Rick_Siek

Tips on Reading Policy Server Trace Log Files

Blog Post created by Rick_Siek Employee on Dec 11, 2017

Recommended smtracedefault.txt settings for debugging policy evaluation:

components: IsProtected, Login_Logout, IsAuthorized

data: Date, PreciseTime, Tid, Realm, Rule, Policy, AuthStatus, AuthReason, AuthScheme, User, Action, Resource, Directory, ErrorValue, ErrorString, AgentName, Message, Data

With that data line, each entry in smtracedefault.log is written as one bracket-delimited field per column, in the order given. The first two lines of the log are the column header and its underline:

[Date][PreciseTime][Tid][Realm][Rule][Policy][AuthStatus][AuthReason][AuthScheme][User][Action][Resource][Directory][ErrorValue][ErrorString][AgentName][Message][Data]
[====][===========][===][=====][====][======][==========][==========][==========][====][======][========][=========][==========][===========][=========][=======][====]

 

Tips when reviewing the smtracedefault.log file:

Each policy server transaction begins with a set of entries containing the text “Receive request attribute” and ends with a set containing “Send response attribute”. The attribute number appears in the Message field and its value in the Data field, for example:

[Receive request attribute 200], as in [09/15/2011][17:09:17.059][5232][][][][][][][][][][][][][apiagent][Receive request attribute 200, data size is 8][apiagent]

[Send response attribute 204], as in [09/15/2011][17:09:17.059][5232][Content1][][][][][][][][][][][][apiagent][Send response attribute 204, data size is 39][06-c040c8c0-ca61-420f-a44a-9aae058597b3]

 

The type of the value in the Data field is given by the number (200, 204, etc.) following the words “Receive request attribute” or “Send response attribute”. The attribute numbers and the data they identify are:

151 Auth Dir OID

152 User Universal ID

154 Start Session Time

155 Last Session Time

156 Identity Spec

200 DeviceName(AgentName)

201 Resource

202 Action

203 RealmName

204 RealmOid

205 SessionID

206 CertBinary

207 CertUserDN

208 ClientIP

209 SessionSpec

210 UserName

211 UserPassword

212 Reason

213 AuthDirName

214 AuthDirServer

215 AuthDirNameSpace

216 UserMsg

217 Server

218 UserDN

219 RealmCredentials

220 FormLocation

221 CertIssuerDN

224 Active Response return value

225 IdleSessionTimeout

226 MaxSessionTimeout

227 DeniedRedirect

228 DeniedText

229 AcceptRedirect

230 AcceptText

 

So 200 means that the agent name follows in the Data field of that line, and 204 means that the realm OID follows in the Data field.

The way to follow a transaction is to follow the thread ID (the Tid field), because entries from transactions running concurrently on different threads are interleaved in the file. Tech support has a tool for breaking up a log file into multiple files, one for each thread.

 

The end of each isProtected, authentication and authorization transaction is marked by an entry containing the string “** Status:”, so searching on “** Status:” is a good way to skip down through the trace/profile log looking for particular types of transactions. After the colon is a keyword indicating the type of transaction (isProtected, Login/Authentication, Validation, Authorization) and whether it succeeded or failed, or, in the case of isProtected, whether the resource is protected or not protected.

 

Transactions start with a series of “Receive request attribute ...” lines, and a series of “Send response attribute ...” lines immediately precedes the “** Status: ...” line at the end of the transaction.
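To make the thread-splitting and transaction-bracketing described above concrete, here is an added Python example; it is not part of the original post and is not the tech support tool mentioned above. It parses trace lines laid out per the data line given at the top of this post, groups them by Tid, cuts each thread into transactions running from the first “Receive request attribute” line to the “** Status:” line, and decodes the attribute numbers using the list above. The sample log lines are constructed for the demo; the wording after “** Status:” in them is illustrative, and the redaction of password and session attributes in the summary is a precaution added here, not policy server behaviour.

```python
import re
from collections import defaultdict

# Column order from the "data:" line of the recommended smtracedefault.txt above.
FIELDS = ["Date", "PreciseTime", "Tid", "Realm", "Rule", "Policy", "AuthStatus",
          "AuthReason", "AuthScheme", "User", "Action", "Resource", "Directory",
          "ErrorValue", "ErrorString", "AgentName", "Message", "Data"]

# Attribute numbers from the list above: the number in "Receive request attribute N"
# or "Send response attribute N" says what the Data field of that line holds.
ATTR_NAMES = {
    151: "Auth Dir OID", 152: "User Universal ID", 154: "Start Session Time",
    155: "Last Session Time", 156: "Identity Spec", 200: "DeviceName(AgentName)",
    201: "Resource", 202: "Action", 203: "RealmName", 204: "RealmOid", 205: "SessionID",
    206: "CertBinary", 207: "CertUserDN", 208: "ClientIP", 209: "SessionSpec",
    210: "UserName", 211: "UserPassword", 212: "Reason", 213: "AuthDirName",
    214: "AuthDirServer", 215: "AuthDirNameSpace", 216: "UserMsg", 217: "Server",
    218: "UserDN", 219: "RealmCredentials", 220: "FormLocation", 221: "CertIssuerDN",
    224: "Active Response return value", 225: "IdleSessionTimeout",
    226: "MaxSessionTimeout", 227: "DeniedRedirect", 228: "DeniedText",
    229: "AcceptRedirect", 230: "AcceptText",
}
# Attributes whose Data is a credential or session secret; the summary redacts them.
# This is a precaution chosen for this example, not something the policy server does.
SENSITIVE = {"UserPassword", "SessionID", "SessionSpec", "CertBinary", "RealmCredentials"}

ATTR_RE = re.compile(r"(Receive request|Send response) attribute (\d+)")
STATUS_MARK = "** Status:"


def parse_line(line):
    """Split one bracket-delimited trace line into a dict keyed by FIELDS.
    Data is the last column and may itself contain "][", so surplus pieces are
    folded back into it instead of shifting the columns. The header and its
    "[====]" underline, and any non-bracketed text, return None."""
    line = line.rstrip("\r\n")
    if not (line.startswith("[") and line.endswith("]")):
        return None
    parts = line[1:-1].split("][")
    if len(parts) < len(FIELDS) or parts[0] == "Date" or parts[0].startswith("="):
        return None
    n = len(FIELDS) - 1
    return dict(zip(FIELDS, parts[:n] + ["][".join(parts[n:])]))


def split_by_thread(lines):
    """Group parsed records by Tid, keeping file order within each thread
    (the same idea as splitting the log into one file per thread)."""
    threads = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            threads[rec["Tid"]].append(rec)
    return threads


def transactions(records):
    """Walk one thread's records and yield each transaction: from its first
    'Receive request attribute' line up to and including the '** Status:' line."""
    cur = None
    for rec in records:
        msg = rec["Message"]
        if cur is None and msg.startswith("Receive request attribute"):
            cur = {"tid": rec["Tid"], "start": rec["PreciseTime"], "agent": rec["AgentName"],
                   "realm": "", "request": {}, "response": {}, "status": None, "end": None}
        if cur is None:
            continue
        cur["realm"] = rec["Realm"] or cur["realm"]
        m = ATTR_RE.match(msg)
        if m:
            name = ATTR_NAMES.get(int(m.group(2)), "attr%s" % m.group(2))
            bucket = cur["request"] if m.group(1) == "Receive request" else cur["response"]
            bucket[name] = "<redacted>" if name in SENSITIVE else rec["Data"]
        elif STATUS_MARK in msg:
            cur["status"] = msg.split(STATUS_MARK, 1)[1].strip()
            cur["end"] = rec["PreciseTime"]
            yield cur
            cur = None
    if cur is not None:
        yield cur  # log ended mid-transaction (e.g. a dump taken while it was running)


def summarize(lines):
    """Return {tid: [transaction, ...]} for every thread in the log."""
    return {tid: list(transactions(recs)) for tid, recs in split_by_thread(lines).items()}


def _trace_line(time, tid, realm, message, data, agent="apiagent"):
    """Build one constructed 18-column trace line for the demo (not a real capture)."""
    vals = {"Date": "09/15/2011", "PreciseTime": time, "Tid": tid, "Realm": realm,
            "AgentName": agent, "Message": message, "Data": data}
    return "".join("[%s]" % vals.get(f, "") for f in FIELDS)


# Constructed sample: the header pair, then an isProtected call on thread 5232
# interleaved with a failed login on thread 6100. Status wording is illustrative.
SAMPLE_LOG = [
    "".join("[%s]" % f for f in FIELDS),
    "".join("[%s]" % ("=" * len(f)) for f in FIELDS),
    _trace_line("17:09:17.059", "5232", "", "Receive request attribute 200, data size is 8", "apiagent"),
    _trace_line("17:09:17.059", "5232", "", "Receive request attribute 201, data size is 17", "/protected/app.do"),
    _trace_line("17:09:17.060", "6100", "", "Receive request attribute 200, data size is 8", "apiagent"),
    _trace_line("17:09:17.060", "6100", "", "Receive request attribute 210, data size is 4", "jdoe"),
    _trace_line("17:09:17.060", "6100", "", "Receive request attribute 211, data size is 8", "hunter2!"),
    _trace_line("17:09:17.061", "5232", "Content1", "Send response attribute 204, data size is 39",
                "06-c040c8c0-ca61-420f-a44a-9aae058597b3"),
    _trace_line("17:09:17.061", "5232", "Content1", "** Status: isProtected: Resource is protected", ""),
    _trace_line("17:09:17.072", "6100", "Content1", "Send response attribute 212, data size is 2", "49"),
    _trace_line("17:09:17.072", "6100", "Content1", "** Status: Login Failed", ""),
]

if __name__ == "__main__":
    for tid, txns in summarize(SAMPLE_LOG).items():
        for t in txns:
            print("Tid %s %s-%s realm=%s status=%s" % (tid, t["start"], t["end"], t["realm"], t["status"]))
            print("   request:  %s" % t["request"])
            print("   response: %s" % t["response"])
```

To use it on a real file, replace SAMPLE_LOG with `open("smtracedefault.log")` and, if you configured a different data line, change FIELDS to match it in the same order; the parser relies on column position, not on column names.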

 

Note that in recent versions of CA SSO the policy server maintains an in-memory trace log of the most recent trace log entries. The in-memory data can be dumped to a file at any time with the command:

     smpolicysrv -dumptrace

This is very useful in production environments, where turning on normal smtracedefault.log tracing would have too great a performance impact to be allowed. Because the Data field can carry attributes such as UserPassword (211) and SessionSpec (209), treat both the trace log and any dumped file as sensitive and restrict who can read them. Documentation on this can be found in the docops.ca.com online documentation by searching for “in-memory trace”.
