A running Policy Server may become unresponsive and
log many lines like the following:
[3632293/140440221234944][Tue Apr 30 2019 14:30:56][SmAuthorization.cpp:2248]
[INFO][sm-log-00000] Execution time exceeded threshold.
(CSmAz::ProcessActiveExpression, 6928, 5000, agent=myagent client=*10.0.0.1
server=https://myserver.mydomain.com resource=/myresource/image/image.gif action=GET user=)
Running the Policy Server Trace Analyser against the Policy Server
traces (1) shows that the top 2 processes consuming the most time are the
ones concerning CRL verification.
From the report produced with the Analyser:
11.1. Trans : Time Taken :322 sec
[05/10/2019][08:53:51.080][2359943][140382136428288][Enter function CServer::ProcessRequest]
[08:53:51][CServer.cpp:6186][CServer::ProcessRequest][][][][][][][][][][][][]
[][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
5 minutes are spent here:
__[05/10/2019][08:53:51.094][2359943][140382136428288]
[FunctionStatus = 0, CheckCRLMask = 1a, currentCert.fullcert = 0][08:53:51]
[SmAuthCert.cpp:5261][ProcessCRL][][][][][][][][][][][][][][][][][][][][][][]
[][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
__[05/10/2019][08:58:50.486][2359943][140382136428288]
[ Enter function isCertificateRevoked][08:58:50][SmAuthCert.cpp:1084]
[isCertificateRevoked][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[][][][][][][][][][][][][][][][][][][][][][][][][][][][]
22 seconds are spent here:
__[05/10/2019][08:58:50.486][2359943][140382136428288][ Finding the CRL in the cache]
[08:58:50][CRLCache.cpp:180][CRLcache::isValid][][][][][][][][][][][][][][][][]
[][][][][][][][][][][2B 68 03 BC 00 00 00 0B 25 50][][http://certserver.com/crl/CA.crl]
[][][][][][][][][][][][][][][][][][][][][][][][][][][]
__[05/10/2019][08:59:12.680][2359943][140382136428288][ Checking Validity of CRL]
[08:59:12][CRLCache.cpp:260][isCRLValid][][][][][][][][][][][][][][][][][][][]
[][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[05/10/2019][08:59:13.265][2359943][140382136428288][LogMessage:INFO:
[sm-log-00000] Execution time exceeded threshold. (CServer::ProcessRequest,
322184, 5000, agent=myagent client=*10.0.0.1 server=https://myserver.mydomain.com
resource=/redirectSmartCard/ action=GET user=)][08:59:13][CServer.cpp:6372][][]
[][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[][][][][][][][][][][][][][][][]
Looking at the Normal and High Priority queues, there are only 0 or 1
requests in each queue, nothing more. That means that the Web Agent is
very likely to fail over to the next Policy Server, because the request
takes far too long to process.
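The gaps called out in the trace excerpt above can be located by comparing consecutive timestamps on the same thread. The following is an added example, not part of the Trace Analyser or of the original article; it assumes every trace record starts with `[date][time][pid][tid][message]` as in the excerpt, and `find_gaps` and `threshold_s` are hypothetical names.

```python
import re
from datetime import datetime

# Assumed record layout, taken from the excerpt above:
# [MM/DD/YYYY][HH:MM:SS.mmm][pid][tid][message]... (report lines may start with "__")
RECORD = re.compile(
    r"^_*\[(\d{2}/\d{2}/\d{4})\]\[(\d{2}:\d{2}:\d{2}\.\d{3})\]"
    r"\[(\d+)\]\[(\d+)\]\[\s*([^\]]*)\]"
)

# Constructed sample: records from the excerpt, wrapped lines joined, empty fields dropped.
SAMPLE = """\
[05/10/2019][08:53:51.080][2359943][140382136428288][Enter function CServer::ProcessRequest]
__[05/10/2019][08:53:51.094][2359943][140382136428288][FunctionStatus = 0, CheckCRLMask = 1a, currentCert.fullcert = 0]
__[05/10/2019][08:58:50.486][2359943][140382136428288][ Enter function isCertificateRevoked]
__[05/10/2019][08:58:50.486][2359943][140382136428288][ Finding the CRL in the cache]
__[05/10/2019][08:59:12.680][2359943][140382136428288][ Checking Validity of CRL]
""".splitlines()


def find_gaps(lines, threshold_s=5.0):
    """Return (seconds, tid, message_before_gap, message_after_gap) for each pair of
    consecutive records on one thread that are more than threshold_s apart."""
    last = {}  # (pid, tid) -> (timestamp, message) of the previous record
    gaps = []
    for line in lines:
        m = RECORD.match(line.strip())
        if not m:
            continue  # wrapped continuation line or unrelated text
        date, clock, pid, tid, msg = m.groups()
        ts = datetime.strptime(f"{date} {clock}", "%m/%d/%Y %H:%M:%S.%f")
        key = (pid, tid)
        if key in last:
            delta = (ts - last[key][0]).total_seconds()
            if delta > threshold_s:
                gaps.append((round(delta, 3), tid, last[key][1], msg.strip()))
        last[key] = (ts, msg.strip())
    return sorted(gaps, reverse=True)  # longest stall first


if __name__ == "__main__":
    for seconds, tid, before, after in find_gaps(SAMPLE):
        print(f"{seconds:>9.3f}s  tid={tid}  '{before}' -> '{after}'")
```

On the sample it reports the stall between the `ProcessCRL` record and `isCertificateRevoked`, then the one between the cache lookup and the CRL validity check.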
Policy Server 12.8 on RedHat 6
Upgrade the Policy Server to 12.8SP3 to get the fix for CRL processing (2).
(1)
Siteminder Policy Trace Analysis
Siteminder Policy Trace Analysis Tool
Attached is a java Policy Log analysis tool that we have been
using in CA Support for a while now for analysis of various
SiteMinder logs.
https://community.broadcom.com/communities/community-home/digestviewer/viewthread?MID=824043#bm08008f22-0cbb-433d-916a-2dc4b1048062
(2)
Defects Fixed in 12.8.03
1248645, 1354677
DE394012, DE418651
Policy Server fails to work if a large CRL is used during certificate authentication
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8.html