DNS cache TTL in SiteMinder

Article ID: 132424

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On

Issue/Introduction

Could you please help me confirm the DNS cache TTL in SiteMinder? Currently our SiteMinder is connecting to CA Directory via a load balancer. I would like to understand, if the load balancer fails over to its secondary node, how soon the policy manager can get the new IP.

Environment

Release:
Component: SMPLC

Resolution

We do not believe the policy server caches DNS. The operating system might; you would need to check with the OS vendor for this.

Java can cache DNS, and does by default. This is configured with networkaddress.cache.ttl in <jre>\lib\security\java.security. 

A positive value is the number of seconds an entry is cached for. A value of 0 means never cache. A negative value means cache for the lifetime of the Java process.

This is noted in the following for Access Gateway/SPS: 
https://docops.ca.com/ca-single-sign-on/12-8/en/troubleshooting/ca-access-gateway-troubleshooting#CAAccessGatewayTroubleshooting-DNSisCachedforEveryRequest 

I do not think it affects the policy server. However, it might be worth modifying this for the instance of Java you use for the policy server anyway.
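
To confirm which setting a given JRE will actually use, the script below reads the text of a java.security file and reports the active networkaddress.cache.ttl value using the semantics described above. It is an added example, not part of the original article or the product; the sample file content and the function names are constructed for illustration.

```python
import re

TTL_KEY = "networkaddress.cache.ttl"

# Constructed excerpt of a java.security file (not taken from a real install).
SAMPLE_JAVA_SECURITY = """\
# Positive lookups: seconds to cache, 0 = never, negative = forever
#networkaddress.cache.ttl=-1
networkaddress.cache.negative.ttl=10
networkaddress.cache.ttl = 30
"""

def read_property(text, key):
    """Return the last active (uncommented) value for key, or None."""
    value = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":   # blank line or properties comment
            continue
        # Java properties allow '=', ':' or whitespace between key and value.
        m = re.match(r"([^\s=:]+)\s*[=:]?\s*(.*)$", line)
        if m and m.group(1) == key:
            value = m.group(2).strip()    # a later duplicate overrides
    return value

def describe_ttl(raw):
    """Map a raw setting to the caching behaviour described in the article."""
    if raw is None:
        return "not set: JVM default caching applies"
    try:
        ttl = int(raw)
    except ValueError:
        return "invalid value %r" % raw
    if ttl > 0:
        return "cache for %d seconds" % ttl
    if ttl == 0:
        return "never cache"
    return "cache for the lifetime of the Java process"

def audit(text):
    """Report the effective setting for the given java.security content."""
    return describe_ttl(read_property(text, TTL_KEY))

if __name__ == "__main__":
    print(audit(SAMPLE_JAVA_SECURITY))
```

To check a real installation, pass the contents of that JRE's java.security file to `audit()` in place of the sample string.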