SiteMinder Log Gathering requirements for Support

search cancel

SiteMinder Log Gathering requirements for Support

book

Article ID: 50091

calendar_today

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On SITEMINDER CA Single Sign On Agents (SiteMinder) CA Single Sign On Federation (SiteMinder)

Issue/Introduction

This document lists the log files needed by support to troubleshoot different components of the SiteMinder family including the following:

Policy server issue
Report Server
WAMUI
Session Server

Web Agent Issues
Application Server Agent Issues
ERP Agent Issues
Federation Issues
Secure Proxy Server/Access Gateway Issues
Identity Manager Issues
Advanced Password Services
Identity Minder / Identity Manager

Environment

Release:
Component: SMPLC

Resolution

General Guidelines for Providing Log Files to Symantec SiteMinder Support Cases

To determine the root cause, Broadcom Support typically needs a certain set of data to be collected. Providing the information as described in the table below up front when the case is opened will expedite resolution.

The logs with full tracing (as opposed to partial tracing) provide the Support Engineer a great deal of insight into the state of the environment leading up to the error condition. More limited tracing or no logging is almost always insufficient

Broadcom Support certainly understands that most production environments are not set to full logging. In these scenarios, Broadcom will do its best to analyze the data provided however in many cases this may not provide enough information to determine the root cause of the issue and higher log levels will be requested. This document is only a baseline of data as some issues will require additional data collection which the Support Engineer will request as necessary.

