Team,
I have been involved with several health checks for the IM/SM solutions and would like to provide guidance on what has worked well.
- Interviews
  - 1 hour
  - Top ten issues/concerns
- Infrastructure
  - Data Tier (Dir/DB)
  - Mid-Tier (IMPS/SMPS)
  - J2EE-Tier (JBoss)
  - Presentation Tier (WS/SMWA)
- Business Logic
- Technology / Solution
  - IM (OOTB - IdP/PX/MX)
  - IM (Custom - BLTH/LAH/EL)
  - IM (WebServices - External)
  - IM (PR/AT/CX/CX-OB)
- Data Flows
- People & Processes
- Output
  - Summary / Table(s) / PPT
    - List of Errors
    - Impacts (Hi/Med/Low)
    - Priorities
    - Resolution Steps Recommendations
  - Presentation
    - Executive Summary
    - Above info
    - Additional Recommendations
      - Include Training Recommendations (formal/informal) for R&O Business Analysts & Technical Analysts
      - Knowledge transfer
  - Supporting Artifacts
    - Logs
    - Screen Shots
    - Delta Files
Processes:
- Review Current Logs
  - Capture ANY ERRORS
  - Create a spreadsheet with: item #, label (short descriptive), priority (1-3), impact (hi-med-low), description of error, how to resolve/next steps (include date stamp & initials of updates), ownership (CA or customer)
- Delta between configuration of peer servers
  - Zip/tar folders on peer servers
  - Download to workstation
  - Have the customer upload to a CA Support Ticket
    - Open the CA Support Ticket with the label "Files for Services", level 4
    - If unable to open on the web, call into support to have the Support Help Desk open the ticket, level 4
    - Need the customer siteID (use SalesForce or prior support tickets to look it up if unknown)
  - Use the BeyondCompare tool to isolate the deltas in configuration files
    - Disable the default "date/size" check switches; use the Rule/CRC check only on the body/contents of the files. This will eliminate false positives.
  - Update the spreadsheet of errors/mis-configurations; include the hostname and the data path to the configuration files in the description
- Delta between userstores (IMCD / IMPD)
  - Follow the information provided in this link: https://communities.ca.com/thread/101745203
    - To dump immediately, uncomment the below line and issue a command: VERY useful
  - NOTE: This process must happen at nearly the same time on ALL Directory Servers
  - Assuming CA Directory is used not only for IMPD (IM provisioning directory) but also for IMCD (IM corporate directory, aka IM userstore)
  - Use putty/ssh to open N windows, and su - dsa
  - Prepare the system with the update of dump dxgrid-db; in a settings file (use an existing or a new settings file)
  - Issue dxserver init all on ALL servers at once; this will ensure the "snapshot" is very close in time, with minimal deltas.
  - Another approach is to use the time setting of dump dxgrid-db; but the value-to-time for a "health check" is minimal with this approach; avoid "waiting".
  - Create an LDIF extract with the dxdumpdb command AND the -z switch
    - Example: dxdumpdb -z -f %datestr%_%COMPUTERNAME%-impd-main.ldif %COMPUTERNAME%-impd-main
  - Use the ldifdelta command between peer LDIF extracts to identify deltas.
    - su - dsa (if on Unix; or navigate to the DXHOME\dxserver\bin folder)
    - ldifdelta -x -v DSA_NAME_HERE #1_HOSTNAME_LDIF_FILE_NAME_HERE.ldif #2_HOSTNAME_LDIF_FILE_NAME_HERE.ldif DELTA_BETWEEN_HOSTNAME_#1_AND_#2_HERE.ldif
      - -x: ignore DSA "housekeeping / operational attributes"
      - -v: verbose
  - Download the LDIF output/extract to the workstation and review the DELTAS
    - < 100 lines: minimal out-of-sync
    - > 100 lines: need to schedule a sync if the attributes in question are password hashes or other high-priority attributes
      - Sync may be done through the normal use-case, e.g. last update "wins", which would update both systems.
    - > 1000 lines: need to schedule a DSA sync as the recommendation
    - Review for out-of-sync password hashes
    - Review for out-of-sync access (PR names)
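As an added example (not from this note and not CA's ldifdelta tool), the script below does the same review on two peer LDIF dumps: it skips housekeeping attributes the way the -x switch does, counts the remaining deltas, and applies the thresholds above, flagging password-hash and PR-name differences. The attribute-name sets and the two sample dumps are constructed assumptions, not CA Directory schema.

```python
import base64
# Assumed attribute sets (not CA Directory specifics): housekeeping attrs -x skips, hash attr, PR-name attr.
OPERATIONAL = {"createtimestamp", "modifytimestamp", "creatorsname", "modifiersname"}
PASSWORD_ATTRS = {"userpassword"}
ACCESS_ATTRS = {"provisioningrolename"}

def parse_ldif(text):
    """Return {dn: {attr: set(values)}}; unfolds continuation lines, decodes '::' base64."""
    entries, cur, dn = {}, {}, None
    for line in text.replace("\n ", "").splitlines() + [""]:   # "" flushes the last entry
        if not line.strip():                                     # blank line ends an entry
            if dn:
                entries[dn] = cur
            cur, dn = {}, None
            continue
        name, sep, val = line.partition(":")
        if not sep or line.startswith("#"):
            continue
        if val.startswith(":"):                                  # "::" marks a base64 value
            val = base64.b64decode(val[1:].strip()).decode("utf-8", "replace")
        name, val = name.lower(), val.strip()
        if name == "dn":
            dn = val.lower()
        else:
            cur.setdefault(name, set()).add(val)
    return entries

def ldif_delta(a, b):
    """(dn, attr) pairs whose values differ between two dumps, ignoring OPERATIONAL."""
    diffs = []
    for dn in sorted(set(a) | set(b)):
        ea, eb = a.get(dn, {}), b.get(dn, {})
        diffs += [(dn, attr) for attr in sorted((set(ea) | set(eb)) - OPERATIONAL)
                  if ea.get(attr, set()) != eb.get(attr, set())]
    return diffs

def triage(diffs):
    """Apply the note's thresholds, counting each differing attribute as one delta line."""
    n = len(diffs)
    pw = sum(attr in PASSWORD_ATTRS for _, attr in diffs)
    pr = sum(attr in ACCESS_ATTRS for _, attr in diffs)
    verdict = ("schedule DSA sync" if n > 1000 else
               "schedule sync" if n > 100 and (pw or pr) else
               "review deltas" if n > 100 else "minimal out-of-sync")
    return {"deltas": n, "password_hashes": pw, "access": pr, "verdict": verdict}

# Constructed sample dumps from two peers; only the timestamp and one hash differ.
SERVER_A = ("dn: uid=u1,ou=People,o=corp\nuserPassword:: e1NIQX1oYXNoQQ==\n"
            "provisioningRoleName: PR-Finance\nmodifyTimestamp: 20200101000000Z\n")
SERVER_B = SERVER_A.replace("QQ==", "Qg==").replace("20200101", "20200102")
```

Run it as `triage(ldif_delta(parse_ldif(SERVER_A), parse_ldif(SERVER_B)))`; on real dumps the timestamp difference is ignored and only the hash mismatch is counted.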
- Extract Business Logic from IM (higher value; longer time to value; not a priority at this time)
  - Follow the information in this link: https://communities.ca.com/thread/98226131
  - Use the IM Management Console to extract the ZIP file.
  - Use Notepad++ or other tools to pull out and separate the IdP/PX/MX rules
  - Place these objects in a spreadsheet table and order them by their "TRIGGER" (aka IM TASKNAME) and order of execution.
  - Review for any PX that uses MODIFY EVENT or has conflicts.
  - Create a data model for the process flows.
- Database Performance
  - Work with the customer's DBA team and IDM team to schedule a 1-hour period to capture a snapshot of the time queries/updates take to execute.
  - Identify and isolate those queries/updates that take longer than 100 msec.
  - Next steps: determine missing indexes (if any) or I/O relocation of disks for the DB
  - Ensure the TP table's row count is < 100,000.
  - Ensure the TP Clean Task is executing every day with NO issues, e.g. duplicate records.
- SM (SiteMinder) Integration
  - Validate the IM library files are deployed on all SM Policy Servers under the 3rdparty libraries folder
    - Including the update to sm.registry
  - Capture a full XPSExport -xb -npass -vT XPSExport_xb_npass_vT__SM_and_IM_integration_prior_to_any_work.xml
    - Perform the same export on prior environments to compare.
    - Compare tool: CA Community Site: SM PolicyReader (by Mark O'Donohue), SMPolicyReader-4_0-ALPHA-316_bin.zip
- Validate Load Balancing
  - Data Tier
    - Use Jxplorer (or a similar tool)
    - Open a session to ALL Directory Servers and navigate to one user account.
    - Update one attribute on that user account
    - Observe that the attribute was updated on ALL servers
    - Re-execute the test from all servers to ensure Multi-Write is working for the "peer" group.
  - J2EE Tier
    - Use the IM User Console via the J2EE port (not the web server or VIP addresses) on ALL J2EE servers.
    - Ensure the browser is USING AN INCOGNITO WINDOW (PRIVATE MODE) (to avoid sharing sessions), or use different browsers (IE/FF/Chrome/Opera/etc.)
      - Chrome (Ctrl+Shift+N)
      - IE / FF (Ctrl+Shift+P)
    - Navigate to an IM Admin Task / IM Admin Role screen
    - Update / create an IM Admin Task / IM Admin Role
    - Use the other browsers to search for and observe the updated object.
    - This ensures the J2EE JMS queue is working and the other J2EE servers know to look up entries in the ObjectStore instead of relying on cache entries.
- Performance
  - This is out-of-scope for this session.
  - Directory Tier
    - CA Dxsoak (ldap)
    - Open Source JMeter (ldap)
  - Mid Tier (IMPS)
  - J2EE Tier
    - Open Source JMeter (http)
    - HP LoadRunner (http)

Automation (backup):
- Business Logic - IM
- Data Tier - IM

Will update later with additional info.