SiteMinder Log Gathering requirements for Support
Article ID: 50091
Updated On:
Products
CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On
Issue/Introduction
Description:
This Document list the log files needed by support to trouble shoot different components of the SiteMinder family including the following:
- Policy server issue
- Report Server
- WAMUI
- Session Server
- Web Agent Issues
- Application Server Agent Issues
- ERP Agent Issues
- Federation Issues
- Secure Proxy Server Issues
- Identity Manager Issues
- Advanced Password Services
- Identity Minder / Identity Manager
- APS.cfg
- Webagent Logs
- Web agent trace logs ***
- Policy Server smps.log
- Policy server Smaceess.log
- Policy server trace logs **
- "Trace" enabled
- NA
- See Web agent section
- NA
- NA
- See Policy Server Section
- ASA Connection log
- ASA Providers log
- WebLogic Server log
- BEA proxy log
- Show startup messages
- 4 providers (IA, AU, AZ, and ADJ)
- WebLogic system message
- Web server that forwards requests
- ASA Connection log
- ASA Providers log
- WebSphere Server log
- Show startup messages
- 4 providers (IA, AU, AZ, and ADJ)
- WebSphere system message
- Front-end Agent error log ***
- Front-end Webagent Logs
- Front-end web server error/access logs
- Session Linker Log
- Session Linker Daemon Log
- ERP Agent log (from peoplecode.txt)
- Deployed 'peoplecode.txt'
- Export of relevant Realm(s)/Policy
- Policy Server error log (smps.log)
- Policy Server access log (smaccess.log)
- Policy Server Trace Logs **
- See Web agent Logging
- NA
- NA
- NA
- NA
- NA
- NA
- NA
- NA
- NA
- See Policy Server trace logs section
- Front-end Agent Trace logs ***
- Front-end Webagent Logs
- Front-end web server error/access logs
- SmWebAsSSO.conf
- SAP authschemes.xml
- http://webserver:port/testapp/testconfig.jsp
- SAP defaultTrace.trc with SiteMinder logging enabled
- SAP security.log, if enabled
- SAP responses.trc, if enabled
- Session Linker Log
- Session Linker Daemon Log
- One of the following test pages:
- http://<machine.domain.com>/smwebasagent/webastest.asp
- http://<machine.domain.com>/smwebasagent/webastest.jsp
- http://<machine.domain.com>/smwebasagent/webastest.pl
- Policy Server error log (smps.log)
- Policy Server access log (smaccess.log)
- Policy Server Trace Logs **
- See Web agent Logging
- NA
- NA
- NA
- NA
- NA
- NA
- NA
- NA
- NA
- NA
- NA
- NA
- NA
- See Policy Server trace logs section
- Front-end Agent trace logs ***
- Front-end Webagent Logs
- Front-end web server error/access logs
- Session Linker Log
- Session Linker Daemon Log
- NPSHeader2PCookie log
- SAP ITS (PAS module) logs
- ERP Agent error log
- ERP Agent 'zsmsapsso.srvc' file
- Export of relevant Realm(s)/Policy
- Policy Server error log (smps.log)
- Policy Server access log (smaccess.log)
- Policy Server Trace Logs **
- See Web agent Logging
- NA
- NA
- NA
- NA
- Log level=3
- NA
- NA
- NA
- NA
- NA
- NA
- See Policy Server trace logs section
- Front-end Agent trace logs ***
- Front-end Webagent Logs
- Front-end web server error/access logs
- Siebel Web Service Extensions (SWE) logs
- Siebel Object Manager application logs
- Session Linker Log
- Session Linker Daemon Log
- SiteMinder Security Adapter log
- Export of relevant Realm(s)/Policy
- Policy Server error log (smps.log)
- Policy Server access log (smaccess.log)
- Policy Server Trace Logs**
- See Web agent Logging
- NA
- NA
- NA
- NA
- NA
- NA
- Log Level 3
- NA
- NA
- NA
- See Policy Server trace logs section
- Smps.log
- PS Minimal Trace
- SM exec log
- SM access log
- NA
- See Section Below
- Policy startup logs
- Admin UI access
- Smps.log
- PS Minimal Trace
- SM exec log
- SM access log
- NA
- See Section Below
- Policy startup logs
- Admin UI access
- Application logs
- Boot.log, sever.log
- Application logs
- Tomcat Logs
- Report server installation logs
- Policy server smps.log
- Policy server trace logs **
- Boot.log, Server.log
- NA
- NA
- NA
- See Policy server section
- Web Agent logs
- Web Agent Trace log***
- WebAgent.conf And SmHost.conf
- Web server configuration files
- Web Server Error and Access logs
- HTTP Header trace
- NA
- See below
- Web agent configuration files
- Examples: Magnus.conf, HTTPD.conf, obj.cof, Server.xml. Startup scripts, metabase.xml or web.confg
- We server messages
- Using either Fiddler 2 or IE Headers are preferable.
