pre-con ed: who's minding the sso store?
TRANSCRIPT
![Page 1: Pre-Con Ed: Who's minding the SSO store?](https://reader031.vdocuments.mx/reader031/viewer/2022020301/587269211a28ab31498b54d7/html5/thumbnails/1.jpg)
World®’16
Who’sMindingyourSSOStore?
JasonWilcoxSr.ServicesArchitect
SCX16E
SECURITY
![Page 2: Pre-Con Ed: Who's minding the SSO store?](https://reader031.vdocuments.mx/reader031/viewer/2022020301/587269211a28ab31498b54d7/html5/thumbnails/2.jpg)
2 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD
©2016CA.Allrightsreserved.Alltrademarksreferencedhereinbelongtotheirrespectivecompanies.
Thecontentprovidedinthis CAWorld2016presentationisintendedforinformationalpurposesonlyanddoesnotformanytypeofwarranty. The informationprovidedbyaCApartnerand/orCAcustomerhasnotbeenreviewedforaccuracybyCA.
ForInformationalPurposesOnlyTermsofthisPresentation
![Page 3: Pre-Con Ed: Who's minding the SSO store?](https://reader031.vdocuments.mx/reader031/viewer/2022020301/587269211a28ab31498b54d7/html5/thumbnails/3.jpg)
3 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD
Abstract
AttheheartofyourenterprisesecurityinfrastructureisyourCASingleSignOnwebaccessmanagementenvironment.Sometakeitssimplicityforgranted,thesilentworkhorsethatprovidesagreatuserexperienceacrossyourappswithhighperformanceandreliability.ButwhoandwhatiskeepingtabsonyourCASSOapplication?
Inthissession,wewillexplorebestpractices,methodsandtoolsthatcanbedeployedtomonitorthehealthofyourmissioncriticalwebaccessmanagementsolution.Wewillcover:
ThekeyaspectsofwhatimpactstheperformanceandstabilityofyourCASingleSignOnsolutionHowtotraceaproblemtorootcauseusingtoolslikeCATraceLogReader,APMforSSO,Spylogix,andSplunk.HowtocreateamonitoringandalertingstrategyforyourCASingleSingOnSolution.HowtousemonitoringdatatotuneandoptimizeyourCASingleSignOnSolutioncomponents
JasonWilcox
CAtechnologiesSr.ServicesArchitect
![Page 4: Pre-Con Ed: Who's minding the SSO store?](https://reader031.vdocuments.mx/reader031/viewer/2022020301/587269211a28ab31498b54d7/html5/thumbnails/4.jpg)
4 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD
Agenda
WHO’STALKINGTOMYPOLICYSERVER,ANDWHYDOICARE?
MST=T/ATT(S),YESMATHMATTERS
ESTABLISHINGAPROACTIVEMONITORINGPROGRAM
WHATARETHESSOKPI’S
HOWDOIMONITORTHOSEKPI’S
BUYWHYDOESITMATTER?
1
2
3
4
5
6
![Page 5: Pre-Con Ed: Who's minding the SSO store?](https://reader031.vdocuments.mx/reader031/viewer/2022020301/587269211a28ab31498b54d7/html5/thumbnails/5.jpg)
5 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD
AgentsConnection
§ WebAgentopenstheTCPconnectiontothePolicyServer– Bydefault,underload,theweb
agentwillopenamaxof20sockets– Connectionsare“long-lived”
§ PolicyServerclosesconnections– IdleTimeout(minutes)in
SMConsole– Non-IdleTimeoutvia
AgentConnectionMaxLifetime inXPSObject
AgentsOpentheConnection,thePolicyServerCanClosetheConnection
Authoriza
tion
Authen
tication
Administratio
n
Accoun
ting
AdministrativeUIUserStore
PolicyServer
Protected Resources
PolicyStore
WebServer
WebAgent
![Page 6: Pre-Con Ed: Who's minding the SSO store?](https://reader031.vdocuments.mx/reader031/viewer/2022020301/587269211a28ab31498b54d7/html5/thumbnails/6.jpg)
6 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD
AgentConversation
§ Individualsocketsaresynchronousconnections
§ OncetheWebAgent“asksaquestion”tothepolicyserver,thatsocketconnectionis“busy”untilthePolicyServerresponds
