DSI Configuration Parameter Settings
Article ID: 111414
Updated On:
Products
Top Secret
Top Secret - LDAP
Issue/Introduction
DSI configuration parameters do not specify default values
Some of the DSI configuration parameters do not specify default values, or are otherwise unclear, as indicated following -
For "connectionbufsize", the documentation states that the "value must be between 512 and 64M".
The presence of the "M" suggests that the value may be specified using a suffix of "M" and by implication (due to the range of values) by "K".
However, the example shows decimal digits only.
Can you please elaborate on how this setting is to be coded?
For "threads", the documentation states that the "number must be a positive integer". However, I observe in USS executable "/usr/lpp/caldap/rmtauthz" the following messages - SECIN22E CA DSI Server max threads "." less than mimimum of 2 SECIN23W CA DSI Server max threads "."
larger than twice the default
Since the documentation also states that "the default maximum number of worker threads is 32", this suggests that the range is 2-64, inclusive.
Please note that neither of these messages are documented.
For "GentleHup", there is no default indicated, and the default server response to a hangup signal is unclear.
For "GentleStop", there is no default indicated, and the default server response to a stop command is unclear.
For "logoffAfter", there is no default indicated. My suspicion is that the default is zero (0), and that when specified or defaulted, then the server will not generate a logoff request for an inactive user.
For "userid", there is no default indicated, and the default mapping is unclear.
Some of the DSI configuration parameters do not specify default values, or are otherwise unclear, as indicated following -
For "connectionbufsize", the documentation states that the "value must be between 512 and 64M".
The presence of the "M" suggests that the value may be specified using a suffix of "M" and by implication (due to the range of values) by "K".
However, the example shows decimal digits only.
Can you please elaborate on how this setting is to be coded?
For "threads", the documentation states that the "number must be a positive integer". However, I observe in USS executable "/usr/lpp/caldap/rmtauthz" the following messages - SECIN22E CA DSI Server max threads "." less than mimimum of 2 SECIN23W CA DSI Server max threads "."
larger than twice the default
Since the documentation also states that "the default maximum number of worker threads is 32", this suggests that the range is 2-64, inclusive.
Please note that neither of these messages are documented.
For "GentleHup", there is no default indicated, and the default server response to a hangup signal is unclear.
For "GentleStop", there is no default indicated, and the default server response to a stop command is unclear.
For "logoffAfter", there is no default indicated. My suspicion is that the default is zero (0), and that when specified or defaulted, then the server will not generate a logoff request for an inactive user.
For "userid", there is no default indicated, and the default mapping is unclear.
Environment
z/os
Resolution
connectionbufsize - the documentation states that the "value must be between 512 and 64M" This is correct, but we did not mean to imply that you can use K or M.
The value must be a whole number in this range (inclusive) without any letters threads -
The documentation states that the "number must be a positive integer" Notice the E and W in the message.
Yes the min is 2, but the max is not 64. This is just a warning that you are setting it extremely high, but DSI will take the value up to 4294967295.
In most client sites, anything above 32 is a waste and causes more thrashing than good.
Use the LE RPTSTG output to see actual high water marks of memory and thread usage before altering defaults.
While this section is under LDAP, it applies to DSI as well for tuning. https://docops.ca.com/ca-system-z-security-communication-servers-dsi-ldap-pam/15-1/en/troubleshooting/troubleshooting-ca-ldap-server/experience-increased-cpu-utilization GentleHup - default is off, the default action for a SIGHUP is to shutdown GentleStop - default is off logoffAfter - default is 5 min userid - this one is actually doc'd, mixed
You can also see the values in use by issuing F DSIR15,STATUS.
For example: SECIN06I CA DSI Server Status: 957 Build Date 15.2014.1118 Security Product ACF2 v16.0 Debug Level 0 Syslog Level 0 Log File None Threads 32 Requests No limit Host Address Any Port 1899 Enable Verify No Logoff After 5 Gentle Hangup No Gentle Stop No Connect Buffer 512 Client charset Server charset Key Ring Name None Key Ring PW None Key Ring Stash None Cert Label None Min Protocol Lvl TLSv1 Verify Clients NEVER
The value must be a whole number in this range (inclusive) without any letters threads -
The documentation states that the "number must be a positive integer" Notice the E and W in the message.
Yes the min is 2, but the max is not 64. This is just a warning that you are setting it extremely high, but DSI will take the value up to 4294967295.
In most client sites, anything above 32 is a waste and causes more thrashing than good.
Use the LE RPTSTG output to see actual high water marks of memory and thread usage before altering defaults.
While this section is under LDAP, it applies to DSI as well for tuning. https://docops.ca.com/ca-system-z-security-communication-servers-dsi-ldap-pam/15-1/en/troubleshooting/troubleshooting-ca-ldap-server/experience-increased-cpu-utilization GentleHup - default is off, the default action for a SIGHUP is to shutdown GentleStop - default is off logoffAfter - default is 5 min userid - this one is actually doc'd, mixed
You can also see the values in use by issuing F DSIR15,STATUS.
For example: SECIN06I CA DSI Server Status: 957 Build Date 15.2014.1118 Security Product ACF2 v16.0 Debug Level 0 Syslog Level 0 Log File None Threads 32 Requests No limit Host Address Any Port 1899 Enable Verify No Logoff After 5 Gentle Hangup No Gentle Stop No Connect Buffer 512 Client charset Server charset Key Ring Name None Key Ring PW None Key Ring Stash None Cert Label None Min Protocol Lvl TLSv1 Verify Clients NEVER
Additional Information
z/os
Feedback
Yes
No
Powered by
