Policy Server Guides › Policy Server Administration Guide › Monitoring CA SiteMinder® Using SNMP

Monitoring CA SiteMinder® Using SNMP

This section contains the following topics:

Configure the CA SiteMinder® Event Manager

Troubleshooting the SiteMinder SNMP Module

SNMP Monitoring

The CA SiteMinder® SNMP module enables many operational aspects of the CA SiteMinder® environment to be monitored by SNMP-compliant network management applications.

SNMP Overview

Network management takes place between two types of systems: those in control, called managing systems, and those observed and controlled, called managed systems. Managed systems can include hosts, servers, and the software components that run on those systems, or network components such as routers or intelligent repeaters.

To promote interoperability, cooperating systems adhere to the industry standard Simple Network Management Protocol (SNMP), an application-layer protocol designed to facilitate the exchange of management information between network devices.

A complete SNMP solution comprises three components:

SNMP Management Information Base (MIB) is a database of managed objects. The managed objects, or variables, can be read by a managing system to provide information about the managed system.
SNMP Agents are low-impact software modules that access information about the managed system and make it available to the managing system. For software systems, agent functionality is sometimes split between a master agent (provided by the host operating system) and subagent (provided by the managed application).
Note: SNMP agents, which are a standard component of all SNMP implementations should not be confused with CA SiteMinder® Agents.
SNMP Manager is typically a Network Management System (NMS) application such as HP OpenView.

The CA SiteMinder® SNMP module provides SNMP request handling and configurable event trapping for the CA SiteMinder® environment. It does this by collecting operational data from the CA SiteMinder® OneView Monitor and making it available in a MIB to third-party NMS applications that support the SNMP protocol (for example, HP OpenView).

Note: The 6.0 SNMP agent is backwards compatible with all CA SiteMinder® 5.x-based Agent applications.

CA SiteMinder® SNMP Module Contents

The CA SiteMinder® SNMP module consists of:

CA SiteMinder® SNMP MIB is the database of CA SiteMinder® objects that can be monitored by an SNMP-compliant network management system.
A CA SiteMinder® SNMP Subagent responds to SNMP requests (GET and GETNEXT only) passed to it from an SNMP master agent.
CA SiteMinder® Event Manager captures Policy Server events and, if configured to do so, generates SNMP traps (unsolicited messages sent by an SNMP agent to a SNMP NMS indicating that some event has occurred).

More information:

CA SiteMinder® MIB

Start and Stop SiteMinder SNMP Support

Dependencies

The CA SiteMinder® SNMP Module has the following dependencies:

CA SiteMinder® OneView Monitor—The CA SiteMinder® SNMP Module obtains operational information from the OneView Monitor. OneView Monitor must also be configured and running on any Policy Server on which you want to run the CA SiteMinder® SNMP Module.
SNMP Master Agent—The CA SiteMinder® SNMP Module does not provide an SNMP Master Agent. You will need to ensure that the SNMP Master Agent (Windows SNMP Service or Solstice Enterprise Master Agent) appropriate to the Operating System of the Policy Server on which you are running the CA SiteMinder® SNMP Module is also installed and enabled.

SNMP Component Architecture and Dataflow

The following figure illustrates SNMP module dataflow:

Graphic showing SNMP component architecture and dataflow

CA SiteMinder® SNMP Dataflow:

The SNMP Master Agent receives SNMP requests from a management application.
The SNMP Master Agent forwards the SNMP request to the SNMP Subagent.
The CA SiteMinder® SNMP Subagent retrieves the requested information from OneView Monitor.
The CA SiteMinder® SNMP Subagent passes the retrieved information back to the SNMP Master Agent.
The SNMP Master Agent generates an SNMP response and sends it back to the requesting management application.

CA SiteMinder® MIB

The CA SiteMinder® MIB provides a SNMPv2-compliant data representation of all monitored components in the CA SiteMinder® environment.

The CA SiteMinder® MIB is supplied in an ASCII text file:

SiteMinder_Install_Directory\mibs\NetegritySNMP.mib.

MIB Overview

SNMP MIB structure is logically represented by an inverse tree hierarchy. MIBs for internet-related products such as CA SiteMinder® are located under the ISO main branch of the MIB hierarchy.

The upper part of the ISO branch is shown in the following figure.

Graphic showing the upper part of the ISO branch

MIB branches, MIBs, and managed objects within MIBs are all identified by short text strings. Complete MIB hierarchies can be expressed notationally by concatenating branch and object identifiers, separating each entry with a period. For example, the private sub-branch of the internet entry shown above can be expressed as iso.org.dod.internet.private.

SiteMinder MIB Hierarchy

The CA SiteMinder® MIB can be expressed as iso.org.dod.internet.private.
enterprises.netegrity.products.siteminder.

Supported managed components represented by MIB objects are Policy Servers and Web Agents. Because there can be multiple instances of each of these components, the managed properties of each of these components are columnar objects.