TheConversationisaRequest/ResponseModel,NoInterruptionsAllowed
Authoriza
tion
Authen
tication
Administratio
n
Accoun
ting
AdministrativeUIUserStore
PolicyServer
Protected Resources
PolicyStore
WebServer
WebAgent
![Page 7: Pre-Con Ed: Who's minding the SSO store?](https://reader031.vdocuments.mx/reader031/viewer/2022020301/587269211a28ab31498b54d7/html5/thumbnails/7.jpg)
7 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD
AgentSecurity
§ AgentAPIinitiatesaconnectionwiththeTrustedHostNameandSharedSecret– Handshakeincludesestablishing
encryptedchannel– Retrievesoperationalparameters
fromtheHCO– Retrievesconfigurationparameters
fromtheACO(OrLocalConfig)
TheConversationStartswithAuthentication,andCreatedanEncryptedChannel
Authoriza
tion
Authen
tication
Administratio
n
Accoun
ting
AdministrativeUIUserStore
PolicyServer
Protected Resources
PolicyStore
WebServer
WebAgent
![Page 8: Pre-Con Ed: Who's minding the SSO store?](https://reader031.vdocuments.mx/reader031/viewer/2022020301/587269211a28ab31498b54d7/html5/thumbnails/8.jpg)
8 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD
TopicstheyDiscuss
§ OverthisTCPconnectiontheWebAgentsendsthefollowingAgentAPIcommands:– isProtected()– isAuthenticated()– isAuthorized()
§ NottheonlycommandsbutthosearetheprimaryfunctionsoftheAgent.
AgenttoPolicyServerCommunicationisPrimarilyRequest/Response
Authoriza
tion
Authen
tication
Administratio
n
Accoun
ting
AdministrativeUIUserStore
PolicyServer
Protected Resources
PolicyStore
WebServer
WebAgent
![Page 9: Pre-Con Ed: Who's minding the SSO store?](https://reader031.vdocuments.mx/reader031/viewer/2022020301/587269211a28ab31498b54d7/html5/thumbnails/9.jpg)
9 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD
ThePolicyServerresponds
§ Wecanseethereactorthreadtakingtheserequestsandputtingtheminthequeue
§ Nowontheotherendofthequeue,wecanseewhatarecalled“Workerthreads”tohandlethework
WhentheAgentComesKnocking,WhoAnswers?
WebAgent
ReactorThread
WorkerThread
PolicyServer
![Page 10: Pre-Con Ed: Who's minding the SSO store?](https://reader031.vdocuments.mx/reader031/viewer/2022020301/587269211a28ab31498b54d7/html5/thumbnails/10.jpg)
10 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD
ConfiguringWorkerThreads
§ Theworkerthreadsareconfiguredhereinthemanagementconsole– defaultisfor20worker
threadsinCASiteMinderR12.5x
§ Howmanydoyouneed?
ThreadsNeverDie,OnceReachedTheyWillAlwaysAtMax
![Page 11: Pre-Con Ed: Who's minding the SSO store?](https://reader031.vdocuments.mx/reader031/viewer/2022020301/587269211a28ab31498b54d7/html5/thumbnails/11.jpg)
11 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD
WhatDoWorkerThreadsDo?
§ Workerthreadsdothework!
§ Theworkerthreadstaketheitemoffthequeue,andgototheUserStore,PolicyStore,SessionStore,cache,etc…
§ Workerthreadsgenerateassertions
§ Workerthreadsprocessxml
§ Workerthreadsdoeverythingthepolicyserverneedstodo
BeforeICantellYouHowManyYouNeed,WeNeedtoKnowWhattheyareDoing?
![Page 12: Pre-Con Ed: Who's minding the SSO store?](https://reader031.vdocuments.mx/reader031/viewer/2022020301/587269211a28ab31498b54d7/html5/thumbnails/12.jpg)
12 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD
ThreadLocking
§ SimilartotheAgentsocketrequest,theworkerthreadwillcontinuehandlingtherequestuntilitiscomplete.– Forexample,iftheworkerthreadsneedtodoanisAuthenticate()call,
itwillgoouttotheLDAPdirectoryserver.Theworkerthreadwillbeblockeduntiltheldapsearch andbindiscomplete.
