Can Access Gateway log the SSL/TLS version of incoming client requests

  • 7016352
  • 26-Mar-2015
  • 26-Mar-2015

Environment

NetIQ Access Manager 3.2
NetIQ Access Manager 4.0
NetIQ Access Manager Access Gateway

Situation

Admin wants to log the SSL/TLS protocol versions of all HTTP requests coming into their Access Gateway servers. The HTTP logs provide a lot of flexibility in terms of what can be logged, yet do not mention any details on SSL/TLS versions.

Resolution

Common or Extended HTTP logs carry HTTP-level information; SSL/TLS sits in a layer below this, and therefore cannot be logged through the Admin console log settings. There are, however, two workarounds one could try:

1) Edit /etc/opt/novell/apache2/conf/httpd.conf

Uncomment the following lines and append the %{SSL_PROTOCOL}x field (the text shown in bold in the original article) to the LogFormat line:
    LogFormat "%h %l %u %t \"%r\" %>s %b %{SSL_PROTOCOL}x" common
    CustomLog "/var/log/novell-apache2/access_log" common

More details are available from http://httpd.apache.org/docs/2.2/mod/mod_ssl.html (under the custom log format section).

2) Add an advanced option to the proxy service (PR) for which you want this additional log:

           Include /etc/opt/novell/apache2/conf/mypr1.conf

    Create this file with the following content before applying the change:

  LogFormat "%{%Y-%m-%d %H:%M:%S}t  %a \"%{Cache-Control}o\" %L %B %X \"%{X-Forwarded-For}i\" %I \"%{ETag}o\" \"%{If-Range}o\" \"%{Range}o\" \"%{Content-Range}o\" \"%{Pragma}i\" \"%{Pragma}o\" %{SSL_PROTOCOL}x %{SSL_CIPHER}x" mypr1
  CustomLog "|\"/opt/novell/apache2/sbin/rotatelogs\" \"/var/log/novell/reverse/rp1/ps1-ps1.extended.log.%Y-%m-%d-%H_%M_%S\" 10M 7files" mypr1 env=ps1

With either option, "extended logging" must not be enabled for the PR. The statements above reproduce what extended logging does, with the exception that you lose the ability to add or modify logging options from the Admin console.
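Once %{SSL_PROTOCOL}x is in the log format, the resulting access_log can be checked for clients still negotiating legacy protocol versions. The following is an added example, not part of the original article or of the Access Manager product: a parser for the "common" format of option 1 with the SSL_PROTOCOL field appended, run over a few constructed log lines. The set of acceptable versions is an assumption standing in for the operator's own policy.

```python
import re
from collections import Counter

# Matches the "common" LogFormat from option 1 with %{SSL_PROTOCOL}x appended:
#   %h %l %u %t "%r" %>s %b %{SSL_PROTOCOL}x
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) (?P<ssl_protocol>\S+)$'
)

# Assumption: versions the operator still considers acceptable.
ACCEPTABLE = {"TLSv1.2", "TLSv1.3"}


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(lines):
    """Count protocol versions and collect requests that used a legacy version."""
    counts = Counter()
    legacy = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        proto = entry["ssl_protocol"]
        counts[proto] += 1
        # Apache logs "-" when SSL_PROTOCOL is unset, i.e. a plain-HTTP request.
        if proto != "-" and proto not in ACCEPTABLE:
            legacy.append((entry["host"], proto, entry["request"]))
    return counts, legacy


# Constructed sample lines (RFC 5737 test addresses), not real log data.
SAMPLE_LOG = """\
192.0.2.10 - - [26/Mar/2015:10:15:32 +0100] "GET /index.html HTTP/1.1" 200 1043 TLSv1.2
192.0.2.11 - - [26/Mar/2015:10:15:40 +0100] "POST /login HTTP/1.1" 302 - TLSv1
198.51.100.7 - - [26/Mar/2015:10:16:01 +0100] "GET /app/ HTTP/1.1" 200 5120 SSLv3
192.0.2.12 - - [26/Mar/2015:10:16:05 +0100] "GET /health HTTP/1.0" 200 17 -
"""

if __name__ == "__main__":
    counts, legacy = summarize(SAMPLE_LOG.splitlines())
    for proto, n in sorted(counts.items()):
        print(f"{proto:8} {n}")
    for host, proto, req in legacy:
        print(f"legacy {proto} from {host}: {req}")
```

For the rotatelogs output of option 2 the same approach applies, but the regex must be adapted to that format's field order.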