Problem Area	Log File(s)	Ideal Log Level
Advanced Password Services	APS.cfg Webagent Logs Web agent trace logs * Policy Server smps.log Policy server Smaceess.log Policy server trace logs	"Trace" enabled NA See Web agent section NA NA See Policy Server Section
ASA - Web Logic 11.x and above	ASA Connection log ASA Providers log WebLogic Server log	Show startup messages 4 providers (IA, AU, AZ, and ADJ) WebLogic system message Web server that forwards requests
ASA - WebSphere 8.1 and above	ASA Connection log ASA Providers log WebSphere Server log SystemOut.log SystemErr.log	Show startup messages 4 providers (IA, AU, AZ, and ADJ) WebSphere system message
ERP Agent (PeopleSoft Connector)	Front-end Agent error log * Front-end Webagent Logs Front-end web server error/access logs Session Linker Log Session Linker Daemon Log ERP Agent log (from peoplecode.txt) Deployed 'peoplecode.txt' Export of relevant Realm(s)/Policy Policy Server error log (smps.log) Policy Server access log (smaccess.log) Policy Server Trace Logs	See Web agent Logging NA NA NA NA NA NA NA NA NA See Policy Server trace logs section
ERP Agent (SAP WebAS SMSSW)	Front-end Agent Trace logs * Front-end Webagent Logs Front-end web server error/access logs SmWebAsSSO.conf SAP authschemes.xml http://webserver.example.com:port/testapp/testconfig.jsp SAP defaultTrace.trc with SiteMinder logging enabled SAP security.log, if enabled SAP responses.trc, if enabled Session Linker Log Session Linker Daemon Log One of the following test pages: http://<machine.example.com>/smwebasagent/webastest.asp http://<machine.example.com>/smwebasagent/webastest.jsp http://<machine.example.com>/smwebasagent/webastest.pl Policy Server error log (smps.log) Policy Server access log (smaccess.log) Policy Server Trace Logs	See Web agent Logging NA NA NA NA NA NA NA NA NA NA NA NA NA See Policy Server trace logs section
ERP Agent (SAP ITS SMSST)	Front-end Agent trace logs * Front-end Webagent Logs Front-end web server error/access logs Session Linker Log Session Linker Daemon Log NPSHeader2PCookie log SAP ITS (PAS module) logs ERP Agent error log ERP Agent 'zsmsapsso.srvc' file Export of relevant Realm(s)/Policy Policy Server error log (smps.log) Policy Server access log (smaccess.log) Policy Server Trace Logs	See Web agent Logging NA NA NA NA Log level=3 NA NA NA NA NA NA See Policy Server trace logs section
ERP Agent (Siebel Connector)	Front-end Agent trace logs * Front-end Webagent Logs Front-end web server error/access logs Siebel Web Service Extensions (SWE) logs Siebel Object Manager application logs Session Linker Log Session Linker Daemon Log SiteMinder Security Adapter log Export of relevant Realm(s)/Policy Policy Server error log (smps.log) Policy Server access log (smaccess.log) Policy Server Trace Logs	See Web agent Logging NA NA NA NA NA NA Log Level 3 NA NA NA See Policy Server trace logs section
12.8.3 Policy Server**	Smps.log PS Minimal Trace SM exec log SM access log	NA See Section Below Policy startup logs Admin UI access
12.8.06 Policy Server**	Smps.log PS Minimal Trace SM exec log SM access log	NA See Section Below Policy startup logs Admin UI access
R12.8 WAMUI	Application logs	Boot.log, sever.log
R12.8 Report Server	Application logs Tomcat Logs Report server installation logs Policy server smps.log Policy server trace logs **	Boot.log, Server.log NA NA NA See Policy server section
12.52.X Web Agent*	Web Agent logs Web Agent Trace log*** WebAgent.conf And SmHost.conf Web server configuration files Web Server Error and Access logs HTTP Header trace	NA See below Web agent configuration files Examples: Magnus.conf, HTTPD.conf, obj.cof, Server.xml. Startup scripts, metabase.xml or web.confg Web server messages Using either Fiddler 2 or IE Headers are preferable.
Password Services	Web Agent.log Web agent trace logs * Policy Server trace Logs	NA See Webagent logging See Policy Server trace logs
Secure Proxy Server/Access Gateway	Version of SPS + platform SPS (Agent) error log SPS (Agent) trace log SPS (Apache) error log SPS (Apache) access log SPS (Tomcat) server.log SPS (Tomcat) nohup.out (if unix) Policy Server error log (smps.log) Policy Server access log (smaccess.log) Policy server trace logs * HTTP Header trace (CRITICAL)** Httpclient.log Set Proxyrules.dtd	NA NA NA NA NA NA NA NA NA See Policy server section NA NA Debug =Yes
Identity Minder Identity Manager	Application Server Log Smps.log (6.x Policy Server) Profiler log (6.x & 12.x Policy Server) Web Agent Log Web agent trace logs ***	Highest Level Set in \identityminder.ear\config\com\netegrity\config\log4j_<AppServerType>.properties where <AppServerType> = {JBoss,WebSphere,WebLogic}. NA Default template NA See Web agent trace logs