- Web Agent.log
- Web agent trace logs ***
- Policy Server trace Logs **
- NA
- See Webagent logging
- See Policy Server trace logs
- Version of SPS + platform
- SPS (Agent) error log
- SPS (Agent) trace log
- SPS (Apache) error log
- SPS (Apache) access log
- SPS (Tomcat) server.log
- SPS (Tomcat) nohup.out (if unix)
- Policy Server error log (smps.log)
- Policy Server access log (smaccess.log)
- Policy server trace logs ***
- HTTP Header trace (CRITICAL)
- Httpclient.log
- Set Proxyrules.dtd
- NA
- NA
- NA
- NA
- NA
- NA
- NA
- NA
- NA
- See Policy server section
- NA
- NA
- Debug =Yes
- Application Server Log
- Smps.log (6.x Policy Server)
- Profiler log (6.x & 12.x Policy Server)
- Web Agent Log
- Web agent trace logs ***
- Highest Level
Set in \identityminder.ear\config\com\netegrity\config\log4j_<AppServerType>.properties where <AppServerType> = {JBoss,WebSphere,WebLogic}. - NA
- Default template
- NA
- See Web agent trace logs
- Policy server smps.log
- Policy server trace logs **
- Web Agent logs
- Web agent trace logs ***
- Affwebserv.log
- FWStrace.log
- Web Server Access & Error Logs
- HTTP Header trace (CRITICAL)
- NA
- See Policy server section (make sure to include federation)
- NA
- See Web agent section ( make sure to include federation)
- NA
- NA
- NA
- Policy server smps.log
- Policy server trace logs
- Web Agent logs
- Web agent trace logs
- Affwebserv.log
- FWStrace.log
- Web Server Access & Error Logs
- HTTP Header trace (CRITICAL)
- NA
- See Policy server section (make sure to include federation)
- NA
- See Web agent section ( make sure to include federation)
- NA
- NA
- NA
- NA
- AffiliateConfig.xml
- Affiliateserverconf.properties
- Affiliateserver.txt
- affiliate.log (for non-IIS web servers)
- HTTP Header trace (CRITICAL)
- NA
- NA
- NA
- NA
- NA
- Server.log
- Policy Server SMPS log **
- FWSTrace.log and AffWebServ.log
- WALog.log and WATrace.log
- enable "Federation Database Objects Trace" using xpsconfig which logs to the SMPS log
- Proxy embedded Web agent trace ****
- set to log level 5 in federation_mgr_home\secure-proxy\proxy-engine\conf\server.conf) - located federation_mgr_home/logs/ui/server.log
- NA
- located federation_mgr_home\logs\FWS - set up logs in federation_mgr_home\secure-proxy\proxy-engine\Tomcat\webapps\affwebservices\WEB-INF\classes\LoggerConfig.properties
- set in the /federation_mgr_home/secure-proxy/proxy-engine/conf/defaultagent LocalConfig.conf - trace settings here same as agents with full tracing - TraceConfigFile="federation_mgr_home\secure-proxy\proxy-engine\conf\defaultagent\SecureProxyTrace.conf")
- NA
- NA
- Navigate to the following directory:
/federation_mgr_home/secure-proxy/proxy-engine/conf/defaultagent - Make a backup copy of the LocalConfig.conf file
- Edit the LocalConfig.conf file by replacing the entire contents of the file with the following text:
LogFileName="federation_mgr_home\secure-proxy\Federation\log\WALog.log"
LogFile="YES"
TraceConfigFile="federation_mgr_home\secure-proxy\proxy-engine\conf\defaultagent\SecureProxyTrace.conf"
TraceFileName="federation_mgr_home\logs\server\WATrace.log"
TraceFile="YES"
Note: Change the back slash character to a forward slash (/) in the paths if Federation Manager is installed on a Solaris operating environment. - Save and close the LocalConfig.conf file.
- Open the WebAgent.conf file.
- Remove the pound sign (#) to uncomment the localconfigfile line.
- Save and close the WebAgent.conf file.
- Restart the Federation Manager services according to your operating environment.
