SiteMinder Log Gathering requirements for Support

book

Article ID: 50091

calendar_today

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On

Issue/Introduction

Description:

This Document list the log files needed by support to trouble shoot different components of the SiteMinder family including the following:

  1. Policy server issue

  2. Report Server
  3. WAMUI
  4. Session Server

 

    • Web Agent Issues
    • Application Server Agent Issues
    • ERP Agent Issues
    • Federation Issues
    • Secure Proxy Server Issues
    • Identity Manager Issues
    • Advanced Password Services
    • Identity Minder / Identity Manager

Solution:

General Guidelines for Providing Log files to CA SiteMinder Security Support Cases

To determine root cause, CA SiteMinder Security Support typically needs a certain set of data to be collected. Providing the information as described in the table below up front when the case is opened will expedite resolution.

The logs with full tracing (as opposed to partial tracing) provide the Support Engineer a great deal of insight into the state of the environment leading up to the error condition. More limited tracing or no logging is almost always insufficient

CA SiteMinder Security Support certainly understands that most production environments are not set to full logging. In these scenarios, CA will do its best to analyze the data provided however in many cases this may not provide enough information to determine the root cause of the issue and higher log levels will be requested. This document is only a baseline of data as some issues will require additional data collection which the Support Engineer will request as necessary.

Problem Area Log File(s) Ideal Log Level
Advanced Password Services
  • APS.cfg
  • Webagent Logs
  • Web agent trace logs ***
  • Policy Server smps.log
  • Policy server Smaceess.log
  • Policy server trace logs **
  • "Trace" enabled
  • NA
  • See Web agent section
  • NA
  • NA
  • See Policy Server Section
ASA - Web Logic 11.x

 

and above
  • ASA Connection log
  • ASA Providers log
  • WebLogic Server log
  •  
  • Show startup messages
  • 4 providers (IA, AU, AZ, and ADJ)
  • WebLogic system message
  • Web server that forwards requests
ASA - WebSphere 8.1

 

