Symantec Access Management

  • 1.  Specific User directory

    Posted Nov 27, 2018 05:24 AM

Hi,

     

I wanted to know whether there is a way available, or any logging parameter on the Policy Server, which can be used to check by which specific User Directory server a user's requests are being served?

     

    Thanks,

    Shrawan



  • 2.  Re: Specific User directory

    Broadcom Employee
    Posted Nov 27, 2018 12:26 PM

I believe you are trying to see where the user is getting authenticated (against which user directory).

     

    Option #1 :

     

There is a default HTTP header which carries the name of the directory against which the Policy Server authenticates the user.

     

    Default HTTP Headers Used by the Product - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation 

     

    HTTP_SM_AUTHDIRNAME

    Indicates the name of the directory against which the Policy Server authenticates the user. The administrator specifies this directory with the Administrative UI.

    Option #2 :

Below are log snippets from smtracedefault.log which have references to the authenticated user directory.

    [11/27/2018][10:32:14.405][10:32:14][6724][6968][SmAuthUser.cpp:5289][CSmAuthUser::Authenticate][][][][][][][][][][][][][][][][][][][][][Enter function CSmAuthUser::Authenticate]
    [11/27/2018][10:32:14.405][10:32:14][6724][6968][SmAuthUser.cpp:5440][CSmAuthUser::Authenticate][][][][ashokpearl][][][][CA-Dir-UserStore][][][][][][][][][][][][LDAP://mutas02-S11981:2389/uid=ashokpearl,ou=Users,o=sso,c=US][Authenticating user by the auth scheme]
    [11/27/2018][10:32:14.405][10:32:14][6724][6968][SmAuthHtml.cpp:279][SmAuthenticate][][][][][][][][][][][][][][][][][][][][][Enter function SmAuthenticate]

    :

    :

    :
    [11/27/2018][10:32:14.405][10:32:14][6724][6968][Sm_Auth_Message.cpp:5405][CSm_Auth_Message::FormatAttribute][s17/r4][iis.agent][][ashokpearl][][DisplayHTTPHeaders.asp][111Ashoktest][CA-Dir-UserStore][][][][][][][][][][][][LDAP:][Send response attribute 215, data size is 5]
    [11/27/2018][10:32:14.405][10:32:14][6724][6968][Sm_Auth_Message.cpp:4902][CSm_Auth_Message::SendReply][s17/r4][iis.agent][][ashokpearl][][DisplayHTTPHeaders.asp][111Ashoktest][CA-Dir-UserStore][][][][][][][][][][][][][** Status: Authenticated. ]
    [11/27/2018][10:32:14.405][10:32:14][6724][6968][Sm_Auth_Message.cpp:4906][CSm_Auth_Message::SendReply][][][][][][][][][][][][][][][][][][][][][Leave function CSm_Auth_Message::SendReply]

     

    Regards

    Ashok



  • 3.  Re: Specific User directory

    Posted Dec 04, 2018 11:24 AM

    Hi Ashok,

     

    Thanks for your response.

     

I want to dig further into that. I am aware we can see the user directory name configured on the Policy Server WAM UI, but I want to know if there is any way to check which LDAP server it's connecting to.

     

Can you help in this regard?

     

    Thanks,

    Shrawan



  • 4.  Re: Specific User directory

    Posted Dec 04, 2018 11:36 AM

The only way to get which exact LDAP server handled that request is by enabling profiler tracing on the Policy Server (smtracedefault.log). Enabling tracing does add overhead. But if you direly need that info, you can cut down tracing by just enabling LDAP / Directory in profiler tracing and keeping a few supporting elements, just to identify txns.



  • 5.  Re: Specific User directory

    Posted Dec 04, 2018 11:40 AM

    Hi Hubert,

     

Can you please also help with documentation for the same which states how to enable profiler tracing in the sm.registry file?

     

    Thanks,

    Shrawan



  • 6.  Re: Specific User directory
    Best Answer

    Posted Dec 04, 2018 11:49 AM

Once it is enabled via SmConsole OR directly via sm.registry, you'll need to stop and start the Policy Server services. This restart of the Policy Server services is only needed for the first-time enablement.

     

After that, you can stop and start tracing without restarting the Policy Server, using commands. If the ENV variables are sourced, you can run these from anywhere OR from within <SMPS_HOME>/bin.

    e.g.

    smpolicysrv -stoptrace

    smpolicysrv -starttrace

     

    sm.registry
    HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\LogConfig=988580027
    BufferedTracing= 0x0; REG_DWORD
    FilesToKeep= 0xa; REG_DWORD
    InMemoryTraceConfig= /smuser_HomeDir/programfiles/CA/siteminder/config/sminmemorytracedefault.txt; REG_SZ
    InMemoryTraceFilePath= /smuser_HomeDir/programfiles/CA/siteminder/log/; REG_SZ
    InMemoryTraceSize= 0x64; REG_DWORD
    LastRolloverTime= 0x0; REG_DWORD
    LogFile= /smuser_HomeDir/programfiles/CA/siteminder/log/smps.log; REG_SZ
    LogLocalTime= 0x1; REG_DWORD
    RolloverDays= 0x0; REG_DWORD
    RolloverInterval= 0x0; REG_DWORD
    RolloverOnStart= 0x1; REG_DWORD
    RolloverSize= 0xa; REG_DWORD
    RolloverTime= ; REG_SZ
    SizeOfRingBuffer= 0xa; REG_DWORD
    TraceConfig= /smuser_HomeDir/programfiles/CA/siteminder/config/smtracedefault.txt; REG_SZ
    TraceConfig1= /smuser_HomeDir/programfiles/CA/siteminder/config/smtracedefault.txt; REG_SZ
    TraceConfig2= ; REG_SZ
    TraceConfig3= ; REG_SZ
    TraceConfig4= ; REG_SZ
    TraceConsole= 0x0; REG_DWORD
    TraceDelim= ; REG_SZ
    TraceFilesToKeep= 0xa; REG_DWORD
    TraceFormat= sm; REG_SZ
    TraceInMemory= 0x0; REG_DWORD
    TraceLastRolloverTime= 0x0; REG_DWORD
    TraceMode= 0; REG_DWORD
    TraceOutput= /smuser_HomeDir/programfiles/CA/siteminder/log/smtracedefault.log; REG_SZ
    TraceRolloverDays= 0x0; REG_DWORD
    TraceRolloverInterval= 0x0; REG_DWORD
    TraceRolloverOnStart= 0x1; REG_DWORD
    TraceRolloverSize= 0xa; REG_DWORD
    TraceRolloverTime= ; REG_SZ


  • 7.  Re: Specific User directory

    Posted Dec 04, 2018 11:51 AM

    Thanks Hubert.

     

    I will try this out.



  • 8.  Re: Specific User directory

    Posted Dec 04, 2018 12:22 PM

In smtracedefault.txt, I'd start with these and, as you get better accustomed to reading the log file, cut down as needed.

     

    cat smtracedefault.txt

    components: AgentFunc/Init, AgentFunc/UnInit, AgentFunc/IsProtected, AgentFunc/Login, AgentFunc/ChangePassword, AgentFunc/Validate, AgentFunc/Logout, AgentFunc/Authorize, Server/Connection_Management, Server/Policy_Server_General, Login_Logout/Function_Begin_End, Login_Logout/Authentication, Login_Logout/Send_Response, Login_Logout/Receive_Request, IsAuthorized/Function_Begin_End, IsAuthorized/Policy_Evaluation, IsAuthorized/Send_Response, IsAuthorized/Receive_Request, Directory_Access, LDAP
    data: Date, PreciseTime, Pid, Tid, TransactionID, SrcFile, Function, TransactionName, Message, Data, AgentName, Resource, User, Group, Directory, ErrorValue, ReturnValue, ErrorString, Result, Returns, CallDetail, AuthScheme, AuthReason, AuthStatus, IPAddr, IPPort, ExecutionTime
    version: 1.1

     

NOTE: You can add deeper tracing for the User Directory using XPSConfig --> xTrace --> 'ds'.
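The trace excerpts in reply 2 and the smtracedefault.txt in reply 8 fit together: the "data:" line fixes the column order of every bracketed field in smtracedefault.log, and the Directory column (plus the LDAP URL the Policy Server writes into one of the trailing columns) is what answers the original question. The following Python is an added example, not code from the thread or from the product: it parses the "data:" line, names the columns of each trace line, and reports, per user, the user directory and the LDAP server host that served the authentication. It assumes the 27-column order from reply 8; the trace lines, host names and users in SAMPLE_LOG are constructed for the example (the thread's own excerpts were written with a different column layout and would not parse with this data: list, which the column-count check is there to catch).

```python
import re
from typing import Dict, List, Set

# Constructed copy of the smtracedefault.txt from the thread, trimmed to the
# components relevant to directory lookups. The "data:" line is kept verbatim
# because it fixes the column order of every line in smtracedefault.log.
TRACE_CONFIG = """\
components: Login_Logout/Authentication, Login_Logout/Send_Response, Directory_Access, LDAP
data: Date, PreciseTime, Pid, Tid, TransactionID, SrcFile, Function, TransactionName, Message, Data, AgentName, Resource, User, Group, Directory, ErrorValue, ReturnValue, ErrorString, Result, Returns, CallDetail, AuthScheme, AuthReason, AuthStatus, IPAddr, IPPort, ExecutionTime
version: 1.1
"""


def parse_trace_config(text: str) -> Dict[str, object]:
    """Parse the 'key: value' lines of smtracedefault.txt; the components and
    data keys become lists, everything else stays a string."""
    cfg: Dict[str, object] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key = key.strip()
        if key in ("components", "data"):
            cfg[key] = [v.strip() for v in value.split(",") if v.strip()]
        else:
            cfg[key] = value.strip()
    return cfg


# One bracketed column of an 'sm'-format trace line (columns never contain ']').
FIELD_RE = re.compile(r"\[([^\]]*)\]")
# Host:port part of an ldap:// or ldaps:// URL wherever it appears in a column.
LDAP_URL_RE = re.compile(r"ldaps?://([^/\s]+)", re.IGNORECASE)


def parse_trace_line(line: str, fields: List[str]) -> Dict[str, str]:
    """Split one trace line into its columns and name them from the data: list.
    A column-count mismatch usually means the log was written with a different
    smtracedefault.txt than the one used to read it, so fail loudly."""
    values = FIELD_RE.findall(line)
    if len(values) != len(fields):
        raise ValueError(
            f"expected {len(fields)} columns, found {len(values)}: {line[:60]}")
    return dict(zip(fields, values))


def directories_by_user(log_text: str, fields: List[str]) -> Dict[str, Dict[str, object]]:
    """Return {user: {"directory": name, "servers": {host:port, ...}}} from every
    line that names a user; the LDAP URL is searched in all columns because the
    column it lands in differs between trace messages."""
    result: Dict[str, Dict[str, object]] = {}
    for line in log_text.splitlines():
        if not line.startswith("["):
            continue
        rec = parse_trace_line(line, fields)
        user = rec.get("User", "")
        if not user:
            continue  # "Enter function" style lines carry no user
        entry = result.setdefault(user, {"directory": "", "servers": set()})
        if rec.get("Directory"):
            entry["directory"] = rec["Directory"]
        servers: Set[str] = entry["servers"]  # type: ignore[assignment]
        for value in rec.values():
            for m in LDAP_URL_RE.finditer(value):
                servers.add(m.group(1).lower())
    return result


# Constructed trace lines in the 27-column order above; "[]" * n stands for n
# empty columns. Users and hosts are invented for the example.
SAMPLE_LOG = "\n".join([
    # Authenticate: User, Directory and (in CallDetail) the LDAP URL actually used
    "[12/04/2018][11:49:00.123][6724][6968][s17/r4][SmAuthUser.cpp:5440]"
    "[CSmAuthUser::Authenticate][][Authenticating user by the auth scheme][]"
    "[iis.agent][/app/index.html][alice][][CA-Dir-UserStore]" + "[]" * 5
    + "[LDAP://ldap-a.example.test:389/uid=alice,ou=Users,o=sso,c=US]" + "[]" * 6,
    # SendReply for the same transaction: directory present, no URL
    "[12/04/2018][11:49:00.125][6724][6968][s17/r4][Sm_Auth_Message.cpp:4902]"
    "[CSm_Auth_Message::SendReply][][** Status: Authenticated. ][]"
    "[iis.agent][/app/index.html][alice][][CA-Dir-UserStore]" + "[]" * 12,
    # A second user served by a different directory and an ldaps server
    "[12/04/2018][11:49:02.001][6724][6970][s18/r1][SmAuthUser.cpp:5440]"
    "[CSmAuthUser::Authenticate][][Authenticating user by the auth scheme][]"
    "[iis.agent][/app/index.html][bob][][AD-UserStore]" + "[]" * 5
    + "[LDAPS://ldap-b.example.test:636/CN=bob,OU=Users,DC=example,DC=test]" + "[]" * 6,
    # Function-entry line with no user: skipped
    "[12/04/2018][11:49:00.120][6724][6968][][SmAuthUser.cpp:5289]"
    "[CSmAuthUser::Authenticate][][Enter function CSmAuthUser::Authenticate]" + "[]" * 18,
])


if __name__ == "__main__":
    cfg = parse_trace_config(TRACE_CONFIG)
    for user, info in directories_by_user(SAMPLE_LOG, cfg["data"]).items():
        print(f"{user}: directory={info['directory']} servers={sorted(info['servers'])}")
```

Pair the log with the smtracedefault.txt that was active when it was written: the parser refuses lines whose column count differs from the data: list rather than silently mislabelling columns, which is the error most likely to send you to the wrong directory name.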



  • 9.  Re: Specific User directory

    Posted Dec 04, 2018 12:30 PM

    Hi Hubert,

     

I will check this too. Many thanks.