Authentication delays for some agent connections PS 12.7


Article ID: 143035


Products

- CA Single Sign On Secure Proxy Server (SiteMinder)
- CA Single Sign On Agents (SiteMinder)
- CA Single Sign On Federation (SiteMinder)
- CA Single Sign On SOA Security Manager (SiteMinder)
- SITEMINDER

Issue/Introduction


We're running a Policy Server and we see intermittent authentication
delays. The smps.log reports:

  [1436/8584][Thu Dec 12 2019 12:34:36][SmAuthUser.cpp:947][INFO][sm-log-00000] Execution time exceeded threshold. (AuthenticateDsUser, 10265, 10000, agent= client=10.0.0.1 server= resource=/myresource action=GET user=myuser)

  [1436/8584][Thu Dec 12 2019 12:34:36][SmAuthDir.cpp:90][INFO][sm-log-00000] Execution time exceeded threshold. (SmAuthenticate, 10265, 10000, agent= client=10.0.0.1 server= resource=/myresource action=GET user=myuser)

How can we fix this?


Cause


The LDAP server does not respond within 10 seconds, so the Policy
Server marks the existing connection as dead and has to rebuild its
connection to the LDAP server before the authentication can complete.

The smtracedefault.log shows the sequence:

  [1436][6028][11:49:10][11:49:10.658][12/20/2019][][][][Authenticating user by the auth scheme][][][myuser][][][][LDAP://myldap.mydomain.com myldap.mydomain.com,myldap.mydomain.com myldap.mydomain.com/cn=MYUSER,dc=training,dc=com][][][][][][][][SmAuthUser.cpp:5437][CSmAuthUser::Authenticate][][]

  [1436][6028][11:49:10][11:49:10.658][12/20/2019][][][][Start of call AuthenticateUser.][][][][][][][][User ='cn=MYUSER,dc=training,dc=com'][][][][][][][SmDsUser.cpp:229][CSmDsUser::Authenticate][][]

  [1436][6028][11:49:20][11:49:20.518][12/20/2019][][][][Marked user connection (seq: 51546) myldap.mydomain.com:636 as Close Pending][][][][][][][][][][][][][][][SmDsLdapConnMgr.cpp:499][CSmDsLdapConnMgr::AddDeadHandleList][][]

  [1436][6028][11:49:20][11:49:20.518][12/20/2019][][][][Marked user connection (seq: 51548) myldap.mydomain.com:636 as Close Pending][][][][][][][][][][][][][][][SmDsLdapConnMgr.cpp:499][CSmDsLdapConnMgr::AddDeadHandleList][][]

  [1436][6028][11:49:20][11:49:20.533][12/20/2019][][][][Reconnect to server 'myldap.mydomain.com:636' as it's previous connections are closed and it is available for connecting now][][][][][][][][][][][][][][][SmDsLdapFunctionImpl.cpp:2151][CSmDsLdapProvider::RebindServer][][]

  [1436][6028][11:49:20][11:49:20.533][12/20/2019][][][][LogMessage:WARN:[sm-Ldap-02910] SSLv3 client protocol is disabled. If connection fails configure LDAP server to support TLS protocols.][][][][][][][][][][][][][][][SmDsLdapConnMgr.cpp:758][][][]

  [1436][6028][11:49:20][11:49:20.549][12/20/2019][][][][Successful V3 Bind server][][][][][][][][][][][][][][][SmDsLdapConnMgr.cpp:909][IsAvailable][][]

  [1436][6028][11:49:21][11:49:21.611][12/20/2019][][][][LogMessage:INFO:[sm-log-00000] Execution time exceeded threshold. (AuthenticateDsUser, 10953, 10000, agent= client=10.0.0.1 server= resource=/myresource action=GET user=myuser)][][][][][][][][][][][][][][][SmAuthUser.cpp:947][][][]

  [1436][6028][11:49:21][11:49:21.611][12/20/2019][monitoringagent][s5869125/r5][][** Status: Authenticated. ][][][myuser][][][][][][][][][][][][Sm_Auth_Message.cpp:4835][CSm_Auth_Message::SendReply][][]

The delay matches the 10 second timeout of the LDAP ping request: the
authentication only proceeds once the ping has timed out, the dead
handles have been discarded and the Policy Server has rebound to the
LDAP server.

LDAPPingTimeout

  Specifies the LDAP ping timeout value in seconds.

  By default, this time period is 10 seconds even though the registry
  key does not exist. To change the value, add the registry key and
  configure a value.

  Type: DWORD
  Location: Base_Location\Debug
  Unit: Seconds

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8-03/configuring/policy-server-configuration-files/list-of-policy-server-registry-keys.html

RE: Explaining SiteMinder/LDAP communication

  Is there a concept of idle timeout for 'Bind'/any connections? Where
  is it controlled?

  No, Policy Server does not close the connection to the User Store
  unless one of the following occurs:

  - An LDAP request returns with a network error. The connections are
    then re-initialized.

  - The ping thread detects that an LDAP server in the same fail-over
    group located before the current server is now available. For
    example, if a user and a search connection to S2 were created and at
    some point S1 becomes available, then the connections will be
    re-initialized to S1.

  - The ping thread detects that the server is unavailable. The
    connections are then re-initialized.

https://community.broadcom.com/communities/community-home/digestviewer/viewthread?MID=715231

LDAP Stores :: Failover

  Failover:

  The Connection Manager maintains the status of the directory
  instances using a dedicated "Ping Server" thread. The Ping Server
  thread periodically checks the health status of each directory every
  30 seconds. It validates the connection by doing an LDAP search with:

  Search Filter: objectclass=*

  With each search, the Ping Server thread waits a default maximum of
  ten (10) seconds.

https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=49848
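As an added example (not part of this article or of the product), the script below reads smtracedefault.log records in the bracketed field layout shown above, picks out the "Reconnect to server" and "Execution time exceeded threshold" messages, and reports for each slow authentication whether an LDAP rebind happened while it was running and whether the stall is at least the LDAPPingTimeout default. The sample trace is constructed from the lines quoted above, with one extra record added for the negative case.

```python
import re
from datetime import datetime, timedelta

# Constructed smtracedefault.log sample in the field layout quoted in the article (not a real capture).
# The last record is a slow authentication with no rebind in its window and a lower threshold.
TRACE = """\
[1436][6028][11:49:10][11:49:10.658][12/20/2019][][][][Start of call AuthenticateUser.][][][][][][][][User ='cn=MYUSER,dc=training,dc=com'][][][][][][][SmDsUser.cpp:229][CSmDsUser::Authenticate][][]
[1436][6028][11:49:20][11:49:20.518][12/20/2019][][][][Marked user connection (seq: 51546) myldap.mydomain.com:636 as Close Pending][][][][][][][][][][][][][][][SmDsLdapConnMgr.cpp:499][CSmDsLdapConnMgr::AddDeadHandleList][][]
[1436][6028][11:49:20][11:49:20.533][12/20/2019][][][][Reconnect to server 'myldap.mydomain.com:636' as it's previous connections are closed and it is available for connecting now][][][][][][][][][][][][][][][SmDsLdapFunctionImpl.cpp:2151][CSmDsLdapProvider::RebindServer][][]
[1436][6028][11:49:21][11:49:21.611][12/20/2019][][][][LogMessage:INFO:[sm-log-00000] Execution time exceeded threshold. (AuthenticateDsUser, 10953, 10000, agent= client=10.0.0.1 server= resource=/myresource action=GET user=myuser)][][][][][][][][][][][][][][][SmAuthUser.cpp:947][][][]
[1436][7010][11:55:03][11:55:03.102][12/20/2019][][][][LogMessage:INFO:[sm-log-00000] Execution time exceeded threshold. (AuthenticateDsUser, 6200, 5000, agent= client=10.0.0.2 server= resource=/other action=GET user=bob)][][][][][][][][][][][][][][][SmAuthUser.cpp:947][][][]
"""

# One top-level '[...]' field; a single nested '[sm-log-00000]' inside a message field stays with it.
FIELD_RE = re.compile(r"\[((?:[^\[\]]|\[[^\[\]]*\])*)\]")
SLOW_RE = re.compile(r"Execution time exceeded threshold\. \((\w+), (\d+), (\d+),")
RECONNECT_RE = re.compile(r"Reconnect to server '([^']+)'")


def parse_trace(text):
    """Return (time, kind, detail) for the slow-auth and rebind events the diagnosis above rests on."""
    events = []
    for line in text.splitlines():
        f = FIELD_RE.findall(line)
        if len(f) < 9:
            continue  # not a trace record (fields 3/4 carry time/date, field 8 the message)
        when = datetime.strptime(f"{f[4]} {f[3]}", "%m/%d/%Y %H:%M:%S.%f")
        if m := SLOW_RE.search(f[8]):
            events.append((when, "slow", {"op": m[1], "elapsed_ms": int(m[2]), "threshold_ms": int(m[3])}))
        elif m := RECONNECT_RE.search(f[8]):
            events.append((when, "reconnect", {"server": m[1]}))
    return events


def explain_slow_auths(events, ping_timeout_ms=10000):
    """Per slow authentication: did an LDAP rebind fall inside the time it took, and is the
    stall at least LDAPPingTimeout (10 s by default, per the registry key described above)?"""
    rebinds = [(t, d["server"]) for t, k, d in events if k == "reconnect"]
    report = []
    for t, k, d in events:
        if k != "slow":
            continue
        start = t - timedelta(milliseconds=d["elapsed_ms"])  # when this authentication began
        during = [s for rt, s in rebinds if start <= rt <= t]
        report.append({
            "op": d["op"],
            "over_threshold_ms": d["elapsed_ms"] - d["threshold_ms"],
            "rebind_during_auth": during[0] if during else None,
            "at_least_ping_timeout": d["elapsed_ms"] >= ping_timeout_ms,
        })
    return report
```

A slow authentication with a rebind inside its window and a stall of at least LDAPPingTimeout is the pattern this article describes; slow authentications without a rebind point somewhere else.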


Environment


  Policy Server 12.7 on Linux


Resolution


Investigate the LDAP store and the firewall between it and the Policy
Server to understand why the LDAP connections are being re-initialized
so often, and why the LDAP server occasionally fails to respond within
the LDAP ping timeout period.