– IfanindividualworkerthreadneedstomakemultipleLDAPcalls,thosecallsareprocessedinasynchronousmannerwithinthatthread
– Thisthreadcannotbeusedforanythingelsewhileblocked
WorkerThreadsStartaTaskandareBusyUntiltheTaskisCompletedorTimesOut
![Page 13: Pre-Con Ed: Who's minding the SSO store?](https://reader031.vdocuments.mx/reader031/viewer/2022020301/587269211a28ab31498b54d7/html5/thumbnails/13.jpg)
13 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD
ControlWehavecontrolovertheagentconnections,thepolicyserversockets,andthenumberandlifetimeofeachofthem.
Wedon’thavecontroloverhowlongatasktakestocomplete.
AgentsAgentsinitiateasecureconnectiontothepolicyserver.
Eachagentconnectiontakesupasocketonthepolicyserver.
Eachagentconnectionperformsatask,andisbusyuntilthattaskiscompleted.
PolicyServerPolicyServersreceiverequestsfromtheagentswithareactorthread.Thereactorthreadputsrequestsinthequeueforworkerthreadstowork.Workerthreadsperformataskandareblockeduntilthetaskiscompleted
CheckpointWhatDoWeKnowSoFar?
![Page 14: Pre-Con Ed: Who's minding the SSO store?](https://reader031.vdocuments.mx/reader031/viewer/2022020301/587269211a28ab31498b54d7/html5/thumbnails/14.jpg)
14 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD
MST=t/att(s),YesMathMatters
§ Withtheinformationwehave,wecanbuildapredictivemodelforperformanceandcapacity.
§ Wemustalsounderstandtheimpactsofthroughputonthatmodel,andtheimpactsoflatencyonthroughput.
§ UsingthiswecanidentifyKeyPerformanceIndicatorsthatshouldbeproactivelymonitored,managed,andreportedon.
Rememberthatteacherwhosaidsomedaythiswillsaveyourlife?Yeahitwon’tbutmathstillmatters
![Page 15: Pre-Con Ed: Who's minding the SSO store?](https://reader031.vdocuments.mx/reader031/viewer/2022020301/587269211a28ab31498b54d7/html5/thumbnails/15.jpg)
15 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD
BuildingOurModel
§ Throughput– Totaltransactionspersecondthepolicyserverisfulfilling(persecond)
§ Latency– Howlongdoeseachtransactiontaketobeprocessed
§ ThreadLatency – howlongbeforeaworkerthreadpullstherequestfromthequeue
§ ExecutionLatency– howmuchtimedoesthatworkerthreadtakeinprocessingtherequest
![Page 16: Pre-Con Ed: Who's minding the SSO store?](https://reader031.vdocuments.mx/reader031/viewer/2022020301/587269211a28ab31498b54d7/html5/thumbnails/16.jpg)
16 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD
TheRelationshipofThreads,ThroughputandLatency
§ Onanysystemwithasetnumberofthreads,throughputandlatencyareinterrelated– Aslatencygoesupthethroughputgoesdown– Asthroughputgoesdownadditionalrequestsarequeuedcausing
increasedlatency
MaximumServerThroughput= !"#$%&'()*!,-!./$('$1)
![Page 17: Pre-Con Ed: Who's minding the SSO store?](https://reader031.vdocuments.mx/reader031/viewer/2022020301/587269211a28ab31498b54d7/html5/thumbnails/17.jpg)
17 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD
WeControlThreads,butNotThreadorExecutionLatency
§ TherearetwoprimaryreasonsforPolicyServerslowdown1. ToomanyAgentAPIrequestscominginforthePolicyServer2. Responsetimefromtheuserdirectory
§ IftoomanyAgentAPIrequestsarecomingin,thethreadlatencywillincreaseiftherearen’tenoughthreadstoservicetheminatimelymanner.
§ Iftheresponsetimefortheuserdirectoryincreasesexecutionlatencyincreases,whichinturncausesthreadlatencytoincrease.
![Page 18: Pre-Con Ed: Who's minding the SSO store?](https://reader031.vdocuments.mx/reader031/viewer/2022020301/587269211a28ab31498b54d7/html5/thumbnails/18.jpg)
18 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD
TooManyAgentAPIRequests
§ Asinglewebpagedoesn’tmeanasinglerequest.
§ HCOsettingslimitingthenumberofagentconnectionsaren’tapplicabledependingontheapachethreadingmodel.
§ Iftheapplicationteamshaveconfiguredtoallow2000maxclients,butyouaresaying20maxconnections….itwillbe2000maxconnections.
§ Atpeaktimes,ifnotproperlymanaged,yourwebserverscanoverloadyourpolicyserverandsignificantlyincreasethreadlatency.
