Steps to Configure SiteMinder SNMP Agent.
The following components are used in this sample.
OS : Windows 2003 SP2
SiteMinder Policy Server : v6.0SP5CR32
Prepared by : Sung Hoon Kim (KIMSU05)
Prerequisites:
(This assumes the Policy Server and Health Monitor are installed and running.)
1. Master SNMP Agent
a. The SiteMinder SNMP Agent is just a subagent, so you need to install a Master SNMP Agent, which usually comes with the OS.
b. The Master SNMP Agent needs to be configured and enabled to forward requests to the SiteMinder SNMP Agent.
2. 3rd Party SNMP Browser
a. You can use any 3rd party SNMP browser or SNMP management tool to make the query.
b. Here is one : http://www.mg-soft.com/files/mgMibBrow-11_0j.zip
c. Here is another: http://download-cdn.paessler.com/download/snmptester.zip and
http://download-cdn.paessler.com/download/mibimporter.zip (optional)
Configuration :
1. Install SNMP Master Agent.
2. Configure Master SNMP Agent Service
This community should match the one specified in the <PolicyServer>/config/snmptrap.conf and
snmp.conf
In my test environment, the Policy Server is installed on the “sample” host. You can specify the IP address as well, which in my case is 192.168.38.132. Don’t use “localhost”.
3. Ensure that the permission is set correctly and that the service is accepting SNMP packets.
The best way to test is to select “Accept SNMP packets from any host”.
4. Install SiteMinder SNMP Agent
Here are the instructions to install the SiteMinder SNMP Agent. These are for Windows. For other operating systems, please refer to the documentation.
Configure the SNMP Agent on Windows
To configure the SNMP agent on Windows
1. Ensure the NETE_PS_ROOT environment variable is set to the SiteMinder installation
directory. The Policy Server installation program should have already done this.
2. Open the <siteminder-install-dir>\config\snmp.conf file and edit the last row to contain
the full path to <siteminder-install-dir>\log\snmp.log.
Note: You only need to do this if you did not specify the Policy Server installation program to
automatically configure SNMP.
Correct example: LOG_FILE=C:\Program Files\Netegrity\siteminder\log\snmp.LOG
Incorrect example: LOG_FILE=$NETE_PS_ROOT\log\snmp.log
3. Edit <Windows_dir>/java_service.ini file.
Note: You only need to do this if you did not specify the Policy Server installation to
automatically configure SNMP.
a. Set SERVICE_BINARY_NAME to the full path name of JavaService.exe.
Example: SERVICE_BINARY_NAME=c:\\Windows\\JavaService.exe
b. Set WORKING_DIR to the full path to directory <siteminder-install-dir>\bin:
Example: WORKING_DIR=C:\\Program files\\Netegrity\\siteminder\\bin
c. Set JRE_PATH to the full path of javaw.exe.
4. Run <siteminder-install-dir>\bin\thirdparty\proxyreg.exe to change the registry keys for
the apadll.dll and snmp.conf:
proxyreg.exe <full path for apadll.dll> <full path for snmp.conf>
Example: proxyreg.exe "c:\program files\netegrity\siteminder\bin\thirdparty\apadll.dll" "c:\program files\netegrity\siteminder\config\snmp.conf"
5. Run <WINNT dir>/JavaService.exe with the -install option, to register the Netegrity
SNMP agent as a WINNT service.
6. Start the Netegrity SNMP agent by using the Windows Services dialog box.
7. Restart the SNMP service.
This is my java_service.ini after modification. You just need to ensure the path is correct.
Note that each backslash is doubled (“\\”).
5. Configure SiteMinder SNMP SubAgent (<PolicyServer>/config/snmp.conf)
Configure (uncomment) the entries you want to trap and specify the IP address of the Master Agent to which they will be sent.
The community here should match the one you configured in the Master SNMP Agent trap settings.
6. Configure SiteMinder SNMP SubAgent (<PolicyServer>/config/snmptrap.conf)
Do not use “localhost” as the hostname; the community must match the SNMP Master Agent’s trap setting.
7. On the [Advanced] tab of smconsole (Policy Server Management Console), load eventsnmp.dll.
8. Restart the master “SNMP service”, “SNMP Trap Service”, “Netegrity SNMP agent”, “SiteMinder Policy Server” and “SiteMinder Health Monitor” services.
9. Load the MIB Browser from a remote machine and check that you can ping the Master Agent machine. In my test, the remote machine is 192.168.38.1 and the Master Agent is installed on 192.168.38.132.
If you click on the “Contact Remote SNMP Agent” button, it should return the following response.
10. Check the SNMP Agent setting
Ensure that you set the “Read community” to match what you have set at the Master Agent
Trap and that the “Port number” is 161.
11. At the [Query] tab, navigate to “iso.org.dod.internet.private.enterprise”
12. Right click on the “enterprise” branch and select “Walk”
If any SiteMinder event has been trapped (such as Policy Server start), it should return all the system and SiteMinder info.
13. Your SNMP monitoring tool should then have a feature to check the status regularly and trigger an alert to the administrator, which is beyond the scope of this document.
14. OID 1.3.6.1.4.1.2552 translates as follows.
1(iso).3(org).6(dod).1(internet).4(private).1(enterprises).2552(Netegrity)
If you request 1.3.6.1.4.1.2552, it returns “null”.
But if you request “Get Next”, it returns the following.
As you can see, it returns the OID 1.3.6.1.4.1.2552.200.300.1.1.1.1 and its value was integer “1”.
This OID matches authServerIndex.
If you have a custom MIB compiled into the MIB browser, it translates this OID to text.
SiteMinder Policy Server comes with a MIB file that lists the OIDs and their translations:
<PolicyServer>/mibs/NetegrityMIB.mib
To explore what is in the NetegrityMIB.mib file, you can load the “MIB Explorer”.
Then click on “compile” so that it is compiled for the MIB Explorer to use.
Click on “Save All” and just press “OK” when it asks where to save.
Now you should see “NETEGRITY” in the MIB list.
If you close the MIB Explorer and open it again, you should see “NETEGRITY” in the list as well.
You should also be able to see the node and its details.
From the MIB Browser, you can now load the “NETEGRITY” MIB module. Once this is done, you should see more user-friendly messages instead of just OIDs.
This applies to your SNMP monitoring tools as well.
“NetegrityMIB.mib” is SNMPv2-compliant data.
Here is another SNMP tool that translates OID to readable names by referring to the MIB file.
Paessler SNMP Tester is a simple tool to make a request for an OID and get back the status.
Paessler MIB Importer is a tool to import the SiteMinder MIB file so that SNMP Tester can reference the OID and display friendly names instead.
Load Paessler MIB Importer and click on the “Import” button.
Navigate to the “<Siteminder>/mibs” folder.
Import the NetegrityMIB.mib file.
You will now see the translated OIDs.
1.3.6.1.4.1.2552.200.300.1.3.1.1 is now translated to “policy server”.
1.3.6.1.4.1.2552.200.300.1.3.1.19 is now “policy server auth accept count”.
Now, save the NetegrityMIB.mib data in a format readable by the Paessler SNMP Tool (Save As).
Load the Paessler SNMP Tool.
Specify the device IP (SNMP Master Agent IP), port 161 (default) and the community to match “public”.
Select “Scan Available OIDs from OIDLIB” and load the converted MIB file (now with the oidlib extension).
Click on the “3. Run Test” button and you will get the full list of what can be monitored (as specified in the MIB file) and the current status of each item. This tool shows both the OID and the translated name together.
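Step 14's Get versus Get Next behaviour can be reproduced offline. The following is an added example, not part of the original document: it models an agent as an ordered table holding the three SiteMinder OIDs quoted above plus the standard sysUpTime.0, and every value except authServerIndex = 1 is constructed.

```python
from bisect import bisect_right

NETEGRITY = (1, 3, 6, 1, 4, 1, 2552)
ARC_NAMES = ("iso", "org", "dod", "internet", "private", "enterprises", "Netegrity")

def parse_oid(text):
    # Arcs are integers: (..., 2) sorts before (..., 19), unlike the strings.
    return tuple(int(arc) for arc in text.strip(".").split("."))

def fmt(oid):
    return ".".join(str(arc) for arc in oid)

def label(text):
    """Spell out the arcs of the Netegrity prefix, as step 14 does."""
    arcs, out = parse_oid(text), []
    for i, arc in enumerate(arcs):
        named = i < len(NETEGRITY) and arcs[:i + 1] == NETEGRITY[:i + 1]
        out.append(f"{arc}({ARC_NAMES[i]})" if named else str(arc))
    return ".".join(out)

# Constructed agent contents; only authServerIndex = 1 is taken from the text.
AGENT = {
    parse_oid("1.3.6.1.2.1.1.3.0"): 123456,                # sysUpTime.0
    parse_oid("1.3.6.1.4.1.2552.200.300.1.1.1.1"): 1,      # authServerIndex
    parse_oid("1.3.6.1.4.1.2552.200.300.1.3.1.1"): 1,      # "policy server"
    parse_oid("1.3.6.1.4.1.2552.200.300.1.3.1.19"): 7,     # auth accept count
}
ORDERED = sorted(AGENT)

def get(text):
    """Get: exact instance only, so a subtree node such as ...2552 has no value."""
    return AGENT.get(parse_oid(text))

def get_next(text):
    """Get Next: the first instance strictly after the requested OID."""
    i = bisect_right(ORDERED, parse_oid(text))
    return (fmt(ORDERED[i]), AGENT[ORDERED[i]]) if i < len(ORDERED) else None

def walk(root_text):
    """Walk: repeat Get Next until the answer leaves the subtree."""
    root, found, cur = parse_oid(root_text), [], root_text
    while True:
        nxt = get_next(cur)
        if nxt is None or parse_oid(nxt[0])[:len(root)] != root:
            return found
        found.append(nxt)
        cur = nxt[0]
```

A Get Next for ...1.3.1.2 returns ...1.3.1.19 here, which is why a monitoring script must compare OIDs arc by arc as integers and not as strings.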
To troubleshoot SNMP:
1. Isolate where the issue is (use snmpWalkrun.bat to test).
a. If you are able to get the server up time from the Master SNMP Agent via UDP port 161, the Master Agent is working.
b. If you get results from the Master Agent but see “timeout” at the end of the messages (when using SNMP tools), the SiteMinder SNMP Agent is not working correctly or the Master Agent is unable to contact the SiteMinder Agent. Check by accessing UDP port 8001 directly to see if the SiteMinder SNMP Agent works.
c. If UDP 8001 works, then the issue is in the Master Agent configuration that controls how requests are forwarded to the SiteMinder SNMP Agent.
d. If UDP 8001 does not work, check whether the “SiteMinder Health Monitor Service (smservmon)” is running. It would be best to restart the Master Agent, the SubAgent and their trap services all together.
2. Enable debugging
Set system environment variable NETE_SNMPLOG_ENABLED=1
It will generate the following log files in the “<PolicyServer>/log” folder.
SmServAuth_snmptrap.log
SmServAz_snmptrap.log
SmServAcct_snmptrap.log
SmServAdm_snmptrap.log
You can disable the “Netegrity SNMP Agent” and use snmprun.bat for this test, so that you can set the environment variable within snmprun.bat and it will take effect immediately.
In most cases, customers do not configure the Master SNMP Agent correctly, so the query does not reach the SiteMinder SNMP SubAgent.
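Troubleshooting step 1 as a script, added here as an example and not part of the original document: it hand-encodes SNMPv1 Get and Get Next requests and probes UDP 161 and then UDP 8001 in the order described above. The default community, the 3-second timeout and the assumption that the subagent on UDP 8001 accepts the same community are assumptions of this example.

```python
import socket  # added example; assumes SNMPv1 and one community on both ports

SYS_UPTIME = "1.3.6.1.2.1.1.3.0"  # standard MIB-II sysUpTime.0
NETEGRITY = "1.3.6.1.4.1.2552"    # enterprise subtree named on this page

def tlv(tag, body):
    assert len(body) < 128, "short-form BER lengths only"
    return bytes([tag, len(body)]) + body

def oid_body(text):
    arcs = [int(a) for a in text.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:              # base-128, high bit marks continuation
            arc >>= 7
            chunk.insert(0, (arc & 0x7F) | 0x80)
        out += bytes(chunk)
    return bytes(out)

def request(pdu_tag, oid, community="public", req_id=1):
    # 0xA0 = GetRequest, 0xA1 = GetNextRequest; version 0 = SNMPv1
    varbinds = tlv(0x30, tlv(0x30, tlv(0x06, oid_body(oid)) + tlv(0x05, b"")))
    pdu = tlv(pdu_tag, tlv(0x02, bytes([req_id])) + b"\x02\x01\x00" * 2 + varbinds)
    return tlv(0x30, b"\x02\x01\x00" + tlv(0x04, community.encode()) + pdu)

def udp_ask(host, port, packet, timeout=3.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(packet, (host, port))
            return s.recvfrom(4096)[0]
        except OSError:                # timeout or ICMP port unreachable
            return None

def below(resp, subtree):
    # True only if the reply carries an OID strictly inside the subtree
    body = oid_body(subtree)
    i = resp.find(body) if resp else -1
    return i >= 2 and resp[i - 2] == 0x06 and resp[i - 1] > len(body)

def diagnose(host, community="public", ask=udp_ask):
    if ask(host, 161, request(0xA0, SYS_UPTIME, community)) is None:
        return "master agent not answering on UDP 161"
    nxt = request(0xA1, NETEGRITY, community)
    if below(ask(host, 161, nxt), NETEGRITY):
        return "master agent and SiteMinder subagent OK"
    if below(ask(host, 8001, nxt), NETEGRITY):
        return "subagent OK on UDP 8001; check master agent forwarding"
    return "subagent not answering on UDP 8001; check smservmon"
```

Call `diagnose("192.168.38.132")` from the remote machine; a reply that only echoes 1.3.6.1.4.1.2552 back is treated as "no SiteMinder data", because the returned OID must lie inside the subtree.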