Smtracedefault.txt recommended settings for debugging policies:
components: IsProtected, Login_Logout, IsAuthorized
data: Date, PreciseTime, Tid, Realm, Rule, Policy, AuthStatus, AuthReason, AuthScheme, User, Action, Resource, Directory, ErrorValue, ErrorString, AgentName, Message, Data
[Date][PreciseTime][Tid][Realm][Rule][Policy][AuthStatus][AuthReason][AuthScheme][User][Action][Resource][Directory][ErrorValue][ErrorString][AgentName][Message][Data]
[====][===========][===][=====][====][======][==========][==========][==========][====][======][========][=========][==========][===========][=========][=======][====
Tips when reviewing the smtracedefault.log file:
Each policy server transaction begins with a set of entries that include the text “Receive request attribute”, as in the examples here:
[Receive request attribute 200] as in [09/15/2011][17:09:17.059][apiagent][Receive request attribute 200, data size is 8][apiagent]
[Send response attribute 204] as in [09/15/2011][17:09:17.059][Content1][apiagent][Send response attribute 204, data size is 39][06-c040c8c0-ca61-420f-a44a-9aae058597b3]
The type of the value in the data field is given by the number (200, 204, etc.) following the words “Receive request attribute”. The following is a list of the types of data displayed:
151 Auth Dir OID
152 User Universal ID
154 Start Session Time
155 Last Session Time
156 Identity Spec
224 Active Response return value
So 200 means that the name of the agent will follow on the line, and 204 means that the realm OID will follow on the line.
The way to follow a transaction is to follow the thread ID. Tech support has a tool for breaking up a log file into multiple files, one for each thread.
The end of each isProtected, authentication and authorization transaction is marked by an entry containing the string “** Status:”, so searching on ** Status is a good way to skip down through the trace/profile log looking for particular types of transactions. After the colon is a keyword indicating the type of transaction (isProtected, Login/Authentication, Validation, Authorization) and whether it succeeded or failed or, in the case of isProtected, whether the resource is protected or not protected.
Transactions start with a series of “Receive request attribute..” lines, and a series of “Send response attribute” lines immediately precedes the “** Status: …” line at the end of the transaction.
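One way to apply the thread-ID and “** Status:” tips above to a saved trace file, as an added example that is not part of the original page and not a CA tool. It reads the header row to find the Tid and Message columns, so it works with any set of data fields. The reduced five-column header, the thread IDs, the status keywords and the data values in the sample are constructed for illustration.

```python
import re
from collections import defaultdict

FIELD = re.compile(r"\[([^\]]*)\]")   # one bracketed trace field

# Constructed sample: header row, separator row, two interleaved threads.
SAMPLE = """\
[Date][PreciseTime][Tid][Message][Data]
[====][===========][===][=======][====]
[09/15/2011][17:09:17.059][1001][Receive request attribute 200, data size is 8][apiagent]
[09/15/2011][17:09:17.060][1002][Receive request attribute 200, data size is 8][apiagent]
[09/15/2011][17:09:17.061][1001][Send response attribute 204, data size is 39][06-realm-oid-placeholder]
[09/15/2011][17:09:17.062][1001][** Status: Protected.][]
[09/15/2011][17:09:17.063][1002][** Status: Not Authenticated.][]
[09/15/2011][17:09:17.064][1001][Receive request attribute 200, data size is 8][apiagent]
"""

def parse_trace(text):
    """Group entries by thread ID and close a transaction at each '** Status:'.

    Returns (completed, still_open): completed is a list of transactions in
    the order their status lines appear; still_open maps Tid to entries that
    have not yet reached a status line (for example, a truncated log).
    """
    columns = None
    pending = defaultdict(list)
    completed = []
    for line in text.splitlines():
        fields = FIELD.findall(line)
        if not fields:
            continue
        if columns is None:                      # first bracketed line is the header
            columns = {name: i for i, name in enumerate(fields)}
            continue
        if len(fields) != len(columns) or set(fields[0]) == {"="}:
            continue                             # separator row or malformed line
        tid = fields[columns["Tid"]]
        message = fields[columns["Message"]]
        pending[tid].append(dict(zip(columns, fields)))
        if "** Status:" in message:              # end-of-transaction marker
            status = message.split("** Status:", 1)[1].strip()
            completed.append({"tid": tid, "status": status,
                              "entries": pending.pop(tid)})
    return completed, dict(pending)

if __name__ == "__main__":
    done, still_open = parse_trace(SAMPLE)
    for t in done:
        print(t["tid"], t["status"], len(t["entries"]), "entries")
    print("unfinished threads:", sorted(still_open))
```

Filtering the completed list on the status keyword gives the same result as searching for ** Status by hand, with each transaction's interleaved lines already collected under its thread.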
Note that in the latest versions of CA SSO the policy server maintains an in-memory trace log of the most recent trace log entries. The in-memory data can be dumped to a file at any time via the command line command:
This is very useful in production environments where turning on the normal smtracedefault.log file tracing is too great a performance impact to be allowed. Documentation on this can be found in the docops.ca.com online documentation by searching for in-memory trace.