and above
  • ASA Connection log
  • ASA Providers log
  • WebSphere Server log
  • SystemOut.log
  • SystemErr.log
  • Show startup messages
  • 4 providers (IA, AU, AZ, and ADJ)
  • WebSphere system message
ERP Agent
(PeopleSoft Connector)
  • Front-end Agent error log ***
  • Front-end Webagent Logs
  • Front-end web server error/access logs
  • Session Linker Log
  • Session Linker Daemon Log
  • ERP Agent log (from peoplecode.txt)
  • Deployed 'peoplecode.txt'
  • Export of relevant Realm(s)/Policy
  • Policy Server error log (smps.log)
  • Policy Server access log (smaccess.log)
  • Policy Server Trace Logs **
  • See Web agent Logging
  • NA
  • NA
  • NA
  • NA
  • NA
  • NA
  • NA
  • NA
  • NA
  • See Policy Server trace logs section
ERP Agent
(SAP WebAS SMSSW)
  • Front-end Agent Trace logs ***
  • Front-end Webagent Logs
  • Front-end web server error/access logs
  • SmWebAsSSO.conf
  • SAP authschemes.xml
  • http://webserver:port/testapp/testconfig.jsp
  • SAP defaultTrace.trc with SiteMinder logging enabled
  • SAP security.log, if enabled
  • SAP responses.trc, if enabled
  • Session Linker Log
  • Session Linker Daemon Log
  • One of the following test pages:
    • http://<machine.domain.com>/smwebasagent/webastest.asp
    • http://<machine.domain.com>/smwebasagent/webastest.jsp
    • http://<machine.domain.com>/smwebasagent/webastest.pl
  • Policy Server error log (smps.log)
  • Policy Server access log (smaccess.log)
  • Policy Server Trace Logs **
  • See Web agent Logging
  • NA
  • NA
  • NA
  • NA
  • NA
  • NA
  • NA
  • NA
  • NA
  • NA
  • NA
  • NA
  • NA
  • See Policy Server trace logs section
ERP Agent
(SAP ITS SMSST)
  • Front-end Agent trace logs ***
  • Front-end Webagent Logs
  • Front-end web server error/access logs
  • Session Linker Log
  • Session Linker Daemon Log
  • NPSHeader2PCookie log
  • SAP ITS (PAS module) logs
  • ERP Agent error log
  • ERP Agent 'zsmsapsso.srvc' file
  • Export of relevant Realm(s)/Policy
  • Policy Server error log (smps.log)
  • Policy Server access log (smaccess.log)
  • Policy Server Trace Logs **
  • See Web agent Logging
  • NA
  • NA
  • NA
  • NA
  • Log level=3
  • NA
  • NA
  • NA
  • NA
  • NA
  • NA
  • See Policy Server trace logs section
ERP Agent (Siebel Connector)
  • Front-end Agent trace logs ***
  • Front-end Webagent Logs
  • Front-end web server error/access logs
  • Siebel Web Service Extensions (SWE) logs
  • Siebel Object Manager application logs
  • Session Linker Log
  • Session Linker Daemon Log
  • SiteMinder Security Adapter log
  • Export of relevant Realm(s)/Policy
  • Policy Server error log (smps.log)
  • Policy Server access log (smaccess.log)
  • Policy Server Trace Logs**
  • See Web agent Logging
  • NA
  • NA
  • NA
  • NA
  • NA
  • NA
  • Log Level 3
  • NA
  • NA
  • NA
  • See Policy Server trace logs section
12.8.3 Policy Server**
  • Smps.log
  • PS Minimal Trace
  • SM exec log
  • SM access log
  • NA
  • See Section Below
  • Policy startup logs
  • Admin UI access
12.8.06 Policy Server**
  • Smps.log
  • PS Minimal Trace
  • SM exec log
  • SM access log
  • NA
  • See Section Below
  • Policy startup logs
  • Admin UI access
R12.8 WAMUI
  • Application logs
  • Boot.log, sever.log
R12.8 Report Server
  • Application logs
  • Tomcat Logs
  • Report server installation logs
  • Policy server smps.log
  • Policy server trace logs **
  • Boot.log, Server.log
  • NA
  • NA
  • NA
  • See Policy server section
12.52.X Web Agent*
  • Web Agent logs
  • Web Agent Trace log***
  • WebAgent.conf And SmHost.conf
  • Web server configuration files
  • Web Server Error and Access logs
  • HTTP Header trace
  • NA
  • See below
  • Web agent configuration files
  • Examples: Magnus.conf, HTTPD.conf, obj.cof, Server.xml. Startup scripts, metabase.xml or web.confg
  • We server messages
  • Using either Fiddler 2 or IE Headers are preferable.
Password Services
  • Web Agent.log
  • Web agent trace logs ***
  • Policy Server trace Logs **
  • NA
  • See Webagent logging
  • See Policy Server trace logs
Secure Proxy Server
  • Version of SPS + platform
  • SPS (Agent) error log
  • SPS (Agent) trace log
  • SPS (Apache) error log
  • SPS (Apache) access log
  • SPS (Tomcat) server.log
  • SPS (Tomcat) nohup.out (if unix)
  • Policy Server error log (smps.log)
  • Policy Server access log (smaccess.log)
  • Policy server trace logs ***
  • HTTP Header trace (CRITICAL)
  • Httpclient.log
  • Set Proxyrules.dtd
  • NA
  • NA
  • NA
  • NA
  • NA
  • NA
  • NA
  • NA
  • NA
  • See Policy server section
  • NA
  • NA
  • Debug =Yes
Identity Minder

 

Identity Manager
  • Application Server Log
  • Smps.log (6.x Policy Server)
  • Profiler log (6.x & 12.x Policy Server)
  • Web Agent Log
  • Web agent trace logs ***
  • Highest Level
    Set in \identityminder.ear\config\com\netegrity\config\log4j_<AppServerType>.properties where <AppServerType> = {JBoss,WebSphere,WebLogic}.
  • NA
  • Default template
  • NA
  • See Web agent trace logs
Federation **

 

SAML 1.0 / 1.1 / 2.0

Federation Security Srvcs (SMFSS)

For Non Affiliate Agent Federation (with Option Pack):

From Both sides
  • Policy server smps.log
  • Policy server trace logs **
  • Web Agent logs
  • Web agent trace logs ***
  • Affwebserv.log
  • FWStrace.log
  • Web Server Access & Error Logs
  • HTTP Header trace (CRITICAL)
  • NA
  • See Policy server section (make sure to include federation)
  • NA
  • See Web agent section ( make sure to include federation)
  • NA
  • NA
  • NA
Federation **

 

SAML 1.0

Affiliate Agent Cases: From Portal Side (Producer):
  • Policy server smps.log
  • Policy server trace logs
  • Web Agent logs
  • Web agent trace logs
  • Affwebserv.log
  • FWStrace.log
  • Web Server Access & Error Logs
  • HTTP Header trace (CRITICAL)
  • NA
  • See Policy server section (make sure to include federation)
  • NA
  • See Web agent section ( make sure to include federation)
  • NA
  • NA
  • NA
  • NA
Federation **

