Post on 01-Jul-2018

Steps to Configure SiteMinder SNMP Agent.

The following components are used in this sample.

OS : Windows 2003 SP2

SiteMinder Policy Server : v6.0SP5CR32

Prepared by : Sung Hoon Kim (KIMSU05)

Prerequisites:

(This is based on the Policy Server and Health Monitor installed and running)

1. Master SNMP Agent

a. The SiteMinder SNMP Agent is only a subagent, so you need to install a Master SNMP Agent, which usually comes with the OS.

b. The Master SNMP Agent needs to be configured and enabled to forward requests to the SiteMinder SNMP Agent.

2. 3rd Party SNMP Browser

a. You can use any 3rd party SNMP browser or SNMP management tool to make the query.

b. Here is one: http://www.mg-soft.com/files/mgMibBrow-11_0j.zip

c. Here is another: http://download-cdn.paessler.com/download/snmptester.zip and http://download-cdn.paessler.com/download/mibimporter.zip (optional)

Configuration :

1. Install SNMP Master Agent.

2. Configure Master SNMP Agent Service

This community should match the one specified in <PolicyServer>/config/snmptrap.conf and snmp.conf.

In my test environment, the Policy Server is installed on the host “sample”. You can specify the IP address as well, which in my case is 192.168.38.132. Don’t use “localhost”.

3. Ensure that the permissions are set correctly and that the service is accepting SNMP packets.

The best way to test is to select “Accept SNMP packets from any host”.

4. Install SiteMinder SNMP Agent

Here are the instructions to install the SiteMinder SNMP Agent on Windows. For other operating systems, please refer to the documentation.

Configure the SNMP Agent on Windows

To configure the SNMP agent on Windows

1. Ensure the NETE_PS_ROOT environment variable is set to the SiteMinder installation directory. The Policy Server installation program should have already done this.

2. Open the <siteminder-install-dir>\config\snmp.conf file and edit the last row to contain the full path to <siteminder-install-dir>\log\snmp.log.

Note: You only need to do this if you did not specify the Policy Server installation program to automatically configure SNMP.

Correct example: LOG_FILE=C:\Program Files\Netegrity\siteminder\log\snmp.LOG

Incorrect example: LOG_FILE=$NETE_PS_ROOT\log\snmp.log

3. Edit the <Windows_dir>/java_service.ini file.

Note: You only need to do this if you did not specify the Policy Server installation to automatically configure SNMP.

a. Set SERVICE_BINARY_NAME to the full path name of JavaService.exe.

Example: SERVICE_BINARY_NAME=c:\\Windows\\JavaService.exe

b. Set WORKING_DIR to the full path to directory <siteminder-install-dir>\bin:

Example: WORKING_DIR=C:\\Program files\\Netegrity\\siteminder\\bin

c. Set JRE_PATH to the full path of javaw.exe.

4. Run <siteminder-install-dir>\bin\thirdparty\proxyreg.exe to change the registry keys for the apadll.dll and snmp.conf:

proxyreg.exe <full path for apadll.dll> <full path for snmp.conf>

Example: proxyreg.exe "c:\program files\netegrity\siteminder\bin\thirdparty\apadll.dll" "c:\program files\netegrity\siteminder\config\snmp.conf"

5. Run <WINNT dir>/JavaService.exe with the -install option to register the Netegrity SNMP agent as a WINNT service.

6. Start the Netegrity SNMP agent by using the Windows Services dialog box.

7. Restart the SNMP service.

This is my java_service.ini after modification. You just need to ensure that the paths are correct.

Note that each backslash is doubled (“\\”).
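The two path rules from steps 2 and 3 (a literal full path for LOG_FILE, doubled backslashes in java_service.ini) can be checked before the service is registered. This is an added example, not part of the original document or of SiteMinder; it assumes both files hold KEY=VALUE rows and that “#” starts a comment, and the function names are hypothetical.

```python
import re

SINGLE_BACKSLASH = re.compile(r"(?<!\\)\\(?!\\)")  # a backslash with no partner
FULL_PATH = re.compile(r"^[A-Za-z]:\\")            # drive letter, colon, backslash

def parse_kv(text):
    """Collect KEY=VALUE rows; assumes '#' starts a comment, other rows are ignored."""
    pairs = {}
    for line in text.splitlines():
        line = line.strip()
        if "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            pairs[key.strip()] = value.strip()
    return pairs

def check_snmp_conf(text):
    """snmp.conf: LOG_FILE must be a literal full path, not built from a variable."""
    log_file = parse_kv(text).get("LOG_FILE")
    if log_file is None:
        return ["LOG_FILE is missing"]
    if "$" in log_file or "%" in log_file:
        return ["LOG_FILE uses an environment variable instead of the full path"]
    if not FULL_PATH.match(log_file):
        return ["LOG_FILE is not a full path"]
    return []

def check_java_service_ini(text):
    """java_service.ini: the three paths must be full paths with doubled backslashes."""
    values, problems = parse_kv(text), []
    for key in ("SERVICE_BINARY_NAME", "WORKING_DIR", "JRE_PATH"):
        value = values.get(key)
        if value is None:
            problems.append(f"{key} is missing")
        elif SINGLE_BACKSLASH.search(value):
            problems.append(f"{key} contains a single backslash")
        elif not FULL_PATH.match(value):
            problems.append(f"{key} is not a full path")
    return problems
```

Pass each function the text of the corresponding file; an empty list means the rules above are met.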

5. Configure SiteMinder SNMP SubAgent (<PolicyServer>/config/snmp.conf)

Configure (uncomment) the events you want to trap and specify the IP address of the Master Agent to which they will be sent.

The community here should match the one you have configured at the Master SNMP Agent Trap.

6. Configure SiteMinder SNMP SubAgent (<PolicyServer>/config/snmptrap.conf)

Do not use “localhost” as the hostname, and the community must match the SNMP Master Agent’s Trap setting.

7. In smconsole (Policy Server Management Console), on the [Advanced] tab, load eventsnmp.dll.

8. Restart the Master “SNMP service”, “SNMP Trap Service”, “Netegrity SNMP agent”, “SiteMinder Policy Server” and “SiteMinder Health Monitor” services.

9. Load the MIB Browser from a remote machine and check that you can ping the Master Agent machine. In my test, the remote machine is 192.168.38.1 and the Master Agent is installed on 192.168.38.132.

And if you click on the “Contact Remote SNMP Agent” button, it should return the following response.

10. Check the SNMP Agent setting.

Ensure that the “Read community” matches what you have set at the Master Agent Trap and that the “Port number” is 161.

11. On the [Query] tab, navigate to “iso.org.dod.internet.private.enterprise”.

12. Right-click on the “enterprise” branch and select “Walk”.

If any SiteMinder event has been trapped (such as a Policy Server start), it should return all the system and SiteMinder info.

13. Your SNMP monitoring tool should then have a feature to check the status regularly and trigger an alert to the administrator, which is beyond the scope of this document.

14. OID 1.3.6.1.4.1.2552 translates as follows.

1(iso).3(org).6(dod).1(internet).4(private).1(enterprises).2552(Netegrity)

If you request 1.3.6.1.4.1.2552, it returns “null”.

But if you request “Get Next”, it returns the following.

As you can see, it returns the OID 1.3.6.1.4.1.2552.200.300.1.1.1.1 and its value was integer “1”.

This OID matches authServerIndex.

If you have a custom MIB compiled into the MIB browser, it will translate this OID to text.

The SiteMinder Policy Server comes with a MIB file that lists the OIDs and their translations:

<PolicyServer>/mibs/NetegrityMIB.mib

To explore what is in the NetegrityMIB.mib file, you can load it in the “MIB Explorer”.

Then click on “compile” so that it is compiled for the MIB Explorer to use.

Click on “Save All” and just press “OK” when it asks where to save.

Now you should see “NETEGRITY” in the MIB list.

If you close the MIB Explorer and open again, you should see “NETEGRITY” in the list as well.

And you should be able to see the node and its details.

From the MIB Browser, you can now load the “NETEGRITY” MIB module. Once this is done, you should see more user-friendly messages instead of just OIDs.

So, this applies to your SNMP monitoring tools as well.

“NetegrityMIB.mib” is SNMPv2 compliant data.

Here is another SNMP tool that translates OIDs to readable names by referring to the MIB file.

Paessler SNMP Tester is a simple tool to make a request for an OID and get back the status.

Paessler MIB Importer is a tool to import the SiteMinder MIB file so that SNMP Tester can reference the OIDs and display friendly names instead.

Load Paessler MIB Importer and click on the “Import” button.

Navigate to “<Siteminder>/mibs” folder

Import NetegrityMIB.mib file.

You will now see the translated OIDs.

1.3.6.1.4.1.2552.200.300.1.3.1.1 is now translated to “policy server”

1.3.6.1.4.1.2552.200.300.1.3.1.19 is now “policy server auth accept count”.

Now, save the NetegrityMIB.mib data in a format readable by the Paessler SNMP Tool. (Save As)

Load the Paessler SNMP Tool.

Specify the device IP (the SNMP Master Agent IP), port 161 (default), and the community to match “public”.

Select “Scan Available OIDs from OIDLIB” and load the converted MIB file (now with the oidlib extension).

Click on the “3. Run Test” button and you will get the full list of what can be monitored (which was specified in the MIB file) and their current status. This tool shows both the OIDs and the translated names together.

To troubleshoot SNMP:

1. Isolate where the issue is (use snmpWalkrun.bat to test).

a. If you are able to get the server uptime from the Master SNMP Agent via UDP port 161, the Master Agent is working.

b. If you get results from the Master Agent but see “timeout” at the end of the messages (when using SNMP tools), the SiteMinder SNMP Agent is not working correctly or the Master Agent is unable to contact the SiteMinder Agent. Check by accessing UDP port 8001 directly to see if the SiteMinder SNMP Agent works.

c. If UDP 8001 works, the problem is in the Master Agent configuration for forwarding requests to the SiteMinder SNMP Agent.

d. If UDP 8001 does not work, check whether the “SiteMinder Health Monitor Service (smservmon)” is running. It would be best to restart all Master and Sub Agents and their traps together.

2. Enable debugging.

Set the system environment variable NETE_SNMPLOG_ENABLED=1

It will generate the following log files in the “<PolicyServer>/log” folder:

SmServAuth_snmptrap.log

SmServAz_snmptrap.log

SmServAcct_snmptrap.log

SmServAdm_snmptrap.log

You can disable the “Netegrity SNMP Agent” and use snmprun.bat for this test, so that you can set the environment variable within snmprun.bat and it takes effect immediately.

In most cases, customers have not configured the Master SNMP Agent correctly, so the query does not reach the SiteMinder SNMP SubAgent.
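The isolation in troubleshooting step 1 and the Get Next behaviour shown for 1.3.6.1.4.1.2552 can be scripted. The following is an added example, not part of the original document or of SiteMinder: it sends one SNMPv1 GetNext for the Netegrity subtree to UDP 161 and UDP 8001, decodes the first returned OID, and maps the two replies to cases a to d. It assumes both agents answer SNMPv1; the function names are hypothetical.

```python
import socket

NETEGRITY_BER = bytes.fromhex("2b060104019378")  # 1.3.6.1.4.1.2552 as BER content bytes

def tlv(tag, body):
    return bytes([tag, len(body)]) + body  # short-form length: body must be < 128 bytes

def getnext_packet(community, request_id=1):  # assumption: the agents accept SNMPv1
    varbind = tlv(0x30, tlv(0x06, NETEGRITY_BER) + b"\x05\x00")  # OID with NULL value
    pdu = tlv(0xA1, tlv(0x02, bytes([request_id])) + b"\x02\x01\x00" * 2 + tlv(0x30, varbind))
    return tlv(0x30, b"\x02\x01\x00" + tlv(0x04, community.encode()) + pdu)

def items(buf):  # split a BER body into its (tag, value) children
    out, pos = [], 0
    while pos < len(buf):
        tag, n, pos = buf[pos], buf[pos + 1], pos + 2
        if n & 0x80:  # long form: the low 7 bits count the length bytes that follow
            n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
        out.append((tag, buf[pos:pos + n]))
        pos += n
    return out

def dec_oid(body):
    parts, n = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        n = (n << 7) | (b & 0x7F)
        if b < 0x80:  # high bit clear: last byte of this sub-identifier
            parts, n = parts + [n], 0
    return ".".join(map(str, parts))

def first_varbind(pkt):  # returns (error_status, dotted OID, raw value bytes)
    msg = items(items(pkt)[0][1])  # version, community, PDU
    pdu = items(msg[2][1])         # request-id, error-status, error-index, varbind list
    oid, val = items(items(pdu[3][1])[0][1])
    return pdu[1][1][0], dec_oid(oid[1]), val[1]

def probe(host, port, community, timeout=3.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(getnext_packet(community), (host, port))
            return first_varbind(s.recvfrom(4096)[0])
        except (OSError, IndexError, ValueError):  # timeout, ICMP error, malformed reply
            return None

def triage(master, sub):  # replies from UDP 161 (master) and UDP 8001 (subagent)
    hit = lambda r: bool(r) and r[0] == 0 and r[1].startswith(dec_oid(NETEGRITY_BER) + ".")
    return ("forwarding works" if hit(master) else
            "fix master agent forwarding" if hit(sub) else "check smservmon")
```

Call triage(probe(host, 161, community), probe(host, 8001, community)) with the Master Agent address and the community configured above. Only a reply whose OID lies below 1.3.6.1.4.1.2552, such as 1.3.6.1.4.1.2552.200.300.1.1.1.1, counts as an answer from the SiteMinder subagent.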