Monitoring Tivoli® Access Manager WebSEAL server transactions using Tivoli® Composite Application Manager for Response Time Tracking

Tivoli® Access Manager WebSEAL, Tivoli® Composite Application Manager for Response Time Tracking and Tivoli Monitoring integration


Following are the topics covered in this article:

  • Introduction
  • Usage scenario
    • Scenario highlights
  • IBM® Tivoli® Access Manager WebSEAL server
    • Overview
    • Highlights
    • Product architecture
  • IBM Tivoli Composite Application Manager for Response Time Tracking (ITCAM RTT)
    • Overview
    • Highlights
    • Product architecture
  • ARM
  • WebSEAL integration with ITCAM for RTT
    • TAM-WebSEAL installation and configuration
    • ITCAM for RTT installation
    • WebSEAL integration steps
    • Installing the ITCAM RTT management agent
    • ITCAM for RTT configuration
    • Discoverying and listening to transactions on the management server
    • Viewing the results in the ITCAM for RTT management console.
  • Integration of ITCAM RTT with IBM® Tivoli Monitoring Server
    • Installation of IBM Tivoli Monitoring Server.
    • Installation of ITCAM Tivoli Enterprise management agent.
    • Motoring reports
  • Conclusion
  • Resources

IBM Tivoli Composite Application Manager (CAM)for Response Time Tracking is a product for measuring the response time of transactions; both real user and synthetic, as they pass through the application environment. One of the primary technologies used to track transactions is application response measurement (ARM). With ARM, a correlator (token) is created when the transaction hits the edge of the monitoring environment and is passed through the components of the application. The CAM management server then collects all the measurement data and can provide response time analysis for the transactions and sub-transactions within the application.

IBM Tivoli Access Manager WebSEAL is a secure reverse Web proxy server that provides authentication, single sign-on (SSO), and authorization services for your Web application environment. In a typical deployment, WebSEAL is deployed in front of the applications server layer in a customer's environment. It is therefore, often the natural edge of the composite application. With the release of version 6.0, WebSEAL can be configured to emit ARM records. This allows us to monitor transaction response times from clients through WebSEAL to the back-end application.

The following table shows the name, acronyms and version for the products that are part of this article.

Table 1. Product list
Product name Acronym Version
IBM® Java runtime environmentIBM® JRE1.4.2
IBM® DB2 Enterprise Server EditionIBM® DB28.2
IBM® Tivoli Directory ServerITDS6.0
IBM® WebSphere Application ServerWAS6.0 Fixpack 2
IBM® Tivoli Access Manager for e-BusinessITAM6.0 Fixpack 9
IBM® Tivoli Composite Application Manager ITCAM6.1
IBM® Tivoli Enterprise Monitoring ITM6.1 Vol 1 Fix Pack 001

Usage scenario

This section outlines an approach for integrating ITCAM for RTT and TAM WebSEAL server. Following is the scenario for this article.

In a typical WebSEAL installation, WebSEAL is the first piece of software that a customer's transaction passes through (in some cases, the request might go through a load balancing device first). WebSEAL, along with the rest of the TAM components, handles authentication and authorization for the request. The request is then passed on via a junction to a back-end application. Typically this junction will handle an SSO that is needed and passes along credentials and extended attributes.

In a typical ITCAM for Response Time Tracking installation, monitoring begins when the transaction hits the Web server, which is running a WebSphere plug-in. The transaction is then tracked through the application servers all the way back to any databases or transaction processing components (CICS, IMS). Using ARM correlators, sub transaction timing is provided for each piece along the transaction's path. Thresholds can be set on whole transactions or sub-transactions and events can be triggered to enable operations to understand which piece of the system is having problems.

If WebSEAL is present, it will most likely be in front of the Web server component. With the new ARM capabilities in WebSEAL 6.0, we can track the transaction starting in WebSEAL, and not just at the Web server. This effectively pushes out our edge one layer further.

Figure 1. Typical scenario
The Virtual Path Junction
The Virtual Path Junction
Figure 2. Integration scenario considered for this article
The Virtual path junction
The Virtual path junction

Scenario highlights

1. More complete transaction visibility. We now can see transaction information for more pieces of the composite application, which allows an operator to better diagnose an application problem.

