Description:

This Document list the log files needed by support to trouble shoot different components of the SiteMinder family including the following:

1. Policy server issue
   
   
   
2. Report Server
3. WAMUI
4. Session Server

• Web Agent Issues
• Application Server Agent Issues
• ERP Agent Issues
• Federation Issues
• Secure Proxy Server Issues
• Identity Manager Issues
• Advanced Password Services
• Identity Minder / Identity Manager

Solution:

General Guidelines for Providing Log files to CA SiteMinder Security Support Cases

To determine root cause, CA SiteMinder Security Support typically needs a certain set of data to be collected. Providing the information as described in the table below up front when the case is opened will expedite resolution.

The logs with full tracing (as opposed to partial tracing) provide the Support Engineer a great deal of insight into the state of the environment leading up to the error condition. More limited tracing or no logging is almost always insufficient

CA SiteMinder Security Support certainly understands that most production environments are not set to full logging. In these scenarios, CA will do its best to analyze the data provided however in many cases this may not provide enough information to determine the root cause of the issue and higher log levels will be requested. This document is only a baseline of data as some issues will require additional data collection which the Support Engineer will request as necessary.

Problem Area	Log File(s)	Ideal Log Level
Advanced Password Services	APS.cfg Webagent Logs Web agent trace logs *** Policy Server smps.log Policy server Smaceess.log Policy server trace logs **	"Trace" enabled NA See Web agent section NA NA See Policy Server Section
ASA - Web Logic 8.1 and above	ASA Connection log ASA Providers log WebLogic Server log BEA proxy log	Show startup messages 4 providers (IA, AU, AZ, and ADJ) WebLogic system message Web server that forwards requests
ASA - WebSphere 6.1 and above	ASA Connection log ASA Providers log WebSphere Server log	Show startup messages 4 providers (IA, AU, AZ, and ADJ) WebSphere system message
ERP Agent (PeopleSoft Connector)	Front-end Agent error log *** Front-end Webagent Logs Front-end web server error/access logs Session Linker Log Session Linker Daemon Log ERP Agent log (from peoplecode.txt) Deployed 'peoplecode.txt' Export of relevant Realm(s)/Policy Policy Server error log (smps.log) Policy Server access log (smaccess.log) Policy Server Trace Logs **	See Web agent Logging NA NA NA NA NA NA NA NA NA See Policy Server trace logs section
ERP Agent (SAP WebAS SMSSW)	Front-end Agent Trace logs *** Front-end Webagent Logs Front-end web server error/access logs SmWebAsSSO.conf SAP authschemes.xml http://webserver:port/testapp/testconfig.jsp SAP defaultTrace.trc with SiteMinder logging enabled SAP security.log, if enabled SAP responses.trc, if enabled Session Linker Log Session Linker Daemon Log One of the following test pages: http://<machine.domain.com>/smwebasagent/webastest.asp http://<machine.domain.com>/smwebasagent/webastest.jsp http://<machine.domain.com>/smwebasagent/webastest.pl Policy Server error log (smps.log) Policy Server access log (smaccess.log) Policy Server Trace Logs **	See Web agent Logging NA NA NA NA NA NA NA NA NA NA NA NA NA See Policy Server trace logs section
ERP Agent (SAP ITS SMSST)	Front-end Agent trace logs *** Front-end Webagent Logs Front-end web server error/access logs Session Linker Log Session Linker Daemon Log NPSHeader2PCookie log SAP ITS (PAS module) logs ERP Agent error log ERP Agent 'zsmsapsso.srvc' file Export of relevant Realm(s)/Policy Policy Server error log (smps.log) Policy Server access log (smaccess.log) Policy Server Trace Logs **	See Web agent Logging NA NA NA NA Log level=3 NA NA NA NA NA NA See Policy Server trace logs section
