Identity Router Status Servlet Report
When queried by a load balancer, the identity router status servlet delivers a text-based report that describes usage and status of the hardware and services running on the identity router.
Note: This information does not apply to the identity router embedded in Authentication Manager.
Identity Router Status Servlet URLs
The status servlet is accessible at https://<identityroutermanagementIP><:port>/status/v2, where:
- <identityroutermanagementIP> is the identity router management IP address
- <:port> is :9786 for identity routers in the Amazon cloud, identity routers with one network interface, and identity routers deployed in Authentication Manager. This is not required for on-premises identity routers with two network interfaces.
Note: Alternatively, you can use http://<identityroutermanagementIP>:8080/status/v2. Traffic to port 8080 is blocked by the default identity router firewall rules. You must configure a custom firewall rule to access the status servlet on port 8080.
If High Availability is enabled for the cluster, you can also access the status servlet through the portal interface using the following URLs:
Portal Interface URL | Returns |
---|---|
https://<portal hostname>/status/v2/lbstatus | OK |
https://<portal hostname>/status/v2 | Full component-level status |
See your load balancer documentation to configure status queries. Your load balancer must have specific capabilities to connect to the identity router. For more information, see Load Balancer Requirements.
Load Balancer Status
Load balancer status, /status/v2/lbstatus, returns OK when all resources and services on the identity router are working. Load balancer status is determined by the .status field of all the Status Indicators listed in /status/v2.
If the identity router cannot connect to the Cloud Authentication Service, the lbstatus is OK because the identity router can still reach the identity source and users can access applications that only require an LDAP directory password. Step-up authentication fails and an error message is logged.
Identity Router Status Servlet Report Description
The following table describes each section of the identity router status report.
Section | Description | Example |
---|---|---|
Global Status |
General status of the identity router, and the date and time when the status report was last updated. GlobalStatus.status returns OK when all resources and services on the identity router are working. Cross-site replication does not affect this status. GlobalStatus.status is determined by the .status field of all the Status Indicators listed in /status/v2, except for CrossSiteReplStatus. If any .status field is Failed, then the GlobalStatus.status is also Failed. |
#LAST UPDATE : Tue, 10 May 2016 23:26:20 +0000 GlobalStatus.status=OK GlobalStatus.lastUpdate=1462922780254 |
SecurID Services |
Status of SecurID services hosted by the identity router. Active services list, and a count of services in each state (running, paused, stopped). ServicesStatus.status returns OK when all SecurID services are working. Services related to SSO Agent or RADIUS which are stopped or paused because those features are disabled do not affect this status. |
### ServicesStatus ### ServicesStatus.status=OK ServicesStatus.runningServiceCount=73 ServicesStatus.runningServiceList=bootstrapService, templateCacheService,templateService,spService, networkBridge,updateConfigService,applicationServerService, adapterService,dynamicLoaderService,ssoService, customerService,dlpService,securityTokenService, strongAuthenticationService,storageService, clusterCacheStoreService,crossSiteClusterAdminService, cacheFactoryService,clusterLockingService, loginGuardService,cipherService, tokenReplayPreventionService,sessionCacheService, sessionService,delegatedAuthenticationService, sessionsResource,sessionResource,sessionInfoService, userProfileService,keychainsResource,keychainResource, applicationKeyResource,backupService, dataImportExportService,endUserCountService, wsApiAccountService,auditService, userStoresResource,userStoreResource, portalConfigurationResource,applicationResource, applianceSetupService,modsinglepointRequestServer, applianceScheduleService,keystoreService,featuresService, keychainUpdateService,keychainRetrievalService, networkService,simpleLinkVpnService, virtualUserStoreService,authorization, authorizedApplicationsResource,authentication, virtualIwaService,policyEngineService, cookiePoolService,sloService,logoutService, loginService,directAuthenticationService, userPasswordManagerService,cookieFilterService, userResource,provisioningService,provisioningPollingService, customRouteService,portalImageService, applicationsResource,customizedPortalImageService, idpService,httpFedDirectLoginService,customerInfoService, ServicesStatus.pausedServiceCount=0 ServicesStatus.stoppedServiceCount=0 |
System Services |
Status of essential system services running on the identity router. SystemServiceStatus.status returns OK when all essential system services are working. SystemServiceStatus.ntp indicates if the NTP service is running on the identity router. |
### SystemServiceStatus ### SystemServiceStatus.status=OK SystemServiceStatus.dnsmasq=true SystemServiceStatus.syslog=true SystemServiceStatus.ntp=true SystemServiceStatus.apache2=true |
Sessions |
Status of user sessions being managed by the identity router. Total active user sessions, and sessions rejected by the identity router. SessionStatus.status returns OK when the identity router can retrieve session information. |
### SessionStatus ### SessionStatus.status=OK SessionStatus.total=0 SessionStatus.rejected=0 |
System Memory |
Status of system memory on the identity router. Total system memory and the free memory space available. SystemMemoryStatus.status returns OK when the system can retrieve virtual memory statistics. SystemMemoryStatus.health returns the health status of the system memory. |
### SystemMemoryStatus ### SystemMemoryStatus.status=OK SystemMemoryStatus.maxMemory=8193MB SystemMemoryStatus.freeMemory=5133MB SystemMemoryStatus.percentFree=62% SystemMemoryStatus.health=HEALTHY |
CPU |
Status of the virtual CPUs on the identity router. CpuStatus.status returns OK when the system can retrieve virtual processor statistics. CpuStatus.health returns HEALTHY when the CPU Idle Percentage is less than 20%. |
### CpuStatus ### CpuStatus.status=OK CpuStatus.health=HEALTHY CpuStatus.userPercent=0.29643318 CpuStatus.sysPercent=0.21173798 CpuStatus.waitPercent=0.0038497816 CpuStatus.idlePercent=99.487976 |
Uptime |
Uptime status for the identity router. Days, hours, and minutes since the identity router was last powered on. Uptime in total seconds. UptimeStatus.status returns OK when the system can retrieve uptime data from the /proc/uptime file. |
### UptimeStatus ### UptimeStatus.status=OK UptimeStatus.uptimeDays=8 UptimeStatus.uptimeHours=22 UptimeStatus.uptimeMinutes=2 UptimeStatus.uptime=770572.41 (s) |
Logging |
Logging status for the identity router. Current level of detail for identity router logs. Displays INFO or DEBUG. LogStatus.status displays OK when the identity router can successfully generate audit logs. |
### LogStatus ### LogStatus.status=OK LogStatus.logLevel=INFO |
Cross-Site Replication |
Cross-site replication status for the identity router. Name of the configured backup cluster. CrossSiteReplStatus.status returns OK when backup clusters are running and the number of replication failure entries is less than the error threshold. CrossSiteReplStatus.siteReplStatus can return the following: NOT_INIT - The backup cluster is not initialized. OK - There are fewer than 10 failed replication entries. WARN - There are more than 10 failed replication entries, but fewer than 100. ERROR - There are more than 100 failed replication entries. |
### CrossSiteReplStatus ### CrossSiteReplStatus.status=OK CrossSiteReplStatus.siteName=clusterDr CrossSiteReplStatus.siteReplStatus=OK |
Cluster |
Cluster status for the identity router. Number of identity routers in the cluster. Also indicates whether the identity router is operating in read-only or quorum mode, and if it is acting as the cluster coordinator. ClusterStatus.status returns OK when the clusterCacheStoreService is running. |
### ClusterStatus ### ClusterStatus.status=OK ClusterStatus.clusterSize=3 ClusterStatus.coordinator=true ClusterStatus.readOnly=false ClusterStatus.inQuorum=true ClusterStatus.clusterNodeEnabled=true |
File System |
File system status for the identity router. Total file storage space, and available free space. FileSystemStatus.status returns OK when usable space is at least 10%. |
### FileSystemStatus ### FileSystemStatus.status=OK FileSystemStatus.total=10078MB FileSystemStatus.usable=6654MB |
Java Memory |
Java memory status for the identity router. Total memory accessible to Java, Java memory currently in use, and the amount of free Java memory available. JavaMemoryStatus.status returns OK when free Java memory is at least 10%. |
### JavaMemoryStatus ### JavaMemoryStatus.status=OK JavaMemoryStatus.maximum=3183MB JavaMemoryStatus.used=160MB JavaMemoryStatus.free=3022MB |
Authentication Load |
Authentication load status for the identity router. Average CPU and IO system load on the identity router over the last one, five, and ten minutes. LoadStatus.status returns OK when the system can retrieve the load status. |
### LoadStatus ### LoadStatus.status=OK LoadStatus.1m=0.57 LoadStatus.5m=0.44 LoadStatus.10m=0.42 |
Keychain Backup Storage |
Keychain backup storage status for the identity router. Indicates the configured storage destination for keychain backups, and whether a non-local storage location is ready, reachable, and writable. StorageStatus.status returns OK when storageService is running. StorageStatus.mode can return the following: ERROR - No storage is configured. NFS - NFS external storage is configured. CIFS - CIFS external storage is configured. LOCAL - Local storage. INVALID/UNKNOWN - Storage other than above is configured. |
### StorageStatus ### StorageStatus.status=OK StorageStatus.mode=LOCAL StorageStatus.isReady=true StorageStatus.isReachable=true StorageStatus.isWritable=true |
Cloud Connectivity | Identity router status for Cloud Authentication Service connectivity. OK and HEALTHY status indicates the two components are connected. |
### CloudConnectivityStatusMonitor ### CloudConnectivityStatusMonitor.status=OK CloudConnectivityStatusMonitor.health=HEALTHY |
Identity Source |
Identity router status for the identity source. OK and HEALTHY status indicates that the identity router can reach all of the connected identity sources. PARTIAL_HEALTHY status indicates that the identity router cannot reach all of the identity sources. |
### IdentitySourceStatusMonitor ### IdentitySourceStatusMonitor.status=OK IdentitySourceStatusMonitor.health=PARTIAL_HEALTHY |
DNS Connectivity |
Identity router status for DNS connectivity. OK and HEALTHY status indicates the two components are connected. |
### DnsConnectivityStatus ### DnsConnectivityStatus.status=OK DnsConnectivityStatus.health=HEALTHY |
Cloud Time Check |
Indicates whether time is synchronized for the identity router and the Cloud Authentication Service. CloudTimeCheckStatusMonitor can return the following: OK, HEALTHY - The two components are connected and time is synchronized. UNHEALTHY - The time difference between the identity router and the Cloud Authentication Service is greater than 60 seconds. |
### CloudTimeCheckStatusMonitor ### CloudTimeCheckStatusMonitor.status=OK CloudTimeCheckStatusMonitor.health=UNHEALTHY |
NTP | Indicates whether the identity router can reach the NTP server. OK and HEALTHY status indicates the two components are connected. |
### NTPStatusMonitor ### NTPStatusMonitor.status=OK NTPStatusMonitor.health=UNHEALTHY |
SID Connectivity | Indicates whether the identity router can reach RSA Authentication Manager. OK and HEALTHY status indicates the two components are connected. |
### SIDConnectivityStatusMonitor ### SIDConnectivityStatusMonitor.status=OK SIDConnectivityStatusMonitor.health=HEALTHY |
Repo Connectivity |
Identity router status for connections to the following repositories:
OK and HEALTHY status indicates the identity router is connected to the repositories. |
### RepoConnectivityStatusMonitor ### RepoConnectivityStatusMonitor.status=OK ZypperRepoConnectivityStatus.health=HEALTHY MavenRepoConnectivityStatus.health=HEALTHY |
Cloud Authentication Service Connections |
CloudAuthenticationServiceConnectionsStatus can return the following: OK, HEALTHY - The identity router can reach all Cloud Authentication Service IP addresses, including the currently used IP address and every alternate IP address. UNHEALTHY - The identity router cannot reach either the currently used IP address or one or more of the alternate Cloud Authentication Service IP addresses. AlternateIP.Reachability can return the following connection status for each alternate IP address: REACHABLE - The identity router can reach the Cloud Authentication Service alternate IP address. UNREACHABLE - The identity router cannot reach the Cloud Authentication Service alternate IP address. EXPIRED_REMOTE_CERTS - The identity router can reach the Cloud Authentication Service alternate IP address, but the SSL certificates for the alternate IP address have expired. INVALID_CERTS - The identity router can reach the Cloud Authentication Service alternate IP address, but the SSL certificates for the alternate IP address are invalid. IP_BLOCKED_BY_PROXY_OR_FIREWALL - The Cloud Authentication Service alternate IP address and host port combination is blocked by a proxy server or an upstream firewall. UNTRUSTED_MITM_PROXY_OR_INVALID_CERTS - The identity router does not trust SSL proxy certificates or the SSL proxy certificates are invalid for the Cloud Authentication Service alternate IP address. INVALID_PROXY_DETAILS - The identity router cannot connect to the Cloud Authentication Service alternate IP address because proxy server details are invalid. INVALID_PROXY_CRED - The identity router cannot authenticate to the Cloud Authentication Service alternate IP address because proxy server credentials are wrong. INVALID_ENDPOINT - The identity router cannot connect because the Cloud Authentication Service alternate IP address is malformed. UNKNOWN_ERROR - An unknown error occurred while the identity router tried to reach the Cloud Authentication Service alternate IP address. |
### CloudAuthenticationServiceConnections ### CloudAuthenticationServiceConnections.status=OK CloudAuthenticationServiceConnections.health=HEALTHY CurrentCloudIP.Reachability=REACHABLE AlternateCloudIP.Reachability=REACHABLE
### CloudAuthenticationServiceConnections ### CloudAuthenticationServiceConnections.status=OK CloudAuthenticationServiceConnections.health=UNHEALTHY CurrentCloudIP.Reachability=REACHABLE AlternateCloudIP.Reachability=UNREACHABLE(unable to reach the target)
### CloudAuthenticationServiceConnections ### CloudAuthenticationServiceConnections.status=OK CloudAuthenticationServiceConnections.health=UNHEALTHY CurrentCloudIP.Reachability=UNREACHABLE(unable to reach the target) AlternateCloudIP.Reachability=REACHABLE
### CloudAuthenticationServiceConnections ### CloudAuthenticationServiceConnections.status=OK CloudAuthenticationServiceConnections.health=UNHEALTHY CurrentCloudIP.Reachability=UNTRUSTED_MITM_PROXY_OR_INVALID_CERTS(SSL proxy certificates are not trusted or target URL certificates are invalid) AlternateCloudIP.Reachability=UNTRUSTED_MITM_PROXY_OR_INVALID_CERTS(SSL proxy certificates are not trusted or target URL certificates are invalid) |
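
Several examples in the table show .status=OK next to .health=UNHEALTHY or a non-REACHABLE value, so a monitor that only reads lbstatus or GlobalStatus.status will not see clock drift or an untrusted proxy certificate. The following added example (not part of the product or its documentation) parses a report, re-derives GlobalStatus.status by the rule described in the table, and lists the degraded indicators; it assumes the servlet returns one key=value pair per line with "#" header lines, and the sample report is constructed from values shown above.

```python
# Added example, not vendor code. Assumes one key=value pair per line, "#" lines are headers.
SAMPLE_REPORT = """\
#LAST UPDATE : Tue, 10 May 2016 23:26:20 +0000
GlobalStatus.status=OK
### SystemServiceStatus ###
SystemServiceStatus.status=OK
### CrossSiteReplStatus ###
CrossSiteReplStatus.status=Failed
CrossSiteReplStatus.siteReplStatus=ERROR
### CloudTimeCheckStatusMonitor ###
CloudTimeCheckStatusMonitor.status=OK
CloudTimeCheckStatusMonitor.health=UNHEALTHY
### CloudAuthenticationServiceConnections ###
CloudAuthenticationServiceConnections.status=OK
CloudAuthenticationServiceConnections.health=UNHEALTHY
CurrentCloudIP.Reachability=REACHABLE
AlternateCloudIP.Reachability=UNTRUSTED_MITM_PROXY_OR_INVALID_CERTS(SSL proxy certificates are not trusted or target URL certificates are invalid)
"""  # constructed sample built from values shown in the table

def parse_report(text):
    """Return {key: value}, skipping blank lines, '#' headers and stray text."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    return fields

def derive_global_status(fields):
    """Failed if any indicator .status is Failed; CrossSiteReplStatus is excluded."""
    skip = ("GlobalStatus.", "CrossSiteReplStatus.")
    for key, value in fields.items():
        if key.endswith(".status") and not key.startswith(skip) and value == "Failed":
            return "Failed"
    return "OK"

def degraded_indicators(fields):
    """Health or reachability values that need attention even when .status is OK."""
    findings = {}
    for key, value in fields.items():
        if key.endswith(".health") and value != "HEALTHY":
            findings[key] = value
        elif key.endswith(".Reachability") and not value.startswith("REACHABLE"):
            findings[key] = value.split("(", 1)[0]  # drop the "(detail)" suffix
    return findings

if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    print(derive_global_status(report), degraded_indicators(report))
```

Alerting on the degraded_indicators output, rather than on the OK/Failed verdict alone, surfaces conditions such as UNTRUSTED_MITM_PROXY_OR_INVALID_CERTS and time drift that leave the status fields at OK in the examples above.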