![Page 19: Pre-Con Ed: Who's minding the SSO store?](https://reader031.vdocuments.mx/reader031/viewer/2022020301/587269211a28ab31498b54d7/html5/thumbnails/19.jpg)
19 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD
DirectoryLatencyAffectsThroughputwhichAffectsSingleSign-OnPerformance§ Assumptions
– 15threads
– Averageof7LDAPqueriespertransaction– AverageLDAP(includingthenetwork)latencyis10ms
– Goal:125transactions/sec
§ Averagetransactiontimemustbeatleast70Ms(LDAP)+30msprocessing=100ms (0.1sec)
§ 15threads/0.1seconds=150transactions/secmaximum
§ WhenLDAPgoesto15msthemaximumthroughputdropsto111txns/sec
Using:MaximumServerThroughput=
![Page 20: Pre-Con Ed: Who's minding the SSO store?](https://reader031.vdocuments.mx/reader031/viewer/2022020301/587269211a28ab31498b54d7/html5/thumbnails/20.jpg)
20 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD
KeepingLowTransactionalLatency
§ Rightsizeconnections,threads,andagentratio’sforloadandhardware.
§ Minimizecustom/thirdpartycodeandoptimizeanycalloutsthatcodemakestoremotesystems
§ UsesmartLDAPsearchesandoptimizeddatabasequeries
§ KeepAgenttoPolicyserverandPolicyservertouserdirectoryconnectionsoverfastconnections– possiblyinsamedatacenter
§ Workwithuserdirectoryteamstoensurethedirectoriesareperformingasrequired
![Page 21: Pre-Con Ed: Who's minding the SSO store?](https://reader031.vdocuments.mx/reader031/viewer/2022020301/587269211a28ab31498b54d7/html5/thumbnails/21.jpg)
21 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD
ThroughputWecanmodelthroughputtoproperlyplanforcapacity.
Wecanmodelwhatevenasmallchangeinthenetworkordirectoryperformancewilldo.
Wecanusethesemodelstobecomeproactiveandpredictive.
ThreadLatencyCanbeaffectedbyalargevolumeofrequests
Canbeaffectedbyhighexecutionlatency
Youmustdothemathinadvanceandrightsizefortheexpectedpeakloads
ExecutionLatencyPoorPolicyDesigncanincreasecallstothedirectorySSOisusuallythevictim,butunlessyoucanproveit,thatdoesn’tmatter.Increasingthenumberofthreadsisnotalwaystheanswer.
CheckpointWhatDoWeKnowSoFar?
![Page 22: Pre-Con Ed: Who's minding the SSO store?](https://reader031.vdocuments.mx/reader031/viewer/2022020301/587269211a28ab31498b54d7/html5/thumbnails/22.jpg)
22 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD
WhataretheSSOKPI’s
§ Withtheinformationwehave,wecanbuildapredictivemodelforperformanceandcapacity.
§ Wemustalsounderstandtheimpactsofthroughputonthatmodel,andtheimpactsoflatencyonthroughput.
§ UsingthiswecanidentifyKeyPerformanceIndicatorsthatshouldbeproactivelymonitored,managed,andreportedon.
Knowledgeishalfthebattle,butyouwillstillloseifthat’sallyouhave.
![Page 23: Pre-Con Ed: Who's minding the SSO store?](https://reader031.vdocuments.mx/reader031/viewer/2022020301/587269211a28ab31498b54d7/html5/thumbnails/23.jpg)
23 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD
WhatdoyouNeedTrack?
UserStoreAccess PolicyStoreAccess Session StoreAccess
CacheSuccessRate CacheMissRate SocketCounts
Max QueueLength CurrentNormalQueueLength HighPriority QueueLength
Avg Authorization Time Avg AuthenticationTime Avg ValidationTime
Avg IsProtected Time MaxSockets TransactionCounts
AgentTransactionTimes AgentCachesettings
![Page 24: Pre-Con Ed: Who's minding the SSO store?](https://reader031.vdocuments.mx/reader031/viewer/2022020301/587269211a28ab31498b54d7/html5/thumbnails/24.jpg)
24 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD
HowCanWeMonitorSSOKPI’s
§ CASMTraceTool
§ CAOneView Monitor
§ CAAPMforSSO
§ SNMP(Splunk,UIM,AnytoolthatcanissueSNMPGET)
§ Spylogix forCASSO
It’snotabouthowyougetthedata,butwhatyoudowithit
![Page 25: Pre-Con Ed: Who's minding the SSO store?](https://reader031.vdocuments.mx/reader031/viewer/2022020301/587269211a28ab31498b54d7/html5/thumbnails/25.jpg)
25 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD
SMTraceToolUnlockingtheDatainYourCASSOLogs
§ LoadandparselogsfromallCASSOcomponents
§ Generatesreportsdetailingperformanceforthatpointintime
§ Identifiespotentialbottlenecks
§ Let’stakealook!!!
