Previous Topic: Using the OneView MonitorNext Topic: Configure the CA SiteMinder® Event Manager


Monitoring CA SiteMinder® Using SNMP

This section contains the following topics:

SNMP Monitoring

CA SiteMinder® MIB

Configure the CA SiteMinder® Event Manager

Start and Stop SiteMinder SNMP Support

Troubleshooting the SiteMinder SNMP Module

SNMP Monitoring

The CA SiteMinder® SNMP module enables many operational aspects of the CA SiteMinder® environment to be monitored by SNMP-compliant network management applications.

SNMP Overview

Network management takes place between two types of systems: those in control, called managing systems, and those observed and controlled, called managed systems. Managed systems can include hosts, servers, and the software components that run on those systems, or network components such as routers or intelligent repeaters.

To promote interoperability, cooperating systems adhere to the industry standard Simple Network Management Protocol (SNMP), an application-layer protocol designed to facilitate the exchange of management information between network devices.

A complete SNMP solution comprises three components:

The CA SiteMinder® SNMP module provides SNMP request handling and configurable event trapping for the CA SiteMinder® environment. It does this by collecting operational data from the CA SiteMinder® OneView Monitor and making it available in a MIB to third-party NMS applications that support the SNMP protocol (for example, HP OpenView).

Note: The 6.0 SNMP agent is backwards compatible with all CA SiteMinder® 5.x-based Agent applications.

CA SiteMinder® SNMP Module Contents

The CA SiteMinder® SNMP module consists of:

More information:

CA SiteMinder® MIB

Start and Stop SiteMinder SNMP Support

Dependencies

The CA SiteMinder® SNMP Module has the following dependencies:

SNMP Component Architecture and Dataflow

The following figure illustrates SNMP module dataflow:

Graphic showing SNMP component architecture and dataflow

CA SiteMinder® SNMP Dataflow:

  1. The SNMP Master Agent receives SNMP requests from a management application.
  2. The SNMP Master Agent forwards the SNMP request to the SNMP Subagent.
  3. The CA SiteMinder® SNMP Subagent retrieves the requested information from OneView Monitor.
  4. The CA SiteMinder® SNMP Subagent passes the retrieved information back to the SNMP Master Agent.
  5. The SNMP Master Agent generates an SNMP response and sends it back to the requesting management application.

CA SiteMinder® MIB

The CA SiteMinder® MIB provides a SNMPv2-compliant data representation of all monitored components in the CA SiteMinder® environment.

The CA SiteMinder® MIB is supplied in an ASCII text file:

SiteMinder_Install_Directory\mibs\NetegritySNMP.mib.
MIB Overview

SNMP MIB structure is logically represented by an inverse tree hierarchy. MIBs for internet-related products such as CA SiteMinder® are located under the ISO main branch of the MIB hierarchy.

The upper part of the ISO branch is shown in the following figure.

Graphic showing the upper part of the ISO branch

MIB branches, MIBs, and managed objects within MIBs are all identified by short text strings. Complete MIB hierarchies can be expressed notationally by concatenating branch and object identifiers, separating each entry with a period. For example, the private sub-branch of the internet entry shown above can be expressed as iso.org.dod.internet.private.

SiteMinder MIB Hierarchy

The CA SiteMinder® MIB can be expressed as iso.org.dod.internet.private.
enterprises.netegrity.products.siteminder.

Supported managed components represented by MIB objects are Policy Servers and Web Agents. Because there can be multiple instances of each of these components, the managed properties of each of these components are columnar objects.

Graphic showing SiteMinder MIB Hierarchy

The CA SiteMinder® MIB has three sub-branches:

Policy Server

Contains the Policy Server (policyServerTable) objects.

agents

Contains Web Agent (webAgent) objects.

smEvent

Contains SNMP trap types for system events.

MIB Object Reference

The following sections contain detailed lists of the Policy Server, Web Agent, and Event MIB objects.

Authentication Server Data

The following table contains the subset of Authentication Server properties that are exposed as objects in the CA SiteMinder® MIB, which are under iso.org…siteminder.policyServer.policyServerTable.