2. The ability to diagnose problems with load-balanced junctions. In most deployments, a single WebSEAL instance junctions to multiple back-end Web servers running the same applications. If one of those back-end instances suffers performance problems, it is difficult to diagnose. With ITCAM for RTT, we can determine that a specific request was routed to a specific back-end Web server, and we can more quickly diagnose the problem.

3. The ability to track a TAM user name in a transaction. When the user authenticates to WebSEAL as a part of the transaction, that user name is placed into the ARM record. This makes it easier for the Help Desk to match a particular instance of a failed transaction with the user submitting the complaint.

IBM® Tivoli® Composite Application Manager for Response Time Tracking

IBM Tivoli Composite Application Manager (ITCAM) for Response Time offers an integrated platform for understanding end-to-end performance information related to your key customer applications. By measuring performance from complementary real-time and robotics monitors then integrating the information to facilitate rapid responses, ITCAM for Response Time helps you optimize service and simultaneously manage ownership costs.

Additionally, because ITCAM for Response Time is an IBM Tivoli Enterprise Portal-based solution, it enables you to integrate response time information with a wide variety of management tools to further improve the effectiveness and efficiency of service management.

ITCAM for Response Time helps you integrate response time and resource monitoring because it is one of several Tivoli Enterprise Portal-based solutions, which include other ITCAM, IBM Tivoli Monitoring and IBM Tivoli OMEGAMON products. Tivoli Enterprise Portal integrates data and events from these solutions to enable comprehensive management of your business applications from a single user interface.


1. Tracks transactions across the components of a composite application

2. Measures transaction performance and success

3. Can trigger events if thresholds are violated

4. Tracks transactions using ARM, which is a standard from the Open Group


1. Integrates real-time monitoring and robotics simulations into a single interface to obtain a comprehensive view of user experiences

2. Combines response-time monitoring with resource monitoring and other management tools using a fully customizable portal

3. Helps minimize the time spent identifying, diagnosing, resolving and preventing performance problems to optimize IT efficiency, service levels and customer satisfaction

Product architecture

Figure 3. ITCAM-RTT components
The ITCAM-RTT components
The ITCAM-RTT components

The management server: ITCAM for Response Time Tracking is controlled from the management server. The management server provides a centralized repository of policy, configuration, and data for the ITCAM for Response Time Tracking environment.

Store and forward agent: The store and forward agent acts as an intermediary between management server and management agent.

Management agents: The management agent runs in a Java virtual machine on the managed server.

It typically performs the following functions:

  • Starting and stopping the management components
  • Collecting monitoring and scheduling information from the management server, informing the management components about what to perform
  • Caching response time data in the temporary directory
  • Uploading response time data as requested by the management server, at regular collection time or on demand

Tivoli Enterprise Monitoring Agent:The agent for Tivoli Enterprise Monitoring Server for ITCAM for Response Time Tracking is provided as a separate installable feature. The key task of this agent is to provide appropriate information to Tivoli Enterprise Monitoring Server.

IBM® Tivoli Access Manager WebSEAL server


IBM® Tivoli Access Manager for e-business is a robust and secure centralized policy management solution for e-business and distributed applications.

IBM® Tivoli Access Manager WebSEAL is a high performance, multi-threaded Web server that applies fine-grained security policy to the Tivoli Access Manager protected Web object space. WebSEAL can provide single sign-on solutions and incorporate back-end Web application server resources into its security policy.

WebSEAL usually acts as a reverse Web proxy by receiving HTTP/HTTPS requests from a Web browser and delivering content from its own Web server or from junctioned back-end Web application servers. Requests passing through WebSEAL are evaluated by the Tivoli Access Manager authorization service to determine whether the user is authorized to access the requested resource.


1. Supports multiple authentication methods. Built-in and plug-in architectures allow flexibility in supporting a variety of authentication mechanisms.

2. Integrates Tivoli Access Manager authorization service.

3. Accepts HTTP and HTTPS requests.

4. Integrates and protects back-end server resources through WebSEAL junction technology. Provides unified view of combined protected object space.

5. Manages fine-grained access control for the local and back-end server resources. Supported resources include URLs, URL-based regular expressions, CGI programs, HTML files, Java servlets, and Java class files.

6. Performs as a reverse Web proxy. WebSEAL appears as a Web server to clients and appears as a Web browser to the junctioned back-end servers it is protecting.

7. Provides single sign on capabilities.

Product architecture

Figure 4. TAMeB components
The TAMeB components
The TAMeB components

User registry: The user registry provides centralized repository of user data, which TAM uses for authentication.

