4.8 Managing Server Health

You can monitor all of the components hosted by a server and quickly isolate and correct server issues. The system displays statuses (green, yellow, white, or red) for the Access Manager components. Health information can be accessed at the following places:

This section discusses the following topics:

4.8.1 Health States

The Health page displays the current status of the server. The following states are possible:

Icon

Description

A green status indicates that the server has not detected any problems.

A green status with a yellow diamond indicates that the server has not detected any problems but the configuration isn’t completely up-to-date because commands are pending.

A green status with a red x indicates that the server has not detected any problems but that the configuration might not be what you want because one or more commands have failed.

A red status with a bar indicates that the server has been stopped.

A white status with disconnected bars indicates that the server is not communicating with the Administration Console.

A yellow status indicates that the server might be functioning sub-optimally because of configuration discrepancies.

A yellow status with a question mark indicates that the server has not been configured.

A red status with an x indicates that the server configuration might be incomplete or wrong, that a dependent service in not running or functional, or that the server is having a runtime problem.

4.8.2 Monitoring the Health of an Access Gateway

To view detailed health status information of an Access Gateway:

  1. In the Administration Console, click Devices > Access Gateways > [Name of Server] > Health.

    The status icon is followed by a description that explains the significance of the current state. For more information about these icons, see Section 4.8.1, Health States.

  2. To ensure that the information is current, select one of the following:

    • Click Refresh to refresh the page with the latest health available from the Administration Console.

    • Click Update from Server to send a request to the Access Gateway to update its status information. If you have made changes that affect the health of the Access Gateway, select this option. Otherwise, it can take up to five minutes for the health status to change.

  3. Examine the Services Detail section that displays the status of each service. For an Access Gateway, this includes information such as the following:

  4. Click Close.

Service Categories of the Access Gateway Appliance

Service Category

If Not Healthy

Time: Indicates the type of time configuration. Time must be configured so that it remains synchronized with the other servers in the configuration (Identity Server, SSL VPN server, J2EE Agent, Web servers, etc.).

See Section 2.6, Setting the Date and Time.

Gateway: Specifies the type of routing that is configured for the gateway.

See Section 2.9.2, Viewing and Modifying Gateway Settings.

DNS: Specifies whether the domain name server has been configured

Displays the IP address of the each configured DNS server and when the server last responded.

See Section 2.9.3, Viewing and Modifying DNS Settings.

Services: Indicates the general health of all configured services.

Displays messages about the health of the reverse proxy, the back end Web servers, and internal services (the SOAP back channel and the communication module).

Address: Indicates whether an IP address has been configured for the reverse proxy to listen on. This is required for the Access Gateway to function.

See Section 1.1.1, Creating a Proxy Service.

Embedded Service Provider Communication: Indicates whether the Embedded Service Provider can communicate with the Identity Server.

Restart the Embedded Service Provider. If restarting the Embedded Service Provider fails, try restarting Tomcat.

L4 and Cache: The L4 status indicates whether the Linux Access Gateway is responding to health checks from the L4 switch. The number increments with each health check for which the Access Gateway does not send a response.

  • When it reaches 13, the health is changed to yellow.

  • When it reaches 31, the health is changed to red.

If the Access Gateway recovers and starts responding, the health turns green after 20 seconds and the unresponsive count is reset to 0.

To fix the problem if it does not resolve itself, restart the Access Gateway.

The cache status indicates the current number of delayed cache requests and whether enough memory is available to process new requests.

  • When this number reaches 101, the health is changed to yellow.

  • When this number reaches 151, the health changes to red. To solve the problem, you need to restart the Linux Access Gateway.

Restart the Linux Access Gateway by entering the following commands:

/etc/init.d/novell-vmc stop /etc/init.d/novell-vmc start

Embedded Service Provider Configuration: Indicates whether the Access Gateway has been configured to trust an Identity Server and whether that configuration has been applied.

At least one Identity Server must be configured and set up as a trusted authentication source for the Access Gateway.

A green status indicates that a configuration has been applied; it does not indicate that it is a functioning configuration.

See Configuring an Identity Server in the Novell Access Manager 3.1 SP2 Identity Server Guide for information on configuring an Identity Server.

See Section 1.1, Managing Reverse Proxies and Authentication for information on assigning an Identity Server configuration to the Access Gateway.

Configuration Datastore: Indicates whether the configuration datastore is functioning correctly.

Restore the configuration datastore. See Repairing the Configuration Datastore in the Novell Access Manager 3.1 SP2 Administration Console Guide.

Clustering: Indicates whether all the cluster members are active and processing requests.

Restart the cluster members that are not active or remove them from the cluster.

Signing, Encryption and SSL Connector Keys: Indicates whether these keystores contain valid a key.

Click Access Gateways > Edit > Service Provider Certificates and replace any missing or expired keys.

System Incoming and Outgoing HTTP Requests: Appears when throughput is slow. This health check monitors incoming HTTP requests, outgoing HTTP requests on the SOAP back channel, and HTTP proxy requests to cluster members. If one or more requests remain in the queue for over 2 minutes, this health check appears.

