3.3 Monitoring connectivity
MyID supports sending SNMP trap notifications from the server, and provides its own SNMP agent to allow external software to monitor the status of MyID's systems.
By default, both methods are disabled. You must enable them before you can use them.
Note: MyID currently supports only versions 1 and 2c of the SNMP protocol.
If the monitoring system detects a problem, you can use the MyID System Events workflow to find additional information about the problem. For KeyServer or HSM issues, the Windows event log may provide additional details.
3.3.1 Supported monitoring
MyID supports the following monitoring methods:
MyID Component | Description | SNMP trap | | SNMP agent |
---|---|---|---|---|
eKeySrv | KeyServer used for encryption and decryption. | ✔ | | ✔ |
Edefice_DAL | Database access layer. | | | ✔ |
eCS | Certificate authority access layer. | ✔ | ✔ | ✔ |
3.3.2 SNMP attributes
Each component currently supports the same SNMP attributes, as defined in the MyIDMIB file.
Name | Description |
---|---|
Error ID | A unique, per component, value for the error. |
Error Description | A short descriptive name for the associated error ID. |
Error Message | The original error message associated with this error. |
The eCS component has the following possible errors:
Error | Description |
---|---|
1 | Unknown error |
2 | Certificate Authority unavailable |
The eKeySrv component has the following possible error:
Error | Description |
---|---|
1 | Unknown error |
The Edefice_DAL component has the following possible errors:
Error | Description |
---|---|
1 | Unknown error |
2 | Could not connect |
3 | Access violation |
3.3.2.1 MIB definition file
MyID provides a MyIDMIB.mib file, which defines, in standard MIB format, all the MIB objects that MyID can report. Load this file into your external SNMP monitoring system so that it can identify the objects and attributes being reported.
The MIB file is installed to the Utilities folder on the MyID application server; by default, this is:
C:\Program Files\Intercede\MyID\Utilities
3.3.3 SNMP trap notifications
MyID provides the ability to send SNMP Trap notifications from the following systems:
- KeyServer – used to provide secure encryption and decryption. Used for communication with HSMs.
- Certificate Server – used to communicate with certificate authorities.
To enable the SNMP trap on a component, you must update the Notifications table in the MyID database to enable notifications and set the destination to the IP address of the external monitoring system.
The following notifications are used:
- Certificate Server Status
- KeyServer Status
For example:
UPDATE [Notifications] SET [Enabled] = 1, [Destination] = '192.168.1.1'
WHERE [Name] = 'Certificate Server Status' AND [Type] = 'SNMP';
UPDATE [Notifications] SET [Enabled] = 1, [Destination] = '192.168.1.1'
WHERE [Name] = 'KeyServer Status' AND [Type] = 'SNMP';
Replace 192.168.1.1 with the IP address of your external monitoring system.
3.3.4 Email notifications
In addition to the notifications with a Type of SNMP, for certificate server status notifications MyID provides a backup notification with a Type of EMAIL – this notification contains the same information. If you have configured your system to send email (see section 5, Setting up email), MyID will send email notifications at the same time as it sends SNMP trap notifications. To enable these notifications, use the following SQL statement on the MyID database:
UPDATE [Notifications] SET [Enabled] = 1
WHERE [Name] = 'Certificate Server Status' AND [Type] = 'EMAIL';
These email notifications use the following email template, which you can edit using the Email Templates workflow:
- Certificate Server Status (ID 156)
This email template contains substitution codes for the appropriate error messages.
3.3.5 SNMP Agent notifications
MyID provides an SNMP Agent to allow you to use an external system to monitor the status of MyID's systems. By default, this agent is disabled.
To set up the SNMP Agent, you must edit the following file on the MyID application server:
C:\Program Files\Intercede\MyID\Components\SnmpAgent\myid.config
You can set the following options:
Name | Description | Default value |
---|---|---|
IP | The IP address on which the agent should listen. | 127.0.0.1 |
Port | The port on which the agent should listen. | 161 |
SNMPVersions | A comma separated list of SNMP versions that are supported. Possible values: 1 – Version 1. 2 – Version 2c. 1,2 – Versions 1 and 2c. Note: Only SNMP versions 1 and 2c are currently supported. | 2 |
Community | The SNMP community value. This must match the value configured on the monitoring software. | intercede |
PrivacyUsername | Reserved for future use. | |
PrivacyPassword | Reserved for future use. | |
PrivacyAlgorithm | Reserved for future use. | |
AuthAlgorithm | Reserved for future use. | |
AuthPassword | Reserved for future use. | |
Once you have saved the configuration file, you must enable the monitoring for each component in the registry on the MyID application server.
In the following location:
HKEY_LOCAL_MACHINE\SOFTWARE\Intercede\Edefice\SNMP
there is a single DWORD value for each component. Set the value to 1 to enable monitoring, and 0 to disable monitoring for this component.
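To check the result of the two steps above, the following added example (not part of the MyID product or its documentation) lists the per-component DWORD values under the SNMP registry key and reports which local address holds the agent's UDP port. It assumes the default port 161 from the options table; the function names are illustrative.

```powershell
# Added example, not MyID code. Function names are illustrative.
$SnmpKey = 'HKLM:\SOFTWARE\Intercede\Edefice\SNMP'

function Get-MyIdSnmpMonitoring {
    # One DWORD per component: 1 = monitoring enabled, 0 = disabled.
    param([string]$Path = $SnmpKey)
    $key = Get-Item -Path $Path -ErrorAction Stop
    foreach ($name in $key.GetValueNames()) {
        if ($key.GetValueKind($name) -ne 'DWord') { continue }
        [pscustomobject]@{
            Component = $name
            Value     = $key.GetValue($name)
            Enabled   = ($key.GetValue($name) -eq 1)
        }
    }
}

function Get-SnmpListenerBinding {
    # Assumption: the agent uses the default port 161 unless -Port is given.
    param([int]$Port = 161)
    $endpoints = Get-NetUDPEndpoint -LocalPort $Port -ErrorAction SilentlyContinue
    foreach ($ep in $endpoints) {
        $proc = Get-Process -Id $ep.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress  = $ep.LocalAddress
            LocalPort     = $ep.LocalPort
            OwningProcess = $proc.ProcessName   # shows which service holds the port
            LoopbackOnly  = $ep.LocalAddress -in @('127.0.0.1', '::1')
        }
    }
}

Get-MyIdSnmpMonitoring | Format-Table -AutoSize

$bindings = @(Get-SnmpListenerBinding)
if ($bindings.Count -eq 0) {
    Write-Output 'No UDP listener on the agent port: the agent is not running or uses another port.'
} else {
    $bindings | Format-Table -AutoSize
    # SNMP v1 and v2c carry the community string in clear text, so a listener on a
    # non-loopback address should be restricted to the monitoring system by firewall rule.
    $bindings | Where-Object { -not $_.LoopbackOnly } | ForEach-Object {
        Write-Warning "UDP listener on $($_.LocalAddress):$($_.LocalPort) is not loopback-only"
    }
}
```

Run it in an elevated PowerShell session on the MyID application server after restarting the agent so that the saved configuration is in effect.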
3.3.6 Notification reminders
The initial notification is sent when the monitoring service registers the problem. If the problem is not resolved, the notification is sent again after the following intervals:
- 10 minutes
- 30 minutes
- 1 hour
- 4 hours
- 12 hours
- 1 day
Once the final notification has been sent after 1 day, no further notifications are sent.