This section contains the following topics:
Configure the CA SiteMinder® Event Manager
Start and Stop SiteMinder SNMP Support
Troubleshooting the SiteMinder SNMP Module
The CA SiteMinder® SNMP module enables many operational aspects of the CA SiteMinder® environment to be monitored by SNMP-compliant network management applications.
Network management takes place between two types of systems: those in control, called managing systems, and those observed and controlled, called managed systems. Managed systems can include hosts, servers, and the software components that run on those systems, or network components such as routers or intelligent repeaters.
To promote interoperability, cooperating systems adhere to the industry standard Simple Network Management Protocol (SNMP), an application-layer protocol designed to facilitate the exchange of management information between network devices.
A complete SNMP solution comprises three components:
Note: SNMP agents, which are a standard component of all SNMP implementations, should not be confused with CA SiteMinder® Agents.
The CA SiteMinder® SNMP module provides SNMP request handling and configurable event trapping for the CA SiteMinder® environment. It does this by collecting operational data from the CA SiteMinder® OneView Monitor and making it available in a MIB to third-party NMS applications that support the SNMP protocol (for example, HP OpenView).
Note: The 6.0 SNMP agent is backwards compatible with all CA SiteMinder® 5.x-based Agent applications.
The CA SiteMinder® SNMP module consists of:
The CA SiteMinder® SNMP Module has the following dependencies:
The following figure illustrates SNMP module dataflow:
CA SiteMinder® SNMP Dataflow:
The CA SiteMinder® MIB provides an SNMPv2-compliant data representation of all monitored components in the CA SiteMinder® environment.
The CA SiteMinder® MIB is supplied in an ASCII text file:
SiteMinder_Install_Directory\mibs\NetegritySNMP.mib.
SNMP MIB structure is logically represented by an inverse tree hierarchy. MIBs for internet-related products such as CA SiteMinder® are located under the ISO main branch of the MIB hierarchy.
The upper part of the ISO branch is shown in the following figure.
MIB branches, MIBs, and managed objects within MIBs are all identified by short text strings. Complete MIB hierarchies can be expressed notationally by concatenating branch and object identifiers, separating each entry with a period. For example, the private sub-branch of the internet entry shown above can be expressed as iso.org.dod.internet.private.
The CA SiteMinder® MIB can be expressed as iso.org.dod.internet.private.enterprises.netegrity.products.siteminder.
Supported managed components represented by MIB objects are Policy Servers and Web Agents. Because there can be multiple instances of each of these components, the managed properties of each of these components are columnar objects.
The CA SiteMinder® MIB has three sub-branches:
Contains the Policy Server (policyServerTable) objects.
Contains Web Agent (webAgent) objects.
Contains SNMP trap types for system events.
The following sections contain detailed lists of the Policy Server, Web Agent, and Event MIB objects.
The following table contains the subset of Authentication Server properties that are exposed as objects in the CA SiteMinder® MIB, which are under iso.org…siteminder.policyServer.policyServerTable.
Object Name | SNMP Type | Object Description |
---|---|---|
policyServerIndex | Integer32 | A unique identifier for the current Policy Server instance. |
policyServerHostID | IP address | IP address of the machine where the Policy Server is installed. |
policyServerType | Display string | Type of component. |
policyServerStatus | Integer32 | Status of the Policy Server. The status can be Active or Inactive. |
policyServerPort | Integer32 | Policy Server port number. |
policyServerProduct | Display string | Policy Server product name. |
policyServerPlatform | Display string | Operating system of the machine where the Policy Server is installed. |
policyServerVersion | Display string | Version number of the Policy Server. |
policyServerUpdate | Display string | Version number of the most recently applied update. |
policyServerLabel | Display string | Policy Server build number. |
policyServerCrypto | Integer32 | Length of the encryption key used to encrypt/decrypt data sent between the Web Agent and the Policy Server. |
policyServerUTC | Display string | The startup time of the Web server where the Policy Server is installed. The time is specified in Universal Coordinated Time format. |
policyServerTimeZone | Integer32 | Time zone for the geographical location where the Policy Server is installed. |
policyServerMaxSockets | Integer32 | Maximum number of open sockets (which correspond to the number of open connections between the Policy Server and Web Agents) that the Policy Server can support. |
policyServerSocketCount | Gauge32 | Number of open sockets, which corresponds to the number of open connections between the Policy Server and Web Agents. |
policyServerAuthAcceptCount | Counter32 | Number of successful authentications. |
policyServerAuthRejectCount | Counter32 | Number of failed authentication attempts. These attempts failed because of invalid credentials. |
policyServerAzAcceptCount | Counter32 | Number of successful authorizations. |
policyServerAzRejectCount | Counter32 | Number of failed authorization attempts. These attempts failed because of invalid credentials. |
policyServerPolicyCacheEnabled | Truth Value | Indicates whether or not policy cache is enabled. |
policyServerL2CacheEnabled | Truth Value | Indicates whether or not L2 cache is enabled. |
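
The following is an added example, not CA code: it shows how an NMS-side script could turn polled policyServerAuthAcceptCount and policyServerAuthRejectCount values into a reject-rate alert, handling Counter32 wraparound. The sample values, thresholds, function names, and the use of a changed policyServerUTC value as a restart signal (with counters assumed to start over) are assumptions.

```python
COUNTER32_MOD = 2 ** 32  # a Counter32 wraps to 0 after 2**32 - 1

# Constructed poll results, one dict per polling interval. The policyServerUTC
# strings are placeholders; only equality between polls is used.
SAMPLES = [
    {"policyServerUTC": "boot-1", "policyServerAuthAcceptCount": 1000,
     "policyServerAuthRejectCount": 4294967200},
    {"policyServerUTC": "boot-1", "policyServerAuthAcceptCount": 1090,
     "policyServerAuthRejectCount": 4294967210},
    {"policyServerUTC": "boot-1", "policyServerAuthAcceptCount": 1120,
     "policyServerAuthRejectCount": 104},      # reject counter wrapped
    {"policyServerUTC": "boot-2", "policyServerAuthAcceptCount": 5,
     "policyServerAuthRejectCount": 3},        # startup time changed
    {"policyServerUTC": "boot-2", "policyServerAuthAcceptCount": 25,
     "policyServerAuthRejectCount": 13},
]


def counter_delta(prev, cur):
    """Increase of a Counter32 between two polls, tolerating one wrap."""
    return (cur - prev) % COUNTER32_MOD


def reject_alerts(samples, ok_key, bad_key, restart_key,
                  min_attempts=50, max_ratio=0.5):
    """Return (poll_index, rejects, attempts) for intervals over threshold."""
    alerts = []
    for i in range(1, len(samples)):
        prev, cur = samples[i - 1], samples[i]
        if cur[restart_key] != prev[restart_key]:
            continue  # assumed restart: no valid delta across this interval
        ok = counter_delta(prev[ok_key], cur[ok_key])
        bad = counter_delta(prev[bad_key], cur[bad_key])
        attempts = ok + bad
        # Ignore quiet intervals so a handful of typos does not raise an alert.
        if attempts >= min_attempts and bad / attempts > max_ratio:
            alerts.append((i, bad, attempts))
    return alerts


def policy_server_alerts(samples=SAMPLES):
    return reject_alerts(samples, "policyServerAuthAcceptCount",
                         "policyServerAuthRejectCount", "policyServerUTC")


if __name__ == "__main__":
    print(policy_server_alerts())
```

Alerting on the per-interval delta rather than the raw counter keeps a long-running Policy Server with a large lifetime total from masking a sudden burst of rejected authentications.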
The following table contains the Web Agent properties that are exposed as objects in the CA SiteMinder® MIB, which are under iso.org…siteminder.webAgentTable.webAgentEntry.
Object Name | SNMP Type | Object Description |
---|---|---|
webAgentIndex | Integer32 | A unique identifier for the current Web Agent instance. |
webAgentHostID | IP address | IP address of the machine where the web agent server is installed. |
webAgentType | Display string | Type of component. |
webAgentStatus | Integer32 | Status of the Web Agent. The status can be Active or Inactive. |
webAgentPort | Integer32 | Web Agent port number. |
webAgentProduct | Display string | Web Agent product name. |
webAgentPlatform | Display string | Operating system of the machine where the Web Agent is installed. |
webAgentVersion | Display string | Version number of the Web Agent. |
webAgentUpdate | Display string | Version number of the most recently applied update. |
webAgentLabel | Display string | Web Agent build number. |
webAgentCrypto | Integer32 | Length of the encryption key used to encrypt/decrypt data sent between the Web Agent and the Policy Server. |
webAgentUTC | Display string | The startup time of the Web server where the Web Agent is installed. The time is specified in Universal Coordinated Time format. |
webAgentTimeZone | Integer32 | Time zone for the geographical location where the Web Agent is installed. |
webAgentSocketCount | Gauge32 | Number of open sockets, which corresponds to the number of open connections between the Policy Server and the Web Agent. Note: Because the Web Agent architecture has changed, SocketCount has no value. |
webAgentResourceCacheCount | Integer32 | Number of entries in the resource cache. The resource cache stores information about recently accessed resources to speed up subsequent requests for the same resource. The number of entries in the resource cache can be 0 to n, where n is the maximum cache size specified in the Web Agent’s configuration. |
webAgentResourceCacheHits | Integer32 | Number of times that the resource cache is accessed. This number indicates how frequently CA SiteMinder® is using cached resources. |
webAgentResourceCacheMisses | Integer32 | The number of times the Web Agent could not locate a resource in the resource cache. This occurs when: |
webAgentUserSessionCacheCount | Integer32 | Number of entries in the user session cache. The user session cache stores information about users who have recently accessed resources. Storing user information speeds up resource requests. The number of entries in the user session cache can be 0 to n, where n is the maximum cache size specified in the Web Agent’s configuration. Note: The user session cache count may differ based on the Web server where the session cache is located. |
webAgentUserSessionCacheHits | Integer32 | Number of times that Web Agent accessed the user session cache. |
webAgentUserSessionCacheMisses | Integer32 | The number of times the Web Agent could not locate user session information in the user session cache. This occurs when: |
webAgentIsProtectedCount | Integer32 | Number of times the Web Agent has checked the Policy Server to see if a resource is protected. Note: If the resource cache is set to 0, two or more IsProtected calls may be recorded per login attempt. If the Web Agent is not caching information, it must check with the Policy Server to determine whether or not a resource is protected each time a request is made to the Web server. If the resource cache is not set to 0, only one IsProtected call will be recorded. In this case, the Web Agent makes one IsProtected call to the Policy Server; subsequent requests to the Web server for the same resource are satisfied against the Web Agent’s resource cache until the resource in the cache expires or the resource cache is flushed. |
webAgentIsProtectedErrors | Integer32 | Number of times an error has occurred when the Web Agent asks the Policy Server whether or not a resource is protected. An error indicates a communication failure between the Web Agent and the Policy Server. |
webAgentIsProtectedAvgTime | Unsigned32 | The average amount of time it takes for the Web Agent to determine from the Policy Server whether or not a resource is protected. |
webAgentLoginCount | Counter32 | Number of login attempts made from this Web Agent. |
webAgentLoginErrors | Counter32 | Number of errors that occurred during login attempts. An error indicates a communication failure between the Web Agent and the Policy Server. |
webAgentLoginFailures | Counter32 | Number of failed login attempts because users were not authenticated or authorized by the Policy Server. |
webAgentLoginAvgTime | Unsigned32 | Average time it takes for a user to log into a resource. |
webAgentValidationCount | Counter32 | The number of times a specific Web Agent attempted to validate a session cookie against the Policy Server to authenticate a user, instead of matching that user’s credentials to a user directory entry. (The Web Agent creates a session cookie on the user’s browser when a user is successfully authenticated, and uses that cookie to authenticate the user on subsequent requests for new resources.) |
webAgentValidationErrors | Counter32 | The number of errors that have occurred when the Web Agent attempted to validate a user session. Errors indicate a communication failure between the Web Agent and the Policy Server. |
webAgentValidationFailures | Counter32 | The number of times the Web Agent has failed to validate a user session because of an invalid session cookie. |
webAgentValidationAvgTime | Unsigned32 | Average amount of time it takes to validate a cookie used to authenticate a user (in milliseconds). Cookies may be used to authenticate a user in a single sign-on environment. |
webAgentAuthorizeCount | Counter32 | Number of authorization attempts made by this Agent. An authorization attempt occurs when a user supplies credentials to the Policy Server in order to access a protected resource. |
webAgentAuthorizeErrors | Counter32 | Number of errors that occurred during authorization attempts made by this Web Agent. An error indicates a communication failure between the Web Agent and Policy Server during an authorization call. |
webAgentAuthorizeFailures | Counter32 | Number of failed authorization attempts. An authorization attempt fails when a user enters invalid credentials. |
webAgentAuthorizeAvgTime | Integer32 | Indicates the average time it takes to authorize a user (in milliseconds). |
webAgentCrosssiteScriptHits | Integer32 | Number of cross-site scripting hits. A cross-site scripting hit consists of malicious code embedded in pages at your site. For more information about cross-site scripting, see the CA SiteMinder® Web Agent Configuration Guide. |
webAgentBadURLcharsHits | Integer32 | Number of requests that the Agent refuses because of bad URL characters. Bad URL characters are specifically blocked to prevent a Web client from evading CA SiteMinder® rules. These characters are specified in the Web Agent’s configuration. |
webAgentBadCookieHitsCount | Gauge32 | Number of cookies that the Web Agent could not decrypt. |
webAgentExpiredCookieHitsCount | Gauge32 | Number of requests that contained an expired cookie. |
The following table contains the objects in the CA SiteMinder® MIB, under iso.org…siteminder.smEvents, for system events that can be mapped to SNMP traps using the CA SiteMinder® Event Manager.
Event Name | Event ID | Event Category | Event Category Type |
---|---|---|---|
serverInit | SmLogSystemEvent_ServerInit | Server activity | System |
serverUp | SmLogSystemEvent_ServerUP | | |
serverDown | SmLogSystemEvent_ServerDown | | |
serverInitFail | SmLogSystemEvent_ServerInitFail | | |
dbConnectionFailed | SmLogSystemEvent_DbConnectFail | | |
ldapConnectionFailed | SmLogSystemEvent_LDAPConnectFail | | |
logFileOpenFail | SmLogSystemEvent_LogFileOpenFail | System Activity | |
agentConnectionFailed | SmLogSystemEvent_AgentConnectionFail | | |
authReject | SmLogAccessEvent_AuthReject | Authentication | Access |
validateReject | SmLogAccessEvent_ValidateReject | | |
azReject | SmLogAccessEvent_AzReject | Authorization | |
adminReject | SmLogAccessEvent_AdminReject | Administration | |
objectLoginReject | SmLogObjEvent_LoginReject | Authentication | Object |
objectFailedLogin | SmLogObjEvent_FailedLoginAttemptsCount | | |
emsLoginFailed | SmLogEmsEvent_LoginFail | DirectorySession | EMS |
emsAuthFailed | SmLogEmsAuthFail | | |

Copyright © 2013 CA. All rights reserved.