Monitoring OpenAM Services

This chapter covers how to monitor OpenAM services to ensure appropriate performance and service availability.

Monitoring Interfaces

OpenAM lets you monitor OpenAM over protocol through web pages, Java Management Extensions (JMX), or Simple Network Management Protocol (SNMP). The services are based on JMX.

To configure monitoring services, login to OpenAM console as OpenAM administrator, and navigate to Configure > Global Services > System, and then click Monitoring. Alternatively, you can use the ssoadm set-attr-defs command:

$ ssoadm \
 set-attr-defs \
 --servicename iPlanetAMMonitoringService \
 --schematype Global \
 --adminid amadmin \
 --password-file /tmp/pwd.txt \
 --attributevalues iplanet-am-monitoring-enabled=true

Restart OpenAM for the changes to take effect. You must also restart OpenAM if you disable monitoring.

Web-Based Monitoring

You can configure OpenAM to allow you to access a web based view of OpenAM MBeans on port 8082 where the core server runs, such as http://openam-ter.example.com:8082/. Either use the console, or use the ssoadm command:

$ ssoadm \
 set-attr-defs \
 --servicename iPlanetAMMonitoringService \
 --schematype Global \
 --adminid amadmin \
 --password-file /tmp/pwd.txt \
 --attributevalues iplanet-am-monitoring-http-enabled=true

The default authentication file allows you to authenticate over HTTP as user demo, password changeit. The user name and password are kept in the file specified, with the password encrypted:

$ cat openam/openam/openam_mon_auth
demo AQICMBCKlwx6G3vzK3TYYRbtTpNYAagVIPNP

Or:

$ cat openam/openam/opensso_mon_auth
demo AQICvSe+tXEg8TUUT8ekzHb8IRzVSvm1Lc2u

You can encrypt a new password using the ampassword command. After changing the authentication file, you must restart OpenAM for the changes to take effect.

JMX Monitoring

You can configure OpenAM to allow you to listen for Java Management eXtension (JMX) clients, by default on port 9999. Either use the OpenAM console page under Configure > Global Services > System > Monitoring and make sure both Monitoring Status and Monitoring RMI interface status are both set to Enabled, or use the ssoadm command:

$ ssoadm \
 set-attr-defs \
 --servicename iPlanetAMMonitoringService \
 --schematype Global \
 --adminid amadmin \
 --password-file /tmp/pwd.txt \
 --attributevalues iplanet-am-monitoring-enabled=true \
  iplanet-am-monitoring-rmi-enabled=true

A number of tools support JMX, including jvisualvm and jconsole. When you use jconsole to browse OpenAM MBeans for example, the default URL for the OpenAM running on the local system is service:jmx:rmi:///jndi/rmi://localhost:9999/server.

$ jconsole service:jmx:rmi:///jndi/rmi://localhost:9999/server &

You can also browse the MBeans by connecting to your web application container, and browsing to the OpenAM MBeans. By default, JMX monitoring for your container is likely to be accessible only locally, using the process ID.

Also see Monitoring and Management Using JMX for instructions on how to connect remotely, how to use SSL, and so forth.

JMX has a limitation in that some Operations and CTS tables cannot be properly serialized from OpenAM to JMX. As a result, only a portion of OpenAM’s monitoring information is available through JMX. SNMP is a preferred monitoring option over JMX and exposes all OpenAM tables, especially for CTS, with no serialization limitations.

SNMP Monitoring

You can configure OpenAM to allow you to listen on port 8085 for SNMP monitoring. Either use the console, or use the ssoadm command:

$ ssoadm \
 set-attr-defs \
 --servicename iPlanetAMMonitoringService \
 --schematype Global \
 --adminid amadmin \
 --password-file /tmp/pwd.txt \
 --attributevalues iplanet-am-monitoring-snmp-enabled=true

Monitoring CTS Tokens

The "Configuring the Core Token Service" in the Installation Guide (CTS) provides persistent and highly available token storage for a several components within OpenAM, including user sessions, OAuth 2.0, SAML v2.0 and UMA tokens.

Depending on system load and usage, the CTS can produce a large quantity of tokens, which can be short lived. This style of usage is significantly different from typical LDAP usage. As such, systems administrators may be interested in monitoring this usage as part of LDAP directory maintenance.

The CTS functions only with one external LDAP service, OpenDJ.

To that end, the current state of CTS tokens on a system can be monitored over SNMP. The current state of different types of CTS tokens are associated with different Object Identifiers (OIDs) in a Management Information Base (MIB).

