Diagnose the ActivID Appliance

You can generate a diagnostic package to troubleshoot the ActivID Apliance.

The Diagnostic Package is a light package that contains information about the appliance configuration and usage.

  • System information
  • Configuration information
  • Licensing information
  • ActivID Applications logs
  • Appliance management logs, such as backup/restore, archive audit, purge audit
  • General database system logs
  • External HSM configuration and cryptographic Migration logs

The Full Diagnostic Package contains the same information as the 'light' package plus detailed database system logs.

System information Configuration information Licensing information
  • Environment information (environment variables)
  • System messages
  • List all ActivID files
  • List of installed hot fixes and service packs (if any)
  • HSM information (if any):
    • Firmware version
    • FIPS mode
    • Status
  • System activity information (that is, the output of the “sar” system command)
  • Appliance model (for example, FT5000S)
  • Appliance type:
    • Virtual Machine with Software Cryptography or with External HSM
  • Software version: 8.0.x.x
  • Compatibility digest
  • OS version
  • List of applications - the list of all applications installed on the appliance
  • HSM information (if any):
    • ID
    • Status
    • Firmware version
    • FIPS mode
  • Software updates - the list of all hot fixes and service packs installed on the appliance
  • Application property file for each installed application
  • RADIUS FE information such as dictionary and sites etc
  • User licenses, for each:
    • Feature Name
    • Feature Version
    • Vendor Private /Vendor Public
    • User Limit
  • Current status (warning level)
  • Maintenance licenses, for each:
    • Feature Name
    • Feature Version
    • Vendor Private /Vendor Public
    • User Limit
    • Current status (warning level)
    • Expiration dates

During troubleshooting, in rare cases, HID Global personnel might need to access the original PII (for example, an issue might occur due to the content of the LDAP username). To facilitate this, ActivID Appliance also generates a substitution file that can be used to retrieve the exact original value.

For example, HID Global personnel need to alert the customer that they are seeing some specific issues regarding user Name1, but only the customer knows the identity of user Name1. Similarly, a customer might ask HID Global personnel to pay special attention to user Name2. HID Global does not need to know who that is.

  • The substitution file that the customer keeps, helps translate from the anonymized information to the PII and vice versa. If an actual PII needs to be provided to HID Global personnel, only that specific information is shared, and the other PII can be kept private by the customer.
  • The substitution file contains the list of PII with all the corresponding replacement values separated by a colon (:).
  • If there is no replacement value, then the PII is marked as <PII tag>_REMOVED_<PII tag>.
  • The substitution file is the same for all files processed.
Note: By default, the content of the package is anonymized to protect any PII.

Set the Logging Level

Setting the logging level allows generating a diagnostic package that contains logs and properties files useful for troubleshooting.

  1. Log on to the ActivID Console and, under Monitoring, select Troubleshooting.
  2. Select the Logs tab.

  3. From the Severity Level drop-down list, select the logging level required:
    • DEBUG – use to write detailed information to the log file in order to debug the system.
    • INFO – use in the early stages of troubleshooting when you suspect there is a problem.
    • WARN – use to detect potentially harmful situations.
    • ERROR – normal operating setting (default level).
  4. Click Save.
  5. Generate a diagnostic package.

Generate, Download or Export a Diagnostic Package

Prerequisites: Your browser is configured to allow pop-ups from the ActivID Console.
  1. Log on to the ActivID Console and, under Monitoring, select Troubleshooting.

    Note: The Download option for the Anonymize Substitution File is only visible if a diagnostic (light or full) has been generated.

    The Troubleshooting page contains the following information:

    • Appliance information – includes the appliance version and compatibility digest, appliance and cryptographic types, and hot fixes and service packs installed.
    • Diagnostic – enables you to download the diagnostic package, and to export the full diagnostic package (that is, to configure FTP server information and encryption password).
    • Logs – enables you to configure the logging level.

  1. If required, configure the logging level according to the level of information you want to generate in the diagnostic package.
  2. Perform various operations to generate information about the appliance and/or reproduce an issue.
  3. Return to the Diagnostic tab and either:
    • Click Download to generate and download a Diagnostic Package directly on to your local machine.
      • Note: Any previously generated diagnostic packages and substitution files are deleted.

      The file name of the anonymized diagnostic package is Diag_<hostname>_<date>-<time>_UTC.tar.gz (where the time is in UTC).

      The log files are generated with the configured logging level.

      Important: The diagnostic package is not encrypted. Make sure that you store it in a secure location.
    • Click Download to download the anonymization substitution file associated to the diagnostic package (light or full) that was last generated.

      • The substitution file name matches that of the diagnostic package with the suffix _Substitution_Table (for example, Diag_<hostname>_<date>-<time>_UTC_Substitution_Table.txt).

    • Click Export to export a Full Diagnostic Package to an FTP/SFTP server.

      1. Select the required FTP/SFTP site from the download list or click Add New to configure a new site.
      2. Set and confirm the Encryption Password.
        Important:  

        • The password:

          • Must contain between 1 and 20 characters

          • Can contain special characters except [ ] { } | < > " ' ( )

          • Must not contain empty characters such as spaces and tabulations

        • Make a note of this password as it will be required to decrypt the data package

      3. Click Export.

      The anonymized Full Diagnostic Package is encrypted using the defined password.

      The file name of the full diagnostic package is FullDiag_<hostname>_<date>-<time>_UTC.tar.gz (where the time is in UTC).

      Note: The associated substitution file is not exported. You must download the file separately if it is required.

Decrypt a Diagnostic Package

To decrypt the package, use the activid_decrypt_archive.sh script in the Utilities/Decrypt-Archive folder on the ActivID Appliance Companion delivery disk:

  1. Mount the ActivID Appliance Companion delivery disk on a Linux machine with openSSL installed.
  2. Copy the activid_decrypt_archive.sh script to a working folder (<WORK>).
  3. Copy the encrypted package to the local disk. It can be <WORK>.
  4. Create an output folder.

    5. This folder will be used to copy the files. It can be the <WORK> folder.

  5. Open a console on the <WORK> folder, and run the following command:

    6. Copy 
    activid_decrypt_archive.sh -i <input file> -o <output folder> -p <password>

    Where:

    -i <input file> indicates the diagnostic package generated by the appliance.

    -o <output folder> indicates the output folder where the diagnostic package should be extracted (the <output dir> folder should exist).

    -p <password> indicates the encryption password used when exporting the diagnostic package.

    All files in clear text are then available in the specified output folder.