acronym&gt;&lt;/a&gt; or via an LDAP tool.&lt;/p&gt;
&lt;p&gt;In this particular case, what happened was in the lab, to be lazy we set Security Equals on the driver set, and thus all the drivers inherited that right from their &lt;a class=&quot;glossary-term&quot; href=&quot;/communities/glossary/term/2027&quot;&gt;&lt;acronym title=&quot;A container object that contains other objects.&quot;&gt;parent object&lt;/acronym&gt;&lt;/a&gt;, the driver set.  But when we deployed to production, we forgot to set the equivalence on the driver as was needed.&lt;/p&gt;
&lt;h3&gt;&lt;a name=&quot;Bad DN in destination DN&quot;&gt;Bad DN in destination DN&lt;/a&gt;:&lt;/h3&gt;
&lt;pre&gt;
&amp;lt;nds dtdversion=&quot;3.5&quot; ndsversion=&quot;8.x&quot;&amp;gt;
  &amp;lt;source&amp;gt;
    &amp;lt;product version=&quot;3.6.1.4427&quot;&amp;gt;DirXML&amp;lt;/product&amp;gt;
    &amp;lt;contact&amp;gt;Novell, Inc.&amp;lt;/contact&amp;gt;
  &amp;lt;/source&amp;gt;
  &amp;lt;output&amp;gt;
    &amp;lt;status event-id=&quot;AMERICAS-AD##121360cbf4d##1&quot; level=&quot;error&quot;&amp;gt;Code(-9172) Error in CN=CN=Query Smithers,OU=Users,OU=SMITH,OU=East,DC=americas,DC=acme,DC=corp : An invalid DN &#039;{1}&#039; is specified: DN does not conform to the format required by the current context.&amp;lt;application&amp;gt;DirXML&amp;lt;/application&amp;gt;
      &amp;lt;module&amp;gt;eDirectory&amp;lt;/module&amp;gt;
      &amp;lt;object-dn&amp;gt;\ACME-LAB-IDV\Watts\Users\qsmith (corp\acme\americas\East\SMITH\Users\qsmith)&amp;lt;/object-dn&amp;gt;
      &amp;lt;component&amp;gt;Publisher&amp;lt;/component&amp;gt;
    &amp;lt;/status&amp;gt;
  &amp;lt;/output&amp;gt;
&amp;lt;/nds&amp;gt;

&lt;/pre&gt;&lt;p&gt;This was triggered by a change in the DirXML-ADContext on the eDirectory side, sending into an Active Directory driver (which is why I had included it in this article, though really it is an Active Directory driver error, but let&#039;s not get picky, ok?)&lt;/p&gt;
&lt;p&gt;If you look at the DN in the error message, you will see it is CN=CN= which is clearly wrong.  When using ParseDN, there are a number of options.  You can read more in these articles:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;http://www.novell.com/communities/node/4337/parsedn-token-identity-manager-and-some-its-limitations&quot;&gt;ParseDN Token in Identity Manager and Some of its Limitations&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;http://www.novell.com/communities/node/5687/examples-using-parsedn-token-identity-manager&quot;&gt;Examples of using the ParseDN Token in Identity Manager&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;In this case, when you convert from source to destination format (the default if you change nothing), if the source is eDirectory, then there will not be a &lt;a class=&quot;glossary-term&quot; href=&quot;/communities/glossary/term/1423&quot;&gt;&lt;acronym title=&quot;A complete address, filename, or pathname, including the host or root and all the direct-line subdirectories. A fully qualified filename includes the name of the file at the end of the path.&quot;&gt;fully qualified name&lt;/acronym&gt;&lt;/a&gt; version (the CN=This,OU=that,o=there and so on; rather it will be \there\that\This), which also applies if you are using ParseDN with a start of -1 and length of 1 to get the object&#039;s name.  In the LDAP case, you would get CN=This whereas in an eDirectory case you would end up with just This.  So depending on your source and destination, remember to set the conversion types correctly.  In this case, I had rebuilt the DN by hand in Policy, so I had prepended a CN= before the local variable where I had the object name resulting from the ParseDN token.  Thus I ended up with an extra CN=.&lt;/p&gt;
&lt;p&gt;That&#039;s it for now. Stay tuned for part 2 of this article, where I work through even more errors I ran into in the real world, using the eDirectory driver for Identity Manager.&lt;/p&gt;
 &lt;div class=&quot;og_rss_groups&quot;&gt;&lt;ul class=&quot;links&quot;&gt;&lt;li class=&quot;first last og_links&quot;&gt;&lt;a href=&quot;/communities/coolsolutions&quot; class=&quot;og_links&quot;&gt;Cool Solutions&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;&lt;/div&gt;</description>
 <comments>http://www.novell.com/communities/node/9264/error-codes-edirectory-driver-identity-manager-part-1#comments</comments>
 <category domain="http://www.novell.com/communities/taxonomy/term/5">ConsoleOne</category>
 <category domain="http://www.novell.com/communities/taxonomy/term/6">DirXML</category>
 <category domain="http://www.novell.com/communities/coolsolutions/edirectory">eDirectory</category>
 <category domain="http://www.novell.com/communities/coolsolutions/nim">Identity Manager</category>
 <category domain="http://www.novell.com/communities/product/identitymanager/identitymanager35">Identity Manager 3.5</category>
 <category domain="http://www.novell.com/communities/topic/error-messages">Error messages</category>
 <category domain="http://www.novell.com/communities/topic/identity+management">Identity Management</category>
 <category domain="http://www.novell.com/communities/taxonomy/term/46">Troubleshooting</category>
 <group domain="http://www.novell.com/communities/coolsolutions/ism" xmlns="http://drupal.org/project/og">Identity &amp;amp; Security Management Cool Solutions</group>
 <group domain="http://www.novell.com/communities/coolsolutions" xmlns="http://drupal.org/project/og">Cool Solutions</group>
 <pubDate>Wed, 18 Nov 2009 10:50:22 -0700</pubDate>
 <dc:creator>geoffc</dc:creator>
 <guid isPermaLink="false">9264 at http://www.novell.com/communities</guid>
</item>
<item>
 <title>Deep Dive at BrainShare 2010</title>
 <link>http://www.novell.com/communities/node/9297/deep-dive-brainshare-2010</link>
 <description> &lt;p&gt;This year Novell is enhancing and expanding two of the most popular attractions at BrainShare - the Installation and Migration Depot and Novell Advanced Technical Training (ATT). Diving Deep is all about helping you take advantage of more in-depth, hands-on technical training opportunities that can have an immediate impact on how you do your job. Swim on over to this new Connection Magazine article to read more: &lt;a href=&quot;http://bit.ly/bsdeepdive&quot; title=&quot;http://bit.ly/bsdeepdive&quot;&gt;http://bit.ly/bsdeepdive&lt;/a&gt;&lt;/p&gt;
 &lt;div class=&quot;og_rss_groups&quot;&gt;&lt;ul class=&quot;links&quot;&gt;&lt;li class=&quot;first last og_links&quot;&gt;&lt;a href=&quot;/communities/coolsolutions/zenworks&quot; class=&quot;og_links&quot;&gt;ZENworks Cool Solutions&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;&lt;/div&gt;</description>
 <comments>http://www.novell.com/communities/node/9297/deep-dive-brainshare-2010#comments</comments>
 <category domain="http://www.novell.com/communities/topic/brainshare-2010">BrainShare 2010</category>
 <group domain="http://www.novell.com/communities/coolsolutions" xmlns="http://drupal.org/project/og">Cool Solutions</group>
 <group domain="http://www.novell.com/communities/coolsolutions/gwmag" xmlns="http://drupal.org/project/og">GroupWise Cool Solutions</group>
 <group domain="http://www.novell.com/communities/coolsolutions/ism" xmlns="http://drupal.org/project/og">Identity &amp;amp; Security Management Cool Solutions</group>
 <group domain="http://www.novell.com/communities/coolsolutions/slemag" xmlns="http://drupal.org/project/og">SUSE Linux Enterprise Cool Solutions</group>
 <group domain="http://www.novell.com/communities/coolsolutions/ntc" xmlns="http://drupal.org/project/og">Teaming &amp;amp; Conferencing Cool Solutions</group>
 <group domain="http://www.novell.com/communities/coolsolutions/workgroup" xmlns="http://drupal.org/project/og">Workgroup Cool Solutions</group>
 <group domain="http://www.novell.com/communities/coolsolutions/zenworks" xmlns="http://drupal.org/project/og">ZENworks Cool Solutions</group>
 <pubDate>Tue, 17 Nov 2009 14:22:03 -0700</pubDate>
 <dc:creator>mattclayton</dc:creator>
 <guid isPermaLink="false">9297 at http://www.novell.com/communities</guid>
</item>
<item>
 <title>Session Voting Begins Today!</title>
 <link>http://www.novell.com/communities/node/9288/session-voting-begins-today</link>
 <description> &lt;p&gt;The time has come to begin voting on the session proposals for BrainShare 2010 in Salt Lake City. Voting will be open from now until December 4th, 2009 (5:00 PM MST). Please take the time to review the proposed sessions and vote for the sessions you believe will be of most value to you and the other conference attendees. &lt;/p&gt;
&lt;p&gt;To access session voting go to &lt;a href=&quot;http://bit.ly/bssessionvoting&quot; title=&quot;http://bit.ly/bssessionvoting&quot;&gt;http://bit.ly/bssessionvoting&lt;/a&gt; and create an account, if you do not already have one created. Please take the time to vote on each session as your votes will help to determine the sessions that will be presented at BrainShare 2010.&lt;/p&gt;
 &lt;div class=&quot;og_rss_groups&quot;&gt;&lt;ul class=&quot;links&quot;&gt;&lt;li class=&quot;first last og_links&quot;&gt;&lt;a href=&quot;/communities/coolsolutions/zenworks&quot; class=&quot;og_links&quot;&gt;ZENworks Cool Solutions&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;&lt;/div&gt;</description>
 <comments>http://www.novell.com/communities/node/9288/session-voting-begins-today#comments</comments>
 <category domain="http://www.novell.com/communities/topic/brainshare-2010">BrainShare 2010</category>
 <group domain="http://www.novell.com/communities/coolsolutions" xmlns="http://drupal.org/project/og">Cool Solutions</group>
 <group domain="http://www.novell.com/communities/coolsolutions/gwmag" xmlns="http://drupal.org/project/og">GroupWise Cool Solutions</group>
 <group domain="http://www.novell.com/communities/coolsolutions/ism" xmlns="http://drupal.org/project/og">Identity &amp;amp; Security Management Cool Solutions</group>
 <group domain="http://www.novell.com/communities/coolsolutions/slemag" xmlns="http://drupal.org/project/og">SUSE Linux Enterprise Cool Solutions</group>
 <group domain="http://www.novell.com/communities/coolsolutions/ntc" xmlns="http://drupal.org/project/og">Teaming &amp;amp; Conferencing Cool Solutions</group>
 <group domain="http://www.novell.com/communities/coolsolutions/workgroup" xmlns="http://drupal.org/project/og">Workgroup Cool Solutions</group>
 <group domain="http://www.novell.com/communities/coolsolutions/zenworks" xmlns="http://drupal.org/project/og">ZENworks Cool Solutions</group>
 <pubDate>Mon, 16 Nov 2009 11:15:58 -0700</pubDate>
 <dc:creator>mattclayton</dc:creator>
 <guid isPermaLink="false">9288 at http://www.novell.com/communities</guid>
</item>
<item>
 <title>DSImport - Win32 Tool to Update eDirectory from CSV Files</title>
 <link>http://www.novell.com/communities/node/9253/dsimport-win32-tool-update-edirectory-csv-files</link>
 <description> &lt;p&gt;DSImport: &lt;a class=&quot;glossary-term&quot; href=&quot;/communities/glossary/term/3276&quot;&gt;&lt;acronym title=&quot;A distributed, replicated naming service that maintains information about and provides access to a list of objects that represent network resources, such as network users, servers, printers, print queues, and applications. The directory is physically stored as a set of database files on a server. If the server hosts file system volumes, these files are on volume sys:. If no volumes are present, the directory is stored on the server&#039;s local disk. eDirectory tightly integrates Novell Security Services for e-commerce (PKI, cryptography, and authentication services), allowing developers to build applications that can be accessed and managed across the entire network through explicit policies.&quot;&gt;eDirectory&lt;/acronym&gt;&lt;/a&gt; CSV Import Tool&lt;/p&gt;
&lt;p&gt;DSImport allows you to process information from CSV files to ...&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;	 import new objects&lt;/li&gt;
&lt;li&gt;	 modify existing objects&lt;/li&gt;
&lt;li&gt;	 delete existing objects&lt;/li&gt;
&lt;li&gt;	 compare with existing objects&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;b&gt;Usage:&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;Tab &quot;Info&quot;&lt;/p&gt;
&lt;ul class=&quot;spread&quot;&gt;
&lt;li&gt;  Show this short overview &lt;/li&gt;
&lt;li&gt;  Get Updates&lt;br /&gt;
	Use the link to my web site to check for updates and get the most recent version &lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Tab &quot;Tree &amp;amp; Context&quot;&lt;/p&gt;
&lt;ul class=&quot;spread&quot;&gt;
&lt;li&gt; Select the tree and container&lt;br /&gt;
	In the tree view, choose a tree and container as a base for your CSV operation&lt;br /&gt;
	This is especially important if your CSV does not contain the full DNs, but only CNs or short object names&lt;/li&gt;
&lt;li&gt; The right panel shows default settings for your CSV - choose the settings that best fit your CSV contents&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Tab &quot;CSV -&amp;gt; eDirectory&quot;  &lt;/p&gt;
&lt;ul class=&quot;spread&quot;&gt;
&lt;li&gt;  Click &quot;Load CSV&quot; to read your CSV and check the result in the CSV grid.&lt;br /&gt;
	Nothing will be sent to eDirectory at this stage.&lt;br /&gt;
	If the columns do not match the way you want your data structured, change the settings (see above) and reload the file&lt;br /&gt;
	Check the comments on &quot;Using the correct CSV file structure&quot; below.&lt;/li&gt;
&lt;li&gt;  Excluding specified columns/attributes from the operation&lt;br /&gt;
	If you would like to exclude selected columns from being imported into eDirectory, click on the CSV grid column header.&lt;br /&gt;
	Selected columns are green, unselected columns are displayed red.&lt;/li&gt;
&lt;li&gt;  Operating on individual objects&lt;br /&gt;
	You may right-click on an object in the CSV grid to perform an action (add, delete, modify) on an individual object CSV line&lt;/li&gt;
&lt;li&gt;  Editing CSV grid data&lt;br /&gt;
	Double-clicking into a grid cell allows you to edit the contents of a data cell.&lt;br /&gt;
	NB: the change will be temporary and will NOT change the imported files&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Tab &quot;Results&quot;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;  Check the results screen for logging and error information.&lt;br /&gt;
	You may use right-click to clear or save the list&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Using the correct CSV file structure&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;	 The first CSV line should typically contain the eDirectory names of the attributes&lt;/li&gt;
&lt;li&gt;	 The first column should be the CN or the DN of the objects&lt;/li&gt;
&lt;li&gt;	 Lines starting with &#039;#&#039; are treated as comments and will be ignored&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Freeware written by Wolfgang Schreiber&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;    &lt;a href=&quot;http://www.WolfgangSchreiber.de&quot; title=&quot;http://www.WolfgangSchreiber.de&quot;&gt;http://www.WolfgangSchreiber.de&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;    &lt;a href=&quot;http://www.WSTools.de&quot; title=&quot;http://www.WSTools.de&quot;&gt;http://www.WSTools.de&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;File Owner:   Dr. Wolfgang Schreiber&lt;br /&gt;
Email:        &lt;a href=&quot;mailto:wstools@WolfgangSchreiber.de&quot;&gt;wstools@WolfgangSchreiber.de&lt;/a&gt;&lt;br /&gt;
Date:         2009/11&lt;/p&gt;
&lt;p&gt;Platforms:    Windows Win9x/WinNT/Win2k/WinXP&lt;/p&gt;
&lt;p&gt;Revision history:&lt;br /&gt;
         2009/11 First release&lt;/p&gt;
 &lt;div class=&quot;og_rss_groups&quot;&gt;&lt;ul class=&quot;links&quot;&gt;&lt;li class=&quot;first last og_links&quot;&gt;&lt;a href=&quot;/communities/coolsolutions&quot; class=&quot;og_links&quot;&gt;Cool Solutions&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;&lt;/div&gt;</description>
 <comments>http://www.novell.com/communities/node/9253/dsimport-win32-tool-update-edirectory-csv-files#comments</comments>
 <category domain="http://www.novell.com/communities/coolsolutions/edirectory">eDirectory</category>
 <category domain="http://www.novell.com/communities/topic/tools+and+utilities">Tools and Utilities</category>
 <group domain="http://www.novell.com/communities/coolsolutions/ism" xmlns="http://drupal.org/project/og">Identity &amp;amp; Security Management Cool Solutions</group>
 <group domain="http://www.novell.com/communities/coolsolutions" xmlns="http://drupal.org/project/og">Cool Solutions</group>
 <pubDate>Fri, 13 Nov 2009 10:57:19 -0700</pubDate>
 <dc:creator>wschreiber</dc:creator>
 <guid isPermaLink="false">9253 at http://www.novell.com/communities</guid>
</item>
<item>
 <title>ECMAScript/JavaScript Development Without a Web Browser</title>
 <link>http://www.novell.com/communities/node/9252/ecmascriptjavascript-development-without-web-browser</link>
 <description> &lt;p&gt;Have you ever been coding &lt;a class=&quot;glossary-term&quot; href=&quot;/communities/glossary/term/1591&quot;&gt;&lt;acronym title=&quot;An object-oriented programming language developed by Sun Microsystems, Inc. to create executable content (ie, self-running applications) that can be easily distributed through networks like the Internet. Developers use Java to create special programs called applets that can be incorporated in web pages to make them interactive. A Java-enabled web browser is required to interpret and run the Java applets.&quot;&gt;Java&lt;/acronym&gt;&lt;/a&gt; and suddenly wanted to do something using loosely-typed variables or worked out an issue with a little less Java-ness?  Have you ever wanted to take advantage of the familiarity people have with some languages (ECMAScript/JavaScript) while still using something that is not a web &lt;a class=&quot;glossary-term&quot; href=&quot;/communities/glossary/term/517&quot;&gt;&lt;acronym title=&quot;1. Software used to explore or navigate. For example, a Web browser (such as Firefox or Internet Explorer) allows a user to access pages on the World Wide Web; a NetWare Administrator browser window allows a user to access the eDirectory tree. Web browsers with a particular encryption capability called Secure Socket Layer (SSL) are sometimes called SSL browsers.2. In the Common Desktop Environment (CDE) Application Builder, a window that provides a symbolic, hierarchical view of a module in a user interface. The browser shows parent-child relationships and groups. It can also be used to find objects in complex modules and to edit a user interface.&quot;&gt;browser&lt;/acronym&gt;&lt;/a&gt; as an environment?  Have you ever wanted to debug your JavaScript without refreshing a web page and your &lt;a class=&quot;glossary-term&quot; href=&quot;/communities/glossary/term/1063&quot;&gt;&lt;acronym title=&quot;1. (verb) To hold data in a temporary storage area, such as in RAM. 
The data can be accessed more quickly from RAM than from the hard disk. 2. (noun) A quickly accessible area of RAM or a directory or a disk that stores frequently used information. 3. (noun) On the Web, refers to the area where the browser stores downloaded graphics on the user&#039;s computer. That way, when the user has to reload the graphics, the browser retrieves it from the computer faster than it would reloading the graphics from the Internet.&quot;&gt;cache&lt;/acronym&gt;&lt;/a&gt; that just won&#039;t seem to ever refresh properly for you?  This and more will be covered today with practical examples in both the Novell Identity Manager (IDM) and Novell Sentinel applications plus any other Java-based applications that you may have around your own environment.&lt;/p&gt;
&lt;p&gt;I think it may be prudent to review briefly what everything we&#039;ll be discussing really is.  For example, the title mentions ECMAScript and JavaScript together almost as if they are the same thing; that is actually a nice little coincidence as they are the same thing.  ECMAScript is the proper name for the language standard as approved by (you guessed it) ECMA but JavaScript is the common name of the language that we all know and love.  JavaScript has the word &#039;Java&#039; in it but another common clarification is that JavaScript is not, in any way, directly related to Java.  It is not meant to be a way to script Java and has no ties to the Java language with regard to data types, interpreters, etc.  That it is very similar to Java syntactically is completely unrelated to its name; it is as much similar to C++, PHP or other C-ish languages.  So as a recap ECMAScript is JavaScript and neither is related to the language and binaries from Sun known as &#039;Java&#039;.  &lt;/p&gt;
&lt;p&gt;Another notable term used throughout this document will be &#039;Rhino&#039; which does not refer to the large mammal with horns on its head but rather to the Mozilla project which makes a JavaScript interpreter available within a Java environment.  At some point later I&#039;ll also mention &lt;a href=&quot;http://www.eclipse.org/&quot;&gt;Eclipse&lt;/a&gt;, the open source Integrated Development Environment (&lt;a class=&quot;glossary-term&quot; href=&quot;/communities/glossary/term/1494&quot;&gt;&lt;acronym title=&quot;1. Integrated Drive Electronics: A hard disk interface (such as ESDI or SCSI) that has replaced the ST-506. The controller hardware is placed on the drive itself for improved performance.2. Integrated Development Environment: A part of Borland&#039;s Turbo C++ compiler.3. Interactive Development Environments, Inc.&quot;&gt;IDE&lt;/acronym&gt;&lt;/a&gt;) originally from IBM.  Finally the &#039;Aptana&#039; plugins for Eclipse make the IDE a bit more friendly.  They are not required for anything specifically to work but they are recommended when doing Sentinel SDK development which is largely based on JavaScript.  All of these tools and technologies are (in some form or another) free for use and most if not all are also open source.&lt;/p&gt;
&lt;p&gt;I&#039;m using a few examples from other sites I found online in preparing this which you may want to review for second opinions and clarifications on the topics covered herein.  I&#039;ll try to mention them as I borrow from them but they include &lt;a href=&quot;http://www.w3schools.com/js&quot;&gt;W3Schools&lt;/a&gt;, &lt;a href=&quot;http://gwydir.demon.co.uk/jo/javascript/&quot;&gt;Jo Edkins&#039; JavaScript tutorial&lt;/a&gt;, and the &lt;a href=&quot;http://www.mozilla.org/rhino/&quot;&gt;Rhino project&lt;/a&gt; page.  Later as we get into IDM and Sentinel-specific tasks we&#039;ll be doing things that may reference the &lt;a href=&quot;http://developer.novell.com/wiki/index.php?title=Develop_to_Sentinel&quot;&gt;Sentinel SDK&lt;/a&gt; specifically.&lt;/p&gt;
&lt;p&gt;In the introduction I mentioned a few reasons for going into browser-less JavaScript.  Despite my disclaimer earlier that JavaScript and Java are not related (that is true: they are not) they can be used together thanks to the project known as Rhino.  Rhino comes in the form of a JAR file which can be added to a Java application&#039;s classpath statement.  Once there then the ability to run JavaScript code within Java (with some limitations) is present and makes up the rest of this document.  There are some notable differences between JavaScript in a browser and JavaScript within Rhino that will be obvious to anybody who has used JavaScript before.  &lt;/p&gt;
&lt;p&gt;First, there is no Document Object Model (DOM) with which to interact.  For example, &#039;document.write(&quot;stuff&quot;);&#039; completely fails because there is (by default) no &#039;document&#039; object.  Other little debugging tricks like using &#039;alert&#039; also fail.  On the good side, though, there is the ability to run JavaScript interactively which can be nice for quick development and immediate feedback on simple problems with syntax or other runtime issues (invalid objects, methods, etc.).  Instead of adding an alert statement a developer can simply use the print() method and put the data to be printed in there and see it without refreshing a browser or saving a file.  I also mentioned the possibility of using what is essentially becoming a commodity programming language; everybody who has done basic web development has come across JavaScript and likely written a little bit.  The syntax is familiar and examples of ways to do many things are plentiful.  JavaScript is at the heart of AJAX and large frameworks such as the Google Web Toolkit (GWT).  Needing to hire a ten-year-veteran of a proprietary programming language is not necessary for simple development work.&lt;/p&gt;
&lt;p&gt;Let&#039;s dive right in.  I&#039;ve debated putting the JavaScript stuff before/after the Rhino stuff and have decided to put JavaScript first as that is what this is primarily about.  If you want to get the Rhino side of things setup it is trivial and will be covered below so jump down, get that, then come back to walk through everything on your own computer as you read it.  I will be separating out code examples so it should be easy to read this then setup the environment, and just run code like crazy later on.  First the basics of JavaScript are similar to other programming languages you may have used.  There are operators similar to those you have probably used before, variables, conditionals, loops, and JavaScript is also object-oriented.  Unlike Java and some other languages the variables can change data types or be treated as different data types very easily.  In the case of the Rhino implementation of JavaScript any classes available to the Java environment running Rhino are also available within JavaScript as will be shown later.&lt;/p&gt;
&lt;p&gt;Variable declaration takes place with a string representing the variable which is made up of alphanumeric characters plus underscores (A-Za-z0-9_) and variables must start with a non-numeric character from what I&#039;ve found.  Unlike some other languages like &lt;a class=&quot;glossary-term&quot; href=&quot;/communities/glossary/term/2048&quot;&gt;&lt;acronym title=&quot;Practical Extraction and Report Language: A general-purpose scripting language for creating scripts on the Web, popular because of its ease of use and availability on a wide range of platforms. Perl 5 supports regular expressions, run-time libraries, exception handling, data structures, and object-oriented features.&quot;&gt;Perl&lt;/acronym&gt;&lt;/a&gt; or PHP there is no character preceding a variable to mark it as a variable.  A variable has a scope that can be either limited by using the &#039;var&#039; keyword or it can be a globally-scoped variable by simply declaring and initializing the variable without the &#039;var&#039; keyword.  Declaring a variable just means telling the interpreter that the variable exists; initializing the variable means not only telling the interpreter that the variable exists but that it should also have a value which is then set into the variable.  Declaring a scoped variable of &#039;myUserName&#039; and initializing it to have the value &#039;ab&#039; all in one command would look like the following:&lt;/p&gt;
&lt;pre&gt;var myUserName = &#039;ab&#039;;   //Declare &#039;myUserName&#039; and set it to the string value &#039;ab&#039;.

&lt;/pre&gt;&lt;pre&gt;var myAge = 30;    //Declare the &#039;myAge&#039; variable and initialize it to the numeric value 30.

&lt;/pre&gt;&lt;pre&gt;var isCool = true;    //Declare and initialize isCool to the boolean value true.

&lt;/pre&gt;&lt;p&gt;Note in the examples above that the first one included single-quotes around the value &#039;ab&#039; while the second did not have quotes around numerics.  Like many languages quotation marks should be used around strings but are not needed for numeric or boolean data types.  Something else potentially of note is the use of comments at the end of the line.  Like in Java, C and other languages single-line comments start with two slashes (sometimes known redundantly as forward-slashes) and comment out the line from the point of the two slashes until the next line starts.  Multi-line comments are also similar to C where they start with /* and end with */ and everything in between is a comment.  Also note the use of whitespace.  Between keywords and variables (&#039;var&#039; and &#039;myUserName&#039;) whitespace must exist, but around the equal sign and between the semicolon and the comments the whitespace is optional and just there for readability.  This brings up another point: newlines are not there to end a line or a statement in most cases as semicolons do that.  In the example above newlines were needed to end the comments but otherwise the three variable initializations could look like the following and have exactly the same outcome:&lt;/p&gt;
&lt;pre&gt;var myUserName=&#039;ab&#039;;var myAge=30;var isCool=true;

&lt;/pre&gt;&lt;p&gt;Moving along it is possible to declare but not initialize a variable by simply using the &#039;var&#039; keyword with the variable name (or names) and then a semicolon to end the line.  The three variables above could be declared in the following way though they would all be null:&lt;/p&gt;
&lt;pre&gt;var myUserName, myAge, isCool;    //Declare but do not initialize explicitly.

&lt;/pre&gt;&lt;p&gt;In many languages declaring a variable without initializing it sets the value to a null value or a similar default and JavaScript is no exception to that convention.  Because I was taught to always initialize variables when declaring them (to keep from getting frustrated when using languages that do not automatically initialize variables for you, such as C++) all of the examples here will declare and initialize variables and I encourage that behavior as it is a good practice overall.&lt;/p&gt;
&lt;p&gt;So we have variables, let&#039;s do a little bit with them (I recommend having them set for these examples as it is more fun than using uninitialized variables).  First, let&#039;s do the basic printing stuff:&lt;/p&gt;
&lt;pre&gt;print(&#039;Hello World!&#039;);   //Basic Hello World program... a one-line in JavaScript; doing this in a browser would simply replace the &#039;print&#039; section with &#039;alert&#039;.
print(myUserName);  //Print whatever is currently in the myUserName variable.  Notice there are no quotes around the characters that make up the variable.
print(myAge);        //Print &#039;30&#039; to the screen.
print(myUserName + &#039; &#039; + myAge);    //Print &#039;ab 30&#039; by concatenating myUserName&#039;s value with a single space and then with myAge&#039;s value.
print(&#039;It is a true statement that &#039; + myUserName + &#039;, who is age &#039; + myAge + &#039;, has an isCool variable set to &#039; + isCool + &#039;.&#039;);

&lt;/pre&gt;&lt;p&gt;Okay we have beat these variables and printing commands to death and it all seems to work.  Let&#039;s play with operators besides the assignment operator (also known as the equals sign).  So far we have just set variables to a value and that is it.  It is time to change the values.  You have already seen that &#039;+&#039; can join strings (concatenate) together but it is also available for arithmetic when numeric types are used exclusively:&lt;/p&gt;
&lt;pre&gt;myAge = myAge + 3;   //myAge should now be 33 if it was 30 before
myAge += 3;    //Functionally equivalent to the line above, but shorter.  myAge is now 36.
myAge /= 12;   //Divide myAge by twelve and set the result back into myAge... should be 3 now.
myAge *= 12;   //Multiply myAge by twelve and set the result back into myAge... should be 36 again.
--myAge;   //Decrement the value of myAge by one and set it then returning the value (35);
myAge--;   //Return the value of myAge and THEN decrement it by one so the NEXT time myAge is called it will show the value of 34.
myAge++;   //Increment the value of myAge after returning the current value (34).
++myAge;   //Increment the value of myAge and return the value (36);
myAge = 0XFF;   //Set myAge equal to 0XFF which is a hexadecimal representation of the decimal number we all know and love as 255;
myAge = 3.00e2;   //Use scientific notation to set myAge to 300.

&lt;/pre&gt;&lt;p&gt;Most of these examples apply to just about any programming language you can find so let&#039;s move over to Arrays.  An array is a set of multiple values all available via a single variable name.  The different values are accessed individually by using an index or an offset from the variable name itself.  For example the zeroth offset [0] from &#039;myFavoriteThings&#039; will be &#039;piano&#039; while the first offset [1] will be &#039;book&#039;.  See below for the code examples:&lt;/p&gt;
&lt;pre&gt;var myFavoriteThings = [&#039;piano&#039;, &#039;book&#039;];   //Initialize the myFavoriteThings array with two values.
var myFavoriteThings = new Array(&#039;piano&#039;, &#039;book&#039;);    //Functionally equivalent to the previous initialization of the array.
print(myFavoriteThings[0]);   //Print &#039;piano&#039;
print(myFavoriteThings[1]);   //Print &#039;book&#039;
print(myFavoriteThings[2]);   //Print &#039;undefined&#039; since this index does not reference anything that is as of yet defined in the array.

&lt;/pre&gt;&lt;p&gt;Something nice about a few of these languages is that Arrays are defined as &#039;sparse&#039; arrays meaning that they only allocate memory for elements which have data in them.  For example you could define an array with ninety-nine slots (places, indexes, offsets, whatever) for strings but only those indexes which were populated would actually take up space.  The arrays in JavaScript (and other languages too) are also variable in size allowing you to add or remove elements on the fly without redefining the array&#039;s size in a static way which is very nice.&lt;/p&gt;
&lt;p&gt;Another note that always makes me happy is that JavaScript arrays are naturally &#039;associative&#039; arrays which means that the index does not always need to be just a simple integer but can be a &#039;key&#039; which then has a &#039;value&#039; referred-to by the key.  Initializing an associative array is a little different but still simple to understand; notice the use of the braces around the key/value pairs instead of brackets around the values alone:&lt;/p&gt;
&lt;pre&gt;var myFavoriteThings = {&#039;instrument&#039;:&#039;piano&#039;, &#039;media&#039;:&#039;book&#039;};
print(myFavoriteThings[&#039;instrument&#039;]);   //Prints &#039;piano&#039;.
print(myFavoriteThings[&#039;media&#039;]);   //Prints &#039;book&#039;.

&lt;/pre&gt;&lt;p&gt;The initialization sets up the associative array (Perl programmers will recognize the term &#039;hash&#039; meaning the same thing) of myFavoriteThings with a key of &#039;instrument&#039; which refers to the value &#039;piano&#039; and the key &#039;media&#039; which refers to the value &#039;book&#039;.  Just to mention a quick example about multi-dimensional arrays JavaScript supports these as well and the syntax just nests what we have already learned to provide the functionality.  This gets confusing for beginners so touching on this is probably all I&#039;ll do:&lt;/p&gt;
&lt;pre&gt;var myPets = {&#039;cats&#039;:[&#039;rosco&#039;, &#039;tiger&#039;], &#039;horses&#039;:[&#039;mikey&#039;, &#039;shasta&#039;]};    //Initialize the myPets associative array with a &#039;cats&#039; key referring to an array of names of cats, and a &#039;horses&#039; key referring to an array of names of horses.
print(myPets[&#039;cats&#039;][0]);    //Prints &#039;rosco&#039;;
print(myPets[&#039;horses&#039;][1]);     //Prints &#039;shasta&#039;;

&lt;/pre&gt;&lt;p&gt;With the basics of variables, arrays, and operators under our belt we can start doing fun things like conditionals and loops.  The basic conditional executes code based on conditions that are checked.  For example writing code to tease somebody for being &quot;old&quot; is trivial:&lt;/p&gt;
&lt;pre&gt;if(myAge &amp;gt; 29) {    //Check for the variable &#039;myAge&#039; being greater-than the numeric value 29.
  print(&#039;Oh boy you sure are old....&#039;);    //Print a message
} else if (myAge &amp;gt; 25) {
  print(&#039;The joys of middle age... hopefully you are no longer dumb and acting like it but are still not too old either.&#039;);    //If the previous if statements haven&#039;t matched try this one.
} else {    //If the previous if statements did not match then the &#039;else&#039; branch is used instead, assuming an else branch exists that is....
  print(&#039;Whippersnapper!  Get off my lawn.&#039;);
}

&lt;/pre&gt;&lt;p&gt;For a lot of possibilities for a single &#039;if&#039; statement sometimes a &#039;switch&#039; or &#039;case&#039; statement is advantageous.&lt;/p&gt;
&lt;pre&gt;myResponse = &#039;optimistic&#039;;
switch(myResponse) {
  case &#039;pessimistic&#039;:
    //do something here for pessimistic responses
    break;   //skip to the end
  case &#039;optimistic&#039;:
    //do something here for optimistic responses
    break;   //skip to the end
  default:
    //Do whatever you want here for those times the previous cases were not met.
    break;
}

&lt;/pre&gt;&lt;p&gt;After conditionals are understood loops seem like a good place to venture next.  We&#039;ll go over the &#039;for&#039; and &#039;while&#039; loops briefly.  The &#039;for&#039; loop starts out and typically sets an initial value for a counter/iterator, then sets a condition for how long the loop should run, and finally ends with a statement about how to increment the counter or iterator.  All of the code within the braces is then run as long as the condition within the definition of the &#039;for&#039; loop is true:&lt;/p&gt;
&lt;pre&gt;//Set up ctr0 with the value 0 and loop while ctr0 is less-than 10, incrementing it by one (++ctr0) at the end of each iteration.
var factorial = 1;
for(var ctr0 = 0; ctr0 &amp;lt; 10; ++ctr0) {
  print(ctr0);    //Print the current version of the ctr0 variable
  if(ctr0 != 0) {
    factorial *= ctr0;
  }
}
print(factorial);

&lt;/pre&gt;&lt;p&gt;The loop above combines a loop and a conditional as well.  It initializes ctr0 to 0 and then loops while that variable is less-than 10, incrementing it by one every iteration.  Inside the loop it prints the value of ctr0 and also, if the ctr0 value is not equal to 0, multiplies the current &#039;factorial&#039; variable (which was originally initialized to 1) by it and after the entire loop is completed prints out the factorial.  This functionally is a little script that, with a lot of extra stuff, gives us the value for 9! or nine factorial (the product of all integers from one to nine) or 362880.  Another kind of loop is the while loop which leaves control of counters or iterators to you and just loops while the user-defined condition at the beginning is true:&lt;/p&gt;
&lt;pre&gt;//Another factorial generator, though this one stops when the product reaches a certain value rather than when the factors reach a certain value.
var ctr0 = 1;
var factorial = 1;
while(factorial &amp;lt; 320000) {
  factorial *= ctr0;
  ++ctr0;
}
print(factorial);

&lt;/pre&gt;&lt;p&gt;Another type of loop that is very handy is one that loops through values of an object.  Remember those arrays?  What if you wanted to print everything in an array?  Turns out that is also quite easy:&lt;/p&gt;
&lt;pre&gt;//Print all of the pet types.
for(var onePet in myPets) {
  print(onePet);
}

&lt;/pre&gt;&lt;p&gt;Note that if you still have the multi-dimensional array setup from above this only prints the keys for the first array and does not go into the nested arrays or other data structures.  This is typically useful as you could easily get into those now by nesting another loop within the first loop that went through all of the values for any object found during this loop&#039;s iteration.&lt;/p&gt;
&lt;pre&gt;//Print all of the pet types and then the pets.
for(var firstElement in myPets) {    //Loop through all of the types of pets as those are the keys for the myPets associative array (hash).
  print(firstElement);   //Print this type of pet.
  for(var secondElement in myPets[firstElement]) {    //Loop through the keys of the nested arrays of the top arrays to get the names of the type of pet through which we are currently looping.
    print(&#039;  &#039; + myPets[firstElement][secondElement]);    //Print a couple spaces and then the name of the current pet.
  }
}

&lt;/pre&gt;&lt;p&gt;So with very little code we can get a list of everything within nested associative arrays.&lt;/p&gt;
&lt;p&gt;After about ten minutes of programming (if that) you will probably find that you do the same things over and over.  For example you probably print a lot, you may want to handle data types or objects in certain ways, or whatever.  Programming has a concept of functions or methods which take parameters (typically) and return a value or some output after doing a specific bit of processing on the available data.  This is useful as it encourages code reuse so you are not writing the same ten lines of code thousands of times in a program or script and then having to modify all of those thousands of instances the second you determine that you have a glitch in your logic or a change to what your code does because of new requirements.  Creating a method (function) in JavaScript is easy and it acts a lot like a variable.  A method has a keyword (&#039;function&#039;) followed by a name (myFunction) and then data which are used within the method.  In the case of the method the code is also executed when the method is called but otherwise methods are very similar to variables:&lt;/p&gt;
&lt;pre&gt;//Define a method named addTwoNums which, when sent two values, adds them together and returns the result.
function addTwoNums(num0, num1) {
  return num0 + num1;
}

&lt;/pre&gt;&lt;p&gt;The sample method above could be called like the following, which I expect would end up printing the value 25 to the screen:&lt;/p&gt;
&lt;pre&gt;print(addTwoNums(18, 7));   //Print the sum of 18 and 7 to the screen.
print(addTwoNums(12345, 678910));   //Print the sum of &#039;12345&#039; and &#039;678910&#039; which is 691255.
print(addTwoNums(myUserName + &#039; has isCool set to &#039;, isCool));   //Concatenates because of loose interpretation of data types in JavaScript and the overloaded &#039;+&#039; operator which also concatenates data.

&lt;/pre&gt;&lt;p&gt;Another benefit of using methods/functions is you can describe complicated code in a simple fashion.  As an example it is easier to name a method something about returning a random integer from zero to four billion and change than it is to figure out what the code does sometimes:&lt;/p&gt;
&lt;pre&gt;//Method to get a random integer from zero to 2^32.
function getRandomInteger() {
  return (Math.floor((Math.random()*(Math.pow(2, 32)))));
}

print(getRandomInteger());

&lt;/pre&gt;&lt;p&gt;Finally this is a nice introduction to objects.  In the previous example I made three calls to something called &#039;Math&#039; which is a math object in JavaScript that is just waiting to be used for fun things that otherwise are not always fun to code.  Specifically I used Math.floor() (round to the next integer below the value passed into the method), Math.random() (returns a decimal number between zero and one) and Math.pow() which is used for getting the results of one number taken to some power (two to the third power, for example, is eight).  The Math object also returns results for things like pi (3.14159...) and other numbers that are fairly constant in the universe.  It includes ways to calculate the sine, cosine, and other geometric things.  Objects, in the software sense, are instances of certain classes and therefore take on the attributes and methods of those classes.  The Math object exists to provide calculated results to the programmer as shown in the previous example.  In JavaScript it is possible to create classes for your own purposes.  A common class example is the &#039;Person&#039; class.  Instance variables often include things like eye color, first name, government identification number, e-mail address, etc.  Instantiating an object named &#039;johnSmith&#039; of the Person class could then have the variables set with data specific to John Smith.  Benefits of doing so mean the ability to contain all of the attributes related to a single object all in one place instead of trying to maintain different arrays of the data for the object.&lt;/p&gt;
&lt;p&gt;One thing that is interesting about variables in JavaScript is that you do not need to declare them as a specific object type (class) all of the time for them to be treated like a certain class.  As an example any old string variable can immediately use the methods of the String class.  Consider the following example where a simple string is created out of thin air but then the method toUpperCase() is usable to return the string all in upper case and the length attribute is usable to return the length of the string:&lt;/p&gt;
&lt;pre&gt;var myUserName = &#039;ab&#039;;    //Initialize the variable.
print(myUserName.toUpperCase() + &#039; is &#039; + myUserName.length + &#039; characters long.&#039;);    //Print a sentence showing the string all in upper case and the length of the string.

&lt;/pre&gt;&lt;p&gt;Other methods of the String class include the indexOf() method, which returns the offset of a given substring.  The match() method also lets the programmer test if the string matches a given pattern known as a &lt;a class=&quot;glossary-term&quot; href=&quot;/communities/glossary/term/3350&quot;&gt;&lt;acronym title=&quot;A regular expression (regex) is a way of describing a string of text using metacharacters or wildcard symbols.&quot;&gt;regular expression&lt;/acronym&gt;&lt;/a&gt;.  Some examples follow:&lt;/p&gt;
&lt;pre&gt;print(&#039;&quot;b&quot; is found in the myUserName variable at index &#039; + myUserName.indexOf(&#039;b&#039;));    //Print a sentence along with the offset of the &#039;b&#039; character.
print(&#039;&quot;b&quot; will be replaced by &quot; qwerty&quot; as a result of this example&#039;);
print(myUserName.replace(&#039;b&#039;, &#039; qwerty&#039;));   //Replace &#039;b&#039; with &#039; qwerty&#039; and print the resulting &#039;a qwerty&#039; but do not set myUserName to this new value.

&lt;/pre&gt;&lt;p&gt;As another example of a built-in object we have the Date object which, as you probably guessed, deals with date and time functions.  With this we can get the current time as it is set in different timezones around the world, in different formats (two and four-digit years for example), and other different ways.  A date object can be set to the current date (and is by default) but can also be set to another arbitrary point in time.  By comparing a Date object initialized before an operation and then after the operation is completed the time taken to perform the operation can be ascertained.  As an example I&#039;ll create a Date object, count for a while, then create another Date object, and compare them to see the number of milliseconds between them:&lt;/p&gt;
&lt;pre&gt;var ctr0 = 0;
var myDate0 = new Date();      //Create an object to help timing a counter from zero to some number specified in the for loop.
for(ctr0 = 0; ctr0 &amp;lt; 1000000; ++ctr0) { }
var myDate1 = new Date();      //Create an object at the completion of the counting operation.
print(&#039;Counting took &#039; + (myDate1 - myDate0) + &#039; milliseconds.&#039;);   //Print the time taken in milliseconds.

&lt;/pre&gt;&lt;p&gt;The resulting text on my laptop was &#039;Counting took 139 milliseconds.&#039;  Some other basic calls to the Date object will show month, day, year, hours, day of the year, seconds since 1970-01-01, etc.  One really neat property of JavaScript objects is the ability to convert them back to the source which created them.  For example the following examples show the code to create the myDate0 and myDate1 objects above:&lt;/p&gt;
&lt;pre&gt;print(myDate0.toSource());    //Show the source of the myDate0 object.
print(myDate1.toSource());    //Show the source of the myDate1 object.
print(Date().toSource());    //Date() called without &#039;new&#039; returns the current date as a string, so this shows the source of a String.&lt;/pre&gt;&lt;p&gt;The result of the three commands above (for me right now) follows:&lt;/p&gt;
&lt;pre&gt;(new Date(1257391274428))
(new Date(1257391274567))
(new String(&quot;Wed Nov 04 2009 20:31:03 GMT-0700 (MST)&quot;))

&lt;/pre&gt;&lt;p&gt;One value here is that an object could be saved out to a string and read in by another script or a later incarnation of the same script.  It also aids in learning about the objects&#039; creation as well as seeing how the objects are currently set up.  Also remember all of those Daylight Savings Time perils that crop up every year or so, or maybe every few months?  Creating a Date object that is powered by Java and therefore knows everything Java knows (as updated by tzupdater) is trivial, and seeing what the time is per that Java invocation does not require coding anything in pure Java then compiling and running.  Just create a date object and see what the time is relative to GMT, or see how the date object looks in its source to see if the current time is inside the range of dates for daylight savings time (MDT for Mountain Daylight Time) or outside that range (MST for Mountain Standard Time).  As any old Java implementation can be used to load the Rhino environment in which we do all of this current stuff, checking one Java implementation and then another is trivial.&lt;/p&gt;
&lt;p&gt;So now we have a basic overview of the JavaScript language it is probably a good idea to talk about how to do this outside a browser finally.  It&#039;s time to show off the Rhino environment in which all of these examples are currently running.  In order to get Rhino working on your system one simply needs a Java runtime installed (chances are one is already there, but if not get one from &lt;a href=&quot;http://java.sun.com/&quot; title=&quot;http://java.sun.com/&quot;&gt;http://java.sun.com/&lt;/a&gt; or your system&#039;s favorite installation source) and then the JAR file from the Rhino project that provides the desired functionality.  With Java (including the &#039;java&#039; executable in your user&#039;s PATH) and the JAR in place the following command should get things going for you.&lt;/p&gt;
&lt;pre&gt;java -jar /path/to/js.jar
Rhino 1.7 release 2 2009 03 22
js&amp;gt;

&lt;/pre&gt;&lt;p&gt;As you can see the prompt is now changed; here we can type or paste input and have it executed in realtime.  As an example of both the input and the output:&lt;/p&gt;
&lt;pre&gt;js&amp;gt; var ctr0 = 0;
js&amp;gt; var myDate0 = new Date();      //Create an object to help timing a counter from zero to some number specified in the for loop.
js&amp;gt; for(ctr0 = 0; ctr0 &amp;lt; 1000000; ++ctr0) { }
js&amp;gt; var myDate1 = new Date();      //Create an object at the completion of the counting operation.
js&amp;gt; print(&#039;Counting took &#039; + (myDate1 - myDate0) + &#039; milliseconds.&#039;);   //Print the time taken in milliseconds.
Counting took 823 milliseconds.

&lt;/pre&gt;&lt;p&gt;To get started, call the help() method, which lists some built-in commands that will help over time.  I have called it in the example below to give some idea of the output and options available by default besides what was covered above:&lt;/p&gt;
&lt;pre&gt;js&amp;gt; help()

Command                Description
=======                ===========
help()                 Display usage and help messages.
defineClass(className) Define an extension using the Java class
                       named with the string argument.
                       Uses ScriptableObject.defineClass().
load([&quot;foo.js&quot;, ...])  Load JavaScript source files named by
                       string arguments.
loadClass(className)   Load a class named by a string argument.
                       The class must be a script compiled to a
                       class file.
print([expr ...])      Evaluate and print expressions.
quit()                 Quit the shell.
version([number])      Get or set the JavaScript version number.
gc()                   Runs the garbage collector.
spawn(arg)             Evaluate function or script name on a new thread
sync(function)         Creates a synchronized version of the function,
                       where the synchronization object is &quot;this&quot;
readFile(fileName [, encoding])
                       Returns the content of the file as a string.
                       Encoding of the string can be optionally specified.
readUrl(url [, encoding])
                       Similar to readFile, reads the contents of the url.
runCommand(name ...)   Runs a specified shell command. Additional arguments are
                       passed to the command
seal(args ...)         Seals the supplied objects
toint32(arg)           Converts the argument into a 32-bit integer
serialize(obj, fileName)
                      Serializes an object and saves it to a file
deserialize(fileName)  Reconstructs a serialized object
environment            Returns the current environment object
history                Displays the shell command history

&lt;/pre&gt;&lt;p&gt;Some of these you should know already, such as print().  Another that will stand out to Java aficionados is gc() which lets you call the Garbage Collector to force memory to be cleaned up.  quit() is also useful; you MUST have the () (parentheses) at the end of all of these including quit() in order to invoke the method or else you will simply get the definition (code) of the method back, which isn&#039;t that helpful when trying to close your JS environment.  Also included is readUrl() which goes out and reads the URL given to it and returns whatever it finds there to your screen which could include remote JS code, &lt;a class=&quot;glossary-term&quot; href=&quot;/communities/glossary/term/3186&quot;&gt;&lt;acronym title=&quot;Extensible Markup Language&quot;&gt;XML&lt;/acronym&gt;&lt;/a&gt; for parsing, or anything else like that.  The following command, for example, pulls Google&#039;s homepage &lt;a class=&quot;glossary-term&quot; href=&quot;/communities/glossary/term/1482&quot;&gt;&lt;acronym title=&quot;HyperText Markup LanguageThe markup language used to create pages on the World Wide Web. Because HTML uses ASCII text character combinations to code or tag various options, it can be used on a variety of platforms. HTML coding can be used to format text, create lists, insert multimedia, create forms for collecting user input, and create links to other Web locations.HTML is a language for describing page layout in electronic documents such as Web pages, help files, and e-mail messages. HTML can be used in e-mail and news posts to insert images and apply text treatments.&quot;&gt;HTML&lt;/acronym&gt;&lt;/a&gt; into the googleHTML variable:&lt;/p&gt;
&lt;pre&gt;var googleHTML = readUrl(&#039;http://www.google.com/&#039;);

&lt;/pre&gt;&lt;p&gt;The load() method will also read in local files as JS code so you can include functions from other files to keep your files modular and flexible.  Also recall that this entire environment is running within Java so we still have access to any classes available via Java as long as the JRE can call them and they are defined within JS.  Making other classes available is simply a matter of modifying the calling JRE&#039;s classpath statement to include the paths to relevant classes.  The &#039;java&#039; command accepts the &#039;-cp&#039; parameter followed by a colon-delimited list of paths to classes.  Once that is done the JS environment must still be told to make those packages available in one way or another.  The following are examples that should work assuming that the necessary JAR files are present for the non-native Java classes:&lt;/p&gt;
&lt;pre&gt;importPackage(java.lang);   //Import the java.lang package so classes within this package are available.

&lt;/pre&gt;&lt;pre&gt;importPackage(Packages.com.novell.xml.util);    //Import the com.novell.xml.util package; notice Packages must lead the actual package when the package itself is not a part of the java.* hierarchy of packages.

&lt;/pre&gt;&lt;p&gt;Once these are executed the following commands also work taking advantage of native Java within the JavaScript:&lt;/p&gt;
&lt;pre&gt;var mylong0 = java.lang.Long.parseLong(binstring, 2);
var base64c = new Packages.com.novell.xml.util.Base64Codec();

&lt;/pre&gt;&lt;p&gt;With that the wide world of Java is instantly available in a scripting fashion.  Notice that &#039;mylong0&#039; and &#039;base64c&#039; are declared as one type or another in JavaScript though they refer to specific objects of certain classes in Java.  As you have probably noticed the second command in either of the two preceding code blocks is using a class that comes from Novell.  The reason for this is that these are part of the Novell Identity Manager set of classes.  Originally when I was told how to use Rhino it was in the context of IDM which supports ECMAScript along with the more traditional DirXML/IDM &lt;a class=&quot;glossary-term&quot; href=&quot;/communities/glossary/term/3000&quot;&gt;&lt;acronym title=&quot;In ZENworks Desktop Management, ZENworks Handheld Management, and ZENworks Server Management, a set of rules that define how workstations, handheld devices, and servers can be configured and controlled, including application availability and access, file access, and the appearance and contents of individual desktops. Policies are contained within policy packages, where they are also administered and customized.&quot;&gt;policy&lt;/acronym&gt;&lt;/a&gt; and XSLT.  A quick little shell script pulls in all of IDM&#039;s basic classes and launches the Rhino shell in one quick step.  That script&#039;s code follows:&lt;/p&gt;
&lt;pre&gt;&amp;lt;code interpreter=&#039;/bin/bash&#039; scriptfile=&#039;~/bin/dxrhino&#039;&amp;gt;
#Script from development to load in the IDM environment for rhino testing.  Requires
#rlwrap as well.  Takes one value (JavaScript I believe) as a parameter.
PATH=/opt/novell/eDirectory/lib/nds-modules/jre/bin:$PATH

CP=
for i in /opt/novell/eDirectory/lib/dirxml/classes/*.jar
do
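    CP=&quot;${CP:+$CP:}$i&quot;    #Append each JAR; avoids a leading &#039;:&#039; (an empty classpath entry).
done
rlwrap java -cp &quot;$CP&quot; com.novell.soa.script.mozilla.javascript.tools.shell.Main &quot;$@&quot;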
&amp;lt;/code&amp;gt;

&lt;/pre&gt;&lt;p&gt;Notice that the PATH and CP variables are set to include a root-based installation of eDirectory&#039;s IDM engine classes.  These can be modified to suit your needs.  The most important part is that a valid Java environment is used (which PATH helps with above) and that the JAR files are included (as loaded in via CP above).  One other note is that rlwrap is included on that line where Java is called; among possible other things this lets the up-arrow key work properly to move back to previous commands entered in Rhino.  If this is not there it is likely that you will experience garbage characters at the JS prompt when trying to use the up arrow to go to previous commands.  rlwrap is trivial to add to the system even if it is from source so I would add it to any system that will be used even remotely.  My compiled build shows version 0.30 in case that helps.&lt;/p&gt;
&lt;p&gt;In a later article I&#039;ll be discussing some in-depth uses of this technology both within the Novell Identity Manager and Novell Sentinel-based products along with other little scripts that can now be easily created using JS and Java.  If you have not done so by this point, set up what has been discussed and see what potential uses apply to your own environment.  The environment is painless to set up and works reliably thanks to Java.&lt;/p&gt;
 &lt;div class=&quot;og_rss_groups&quot;&gt;&lt;ul class=&quot;links&quot;&gt;&lt;li class=&quot;first last og_links&quot;&gt;&lt;a href=&quot;/communities/coolsolutions/workgroup&quot; class=&quot;og_links&quot;&gt;Workgroup Cool Solutions&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;&lt;/div&gt;</description>
 <comments>http://www.novell.com/communities/node/9252/ecmascriptjavascript-development-without-web-browser#comments</comments>
 <category domain="http://www.novell.com/communities/content-type/appnote">AppNote</category>
 <category domain="http://www.novell.com/communities/taxonomy/term/6">DirXML</category>
 <category domain="http://www.novell.com/communities/coolsolutions/nim">Identity Manager</category>
 <category domain="http://www.novell.com/communities/product/linux">Linux</category>
 <category domain="http://www.novell.com/communities/coolsolutions/oes">Open Enterprise Server</category>
 <category domain="http://www.novell.com/communities/product/opensuse">openSUSE</category>
 <category domain="http://www.novell.com/communities/product/sentinel">Sentinel</category>
 <category domain="http://www.novell.com/communities/taxonomy/term/79">SUSE Linux Enterprise</category>
 <category domain="http://www.novell.com/communities/coolsolutions/sled">SUSE Linux Enterprise Desktop</category>
 <category domain="http://www.novell.com/communities/product/suse+linux+enterprise+server">SUSE Linux Enterprise Server</category>
 <category domain="http://www.novell.com/communities/topic/administration">Administration</category>
 <category domain="http://www.novell.com/communities/topic/command-line">Command Line</category>
 <category domain="http://www.novell.com/communities/taxonomy/term/29">Developer</category>
 <category domain="http://www.novell.com/communities/topic/developer+tools">Developer Tools</category>
 <category domain="http://www.novell.com/communities/taxonomy/term/69">Identity &amp;amp; Security Management</category>
 <category domain="http://www.novell.com/communities/topic/identity+management">Identity Management</category>
 <category domain="http://www.novell.com/communities/topic/java">Java</category>
 <category domain="http://www.novell.com/communities/topic/linux">Linux</category>
 <category domain="http://www.novell.com/communities/topic/open-source">Open Source</category>
 <category domain="http://www.novell.com/communities/topic/scripting">Scripting</category>
 <category domain="http://www.novell.com/communities/topic/tips+administrators">Tips for Administrators</category>
 <category domain="http://www.novell.com/communities/taxonomy/term/46">Troubleshooting</category>
 <category domain="http://www.novell.com/communities/topic/unix">UNIX</category>
 <group domain="http://www.novell.com/communities/coolsolutions" xmlns="http://drupal.org/project/og">Cool Solutions</group>
 <group domain="http://www.novell.com/communities/partners/ism" xmlns="http://drupal.org/project/og">Identity and Security</group>
 <group domain="http://www.novell.com/communities/partners/datacenter" xmlns="http://drupal.org/project/og">Data Center</group>
 <group domain="http://www.novell.com/communities/coolsolutions/ism" xmlns="http://drupal.org/project/og">Identity &amp;amp; Security Management Cool Solutions</group>
 <group domain="http://www.novell.com/communities/coolsolutions/slemag" xmlns="http://drupal.org/project/og">SUSE Linux Enterprise Cool Solutions</group>
 <group domain="http://www.novell.com/communities/coolsolutions/workgroup" xmlns="http://drupal.org/project/og">Workgroup Cool Solutions</group>
 <pubDate>Thu, 12 Nov 2009 16:10:32 -0700</pubDate>
 <dc:creator>aburgemeister</dc:creator>
 <guid isPermaLink="false">9252 at http://www.novell.com/communities</guid>
</item>
<item>
 <title>How to stop Novell Audit LCache process gracefully...</title>
 <link>http://www.novell.com/communities/node/9249/how-stop-novell-audit-lcache-process-gracefully</link>
 <description> &lt;p&gt;&lt;b&gt;Why should I stop LCache?&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;When you change any configuration properties or configurable options in the Platform Agent&#039;s configuration property (logevent.conf/cfg) file, you have to stop and start LCache. This is necessary because both the Platform Agent and LCache read the configuration property file only once, at the time of starting / loading. If a user wants his changes made in the logevent.conf file to be in place, he has to stop and start the LCache process. The same thing applies to the Platform Agent as well.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;How to stop LCache? &lt;/b&gt;&lt;/p&gt;
&lt;p&gt;With the Platform Agent it is very easy if a user wants to stop (unload) PA.  He just needs to stop the logging application.  It will unload the Platform Agent (logevent library) also, because the Platform Agent is just a shared library. But this is a little different with LCache, because LCache is a process which will be started by the Platform Agent library when it is loaded by any logging application (whenever somebody makes a call to the Platform Agent&#039;s exposed &lt;a class=&quot;glossary-term&quot; href=&quot;/communities/glossary/term/2636&quot;&gt;&lt;acronym title=&quot;application programming interfaceA set of functions, procedures, values, or other defined interface standards that an application uses to request and carry out services performed by another program or by an operating system. A single API typically specifies how input should be requested and obtained, and how output should be done.&quot;&gt;API&lt;/acronym&gt;&lt;/a&gt; – LogOpen).  The Platform Agent will start LCache every time it is loaded by any logging application but there is no program or script or command to stop LCache manually. The Platform Agent checks if the LCache process is running or not. If the LCache process is already running, the Platform Agent just establishes a connection to it and starts sending information. If the LCache process is not running, the Platform Agent will start it and then establish a connection for sending events.&lt;/p&gt;
&lt;p&gt;In the case of Linux (SLES-9 and 10) with &lt;a class=&quot;glossary-term&quot; href=&quot;/communities/glossary/term/3276&quot;&gt;&lt;acronym title=&quot;A distributed, replicated naming service that maintains information about and provides access to a list of objects that represent network resources, such as network users, servers, printers, print queues, and applications. The directory is physically stored as a set of database files on a server. If the server hosts file system volumes, these files are on volume sys:. If no volumes are present, the directory is stored on the server&#039;s local disk. eDirectory tightly integrates Novell Security Services for e-commerce (PKI, cryptography, and authentication services), allowing developers to build applications that can be accessed and managed across the entire network through explicit policies.&quot;&gt;eDirectory&lt;/acronym&gt;&lt;/a&gt;, whenever eDirectory is stopped the LCache process is also stopped. On Linux, even though the application takes no care to stop its child processes, the &lt;a class=&quot;glossary-term&quot; href=&quot;/communities/glossary/term/1997&quot;&gt;&lt;acronym title=&quot;operating systemThe master control program that runs the computer. It is the first program loaded when the computer is turned on, and its main part, called the kernel, resides in memory at all times. The operating system performs basic tasks, such as recognizing input from the keyboard, sending output to the display screen, keeping track of files and directories on the disk, and controlling peripheral devices such as disk drives and printers. The operating system acts as an interface between the user and the computer, enabling the user to operate software applications and access all resources available on the computer, including the CPU, media drives, memory, printers, and storage devices.&quot;&gt;OS&lt;/acronym&gt;&lt;/a&gt; provides this facility by default, but this is not true with Solaris. 
When the Platform Agent is loaded by eDirectory, PA becomes part of eDirectory, and hence when PA starts (forks) LCache, LCache becomes a child process of eDirectory. (If you kill (kill -9) the LCache process while eDirectory is running, you will get a defunct LCache process.) But in the case of Solaris, even if you stop eDirectory, the LCache process will not be stopped; it continues running independently. The Platform Agent is not loaded (used) only by eDirectory; many applications use the Platform Agent. Unlike eDirectory on Linux (SLES), when you stop eDirectory on Solaris, the LCache process will not be stopped.&lt;/p&gt;
&lt;p&gt;Ideally the logging application should also stop its child processes while it is going down or stopping. But some applications, like IDM&#039;s Remote Loader and eDirectory on Solaris, do not stop the LCache process. In such cases, the user may want to stop the LCache process manually and gracefully rather than abruptly, since an abrupt stop may cause some data loss. The LCache process can be gracefully stopped by sending a TERM signal to the running LCache process. In the LCache code, the SIGTERM signal is handled to shut down the LCache process gracefully.&lt;/p&gt;
&lt;pre&gt;$ kill -TERM $(pgrep lcache)

&lt;/pre&gt;&lt;p&gt;
or&lt;/p&gt;
&lt;pre&gt;$ kill -15 $(pgrep lcache)

&lt;/pre&gt;&lt;p&gt;
or &lt;/p&gt;
&lt;pre&gt;$ kill -SIGTERM $(pgrep lcache)

&lt;/pre&gt;&lt;p&gt;&lt;b&gt;NOTE:&lt;/b&gt; pgrep lcache returns the pid of the running LCache process. You can also pass the running LCache process ID to kill directly instead.&lt;/p&gt;
&lt;p&gt;Even though many Platform Agents are using LCache for sending the events, only one LCache process will be running on every client machine. By contrast, every logging application has its own copy of the Platform Agent (library).&lt;/p&gt;
&lt;p&gt;The above command sends the SIGTERM signal to the running LCache process. When LCache gets the SIGTERM signal, it closes all the handles of the Platform Agent and then stops gracefully without any data loss.&lt;/p&gt;
&lt;p&gt;Please note that if LCache is started inside eDirectory, then the user will not be able to send any signals to the LCache process, because eDirectory has blocked all the signals and the same signal mask is inherited by its child processes.&lt;/p&gt;
&lt;p&gt;Currently LCache becomes the child process of the logging application (like eDirectory) from which the LCache process is started. To avoid both the need to stop the logging application (eDirectory on Linux) in order to stop the LCache process and the inherited signal mask which stops LCache from receiving any signals, there is an enhancement going on to make LCache an independent process, in which the signal (SIGTERM) will also be handled irrespective of whoever starts it.&lt;/p&gt;
 &lt;div class=&quot;og_rss_groups&quot;&gt;&lt;ul class=&quot;links&quot;&gt;&lt;li class=&quot;first last og_links&quot;&gt;&lt;a href=&quot;/communities/coolsolutions&quot; class=&quot;og_links&quot;&gt;Cool Solutions&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;&lt;/div&gt;</description>
 <comments>http://www.novell.com/communities/node/9249/how-stop-novell-audit-lcache-process-gracefully#comments</comments>
 <category domain="http://www.novell.com/communities/coolsolutions/audit">Audit</category>
 <category domain="http://www.novell.com/communities/topic/auditing">Auditing</category>
 <group domain="http://www.novell.com/communities/coolsolutions/ism" xmlns="http://drupal.org/project/og">Identity &amp;amp; Security Management Cool Solutions</group>
 <group domain="http://www.novell.com/communities/coolsolutions" xmlns="http://drupal.org/project/og">Cool Solutions</group>
 <pubDate>Thu, 12 Nov 2009 11:47:41 -0700</pubDate>
 <dc:creator>hmahantesh</dc:creator>
 <guid isPermaLink="false">9249 at http://www.novell.com/communities</guid>
</item>
</channel>
</rss>