To enable SNMP, see "SNMP Monitoring"

CTS SNMP Monitoring

Once activated, SNMP monitoring works over UDP by default. You may want to install one of many available network monitoring tools. For the purpose of this section, basic SNMP service and monitoring tools have been installed on a GNU/Linux system. The same commands should work on a Mac OS X system.

SNMP depends on labels known as Object Identifiers (OIDs). These are uniquely defined labels, organized in tree format. For OpenAM, they are configured in a .mib file named FORGEROCK-OPENAM-CTS.mib, found inside the /path/to/tomcat/webapps/openam/WEB-INF/lib/openam-mib-schema-13.5.2-15.jar file of the OpenAM deployment.

For detailed information on configured OIDs, see "Core Token Service (CTS) Object Identifiers" in the Reference.

With the OIDs in hand, you can set up an SNMP server to collect the data. You would also need SNMP utility commands with associated OIDs to measure the current state of a component. First, to verify the operation of SNMP on a GNU/Linux system, over port 8085, using SNMP version 2c, run the following command:

# snmpstatus -c public -v 2c localhost

The output should normally specify communications over UDP. If you get a timeout message, the SNMP service may not be running.

You can get the value for a specific OID. For example, the following command would retrieve the cumulative count for CTS create operations, over port 8085:

# snmpget -c public -v 2c :8085 enterprises.36733.1.2.3.3.1.1.1

If your version of the tool does not support the enterprises OID string, use 1.3.6.1.4.1 instead, as in 1.3.6.1.4.1.36733.1.2.3.3.1.1.1.

For one view of the tree of OIDs, you can use the snmpwalk command. For example, the following command lists all OIDs related to CTS:

# snmpwalk -c public -v 2c :8085 enterprises.36733.1.2.3

A number of CTS OIDs are listed with a Counter64 value. As defined in RFC 2578 an OID so configured has a maximum value of 2^64 - 1.

SNMP Monitoring for Policy Evaluation

You can monitor policy evaluation performance over SNMP. OpenAM records statistics for up to a number of recent policy evaluation requests. (You can configure the number in OpenAM console under Configuration > System > Monitoring. For details, see the system configuration reference section, "Monitoring" in the Reference.)

Interface Stability: Evolving

As described in "CTS SNMP Monitoring", SNMP uses OIDs defined in the .mib file, FORGEROCK-OPENAM-POLICY.mib, found inside the /path/to/tomcat/webapps/openam/WEB-INF/lib/openam-mib-schema-13.5.2-15.jar file of the OpenAM deployment. This file specifies the statistics OpenAM keeps for policy evaluation operations. Adapt the examples in "CTS SNMP Monitoring" to read monitoring statistics about policy evaluation on the command line.

When monitoring is active, OpenAM records statistics about both the numbers and rates of policy evaluations performed, and also the times taken to process policy evaluations.

The statistics are all read-only. The base OID for policy evaluation statistics is enterprises.36733.1.2.2.1. The following table describes the values that you can read:

OIDs Used in SNMP Monitoring For Policy Evaluation
OID	Description	Syntax
`enterprises.36733.1.2.2.1.1.1`	Cumulative number of policy evaluations for specific resources (self)	`Counter64`
`enterprises.36733.1.2.2.1.1.2`	Average rate of policy evaluations for specific resources (self)	`Counter64`
`enterprises.36733.1.2.2.1.1.3`	Minimum rate of policy evaluations for specific resources (self)	`Counter64`
`enterprises.36733.1.2.2.1.1.4`	Maximum rate of policy evaluations for specific resources (self)	`Counter64`
`enterprises.36733.1.2.2.1.2.1`	Cumulative number of policy evaluations for a tree of resources (subtree)	`Counter64`
`enterprises.36733.1.2.2.1.2.2`	Average rate of policy evaluations for a tree of resources (subtree)	`Counter64`
`enterprises.36733.1.2.2.1.2.3`	Minimum rate of policy evaluations for a tree of resources (subtree)	`Counter64`
`enterprises.36733.1.2.2.1.2.4`	Maximum rate of policy evaluations for a tree of resources (subtree)	`Counter64`
`enterprises.36733.1.2.2.1.1.2`	Average length of time to evaluate a policy for a specific resource (self)	`Counter64`
`enterprises.36733.1.2.2.2.1.2`	Slowest evaluation time for a specific resource (self)	`SnmpAdminString`
`enterprises.36733.1.2.2.1.2.2.1`	Average length of time to evaluate a policy for a tree of resources (subtree)	`Counter64`
`enterprises.36733.1.2.2.1.2.2.2`	Slowest evaluation time for a tree of resources (subtree)	`SnmpAdminString`
`enterprises.36733.1.2.2.1.3.1`	Slowest individual policy evaluation time overall	`SnmpAdminString`

