ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Failing back LDAP store type #1 to server 10.0.0.1:8000

book

Article ID: 132530

calendar_today

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On

Issue/Introduction



We're running a Policy Server and we see the Policy Server writing
logs line like :

  [smldaputils.cpp:1029][INFO][sm-Server-04410] Failing back LDAP 
  store type #1 to server '10.0.0.1:8000'. 

At that time, you observe high response time. The Policy Store shows 
statistics of : 

  [0] 20190514.065800.849 STATS : Assocs 1 NilCredit 0 Queue 0+0 MWQ 
  0/0 Active 1 Ops 6 Entries 4 Mem 23/14 CPU Seconds 60/60 CPU kTicks 
  1 

  [0] 20190514.042000.358 STATS : Assocs 1 NilCredit 0 Queue 0+0 MWQ 
  0/0 Active 1 Ops 6 Entries 4 Mem 21/14 CPU Seconds 60/60 CPU kTicks 
  1 

  [0] 20190514.022000.846 STATS : Assocs 1 NilCredit 0 Queue 0+0 MWQ 
  0/0 Active 0 Ops 6 Entries 4 Mem 21/14 CPU Seconds 60/60 CPU kTicks 
  1 

This issue occurs at night with traffic at the lowest. 

Why the fail back occurs ?

Environment

Release: MSPPSF99000-12.51-Single Sign-On-Agent for Oracle PeopleSoft-MSP
Component:

Resolution

At first glance, this can occur indeed if the Key Store closes 
connection. As per design, Policy Server won't terminate a connection 
when the Policy or Key Store closes the connection on its ends. 

As such the Policy Server will still try to use the broken connection, 
and seeing that it is broken, it will report an LDAP error and make a 
new connection to the same server right after. 

You should consider to investigate if something happens on the OS or
on the network, as we see the same line almost exactly 2 hours later.

Additional Information

Further reading about the related topics : 

  Policy Server reports error : Error# '81' during search: 'error: Can't contact LDAP server' 
  https://comm.support.ca.com/kb/policy-server-reports-error-error-81-during-search-error-cant-contact-ldap-server/kb000008010 

  SMPS logs is reporting failover and failback, however can?t determine which type of repository is failing over 
  https://comm.support.ca.com/kb/smps-logs-is-reporting-failover-and-failback-however-cant-determine-which-type-of-repository-is-failing-over/kb000038541 

  LDAP Stores :: Failover 
  https://comm.support.ca.com/kb/ldap-stores-failover/kb000049848 

  How to Configure a CA Directory Key Store 
  https://docops.ca.com/ca-single-sign-on/12-8/en/installing/install-a-policy-server/configure-ldap-directory-servers-as-policy-session-and-key-stores/configure-an-ldap-directory-server-as-a-key-store/how-to-configure-a-ca-directory-key-store 

  Defects Fixed in 12.52 SP1 CR09 
  00849582    DE317504    
  Policy Server intermittently fails to connect to CA Directory policy store, session store, and user store, and displays the LDAP Error 81 error. 
  https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/release-notes/cumulative-releases/defects-fixed-in-12-52-sp1-cr09