Layer7 Access Management

CA Access Gateway Performance Monitoring: Even Simpler Than 1-2-3

By Jason_Wilcox posted 05-31-2018 12:23 PM

  

As a senior architect with CA Services, I collaborate with a lot of customers on their security environments. Lately, I’ve noticed that CA Access Gateway (formerly CA Secure Proxy Server), which is a component of CA Single Sign-On (CA SSO), is quickly becoming the mechanism of choice for enforcing CA SSO policies. Not only does it allow our customers to consolidate agents, which makes it easier for them to manage their environments, but it’s also their platform of choice for extending CA SSO’s functionality.

 

While our traditional CA SSO Web Agents continue to receive updates to support new platforms and ensure the security of customer environments, CA Access Gateway has seen enhancements like authentication and authorization web services, integration with Office 365, a purpose-built STS, enhanced session assurance, and most recently, services that support OAuth- and OIDC-based applications.

 

CA Access Gateway’s growing value makes it more and more important to monitor it, ensure that its performance meets SLAs, and see that it delivers the optimal customer experience. For years, CA Application Performance Management (CA APM) customers have had the benefit of an APM product that can be integrated with and is specifically dedicated to CA SSO. What has been a well-kept secret (one I’m determined to spread the word about) is that all the way back to version 12.5, CA Access Gateway could natively integrate with CA APM.

 

While CA SSO Policy Server and agents need a plug-in, CA Access Gateway only needs to point to an EP agent application to report base web agent statistics, including:

  • User and resource caching
  • Bad and expired cookie hits
  • Bad URL and cross-site scripting hits
  • Standard web agent operations (Is Protected, Authorize, Validate, Logon)

 

These statistics are great for understanding the web agent side of Access Gateway, but we also need to understand the proxy’s other operations. So with this integration, CA APM can also report on:

  • The number of proxy rules files
  • SPS wait time
  • Average HTTP client time
  • Average Java web agent time
  • Average post-agent session write
  • Average proxy rule filter time
  • Average session discovery time
  • Average response time from back-end servers

 

It’s Even Simpler Than 1-2-3

Enabling the built-in monitor is as simple as a two-line change in the server.conf, where you will find the configuration fragment:

    <metric-reporter name="WilyMetricReporter">
        class="com.ca.proxy.monitor.wily.WilyMetricReporter"
        enabled="no"
        endpoint="http://localhost:8886"
    </metric-reporter>

1.   Change enabled="no" to enabled="yes"

2.   Change endpoint="http://localhost:8886" to endpoint="http://<EPAgent Endpoint>"

 

The endpoint can be any EP agent, although pointing it to a local EP agent also gives you the rest of the local machine data. After a restart, your Enterprise Manager will show performance and health data from CA Access Gateway. This enables you to baseline your performance, build alerts, and integrate the data into your performance management plans.

 

Inquiring minds want to know: Do you use APM for monitoring your CA Single Sign-On environment? If not, does it sound like a clever idea, or do you have a better idea? Let us know your thoughts!


Comments

02-05-2019 01:12 PM

We have configured the SSO Proxy Server metrics here at NFCU, and I am trying to find a document that describes these metrics.  I see in the earlier posts that a document describing the metrics didn't exist, so my question is - does one exist now?  And if so where can I find it?  Thanks.

12-21-2018 03:37 PM

Thank you very much Jason,

 

I have modified the port number correctly and restarted the server. Now it’s working well.

 

Thanks & Regards,

Venkat,

Enterprise Monitoring Team.

12-21-2018 03:27 PM


Hi Venkat,

This is really a very simple implementation so it shouldn't take much time to troubleshoot.

  • The first thing I would do is verify your settings a 10th time (I'm sure you've validated several times by now).
  • Ensure that the port you have defined in the server.conf is the port that the EPAgent is running on.
  • From the access gateway server, can you telnet to the servername and port that you have defined in the server.conf? We want to make sure that if you put http://servername:port, the servername is resolving to itself properly.
  • Finally, take a look at the server.log and see if you see any errors relating to posting the stats.

 

Let's start there and see what the results are.
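
The first three checks above, run against the server.conf fragment from the article, as an added example that is not part of the original comment or of CA's tooling. The function names and the sample configuration are constructed for illustration, and the TCP connect stands in for the telnet test.

```python
import re
import socket
from urllib.parse import urlparse

# Constructed sample: the article's fragment after step 1, endpoint at its default.
SAMPLE_CONF = """
<metric-reporter name="WilyMetricReporter">
    class="com.ca.proxy.monitor.wily.WilyMetricReporter"
    enabled="yes"
    endpoint="http://localhost:8886"
</metric-reporter>
"""

BLOCK_RE = re.compile(
    r'<metric-reporter\s+name="WilyMetricReporter"\s*>(.*?)</metric-reporter>', re.S)
PAIR_RE = re.compile(r'^[ \t]*([\w-]+)[ \t]*=[ \t]*"([^"]*)"', re.M)

def reporter_settings(conf_text):
    """Return the key="value" pairs inside the WilyMetricReporter block, or None."""
    block = BLOCK_RE.search(conf_text)
    return dict(PAIR_RE.findall(block.group(1))) if block else None

def check_reporter(conf_text, timeout=3.0):
    """Return a list of problems; an empty list means every check passed."""
    settings = reporter_settings(conf_text)
    if settings is None:
        return ["no WilyMetricReporter block found"]
    problems = []
    if settings.get("enabled") != "yes":
        problems.append('enabled is not "yes"')
    endpoint = settings.get("endpoint", "")
    if "<" in endpoint:
        return problems + ["endpoint still contains a placeholder"]
    try:
        url = urlparse(endpoint)
        host, port = url.hostname, url.port or (443 if url.scheme == "https" else 80)
    except ValueError:
        return problems + [f"endpoint is not a valid URL: {endpoint!r}"]
    if url.scheme not in ("http", "https") or not host:
        return problems + [f"endpoint is not a valid URL: {endpoint!r}"]
    try:  # same question as the telnet test: does name:port accept a connection?
        with socket.create_connection((host, port), timeout=timeout):
            pass
    except OSError as exc:
        problems.append(f"cannot connect to {host}:{port} ({exc})")
    return problems

if __name__ == "__main__":
    for line in check_reporter(SAMPLE_CONF) or ["reporter enabled, endpoint reachable"]:
        print(line)
```

Run it on the Access Gateway host itself so that name resolution and routing match what the proxy sees; the server.log check still has to be done by hand.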

12-17-2018 05:40 PM

Hi Jason,

 

I have installed EPAgent on Secure Proxy servers and it's up and running. But it's reporting only EPAgent host metrics; it isn't reporting SPS server metrics.

 

I have followed your document and enabled the above configuration in the server.conf file.

 

 

Thanks,

Venkat.

11-28-2018 03:04 PM

Is there a way to measure the below parameters on SPS or does it report these metrics in particular already?

1. The number of threads opened by Apache

2. Connection pool size of proxy engine.

3. Number of ajp13 threads

4. Number of connections to Policy server, response time for requests to policy server

[User] ----> [SPS (Apache ---> mod_jk ---> Tomcat Proxy-Engine)] ---> PolicyServer or Backend Web/App Servers

11-27-2018 01:04 PM

Glad to hear you are using it Greg.

There isn't a doc that really explains them, but I agree that would be very helpful. Let me take this back to the team and see if there is more info we could put in the documentation or if there is a technote that can be put together.

 

J

11-27-2018 12:57 PM

Good information, Jason.  We are using the integration.  Just wondering if there is a document that would describe what the metrics are actually measuring, like "Average Java web agent time"?

06-29-2018 11:08 AM

Thanks for the info, Jason.

06-28-2018 12:09 PM

Hi Shrikanth,

The SSO Agent portions of the data are available via SNMP through the existing SSO SNMP support. The internals of the Access Gateway aren't exposed except via the integration with APM.

That being said, the integration with APM is simply posting a JSON message to a listener on the EPA Agent. If you have another source that could accept the post and parse the JSON body, you could still extract that data and utilize it.

 

Hope that helps!! 
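
A minimal listener of the kind described above, as an added example that is not part of the original comment or of CA's code. It binds to loopback, caps the body size, and flattens whatever JSON arrives, because the page does not document the message schema; the names MetricSink, flatten and start_sink are hypothetical, and 8886 is the default endpoint port from the article's fragment.

```python
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

MAX_BODY = 1 << 20  # refuse request bodies larger than 1 MiB

def flatten(node, prefix=""):
    """Flatten any JSON value into {path: leaf}; no message schema is assumed."""
    if isinstance(node, dict):
        items = node.items()
    elif isinstance(node, list):
        items = enumerate(node)
    else:
        return {prefix: node}
    flat = {}
    for key, value in items:
        flat.update(flatten(value, f"{prefix}/{key}" if prefix else str(key)))
    return flat

class MetricSink(BaseHTTPRequestHandler):
    received = []  # one flattened dict per accepted POST, newest last

    def do_POST(self):
        try:
            length = int(self.headers.get("Content-Length", "0"))
        except ValueError:
            length = 0
        if not 0 < length <= MAX_BODY:
            self.send_error(400, "missing or oversized body")
            return
        try:
            doc = json.loads(self.rfile.read(length))
        except ValueError:  # covers invalid JSON and invalid UTF-8
            self.send_error(400, "body is not JSON")
            return
        MetricSink.received.append(flatten(doc))
        self.send_response(200)
        self.end_headers()

    def log_message(self, fmt, *args):  # keep the console quiet
        pass

def start_sink(port=0):
    """Serve on loopback only; port 0 lets the OS pick a free port."""
    server = HTTPServer(("127.0.0.1", port), MetricSink)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

if __name__ == "__main__":
    start_sink(8886)  # default endpoint port in the article's fragment
    threading.Event().wait()  # block until interrupted
```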

06-28-2018 11:49 AM

Hi Jason,

Good info. Completely agree that CA Access Gateway is becoming a very important part of CA SSO env and must be monitored.

 

I was wondering if similar performance metrics (of access gateway) can be configured using the SNMP protocol and sent over to a performance monitoring tool?

If so, does CA have any documentation or article shedding light on this?

Thanks!