Policy Server :: Slow CRL Processing : Finding the CRL in the cache

Article ID: 133679

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On SITEMINDER

Issue/Introduction

 

A running Policy Server may become unresponsive and log many lines
like the following:

  [3632293/140440221234944][Tue Apr 30 2019 14:30:56][SmAuthorization.cpp:2248]
  [INFO][sm-log-00000] Execution time exceeded threshold. 
  (CSmAz::ProcessActiveExpression, 6928, 5000, agent=myagent client=*10.0.0.1 
  server=https://myserver.mydomain.com resource=/myresource/image/image.gif action=GET user=)

 

Cause

 

Running the Policy Server Trace Analyser against the Policy Server
traces (1) shows that the top 2 processes consuming the most time are
the ones concerning CRL verification.

From the report produced with the Analyser:

11.1. Trans : Time Taken :322 sec

  [05/10/2019][08:53:51.080][2359943][140382136428288][Enter function CServer::ProcessRequest]
  [08:53:51][CServer.cpp:6186][CServer::ProcessRequest][][][][][][][][][][][][]
  [][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

5 minutes spent here:

  [05/10/2019][08:53:51.094][2359943][140382136428288]
  [FunctionStatus = 0, CheckCRLMask = 1a, currentCert.fullcert = 0][08:53:51]
  [SmAuthCert.cpp:5261][ProcessCRL][][][][][][][][][][][][][][][][][][][][][][]
  [][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

  [05/10/2019][08:58:50.486][2359943][140382136428288]
  [ Enter function isCertificateRevoked][08:58:50][SmAuthCert.cpp:1084]
  [isCertificateRevoked][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
  [][][][][][][][][][][][][][][][][][][][][][][][][][][][]

22 seconds spent here:

  [05/10/2019][08:58:50.486][2359943][140382136428288][ Finding the CRL in the cache]
  [08:58:50][CRLCache.cpp:180][CRLcache::isValid][][][][][][][][][][][][][][][][]
  [][][][][][][][][][][2B 68 03 BC 00 00 00 0B 25 50][][http://certserver.com/crl/CA.crl]
  [][][][][][][][][][][][][][][][][][][][][][][][][][][]

  [05/10/2019][08:59:12.680][2359943][140382136428288][ Checking Validity of CRL]
  [08:59:12][CRLCache.cpp:260][isCRLValid][][][][][][][][][][][][][][][][][][][]
  [][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

  [05/10/2019][08:59:13.265][2359943][140382136428288][LogMessage:INFO:
  [sm-log-00000] Execution time exceeded threshold. (CServer::ProcessRequest, 
  322184, 5000, agent=myagent client=*10.0.0.1 server=https://myserver.mydomain.com 
  resource=/redirectSmartCard/ action=GET user=)][08:59:13][CServer.cpp:6372][][]
  [][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
  [][][][][][][][][][][][][][][][]

The Normal and High Priority queues hold only 0 or 1 request each,
nothing more. That means the Web Agent is likely to fail over to the
next Policy Server, because the request takes far too long to
process.
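
The same gaps can be found without the Analyser by measuring, per thread, the time between consecutive trace records. The Python below is an added example, not part of the original article or of the Trace Analysis Tool; the field layout is inferred from the excerpts above, and the function names, the 5-second default and the shortened sample records are assumptions.

```python
import re
from datetime import datetime

# Leading fields of a trace record, as in the excerpts above (date assumed MM/DD/YYYY):
# [date][HH:MM:SS.mmm][pid][thread id][message ...
HEAD = re.compile(r"\s*\[(\d\d/\d\d/\d{4})\]\[(\d\d:\d\d:\d\d\.\d{3})\]"
                  r"\[(\d+)\]\[(\d+)\]\[\s*([^\[\]]*)")
# Source location and function fields: [File.cpp:line][function]
LOC = re.compile(r"\[(\w+\.cpp:\d+)\]\[([\w:]*)\]")

def parse(line):
    """Return the timestamp, thread and code location of one record, or None."""
    head = HEAD.match(line)
    if not head:
        return None
    date, clock, pid, tid, msg = head.groups()
    loc = LOC.search(line, head.end())
    where = f"{loc.group(2) or '-'} ({loc.group(1)})" if loc else "?"
    ts = datetime.strptime(f"{date} {clock}", "%m/%d/%Y %H:%M:%S.%f")
    return {"ts": ts, "thread": (pid, tid), "msg": msg.strip(), "where": where}

def slow_steps(lines, threshold_s=5.0):
    """List (gap seconds, from, to) for same-thread gaps >= threshold, largest first."""
    last, found = {}, []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # wrapped continuation lines or unrelated text
        prev = last.get(rec["thread"])
        if prev is not None:
            gap = (rec["ts"] - prev["ts"]).total_seconds()
            if gap >= threshold_s:
                found.append((gap, prev["where"], rec["where"]))
        last[rec["thread"]] = rec
    return sorted(found, reverse=True)

# Constructed sample: the records quoted above, one per line, empty fields dropped.
P = "[05/10/2019][{}][2359943][140382136428288]"
SAMPLE = [
    P.format("08:53:51.080") + "[Enter function CServer::ProcessRequest][08:53:51][CServer.cpp:6186][CServer::ProcessRequest]",
    P.format("08:53:51.094") + "[FunctionStatus = 0, CheckCRLMask = 1a, currentCert.fullcert = 0][08:53:51][SmAuthCert.cpp:5261][ProcessCRL]",
    P.format("08:58:50.486") + "[ Enter function isCertificateRevoked][08:58:50][SmAuthCert.cpp:1084][isCertificateRevoked]",
    P.format("08:58:50.486") + "[ Finding the CRL in the cache][08:58:50][CRLCache.cpp:180][CRLcache::isValid]",
    P.format("08:59:12.680") + "[ Checking Validity of CRL][08:59:12][CRLCache.cpp:260][isCRLValid]",
]

if __name__ == "__main__":
    for gap, src, dst in slow_steps(SAMPLE):
        print(f"{gap:9.3f}s  {src} -> {dst}")
```

On the sample it reports the two CRL steps called out above: the wait between ProcessCRL and isCertificateRevoked, and the cache lookup before isCRLValid.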

 

Environment

 

  Policy Server 12.8 on RedHat 6

 

Resolution

 

Upgrade the Policy Server to 12.8SP3 to get the fix for CRL processing (2).

 

Additional Information

 

(1)

   Siteminder Policy Trace Analysis

     Siteminder Policy Trace Analysis Tool

     Attached is a Java Policy Log analysis tool that we have been
     using in CA Support for a while now for analysis of various
     SiteMinder logs.

   https://community.broadcom.com/communities/community-home/digestviewer/viewthread?MID=824043#bm08008f22-0cbb-433d-916a-2dc4b1048062

(2)

   Defects Fixed in 12.8.03

     1248645, 1354677
     DE394012, DE418651
     Policy Server fails to work if a large CRL is used during certificate authentication

   https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8.html