TAM policy server: The policy server maintains the policy database that provides data for authorization to its resource managers.

TAM Policy proxy server: As the name suggests, it is an optional component that helps to hide the real policy server. It provides one more level of security to policy server.

TAM authorization server:The authorization server has an authorization engine that uses data stored in policy database to take authorization decisions.

TAM WebSEAL server:WebSEAL is the protector for Web-based resources.

Back-end server:These are the servers that are protected by TAM WebSEAL server.

ARM - Application Response Measurement

Figure 5. ARM

Application Response Measurement (ARM) is an Open Group standard for measuring the response time of a custom transaction. The ARM API provides a means to indicate the start and stop of a transaction that can then be measured to show response time in a distributed system. The current specification allows correlation between multiple components of the application to show response time components. ARM can be used to instrument a simple application as shown in the figure above.

Find the current ARM specifications.

To use ARM, the application program must:

  • Initialize the ARM environment
  • Collect the ARM correlator (optional)
  • Indicate the start of the transaction
  • Pass the ARM correlator to the subtransaction (optional)
  • Indicate the end of the transaction
  • Clean up ARM resources

The ARM API provides an implementation specification for both C language and Java-based programs. In this article, WebSEAL is the application using C APIs for response measurement.

WebSEAL integration with ITCAM for RTT

This section shows how WebSEAL is integrated with ITCAM for RTT. It gives the configuration details only. For installation details, refer tto the link provided.

1. TAM-WebSEAL installation and configuration.

Refer to the following link for the Tivoli Access Manager Installation and Configuration Guide.

2. ITCAM for RTT installation

Refer to the following link for the Tivoli Composite Application Manager for RTT Installation Guide.

3. WebSEAL integration steps

Enable ARM in WebSEAL by doing the following:

Add stanza [arm] to the configuration file of webseal server instance.

Listing 1. WebSEAL configuration file webseald-instance_name.conf changes
enable = yes
report-transactions = yes
accept-correlators = no
library = /usr/lib/
app-group = webseal
app-instance = PlantsByWebSphere

Note:For Windows® use  C:\WINDOWS\system32\libarm4.dll library

The following is a description of each [arm] stanza entry:

enable (default value- no): When set to 'yes' WebSEAL registers itself as an Application to ARM and it registers all the transactions' names.

report-transactions (default value- no): When set to 'yes' WebSEAL starts to report each Transaction. This setting can be changed at any time using the new WebSEAL arm pdadmin command.

accept-correlators (default value- no): When set to 'yes' WebSEAL looks for a header called "ARMCorrelator" in client requests and, if present, it parses it and passes it with the reporting of the "WebRequest Transaction". This allows upstream applications to correlate their transactions with WebSEAL transactions.

library (default value- libarm.[so|a|lib|sl]): When set, it is used as the name of the ARM client library used by WebSEAL to register and report transactions. It must provide ARM 4.0 API. WebSEAL dynamically loads this shared library (Dynamically Linked Library) and locates the required functions within it. This library is installed (and symlinked into /usr/lib) by the RTT MA installer.

app-group (default value- none): ARM allows applications to report themselves as a member of a Group of Applications. This value is passed to ARM when WebSEAL registers itself as an ARM application.

app-instance (default supplied by ARM): ARM allows an application instance to name itself. This value is passed to ARM when WebSEAL registers itself as an ARM application. If the value is not provided, then ARM provides a value, usually the hostname of the machine WebSEAL is running on.

WebSEAL junction with back-end WebSphere Application Server

Create junction with back-end application server either by using pdadmin command or you can use WPM for same.

Listing 2. WebSEAL junction
 TCP Junction 
pdadmin sec_master>server task <webseal instance> create -t tcp -h 
<backend_server_hostname> -p 9080 /jct
SSL Junction 
pdadmin sec_master>server task <webseal instance> create -t ssl -h 
<backend_server_hostname> -p 9443 /jct

Note: WebSEAL SSL junction is required when you have enabled security of back-end WebSphere® Application Server

Listing 3. Start/Stop ARM transactions in WebSEAL
pdadmin sec_master>server task <webseal instance> arm on
pdadmin sec_master>server task <webseal instance> arm off

4. Installing the ITCAM RTT management agent

Install the ITCAM for RTT MA using the instructions provided in the URL:

5. ITCAM for RTT configuration

In this section, we will see the sequence of tasks that are required for configuring ITCAM response time tracking with WebSEAL server.