![Page 26: Pre-Con Ed: Who's minding the SSO store?](https://reader031.vdocuments.mx/reader031/viewer/2022020301/587269211a28ab31498b54d7/html5/thumbnails/26.jpg)
26 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD
OneView Monitor
§ CentrallyreportsKPI’s
§ Gathersdatafromagentsandpolicyservers
§ Youneedtorecordandgatherthedata
§ Let’stakealook!!!
TheDataisthere,ifYouGoandGetit
![Page 27: Pre-Con Ed: Who's minding the SSO store?](https://reader031.vdocuments.mx/reader031/viewer/2022020301/587269211a28ab31498b54d7/html5/thumbnails/27.jpg)
27 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD
CAAPMWhenYouPreferthoseKPI’sWrappedupinaBow
§ BuiltinCASSODashboards
§ Knowinstantlyifthereisaproblem,drilldowntoRCA
§ Dataandanalysiscomestoyou.
§ Let’stakealook!!!
![Page 28: Pre-Con Ed: Who's minding the SSO store?](https://reader031.vdocuments.mx/reader031/viewer/2022020301/587269211a28ab31498b54d7/html5/thumbnails/28.jpg)
28 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD
SNMPIntegratewithYourPreferredTool
§ 60ObjectsaccessiblebySNMPGET
§ 17EventsavailabletobesentviaSNMPTrap
§ Presentthedatahowyouwantitpresented
§ Let’slookatsomesamplesfromSplunk!
![Page 29: Pre-Con Ed: Who's minding the SSO store?](https://reader031.vdocuments.mx/reader031/viewer/2022020301/587269211a28ab31498b54d7/html5/thumbnails/29.jpg)
29 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD
SpyLogix forCASSOCertifiedCASolution
§ FullAnalyticsplatformforCASSO
§ Builtindashboardsforperformance,systemsmanagementandutilization
§ FocusedonMTTRandMTBSI
![Page 30: Pre-Con Ed: Who's minding the SSO store?](https://reader031.vdocuments.mx/reader031/viewer/2022020301/587269211a28ab31498b54d7/html5/thumbnails/30.jpg)
30 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD
WhyDoesitMatter?HowwillthisDataHelpMe?
§ User’sarecomplainingabout‘slow’SSOperformance– Whatisthedefinitionofslow?– CanyoushowwhattheperformanceofSSOistocombatthat
impression?– Doestheirdefinitionofslowincludetheloadtimefortheapplication
page?Howdoyoushowifyouareaffectingthat?– Canyoushowhistoricalevidenceofperformanceandstability?
§ MaybeSSOishavinganissue,canyoupinpointwhereitis?
Realworldscenario’s
![Page 31: Pre-Con Ed: Who's minding the SSO store?](https://reader031.vdocuments.mx/reader031/viewer/2022020301/587269211a28ab31498b54d7/html5/thumbnails/31.jpg)
31 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD
HavingAccesstotheDataImprovesYourResponse
§ Herearegraphsshowingthecustomerqueuedepth
§ Fromthesechartswecanseethequeuekeepsgrowing– Eithertheloadhasincreased,
or– Thebackendcannotkeepup
![Page 32: Pre-Con Ed: Who's minding the SSO store?](https://reader031.vdocuments.mx/reader031/viewer/2022020301/587269211a28ab31498b54d7/html5/thumbnails/32.jpg)
32 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD
NowIKnowthereisanIssue,What’sCausingit?
§ Needtoanswertwoquestions– HowdowedeterminewhichofthetwoconditionsthePolicyServeris
in?§ Arewequeuingtherequestbecausetherearetoomanyincomingrequests?
§ Arewequeuingtherequestbecausethetransactionsaretakingtoolongtoprocess?
– Howcanweeasilyanswerthosequestions?