Object Name

SNMP Type

Object Description

policyServerIndex

Integer32

A unique identifier for the current Policy Server instance.

policyServerHostID

IP address

IP address of the machine where the Policy Server is installed.

policyServerType

Display string

Type of component.

policyServerStatus

Integer32

Status of the Policy Server. The status can be Active or Inactive.

policyServerPort

Integer32

Policy Server port number.

policyServerProduct

Display string

Policy Server product name.

policyServerPlatform

Display string

Operating system of the machine where the Policy Server is installed.

policyServerVersion

Display string

Version number of the Policy Server.

policyServerUpdate

Display string

Version number of the most recently applied update.

policyServerLabel

Display string

Policy Server build number.

policyServerCrypto

Integer32

Length of the encryption key used to encrypt/decrypt data sent between the Web Agent and the Policy Server.

policyServerUTC

Display string

The startup time of the Web server where the Policy Server is installed. The time is specified in Universal Coordinated Time format.

policyServerTime Zone

Integer32

Time zone for the geographical location where the Policy Server is installed.

policyServerMaxSockets

Integer32

Maximum number of open sockets (which correspond to the number of open connections between the Policy Server and Web Agents) that the Policy Server can support.

policyServerSocketCount

Gauge32

Number of open sockets, which corresponds to the number of open connections between the Policy Server and Web Agents.

policyServerAuth AcceptCount

Counter32

Number of successful authentications.

policyServerAuthReject-Count

Counter32

Number of failed authentication attempts. These attempts failed because of invalid credentials.

policyServerAzAccept-Count

Counter32

Number of successful authorizations.

policyServerAzReject-Count

Counter32

Number of failed authorization attempts. These attempts failed because of invalid credentials.

policyServerPolicy-CacheEnabled

Truth Value

Indicates whether or not policy cache is enabled.

policyServerL2Cache-Enabled

Truth Value

Indicates whether or not L2 cache is enabled.

Web Agent Objects in the SiteMinder MIB

The following table contains the Web Agent properties that are exposed as objects in the CA SiteMinder® MIB, which are under iso.org…siteminder.webAgentTable.webAgentEntry.

Object Name

SNMP Type

Object Description

webAgentIndex

Integer32

A unique identifier for the current Web Agent instance.

webAgentHostID

IP address

IP address of the machine where the web agent server is installed.

webAgentType

Display string

Type of component.

webAgentStatus

Integer32

Status of the Web Agent. The status can be Active or Inactive.

webAgentPort

Integer32

Web Agent port number.

webAgentProduct

Display string

Web Agent product name.

webAgentPlatform

Display string

Operating system of the machine where the Web Agent is installed.

webAgentVersion

Display string

Version number of the Web Agent.

webAgentUpdate

Display string

Version number of the most recently applied update.

webAgentLabel

Display string

Web Agent build number.

webAgentCrypto

Integer32

Length of the encryption key used to encrypt/decrypt data sent between the Web Agent and the Policy Server.

webAgentUTC

Display string

The startup time of the Web server where the Web Agent is installed. The time is specified in Universal Coordinated Time format.

webAgentTime Zone

Integer32

Time zone for the geographical location where the Web Agent is installed.

webAgentSocketCount

Gauge32

Number of open sockets, which corresponds to the number of open connections between the Policy Server and the Web Agent.

Note: Because the Web Agent architecture has changed, SocketCount has no value.

webAgentResource-CacheCount

Integer32

Number of entries in the resource cache. The resource cache stores information about recently accessed resources to speed up subsequent requests for the same resource.

The number of entries in the resource cache can be 0 to the n, where n is the maximum cache size specified in the Web Agent’s configuration.

webAgentResource-CacheHits

Integer32

Number of times that the resource cache is accessed. This number indicates how frequently CA SiteMinder® is using cached resources.

webAgentResource-CacheMisses

Integer32

The number of times the Web Agent could not locate a resource in the resource cache. This occurs when:

  • The resource has not been accessed before.
  • The cached information has expired.

webAgentUserSession-CacheCount

Integer32

Number of entries in the user session cache. The user session cache stores information about users who have recently accessed resources. Storing user information speeds up resource requests.

The number of entries in the user session cache can be 0 to n, where n is the maximum cache size specified in the Web Agent’s configuration.

Note: The user session cache count may differ based on the Web server where the session cache is located.

webAgentUserSession-CacheHits

Integer32

Number of times that Web Agent accessed the user session cache.

webAgentUserSession-CacheMisses

Integer32

The number of times the Web Agent could not locate user session information in the user session cache. This occurs when:

  • The user has not accessed a resource before.
  • The cached information has expired.

webAgentIsProtected-Count

Integer32

Number of times the Web Agent has checked the Policy Server to see if a resource is protected.

Note: If the resource cache is set to 0, two or more IsProtected calls may be recorded per login attempt. If the Web Agent is not caching information, it must check with the Policy Server to determine whether or not a resource is protected each time a request is made to the Web server.

