Previous Topic: How to Enable Assertion Attribute Logging on Windows Operating EnvironmentsNext Topic: Configuring and Managing Encryption Keys


How to Enable Assertion Attribute Logging on UNIX or Linux Operating Environments

You can record information about the assertion attributes to the audit logs. Use these logs for a security audit, or during an investigation. The type of event determines the information that is recorded in the log. The following events are recorded when you enable assertion‑attribute logging:

The logging of assertion attributes is disabled by default. Enable assertion‑attribute logging on your Policy Server.

The following graphic describes how to enable assertion‑attribute logging:

This diagram describes the workflow for enabling assertion attribute logging on the UNIX and Linux operating environments.

Follow these steps:

  1. Open the sm.registry file with a text editor.
  2. Change the value of the line in the registry file.
  3. Restart your Policy Server with the following steps:
    1. Stop your Policy Server.
    2. Start your Policy Server.
Open the sm.registry File with a Text Editor

Change this setting on UNIX or Linux operating environments by opening the sm.registry file with a text editor. The sm.registry file is stored on your Policy Server.

Follow these steps:

  1. Navigate to the following directory:
    Installation_Directory/registry
    
    installation_directory

    Specifies the location in the file system where the Policy Server is installed.

    Default: /opt/CA/siteminder

  2. Open the following file with a text editor:
    sm.registry
    

    You can now change the settings.

Change the Value of the Line in the Registry File

The following entry in the sm.registry file controls attribute assertion logging:

Enable Enhance Tracing

Indicates whether attribute assertions are recorded in the audit logs. A value of 2 enables logging. A value of 3 enables logging and records the authentication method of the user.

Limits: 0, 2, 3

Default: 0 (logging disabled)

Follow these steps:

  1. Locate the following section of the sm.registry file:
    HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Reports=
    
  2. Locate the following line in the Reports section:
    Enable Enhance Tracing=	0; REG_DWORD
    
  3. Change the zero to one of the following values:
  4. Verify that the line in your sm.registry file matches one of the following examples:
    Enable Enhance Tracing=	2; REG_DWORD
    
    Enable Enhance Tracing=	3; REG_DWORD
    
  5. Save the changes to the sm.registry file, and then close the text editor.

    The value of the line in the registry file is changed.

Stop a UNIX Policy Server

Stopping a Policy Server has the following results:

Follow these steps:

  1. Log in to the system hosting the Policy Server with the same user account that installed the Policy Server originally.
  2. Stop all Policy Server processes, with one of the following actions:
Start a UNIX Policy Server

Starting Policy Server has the following results:

Start all Policy Server processes, with one of the following actions:

The Policy Server logs all UNIX executive activity in the installation_directory/log/smexec.log file. Log entries are always appended to the existing log file.