Symantec Access Management

  • 1.  Monitoring the Identity Suite components with CA UIM

    Posted Apr 05, 2018 04:03 PM

    Team,

    Paul konpa01 and I were testing the CA UIM solution with CA Identity Suite.

    There are quite a few monitoring processes we can leverage to promote the health of the CA Identity Suite solution and assist our clients in being proactive.

    Here is a view of the selective "monitoring probes" we have selected for CA Identity Suite.

    While the UIM Linux Agent typically requires root access, we can run select monitoring using the vApp config/ec2-user ID. To avoid installation, we have extracted the installation for Linux x64, and will be building instructions on how to update the configuration files for the agent. The local agent is also known as a "robot". The primary agent "nimbus" will call three (3) other sub-services: nimbus-controller, nimbus-spooler, nimbus-hdb. Upon startup, the nimbus agent will call out to the management server and register itself. The other sub-services will then listen on TCP 48000, 48001, 48007 for updates or configuration changes from the UIM Management UI.

    - After deploying/extracting the agent, we update the robot.cfg file with sed commands to search/replace.

    - Example:

    # Replace the placeholder robot IP with the address of this node (no trailing space in the value)
    sed -i 's|robotip = 1.1.1.1|robotip = 172.31.56.159|g' robot.cfg
    # Give the robot a name that identifies the Identity Suite node in the UIM console
    sed -i 's|robotname =|robotname = IdentitySuite_Node1|g' robot.cfg
    # Point the robot at the UIM hub (IP or resolvable DNS name)
    sed -i 's|hub_dns_name = UIM_HUB_HOSTNAME|hub_dns_name = 34.204.69.11|g' robot.cfg

    One of the "monitoring probes" that has value for the CA Identity Suite is the jboss probe. This can be used for all three (3) WildFly installations.

    More information about this feature is at:

    https://docops.ca.com/ca-unified-infrastructure-management-probes/ga/en/alphabetical-probe-articles/jboss-jboss-monitoring/jboss-im-configuration

    Other probes of interest: url_response, jboss, jvm_monitor, apache, jdbc_response, processes, ldap_response

    We are building a table to assist where the value will be for each monitoring probe we have selected.

    - We expect to add others, including standard system monitoring, e.g. CPU, Disk, Memory, Network.

    Paul will be collecting his notes to share.

    Cheers,

    Alan & Paul konpa01

    Edit: 4/12/2018

    View of the running UIM (nimbus) processes.

    View of the network ports that UIM (nimbus) processes are listening on:

    Ensure that the incoming TCP/UDP ports from the UIM agent/robot to the UIM management server are open.

    Suggest range of TCP/UDP 48000-48500.

    Example from AWS Security Groups (Inbound Services)

    Example from MS Windows Server

    Avoid this error message:
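    A small POSIX shell helper, added here as an example and not code from the original post or from CA UIM: it generalizes the robot.cfg sed step above by rewriting the three keys by key name rather than by placeholder value, so it is idempotent and still works after a first run, and then checks that no placeholder is left behind. The file path, robot name and addresses used in the comments are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post). Edits robot.cfg keys by name
# so the change applies whether the file still holds the shipped placeholders
# (1.1.1.1 / UIM_HUB_HOSTNAME) or a value from an earlier run.
set -eu

# set_cfg_key FILE KEY VALUE: rewrite "KEY = anything" to "KEY = VALUE",
# appending the key if the file does not have it yet.
set_cfg_key() {
    file=$1; key=$2; value=$3
    if grep -q "^[[:space:]]*$key[[:space:]]*=" "$file"; then
        sed -i "s|^\([[:space:]]*$key[[:space:]]*=\).*|\1 $value|" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# get_cfg_key FILE KEY: print the value with surrounding whitespace stripped.
get_cfg_key() {
    sed -n "s|^[[:space:]]*$2[[:space:]]*=[[:space:]]*||p" "$1" \
        | sed 's|[[:space:]]*$||' | head -n 1
}

# configure_robot FILE ROBOT_IP ROBOT_NAME HUB_DNS_NAME
configure_robot() {
    set_cfg_key "$1" robotip "$2"
    set_cfg_key "$1" robotname "$3"
    set_cfg_key "$1" hub_dns_name "$4"
}

# check_robot_cfg FILE: return 1 if a key is empty or still a placeholder,
# which is what leaves the robot unable to register with the hub.
check_robot_cfg() {
    ip=$(get_cfg_key "$1" robotip)
    name=$(get_cfg_key "$1" robotname)
    hub=$(get_cfg_key "$1" hub_dns_name)
    case "$ip" in 1.1.1.1|"") return 1 ;; esac
    case "$hub" in UIM_HUB_HOSTNAME|"") return 1 ;; esac
    [ -n "$name" ] || return 1
    return 0
}

# Usage (paths/values are constructed for the demo):
#   configure_robot /opt/nimsoft/robot/robot.cfg 172.31.56.159 IdentitySuite_Node1 34.204.69.11
#   check_robot_cfg /opt/nimsoft/robot/robot.cfg && echo "robot.cfg ready"
```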



  • 2.  Re: Monitoring the Identity Suite components with CA UIM

    Posted Apr 06, 2018 12:49 PM

    For additional background, should we be reading Deploy Robots to understand the "avoid installation" approach? The article on how to Configure a Robot for Marketplace Probes covers using a non-superuser to run the Market Place probes, so I assume you are following this approach in using the "config" user, right? This is an interesting approach which supports the DevSecOps model we are building. I'll monitor the thread for additional details.



  • 3.  Re: Monitoring the Identity Suite components with CA UIM

    Posted Dec 13, 2018 10:02 PM

    Added an update to help with deployment and testing in our remote labs.

    Using CA UIM with CA Identity Suite - Single NAT and Double NAT