- Fiddler2
- Downloaded at http://www.fiddler2.com
- Make sure to enable SSL decryption
Solution:
General Guidelines for Providing Log files to CA SiteMinder Security Support Cases
To determine root cause, CA SiteMinder Security Support typically needs a certain set of data to be collected. Providing the information as described in the table below up front when the case is opened will expedite resolution.
The logs with full tracing (as opposed to partial tracing) provide the Support Engineer a great deal of insight into the state of the environment leading up to the error condition. More limited tracing or no logging is almost always insufficient
CA SiteMinder Security Support certainly understands that most production environments are not set to full logging. In these scenarios, CA will do its best to analyze the data provided however in many cases this may not provide enough information to determine the root cause of the issue and higher log levels will be requested. This document is only a baseline of data as some issues will require additional data collection which the Support Engineer will request as necessary.
| Problem Area | Log File(s) | Ideal Log Level |
| Advanced Password Services | ||
| ASA - Web Logic 8.1 and above | ||
| ASA - WebSphere 6.1 and above | ||
| ERP Agent (PeopleSoft Connector) | ||
| ERP Agent (SAP WebAS SMSSW) | ||
| ERP Agent (SAP ITS SMSST) | ||
| ERP Agent (Siebel Connector) | ||
| 6.x Policy Server** | ||
| 12.x Policy Server** | ||
| R12 WAMUI | ||
| R12 Report Server | ||
| 6.x & 12 X Web Agent* | ||
| Password Services | ||
| Secure Proxy Server | ||
| Identity Minder Identity Manager | ||
| Federation ** SAML 1.0 / 1.1 / 2.0 Federation Security Srvcs (SMFSS) For Non Affiliate Agent Federation (with Option Pack): From Both sides | ||
| Federation ** SAML 1.0 Affiliate Agent Cases: From Portal Side (Producer): | ||
| Federation ** From Affiliate (Consumer) - SM FSS to SAML Affiliate Agent | ||
| Federation Manager | ||
| Note: Communications errors indicated by 20-0003 and 20-0002 errors will also require policy server logs. Note: Policy Server hang conditions will also require a pstack against the hung process on Solaris 9 or 10 and a packaged core. | ||
| ** For PS Profiler use ps-minimal-trace.conf.txt | Components: Server/Connection_Management, Server/Policy_Server_General, IsProtected, Login_Logout/Function_Begin_End, Login_Logout/Authentication, Login_Logout/Send_Response, Login_Logout/Receive_Request, IsAuthorized, Tunnel_Service, JavaAPI, Fed_Client, Fed_Server, ODBC/Sql_Statement_Begin_End, ODBC/Connection_Management, ODBC/Sql_Errors, ODBC/Connection_Monitor, LDAP/Ldap_Call_Begin_End, LDAP/Connection_Management, LDAP/Ldap_Error_Messages Data: Date, PreciseTime, Pid, Tid, SrcFile, Function, TransactionID, SessionID, AgentName, Resource, User, Group, Realm, Domain, Directory, Policy, AgentType, Rule, ErrorValue, ReturnValue, ErrorString, IPAddr, IPPort, Result, Returns, CallDetail, Data, Message | |
| *** Web agent trace config file | Components: AgentFramework, HTTPAgent, AgentFunc, Agent_Con_Manager Data: Date, PreciseTime, Pid, Tid, TransactionID, Function, Message, SrcFile, User, Domain, Realm, AgentName, DomainOID, IPAddr, IPPort, RequestIPAddr, CertSerial, SubjectDN, IssuerDN, SessionSpec, SessionID, UserDN, Resource, Action, RealmOID, ResponseTime | |
| ****Federation Manager Proxy built in web agent tracing | The proxy engine has an embedded Web Agent. You can monitor Web Agent run time activities by enabling tracing in the Agent LocalConfig.conf file. To enable Web Agent tracing | |
HTTP Head tools:
In order or preference for Support
- IE HTTP Header trace
- a. Downloaded from : http://www.blunck.info/iehttpheaders.html
- a. Downloaded from : http://www.blunck.info/iehttpheaders.html
- Firefox live headers
- Download from : http://livehttpheaders.mozdev.org/
- Download from : http://livehttpheaders.mozdev.org/
HTTP Watch is not recommended as this is a licensed product that CA does not currently license. Because of this the information that CA support can see when they use the free copy of this software is very limited.
Environment
Release:
Component: SMPLC
Component: SMPLC
Feedback
Yes
No
Powered by
