Symantec IGA

 View Only

IM Health Checks - Examples - Outline and Processes - Including Outputs (Presentation & Doc)

  • 1.  IM Health Checks - Examples - Outline and Processes - Including Outputs (Presentation & Doc)

    Posted Nov 10, 2015 07:11 PM



    I have been involved with several health checks for the IM/SM solutions and would like to provide guidance on what has worked well.



    1. Interviews
      1. 1 hour
      2. Top ten issues/concerns
    2. Infrastructure
      1. Data Tier (Dir/DB)
      2. Mid-Tier (IMPS/SMPS)
      3. J2EE-Tier (JBoss)
      4. Presentation Tier – (WS/SMWA)
    3. Business Logic
      1. Technology / Solution
        1. IM (OOTB-IdP/PX/MX)
        2. IM (Custom – BLTH/LAH/EL)
        3. IM (WebServices-External)
        4. IM –(PR/AT/CX/CX-OB)
        5. Data Flows
      2. People & Processes
    4. Output
      1. Summary / Table(s) / PPT
        1. List of Errors
        2. Impacts (Hi/Med/Low)
        3. Priorities
        4. Resolution Steps Recommendations
      2. Presentation
        1. Executive Summary
        2. Above info
        3. Additional Recommendations
          1. Include Training Recommendations (formal/informal) for R&O Business Analysts & Technical Analysts
        4. Knowledge transfer
        5. Supporting Artifacts.
          1. Logs
          2. Screen Shots
          3. Delta Files







      • - Review Current Logs 
        • Capture ANY ERRORS
          • NO ERRORS is the goal
        • Create spreadsheet with
          • item #, label (short descriptive), priority (1-3), impact (hi-med-low), description of error, how to resolve/next steps (include date stamp & initials of updates), ownership (CA or customer)
      • - Delta between configuration of peer servers
        • Zip/tar folders on peer servers
        • Download to workstation
          • Have customer upload to a CA Support Ticket
            • Open the CA Support Ticket with the label “Files for Services”, level 4
            • If unable to open on web, call into support to have the “Support Help Desk open the ticket, level 4"
              • Need the customer siteID.   (Use SalesForce to lookup if unknown or prior support tickets)
        • Use tool BeyondCompare to isolate the deltas in configuration files
          • Disable the default switches of “date/size” checks; use Rule/CRC check only of the body/contents of files.
            • This will eliminate false positives.
        • Update date spreadsheet of errors; of mis-configurations; include hostname and data path to configuration files in description
      • - Delta between userstores  (IMCD / IMPD)
        • Follow information provided in this link
        • To dump immediately, uncomment the below line; and issue acommand: VERY Useful
          • NOTE:  This process must happen at near same time on ALL Directory Servers
            • Assuming using CA Directory not only for IMPD (IM provisioning directory) but IMCD (IM corporate directory/aka IM userstore)
              • Use putty/ssh to open N number of windows; and su – dsa
              • Prepare the system with the update of dump dxgrid-db; in a settings file (use existing or new settings file)
              • Issue the dxserver intial all on ALL servers at once, this will ensure the “snapshot” is very close in time with minimal deltas.
                • Other approach is to use time setting of dump dxgrid-db; but the value-to-time for “health check” is minimal with this approach; avoid “waiting”.
        • Create LDIF extract with dxdumpdb command AND the –z switch
          • Example
          • dxdumpdb -z -f %datestr%_%COMPUTERNAME%-impd-main.ldif  %COMPUTERNAME%-impd-main
        • Use ldifdelta command between peer LDIF extract to identify deltas.
          • su – dsa  (if on unix; or navigate to DXHOME\dxserver\bin folder)
            • -x ignore DSA “housekeeping / operations attributes”
            • -v verbose
            • Download LDIF output/extract to workstation and review DELTAS
              • < 100 lines -  minimal out-of-sync
              • > 100 lines - Need to schedule a sync if the attribute in question are passwords hashes or other high priority attributes
                • Sync may be done through normal use-case; e.g. last update “wins”; and would update both systems.
                • > 1000 lines -  Need to schedule a DSA sync as recommendation
                  • Review for out-of-sync password hashs
                  • Review for out-of-sync access (PR names)
      • - Extract Business Logic from IM  (Higher Value; Longer time to value;  Not priority at this time)
        • Follow the information in this link.
        • Use IM Management Console to extract ZIP file.
        • Use Notepad++ or other tools to pull and separate the IdP/PX/MX Rules
        • Place these objects in a spreadsheet table and order them by their “TRIGGER” (aka IM TASKNAME) and order of execution.
        • Review for any PX that uses MODIFY EVENT or has conflicts.
        • Create data model for process flows.
      • - Database Performance
        • Work with customer’s DBA team and IDM team to schedule 1 hour period to capture snapshot of time of queries/updates to execute.
        • Identify and isolate those queries/updates that take longer than 100msec.
        • Next Steps:  determine missing if any indexes or I/O relocation of disks for dB
        • Ensure TP table’s row count is < 100,000.
          • Ensure TP Clean Task is executing every day with NO issues, e.g. duplicate records.
      • SM (SiteMinder) Integration
        • Validate IM Library files is deployed on all SM Policy Servers under 3rdparty libraries folder
          • Including update to sm.registry
        • Capture full XPSExport  -xb  -npass -vT   XPSExport_xb_npass_vT__SM_and_IM_integration_prior_to_any_work.xml
        • Perform the same export on prior environments to compare. 
        • Compare Tool:   CA Community Site:  SM PolicyReader.  (by Mark O'Donohue)
      • - Validate Load Balancing
        • Data Tier
          • Use Jxplorer; (or similar tool)
          • Open session to ALL Directory Servers and navigate to one user account.
          • Update one attribute on one user account
          • Observe that the attribute was updated on ALL servers
          • Re-execute the test from all servers; to ensure Multi-Write is working for the “peer” group.
        • J2EE Tier
          • Use IM User Console using the J2EE Port (not the web server or VIP addresses) on ALL J2EE servers.
          • Ensure the browser is USING INCOGNITO WINDOW (PRIVATE MODE) (to avoid sharing sessions) or use different browsers (IE/FF/Chrome/Opera/etc.)
            • Chrome (control shift N)
            • IE / FF (control shift P)
            • Navigate to a IM Admin Task / IM Admin Role Screen
            • Update / Create a IM Admin Task / IM Admin Role
            • Use the other browsers to search and observe the updated object.
              • This ensure the J2EE JMS queue was working and the other J2EE are aware to go look up entries in the ObjectStore instead of relying on cache entries.
      • - Performance
        • This is out-of-scope for this session.
        • Directory Tier
          • CA Dxsoak (ldap)
            • DSA format
          • Open Source Jmeter (ldap)
            • DSA format
        • Mid Tier (IMPS)
          • TCP 20389/20390 (ldap)
            • GU format
        • J2EE Tier
          • Open Source Jmeter (http)
          • HP LoadRunner (http)







      Automation (backup):


      Will update later with additional info