PAM Client takes a while to load GUI


Article ID: 140229


Products

CA Privileged Access Manager (PAM)
CA Privileged Access Manager - Cloakware Password Authority (PA)
PAM SAFENET LUNA HSM
CA Privileged Access Manager - Server Control (PAMSC)

Issue/Introduction

PAM Client takes 20 seconds or so to load the PAM GUI.

Why does it take that much time?

Cause

The time from clicking the "SUBMIT" button on the PAM GUI logon screen until the full GUI screen is displayed varies, but in general it is around 15~2x seconds.

The things that usually take time are listed below:

1. Time taken for Authentication

==> Depending on what Authentication Type you select, this may require backend communication to the userstore you may be using.

==> If LDAP Authentication is used, then the time taken between PAM and your LDAP to successfully get a response would affect the overall time spent.


2. Network

==> If you are using a PAM certificate issued by a Certificate Authority, and the certificate is configured for CRL or OCSP, that may also contribute to the time it takes to verify the certificate.

==> Also, if the network bandwidth is saturated, that will slow down the loading of the PAM GUI.

==> If the network has issues and frequent TCP retransmissions take place, that will slow down or break the PAM communication.

3. I/O

==> PAM Client bundles many applications that need to be extracted and loaded, and how long this takes depends on the underlying filesystem performance.



Environment

Release : All versions

Component : PRIVILEGED ACCESS MANAGEMENT

Resolution

The recommendation is to run the test twice and collect 2 sets of the logs.log file:

1. Without "log.user.properties" file

2. With "log.user.properties" file


The logs.log collected without the "log.user.properties" file is smaller and captures just enough data to point to where the time is spent.

If you want to understand more about what was going on during that time frame, collect a new logs.log with a "log.user.properties" file (an empty file) created in the PAM Client folder. You will need to close and relaunch PAM Client each time.

The following is a summary of what is going on in the logs.log file.


Click "Submit" button on PAM Client.

2019-11-08 10:13:01 INFO  - Creation ExtendedProxySelector with configuration ProxyConfiguration [mode=SYSTEM, manualConfiguration=null, pacScriptUrl=null]     com.ca.client.proxy.a [AWT-EventQueue-0]

2019-11-08 10:13:01 INFO  - Applying new Proxy Selector based on config ProxyConfiguration [mode=SYSTEM, manualConfiguration=null, pacScriptUrl=null]     com.ca.client.proxy.a [AWT-EventQueue-0]

2019-11-08 10:13:01 DEBUG - OPERATING SYSTEM locale is [en-US]     com.ca.client.ui.ar [SwingWorker-pool-1-thread-3]


4 seconds required for user authentication.

2019-11-08 10:13:01 DEBUG - http-outgoing-1 >> Accept-Encoding: gzip,deflate     org.apache.http.headers [SwingWorker-pool-1-thread-3]

2019-11-08 10:13:04 DEBUG - http-outgoing-1 << HTTP/1.1 302 Found     org.apache.http.headers [SwingWorker-pool-1-thread-3]


This could be normal, considering that LDAP Authentication requires PAM to communicate with AD.


PAM Client extracts jxbrowser from the jar files, along with a number of other files required by jxplorer, and this took 5 seconds.

PAM Client launches jxplorer and accesses PAM.

2019-11-08 10:13:04 DEBUG - Extracting C:\Users\User1\xceedium\web\utils-win-32.dll     com.ca.xsuite.app.xbrowser.screenshooter.LibraryExtractor [SwingWorker-pool-1-thread-4]

2019-11-08 10:13:09 DEBUG - [ Navigation Started ] https://192.168.0.103/cspm/home     com.ca.xsuite.client.XsuiteClientBrowser [Browser Events Thread]


Then there is a series of exchanges between PAM Client and PAM Server, which took 1 second.

2019-11-08 10:13:09 DEBUG - [ Navigation Started ] https://192.168.0.103/cspm/home     com.ca.xsuite.client.XsuiteClientBrowser [Browser Events Thread]

2019-11-08 10:13:10 DEBUG - [ Navigation Started ] https://192.168.0.103/cspm/app/feature/app.jsp?managementConsole=0&pamClient=true     com.ca.xsuite.client.XsuiteClientBrowser [Browser Events Thread]



PAM Client downloads the content of the PAM server GUI components, which takes about 8 seconds in total.

About 8 seconds later the screen starts to display (this is where you start to see the PAM GUI screen, such as the logo).

2019-11-08 10:13:10 INFO  - URL checking: current URL does not match checkUrl     com.ca.xsuite.client.XsuiteClientBrowser [Browser Events Thread]

2019-11-08 10:13:18 DEBUG - [ Navigation Finished ] https://192.168.0.103/cspm/app/feature/app.jsp?managementConsole=0&pamClient=true     com.ca.xsuite.client.XsuiteClientBrowser [Browser Events Thread]

2019-11-08 10:13:18 DEBUG - [ Navigation Finished ] https://192.168.0.103/cspm/home     com.ca.xsuite.client.XsuiteClientBrowser [Browser Events Thread]

2019-11-08 10:13:18 DEBUG - javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address 192.168.0.103 found     com.ca.xsuite.client.XsuiteClientBrowser [SwingWorker-pool-1-thread-6]



PAM Client displays the PAM GUI.

The time taken 

2019-11-08 10:13:19 INFO  -      syserr [Thread-7]

2019-11-08 10:13:24 INFO  - Nov 08, 2019 10:13:24 AM com.ca.xsuite.common.util.CommonUtils logConsole




So the main delay in this use case is the period from 10:13:10 to 10:13:24, which is about 14 seconds.

This time was spent downloading the application contents to PAM Client to make up the GUI screen.

The other 10 seconds before that were basically 4 seconds for LDAP Authentication and 6 seconds for extracting jar files, launching jxplorer and loading libraries.
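
The manual timestamp comparison above can be automated. The following is an added example, not part of the original article or of the PAM product: a short Python script that parses logs.log entries, lists the largest gaps between consecutive entries, and reports certificate-related exceptions logged in the same window. The sample lines are abbreviated from the excerpt above, and the function names and the 3-second threshold are assumptions chosen for illustration.

```python
import re
from datetime import datetime

# Sample lines abbreviated from the excerpt in this article (class/thread columns dropped).
SAMPLE = r"""
2019-11-08 10:13:01 DEBUG - http-outgoing-1 >> Accept-Encoding: gzip,deflate
2019-11-08 10:13:04 DEBUG - http-outgoing-1 << HTTP/1.1 302 Found
2019-11-08 10:13:04 DEBUG - Extracting C:\Users\User1\xceedium\web\utils-win-32.dll
2019-11-08 10:13:09 DEBUG - [ Navigation Started ] https://192.168.0.103/cspm/home
2019-11-08 10:13:10 INFO  - URL checking: current URL does not match checkUrl
2019-11-08 10:13:18 DEBUG - [ Navigation Finished ] https://192.168.0.103/cspm/home
2019-11-08 10:13:18 DEBUG - javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address 192.168.0.103 found
2019-11-08 10:13:24 INFO  - Nov 08, 2019 10:13:24 AM com.ca.xsuite.common.util.CommonUtils logConsole
"""

LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\w+)\s+- (.*)$")
TLS_HINTS = ("SSLHandshakeException", "CertificateException", "CertPathValidatorException")

def parse(text):
    """Return (timestamp, level, message) for each line that starts with a timestamp."""
    entries = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:  # continuation lines (e.g. stack traces) carry no timestamp and are skipped
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            entries.append((ts, m.group(2), m.group(3).strip()))
    return entries

def slow_gaps(entries, min_seconds=3):
    """Gaps of at least min_seconds between consecutive entries, largest first."""
    gaps = []
    for (t0, _, msg0), (t1, _, msg1) in zip(entries, entries[1:]):
        delta = int((t1 - t0).total_seconds())
        if delta >= min_seconds:
            gaps.append((delta, msg0[:60], msg1[:60]))
    return sorted(gaps, key=lambda g: g[0], reverse=True)

def tls_errors(entries):
    """Messages that report a certificate or TLS handshake failure."""
    return [msg for _, _, msg in entries if any(h in msg for h in TLS_HINTS)]

if __name__ == "__main__":
    log = parse(SAMPLE)
    for seconds, before, after in slow_gaps(log):
        print(f"{seconds:>3}s  after: {before}\n      until: {after}")
    for msg in tls_errors(log):
        print("TLS:", msg)
```

To run it against a real file, pass the contents of logs.log to parse() in place of SAMPLE; the log collected with "log.user.properties" present gives more entries and therefore narrower gaps.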