Graphic showing SiteMinder MIB Hierarchy

The CA SiteMinder® MIB has three sub-branches:

Policy Server: Contains the Policy Server (policyServerTable) objects.
agents: Contains Web Agent (webAgent) objects.
smEvent: Contains SNMP trap types for system events.

MIB Object Reference

The following sections contain detailed lists of the Policy Server, Web Agent, and Event MIB objects.

Authentication Server Data

The following table contains the subset of Authentication Server properties that are exposed as objects in the CA SiteMinder® MIB, which are under iso.org…siteminder.policyServer.policyServerTable.

Object Name	SNMP Type	Object Description
policyServerIndex	Integer32	A unique identifier for the current Policy Server instance.
policyServerHostID	IP address	IP address of the machine where the Policy Server is installed.
policyServerType	Display string	Type of component.
policyServerStatus	Integer32	Status of the Policy Server. The status can be Active or Inactive.
policyServerPort	Integer32	Policy Server port number.
policyServerProduct	Display string	Policy Server product name.
policyServerPlatform	Display string	Operating system of the machine where the Policy Server is installed.
policyServerVersion	Display string	Version number of the Policy Server.
policyServerUpdate	Display string	Version number of the most recently applied update.
policyServerLabel	Display string	Policy Server build number.
policyServerCrypto	Integer32	Length of the encryption key used to encrypt/decrypt data sent between the Web Agent and the Policy Server.
policyServerUTC	Display string	The startup time of the Web server where the Policy Server is installed. The time is specified in Universal Coordinated Time format.
policyServerTime Zone	Integer32	Time zone for the geographical location where the Policy Server is installed.
policyServerMaxSockets	Integer32	Maximum number of open sockets (which correspond to the number of open connections between the Policy Server and Web Agents) that the Policy Server can support.
policyServerSocketCount	Gauge32	Number of open sockets, which corresponds to the number of open connections between the Policy Server and Web Agents.
policyServerAuth AcceptCount	Counter32	Number of successful authentications.
policyServerAuthReject-Count	Counter32	Number of failed authentication attempts. These attempts failed because of invalid credentials.
policyServerAzAccept-Count	Counter32	Number of successful authorizations.
policyServerAzReject-Count	Counter32	Number of failed authorization attempts. These attempts failed because of invalid credentials.
policyServerPolicy-CacheEnabled	Truth Value	Indicates whether or not policy cache is enabled.
policyServerL2Cache-Enabled	Truth Value	Indicates whether or not L2 cache is enabled.

Web Agent Objects in the SiteMinder MIB

The following table contains the Web Agent properties that are exposed as objects in the CA SiteMinder® MIB, which are under iso.org…siteminder.webAgentTable.webAgentEntry.