 

From Affiliate (Consumer) - SM FSS to

SAML Affiliate Agent
  • AffiliateConfig.xml
  • Affiliateserverconf.properties
  • Affiliateserver.txt
  • affiliate.log (for non-IIS web servers)
  • HTTP Header trace (CRITICAL)
  • NA
  • NA
  • NA
  • NA
  • NA
Federation Manager
  • Server.log
  • Policy Server SMPS log **
  • FWSTrace.log and AffWebServ.log
  • WALog.log and WATrace.log
  • enable "Federation Database Objects Trace" using xpsconfig which logs to the SMPS log
  • Proxy embedded Web agent trace ****
  • set to log level 5 in federation_mgr_home\secure-proxy\proxy-engine\conf\server.conf) - located federation_mgr_home/logs/ui/server.log
  • NA
  • located federation_mgr_home\logs\FWS - set up logs in federation_mgr_home\secure-proxy\proxy-engine\Tomcat\webapps\affwebservices\WEB-INF\classes\LoggerConfig.properties
  • set in the /federation_mgr_home/secure-proxy/proxy-engine/conf/defaultagent LocalConfig.conf - trace settings here same as agents with full tracing - TraceConfigFile="federation_mgr_home\secure-proxy\proxy-engine\conf\defaultagent\SecureProxyTrace.conf")
  • NA
  • NA
Note: Communications errors indicated by 20-0003 and 20-0002 errors will also require policy server logs.

 

Note: Policy Server hang conditions will also require a pstack against the hung process on Solaris 9 or 10 and a packaged core.
** For PS Profiler use
ps-minimal-trace.conf.txt		 Components: Server/Connection_Management, Server/Policy_Server_General, IsProtected, Login_Logout/Function_Begin_End, Login_Logout/Authentication, Login_Logout/Send_Response, Login_Logout/Receive_Request, IsAuthorized, Tunnel_Service, JavaAPI, Fed_Client, Fed_Server, ODBC/Sql_Statement_Begin_End, ODBC/Connection_Management, ODBC/Sql_Errors, ODBC/Connection_Monitor, LDAP/Ldap_Call_Begin_End, LDAP/Connection_Management, LDAP/Ldap_Error_Messages

Data: Date, PreciseTime, Pid, Tid, SrcFile, Function, TransactionID, SessionID, AgentName, Resource, User, Group, Realm, Domain, Directory, Policy, AgentType, Rule, ErrorValue, ReturnValue, ErrorString, IPAddr, IPPort, Result, Returns, CallDetail, Data, Message		  
*** Web agent trace config file Components: AgentFramework, HTTPAgent, AgentFunc, Agent_Con_Manager

Data: Date, PreciseTime, Pid, Tid, TransactionID, Function, Message, SrcFile, User, Domain, Realm, AgentName, DomainOID, IPAddr, IPPort, RequestIPAddr, CertSerial, SubjectDN, IssuerDN, SessionSpec, SessionID, UserDN, Resource, Action, RealmOID, ResponseTime		  
****Federation Manager Proxy built in web agent tracing The proxy engine has an embedded Web Agent. You can monitor Web Agent run time activities by enabling tracing in the Agent LocalConfig.conf file.

 

To enable Web Agent tracing

  1. Navigate to the following directory:
    /federation_mgr_home/secure-proxy/proxy-engine/conf/defaultagent
  2. Make a backup copy of the LocalConfig.conf file
  3. Edit the LocalConfig.conf file by replacing the entire contents of the file with the following text:
    LogFileName="federation_mgr_home\secure-proxy\Federation\log\WALog.log"
    LogFile="YES"
    TraceConfigFile="federation_mgr_home\secure-proxy\proxy-engine\conf\defaultagent\SecureProxyTrace.conf"
    TraceFileName="federation_mgr_home\logs\server\WATrace.log"
    TraceFile="YES"
    Note: Change the back slash character to a forward slash (/) in the paths if Federation Manager is installed on a Solaris operating environment.
  4. Save and close the LocalConfig.conf file.
  5. Open the WebAgent.conf file.
  6. Remove the pound sign (#) to uncomment the localconfigfile line.
  7. Save and close the WebAgent.conf file.
  8. Restart the Federation Manager services according to your operating environment.
  

HTTP Head tools:

In order or preference for Support

HTTP Watch is not recommended as this is a licensed product that CA does not currently license. Because of this the information that CA support can see when they use the free copy of this software is very limited.

Environment

Release:
Component: SMPLC

Resolution

SiteMinder / IDM side of logs

Powered by Wolken Software