ERP Agent (Siebel Connector)	Front-end Agent trace logs *** Front-end Webagent Logs Front-end web server error/access logs Siebel Web Service Extensions (SWE) logs Siebel Object Manager application logs Session Linker Log Session Linker Daemon Log SiteMinder Security Adapter log Export of relevant Realm(s)/Policy Policy Server error log (smps.log) Policy Server access log (smaccess.log) Policy Server Trace Logs**	See Web agent Logging NA NA NA NA NA NA Log Level 3 NA NA NA See Policy Server trace logs section
6.x Policy Server**	Smps.log PS Minimal Trace SM exec log SM access log	NA See Section Below Policy startup logs Admin UI access
12.x Policy Server**	Smps.log PS Minimal Trace SM exec log SM access log	NA See Section Below Policy startup logs Admin UI access
R12 WAMUI	Application logs	Boot.log, sever.log
R12 Report Server	Application logs Tomcat Logs Report server installation logs Policy server smps.log Policy server trace logs **	Boot.log, Server.log NA NA NA See Policy server section
6.x & 12 X Web Agent*	Web Agent logs Web Agent Trace log*** WebAgent.conf And SmHost.conf Web server configuration files Web Server Error and Access logs HTTP Header trace	NA See below Web agent configuration files Examples: Magnus.conf, HTTPD.conf, obj.cof, Server.xml. Startup scripts, metabase.xml or web.confg We server messages Using either Fiddler 2 or IE Headers are preferable.
Password Services	Web Agent.log Web agent trace logs *** Policy Server trace Logs **	NA See Webagent logging See Policy Server trace logs
Secure Proxy Server	Version of SPS + platform SPS (Agent) error log SPS (Agent) trace log SPS (Apache) error log SPS (Apache) access log SPS (Tomcat) server.log SPS (Tomcat) nohup.out (if unix) Policy Server error log (smps.log) Policy Server access log (smaccess.log) Policy server trace logs *** HTTP Header trace (CRITICAL) Httpclient.log Set Proxyrules.dtd	NA NA NA NA NA NA NA NA NA See Policy server section NA NA Debug =Yes
Identity Minder Identity Manager	Application Server Log Smps.log (6.x Policy Server) Profiler log (6.x & 12.x Policy Server) Web Agent Log Web agent trace logs ***	Highest Level Set in \identityminder.ear\config\com\netegrity\config\log4j_<AppServerType>.properties where <AppServerType> = {JBoss,WebSphere,WebLogic}. NA Default template NA See Web agent trace logs
Federation ** SAML 1.0 / 1.1 / 2.0 Federation Security Srvcs (SMFSS) For Non Affiliate Agent Federation (with Option Pack): From Both sides	Policy server smps.log Policy server trace logs ** Web Agent logs Web agent trace logs *** Affwebserv.log FWStrace.log Web Server Access & Error Logs HTTP Header trace (CRITICAL)	NA See Policy server section (make sure to include federation) NA See Web agent section ( make sure to include federation) NA NA NA
Federation ** SAML 1.0 Affiliate Agent Cases: From Portal Side (Producer):	Policy server smps.log Policy server trace logs Web Agent logs Web agent trace logs Affwebserv.log FWStrace.log Web Server Access & Error Logs HTTP Header trace (CRITICAL)	NA See Policy server section (make sure to include federation) NA See Web agent section ( make sure to include federation) NA NA NA NA
Federation ** From Affiliate (Consumer) - SM FSS to SAML Affiliate Agent	AffiliateConfig.xml Affiliateserverconf.properties Affiliateserver.txt affiliate.log (for non-IIS web servers) HTTP Header trace (CRITICAL)	NA NA NA NA NA