If the resource cache is not set to 0, only one IsProtected call will be recorded. In this case, the Web Agent makes one IsProtected call to the Policy Server; subsequent requests to the Web server for the same resource are satisfied against the Web Agent’s resource cache until the resource in the cache expires or the resource cache is flushed.

webAgentIsProtected-Errors

Integer32

Number of times an error has occurred when the Web Agent asks the Policy Server whether or not a resource is protected. An error indicates a communication failure between the Web Agent and the Policy Server.

webAgentIsProtected-AvgTime

Unsigned 32

The average amount of time it takes for the Web Agent to determine from the Policy Server whether or not a resource is protected.

webAgentLoginCount

Counter 32

Number of login attempts made from this Web Agent.

webAgentLoginErrors

Counter 32

Number of errors that occurred during login attempts. An error indicates a communication failure between the Web Agent and the Policy Server.

webAgentLoginFailures

Counter 32

Number of failed login attempts because users were not authenticated or authorized by the Policy Server.

webAgentLoginAvgTime

Unsigned 32

Average time it takes for a user to log into a resource.

webAgentValidation-Count

Counter 32

The number of times a specific Web Agent attempted to validate a session cookie against the Policy Server to authenticate a user, instead of matching that user’s credentials to a user directory entry. (The Web Agent creates a session cookie on the user’s browser when a user is successfully authenticated, and uses that cookie to authenticate the user on subsequent requests for new resources.).

webAgentValidation-Errors

Counter 32

The number of errors that have occurred when the Web Agent attempted to validate a user session. Errors indicate a communication failure between the Web Agent and the Policy Server.

webAgentValidation-Failures

Counter 32

The number of times the Web Agent has failed to validate a user session because of an invalid session cookie.

webAgentValidation-AvgTime

Unsigned 32

Average amount of time it takes to validate a cookie used to authenticate a user (in milliseconds). Cookies may be used to authenticate a user in a single sign-on environment.

webAgentAuthorize-Count

Counter 32

Number of authorization attempts made by this Agent. An authorization attempt occurs when a user supplies credentials to the Policy Server in order to access a protected resource.

webAgentAuthorize-Errors

Counter 32

Number of errors that occurred during authorization attempts made by this Web Agent. An error indicates a communication failure between the Web Agent and Policy Server during an authorization call.

webAgentAuthorize-Failures

Counter 32

Number of failed authorization attempts. An authorization attempt fails when a user enters invalid credentials.

webAgentAuthorize-AvgTime

Integer32

Indicates the average time it takes to authorize a user (in milliseconds)

webAgentCrosssite-ScriptHits

Integer32

Number of cross-site scripting hits. A cross-site scripting hit consists of malicious code embedded in pages at your site. For more information about cross-site scripting, see the CA SiteMinder® Web Agent Configuration Guide.

webAgentBadURL-charsHits

Integer32

Number of requests that the Agent refuses because of bad URL characters. Bad URL characters are specifically blocked to prevent a Web client from evading CA SiteMinder® rules. These characters are specified in the Web Agent’s configuration.

webAgentBadCookie-HitsCount

Gauge32

Number of cookies that the Web Agent could not decrypt.

webAgentExpired-CookieHitsCount

Gauge32

Number of requests that contained an expired cookie.

Event Data

The following table contains the objects in the CA SiteMinder® MIB, under iso.org…siteminder.smEvents, for system events that can be mapped to SNMP traps using the CA SiteMinder® Event Manager

Event Name

Event ID

Event Category

Event Category Type

serverInit

SmLogSystemEvent_ServerInit

Server activity

System

serverUp

SmLogSystemEvent_ServerUP

serverDown

SmLogSystemEvent_ServerDown

serverInitFail

SmLogSystemEvent_ServerInitFail

dbConnectionFailed

SmLogSystemEvent_DbConnectFail

ldapConnection-Failed

SmLogSystemEvent_LDAP-ConnectFail

logFileOpenFail

SmLogSystemEvent_LogFile-OpenFail

System Activity

agentConnection-Failed

SmLogSystemEvent_Agent-ConnectionFail

authReject

SmLogAccessEvent_AuthReject

Authentication

Access

validateReject

SmLogAccessEvent_ValidateReject

azReject

SmLogAccessEvent_AzReject

Authorization

adminReject

SmLogAccessEvent_AdminReject

Administration

objectLoginReject

SmLogObjEvent_LoginReject

Authentication

Object

objectFailedLogin
AttemptsCount

SmLogObjEvent_FailedLogin-AttemptsCount

emsLoginFailed

SmLogEmsEvent_LoginFail

DirectorySession

EMS

emsAuthFailed

SmLogEmsAuthFail