SENTRA – Monitoring Cryptographic Authentication
Insider Technologies
Dan
Insider Technologies' Sentra enterprise monitoring solution provides real-time monitoring of every element of an Authentication Server cryptographic environment: the applications, the certificates, the Daemon and the underlying cryptographic infrastructure.
Introduction
Sentra maintains a centralised database of performance data from one or more Authentication Server environments and provides real-time analysis. The outcome is a collection of dashboards that represent the monitored environments, incorporating real-time performance, service level alerts and graphs representing nominated metrics.
Sentra uses agents, known as 'extraction clients', to read the required information from the target environment and relay it back to the Sentra server.
Database
As the Sentra database is updated by the extraction clients, the information can be processed in real time by a variety of techniques, e.g.:
- Rules to analyse the data and alert to a dashboard, an enterprise manager or mobile devices.
  - A rule can be as simple as checking the level of a value in a table row or scanning for a particular keyword in a log entry.
  - More complicated rules can also be built, aggregating data from a number of rows, tables or systems, or over time.
- Graphs and charts can be linked together to create a drill-down approach to identifying the root cause of any issue identified.
Architecture Description
The Authentication Server environment provides authentication services to applications, which forward user requests to it. A typical case is a user authenticating with chip and PIN, where the application sends an EMV request to the Authentication Server for processing.
Processing such a request may involve objects such as cryptographic keys and certificates held on dedicated hardware such as a Cryptographic Module. Other operations, such as verifying the signature on an incoming request, also require communication with a database and with a CRL or a third-party OCSP (Online Certificate Status Protocol) responder to check the revocation status of the certificates involved.
The authentication environment may also output logs to disk and produce JMX performance counters.
Sentra for Authentication uses extraction clients (agents) to gather data from all parts of this complex and critical system and store it in the central Sentra database, ready for analysis.
Sentra Installation
Sentra is installed on its own Windows server with an attached SQL database. A number of extraction clients are then utilised, e.g.:
Authentication Log Monitoring – Disk
This client is installed within the Authentication Server environment to read the contents of any Authentication Server log.
Each log entry is parsed into its component parts (timestamp, channel, service name and message), and the result is written to Sentra SQL tables for evaluation and reporting.
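The following Python is an added example written for this page, not Sentra's own extraction client or rules engine. It shows the two steps described in the Database section and here: parsing log entries into timestamp, channel, service name and message, then applying the three kinds of rule mentioned above, a keyword match on a log entry, a threshold check on a value in a table row (with a warning level below the hard limit so the alert arrives before the limit is hit), and an aggregate rule that counts matching events per channel over a time window. The log layout, the sample log lines and the pool table are all constructed for the example; the real Authentication Server format is not documented on this page.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed log layout for this example (an assumption, not the real Authentication
# Server format): "<ISO-8601 UTC timestamp> [<channel>] <service name>: <message>"
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+"
    r"\[(?P<channel>[^\]]+)\]\s+"
    r"(?P<service>[^:]+):\s+"
    r"(?P<message>.*)$"
)

# Constructed sample entries in the layout above; the last one is deliberately malformed.
SAMPLE_LOG = """\
2021-03-04T10:15:22Z [CH01] EMVAuth: request verified, trace 0001
2021-03-04T10:15:40Z [CH01] EMVAuth: HSM request timeout after 5000 ms
2021-03-04T10:17:05Z [CH02] OCSP: responder returned good for trace 0002
2021-03-04T10:18:10Z [CH01] EMVAuth: HSM request timeout after 5000 ms
2021-03-04T10:19:30Z [CH01] EMVAuth: HSM request timeout after 5000 ms
this line does not match the expected layout
""".splitlines()

# Constructed sample of a connection-pool table: current versus maximum connections.
POOL_ROWS = [
    {"pool": "db-main", "max": 50, "current": 42},
    {"pool": "db-audit", "max": 20, "current": 6},
    {"pool": "hsm-sessions", "max": 32, "current": 31},
]

def parse_line(line):
    """Split one entry into timestamp, channel, service and message; None if it does not parse."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec

def keyword_rule(rec, keyword):
    """Simple rule: the message contains a particular keyword (case-insensitive)."""
    return keyword.lower() in rec["message"].lower()

def threshold_rule(value, warn, critical):
    """Simple rule on a value: 'warn' fires below the hard limit to give advance notice."""
    if value >= critical:
        return "critical"
    if value >= warn:
        return "warn"
    return None

class WindowCounter:
    """Aggregate rule: fire when `limit` matching events land in one channel within `window`."""

    def __init__(self, window, limit):
        self.window, self.limit = window, limit
        self.seen = defaultdict(deque)  # channel -> timestamps of matching events

    def add(self, rec):
        q = self.seen[rec["channel"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > self.window:  # drop events that fell out of the window
            q.popleft()
        return len(q) >= self.limit

def evaluate_log(lines, keyword="timeout", window=timedelta(minutes=5), limit=3):
    """Parse each entry and return the alerts raised as (rule, channel, detail) tuples."""
    alerts = []
    counter = WindowCounter(window, limit)
    for line in lines:
        rec = parse_line(line)
        if rec is None:  # an entry the parser cannot read is itself worth an alert
            alerts.append(("unparsed", None, line))
            continue
        if keyword_rule(rec, keyword):
            alerts.append(("keyword", rec["channel"], rec["message"]))
            if counter.add(rec):
                alerts.append(("aggregate", rec["channel"],
                               f"{limit} or more '{keyword}' entries within {window}"))
    return alerts

def pool_alerts(rows, warn_pct=80, crit_pct=95):
    """Threshold rule over table rows: pool utilisation as a percentage of its maximum."""
    out = []
    for r in rows:
        pct = 100.0 * r["current"] / r["max"]
        level = threshold_rule(pct, warn_pct, crit_pct)
        if level:
            out.append((level, r["pool"], round(pct, 1)))
    return out

if __name__ == "__main__":
    for alert in evaluate_log(SAMPLE_LOG) + pool_alerts(POOL_ROWS):
        print(alert)
```

On the sample data the keyword rule fires three times on channel CH01, the third occurrence also trips the five-minute aggregate rule, the malformed line is reported rather than silently dropped, and the pool table yields a warning for `db-main` at 84% and a critical alert for `hsm-sessions` at 96.9%. Keeping the warning level below the hard limit is what gives the advance notice the pool scenario later on this page asks for.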
Authentication Log Monitoring – Database
This client works in exactly the same way as 'Log Monitoring – Disk', except that instead of reading from disk it reads the log and table information directly from the Authentication Server SQL database.
Authentication Devices Monitoring
This client is installed onto the Authentication Server environment. It reads device (token) information from the cryptographic devices through the PKCS#11 library (pkcs11.dll). The data is then written to the Sentra SQL database for alerting and reporting purposes.
Authentication Device Objects Monitoring
This client is installed onto the Authentication Server environment. It reads device object information (keys, certificates etc.) from the cryptographic devices through the PKCS#11 library (pkcs11.dll); only object metadata such as labels, types and counts is read, not the key material itself. The data is written to the Sentra SQL database for alerting and reporting purposes.
JMX Monitoring
This client is installed onto the Authentication Server environment. It reads JMX performance counters and attributes from the Daemon process. Performance data is written to the Sentra SQL Database for evaluation and reporting purposes.
Windows Event Log / Performance Monitoring
This client represents a number of clients that can be installed on the platform where the Authentication Server application is running.
They can be used to read hardware performance data, subsystem performance data such as SQL Server performance metrics, and event log information. Data is written to the Sentra SQL database for evaluation and reporting purposes.
Benefits of Sentra for Authentication Monitoring
A number of these are summarised below:
- Single Point of Contact for Monitoring & Alerting
- Restricted Access to Sentra Functions
- Simple Access to Disparate Data
- Real Time Alerting to Potential Issues
- Automated Issue Resolution
- No Access to Sensitive Information
- Performance Improvements
Example Scenarios
Two example scenarios illustrate the advantages of installing Sentra to monitor and manage an Authentication Server environment.
Problem – How do I Monitor Pool Usage without Turning on Debugging?
Your Authentication Server environment has been installed and running for some time, and you are unsure what impact a potential increase in transactions will have on it.
Database pools running out of connections may result in failed transactions during busy periods.
As this is a production server, you cannot interrupt the service you provide to your customers in order to restart the Authentication Server environment, and the business is reluctant to run with debugging turned on: it would add overhead to the service and would require downtime to restart the Authentication Server with the new settings.
Solution – Use a Sentra Hypervisor to Display Pool Metrics
A Sentra Hypervisor can be configured to provide an overall view of the Authentication Server environment.
This initial view consists of linked icons that represent elements of the Authentication Server environment, such as channels, pools or cryptographic devices. The view can also display simple graphs that provide an indication of performance metrics such as TPS or pool utilisation.
By clicking on the icons in this Hypervisor, further drill-down views can be launched that will display detailed information relating to the selected element. A drill-down view for a channel or pool could display information relating to minimum, maximum and current pool allocation that is updated in real time. This will give an ‘at a glance’ indication of the current and historical state of the pools.
Rules can be configured to monitor these values. If a rule's criteria are met, an alert fires and the relevant Hypervisor icons flash, indicating that a threshold is about to be breached and giving advance warning of any configuration changes that may be required.
Problem – How do I Monitor Cryptographic Memory Utilisation?
You are unaware of the number of certificates and data objects that are stored on each of the cryptographic devices, or servers within your Authentication Server environment but you suspect that they may be nearing capacity.
Checking this by hand would require constant manual intervention and would expose device functions that you do not want made available to the general user population.
Solution – Deploy the Sentra Authentication Extraction Client
The Sentra for Authentication application includes an extraction client that will automatically poll your cryptographic and/or server environments at a specified interval and retrieve information relating to memory utilisation and certificate counts.
As with all information written to the Sentra Database, this information can be interrogated and charted on a Hypervisor view to give a real time and historical view of these values for each cryptographic environment.
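As an added example (written for this page, not Sentra's own extraction client), the following Python shows what such a poll can collect from a PKCS#11 device and how a capacity rule is applied to it. The collection step reads the token's memory figures from CK_TOKEN_INFO and counts certificate and private-key objects through PyKCS11, a Python binding for PKCS#11; the library path, slot index and PIN are assumptions, and the collection function is only exercised when a real device is present. The sample figures at the end are constructed so the rule can be run without a device.

```python
from dataclasses import dataclass

# PKCS#11 reserves two values for memory fields a token cannot or will not report.
CK_EFFECTIVELY_INFINITE = 0
CK_UNAVAILABLE_INFORMATION = {(1 << 32) - 1, (1 << 64) - 1}  # ~0UL on 32- and 64-bit builds

@dataclass
class TokenCapacity:
    """The figures an extraction client would write to the database for one device."""
    label: str
    total_public: int     # CK_TOKEN_INFO.ulTotalPublicMemory
    free_public: int      # CK_TOKEN_INFO.ulFreePublicMemory
    total_private: int    # CK_TOKEN_INFO.ulTotalPrivateMemory
    free_private: int     # CK_TOKEN_INFO.ulFreePrivateMemory
    certificates: int     # objects with CKA_CLASS == CKO_CERTIFICATE
    private_keys: int     # objects with CKA_CLASS == CKO_PRIVATE_KEY

def utilisation_pct(total, free):
    """Percentage of token memory in use, or None when the device does not report it."""
    if (total == CK_EFFECTIVELY_INFINITE or total in CK_UNAVAILABLE_INFORMATION
            or free in CK_UNAVAILABLE_INFORMATION):
        return None
    return 100.0 * (total - free) / total

def assess(cap, warn_pct=80, crit_pct=95, max_certificates=None):
    """Rule over one device's figures: warn before memory or certificate count hits capacity."""
    findings = []
    for area, total, free in (("public", cap.total_public, cap.free_public),
                              ("private", cap.total_private, cap.free_private)):
        pct = utilisation_pct(total, free)
        if pct is None:
            findings.append(("info", f"{area} memory figures not reported"))
        elif pct >= crit_pct:
            findings.append(("critical", f"{area} memory {pct:.1f}% used"))
        elif pct >= warn_pct:
            findings.append(("warn", f"{area} memory {pct:.1f}% used"))
    if max_certificates is not None and cap.certificates >= max_certificates:
        findings.append(("critical", f"{cap.certificates} certificates, limit {max_certificates}"))
    return findings

def collect(lib_path, slot_index=0, pin=None):
    """Read the figures from a real device through PyKCS11 (assumed installed, with the vendor's
    PKCS#11 library at lib_path and a token present). Only metadata is read, never key material."""
    import PyKCS11  # imported here so the rule helpers above run without the library installed
    lib = PyKCS11.PyKCS11Lib()
    lib.load(lib_path)
    slot = lib.getSlotList(tokenPresent=True)[slot_index]
    info = lib.getTokenInfo(slot)
    session = lib.openSession(slot)  # a read-only serial session is enough for counting
    logged_in = False
    try:
        if pin is not None:
            session.login(pin)  # private objects are only visible after login
            logged_in = True
        certs = len(session.findObjects([(PyKCS11.CKA_CLASS, PyKCS11.CKO_CERTIFICATE)]))
        keys = len(session.findObjects([(PyKCS11.CKA_CLASS, PyKCS11.CKO_PRIVATE_KEY)]))
    finally:
        if logged_in:
            session.logout()
        session.closeSession()
    return TokenCapacity(info.label.strip(), info.ulTotalPublicMemory, info.ulFreePublicMemory,
                         info.ulTotalPrivateMemory, info.ulFreePrivateMemory, certs, keys)

# Constructed sample figures standing in for a polled device (an assumption, not real data).
SAMPLE = TokenCapacity("AUTH-HSM-01", 262144, 40000, 131072, 4000, 180, 24)

if __name__ == "__main__":
    for finding in assess(SAMPLE, max_certificates=150):
        print(finding)
```

Two details matter in practice. Tokens that do not report memory figures return CK_UNAVAILABLE_INFORMATION or CK_EFFECTIVELY_INFINITE, and the rule records that fact rather than dividing by zero or alerting on a meaningless number. Counting private objects needs a login, so the credential given to a monitoring client should be a user PIN with no other rights; the client reads labels, classes and counts only, which is consistent with the "No Access to Sensitive Information" point in the benefits list above.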
If you would like further information on Sentra for Authentication Monitoring, then please contact Insider Technologies Limited:
+44 161 876 6606