![Page 33: Pre-Con Ed: Who's minding the SSO store?](https://reader031.vdocuments.mx/reader031/viewer/2022020301/587269211a28ab31498b54d7/html5/thumbnails/33.jpg)
33 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD
SMTraceToolisAbletoIdentifySlowLDAPResponseTimes§ Wecanseethedistribution
ofLDAPresponseswhichhaveamajorinfluenceonCASiteMinderthroughput
§ Wehadtogogetthisdata,whatifwehadbeenalertedwhentheaveragestartedincreasing,beforeuserscomplained?
![Page 34: Pre-Con Ed: Who's minding the SSO store?](https://reader031.vdocuments.mx/reader031/viewer/2022020301/587269211a28ab31498b54d7/html5/thumbnails/34.jpg)
34 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD
APMforCASSOShowstheSameTypeofSlowdowns
§ Weseeadifferentrepresentationofthesameproblem.
§ Butinsteadofbeingalertedtotheproblembyusers,APMforSSOcanalertusbeforebecomesaproblem.
![Page 35: Pre-Con Ed: Who's minding the SSO store?](https://reader031.vdocuments.mx/reader031/viewer/2022020301/587269211a28ab31498b54d7/html5/thumbnails/35.jpg)
35 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD
EstablishingaProactiveMonitoringProgram
§ Wecannotrelyonusererrorstotelluswhenthereisaproblem,itsoftentoolate
§ YoumusthavethedatareadilyavailabletoadvertiseSSO’ssuccess
§ YoumusthavethedatareadilyavailabletoactwhenSSOhasanissue.
Usersarenotyourfirstlineofalerting
![Page 36: Pre-Con Ed: Who's minding the SSO store?](https://reader031.vdocuments.mx/reader031/viewer/2022020301/587269211a28ab31498b54d7/html5/thumbnails/36.jpg)
36 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD
SingleSign-OnisMissionCritical
§ SingleSign-Ontouchesmanyapplicationsacrosstheenterprise– BothinternalemployeeandConsumertransactions
§ IfSingleSign-Onstops,theapplicationsstopaswell
§ Whenaproblemoccurswemustknowwhysoactioncanbetaken– Needtoidentifyproblemsthatareintermittent– Needtoidentifypossibleproblemsbeforetheycauseoutages
![Page 37: Pre-Con Ed: Who's minding the SSO store?](https://reader031.vdocuments.mx/reader031/viewer/2022020301/587269211a28ab31498b54d7/html5/thumbnails/37.jpg)
37 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD
OrganizationsNeedtoIdentifyProblemsQuickly
§ SingleSign-Oncancrossmanyorganizations– Applicationteams– Directoryteams– SingleSign-Onteams
§ Whenaproblemoccurswetendtoplayorganizationalblamegames
§ SinceSingleSign-Ontouchesmanycomponentsitoftengetsblamedevenifitisnotatfault
![Page 38: Pre-Con Ed: Who's minding the SSO store?](https://reader031.vdocuments.mx/reader031/viewer/2022020301/587269211a28ab31498b54d7/html5/thumbnails/38.jpg)
38 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD
ManyDifferentWaysto“Monitor”
§ “Monitor”canmeanmanydifferentthings– ComponentsUp/Down– System“health”– Useractivity– AdministrativeActivity
§ Yourprogrammustincorporateelementsofalltobemosteffective
![Page 39: Pre-Con Ed: Who's minding the SSO store?](https://reader031.vdocuments.mx/reader031/viewer/2022020301/587269211a28ab31498b54d7/html5/thumbnails/39.jpg)
39 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD
SyntheticTransactions(CAAppSyntheticMonitor)
§ ToolstoAutomatically“login”andaccessapage
§ Seesthesitefromanenduserperspective
§ Becarefulwhengeographicallydistributed– Themonitorbecomesthefailurepoint
§ Becarefulofmonitoringbecomingthebiggestuserofthesystem.
![Page 40: Pre-Con Ed: Who's minding the SSO store?](https://reader031.vdocuments.mx/reader031/viewer/2022020301/587269211a28ab31498b54d7/html5/thumbnails/40.jpg)
40 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD
SyntheticTransactions(CAAppSyntheticMonitor)
§ Whatittellsyou– Isyourwebsiterespondingtologins– Logintransactionandfirstpageloadtimes.