SNMP Monitoring for Sessions

You can monitor stateful session statistics over SNMP. OpenAM records statistics for up to a configurable number of recent sessions. (You can configure the number in OpenAM console under Configuration > System > Monitoring. For details, see the system configuration reference section, "Monitoring" in the Reference.)

SNMP monitoring is not available for stateless sessions.

Interface Stability: Evolving

As described in "CTS SNMP Monitoring", SNMP uses OIDs defined in a .mib file that specifies the statistics OpenAM keeps for policy evaluation operations, the FORGEROCK-OPENAM-SESSION.mib file. This file is found inside the /path/to/tomcat/webapps/openam/WEB-INF/lib/openam-mib-schema-13.5.2-15.jar file of the OpenAM deployment. Adapt the examples in "CTS SNMP Monitoring" to read monitoring statistics about sessions on the command line.

When monitoring is active, OpenAM records statistics about both the numbers of internal, remote, and CTS sessions, and also the times taken to process sessions.

The statistics are all read-only. The base OID for session statistics is enterprises.36733.1.2.1. Times are expressed in nanoseconds rather than milliseconds, as many operations take less than one millisecond. The following table describes the values that you can read:

OIDs Used in SNMP Monitoring For Sessions
OID	Description	Syntax
`enterprises.36733.1.2.1.1.1`	Total number of current internal sessions	`Counter64`
`enterprises.36733.1.2.1.1.2`	Average time it takes to refresh an internal session	`Counter64`
`enterprises.36733.1.2.1.1.3`	Average time it takes to logout an internal session	`Counter64`
`enterprises.36733.1.2.1.1.4`	Average time it takes to destroy an internal session	`Counter64`
`enterprises.36733.1.2.1.1.5`	Average time it takes to set a property on an internal session	`Counter64`
`enterprises.36733.1.2.1.2.1`	Total number of current remote sessions	`Counter64`
`enterprises.36733.1.2.1.2.2`	Average time it takes to refresh a remote session	`Counter64`
`enterprises.36733.1.2.1.2.3`	Average time it takes to logout a remote session	`Counter64`
`enterprises.36733.1.2.1.2.4`	Average time it takes to destroy a remote session	`Counter64`
`enterprises.36733.1.2.1.2.5`	Average time it takes to set a property on a remote session	`Counter64`
`enterprises.36733.1.2.1.3.1`	Total number of sessions currently in the Core Token Service (CTS)	`Counter64`
`enterprises.36733.1.2.1.3.2`	Average time it takes to refresh a CTS session	`Counter64`
`enterprises.36733.1.2.1.3.3`	Average time it takes to logout a CTS session	`Counter64`
`enterprises.36733.1.2.1.3.4`	Average time it takes to destroy a CTS session	`Counter64`
`enterprises.36733.1.2.1.3.5`	Average time it takes to set a property on a CTS session	`Counter64`

Is OpenAM Running?

You can check over HTTP whether OpenAM is up, using isAlive.jsp. Point your application to the file under the OpenAM URL, such as http://openam.example.com:8080/openam/isAlive.jsp.

If you get a success code (with Server is ALIVE: in the body of the page returned), then OpenAM is in operation.

Debug Logging

OpenAM services capture a variety of information in debug logs. Unlike audit log records, debug log records are unstructured. Debug logs contain a variety of types of information that is useful when troubleshooting OpenAM, including stack traces. The level of debug log record output is configurable. Debug log records are always written to flat files.

Setting Debug Logging Levels

To adjust the debug level while OpenAM is running, login to the OpenAM console as OpenAM administrator and navigate to Deployment > Servers > Server Name > Debugging. The default level for debug logging is Error. This level is appropriate for normal production operations, in which case no debug log messages are expected.

Setting the debug log level to Warning increases the volume of messages. Setting the debug log level to Message dumps detailed trace messages. Unless told to do so by qualified support personnel, do not use Warning and Message levels in production.

