Configuring SiteMinder SNMP on Red Hat 5

Note: Portions of this post come from details in the SiteMinder Admin and Install Guides Copyright © by CA Technologies.

Overview This post cover details on how to configure SiteMinder's SNMP services on Red Hat 5.  The SiteMinder SNMP module enables many operational aspects of the SiteMinder environment to be monitored by SNMP-compliant network management applications. The SiteMinder SNMP module provides SNMP request handling and configurable event trapping for the SiteMinder environment. It does this by collecting operational data from the SiteMinder OneView Monitor and making it available in a MIB to third-party Network Management Systems applications (NMS) that support the SNMP protocol.

The SiteMinder SNMP module consists of:

  • SiteMinder SNMP MIB is the database of SiteMinder objects that can be monitored by an SNMP-compliant network management system.
  • A SiteMinder SNMP Subagent responds to SNMP requests (GET and GETNEXT only) passed to it from an SNMP master agent.
  • SiteMinder Event Manager captures Policy Server events and, if configured to do so, generates SNMP traps (unsolicited messages sent by an SNMP agent to a SNMP NMS indicating that some event has occurred).

The SNMP support is dependent on OneView monitor being installed and configured on the Policy Server and also requires a Master SNMP Agent at the Operating System level.

The following figure illustrates SNMP module dataflow:

SiteMinder SNMP Dataflow:

  1. The SNMP Master Agent receives SNMP requests from a management application.
  2. The SNMP Master Agent forwards the SNMP request to the SNMP Subagent.
  3. The SiteMinder SNMP Subagent retrieves the requested information from OneView Monitor.
  4. The SiteMinder SNMP Subagent passes the retrieved information back to the SNMP Master Agent.
  5. The SNMP Master Agent generates an SNMP response and sends it back to the requesting management application.

The SiteMinder MIB provides an SNMPv2-compliant data representation of all monitored components in the SiteMinder environment.  The SiteMinder MIB is supplied in an ASCII text file and should be sent to the monitoring team for interpreting the SNMP information from the Policy Server.  The MIB is located at:

<SiteMinder Home Directory>/mibs/NetegritySNMP.mib

Refer to the Policy Server Administration Guide for details on all the SNMP information provided by SiteMinder.

SNMP Base Configuration

While SNMP support can be configured manually, the Policy Server Configuration Wizard will be used to enable SNMP support.  By default port 161 and 8001 must be open on the box for the SNMP Master and Sub-agent.  This post assumes that you can the ability to become root on the server.

To configure SNMP:

  1. Log in to the Policy Server using ssh
  2. Become root: >sudo su - root
  3. Source the ca_ps_env: >source <SiteMinder Home Directory>/ca_ps_env.ksh
  4. Run the Policy Server Configuration Wizard: ><SiteMinder Home Directory>/ca-ps-config.sh -i console
  5. When the wizard loads select 3 to configure SNMP support
  6. Review the Pre-Configuration Summary and Press <Enter> to continue (I have installed to /opt/SiteMinder)
  7. The wizard configures SNMP support for the Policy Server
  8. At the SNMP Configured message press <Enter> to accept the message
  9. At the Installation Complete message press <Enter> to exit the installers

The base components for SNMP support have now been configured.  The SNMP Master Agent, SNMP Sub-Agent and Policy Server must be restarted after the configuration is completed.  See below for details on stopping and starting the SNMP Master and Sub-Agent.  The Master SNMP Agent must be restarted as root.  The Sub-Agent can also be started as root.  The Policy Server should be stopped/started as the SiteMinder user.

SNMP Agent Configuration

Once the Policy Server Configuration Wizard completes the SNMP configuration, the server should be set up with the values specific to your implementation.  The wizard configured the SiteMinder SNMP files at <SiteMinder Home Directory>/etc/snmp/conf and modified the snmpd.conf system file at /etc/snmp to include the line:

proxy -c public -v 1 localhost:8001 .1.3.6.1.4.1.2552

To change the SNMP community string to something besides public:

  1. Log into the Policy Server through ssh
  2. Become root: sudo su - root
  3. Edit the snmpd.conf file: vi /etc/snmp/snmpd.conf
  4. Go to the end of the file
  5. Edit the “-c” parameter to change the value from “public” to the desired community string
  6. Save the file

The SNMP sub-agent uses port 8001 to listen for SNMP requests.  To change the local port that the SiteMinder SNMP sub-agent is using:

  1. Log into the Policy Server through ssh
  2. Become root: sudo su - root
  3. Edit the SiteMinder RunSubagent.sh file at: >vi <SiteMinder Home Directory>/etc/snmp/conf/RunSubagent.sh
  4. Change the following line to the desired port: AGENTPORT=8001
  5. Save the file
  6. Edit the snmpd.conf file: >vi /etc/snmp/snmpd.conf
  7. Go to the end of the file
  8. Edit the “localhost:8001” parameter to the port specified in step 4 above
  9. Save the file

The SNMP Master and Sub-Agent must be restarted for these changes to take effect.