§ Benefits– Looksacrossentiresite
§ Drawbacks– Unknownwhatthepathisforthetransaction
§ Failover,roundrobin,internalcomponentfailuresarehidden– Cancreateextraloadonsystem
Tip:asinglewebsiteoneachpolicyserverwithasingleagentthatonlycommunicatestothatpolicyserver
![Page 41: Pre-Con Ed: Who's minding the SSO store?](https://reader031.vdocuments.mx/reader031/viewer/2022020301/587269211a28ab31498b54d7/html5/thumbnails/41.jpg)
41 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD
ServerErrorFile ACOSetting
§ ExistingACOsettingtoeitherdisplayafriendlyHTMLpageorredirectonaWebAgent Error
§ Usetheredirectabilitytoredirectuserstoafriendlypageonaseparatewebserver– Createaseparatelogforerrorsforallagentsinasinglespot– Collecttheerrorcode(Querystring)– Collectthereferrer(HTTPheaders)
§ Logtheseandanalyzeweekly.
![Page 42: Pre-Con Ed: Who's minding the SSO store?](https://reader031.vdocuments.mx/reader031/viewer/2022020301/587269211a28ab31498b54d7/html5/thumbnails/42.jpg)
42 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD
ServerErrorFile ACOSetting
§ Whatittellsyou– HasaWebAgentencounteredanerror
§ Whattheerrorcodeis§ Whichwebsite
§ Benefits– Realtimeinformation– cantriggeranalert– Usefulincalculatingintermittentissues– Canalsodisplayafriendlyerrorpage
§ Drawbacks– Ifyouaren’tanalyzingthedata,thereisnovalue
![Page 43: Pre-Con Ed: Who's minding the SSO store?](https://reader031.vdocuments.mx/reader031/viewer/2022020301/587269211a28ab31498b54d7/html5/thumbnails/43.jpg)
43 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD
NetworkVisualization(CAApplicationDeliveryAnalysis(ADA))
§ NetworkLayerMonitoringtool
§ PlugsintonetworkswitchesandlooksatTCPTraffic
§ Canexaminecommunicationsto/frommultiplesystemsandunderstandlatencyofthesecomponents
![Page 44: Pre-Con Ed: Who's minding the SSO store?](https://reader031.vdocuments.mx/reader031/viewer/2022020301/587269211a28ab31498b54d7/html5/thumbnails/44.jpg)
44 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD
NetworkVisualization(CAApplicationDeliveryAnalysis(ADA))§ Whatittellsyou
– Latencyofcommunicationsbetweenmultiplecomponents
§ Benefits– Canquicklyidentifycomponenthavetrouble– Canidentifyifitisthenetworkortheapplication
§ Drawbacks– NotincludedinCoreSingleSign-OnLicense– NotaSingleSign-Onspecificsolution– Overkillinsmallenvironments
![Page 45: Pre-Con Ed: Who's minding the SSO store?](https://reader031.vdocuments.mx/reader031/viewer/2022020301/587269211a28ab31498b54d7/html5/thumbnails/45.jpg)
45 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD
KeyPerformanceIndicators
§ Oneview/APM/SNMP/SpyLogix
§ Onecomponentofacomprehensivesolution
§ Oftenthisisthemissingcomponentinacomprehensivemonitoringsolution.
![Page 46: Pre-Con Ed: Who's minding the SSO store?](https://reader031.vdocuments.mx/reader031/viewer/2022020301/587269211a28ab31498b54d7/html5/thumbnails/46.jpg)
46 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD
Step1– BaselineYourEnvironment
§ Onceyouhavechosenyourtoolsetidentifyyourbaseline– Capturedatawithoutalertingfor2– 4weeks
§ Focusonatimeframethatspanskeypeakusageperiods– Monthlyorquarterlyspikes
§ Discussthegoalswithyourcustomersandstakeholders– Theyoftenhaveinsightsintotheirusagethatyoumaynotknow.
![Page 47: Pre-Con Ed: Who's minding the SSO store?](https://reader031.vdocuments.mx/reader031/viewer/2022020301/587269211a28ab31498b54d7/html5/thumbnails/47.jpg)
47 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD
Step2– Createhabitstoreviewdata
§ Createhabitsandcarveouttimefordatatobereviewed– Thishelpsidentifynewarea’sforcoverage– Identifiespreviouslyunknownandunmonitorederrors– Themoreyoureviewasystem,thebetteryouknowit
§ Asnewerrorsarefound,createaknowledgebaseandkeepitupdated– Sharethatdataandstepstoresolve.Themorepeoplethatknowthebetter.