Verify that all members of the cluster have sufficient bandwidth to handle requests. If a cluster member is going down, the problem resolves itself as other members of the cluster are informed that the member is down.

If a cluster member is slow because it doesn’t have enough physical resources (speed or memory) to handle the load, upgrade the hardware.

TCP Listener(s): Indicates whether the listening port for the Embedded Service Provider is healthy.

Restart the Access Gateway.

Embedded Service Provider’s Trusted Identity Provider: Indicates whether the configuration that the Access Gateway trusts has been configured to contain at least one Identity Server.

Modify the Identity Server configuration and add an Identity Server. See Assigning an Identity Server to a Cluster Configuration in theNovell Access Manager 3.1 SP2 Identity Server Guide.

Configure the Access Gateway to trust an Identity Server configuration. See Section 1.1, Managing Reverse Proxies and Authentication.

Audit Logging Server: Indicates whether the audit agent is functioning and able to log events to the auditing server.

Auditing must be enabled on the Identity Server to activate this health check (click Devices > Identity Servers > Edit > Logging).

Check the network connection between the Identity Server and the auditing server.

See “Troubleshooting Novell Audit”.

Service Categories of the Access Gateway Service

Service Category

If Not Healthy

Reverse Proxy - <Proxy Service Name>: Indicates the general health of all configured proxy services. A separate row is created for each proxy service.

Check the health of the Web server.

AGM - Configuration: Indicates whether all configuration changes have been applied.

Do the following:

  • To re-push the current configuration, click Auditing > Troubleshooting, select the gateway from the list of the Current Access Gateway Configurations, then click Re-push Current Configuration.

  • To revert to last applied configuration, click Devices > Access Gateways > Edit, then click Revert.

If these options do not fix the problem, view the Apache error.log file to discover the cause. The file is located in the following directory:

Linux: /var/log/novell-apache2/

Windows: \Program Files\Novell\apache\logs\

TCP Listener - <IP Address:Port>: Indicates whether the Access Gateway Service is listening on the specified port. A separate row is created for each port the Gateway Service is configured to listen on.

Restart the Apache service.

ApacheGateway.log: Appears when the Access Gateway Service is not healthy. It displays the latest error from the Apache error.log file.

For more information about the problem, view the error.log file in the following directory:

Linux: /var/log/novell-apache2/

Windows: \Program Files\Novell\apache\logs\

Embedded Service Provider Configuration: Indicates whether the Access Gateway has been configured to trust an Identity Server and whether that configuration has been applied.

At least one Identity Server must be configured and set up as a trusted authentication source for the Access Gateway.

A green status indicates that a configuration has been applied; it does not indicate that it is a functioning configuration.

See Configuring an Identity Server in the Novell Access Manager 3.1 SP2 Identity Server Guide for information on configuring an Identity Server.

See Section 1.1, Managing Reverse Proxies and Authentication for information on assigning an Identity Server configuration to the Access Gateway.

Configuration Datastore: Indicates whether the configuration datastore is functioning correctly.

Restore the configuration datastore. See Repairing the Configuration Datastore in the Novell Access Manager 3.1 SP2 Administration Console Guide.

Clustering: Indicates whether all the cluster members are active and processing requests.

Restart the cluster members that are not active or remove them from the cluster.

Signing, Encryption and SSL Connector Keys: Indicates whether these keystores contain a valid key.

Click Access Gateways > Edit > Service Provider Certificates and replace any missing or expired keys.

System Incoming and Outgoing HTTP Requests: Appears when throughput is slow. This health check monitors incoming HTTP requests, outgoing HTTP requests on the SOAP back channel, and HTTP proxy requests to cluster members. If one or more requests remain in the queue for over 2 minutes, this health check appears.

Verify that all members of the cluster have sufficient bandwidth to handle requests. If a cluster member is going down, the problem resolves itself as other members of the cluster are informed that the member is down.

If a cluster member is slow because it doesn’t have enough physical resources (speed or memory) to handle the load, upgrade the hardware.

TCP Listener(s): Indicates whether the listening port for the Embedded Service Provider is healthy.

Restart the Access Gateway.

Embedded Service Provider’s Trusted Identity Provider: Indicates whether the configuration that the Access Gateway trusts has been configured to contain at least one Identity Server.

Modify the Identity Server configuration and add an Identity Server.

Configure the Access Gateway to trust an Identity Server configuration. See Section 1.1.1, Creating a Proxy Service.

Audit Logging Server: Indicates whether the audit agent is functioning and able to log events to the auditing server.

Auditing must be enabled on the Identity Server to activate this health check (click Devices > Identity Servers > Edit > Logging).

Check the network connection between the Identity Server and the auditing server.

See “Troubleshooting Novell Audit”.

4.8.3 Viewing the Health of an Access Gateway Cluster

The Health icon on the cluster row displays the status of the least healthy member of the cluster. For information on the meaning of the health icons, see Section 4.8.1, Health States.

To view details about the status of the cluster:

  1. In the Administration Console, click Devices > Access Gateways.

  2. On the cluster row, click the Health icon.

    Viewing Cluster Health Details
  3. To ensure that the information is current, click Refresh.

  4. To view specific information about the status of an Access Gateway, click the Health icon in the Access Gateway row.