Monitoring NetIQ Access Manager using SNMP with Nagios



By: nnadakumar

February 7, 2014 12:06 pm


Usecase

Monitoring with SNMP was introduced in NetIQ Access Manager 4.0. Although many use cases can be derived from this feature, one of them is to monitor the service status of the NetIQ Identity Provider and send an email notification to the administrator whenever the service goes down. This is achieved using Nagios as the NMS (Network Management Software) over the SNMP protocol.

Introduction

Now that the Identity Provider (IDP) and Access Gateway (AG) components can be monitored over SNMP with external monitoring software such as Nagios, SNMP becomes an easy integration point. As the architecture diagram below shows, access is centralized at the Administration Console, from which all NAM devices can be monitored. Altogether, more than 100 attributes are available, such as free memory, incoming and outgoing requests, session details, etc. Each of these attributes can be queried over SNMP using its unique object identifier (OID).

[Figure: usercaseSmall (architecture diagram)]

In the background, IDP and AG devices keep sending periodic monitoring statistics to the Administration Console, and the same statistics are available through the SNMP master agent. Any external monitoring software can monitor IDP or AG devices by communicating with the master agent over SNMP.
In this document, we will talk about how to monitor the service status of the Identity Provider using SNMP.

For more information about supported SNMP objects, querying by OID, configuration, etc., please refer to the Administration Console guide.

Administration Console configuration

Make sure SNMP is enabled in the Administration Console. If it is not enabled, follow the steps below.

  1. In the /opt/novell/devman/share/conf/platform.conf file, go to the vcdn module for SNMP. In <stringParam name="enable" value="false"/>, replace false with true. This enables monitoring between Access Manager devices.

     <vcdnModule name="snmp" className="com.volera.vcdn.platform.snmp.SnmpAgentInit" sequence="3">
       <stringParam name="enable" value="true"/>
       <stringParam name="masterAgentIp" value="127.0.0.1"/>
       <stringParam name="masterAgentPort" value="705"/>
     </vcdnModule>

  2. Change the default community name to any desired name in /opt/novell/devman/share/conf/snmp-master-agent.conf
  3. Start the Master Agent by using the /etc/init.d/novell-snmpd start command.
  4. Restart the Administration Console: /etc/init.d/novell-ac restart
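
A quick way to confirm the edit in step 1 before restarting services, added here as an example and not part of the original article or of Access Manager. The `<platform>` root element in the sample is a placeholder, and treating the loopback address and port from the listing above as the expected values is an assumption.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the <platform> root is a placeholder, only the
# vcdnModule stanza comes from the article.
SAMPLE = """<platform>
  <vcdnModule name="snmp" className="com.volera.vcdn.platform.snmp.SnmpAgentInit" sequence="3">
    <stringParam name="enable" value="true"/>
    <stringParam name="masterAgentIp" value="127.0.0.1"/>
    <stringParam name="masterAgentPort" value="705"/>
  </vcdnModule>
</platform>"""

TYPOGRAPHIC = "\u201c\u201d\u2033"  # curly quotes / double prime picked up by web copy-paste


def check_snmp_module(xml_text):
    """Return a list of findings for the SNMP vcdnModule; an empty list means OK."""
    if any(ch in xml_text for ch in TYPOGRAPHIC):
        return ["typographic quotes present: retype them as plain ASCII quotes"]
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    module = next((m for m in root.iter("vcdnModule") if m.get("name") == "snmp"), None)
    if module is None:
        return ["no vcdnModule named snmp"]
    params = {p.get("name"): p.get("value") for p in module.iter("stringParam")}
    findings = []
    if params.get("enable") != "true":
        findings.append("enable is not true: SNMP monitoring is off")
    try:
        if not ipaddress.ip_address(params.get("masterAgentIp") or "").is_loopback:
            findings.append("masterAgentIp is not a loopback address")
    except ValueError:
        findings.append("masterAgentIp is not a valid IP address")
    port = params.get("masterAgentPort") or ""
    if not (port.isdigit() and 1 <= int(port) <= 65535):
        findings.append("masterAgentPort is not a valid port")
    return findings


if __name__ == "__main__":
    # On an Administration Console, pass the contents of platform.conf instead of SAMPLE.
    for finding in check_snmp_module(SAMPLE) or ["SNMP module matches the listing"]:
        print(finding)
```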

Configuring Nagios

Download configuration (nam.cfg)

As a prerequisite, a Nagios server (http://www.nagios.org) must be installed on a Linux box. The net-snmp command line utility and the Nagios SNMP plugin, i.e. check_snmp, are also required; if they are not present, please install them. Information is available at https://www.nagios-plugins.org
Also, make sure a proper email address is configured for the default email notification in the Nagios contact configuration.

A few configuration changes are also required on the Nagios server. The steps are listed below.

  1. The attached nam.cfg contains the configuration required to monitor the service status of the IDP.
  2. Copy nam.cfg to any location, preferably /etc/nagios/objects/
  3. Edit /etc/nagios/nagios.cfg and add an entry for the location of the newly added nam.cfg file, for example cfg_file=/etc/nagios/objects/nam.cfg (make sure the path is correct).
  4. Edit nam.cfg and change the Administration Console IP address to the real one, and also change the community name.

     _adminconsole_ip_address 164.99.86.188 ; IP address of Primary Administration Console
     _snmp_community_name netiq ; Community name of the SNMP service

  5. Change the IP address of the Identity Provider. Please note that more than one Identity Provider can be monitored just by adding additional host entries like the one below, each with a different IP address. The rest of the required configuration is already present to make things easy.

     define host {
         host_name Identity Provider 1
         use nam_base_host
         address 10.240.100.27 ; IP address of Identity Provider
     }

  6. Finally, restart the nagios service: /etc/init.d/nagios restart
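
Nagios object files treat `;` as the inline comment marker and `#` as a comment only at the start of a line, so a trailing `# ...` on an `address` line becomes part of the address. The lint below is an added example, not part of the original article or of nam.cfg; the second host in the sample and its address are constructed to show the failure cases.

```python
import ipaddress
import re

# Constructed sample in the article's nam.cfg style; "Identity Provider 2"
# and its address are made up for the failure cases.
SAMPLE = """\
define host {
    host_name   Identity Provider 1
    use         nam_base_host
    address     10.240.100.27   ; IP address of Identity Provider
}
define host {
    host_name   Identity Provider 2
    address     192.0.2.15   # IP address of Identity Provider
}
"""

BLOCK = re.compile(r"define\s+host\s*\{(.*?)\}", re.S)


def lint_hosts(cfg_text, template="nam_base_host"):
    """Return (host_name, problem) pairs for host entries Nagios would misread."""
    problems = []
    for body in BLOCK.findall(cfg_text):
        directives = {}
        for line in body.splitlines():
            line = line.split(";", 1)[0].strip()   # ';' starts an inline comment
            if not line or line.startswith("#"):   # '#' only comments out a whole line
                continue
            parts = line.split(None, 1)
            directives[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
        name = directives.get("host_name", "<unnamed>")
        if directives.get("use") != template:
            problems.append((name, f"does not use {template}"))
        address = directives.get("address", "")
        if "#" in address:
            problems.append((name, "inline '#' is part of the address; use ';'"))
        else:
            try:
                ipaddress.ip_address(address)
            except ValueError:
                problems.append((name, "address is not a valid IP"))
    return problems


if __name__ == "__main__":
    for host, problem in lint_hosts(SAMPLE):
        print(f"{host}: {problem}")
```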

Verifying

An email is sent to the default admin contact when the IDP status goes RED. To test this, the IDP can be stopped manually from the Administration Console. Here is how to do that.

  1. Log in to the Administration Console and go to the Identity Servers page.
  2. Select the Identity Server and click the "stop" button to bring down the service.
  3. Within a few minutes, an email notification from Nagios will be triggered.

Here is a Nagios screenshot. Note that the IDP service is stopped but the Linux box is up.

[Figure: nagios1 (Nagios screenshot)]

Categories: Access Manager, Technical Solutions

Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.
