

Audit Logging

CA SiteMinder® Federation Standalone automatically creates an audit log, smaccess.log, located in the directory federation_install_dir/logs/server. This log remains empty until you enable logging for authentication events or authorization events, or both, using the XPSConfig command.

Note: XPSConfig is case-sensitive on UNIX platforms.

To enable audit logging

  1. Open a command window.
  2. Type XPSConfig at the command prompt.

    The Product Menu is displayed.

  3. Enter SM.

    The list of parameters with their current values is displayed.

  4. (Optional) Enter f to filter the list of settings.

    At the Enter Filter prompt enter report to find all the settings related to audit log.

  5. Enter the number associated with the type of audit logging to enable.
    ReportAuth

    Specifies the log settings for authentication events.

    ReportAz

    Specifies the log settings for authorization events.

  6. Enter c to change the value. The default is 0, which means that no events are logged.
  7. Enter one of the following values at the prompt:

    1 = log all events

    2 = log only rejection events

  8. Enter q until you return to the Products Menu.

    Audit logging is enabled.

Note: You can repeat this procedure at any time to update the audit log settings.

Set the Audit Log Name and Location (Optional)

The default name for the audit log is smaccess.log, and the default location is federation_install_dir/logs/server. You can change these values.

Follow these steps:

  1. Open a command window.
  2. Type XPSConfig at the command-line prompt.

    Note: XPSConfig is case-sensitive on UNIX platforms.

    The Product Menu is displayed.

  3. Enter SM.

    The list of parameters and their values is displayed.

  4. (Optional) Enter f to filter the list of settings.

    At the Enter Filter prompt enter text to find the setting related to audit log text file name.

  5. Enter the number associated with the ReportTextFile setting.

    The current value is displayed.

  6. Enter c to change the file name.
  7. Enter a valid path and a new file name.
  8. Enter q until you return to the system command prompt.

The new file name and location are saved.

Use an ODBC Database for Audit Logging (Optional)

You can use an ODBC database to record audit data instead of the default text file.

Follow these steps:

  1. Change the audit log storage type to ODBC.
  2. Configure an ODBC data source. Refer to one of the following sets of instructions:

Change the Audit Log Storage Type

The audit log is in text format, by default. To store audit data in an ODBC database, change the storage type of the log.

Important! If you change the audit log storage type from TEXT to ODBC, you cannot change it back.

Follow these steps:

  1. Open a command window.
  2. Type XPSConfig at the command-line prompt.

    Note: XPSConfig is case-sensitive on UNIX platforms.

    The Product Menu is displayed.

  3. Enter SM.

    The list of parameters and their current values is displayed.

  4. (Optional) Enter f to filter the list of settings.

    At the Enter Filter prompt enter store to find all the settings that are related to the audit log storage type.

  5. Enter the number for the LogStoreNamespace setting.

    The current value is displayed.

  6. Enter c to change the storage type.
  7. Enter ODBC: at the prompt.

    Note: Include the colon in the entry.

  8. Type q twice to return to the list of parameters.
  9. Configure these additional settings. Enter the number for each setting to modify it.

    Note: Enter f to filter the list of settings. At the Enter Filter prompt, enter Db to find all the settings related to audit log database.

    DbLogAdminName

    Specifies the data source user name for the audit log.

    Limits: A string; only applies when LogStoreNamespace is set to ODBC:.

    DbLogAdminPassword

    Specifies the data source user password for the audit log.

    Limits: A string; only applies when LogStoreNamespace is set to ODBC:.

    DbLogDataSource

    Specifies the data source name for the audit log.

    Limits: A string; only applies when LogStoreNamespace is set to ODBC:.

    DbLogMaxConnections

    Specifies the maximum number of connections to the data source for the audit log.

    Default: 15

    Limits: Must be an integer; only applies when LogStoreNamespace is set to ODBC:.

    DbLogUseDefault

    Specifies whether the audit log will use the same ODBC data source as the policy store.

    Default: FALSE

    Limits: TRUE or FALSE; only applies when LogStoreNamespace is set to ODBC:.

  10. Enter q enough times to return to the system command prompt.
  11. To use an ODBC database to record audit data, set up a data source.

Create a SQL Server Data Source on Windows

ODBC requires that you configure a data source for the MS SQL Server wire protocol.

To create the data source on Windows

  1. Do one of the following:

    The ODBC Data Source Administrator appears.

  2. Click the System DSN tab.

    System data source settings appear.

  3. Click Add.

    The Create New Data Source dialog appears.

  4. Select CA SiteMinder® SQL Server Wire Protocol and click Finish.

    The ODBC SQL Server Wire Protocol Driver Setup dialog appears.

  5. Enter the data source name in the Data Source Name field.

    Example: CA SiteMinder® Federation Standalone Data Source.

    Note: Take note of your data source name. This information is required as you configure your database as a policy store.

  6. Enter the name of the MS SQL Server host system in the Server field.
  7. Enter the database name in the Database Name field.
  8. Click Test.

    The connection settings are tested and a prompt appears specifying that the connection is successful.

  9. Click OK.

    The SQL Server data source is configured and appears in the System Data Sources list.

Create a SQL Server Data Source on UNIX Systems

The CA SiteMinder® Federation Standalone ODBC data sources are configured using a system_odbc.ini file, which you create by renaming sqlserverwire.ini, located in federation_install_dir/siteminder/db, to system_odbc.ini. This system_odbc.ini file contains all of the names of the available ODBC data sources as well as the attributes that are associated with these data sources. This file must be customized to work for each site. Also, you can add additional data sources to this file, such as defining additional ODBC user directories for CA SiteMinder®.

The first section of the system_odbc.ini file, [ODBC Data Sources], contains a list of all of the currently available data sources. The name before the “=” refers to a subsequent section of the file describing each individual data source. After the “=” is a comment field.

Note: If you modify the first line of the data source entry, which is [CA SiteMinder® Data Source], take note of the change because you will need this value when you configure your ODBC database as a policy store.

Each data source has a section in the system_odbc.ini file describing its attributes. The first attribute is the ODBC driver to be loaded when this data source is used by CA SiteMinder®. The remaining attributes are specific to the driver.

Adding an MS SQL Server data source involves adding a new data source name in the [ODBC Data Sources] section of the file, and adding a section that describes the data source using the same name as the data source. You need to change the system_odbc.ini file if you create a new service name or want to use a different driver. You should have entries for the Oracle or SQL drivers under [CA SiteMinder® Data Source].

Again, to configure a MS SQL Server data source, you must first create a system_odbc.ini file in the federation_install_dir/siteminder/db directory. To do this, you need to rename sqlserverwire.ini, located in federation_install_dir/siteminder/db, to system_odbc.ini.

Create an Oracle Data Source on Windows

Create an ODBC data source for an Oracle database.

Follow these steps:

  1. Do one of the following:

    The ODBC Data Source Administrator appears.

  2. Click the System DSN tab, and then click Add.

    The Create New Data Source dialog appears.

  3. Select CA SiteMinder® Oracle Wire Protocol, and click Finish.

    The ODBC Oracle Wire Protocol Driver Setup dialog appears. The General tab is pulled to the front.

  4. Enter a name that identifies the data source in the Data Source Name field.

    Note: Record this name. You will need the data source name when pointing the Policy Server to the database.

  5. Enter the machine name where the Oracle database is installed in the Host Name field.
  6. Enter the port number where the Oracle database is listening on the machine in the Port Number field.
  7. Enter the name of the Oracle instance to which you want to connect in the SID field.

    Note: The service name is specified in the tnsnames.ora file. The SID is the system identifier for the database instance. The tnsnames.ora file contains service names and details that Oracle uses to identify and connect to Oracle instances.

    Example: if the tnsnames.ora file contains the following entry for an Oracle instance, you enter instance1 in the SID field:

    instance1 =
    
    (Description=
    (Address = (PROTOCOL = TCP)(Host = myhost)(Port=1521))
    (Connect_DATA = (SID = SIDofinstance1))
    )
    
  8. Click Test Connection.

    The connection settings are tested and a prompt appears specifying that the connection is successful.

  9. Click OK.

    The Oracle data source is configured for the wire protocol driver.

Create an Oracle Data Source on a UNIX System

The CA SiteMinder® ODBC data sources are configured using a system_odbc.ini file, which you create by renaming oraclewire.ini, located in federation_install_dir/siteminder/db, to system_odbc.ini. This system_odbc.ini file contains all of the names of the available ODBC data sources as well as the attributes that are associated with these data sources. This file must be customized to work for each site. Also, you can add additional data sources to this file, such as defining additional ODBC user directories for CA SiteMinder®.

The first section of the system_odbc.ini file, [ODBC Data Sources], contains a list of all of the currently available data sources. The name before the “=” refers to a subsequent section of the file describing each individual data source. After the “=” is a comment field.

Note: If you modify the first line of the data source entry, which is [CA SiteMinder® Data Source], take note of the change because you will need this value when you configure your ODBC database as a policy store.

Each data source has a section in the system_odbc.ini file describing its attributes. The first attribute is the ODBC driver to be loaded when this data source is used by CA SiteMinder®. The remaining attributes are specific to the driver.

Adding an Oracle Data source involves adding a new data source name in the [ODBC Data Sources] section of the file, and adding a section that describes the data source using the same name as the data source. You need to change the system_odbc.ini file if you create a new service name or want to use a different driver. You should have entries for the SQL Server or Oracle drivers under [CA SiteMinder® Data Source].

Again, to configure an Oracle data source, you must first create a system_odbc.ini file in the federation_install_dir/siteminder/db directory. To do this, you need to rename oraclewire.ini, located in federation_install_dir/siteminder/db, to system_odbc.ini.
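The system_odbc.ini layout described in the two UNIX sections above (an [ODBC Data Sources] list, then one section per data source that names the driver) can be checked for consistency before the server is pointed at the file. This is an added example, not CA code: the sample file, its data source names and the placeholder driver paths are constructed, and the attribute name Driver is assumed from standard odbc.ini usage.

```python
import configparser

LIST_SECTION = "ODBC Data Sources"

# Constructed sample in the layout the page describes; names and paths are placeholders.
SAMPLE_INI = """\
[ODBC Data Sources]
Example Policy Source=Policy store (comment field)
Example Audit Source=Audit log database (comment field)
Orphan Listing=Listed here, but no section follows

[Example Policy Source]
Driver=/placeholder/path/to/wire_protocol_driver.so
Description=constructed example

[Example Audit Source]
Description=Driver attribute left out on purpose

[Unlisted Data Source]
Driver=/placeholder/path/to/wire_protocol_driver.so
"""


def check_odbc_ini(text):
    """Return (data_source, problem) pairs for inconsistencies in the ini text."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str  # keep data source names case-sensitive
    parser.read_string(text)
    if not parser.has_section(LIST_SECTION):
        return [(LIST_SECTION, "section missing")]
    listed = list(parser[LIST_SECTION])
    findings = []
    for name in listed:
        if not parser.has_section(name):
            findings.append((name, "listed but has no section"))
        # Checks that a non-empty Driver attribute is present (not its position).
        elif not any(key.lower() == "driver" and value.strip()
                     for key, value in parser.items(name)):
            findings.append((name, "section has no Driver attribute"))
    for section in parser.sections():
        if section != LIST_SECTION and section not in listed:
            findings.append((section, "section not listed"))
    return findings


if __name__ == "__main__":
    for source, problem in check_odbc_ini(SAMPLE_INI):
        print(f"{source}: {problem}")
```

To check a real file, pass its contents to check_odbc_ini() in place of SAMPLE_INI.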