Object Name	SNMP Type	Object Description
webAgentIndex	Integer32	A unique identifier for the current Web Agent instance.
webAgentHostID	IP address	IP address of the machine where the web agent server is installed.
webAgentType	Display string	Type of component.
webAgentStatus	Integer32	Status of the Web Agent. The status can be Active or Inactive.
webAgentPort	Integer32	Web Agent port number.
webAgentProduct	Display string	Web Agent product name.
webAgentPlatform	Display string	Operating system of the machine where the Web Agent is installed.
webAgentVersion	Display string	Version number of the Web Agent.
webAgentUpdate	Display string	Version number of the most recently applied update.
webAgentLabel	Display string	Web Agent build number.
webAgentCrypto	Integer32	Length of the encryption key used to encrypt/decrypt data sent between the Web Agent and the Policy Server.
webAgentUTC	Display string	The startup time of the Web server where the Web Agent is installed. The time is specified in Universal Coordinated Time format.
webAgentTime Zone	Integer32	Time zone for the geographical location where the Web Agent is installed.
webAgentSocketCount	Gauge32	Number of open sockets, which corresponds to the number of open connections between the Policy Server and the Web Agent. Note: Because the Web Agent architecture has changed, SocketCount has no value.
webAgentResource-CacheCount	Integer32	Number of entries in the resource cache. The resource cache stores information about recently accessed resources to speed up subsequent requests for the same resource. The number of entries in the resource cache can be 0 to the n, where n is the maximum cache size specified in the Web Agent’s configuration.
webAgentResource-CacheHits	Integer32	Number of times that the resource cache is accessed. This number indicates how frequently CA SiteMinder® is using cached resources.
webAgentResource-CacheMisses	Integer32	The number of times the Web Agent could not locate a resource in the resource cache. This occurs when: The resource has not been accessed before. The cached information has expired.
webAgentUserSession-CacheCount	Integer32	Number of entries in the user session cache. The user session cache stores information about users who have recently accessed resources. Storing user information speeds up resource requests. The number of entries in the user session cache can be 0 to n, where n is the maximum cache size specified in the Web Agent’s configuration. Note: The user session cache count may differ based on the Web server where the session cache is located.
webAgentUserSession-CacheHits	Integer32	Number of times that Web Agent accessed the user session cache.
webAgentUserSession-CacheMisses	Integer32	The number of times the Web Agent could not locate user session information in the user session cache. This occurs when: The user has not accessed a resource before. The cached information has expired.
webAgentIsProtected-Count	Integer32	Number of times the Web Agent has checked the Policy Server to see if a resource is protected. Note: If the resource cache is set to 0, two or more IsProtected calls may be recorded per login attempt. If the Web Agent is not caching information, it must check with the Policy Server to determine whether or not a resource is protected each time a request is made to the Web server. If the resource cache is not set to 0, only one IsProtected call will be recorded. In this case, the Web Agent makes one IsProtected call to the Policy Server; subsequent requests to the Web server for the same resource are satisfied against the Web Agent’s resource cache until the resource in the cache expires or the resource cache is flushed.
webAgentIsProtected-Errors	Integer32	Number of times an error has occurred when the Web Agent asks the Policy Server whether or not a resource is protected. An error indicates a communication failure between the Web Agent and the Policy Server.
webAgentIsProtected-AvgTime	Unsigned 32	The average amount of time it takes for the Web Agent to determine from the Policy Server whether or not a resource is protected.
webAgentLoginCount	Counter 32	Number of login attempts made from this Web Agent.
webAgentLoginErrors	Counter 32	Number of errors that occurred during login attempts. An error indicates a communication failure between the Web Agent and the Policy Server.
webAgentLoginFailures	Counter 32	Number of failed login attempts because users were not authenticated or authorized by the Policy Server.
webAgentLoginAvgTime	Unsigned 32	Average time it takes for a user to log into a resource.
webAgentValidation-Count	Counter 32	The number of times a specific Web Agent attempted to validate a session cookie against the Policy Server to authenticate a user, instead of matching that user’s credentials to a user directory entry. (The Web Agent creates a session cookie on the user’s browser when a user is successfully authenticated, and uses that cookie to authenticate the user on subsequent requests for new resources.).
webAgentValidation-Errors	Counter 32	The number of errors that have occurred when the Web Agent attempted to validate a user session. Errors indicate a communication failure between the Web Agent and the Policy Server.
webAgentValidation-Failures	Counter 32	The number of times the Web Agent has failed to validate a user session because of an invalid session cookie.
webAgentValidation-AvgTime	Unsigned 32	Average amount of time it takes to validate a cookie used to authenticate a user (in milliseconds). Cookies may be used to authenticate a user in a single sign-on environment.
webAgentAuthorize-Count	Counter 32	Number of authorization attempts made by this Agent. An authorization attempt occurs when a user supplies credentials to the Policy Server in order to access a protected resource.
webAgentAuthorize-Errors	Counter 32	Number of errors that occurred during authorization attempts made by this Web Agent. An error indicates a communication failure between the Web Agent and Policy Server during an authorization call.
webAgentAuthorize-Failures	Counter 32	Number of failed authorization attempts. An authorization attempt fails when a user enters invalid credentials.
webAgentAuthorize-AvgTime	Integer32	Indicates the average time it takes to authorize a user (in milliseconds)
webAgentCrosssite-ScriptHits	Integer32	Number of cross-site scripting hits. A cross-site scripting hit consists of malicious code embedded in pages at your site. For more information about cross-site scripting, see the CA SiteMinder® Web Agent Configuration Guide.
webAgentBadURL-charsHits	Integer32	Number of requests that the Agent refuses because of bad URL characters. Bad URL characters are specifically blocked to prevent a Web client from evading CA SiteMinder® rules. These characters are specified in the Web Agent’s configuration.
webAgentBadCookie-HitsCount	Gauge32	Number of cookies that the Web Agent could not decrypt.
webAgentExpired-CookieHitsCount	Gauge32	Number of requests that contained an expired cookie.

Event Data

The following table contains the objects in the CA SiteMinder® MIB, under iso.org…siteminder.smEvents, for system events that can be mapped to SNMP traps using the CA SiteMinder® Event Manager

Event Name	Event ID	Event Category	Event Category Type
serverInit	SmLogSystemEvent_ServerInit	Server activity	System
serverUp	SmLogSystemEvent_ServerUP
serverDown	SmLogSystemEvent_ServerDown
serverInitFail	SmLogSystemEvent_ServerInitFail
dbConnectionFailed	SmLogSystemEvent_DbConnectFail
ldapConnection-Failed	SmLogSystemEvent_LDAP-ConnectFail
logFileOpenFail	SmLogSystemEvent_LogFile-OpenFail	System Activity
agentConnection-Failed	SmLogSystemEvent_Agent-ConnectionFail	System Activity
authReject	SmLogAccessEvent_AuthReject	Authentication	Access
validateReject	SmLogAccessEvent_ValidateReject	Authentication
azReject	SmLogAccessEvent_AzReject	Authorization
adminReject	SmLogAccessEvent_AdminReject	Administration
objectLoginReject	SmLogObjEvent_LoginReject	Authentication	Object
objectFailedLogin AttemptsCount	SmLogObjEvent_FailedLogin-AttemptsCount	Authentication	Object
emsLoginFailed	SmLogEmsEvent_LoginFail	DirectorySession	EMS
emsAuthFailed	SmLogEmsAuthFail	DirectorySession	EMS