By default, certain components that run in OpenAM’s JVM—for example, embedded OpenDJ configuration stores—do not generate trace-level messages when you configure the debug log level to Message. If you need trace-level messages for these components, navigate to Deployment > Servers > Server Name > Advanced, create a org.forgerock.openam.slf4j.enableTraceInMessage property, and set its value to true.

Debug Logging to a Single File

During development, you might find it useful to log all debug messages to a single file. In order to do so, set Merge Debug Files to on.

OpenAM logs to a single file immediately after you change this property. You do not need to restart OpenAM or the container in which it runs for the change to take effect.

Debug Logging By Service

OpenAM lets you capture debug log messages selectively for a specific service. This can be useful when you must turn on debugging in a production system where you want to avoid excessive logging, but must gather messages when you reproduce a problem. Perform these steps to capture debug messages for a specific service:

Log in to OpenAM console as administrator, amadmin.
Browse to Debug.jsp, for example http://openam.example.com:8080/openam/Debug.jsp.

No links to this page are provided in the console.
Select the service to debug and also the level required given the hints provided in the Debug.jsp page.

The changes takes effect immediately.
Promptly reproduce the problem you are investigating.
After reproducing the problem, immediately return to the Debug.jsp page, and revert to normal log levels to avoid filling up the disk where debug logs are stored.

Rotating Debug Logs

By default OpenAM does not rotate debug logs. To rotate debug logs, edit WEB-INF/classes/debugconfig.properties where OpenAM is deployed.

The debugconfig.properties file includes the following properties:

org.forgerock.openam.debug.prefix: Specifies the debug log file prefix applied when OpenAM rotates a debug log file. The property has no default. It takes a string as the property value.
org.forgerock.openam.debug.suffix: Specifies the debug log file suffix applied when OpenAM rotates a debug log file. The property takes a SimpleDateFormat string. The default is -MM.dd.yyyy-kk.mm.
org.forgerock.openam.debug.rotation: Specifies an interval in minutes between debug log rotations. Set this to a value greater than zero to enable debug log rotation based on time passed.
org.forgerock.openam.debug.rotation.maxsize: Specifies a maximum log file size in megabytes between debug log rotations. Set this to a value greater than zero to enable debug log rotation based on log file size.

Changes to properties in the debugconfig.properties file take effect immediately. You do not need to restart OpenAM or the container in which it runs for the changes to take effect.

Recording Troubleshooting Information

The OpenAM recording facility lets you initiate events to monitor OpenAM while saving output that is useful when performing troubleshooting.

OpenAM recording events save four types of information:

OpenAM debug logs
Thread dumps, which show you the status of every active thread, with output similar to a JStack stack trace
Important run-time properties
The OpenAM configuration

You initiate a recording event by invoking the ssoadm start-recording command or by using the start action of the /json/records REST API endpoint. Both methods use JSON to control the recording event.

This section describes starting and stopping recording using the ssoadm command, using a JSON file to configure the recording event, and locating the output recorded information. For information about using the /json/records REST API endpoint to activate and deactivate recording, see "RESTful Troubleshooting Information Recording" in the Developer’s Guide.

Starting and Stopping Recording

Start OpenAM recording with the ssoadm start-recording command. For example:

$ ssoadm \
 start-recording \
 --servername http://openam.example.com:8080/openam \
 --adminid amadmin \
 --password-file /tmp/pwd.txt \
 --jsonfile recording.json


{
 "recording":true,
 "record": {
  "issueID":103572,
  "referenceID":"policyEvalFails",
  "description":"Record everything",
  "zipEnable":false,
  "threadDump": {
   "enable":true,
   "delay": {
     "timeUnit":"SECONDS",
     "value":5
   }
  },
  "configExport": {
   "enable":true,
   "password":"admin password",
   "sharePassword":true
  },
  "debugLogs": {
   "debugLevel":"message",
   "autoStop": {
    "time": {
     "timeUnit":"MILLISECONDS",
     "value":15000
    },
    "fileSize": {
     "sizeUnit":"KB",
     "value":1048576
    }
   }
  },
  "status":"RUNNING",
  "folder":"/home/openam/debug/record/103572/policyEvalFails/"
 }
}

The ssoadm command output in the preceding example is shown in indented format for ease of reading. The actual output is not indented.

In the preceding ssoadm start-recording command example, the recording.json file specifies the information to be recorded and under what conditions recording automatically terminates. This file is known as the recording control file. "The Recording Control File" describes the format of recording control files and provides an annotated example.