Federation Manager	Server.log Policy Server SMPS log ** FWSTrace.log and AffWebServ.log WALog.log and WATrace.log enable "Federation Database Objects Trace" using xpsconfig which logs to the SMPS log Proxy embedded Web agent trace ****	set to log level 5 in federation_mgr_home\secure-proxy\proxy-engine\conf\server.conf) - located federation_mgr_home/logs/ui/server.log NA located federation_mgr_home\logs\FWS - set up logs in federation_mgr_home\secure-proxy\proxy-engine\Tomcat\webapps\affwebservices\WEB-INF\classes\LoggerConfig.properties set in the /federation_mgr_home/secure-proxy/proxy-engine/conf/defaultagent LocalConfig.conf - trace settings here same as agents with full tracing - TraceConfigFile="federation_mgr_home\secure-proxy\proxy-engine\conf\defaultagent\SecureProxyTrace.conf") NA NA
Note: Communications errors indicated by 20-0003 and 20-0002 errors will also require policy server logs. Note: Policy Server hang conditions will also require a pstack against the hung process on Solaris 9 or 10 and a packaged core.
** For PS Profiler use ps-minimal-trace.conf.txt	Components: Server/Connection_Management, Server/Policy_Server_General, IsProtected, Login_Logout/Function_Begin_End, Login_Logout/Authentication, Login_Logout/Send_Response, Login_Logout/Receive_Request, IsAuthorized, Tunnel_Service, JavaAPI, Fed_Client, Fed_Server, ODBC/Sql_Statement_Begin_End, ODBC/Connection_Management, ODBC/Sql_Errors, ODBC/Connection_Monitor, LDAP/Ldap_Call_Begin_End, LDAP/Connection_Management, LDAP/Ldap_Error_Messages Data: Date, PreciseTime, Pid, Tid, SrcFile, Function, TransactionID, SessionID, AgentName, Resource, User, Group, Realm, Domain, Directory, Policy, AgentType, Rule, ErrorValue, ReturnValue, ErrorString, IPAddr, IPPort, Result, Returns, CallDetail, Data, Message
*** Web agent trace config file	Components: AgentFramework, HTTPAgent, AgentFunc, Agent_Con_Manager Data: Date, PreciseTime, Pid, Tid, TransactionID, Function, Message, SrcFile, User, Domain, Realm, AgentName, DomainOID, IPAddr, IPPort, RequestIPAddr, CertSerial, SubjectDN, IssuerDN, SessionSpec, SessionID, UserDN, Resource, Action, RealmOID, ResponseTime
****Federation Manager Proxy built in web agent tracing	The proxy engine has an embedded Web Agent. You can monitor Web Agent run time activities by enabling tracing in the Agent LocalConfig.conf file. To enable Web Agent tracing Navigate to the following directory: /federation_mgr_home/secure-proxy/proxy-engine/conf/defaultagent Make a backup copy of the LocalConfig.conf file Edit the LocalConfig.conf file by replacing the entire contents of the file with the following text: LogFileName="federation_mgr_home\secure-proxy\Federation\log\WALog.log" LogFile="YES" TraceConfigFile="federation_mgr_home\secure-proxy\proxy-engine\conf\defaultagent\SecureProxyTrace.conf" TraceFileName="federation_mgr_home\logs\server\WATrace.log" TraceFile="YES" Note: Change the back slash character to a forward slash (/) in the paths if Federation Manager is installed on a Solaris operating environment. Save and close the LocalConfig.conf file. Open the WebAgent.conf file. Remove the pound sign (#) to uncomment the localconfigfile line. Save and close the WebAgent.conf file. Restart the Federation Manager services according to your operating environment.

HTTP Head tools:

In order or preference for Support

1. Fiddler2
   
   
   • Downloaded at http://www.fiddler2.com
   
   
2. Make sure to enable SSL decryption
   
   

• IE HTTP Header trace
  
  
  • a. Downloaded from : http://www.blunck.info/iehttpheaders.html
    
    
• Firefox live headers
  
  
  • Download from : http://livehttpheaders.mozdev.org/
    
    

HTTP Watch is not recommended as this is a licensed product that CA does not currently license. Because of this the information that CA support can see when they use the free copy of this software is very limited.