In production environments, it’s important to ensure proper configuration management is maintained at all times, but troubleshooting some issues requires different levels of logging. In a properly controlled environment, a change request may be needed to increase the logging or enable the profiler. It’s best to minimize any potential human errors or missteps. We often encounter customers who have failed to roll back logging to the production level, which greatly impacts performance and increases disk space utilization. Additionally, changes in the profiler logging format or the content of the logs could impact log aggregation mechanisms.
In this post, we will discuss a couple of tips that can ease the change management burden and ensure that performance is not impacted after troubleshooting has concluded.
Profile Logging Templates
SiteMinder uses smtracedefault.txt in /{SiteMinder_Home}/config/ to control the profiler logging. It monitors any changes to this file and adjusts the logging detail and format based on the contents of the file. This mechanism presents an opportunity to pre-stage profile logging templates and copy the contents to the active template (smtracedefault.txt).
Step 1 – Prepare Empty Template
Make a backup copy of the smtracedefault.txt file. Delete the contents of the original file and save it under a different name such as “sm_profile_logging_off.txt”.
Step 2 — Create Template
Use the SiteMinder management console to create your desired template with situational logging options. For example, create one for troubleshooting federation, LDAP connectivity, and custom SiteMinder code. We recommend extending the existing templates within the console to accelerate this exercise. After creating the desired template, exit the profiler configuration to save the new smtracedefault.txt.
Copy the smtracedefault.txt file to a descriptive name such as “federation_trace.txt”. Repeat the process until you have all of the desired templates.
Step 3 – Turn off Profile Logging using a template
Execute the following command on Linux:
cp -f /{SiteMinder_Home}/config/sm_profile_logging_off.txt /{SiteMinder_Home}/config/smtracedefault.txt
Note: The copy command can also be used on Windows servers; make sure to force the overwrite.
Step 4 — Using the file based templates
Profile logging is turned on, but nothing is being logged because the configuration file is empty. To use one of the previously configured templates, overwrite the default template:
cp -f /{SiteMinder_Home}/config/federation_trace.txt /{SiteMinder_Home}/config/smtracedefault.txt
The policy server is now logging without making any changes within the SiteMinder management console. This eliminates the requirement of having access to an X-Windows client for Linux or Unix-based policy servers in order to change the logging level.
Logging Resources
The following resources are good references for configuring SiteMinder logging.
CA-SSO Policy Server Logging Procedure: https://community.broadcom.com/enterprisesoftware/blogs/gwanyu-kim/2019/05/29/tech-tip-policy-server-loggings
[PreciseTime] gives better Graphs & Stats with SMTraceAnalysisTool: https://community.broadcom.com/enterprisesoftware/browse/blogs/blogviewer?BlogKey=fe93308a-4710-41bb-9eb9-f5698f4cdb6d
Automate Logging Deactivation
Create a script or batch file that you can run manually, or use with a scheduler such as crontab, to disable the profiler with the following command:
cp -f /{SiteMinder_Home}/config/sm_profile_logging_off.txt /{SiteMinder_Home}/config/smtracedefault.txt
Note: The copy command can also be used on Windows servers; make sure to force the overwrite.
Using a regularly scheduled task will prevent unnecessary I/O on the policy server if the logging was unintentionally left enabled. If you always use the profiler, you can modify the copy to return to the default settings for your profiler to ensure logging is consistent across servers for log aggregation.
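The scheduled reset described above, written as an idempotent script. This is an added example, not code from the original post or from the SiteMinder product. SM_CONFIG_DIR, SM_BASELINE, the script path in the crontab comment and the ".last" backup name are assumptions; the template file names are the ones used in this post.

```shell
#!/bin/sh
# Added example: idempotent profiler reset for cron (not vendor code).
# SM_CONFIG_DIR and SM_BASELINE are hypothetical variables for this sketch;
# the template file names are the ones used in this post.

# reset_profiler_template CONFIG_DIR [BASELINE_FILE_NAME]
# Prints "unchanged" or "reset"; returns non-zero if a file is missing
# or a copy fails.
reset_profiler_template() {
    cfg_dir=$1
    baseline="$cfg_dir/${2:-sm_profile_logging_off.txt}"
    active="$cfg_dir/smtracedefault.txt"

    if [ ! -f "$baseline" ] || [ ! -f "$active" ]; then
        echo "missing template in $cfg_dir" >&2
        return 2
    fi

    # Leave the file alone when it already matches the baseline, so the
    # policy server does not see a file change on every scheduled run.
    if cmp -s "$baseline" "$active"; then
        echo "unchanged"
        return 0
    fi

    # Keep what was active (hypothetical ".last" name) for the change
    # record, then restore the baseline template.
    cp -f "$active" "$cfg_dir/smtracedefault.txt.last" || return 3
    cp -f "$baseline" "$active" || return 3
    echo "reset"
}

# Run only when a config directory is supplied, for example from crontab:
#   0 * * * * SM_CONFIG_DIR=/path/to/config /usr/local/bin/sm_profiler_reset.sh
# Set SM_BASELINE to a template name to restore a standard profiler
# configuration instead of the empty one.
if [ -n "${SM_CONFIG_DIR:-}" ]; then
    reset_profiler_template "$SM_CONFIG_DIR" "${SM_BASELINE:-}"
fi
```

When run from cron, the "reset" line on standard output shows that a troubleshooting template had been left active, which is worth reconciling against the change request that enabled it.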
If you need assistance with your SiteMinder infrastructure or any Identity and Access Management (IAM) solution, please contact SIS.