SungHoon_Kim

Configuring SNMP Agent for CA Single Sign-On

Blog Post created by SungHoon_Kim Employee on Jan 15, 2016

Title:

    - Configuring SNMP Agent for CA Single Sign-On

 

Description:

    - You have an SNMP-based monitoring tool and would like to poll the CA Single Sign-On Policy Server to get statistics.

    - You have an SNMP-based monitoring tool and would like the Policy Server to send trap messages to this tool for critical events.

 

 

Introduction / Summary: 

The CA Single Sign-On Policy Server bundles an SNMP Sub-Agent that can be configured during installation.

By enabling this SNMP Sub-Agent, you can poll the Policy Server status and collect information.

Also, for critical events such as a startup failure, it can send an SNMP trap message to a monitoring server such as "CA Services Operations Insight" (aka SOI) in order to page the systems administrators or trigger an automated recovery scenario.

 

Instructions:

It has the following prerequisites:

1. The SNMP Master Agent must be installed (this is provided by the OS)

2. The SNMP Master Agent is configured (ensure the community and SNMP server are defined)

3. The SNMP port (UDP 161) must be open

4. UDP 8001 is not occupied by another service

 

Install Master SNMP Agent (This sample is based on the Windows platform; conceptually, Unix will be the same)

 

Load "Server Manager" and go to "Features".

Click on "Add Features" and select "SNMP Services" and install.

This will install "SNMP Service".

Double-click the "SNMP Service" and configure the "Traps" and "Security" tabs.

The trap destination should be the monitoring server. In this case, it is the "testmc1" machine.

The community is set to public, but if you want to use a different community string, you will need to ensure that the same community is used in the other configurations too.

 

 

Install SNMP Sub-Agent

 

This can be done during installation or you will have to run the Policy Server Configuration Wizard again to set it up.

Select the "SNMP" option.

 

SNMP Sub-Agent Service

 

Ensure the "Netegrity SNMP agent" service is running.

This is the SNMP Sub-Agent and the service executable should be pointing to C:\Windows\JavaService.exe

The default configuration will work.

Configuration for this service is stored in C:\Windows\Java_Service.ini file.

You will notice this executable is just a wrapper for java and it actually will run "javaw.exe".

 

Optional:

If you want to differentiate this from other Java processes running on your Windows server, you can copy the "javaw.exe" file to another name such as "subsnmp.exe" and update the "JRE_PATH" parameter in the Java_Service.ini file so that it points to subsnmp.exe.

 

 

 

Test with SNMP Walker utility

 

Navigate to "C:\Program Files (x86)\CA\siteminder\bin" and run "SnmpWalkRun.bat".

Then in the "OID" type "products" (or select an entry from dropdown menu) and click on "Walk".

If it is configured correctly, you should see the following. (Ignore the popup message about "End of MIB")

In this case, you can see that the port used was "161" which is going through the OS's master SNMP agent.

If you want to test the "Netegrity SNMP Agent" directly, change the port to "8001" and try.

Configuration is in "C:\Program Files (x86)\CA\siteminder\config\snmp.conf" file.

Update the file as below.

 

LOG_FILE=C:\Program Files (x86)\CA\siteminder\log\SNMP.log

TRAP_RECEIVER(Y/N)=Y

 

Adding Event Handler

 

As instructed by the Policy Server Configuration Wizard, you must add the event handler.

 

  Follow these steps:

  1. Open a command line on the Policy Server, and enter the following command: xpsconfig (The tool starts and displays the name of the log file for this session, and a menu of choices opens.)
  2. Enter the following: xps (A list of options appears.)
  3. Enter the following: 5 (AuditSMHandlers). The settings for the event handler libraries appear.
  4. Type C, and then enter the path and file name of the event handler library ("C:\Program Files (x86)\CA\siteminder\bin\eventsnmp.dll"). The settings for the event handler libraries appear. The value you added is shown at the bottom of the settings as a "pending value."
  5. Enter Q and [ENTER] three times to end your XPS session.
  6. The Policy Server needs to be restarted.

 

In the smps.log, you should find the following entry.

 

     [5032/5036][Thu Nov 05 2015 15:47:20][SmEventWedge.cpp:321][LateInit][INFO][sm-xpsxps-06860] Event handler library loaded: "C:\Program Files (x86)\CA\siteminder\bin\eventsnmp.dll"

SNMP Trap configuration

 

For SNMP trap messages, modify the "C:\Program Files (x86)\CA\siteminder\config\snmptrap.conf" file as below.

In the above sample, there are 3 fields.

1. Trap Event

2. Trap destination

3. Community

 

For trap events, you can select which events send a trap message. The above sample shows all events enabled.

For the trap destination, the above sample shows traps being sent to "testmc1" on port 162.

If you are using the default port, you can specify the host/IP only and it will work.

If you want to send to multiple destinations, separate them with commas, with no spaces after the comma.

For example, "testmc1:162,testmc2:162".

For the community, you need to ensure that the Policy Server and the monitoring server use the same community string for this monitoring.
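A pre-restart check for the destination field, written as an added example (it is not part of the original post or of the product). It applies the rules stated above: comma-separated entries, no spaces around the comma, and port 162 when none is given. The function name and the host pattern (DNS names or IPv4 only) are assumptions.

```python
import re

DEFAULT_TRAP_PORT = 162  # standard SNMP trap port, used when no port is given

# Assumption: hosts are DNS names or IPv4 addresses (no IPv6 literals).
_HOST = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$")
_PORT = re.compile(r"^[0-9]{1,5}$")


def parse_destinations(field):
    """Return ([(host, port), ...], [problem, ...]) for a destination field."""
    dests, problems = [], []
    for raw in field.split(","):
        entry = raw.strip()
        if raw != entry:
            # The post says: separate by comma, no spaces after the comma.
            problems.append(f"whitespace around {entry!r}")
        if not entry:
            problems.append("empty destination (stray comma)")
            continue
        host, sep, port_text = entry.partition(":")
        port = DEFAULT_TRAP_PORT
        if sep:
            if not _PORT.match(port_text) or not 1 <= int(port_text) <= 65535:
                problems.append(f"bad port in {entry!r}")
                continue
            port = int(port_text)
        if not _HOST.match(host):
            problems.append(f"bad host in {entry!r}")
            continue
        dests.append((host, port))
    return dests, problems


if __name__ == "__main__":
    # Constructed inputs: the post's example, then the same with a stray space.
    for field in ("testmc1:162,testmc2:162", "testmc1:162, testmc2:162"):
        print(repr(field), parse_destinations(field))
```

Since a Policy Server restart is needed after each change to this file, checking the field beforehand avoids a restart spent on a typo.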

 

Restart Policy Server once everything is configured.

 

SNMP Trap Logging

 

Set the environment variable "NETE_SNMPLOG_ENABLED=1" and the Policy Server will generate the smpolicysrv_snmptrap.log file in the "C:\Program Files (x86)\CA\siteminder\log" folder.

This log can generate a lot of data, so it should be used only for troubleshooting purposes.

A Policy Server restart is required to enable or disable this logging, as the environment variable is read at startup.

Sample log below.

smpolicysrv_snmptrap.log

## Event log file was sucessfully opened. ##

### SmEventInit::The EventSNMP dll is initializing ... ###

### SmEventRecord::Event is currently not SNMP supported : nCategoryType 6 , nCategory 18, nEventID 1 ###

### SmEventRecord::Event is currently not SNMP supported : nCategoryType 6 , nCategory 18, nEventID 1 ###

### SmEventRecord::Event is currently not SNMP supported : nCategoryType 6 , nCategory 18, nEventID 1 ###

### SmEventRecord::Event is currently not SNMP supported : nCategoryType 6 , nCategory 18, nEventID 1 ###

### SmEventRecord::Event is currently not SNMP supported : nCategoryType 6 , nCategory 18, nEventID 1 ###

### SmEventRecord::Event is currently not SNMP supported : nCategoryType 6 , nCategory 18, nEventID 1 ###

### SmEventRecord::Event is currently not SNMP supported : nCategoryType 6 , nCategory 18, nEventID 1 ###

### SmEventRecord::Event is currently not SNMP supported : nCategoryType 6 , nCategory 18, nEventID 1 ###

SmEventTrap::Send - trap (MIB id = 1) was sent successfully.

### SmEventRecord::SNMP Trap ( MIB id 1) was successfully sent nCategoryType: 3, nCategory: 1, nEventID: 1 ###

### SmEventRecord::Event is currently not SNMP supported : nCategoryType 6 , nCategory 9, nEventID 1 ###

### SmEventRecord::Event is currently not SNMP supported : nCategoryType 6 , nCategory 13, nEventID 1 ###

### SmEventRecord::Event is currently not SNMP supported : nCategoryType 6 , nCategory 11, nEventID 1 ###

### SmEventRecord::Event is currently not SNMP supported : nCategoryType 6 , nCategory 13, nEventID 1 ###

### SmEventRecord::Event is currently not SNMP supported : nCategoryType 6 , nCategory 11, nEventID 1 ###

### SmEventRecord::Event is currently not SNMP supported : nCategoryType 6 , nCategory 13, nEventID 1 ###

### SmEventRecord::Event is currently not SNMP supported : nCategoryType 6 , nCategory 11, nEventID 1 ###

### SmEventRecord::Event is currently not SNMP supported : nCategoryType 6 , nCategory 13, nEventID 1 ###
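Because this log grows quickly, a summary is easier to read than the raw file. The following added example (not part of the original post or the product) counts which events produced a trap and which were skipped as unsupported, using the line formats shown in the sample log above; the function names are assumptions and the embedded log is a constructed excerpt.

```python
import re
from collections import Counter

# Constructed excerpt that reuses the line formats from the sample log above.
SAMPLE_LOG = """\
## Event log file was sucessfully opened. ##
### SmEventInit::The EventSNMP dll is initializing ... ###
### SmEventRecord::Event is currently not SNMP supported : nCategoryType 6 , nCategory 18, nEventID 1 ###
### SmEventRecord::Event is currently not SNMP supported : nCategoryType 6 , nCategory 18, nEventID 1 ###
SmEventTrap::Send - trap (MIB id = 1) was sent successfully.
### SmEventRecord::SNMP Trap ( MIB id 1) was successfully sent nCategoryType: 3, nCategory: 1, nEventID: 1 ###
### SmEventRecord::Event is currently not SNMP supported : nCategoryType 6 , nCategory 13, nEventID 1 ###
"""

# The three numeric fields appear with and without a colon, so allow both.
_FIELDS = (r"nCategoryType:?\s*(\d+)\s*,\s*nCategory:?\s*(\d+)\s*,"
           r"\s*nEventID:?\s*(\d+)")
_UNSUPPORTED = re.compile(r"SmEventRecord::Event is currently not SNMP supported\s*:\s*" + _FIELDS)
_SENT = re.compile(r"SmEventRecord::SNMP Trap \(\s*MIB id\s*(\d+)\s*\) was successfully sent\s*" + _FIELDS)


def summarize(lines):
    """Count traps sent and events skipped, keyed by (type, category, event id)."""
    sent, skipped = Counter(), Counter()
    for line in lines:
        m = _SENT.search(line)
        if m:
            # The "SmEventTrap::Send" line is ignored so a trap is counted once.
            mib_id, *key = map(int, m.groups())
            sent[(mib_id, tuple(key))] += 1
            continue
        m = _UNSUPPORTED.search(line)
        if m:
            skipped[tuple(map(int, m.groups()))] += 1
    return sent, skipped


def report(sent, skipped):
    out = []
    for (mib_id, key), n in sorted(sent.items()):
        out.append(f"sent    MIB id {mib_id} type/cat/event={key} x{n}")
    for key, n in skipped.most_common():
        out.append(f"skipped type/cat/event={key} x{n}")
    return out


if __name__ == "__main__":
    print("\n".join(report(*summarize(SAMPLE_LOG.splitlines()))))
```

To run it against a real file, pass the opened smpolicysrv_snmptrap.log file object to `summarize` in place of the constructed excerpt.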

 

Importing MIB file at the monitoring server

 

Any SNMP polling or trap-receiving server must import the Policy Server MIB file in order to understand what the messages are about.

"C:\Program Files (x86)\CA\siteminder\mibs\NetegrityMIB.mib" file is available for importing.

 

** This article is now published as a Knowledge Document linked below.

http://www.ca.com/us/support/ca-support-online/product-content/knowledgebase-articles/tec1841322.aspx

 

 
