A Sample SMSDK Custom Auth that redirects the java stdout and stderr to log files.

Document ID : KB000051837
Last Modified Date : 14/02/2018

Description:

The Custom Auth scheme can turn logging on and off dynamically; while logging, it timestamps the log files and rolls them at a set size. Its main purpose is to assist Java debugging on production systems, where it is often difficult to run the policy server from the command line.

Solution:

Using Custom Auth Scheme to redirect java Stdio

This is a HOWTO document explaining how to redirect the java stdio and stderr within SiteMinder. Often you can run the SiteMinder server smpolicysrv.exe from the command line, and view the stderr and stdout messages there, but sometimes that option is not suitable.

The following redirects stdout and stderr to date/timestamped log files of fixed length.

Included with this distribution is a .zip file containing the needed files and a copy of this documentation, and additional documentation on how to compile the module.

Contents:

Installation
    Copy CustomAuth Jar file
    Edit JVMOptions.txt
Policy Configuration
    Create Start Redirect Custom Auth Scheme
    Create Stop Redirect Custom Auth Scheme
    Create Java Agent
    Create Domain for StdioRedirect
    Create Start Trigger Realm
    Create Stop Trigger Realm
Usage Via SM Test Tool
    Start Redirect
    Stop Redirect
Usage Via Remote Agent API Call
    Installation
    Start Redirect
    Stop Redirect

Installation

Copy CustomAuth Jar file

  • You will need to unzip the provided TEC529675.zip package.

  • From it, copy the RedirectStdOut.jar file to an appropriate location:
    generally <SMInstallRoot>/lib/RedirectStdOut.jar will do

Note: The RedirectStdOut.jar file needs to be recompiled with the specific version of Java and SiteMinder SDK that matches your policy server. The current version is JDK 1.4 and SMSDK 6 SP4 to match the current requirement.

Edit JVMOptions.txt

  • Edit the <SMInstallRoot>/config/JVMOptions.txt file.

  • Check that it has SmJavaApi.jar in the path; it will generally be:
    <SMInstallRoot>\bin\jars\SmJavaApi.jar

  • Add the new RedirectStdio.jar to the -Djava.class.path attribute. The new value can be added anywhere in the path, but make sure the whole attribute is still on a single line after editing.
    -Djava.class.path= .... C:\ca\siteminder\lib\RedirectStdio.jar .....

Policy Configuration

Create Start Redirect Custom Auth Scheme

Name: CustStdioRedirectStart
Library: smjavaapi
Parameter: com.netegrity.sdk.example.redirectstdio.AuthApiSample Start prefix=C:\Test1_ rolloverSize=5000

Note: There is a space between each of the above elements.

The parameters are:

Class to Run: com.netegrity.sdk.example.redirectstdio.AuthApiSample
Command: Start
Prefix for log file: prefix=C:\Test1_
Size to rollover log file: rolloverSize=5000

The first parameter is the command; prefix is the path prefix under which the stdout and stderr files are placed; and rolloverSize is the size at which a log file rolls over.

Figure 1
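
The mechanism behind the Start and Stop commands, as an added example: this is not the code in TEC529675.zip and it does not use the SiteMinder SDK. The class name StdioRedirectSketch, the log file naming and the default values are assumptions; the parameter string has the same shape as the scheme parameter after the class name.

```java
import java.io.*;
// Added illustration only: not the AuthApiSample class shipped in TEC529675.zip.
public class StdioRedirectSketch {
    private static PrintStream origOut, origErr; // saved so Stop can restore them
    // Writes to <prefix><label>_<timestamp>_<seq>.log and starts a new file at maxBytes.
    static class RollingStream extends OutputStream {
        private final String prefix, label;
        private final long maxBytes;
        private OutputStream cur;
        private long written, seq;
        RollingStream(String prefix, String label, long maxBytes) throws IOException {
            this.prefix = prefix; this.label = label; this.maxBytes = maxBytes; roll();
        }
        private void roll() throws IOException {
            if (cur != null) cur.close();
            String ts = new java.text.SimpleDateFormat("yyyyMMdd_HHmmss").format(new java.util.Date());
            cur = new FileOutputStream(prefix + label + "_" + ts + "_" + (seq++) + ".log", true);
            written = 0;
        }
        public synchronized void write(int b) throws IOException {
            if (written >= maxBytes) roll();
            cur.write(b); written++;
        }
        public synchronized void close() throws IOException { cur.close(); }
    }

    // params mirrors the scheme parameter: "Start prefix=... rolloverSize=..." or "Stop".
    public static synchronized void handle(String params) throws IOException {
        String[] tok = params.trim().split("\\s+");
        if (tok[0].equals("Start") && origOut == null) {
            String prefix = "stdio_"; long size = 5000; // hypothetical defaults
            for (int i = 1; i < tok.length; i++)
                if (tok[i].startsWith("prefix=")) prefix = tok[i].substring(7);
                else if (tok[i].startsWith("rolloverSize=")) size = Long.parseLong(tok[i].substring(13));
            PrintStream out = new PrintStream(new RollingStream(prefix, "stdout", size), true);
            PrintStream err = new PrintStream(new RollingStream(prefix, "stderr", size), true);
            origOut = System.out; origErr = System.err;
            System.setOut(out); System.setErr(err);
        } else if (tok[0].equals("Stop") && origOut != null) {
            PrintStream out = System.out, err = System.err;
            System.setOut(origOut); System.setErr(origErr); // restore first, then close the files
            origOut = null; origErr = null; out.close(); err.close();
        }
    }

    public static void main(String[] args) throws IOException {
        handle("Start prefix=redirect_demo_ rolloverSize=200"); // constructed sample parameter
        for (int i = 0; i < 20; i++) System.out.println("constructed sample line " + i);
        handle("Stop");
    }
}
```

The redirected files receive whatever the policy server's Java code prints, so point the prefix at a directory that only the policy server account can read.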

Create Stop Redirect Custom Auth Scheme

Name: CustStdioRedirectStart
Library: smjavaapi
Parameter: com.netegrity.sdk.example.redirectstdio.AuthApiSample Stop

Note: There is a space between each of the above elements.

The parameters are:

Class to Run: com.netegrity.sdk.example.redirectstdio.AuthApiSample
Command: Stop

Figure 2

Create Java Agent

Create an SM 4.x agent type that we can use via the Test Tool or from a Java API call, and enter a password for it.

The parameters are:

Name: Javaagent
Support 4.x Agents: Yes
Hostname: Any
Secret: Any, but remember it

Figure 3

Create Domain for StdioRedirect

Create a domain that is available only to our "javaagent", so it is not visible to any other web server. Any user store can be used; we do not need to log on to it.

The parameters are:

Name: RedirectDomain

Figure 4

Create Start Trigger Realm

The trigger realm is the URL that needs to be hit in order to start the redirecting process.

It will be accessible only via the SM Test Tool or the Java Agent API using the special agent; it will not be available on any other web server.

The parameters are:

Agent: Javaagent
Resource Filter: /startredirecttrigger
Auth Scheme: CustStdioRedirectStart

Figure 5

Create Stop Trigger Realm

The trigger realm is the URL that returns logging back to normal.

The trigger realm is the URL that needs to be hit in order to start the redirecting process.

It will be accessible only via the SM Test Tool or the Java Agent API using the special agent; it will not be available on any other web server.

The parameters are:

Agent: Javaagent
Resource Filter: /stopredirecttrigger
Auth Scheme: CustStdioRedirectStop

Figure 6

Usage Via SM Test Tool

Start Redirect

Using the SMTest tool, connect the agent to the policy server using the Java agent parameters.

The parameters are:

Agent: javaagent
Secret: <as before>
Resource Filter: /startredirecttrigger/index.html
Action: Get
Username: Any value will do
Password: Any value will do

Then, using the start redirect URL, make the following calls:

  1. Connect Call
  2. IsProtected Call
  3. IsAuthenticated Call

The policy server should now have its stdio redirected to the files indicated; future Java I/O should be redirected.

Figure 7

Stop Redirect

Using the SMTest tool, connect the agent to the policy server using the Java agent parameters.

The parameters are:

Agent: javaagent
Secret: <as before>
Resource Filter: /stopredirecttrigger/index.html
Action: Get
Username: Any value will do
Password: Any value will do

Then, using the start redirect URL, make the following calls:

  1. Connect Call
  2. IsProtected Call
  3. IsAuthenticated Call

The policy server should now have its stdio redirected to the files indicated; future Java I/O should be redirected.

Figure 8

Usage Via Remote Agent API Call

The trigger to redirect stdio can be delivered from a remote agent, as long as it is logged on as the "javaagent" identified before and accesses the /stopredirect and /startredirect URLs provided.

The package TEC529675.zip contains a client package that can be installed on any workstation, as long as it has access to the policy server which you want to send the command to.

The version provided here requires Java 1.5, but otherwise is self contained.

Installation

  1. You will need to unzip the provided TEC529675.zip package.

  2. Edit the runAgent.bat file.

  3. Set the following variable in the bat file appropriately for your environment.

    set JAVA_HOME=C:\Program Files\Java\jdk1.5.0_14

  4. Edit the webagent.properties file and ensure the following settings are correct:

    # Policy Server
    #policyServer=localhost
    #policyServer=127.0.0.1
    policyServer=192.168.10.176
     
    # Agent connect properties
    agentName =javaagent
    agentPassword =password
     
    # not really needed, in this case
    userName =user1
    userPassword=password

Start Redirect

To start the java stdio redirection type the following command:

     runAgent.sh Start

Stop Redirect

To stop the java stdio redirection type the following command:

     runAgent.sh Stop

File Attachments:
TEC529675.zip