An active recording event stops when:

You explicitly tell OpenAM to stop recording by executing the ssoadm stop-recording command. See the Reference for details about this command.
Another ssoadm start-recording command is sent to OpenAM that specifies an issue ID other that differs from the active recording event’s issue ID. In this case, the initial recording session terminates and the new recording event starts. Note that you can determine whether an OpenAM recording event is active by using the ssoadm get-recording-status command.
A timer configured in the recording control file determines that the maximum amount of time for the recording event has been reached.
A file size monitor configured in the recording control file determines that the maximum amount of information in debug logs has been reached.

The Recording Control File

A JSON file that is input to the ssoadm start-recording command controls the amount of information OpenAM records, the recording duration, and the location of recording output files.

File Format

The following properties comprise the recording control file:

issueID

Type: Number

Required. The issue identifier—a positive integer stored internally as a Java long data type. A case number is a good choice for the issueID value.

The issueID is a component of the path at which recorded information is stored. See "Retrieving Recording Information" for more information.

referenceID

Type: String

Required. A second identifier for the recording event. Use this property to segregate multiple recording events for the same issue.

The referenceID is a component of the path at which recorded information is stored. See "Retrieving Recording Information" for more information.

Note that spaces are not allowed in the referenceID value.

Description

Type: String

Required. A textual description of the recording event.

zipEnable

Type: Boolean

Required. Whether to compress the output directory into a zip file when recording has stopped.

configExport

Type: Object

Required. An object containing the following properties:

enable: Type: Boolean

Required. Whether to export the OpenAM configuration upon completion of the recording event. Exporting the OpenAM configuration is a best practice, because it is extremely useful to have access to the configuration when troubleshooting.
password: Type: String

Required if enable is true. A key required to import the exported configuration. The key is used the same way that the ssoadm export-svc-cfg command uses the -e argument.
sharePassword: Type: Boolean

Required if enable is true. Whether to show the password value in the ssoadm start-recording, ssoadm get-recording-status, and ssoadm stop-recording output, and in the info.json file, which is output during recording events, and which contains run-time properties.

debugLogs

Type: Object

Required. An object containing the following properties:

debugLevel

Type: String

Required. The debug level to set for the recording event. Set the value of debugLevel to MESSAGE to get the most troubleshooting information from your recording period. Other acceptable but less commonly used values are ERROR and WARNING.

autoStop

Type: Object

Optional. Contains another object used to specify an event that automatically ends a recording period. For time-based termination, specify a time object; for termination based on uncompressed file size, specify a fileSize object. If you specify both time and fileSize objects, the event that occurs first causes recording to stop.

Specifying fileSize and time objects is a best practice, because it ensures that the recorded output does not occupy a larger than expected amount of space on your file system, and that recording events end in a timely fashion.

time

Type: Object

Optional; must be specified in the autoStop object if fileSize is not specified. Configures a recording period to terminate recording after this amount of time.

timeUnit: Type: String

Required. Acceptable values are MILLISECONDS, SECONDS, MINUTES, HOURS, and DAYS.
value: Type: Numeric

Required. Values in MILLISECONDS are rounded down to the second. The minimum acceptable value for autoStop is one second.

fileSize

Type: Object

Optional; must be specified in the autoStop object if time is not specified. Configures a recording period to terminate after the aggregate size of uncompressed debug logs has reached this size.

sizeUnit: Type: String

Required. Acceptable values are B, KB, MB, and GB.
value: Type: Numeric

Required.

threadDump

Type: Object

Required. An object containing the following properties:

enable

Type: Boolean

Required. Whether to dump threads during the recording event. Thread dumps are especially useful when troubleshooting performance issues and issues with unresponsive servers.

delay

Type: Object

Required if enable is true. Contains another object used to specify an interval at which thread dumps are taken. The initial thread dump is taken at the start of the recording event; subsequent thread dumps are taken at multiples of the delay interval.

timeUnit: Type: String

Required. Acceptable values are MILLISECONDS, SECONDS, MINUTES, HOURS, and DAYS.
value: Type: Numeric

Required. The minimum acceptable value is one second. Time units that are smaller than seconds, such as MILLISECONDS, are rounded to the closest second.