Agent and monitoring configuration

Select the Agent from the System Administration Section from the left menu to view the Agent list

Default status of Agent is Online and Component Status is Blank (Not enabled).

Deploy following monitoring components on agent.

  • Deploy J2EE as monitoring component on agent

Deploy J2EE monitoring components on Agent where you have ITCAM Server installed and running.

  • Deploy ARM as the monitoring component on agent

If you are using WebSEAL on a remote machine having a junction created to WAS, then deploy the Monitor component called ARM on agent, where you have the ITCAM Server installed and running.

(1) Deploy J2EE as monitoring component on Agent

Select Monitoring components from the System Administration Section of the left menu.

Before deploying the Monitoring component of J2EE, make sure that WAS is running.

Select the J2EE radio button, select Deploy Monitoring Component from the drop-down menu, and click Go.

Figure 6. Deploy J2EE monitor

Select the appropriate WebSphere Application Server version and click Next.

Figure 7. Select WAS version to deploy J2EE Monitor

Select the agent, where WebSphere Application Server is installed.

Figure 8. Select the node on which the agent is running

Specify the path of WebSphere Application Server, this is a required parameter.

If the WebSphere Application Server global security is enabled, then specify the user name and password for that before you click the Add button.

Figure 9. Specify the application server's home location

ITCAM will try to discover the WebSphere instances that you have installed.

Figure 10. Agent discovery in progress

After discovery is complete, select the checkbox next to the appropriate WebSphere profile and the check box to restart the server, and click Finish. NOTE: In this graphic, the WAS Server is not running so it appears greyed out.

Figure 11. Agent discovery finished

Here Agent status will appear as "Online" and Component status will appear as "Running"

Figure 12. Deploy J2EE monitor finished

(2) Deploy ARM as monitoring component on Agent

In a similar way, deploy the ARM monitoring component on Agent; when deployed, the Agent will appear as "Online" and Component status as "Enabled".

Figure 13. Agent status

6. Discovering and listening to transactions on the management server

Monitoring real user transactions with ITCAM for RTT is a two-step process.

  • Discovering WebSEAL transaction
  • Listening monitor for the transactions

All discovery and listening monitors are configured at what is called the edge of the transaction. The edge is the place where the transaction first comes into contact with your monitoring environment.

  • Discovering WebSEAL transaction

You need to discover transactions that are flowing through your environment.

Nevigate Discovery from Configuration on the left menu.

Select ARM from the drop-down menu and click create new button.

Take all the defaults in the wizard, except for the AgentGroup page where you will need to create a new agent group containing the WebSEAL host.

Figure 14. Configuration section continued

Specify a name for Discovery and click Finish.

Generate traffic

Now you will need to generate lots of transactions of WebSEAL by Web browser or scripts.

Figure 15. Generate traffic through browser

In this example, the machine is our WebSEAL server, and we are accessing the PlantsByWebSphere demo application via the junction /jct.

  • Listening monitor for the transaction .

Create a listening monitor from the discovered transactions.

Navigate back to the discovery page from the Configuration menu.

Before viewing the transactions discovered, you need to create Reporting Groups

Click Reporting Group from the Configuration section.

Create a new reporting group.

Figure 16. Creation of a new reporting group

Click Apply to save configuration

Select your Discovery Monitor, select View Discovered Transactions from the drop-down menu, and click Go.

Figure 17. View discovered transactions

Select the WebSEAL transaction, select Create listening monitor from the drop-down menu, and click G.

Note: If you do not see any transactions, you might need to click on the database icon in the upper left to force a data roll-up from the agent

Take all the defaults (make sure sampling rate is 100%).

7. Viewing the Results in the ITCAM for RTT management console

This includes two important sections

  • View the transaction results
  • View the transaction topology
  • View the Transaction results

We are done with the configuration steps, now it is time to view the transactions that come through the WebSEAL system.

Navigate the Dashboard from Reports in the ITCAM RTT management server console

Select your listening mnitor, and then click on the graphic to the right of the lstening mnitor name from the next screen, and select Response time and availability from the pop-up menu.

Click on the graphic to the right of the WebRequest from next screen and select Response time Barchart from the pop-up menu.

Figure 18. New reporting group in reports

You will be able to see Time vs. SecondsS graph for all the requests generated through WebSEAL.

