

How to Enable Logging and Trace Tools for Federation Single-Sign-On

Use the following procedures to enable the logging and trace tools on the system components for debugging purposes.

Note: Enabling trace may impact performance, so turn trace on only while you are troubleshooting.

How to Enable Logging and Trace for the Secure Proxy Server

All requests for CloudMinder services go through the Secure Proxy Server. You can enable the Secure Proxy Server web agent logging and tracing using either the Agent Configuration Object or local configuration.

For most cases, CA Technologies recommends editing the Agent Configuration Object settings, because changes there take effect automatically; local configuration requires restarting the Secure Proxy Server.

Follow these steps:

  1. For the Agent Configuration Object, launch the Cloud Service Provider Administrative User Interface.
  2. Navigate to Infrastructure, Agent Configuration Objects.
  3. Edit the Agent Configuration Object for the Secure Proxy Server web agent. The following parameters need to be configured:

Note: If you need to debug proxy rules, locate the proxyrules.xml file, and set the debug attribute of the nete:proxyrules element to yes.
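
The following is an added example, not part of the CA documentation: a Python helper that changes the debug attribute on the nete:proxyrules start tag by editing the text in place, so the DOCTYPE and comments in the file are untouched, and returns the previous value so the setting can be put back when troubleshooting ends. The function name, the sample document, and its namespace URI are constructed for illustration.

```python
import re

# Start tag of the root element; "<!DOCTYPE nete:proxyrules ...>" does not match.
_START_TAG = re.compile(r"<nete:proxyrules\b[^>]*>")
# The debug attribute inside that tag, with either quote style.
_DEBUG_ATTR = re.compile(r"""\s+debug\s*=\s*(["'])(.*?)\1""")

# Constructed sample, not a real deployment's file; the namespace URI is a placeholder.
SAMPLE = '''<?xml version="1.0"?>
<!DOCTYPE nete:proxyrules SYSTEM "proxyrules.dtd">
<nete:proxyrules xmlns:nete="urn:example:placeholder" debug="no">
  <!-- rules omitted -->
</nete:proxyrules>
'''


def set_proxyrules_debug(xml_text, value):
    """Set debug=value on <nete:proxyrules>; value=None removes the attribute.

    Returns (new_text, previous_value). previous_value is None when the
    attribute was absent, so passing it back restores the original text.
    """
    tag_match = _START_TAG.search(xml_text)
    if tag_match is None:
        raise ValueError("no <nete:proxyrules> start tag found")
    tag = tag_match.group(0)
    attr = _DEBUG_ATTR.search(tag)
    previous = attr.group(2) if attr else None
    if attr and value is not None:
        # Replace only the value, keeping quotes and attribute order.
        tag = tag[:attr.start(2)] + value + tag[attr.end(2):]
    elif attr:
        tag = tag[:attr.start()] + tag[attr.end():]
    elif value is not None:
        tag = tag[:-1].rstrip() + f' debug="{value}">'
    new_text = xml_text[:tag_match.start()] + tag + xml_text[tag_match.end():]
    return new_text, previous


if __name__ == "__main__":
    enabled, before = set_proxyrules_debug(SAMPLE, "yes")
    print("previous debug value:", before)
    restored, _ = set_proxyrules_debug(enabled, before)
    print("restored matches original:", restored == SAMPLE)
```
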

How to Enable Logging and Trace for the Federation Web Services

You can enable trace to extract detailed messages about federation transactions. For example, you can look at the FWSTrace.log file to see the generated SAML assertion. Changes to the LoggerConfig.properties file require restarting the Secure Proxy Server.

Follow these steps:

  1. Configure the following parameters:

How to Enable Logging and Trace for the Policy Server

By default, the SiteMinder Policy Server logs information in the smps.log file. This file is typically the starting point for troubleshooting issues on the Policy Server side. If you need additional trace information, turn on trace from the Policy Server Management Console.

Note: You can invoke the Policy Server Management Console from here:
/opt/CA/siteminder/bin/smconsole

Follow these steps:

  1. From the Profiler tab, set the Enable Profiling option to enable profiling.
  2. Click Configuration Settings, and then move selected components to the right.
  3. To troubleshoot federation-related issues, make sure to select the Fed_Server component. This component monitors activity for the assertion generator and the SAML authentication scheme. For example, you can view the generated assertion in the smtracedefault.log file.

Note: Changes to the Profile settings take effect automatically.

How to Enable Logging and Trace for the Extensible Policy Store (XPS)

Enable XPS validation and federation object tracing to monitor federation database activities. Use the XPSConfig utility to make changes.

Note: CA Technologies recommends restarting the Policy Server after the change.

SiteMinder logs these activities to the smps.log file.