Recording Control File Example

The following is an example of a recording control file:

{
  "issueID": 103572,
  "referenceID": "policyEvalFails",
  "description": "Troubleshooting artifacts in support of case 103572",
  "zipEnable": true,
  "configExport": {
    "enable": true,
    "password": "5x2RR70",
    "sharePassword": false
  },
  "debugLogs": {
    "debugLevel": "MESSAGE",
    "autoStop": {
      "time":  {
        "timeUnit": "SECONDS",
        "value": 15
      },
      "fileSize": {
        "sizeUnit": "GB",
        "value": 1
      }
    }
  },
  "threadDump" : {
    "enable": true,
    "delay" :  {
      "timeUnit": "SECONDS",
      "value": 5
     }
  }
}

The recording control file properties in the preceding example affect the recording output as follows:

Recording Control File Example Properties and Their Effect on Recording Behavior
Recording Control File Property	Value	Effect
`issueID`, `referenceID`	`103572`, `policyEvalFails`	Recording output is stored at the path `debugFileLocation/record/103572/policyEvalFails_timestamp.zip`. For more information about the location of recording output, see "Retrieving Recording Information".
`Description`	`Troubleshooting artifacts in support of case 103572`	No effect.
`zipEnable`	`true`	Recording output is compressed into a zip file.
`configExport` / `enable`	`true`	The OpenAM configuration is exported at the start of the recording event.
`configExport` / `password`	`5x2RR70`	Knowledge of this password will be required to access the OpenAM configuration that was saved during recording.
`configExport` / `sharePassword`	`false`	The password is not displayed in output messages displayed during the recording event or in the `info.json` file.
`debugLogs` / `debugLevel`	`MESSAGE`	Recording enables message-level debug logs during the recording event.
`debugLogs` / `autoStop` / `time`	`SECONDS`, `15`	Because both the `time` and `fileSize` properties are set, recording stops after 15 seconds, or after the size of the debug logs exceeds 1 GB, whichever occurs first.
`debugLogs` / `autoStop` / `fileSize`	`GB`, `1`	Because both the `time` and `fileSize` properties are set, recording stops after 15 seconds, or after the size of the debug logs exceeds 1 GB, whichever occurs first.
`threadDump` / `enable`	`true`	Thread dumps are taken throughout the recording event.
`threadDump` / `delay`	`SECONDS`, `5`	The first thread dump is taken when the recording event starts. Additional thread dumps are taken every five seconds hence.

Retrieving Recording Information

Information recorded by OpenAM is stored at the path debugFileLocation/record/issueID/referenceID. For example, if the debug file location is /home/openam/debug, the issue ID 103572, and the reference ID policyEvalFails, the path containing recorded information is /home/openam/debug/record/103572/policyEvalFails.

When there are multiple recording events with the same issueID and referenceID, OpenAM appends a timestamp to the referenceID of the earliest paths. For example, multiple recording events for issue ID 103572 and reference ID policyEvalFails might be stored at the following paths:

Most recent recording: debugFileLocation/record/103572/policyEvalFails
Next most recent recording: debugFileLocation/record/103572/policyEvalFails_2015-10-24-11-48-51-902-PDT
Earliest recording: debugFileLocation/record/103572/policyEvalFails_2015-08-10-15-15-10-140-PDT

OpenAM compresses the output from recording events when you set the zipEnable property to true. The output file can be found at the path debugFileLocation/record/issueID/referenceID_timestamp.zip. For example, compressed output for a recording event for issue ID 103572 and reference ID policyEvalFails might be stored at the following path: debugFileLocation/record/103572/policyEvalFails_2015-08-12-12-19-02-683-PDT.zip.

Use the referenceID property value to segregate output from multiple problem recreations associated with the same case. For example, while troubleshooting case 103572, you notice that you only have a problem when evaluating policy for members of the Finance realm. You could trigger two recording events as follows:

Segregating Recording Output Using the referenceID Value
OpenAM Behavior	referenceIDValue	Recording Output Path
Policy evaluation behaves as expected for members of the Engineering realm.	`policyEvalSucceeds`	`debugFileLocation/record/103572/policyEvalSucceeds`
Policy evaluation unexpectedly fails for members of the Finance realm.	`policyEvalFails`	`debugFileLocation/record/103572/policyEvalFails`

Session Management

The OpenAM console lets the administrator view and manage active user sessions on the Sessions tab page.

Session management from the OpenAM console is only available for stateful sessions. Stateless sessions do not appear in the Sessions tab page.

To end a user session manually, select the user’s session, and then click the Invalidate Session button. As a result, the user has to authenticate again.

Deleting a user does not automatically remove any of the user’s sessions. After deleting a user, check for any sessions for the user and remove them under the Console’s Sessions tab.