This also shows statistics as below :-

(1) Transaction volume statistics

  • Good transactions
  • Bad transactions
  • Abort transactions
  • Transaction availability

(2) Response time statistics

  • Average value
  • Minimum value
  • Maximum value
Figure 19. Response time barchart

For the extended view of the report, navigate to General Reports from Reports in the RTT management server console.

(2) View the transaction topology

This step is to view the transaction topology used between USER, WebSEAL and WebSphere through the Junction.

Click on your listening monitor, and then click on the graphic to the right of the Listening Monitor name from the next screen and select Response time and availability from the pop-up menu.

Click on your Response time and availability, and then click on the graphic to the right of WebRequest name from the next screen and select the Transaction topology from the pop-up menu.

In the resulting transaction topology, you will note several interesting things:-

This transaction topology includes three topologies:

  • WebRequest topology
  • Authenticate topology
  • Junction request topology

(1) WebRequest topology

You can see the transaction that passed from WebSEAL through a junction to WebSphere.

This webRequest topology includes the inspector showing the statistics as follow :-

Figure 20. Webrequest topology

(2) Junction request topology

The Junction request method contains the junction name (/jct) as well as the back-end hostname, which in the case is Junctions can be used to find performance problems on specific back-end systems.

Figure 21. Junction request topology

(3) Authenticate topology

If you look at the details of the Authenticate topology, you will see the user that authenticated to WebSEAL (sec_master in this case).

Figure 22. Authentication topology

Integration of ITCAM RTT with IBM® Tivoli Monitoring server

Integration of ITCAM RTT with IBM® Tivoli Monitoring Server

This section covers the integration of ITCAM for RTT with Tivoli Monitoring Server. It provides the configuration details, for installation information refer to the URL provided

1. Installation of IBM®Tivoli Monitoring Server

Installing Tivoli Monitoring Server 6.1. This include following components.

  • IBM® Tivoli Enterprise Monitoring Server
  • IBM® Tivoli Enterprise Monitoring Agents(Universal and OS)
  • IBM® Tivoli Enterprise Portal Server

You can follow the instructions given in the link below for installation of Tivoli Monitoring Server 6.1.

After successful installation, check the following link:

  • http://HOSTNAME:1920///cnp/kdh/lib/cnp.html

Login with sysadmin/password (This is set during Installation).

2. Installation of ITCAM Tivoli Enterprise Management Agent

Select the ITCAM Agent from the Agent list.

Select protocol IP.PIPE and specify the hostname and port (Default is 1918)

At the end of installation, you are asked for the information below. Fill in the information that you have collected before installing the management agent and Click OK

Figure 23. ITCAM for RTT management server identity

Click the Response Time Tracking Agent Configuration Options tab

Figure 24. RTT agent configuration options

Click the Response Time Tracking Managing Server Database Configuration Options tab.

Figure 25. RTT server database configuration options

Click OK and configure the rest with default values.

After installation, check the URL.

  • http://HOSTNAME:1920///cnp/kdh/lib/cnp.html

This will add the RTT agent into the existing agent list as shown below.

Figure 26. Tivoli portal enterprise view of agents

After this you should see the Agent Details, Response Time Agent Server details and Agent messages in the following graphic.

Figure 27. Response time agent server details and agent messages

3. Motoring reports

Login to Tivoli Enterprise portal with your username and password.

Click Reporting group from Enterprise to Windows or Linux® System to Hostname to Response Time Tracking to Reporting Group.

You will see the attribute item from the attribute group named as ITCAM_TT_Policy_Groups_Status_Summary.

Figure 28. List of attribute items

The user will be able to see the Table view, Pie Chart view, Bar Chart view, Plot Chart view, Circular Gauge view, Linear Gauge view, and so on.

Below is the Circular Gauge view, including all attribute items selected.

Figure 29. Circular Gauge view

Below is Bar Chart view including all attributes selected.

Figure 30. Bar Chart view

This will show the actual count of each attribute, when you move the cursor to the specific color.


This document provides the steps to set up a solution to have monitoring for Tivoli Access Manager WebSEAL server using IBM® Tivoli Composite Application Manager for Response Time Tracking.

Downloadable resources

Related topics


Sign in or register to add and subscribe to comments.

Zone=Security, Tivoli (service management), Tivoli
ArticleTitle=Monitoring Tivoli Access Manager WebSEAL server transactions using Tivoli Composite Application Manager for Response Time Tracking