search cancel

Policy Server :: Slow CRL Processing : Finding the CRL in the cache


Article ID: 133679


Updated On:


CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On Agents (SiteMinder) CA Single Sign On Federation (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On SITEMINDER



When running a Policy Server this one might become unresponsive and
shows many log lines like :

  [3632293/140440221234944][Tue Apr 30 2019 14:30:56][SmAuthorization.cpp:2248]
  [INFO][sm-log-00000] Execution time exceeded threshold. 
  (CSmAz::ProcessActiveExpression, 6928, 5000, agent=myagent client=* 
  server= resource=/myresource/image/image.gif action=GET user=)




  Policy Server 12.8 on RedHat 6;




When running Policy Server Trace Analyser against the Policy Server
traces (1), the top 2 processes that consume the maximum time are the
ones concerning CRL verification :

From the report produced with the Analyser :

11.1. Trans : Time Taken :322 sec

  [05/10/2019][08:53:51.080][2359943][140382136428288][Enter function CServer::ProcessRequest]

5 mins spent here :

  [FunctionStatus = 0, CheckCRLMask = 1a, currentCert.fullcert = 0][08:53:51]

  [ Enter function isCertificateRevoked][08:58:50][SmAuthCert.cpp:1084]

22 secs spend here :

  __[05/10/2019][08:58:50.486][2359943][140382136428288][ Finding the CRL in the cache]
  [][][][][][][][][][][2B 68 03 BC 00 00 00 0B 25 50][][]

  __[05/10/2019][08:59:12.680][2359943][140382136428288][ Checking Validity of CRL]

  [sm-log-00000] Execution time exceeded threshold. (CServer::ProcessRequest, 
  322184, 5000, agent=myagent client=* server= 
  resource=/redirectSmartCard/ action=GET user=)][08:59:13][CServer.cpp:6372][][]

Looking at the Normal and High Priority queues, there are only 0 or 1
request in each queue, nothing more. That means that the Web Agent has
big chance to fail to the next Policy Server because the request is
taking much too long time to process.




Upgrade the Policy Server to 12.8SP3 to get the fix for CRL processing (2).


Additional Information



   Siteminder Policy Trace Analysis

     Siteminder Policy Trace Analysis Tool

     Attached is a java Policy Log analysis tool that we have been
     using in CA Support for a while now for analysis of various
     SiteMinder logs.


   Defects Fixed in 12.8.03

     1248645, 1354677
     DE394012, DE418651
     Policy Server fails to work if a large CRL is used during certificate authentication