Thisisaboutensuringagoodcustomerexperience.
§ Incentivizefindingnewitems.Rewardyourteamforfindingnewissuesandtheirresolution,makeitcultural
![Page 48: Pre-Con Ed: Who's minding the SSO store?](https://reader031.vdocuments.mx/reader031/viewer/2022020301/587269211a28ab31498b54d7/html5/thumbnails/48.jpg)
48 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD
Step3– Createalertsbasedonthebaselinedata
§ Whenperformancedegradedmorethanx%warn
§ WhenperformancedegradesmorethanXX%alert
§ Warnyourteamsotheycanactbeforeaproblem
§ Alertbroadandwide.Transparencybuildstrust,trustbuildsconfidence.
§ Continuetofinetunealerts
![Page 49: Pre-Con Ed: Who's minding the SSO store?](https://reader031.vdocuments.mx/reader031/viewer/2022020301/587269211a28ab31498b54d7/html5/thumbnails/49.jpg)
49 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD
Step4– CreateDashboards
§ Createdashboardstohelpyourteamstayontopofthesolution.
§ Identifythemostcriticalitemsandputtheminfirst
§ Identifythemosttroublesomeandputtheminsecond
§ Makesureeveryoneknowshowtogettothemandhowtoreadthem.
![Page 50: Pre-Con Ed: Who's minding the SSO store?](https://reader031.vdocuments.mx/reader031/viewer/2022020301/587269211a28ab31498b54d7/html5/thumbnails/50.jpg)
50 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD
Step5– Advertise,Engage,andSell
§ Createdashboardsforyour‘customer’tosee– Generalonesthatareacrossthewholesolution– Specificapplicationbaseddashboardsforlargerapps
§ Createanexecutivereportandsenditoutregularlytoyourcustomers,theirchainofcommandandyourchainofcomment.– Advertiseyoursuccess.
§ Considerasubscriptionmodeltoyoursuccessesandchallenges– Internaltwitterfeedswherecustomerscansubscribeandjustseewhatis
goingon.
![Page 51: Pre-Con Ed: Who's minding the SSO store?](https://reader031.vdocuments.mx/reader031/viewer/2022020301/587269211a28ab31498b54d7/html5/thumbnails/51.jpg)
51 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD
RecommendedSessions
SESSION# TITLE DATE/TIME
SCX12EPre-ConEd:FiveEasyStepsforMigratingtoCADirectory
11/15/2016at3:30pm
SCT44TWebAccessManagementandFederation–TwoGreatTastesthatTasteGoodTogether
11/16/2016at11:30am
SCX20SCARoadmap:Authentication,SingleSign-On,Directory
11/17/2016 at 01:45pm
![Page 52: Pre-Con Ed: Who's minding the SSO store?](https://reader031.vdocuments.mx/reader031/viewer/2022020301/587269211a28ab31498b54d7/html5/thumbnails/52.jpg)
52 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD
WeWanttoHearFromYou!
§ ITCentralisaleadingtechnologyreviewsite.CAhasthemtohelpgenerateproductreviewsforourSecurityproducts.
§ ITCSstaffwillbeatmostsessions.Ifyouwouldliketoofferaproductreview,pleaseaskthemaftertheclass,orgobytheirbooth.
Note:§ Onlytakes5-7mins§ Youhavetotalcontroloverthereview§ Itcanbeanonymous,ifrequired
![Page 53: Pre-Con Ed: Who's minding the SSO store?](https://reader031.vdocuments.mx/reader031/viewer/2022020301/587269211a28ab31498b54d7/html5/thumbnails/53.jpg)
53 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD
Questions?
![Page 54: Pre-Con Ed: Who's minding the SSO store?](https://reader031.vdocuments.mx/reader031/viewer/2022020301/587269211a28ab31498b54d7/html5/thumbnails/54.jpg)
54 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD
Thankyou.
Stayconnectedatcommunities.ca.com
![Page 55: Pre-Con Ed: Who's minding the SSO store?](https://reader031.vdocuments.mx/reader031/viewer/2022020301/587269211a28ab31498b54d7/html5/thumbnails/55.jpg)
55 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD
Security
FormoreinformationonSecurity,pleasevisit:http://cainc.to/EtfYyw