SNMP Monitoring (Legacy)
Note: This functionality is labeled as legacy.
SNMP depends on labels known as Object Identifiers (OIDs). These are uniquely defined labels, organized in tree format. For AM, they are configured in a .mib file named FORGEROCK-OPENAM-CTS.mib, found inside the /path/to/tomcat/webapps/openam/WEB-INF/lib/openam-mib-schema-7.1.4.jar file of the AM deployment.
For detailed information on configured OIDs, see "SNMP CTS Object Identifiers".
With the OIDs in hand, you can set up an SNMP server to collect the data. You would also need SNMP utility commands with associated OIDs to measure the current state of a component.
Stop the AM instance or the container where it runs.
Download the AM 7.1.4 ZIP file from the ForgeRock BackStage download site.
Extract the contents of the ZIP file.
Navigate to the /snmp folder, and run the opendmk.jar installer file. For example:
$ java -jar opendmk.jar
Accept the License Agreement.
Select the install directory you want to install to. For example: /tmp/opendmk.
Copy the jdmkrt.jar file from the /lib folder of the extracted archive to the AM /WEB-INF/lib folder. For example:
$ cp /tmp/opendmk/OpenDMK-bin/lib/jdmkrt.jar /path/to/openam.war/WEB-INF/lib
Restart the AM instance or the container in which it runs.
Navigate to Configure > Global Services > Monitoring.
Set the Monitoring Status to enabled.
Set the Monitoring SNMP interface status property to Enabled. By default, AM listens on port 8085 for SNMP monitoring.
Click Save Changes.
Restart the AM instance for the change to take effect.
Once enabled, SNMP monitoring works over UDP by default. You may want to install one of many available network monitoring tools. For the purpose of this section, basic SNMP service and monitoring tools have been installed on a Unix-like system.
First, to verify the operation of SNMP on a GNU/Linux system, run the following command over port 8085 using SNMP version 2c:
# snmpstatus -c public -v 2c localhost
The output should normally specify communications over UDP. If you get a timeout message, the SNMP service may not be running.
You can get the value for a specific OID. For example, the following command would retrieve the cumulative count for CTS create operations, over port 8085:
# snmpget -c public -v 2c :8085 enterprises.36733.1.2.3.3.1.1.1
If your version of the tool does not support the enterprises OID string, use 1.3.6.1.4.1 instead, as in 1.3.6.1.4.1.36733.1.2.3.3.1.1.1.
For one view of the tree of OIDs, you can use the snmpwalk command. For example, the following command lists all OIDs related to CTS:
# snmpwalk -c public -v 2c :8085 enterprises.36733.1.2.3
A number of CTS OIDs are listed with a Counter64 value. As defined in RFC 2578, an OID so configured has a maximum value of 2^64 - 1.
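As an added example (not part of the original documentation), the following Python code parses output in the format printed by the net-snmp snmpget and snmpwalk tools, rewrites the enterprises prefix to 1.3.6.1.4.1 so both forms share one key, and computes the increase of a Counter64 between two polls, including a wrap past 2^64 - 1. The sample lines, values and function names are constructed for illustration.

```python
import re

ENTERPRISES = "1.3.6.1.4.1"      # numeric form of the "enterprises" prefix
COUNTER64_MODULUS = 2 ** 64      # Counter64 maximum is 2^64 - 1 (RFC 2578)

# Constructed sample output for the CTS create counter from the snmpget
# example, in two net-snmp print styles (symbolic, and numeric as with -On).
POLL_1 = "SNMPv2-SMI::enterprises.36733.1.2.3.3.1.1.1 = Counter64: 1500"
POLL_2 = ".1.3.6.1.4.1.36733.1.2.3.3.1.1.1 = Counter64: 1620"

LINE_RE = re.compile(r"^(?:[\w-]+::)?(\S+) = Counter64: (\d+)$")


def normalize_oid(oid):
    """Return the dotted numeric OID with no leading dot."""
    oid = oid.lstrip(".")
    if oid == "enterprises" or oid.startswith("enterprises."):
        oid = ENTERPRISES + oid[len("enterprises"):]
    return oid


def parse_counters(text):
    """Map normalized OID -> value for every Counter64 line in text."""
    counters = {}
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match is None:
            continue  # timeout messages, other syntaxes, blank lines
        value = int(match.group(2))
        if value >= COUNTER64_MODULUS:
            raise ValueError("value exceeds Counter64 range: %d" % value)
        counters[normalize_oid(match.group(1))] = value
    return counters


def counter_delta(previous, current):
    """Increase between two polls, modulo 2^64 to allow for one wrap.

    A drop can also mean the agent restarted and reset the counter;
    this function assumes a wrap and cannot tell the two apart.
    """
    return (current - previous) % COUNTER64_MODULUS


def rate_per_second(previous, current, interval_seconds):
    """Average operations per second over a polling interval."""
    if interval_seconds <= 0:
        raise ValueError("interval must be positive")
    return counter_delta(previous, current) / interval_seconds
```
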
SNMP Monitoring for Sessions
You can monitor CTS-based session statistics over SNMP. AM records statistics for up to a configurable number of recent sessions. (You can configure the number in the AM console under Configuration > System > Monitoring. For details, see the system configuration reference section, "Monitoring".)
SNMP monitoring is not available for client-based sessions.
SNMP uses OIDs defined in a .mib file that specifies the statistics AM keeps for policy evaluation operations, the FORGEROCK-OPENAM-SESSION.mib file. This file is found inside the /path/to/tomcat/webapps/openam/WEB-INF/lib/openam-mib-schema-7.1.4.jar file of the AM deployment.
When monitoring is active, AM records statistics about both the numbers of internal, remote, and CTS sessions, and also the times taken to process sessions.
The statistics are all read-only. The base OID for session statistics is enterprises.36733.1.2.1. Times are expressed in nanoseconds rather than milliseconds, as many operations take less than one millisecond. The following table describes the values that you can read:
OID | Description | Syntax |
---|---|---|
| Total number of current internal sessions | |
| Average time it takes to refresh an internal session | |
| Average time it takes to logout an internal session | |
| Average time it takes to destroy an internal session | |
| Average time it takes to set a property on an internal session | |
| Total number of current remote sessions | |
| Average time it takes to refresh a remote session | |
| Average time it takes to logout a remote session | |
| Average time it takes to destroy a remote session | |
| Average time it takes to set a property on a remote session | |
| Total number of sessions currently in the Core Token Service (CTS) | |
| Average time it takes to refresh a CTS session | |
| Average time it takes to logout a CTS session | |
| Average time it takes to destroy a CTS session | |
| Average time it takes to set a property on a CTS session | |
SNMP Monitoring for Policy Evaluation
You can monitor policy evaluation performance over SNMP. AM records statistics for up to a number of recent policy evaluation requests. (You can configure the number in the AM console under Configuration > System > Monitoring.) For details, see the reference section "Monitoring".
SNMP uses OIDs defined in the .mib file, FORGEROCK-OPENAM-POLICY.mib, found inside the /path/to/tomcat/webapps/openam/WEB-INF/lib/openam-mib-schema-7.1.4.jar file of the AM deployment. This file specifies the statistics AM keeps for policy evaluation operations.
When monitoring is active, AM records statistics about both the numbers and rates of policy evaluations performed, and also the time taken to process policy evaluations.
The statistics are all read-only. The base OID for policy evaluation statistics is enterprises.36733.1.2.2.1. The following table describes the values that you can read:
OID | Description | Syntax |
---|---|---|
| Cumulative number of policy evaluations for specific resources (self) | |
| Average rate of policy evaluations for specific resources (self) | |
| Minimum rate of policy evaluations for specific resources (self) | |
| Maximum rate of policy evaluations for specific resources (self) | |
| Cumulative number of policy evaluations for a tree of resources (subtree) | |
| Average rate of policy evaluations for a tree of resources (subtree) | |
| Minimum rate of policy evaluations for a tree of resources (subtree) | |
| Maximum rate of policy evaluations for a tree of resources (subtree) | |
| Average length of time to evaluate a policy for a specific resource (self) | |
| Slowest evaluation time for a specific resource (self) | |
| Average length of time to evaluate a policy for a tree of resources (subtree) | |
| Slowest evaluation time for a tree of resources (subtree) | |
| Slowest individual policy evaluation time overall | |