
Posted by Ujwol Shrestha - Principal Support Engineer in CA Security on May 30, 2016

 

 

Doc ID#: TEC3542298
Status: Published
Title: Policy Server crashes on JVM startup after upgrade to 12.52 SP1CR4 when CAWily (Introscope) agent is integrated
Description: Policy server crashes due to JRE incompatibility with CAWily agent
Product: CA Single Sign-On
Date: 5/30/2016

Hello CA Single Sign-On Community Users,

 

Please find below the list of the latest Knowledge Base Articles for Single Sign-On (Formerly CA SiteMinder) published or updated since 2nd April 2016 for your reference:

 

Siteminder administrator audit events in smaccess log
Information on how to log administrator audit events in smaccess log
Last Update: 5/24/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1889902

500 error seen when POSTing data to protected resources on Oracle iPlanet webserver
Users get a 500 error from the iPlanet web server when trying to POST data to protected resources.
Last Update: 5/24/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1831477

Performance degradation when implementing session store with logouts
We implemented session store to minimize session replay attacks; after load test, transactions are taking too long to complete
Last Update: 5/24/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1750186

Impersonation Events are disabled when creating new rules
Impersonation Events are disabled when creating new rules. Agent type does not have actions : ImpersonateStart, ImpersonateStartUser
Last Update: 5/24/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC616948

SP Failing with SamlValidator (Pass 1)Caught unknown exception or error: java.lang.NullPointerException
Why SP is failing to process the samlresponse (assertion) with Error Stacktrace: java.lang.NullPointerException
Last Update: 5/24/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1338383

SMTRYNO Cookie is not created/generated after invalid credential login attempts
Explanation of internationalization with login FCC forms and how it affects the creation/generation of the SMTRYNO cookie.
Last Update: 5/23/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1899715

SMTRYNO cookie not being created
Customer noticed that SMTRYNO cookies were not being created despite adding the configuration and parameters to the login.fcc.
Last Update: 5/20/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1632097

CA Access Gateway (formerly Secure Proxy Server): Commonly Tuned Parameters
How to tune CA Access Gateway (SPS) parameters in order to suit typical production environment processing needs.
Last Update: 5/20/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1929227

Slow LDAP query after load balancer
The error and description is exactly same as the one we got opened few months Back .00335082 -slow LDAP query after load balancer.One of the servers started to see Ldap Delays on higher load and users started to see delay on application access. Needs
Last Update: 5/20/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1346225

When using IIS 8.0 "Application Request Routing" (ARR), SMSESSION Cookie domain is set to unexpected value.
This article explains a problem where IIS ARR is used and the domain value of the issued SMSESSION cookie was changed unexpectedly. It also provides the resolution.
Last Update: 5/20/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1190144

ACO Parameter LegacyStreamingBehavior for Apache Web server
This article explains a recommendation of LegacyStreamingBehavior when Chunked content-type or big data transfer on POST Request to Apache Web Server.
Last Update: 5/20/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1880337

FIPS Compatibility Mode Setting must be consistent in both Policy Server and Web Agent.
This article explains the requirement of FIPS Mode Setting when Compatibility mode is used.
Last Update: 5/20/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1256409

How to make the Apache 2.4 to accept Web Agent Header Variables with Underscore Characters
This technote discusses the way to let the Apache 2.4 to accept header names with underscores.
Last Update: 5/19/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC606939

Why is it that the smtransactionid is not logged in to IIS logs ?
Why is it that the smtransactionid is not logged in to IIS logs even though we enabled the appendiisserverlog option ?
Last Update: 5/19/2016    Size: 82 kb    Type: Knowledge Base Articles    ID: TEC1417427

Why is the Siteminder WebAgent not starting up?
After installing and starting the Win64 IIS7.5 agent on a Windows server IIS7.5, we can't see any LLAWP process.
Last Update: 5/18/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1946875

Web Agent Configuration of ASF Apache 2.2.31 (32-bit) for Windows
This article explains how to configure Web Agent for ASF Apache 2.2.31 (32-bit) on Windows.
Last Update: 5/18/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1319421

When using an SSL offloader, the TARGET parameter when redirected to the login.fcc page is changed to specify a http: rather than https: protocol even though the original request was made over https:
When using an SSL offloader, the TARGET parameter when redirected to the login.fcc page is changed to specify a http: rather than https: protocol even though the original request was made over https:
Last Update: 5/18/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC529421

‘back’ command is available in Installer and Configuration Wizard in console mode
This is a Tip to explain the ‘back’ command which can be used in CA SSO Installer and Configuration Wizard in console mode.
Last Update: 5/18/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1784903

Validity Duration seconds and SP Session Validity Duration
How to control assertion validity time as well as the session validity time on the SP
Last Update: 5/10/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1080105

DSigException caught while verifying assertion: Error in DSigVerifier: cert not found or sig not verified
Why am I getting the DSigException caught while verifying assertion: Error in DSigVerifier: cert not found or sig not verified when verifying signature while I made sure that the cert is imported into the CDS database
Last Update: 5/10/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1616975

Policy server crash terminates unexpectedly
Policy server crashes during LDAP failover under load, also crashes again when primary session store brought back online
Last Update: 5/10/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1768203

Read more at http://www.ca.com/us/support/ca-support-online/support-by-product/ca-single-sign-on.aspx?d=t&language=en&type=Knowledge&typeofcontent=Knowledge%20Base%20Articles&page=1

 

Please note that you can always access the full list going to the following link:

http://www.ca.com/us/support/ca-support-online/support-by-product/ca-single-sign-on.aspx?d=t&language=en&type=Knowledge&…

 

Feel free to post your questions in the community if you have questions about any of these KB articles.

 

Best Regards,

Ujwol Shrestha

Principal Support Engineer

CA Technologies

Posted by Ujwol Shrestha - Principal Support Engineer in CA Security on May 10, 2016

 

Problem Summary

Policy Server hangs if the LDAP User Directory is unresponsive or performing slowly.

 

Environment

Version : r12.5+

Policy Server OS : ANY

User Directory : LDAP (ANY)

 

Root Cause

 

If the Policy Server doesn't have an existing connection to the LDAP User Directory, it creates 3 new connections to the LDAP directory:

 

    1. PING Connection: The PING connection is used to check the health of the LDAP server periodically. One PING thread is created per LDAP failover group.

The PING thread's connection sends the following query every 30 seconds to test that the LDAP server is up and listening on the LDAP port:

SRC base="<root object>" scope=0 filter="(objectclass=*)"

    2. Search/Directory Connection: The "dir" connection is the LDAP connection used to search the directory instance (it always binds as anonymous or with the credentials given in the User Directory Object).

    3. User Connection: The "user" connection is the LDAP connection used to bind to the directory instance (it binds first as anonymous or with the credentials given in the User Directory Object, then the connection is reused to bind with the credentials of the authenticating user).

 

When a Policy Server thread performs an LDAP_BIND, it always does so under a lock, because the LDAP handle needs to be protected. This prevents the Policy Server from crashing when one worker thread is changing the handle during the bind while another thread tries to use it, for example for an LDAP search.

This means that while one worker thread is doing an LDAP bind to, say, LDAP Server A, no other worker thread can concurrently do an LDAP bind to ANY other LDAP server. So if the first LDAP bind is delayed (because the LDAP server is unresponsive or performing slowly), the remaining worker threads that are also waiting to do an LDAP bind will eventually go into a waiting/hung state. Worker threads that already have a valid LDAP connection are not impacted. This phenomenon can sometimes cause the Policy Server to hang and become unresponsive.

 

To confirm whether the Policy Server is affected by this condition, obtain a process dump of the Policy Server process (smpolicysrv.exe) and review where all the NORMAL priority threads are stuck.

For example, a pstack capture would show stacks similar to the following for this condition:

 

Thread 1 (Thread 0xe6e27b90 (LWP 17007)):

#0  0xffffe410 in __kernel_vsyscall ()

#1 0x00c3d6c3 in poll () from /lib/libc.so.6

#2  0xf5f23271 in pt_Continue () from /opt/CA/SiteMinder/PolicyServer/lib/libnspr4.so

#3  0xf5f2423d in pt_Connect () from /opt/CA/SiteMinder/PolicyServer/lib/libnspr4.so

#4  0xf5f0e869 in PR_Connect () from /opt/CA/SiteMinder/PolicyServer/lib/libnspr4.so

#5  0xf6026b58 in prldap_try_one_address () from /opt/CA/SiteMinder/PolicyServer/lib/libprldap60.so

#6  0xf6026e40 in prldap_connect () from /opt/CA/SiteMinder/PolicyServer/lib/libprldap60.so

#7  0xf6070e06 in nsldapi_connect_to_host () from /opt/CA/SiteMinder/PolicyServer/lib/libldap60.so

#8  0xf607462c in nsldapi_new_connection () from /opt/CA/SiteMinder/PolicyServer/lib/libldap60.so

#9  0xf60702e6 in nsldapi_open_ldap_defconn () from /opt/CA/SiteMinder/PolicyServer/lib/libldap60.so

#10 0xf607507c in nsldapi_send_server_request () from /opt/CA/SiteMinder/PolicyServer/lib/libldap60.so

#11 0xf607584f in nsldapi_send_initial_request () from /opt/CA/SiteMinder/PolicyServer/lib/libldap60.so

#12 0xf6079474 in ldap_simple_bind () from /opt/CA/SiteMinder/PolicyServer/lib/libldap60.so

#13 0xc89b82f0 in CSmDsLdapFunctionImpl::LdapBind(ldap*, char const*, char const*, int) () from /opt/CA/SiteMinder/PolicyServer/lib/libsmdsldap.so

#14 0xc89b5467 in CSmDsLdapFunctionImpl::BindServer(int&, CString&, CSmLDAPConn*&, CString const&, CString const&, CString const&, bool, bool, int, int, CSmLdapServers*, int&, bool) () from /opt/CA/SiteMinder/PolicyServer/lib/libsmdsldap.so

#15 0xc89ade8c in CSmDsLdapFunctionImpl::GetConHandle(CSmDsProviderInstance*, char const*, int, bool, bool, bool) () from /opt/CA/SiteMinder/PolicyServer/lib/libsmdsldap.so

#16 0xc89ba376 in CSmDsLdapFunctionImpl::SearchExts(CSmDsProviderInstance*, CSmLDAPConn*&, char const*, int, char const*, char**, int, ldapcontrol**, ldapcontrol**, timeval*, int, CArray<ldapmsg*, ldapmsg*>&, int, bool, bool, int (*)(char const*, CSmDsLdapError const&)) () from /opt/CA/SiteMinder/PolicyServer/lib/libsmdsldap.so

#17 0xc898d952 in CSmDsLdapProvider::SearchExts(CSmDsProviderInstance*, CSmLDAPConn*&, char const*, int, char const*, char**, int, ldapcontrol**, ldapcontrol**, timeval*, int, CArray<ldapmsg*, ldapmsg*>&, int, bool) () from /opt/CA/SiteMinder/PolicyServer/lib/libsmdsldap.so

#18 0xc8970759 in CSmDsLdapProvider::SearchImpl(CSmDsProviderInstance*, CStringArray&, CStringArray*, CArray<int, int>*, CArray<CSmDsAttrs, CSmDsAttrs&>*, CStringArray const*, CString const&, CString const&, CSmDsCursor*, Sm_PolicyResolution_t, int, int, int, bool) () from /opt/CA/SiteMinder/PolicyServer/lib/libsmdsldap.so

#19 0xc896f05b in CSmDsLdapProvider::Search(CSmDsProviderInstance*, CStringArray&, CStringArray*, CArray<int, int>*, CArray<CSmDsAttrs, CSmDsAttrs&>*, CStringArray const*, CString const&, CString const&, CSmDsCursor*, Sm_PolicyResolution_t, int, int, int) () from /opt/CA/SiteMinder/PolicyServer/lib/libsmdsldap.so

#20 0xf63d7fe7 in CSmDsDir::Search(CStringArray&, CStringArray*, CArray<int, int>*, CArray<CSmDsAttrs, CSmDsAttrs&>*, CStringArray const*, CString const&, CString const&, CSmDsCursor*, Sm_PolicyResolution_t, int, int, int) () from /opt/CA/SiteMinder/PolicyServer/lib/libsmds.so

#21 0xf63d721b in CSmDsDir::GetUserDNlist(CString const&, CStringArray&, bool&, CStringArray const&, CArray<CSmDsAttrs, CSmDsAttrs&>&, bool) () from /opt/CA/SiteMinder/PolicyServer/lib/libsmds.so

#22 0xf6510307 in CSmAuthUser::AuthenticateUserDir(CSmObjUserDirectory const&, CSmObjScheme const&, Sm_Api_Reason_t, Sm_AuthApi_UserCredentials_t&, CSmDsDir*&, CSmDsUser*&, Sm_AuthApi_Status_t&, bool&, bool&, CString&, CString&, CString&, CString&) () from /opt/CA/SiteMinder/PolicyServer/lib/libsmauth.so

#23 0x080cf5bb in CSm_Auth_Message::AuthenticateUser() ()

#24 0x080671e2 in CSm_Auth_Message::ProcessAgentMessage() ()

#25 0x080c460e in CSm_Auth_Message::ProcessMessage() ()

#26 0x081470e1 in CSmPolicyServer::vOnRequest(CClientSession const*, CString const&, unsigned int, CSmAgentTliPacket&, CSmAgentTliPacket&, int) ()

#27 0xf7ded01c in CServer::ProcessRequest(CClientSession*, CString const&, unsigned int, CSmAgentTliPacket&, CSmAgentTliPacket&, int) () from /opt/CA/SiteMinder/PolicyServer/lib/libsmutilities.so

#28 0xf7dc739c in CAgentMessageHandler::DoWork(unsigned char*, unsigned char*, int) () from /opt/CA/SiteMinder/PolicyServer/lib/libsmutilities.so

#29 0xf7dbe3ee in ThreadPool::Run(bool) () from /opt/CA/SiteMinder/PolicyServer/lib/libsmutilities.so

#30 0xf7e6f096 in ThreadPoolBase::ThreadProc(void*) () from /opt/CA/SiteMinder/PolicyServer/lib/libsmutilities.so

#31 0xf7cc8f29 in BtThreadBase(ThreadArgs*) () from /opt/CA/SiteMinder/PolicyServer/lib/libsmcommonutil.so

#32 0x00cd5912 in start_thread () from /lib/libpthread.so.0

#33 0x00c474ae in clone () from /lib/libc.so.6

 

Thread 2 (Thread 0xdb014b90 (LWP 17153)):

#0  0xffffe410 in __kernel_vsyscall ()

#1  0x00cdc839 in __lll_lock_wait () from /lib/libpthread.so.0

#2  0x00cd7e9f in _L_lock_885 () from /lib/libpthread.so.0

#3  0x00cd7d66 in pthread_mutex_lock () from /lib/libpthread.so.0

#4  0xf7cc69f3 in EnterCriticalSection(_critsection*) () from /opt/CA/SiteMinder/PolicyServer/lib/libsmcommonutil.so

#5  0xc8969b27 in CSmDsLdapProvider::InitDir(CSmDsProviderInstance*&, Sm_Api_AppSpecificContext_t const*, CString const&, CString const&, CString const&, CString const&, CString const&, CString const&, bool, bool, int, int, int, CString const&) () from /opt/CA/SiteMinder/PolicyServer/lib/libsmdsldap.so

#6  0xf63d0abf in CSmDsDir::CSmDsDir(CSmObjUserDirectory const&, Sm_Api_AppSpecificContext_t const*) () from /opt/CA/SiteMinder/PolicyServer/lib/libsmds.so

#7  0xf485b9ad in CSmAzMapping::GetAzUser(Sm_Api_UserContext_t*, CSmAuthSession const&, CSmObjRealm const&, int&) () from /opt/CA/SiteMinder/PolicyServer/lib/libsmazuser.so

#8  0x0808e2cf in CSm_Az_Message::InitAuthUser(CSmAuthSession const&, CSmObjRealm const&, int&, bool*) ()

#9  0x08088791 in CSm_Az_Message::IsAuthorized() ()

#10 0x080b3508 in CSm_Az_Message::ProcessMessage() ()

#11 0x081470e1 in CSmPolicyServer::vOnRequest(CClientSession const*, CString const&, unsigned int, CSmAgentTliPacket&, CSmAgentTliPacket&, int) ()

#12 0xf7ded01c in CServer::ProcessRequest(CClientSession*, CString const&, unsigned int, CSmAgentTliPacket&, CSmAgentTliPacket&, int) () from /opt/CA/SiteMinder/PolicyServer/lib/libsmutilities.so

#13 0xf7dc739c in CAgentMessageHandler::DoWork(unsigned char*, unsigned char*, int) () from /opt/CA/SiteMinder/PolicyServer/lib/libsmutilities.so

#14 0xf7dbe3ee in ThreadPool::Run(bool) () from /opt/CA/SiteMinder/PolicyServer/lib/libsmutilities.so

#15 0xf7e6f096 in ThreadPoolBase::ThreadProc(void*) () from /opt/CA/SiteMinder/PolicyServer/lib/libsmutilities.so

#16 0xf7cc8f29 in BtThreadBase(ThreadArgs*) () from /opt/CA/SiteMinder/PolicyServer/lib/libsmcommonutil.so

#17 0x00cd5912 in start_thread () from /lib/libpthread.so.0

#18 0x00c474ae in clone () from /lib/libc.so.6

 

As you can see above, Thread 1 is doing an LDAP bind operation and is waiting for the LDAP response. Because of this, Thread 2, which is trying to initialize the directory (initialization of the directory involves an LDAP bind to that directory), is stuck waiting for Thread 1 to complete.
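A triage helper for the check described above, as an added example that is not part of the original post or of CA's tooling: it parses pstack output and separates the thread inside the LDAP bind from the threads queued on the lock. The sample capture is constructed from the frames shown above with argument lists shortened (Thread 3 is an invented idle worker), and the names `parse_pstack` and `triage` are this example's own.

```python
import re

THREAD_RE = re.compile(r"^Thread\s+(\d+)\s+\(Thread\s+0x[0-9a-fA-F]+\s+\(LWP\s+(\d+)\)\):")
FRAME_RE = re.compile(r"^#\d+\s+0x[0-9a-fA-F]+\s+in\s+(.+?)\s*\(")
LOCK_WAIT = {"__lll_lock_wait", "pthread_mutex_lock"}
LDAP_BIND = {"ldap_simple_bind", "CSmDsLdapFunctionImpl::LdapBind"}

# Constructed sample: frames trimmed from the capture above; Thread 3 is invented.
SAMPLE = """
Thread 1 (Thread 0xe6e27b90 (LWP 17007)):
#0  0xffffe410 in __kernel_vsyscall ()
#1  0x00c3d6c3 in poll () from /lib/libc.so.6
#4  0xf5f0e869 in PR_Connect () from /opt/CA/SiteMinder/PolicyServer/lib/libnspr4.so
#12 0xf6079474 in ldap_simple_bind () from /opt/CA/SiteMinder/PolicyServer/lib/libldap60.so
#13 0xc89b82f0 in CSmDsLdapFunctionImpl::LdapBind(ldap*, char const*, int) () from /opt/CA/SiteMinder/PolicyServer/lib/libsmdsldap.so

Thread 2 (Thread 0xdb014b90 (LWP 17153)):
#0  0xffffe410 in __kernel_vsyscall ()
#1  0x00cdc839 in __lll_lock_wait () from /lib/libpthread.so.0
#3  0x00cd7d66 in pthread_mutex_lock () from /lib/libpthread.so.0
#4  0xf7cc69f3 in EnterCriticalSection(_critsection*) () from /opt/CA/SiteMinder/PolicyServer/lib/libsmcommonutil.so
#5  0xc8969b27 in CSmDsLdapProvider::InitDir(CSmDsProviderInstance*&, CString const&) () from /opt/CA/SiteMinder/PolicyServer/lib/libsmdsldap.so

Thread 3 (Thread 0xdaf13b90 (LWP 17154)):
#0  0xffffe410 in __kernel_vsyscall ()
#1  0x00cd9a5c in pthread_cond_wait () from /lib/libpthread.so.0
#2  0xf7dbe3ee in ThreadPool::Run(bool) () from /opt/CA/SiteMinder/PolicyServer/lib/libsmutilities.so
"""

def parse_pstack(text):
    """Return {thread_no: {"lwp": int, "frames": [names, innermost first]}}."""
    threads, current = {}, None
    for line in text.splitlines():
        line = line.strip()              # blank lines between frames are tolerated
        m = THREAD_RE.match(line)
        if m:
            current = threads.setdefault(int(m.group(1)),
                                         {"lwp": int(m.group(2)), "frames": []})
            continue
        m = FRAME_RE.match(line)
        if m and current is not None:
            current["frames"].append(m.group(1))
    return threads

def triage(text):
    """Split threads into the LDAP binder(s), lock waiters and everything else."""
    report = {"binding": [], "lock_waiters": [], "other": []}
    for no, info in sorted(parse_pstack(text).items()):
        frames = info["frames"]
        if LOCK_WAIT & set(frames[:4]):
            # The frame just above EnterCriticalSection shows which code wants the lock.
            caller = "?"
            if "EnterCriticalSection" in frames[:-1]:
                caller = frames[frames.index("EnterCriticalSection") + 1]
            report["lock_waiters"].append((no, info["lwp"], caller))
        elif LDAP_BIND & set(frames):
            blocked_in = next((f for f in frames if f != "__kernel_vsyscall"), "?")
            report["binding"].append((no, info["lwp"], blocked_in))
        else:
            report["other"].append((no, info["lwp"]))
    # The condition in this post: a bind in flight while LDAP provider code waits on a lock.
    report["bind_lock_suspected"] = bool(report["binding"]) and any(
        caller.startswith("CSmDsLdap") for _, _, caller in report["lock_waiters"])
    return report

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Comparing the counts across several captures taken a few seconds apart shows whether the same thread stays in the bind while the list of lock waiters grows.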

 

Solution

The best solution is to find the root cause of the slow LDAP performance and fix it.

However, on the Policy Server side, you can configure various LDAP timeout settings so that the Policy Server does not wait indefinitely for an LDAP response.

http://www.ca.com/us/support/ca-support-online/product-content/knowledgebase-articles/tec1466133.aspx

 

References

http://www.ca.com/us/support/ca-support-online/product-content/knowledgebase-articles/tec1466133.aspx

CA Single Sign-On Tech Tip by Sau Lai Wong, Senior Support Engineer for 7th May 2016

 

INTRODUCTION:

With SiteMinder in the picture, when a user's account status invokes password services (native or SiteMinder password policy), the user is redirected to the smpwservices.fcc page by default.

 

QUESTION:

How can a user be redirected to a customized error page when password services is invoked?

 

Use case:

1) Siteminder Password Policy is disabled

2) Active Directory as user directory

3) Defined user directory with LDAP namespace in Siteminder

 

The user's account status (change password at next login, or user account is disabled) invokes password services, and the Policy Server redirects the user to the default password services page, smpwservices.fcc.

 

ENVIRONMENT:

Policy Server: R12.52 SP1 CR1

Webagent: R12.52 SP1 CR1 on IIS 7.5

 

ANSWER:

If Password Services is invoked and there is no SM password policy configured, set the environment variable NETE_PWSERVICES_REDIRECT on the Policy Server to a relative path for smpwservices.fcc or a relative path for a customized error page, e.g. /siteminderagent/forms/smpwservices.fcc. If the error page is hosted on a specific server, define the full URL, e.g. http://support.ca.com/index.asp.

The Policy Server redirects the user to the page defined by the NETE_PWSERVICES_REDIRECT environment variable if either of these criteria is met:

  • Redirect URL in SM password policy is blank OR
  • No SM password policy is defined

 

If SM password policy is configured, specify the error page at the Redirect URL column or clear the column if you want it to default to the value associated with NETE_PWSERVICES_REDIRECT environment variable.


 

NOTES:

If you have an SM password policy defined and you are relying on the NETE_PWSERVICES_REDIRECT environment variable, the Redirect URL needs to be cleared every time before you define or redefine the value of the NETE_PWSERVICES_REDIRECT environment variable.

Questions

  • How is SMSESSION cookie created?
  • What all information is contained in SMSESSION cookie?
  • If someone steals the SMSESSION cookie, will they be able to decrypt it and retrieve information from it?

 

Answers

 

How is SMSESSION cookie created?

To understand how the SMSESSION cookie is created, and by which component, we need to understand the user login flow. In the simplest scenario it goes as follows:

 

  1. The Agent collects the user’s credentials.
  2. The Agent sends the Login() request to the Policy Server passing the received credentials. The Policy Server verifies the credentials and creates a Session Spec that represents the newly created user session. Policy server encrypts the Session Spec using Session Ticket Key (Persistent Key). The encrypted Session Spec is then sent back to the Agent together with the Session ID and other session related parameters (idle timeout, expiration timeout, etc.).
  3. The Agent embeds the Session ID and the Session Spec in an encrypted SMSESSION cookie that is sent back to the user’s browser. This encryption is done using Agent Keys.
  4. The Agent also saves the Session ID and the Session Spec in its User Session Cache.
  5. Any time an authenticated user accesses the Web site, the browser submits the SMSESSION cookie together with the HTTP request.
  6. When the Agent receives the SMSESSION cookie, it decrypts the cookie using the Agent Keys, extracts the Session ID and the Session Spec, and checks them against the values stored in the User Session Cache. If the Agent cache doesn't contain a corresponding entry, the Agent uses the Validate() call to pass the Session ID and the Session Spec to the Policy Server for validation.
  7. Once Policy server receives the validation request from Web Agent, it decrypts the Session Spec using Session Ticket Key (Persistent Key) and then performs validation.
  8. If the validation succeeds, the Policy Server returns the updated Session Spec to the Agent. The Session ID is not modified in the course of validation.

 

What all information is contained in SMSESSION cookie?

SMSESSION contains the following information:

 

  • ATTR_USERDN. The user's distinguished name.
  • ATTR_SESSIONSPEC. The session specification returned from the login call.
  • ATTR_SESSIONID. The session ID returned from the login call.
  • ATTR_USERNAME. The user's name.
  • ATTR_CLIENTIP. The IP address of the machine where the user initiated a request for a protected resource.
  • ATTR_DEVICENAME. The name of the agent that is decoding the token.
  • ATTR_IDLESESSIONTIMEOUT. Maximum idle time for a session.
  • ATTR_MAXSESSIONTIMEOUT. Maximum time a session can be active.
  • ATTR_STARTSESSIONTIME. The time the session started after a successful login.
  • ATTR_LASTSESSIONTIME. The time that the Policy Server was last accessed within the session.

 

SESSIONSPEC can only be decrypted by the Policy Server. It in turn contains the following information:

 

  • SessionVersion
  • SessionStartTime
  • SessionLastTime
  • SessionMaxTimeout
  • SessionIdleTimeout
  • SessionLevel
  • SessionId
  • SessionIp
  • SessionDn
  • SessionDirOid
  • SessionDirName
  • SessionUnivId
  • SessionType
  • SessionAnonymous
  • SessionImpersonatorName
  • SessionLoginName
  • SessionPersistent
  • SessionDrift
  • SessionImpersonatorDirName
  • SessionAuthContext

 

If someone steals the SMSESSION cookie, will they be able to decrypt it and retrieve information from it?

No. Only a SiteMinder agent can decrypt the SMSESSION cookie, because it is encrypted with the Agent Keys.
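A model of the login and validation flow (steps 1 to 8) and of the two encryption layers described in the answers above, as an added example that is not SiteMinder code. The cookie layout, the class and function names, the user store and the HMAC-based `seal`/`unseal` stand-in cipher are all assumptions of this example; timeouts are not modelled.

```python
import hashlib, hmac, json, os

def _xor(key, nonce, data):   # HMAC-SHA256 in counter mode used as a keystream
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, data):          # stand-in authenticated encryption, NOT SiteMinder's cipher
    ek, mk = (hmac.new(key, label, hashlib.sha256).digest() for label in (b"enc", b"mac"))
    nonce = os.urandom(16)
    body = nonce + _xor(ek, nonce, data)
    return body + hmac.new(mk, body, hashlib.sha256).digest()

def unseal(key, blob):
    ek, mk = (hmac.new(key, label, hashlib.sha256).digest() for label in (b"enc", b"mac"))
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mk, body, hashlib.sha256).digest()):
        raise ValueError("wrong key or modified data")
    return _xor(ek, body[:16], body[16:])

class PolicyServer:
    def __init__(self):
        self.ticket_key = os.urandom(32)        # Session Ticket Key, held only here
        self.users = {"alice": "s3cret-pass"}   # constructed user store

    def login(self, user, password, now):       # step 2
        known = self.users.get(user)
        if known is None or not hmac.compare_digest(known.encode(), password.encode()):
            raise PermissionError("bad credentials")
        spec = {"SessionId": os.urandom(8).hex(), "SessionLoginName": user, "SessionLastTime": now}
        return spec["SessionId"], seal(self.ticket_key, json.dumps(spec).encode())

    def validate(self, sid, sealed_spec, now):  # steps 7-8
        spec = json.loads(unseal(self.ticket_key, sealed_spec))
        if spec["SessionId"] != sid:
            raise ValueError("Session ID does not match Session Spec")
        # Updated Session Spec; the Session ID is not modified.
        return seal(self.ticket_key, json.dumps({**spec, "SessionLastTime": now}).encode())

class Agent:
    def __init__(self, policy_server, agent_key):
        self.ps, self.key, self.cache = policy_server, agent_key, {}

    def _cookie(self, sid, spec):               # step 3: sealed with the Agent Key
        return seal(self.key, json.dumps({"sid": sid, "spec": spec.hex()}).encode())

    def login(self, user, password, now):       # steps 1-4
        sid, spec = self.ps.login(user, password, now)
        self.cache[sid] = spec
        return self._cookie(sid, spec)

    def request(self, cookie, now):             # steps 5-8
        inner = json.loads(unseal(self.key, cookie))
        sid, spec = inner["sid"], bytes.fromhex(inner["spec"])
        if self.cache.get(sid) == spec:
            return "cache-hit", cookie
        self.cache[sid] = spec = self.ps.validate(sid, spec, now)
        return "validated", self._cookie(sid, spec)

def demo():
    ps = PolicyServer()
    agent, other = Agent(ps, os.urandom(32)), Agent(ps, os.urandom(32))
    cookie = agent.login("alice", "s3cret-pass", now=1000)
    hit = agent.request(cookie, now=1010)[0]
    agent.cache.clear()                         # no cache entry -> Validate() round trip
    validated = agent.request(cookie, now=1020)[0]
    try:
        other.request(cookie, now=1030)         # holder of a different Agent Key
    except ValueError as exc:
        return hit, validated, str(exc)
```

In this model the Agent carries the Session Spec as an opaque blob: calling `unseal` on it with the Agent Key fails in the same way as opening the cookie with the wrong Agent Key.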

To track the activity between a program such as the Policy Server or Web Agent and the OS (such as Unix or AIX), you can start the Policy Server under truss and redirect the output into a file:

# cd /opt/CA/siteminder/bin
# truss -adefl -o output.txt smpolicysrv

The output.txt file will contain all interaction between the Policy Server process and the OS.