As a senior architect with CA Services, I collaborate with a lot of customers on their security environments. Lately, I’ve noticed that CA Access Gateway (formerly CA Secure Proxy Server), which is a component of CA Single Sign-On (CA SSO), is quickly becoming the mechanism of choice for enforcing CA SSO policies. Not only does it allow our customers to consolidate agents, which makes it easier for them to manage their environments, but it’s also their platform of choice for extending CA SSO’s functionality.
While our traditional CA SSO Web Agents continue to receive updates to support new platforms and ensure the security of customer environments, CA Access Gateway has seen enhancements like authentication and authorization web services, integration with Office 365, a purpose-built STS, enhanced session assurance, and most recently, services that support OAuth- and OIDC-based applications.
CA Access Gateway’s growing value makes it more and more important to monitor it, ensure that its performance meets SLAs, and see that it delivers the optimal customer experience. For years, CA Application Performance Management (CA APM) customers have had the benefit of an APM product that can be integrated with and is specifically dedicated to CA SSO. What has been a well-kept secret (one I’m determined to spread the word about) is that all the way back to version 12.5, CA Access Gateway could natively integrate with CA APM.
While CA SSO Policy Server and agents need a plug-in, CA Access Gateway needs to point to an EP agent application to report base web agent statistics, including:
- User and resource caching
- Bad and expired cookie hits
- Bad URL and cross-site scripting hits
- Standard web agent operations (Is Protected, Authorize, Validate, Logon)
These statistics are great for understanding the web agent side of Access Gateway, but we also need to understand the proxy’s other operations. So with this integration, CA APM can also report on:
- The number of proxy rules files
- SPS wait time
- Average HTTP client time
- Average Java web agent time
- Average post-agent session write
- Average proxy rule filter time
- Average session discovery time
- Average response time from back-end servers
It’s Even Simpler Than 1-2-3
Enabling the built-in monitor is as simple as a two-line change in the server.conf, where you will find the configuration fragment:
1. Change enabled="no" to enabled="yes"
2. Change endpoint="http://localhost:8886" to endpoint="http://<EPAgent Endpoint>"
The endpoint can be any EP agent, although pointing it to a local EP agent would give you the rest of the local machine data. Upon restart, your enterprise manager will give performance and health data from CA Access Gateway. This enables you to baseline your performance, build alerts, and integrate the data into your performance management plans.
Inquiring minds want to know: Do you use APM for monitoring your CA Single Sign-On environment? If not, does it sound like a clever idea, or do you have a better idea? Let us know your thoughts!