Federation ** SAML 1.0 / 1.1 / 2.0 Federation Security Srvcs (SMFSS) For Non-Affiliate Agent Federation (with Option Pack): From Both sides	Policy server smps.log Policy server trace logs Web Agent logs Web agent trace logs * Affwebserv.log FWStrace.log Web Server Access & Error Logs HTTP Header trace (CRITICAL)	NA See Policy server section (make sure to include federation) NA See Web agent section ( make sure to include federation) NA NA NA
Federation ** SAML 1.0 Affiliate Agent Cases: From Portal Side (Producer):	Policy server smps.log Policy server trace logs Web Agent logs Web agent trace logs Affwebserv.log FWStrace.log Web Server Access & Error Logs HTTP Header trace (CRITICAL)	NA See Policy server section (make sure to include federation) NA See Web agent section ( make sure to include federation) NA NA NA NA
Federation ** From Affiliate (Consumer) - SM FSS to SAML Affiliate Agent	AffiliateConfig.xml Affiliateserverconf.properties Affiliateserver.txt affiliate.log (for non-IIS web servers) HTTP Header trace (CRITICAL)	NA NA NA NA NA
Federation Manager	Server.log Policy Server SMPS log FWSTrace.log and AffWebServ.log WALog.log and WATrace.log enable "Federation Database Objects Trace" using xpsconfig which logs to the SMPS log Proxy embedded Web agent trace **	set to log level 5 in federation_mgr_home\secure-proxy\proxy-engine\conf\server.conf) - located federation_mgr_home/logs/ui/server.log NA located federation_mgr_home\logs\FWS - set up logs in federation_mgr_home\secure-proxy\proxy-engine\Tomcat\webapps\affwebservices\WEB-INF\classes\LoggerConfig.properties set in the /federation_mgr_home/secure-proxy/proxy-engine/conf/defaultagent LocalConfig.conf - trace settings here same as agents with full tracing - TraceConfigFile="federation_mgr_home\secure-proxy\proxy-engine\conf\defaultagent\SecureProxyTrace.conf") NA NA
Note: Communications errors indicated by 20-0003 and 20-0002 errors will also require policy server logs. Note: Policy Server hang conditions will also require a pstack against the hung process on Solaris 9 or 10 and a packaged core.
** For PS Profiler use ps-minimal-trace.conf.txt	Components: Server/Connection_Management, Server/Policy_Server_General, IsProtected, Login_Logout/Function_Begin_End, Login_Logout/Authentication, Login_Logout/Send_Response, Login_Logout/Receive_Request, IsAuthorized, Tunnel_Service, JavaAPI, Fed_Client, Fed_Server, ODBC/Sql_Statement_Begin_End, ODBC/Connection_Management, ODBC/Sql_Errors, ODBC/Connection_Monitor, LDAP/Ldap_Call_Begin_End, LDAP/Connection_Management, LDAP/Ldap_Error_Messages Data: Date, PreciseTime, Pid, Tid, SrcFile, Function, TransactionID, SessionID, AgentName, Resource, User, Group, Realm, Domain, Directory, Policy, AgentType, Rule, ErrorValue, ReturnValue, ErrorString, IPAddr, IPPort, Result, Returns, CallDetail, Data, Message
*** Web agent trace config file	Components: AgentFramework, HTTPAgent, AgentFunc, Agent_Con_Manager Data: Date, PreciseTime, Pid, Tid, TransactionID, Function, Message, SrcFile, User, Domain, Realm, AgentName, DomainOID, IPAddr, IPPort, RequestIPAddr, CertSerial, SubjectDN, IssuerDN, SessionSpec, SessionID, UserDN, Resource, Action, RealmOID, ResponseTime
****Federation Manager Proxy built-in web agent tracing	The proxy engine has an embedded Web Agent. You can monitor Web Agent run time activities by enabling tracing in the Agent LocalConfig.conf file. To enable Web Agent tracing Navigate to the following directory: /federation_mgr_home/secure-proxy/proxy-engine/conf/defaultagent Make a backup copy of the LocalConfig.conf file Edit the LocalConfig.conf file by replacing the entire contents of the file with the following text: LogFileName="federation_mgr_home\secure-proxy\Federation\log\WALog.log" LogFile="YES" TraceConfigFile="federation_mgr_home\secure-proxy\proxy-engine\conf\defaultagent\SecureProxyTrace.conf" TraceFileName="federation_mgr_home\logs\server\WATrace.log" TraceFile="YES" Note: Change the back slash character to a forward slash (/) in the paths if Federation Manager is installed on a Solaris operating environment. Save and close the LocalConfig.conf file. Open the WebAgent.conf file. Remove the pound sign (#) to uncomment the localconfigfile line. Save and close the WebAgent.conf file. Restart the Federation Manager services according to your operating environment.

HTTP Head tools:

In order or preference for Support

Fiddler
Web and HTTP Debugging and Troubleshooting Made Simple

Make sure to enable SSL decryption
Edge HTTP Header trace
Network features reference
Firefox live headers
HTTP Header Live

HTTP Watch is not recommended as this is a licensed product that Broadcom does not currently license.
Because of this, the information that Broadcom Support can see when they use the free copy of this software is very limited.

Feedback

thumb_up Yes

thumb_down No