SNMP Trap Configuration SiteMinder can send SNMP Traps (alerts) when certain events happen on the Policy Server. These traps are received by the configured NMS and processed according to the rules configured within that system. The following traps can be generated:

Event Name

  • serverInit
  • serverUp
  • serverDown
  • serverInitFail
  • dbConnectionFailed
  • ldapConnection-Failed
  • logFileOpenFail
  • agentConnection-Failed
  • authReject
  • validateReject
  • azReject
  • adminReject
  • objectLoginReject
  • objectFailedLogin AttemptsCount
  • emsLoginFailed
  • emsAuthFailed

Enabling SNMP Traps is broken down into three steps:

  1. Enable SNMP event trapping
  2. Configure the SNMP Trap Config file
  3. Restart the Policy Server

Enable SNMP Event Trapping The XPSConfig utility is used to enable the SNMP trap event handler.  The library, libeventsnmp.so, is used to generate SNMP traps.  The library is located at:

<SiteMinder Home Directory>/lib

The library needs to be added to the XPSAudit list. Use the following steps to add the event handler:

  1. Log into the Policy Server through ssh
  2. Become the SiteMinder user
  3. Enter the following command: >XPSConfig
  4. The XPS Configuration utility starts
  5. At the Products menu enter: XPS
  6. Press <Enter>
  7. Enter 5 for the AuditSMHandlers option and press <Enter>
  8. The Audit Handler option menu appears
  9. Enter the following option to add the SNMP Trap library: C
  10. Press <Enter>
  11. Enter the following path to the SNMP Trap library (if there is an existing value keep, enter the existing value again and enter a comma before adding the SNMP Trap library): <SiteMinder Home Directory>/lib/libeventsnmp.so
  12. Press <Enter>
  13. The settings for the event handler libraries appear. The value you added is shown at the bottom of the settings as a "pending value."
  14. Enter the Option: Q
  15. Enter the Option: Q
  16. Quit XPSConfig by entering: Q

Your changes are saved and the command prompt appears.

Configure the SNMP Trap Config File You configure the SiteMinder SNMP Trap Event Manager by defining the event in the Event Configuration File, <SiteMinder Home Directory>/config/snmptrap.conf, which defines what events are to be processed and the addresses of the Network Management System to which the traps should be sent.

The snmptrap.conf is an editable ASCII file, with a simple one line per event syntax:

Event Name               Destination Address             Community String

Event_Name: The name of a MIB event object (or a comma-separated group of names of event objects).

Destination_Address: The address of the Network Management System (or a comma-separated group of the addresses) to which generated traps should be sent. Each address should be of the form:

HostID:port

HostID (mandatory): Either a hostname or IP address

Port (optional): IP port number (default is 162)

Community String (optional): An SNMP community. Note that if community is specified, Port must also be specified.  The default value is public.

To configure the snmptrap.conf file:

  1. Log in to the Policy Server using ssh
  2. Switch to the SiteMinder user
  3. Edit the SNMP Trap Config file: >vi <SiteMinder Home Directory>/config/snmptrap.conf
  4. Uncomment the lines for any desired traps
  5. Specify the IP Address, port number, and community for where you want the trap to be sent
  6. Save the snmptrap.conf file
  7. Restart the Policy Server

Stopping and Starting the SNMP Master and Sub-Agent In order for the SNMP configurations changes to take effect, you need to stop and restart the Policy Server using the Status tab of the Policy Server Management Console.  Additionally, the SNMP Master and Sub-Agents should be restarted when there are changes to the SNMP configuration.  The server start-up scripts should be modified to automatically start the Master and Sub-Agent.

Stopping and Starting the SNMP Master Agent To stop the SNMP Master Agent:

  1. Log in to the Policy Server using ssh
  2. Switch to root:  sudo su - root
  3. Go to the /etc/init.d directory: >cd /etc/init.d
  4. Type the command: >./snmpd stop
  5. The following message is resturn: Stopping snmpd:                                            [  OK  ]

The Master Agent stops.

To start the SNMP Master Agent:

  1. Log in to the Policy Server using ssh
  2. Switch to root:  sudo su - root
  3. Go to the /etc/init.d directory: >cd /etc/init.d
  4. Type the command: >./snmpd start
  5. The following message is resturn: Starting snmpd:                                            [  OK  ]

The Master Agent starts.

Stopping and Starting the SiteMinder SNMP Sub-Agent To stop the SiteMinder SNMP Sub-Agent:

  1. Log in to the Policy Server using ssh
  2. Become root: >sudo su - root
  3. Source the ca_ps_env: >source <SiteMinder Home Directory>/ca_ps_env.ksh
  4. Change to the SiteMinder snmp directory: >cd <SiteMinder Home Directory>/etc/snmp/conf
  5. Type the following command: >./StopSubagent.sh

The SiteMinder SNMP Sub-Agent stops.

To start the SiteMinder SNMP Sub-Agent:

  1. Log in to the Policy Server using ssh
  2. Become root: >sudo su - root
  3. Source the ca_ps_env: >source <SiteMinder Home Directory>/ca_ps_env.ksh
  4. Change to the SiteMinder snmp directory: >cd <SiteMinder Home Directory>/etc/snmp/conf
  5. Type the following command: >./RunSubagent.sh &

The SiteMinder SNMP Sub-Agent starts