In a production setup, session store record size keeps increasing, while policy server does not appear to clean them up on time or not fast enough.
Release : ALL SiteMinder Releases.
This particular use case is reported on 12.8.06a.
Out of box, all realm should have max/idle timeout configured. When max/idle timeout is NOT configured in a non-persistent realm, and user is authenticated between non-persistent and persistent realm, the session sometimes will be created/exchanged with a future time stamp (about 10 years validity).
Since policy server only deletes a session that is marked as expired, any session record that its smExpirationTime with a future time stamp will never be removed from store. Hence number of records keeps growing.
For example:
dn: smSessionId=//4AXRnyfXJe/T1b8VnfWAENwqY\=,o=example,c=us
objectClass: smSession
objectClass: top
smSessionId: //4AXRnyfXJe/T1b8VnfWAENwqY=
smIdleExpirationTime: 20230407211701Z
smMaxIdleTime: 86400
creatorsName: uid=myadmin,o=example,c=us
smSessionStatus: 0
smExpirationTime: 20380407211701Z
smLastAccessTime: 20230406211701Z
smSessionBlob: //4AXRnyfXJe/T1b8VnfWAENwqY=
createTimestamp: 20230406211701.549Z
First of all, all realms should have max/idle timeout configured. This will ensure smsession always have a valid reasonable Expiration Time.
SiteMinder admin should check how many records actually in the session store, please keep track of them daily.
From policy server, ~\siteminder\bin\ldapsearch -h computer-name -p 389 -D "UserID" -w password -b o=sessionstore objectclass=smSession dxEntryCount
Or
From DSA server bin, run as user DSA, dxsearch -h LDAP-computer-name -p 389 -b "o=sessionstore" objectclass=smSession dxEntryCount
smSessionId is the primary table where session master record is kept. Other entry or tables can be associated with existing smSessionId record, if a child record does not have links to smSessionId, chances are that they are already orphaned. e.g. refresh token is always tied to a smsessionid record. In fact, its dn PATH contains value of parent smsessionid.
For example:
dn: smSessionId=//4AXRnyfXJe/T1b8VnfWAENwqY\=,o=example,c=us
objectClass: smSession
objectClass: top
smSessionId: //4AXRnyfXJe/T1b8VnfWAENwqY=
smIdleExpirationTime: 20230407211701Z
smMaxIdleTime: 86400
creatorsName: uid=myadmin,o=example,c=us
smSessionStatus: 0
smExpirationTime: 20380407211701Z
smLastAccessTime: 20230406211701Z
smSessionBlob: //4AXRnyfXJe/T1b8VnfWAENwqY=
createTimestamp: 20230406211701.549Z
dn: cn=bIp9SqIXxxxxxxxxxxxxxxxxxxxxxxxxldKqreLIM\=,smSessionId=//4AXRnyfXJe/T1b8VnfWAENwqY\=,o=example,c=us
objectClass: smSessionVariable
objectClass: top
cn: bIp9SqIXxxxxxxxxxxxxxxxxxxxxxxxxxdKqreLIM=
smFullVariableName: refresh_token
smVariableName: refresh_token
creatorsName: uid=myadmin,o=example,c=us
createTimestamp: 20230406211701.551Z
smVariableValue: eyJjaWQiOiJNeUNhbm9uIiwidWlkIjoidXVpZD0zZDFhMTkyNjgzYTQyNmN
9uLGRjPWNvbSIsInJ1cmkiOiJodHRwczovL........................................MvTU95R
WR5TkNuVF......................................................OTdMMjEwPSIsImF1dGhM
ZXZlbCI6IjUifQ==
Here are LDAP command that will let you search and find out old expired smsessions (older than Sep 1, 2022) to be deleted.
Login as dsa on CA directory server /opt/CA/Directory/dxserver/bin
// return count
./dxsearch -h host -p port -b "o=example,c=us" "(&(objectclass=smSession)(createTimestamp<=20220901143415.351Z))" dxEntryCount
// return all results
./dxsearch -h host -p port -b "o=example,c=us" "(&(objectclass=smSession)(createTimestamp<=20220901143415.351Z))" > to_be_deleted.ldif
//only return cn of the object
./dxsearch -h host -p port -b "ou=smsession,o=example,c=us" "(&(objectclass=smSession)(createTimestamp<=20220901143415.351Z))" cn > to_delete.ldif
You can then verify the to_be_deleted.ldif content and confirm that they are old record and safe to delete.
The key is making sure search within (objectclass=smSession), otherwise, one could delete things that are not part of smsession object, result in data corruption.
Apply the same logic, one could delete older refresh_token if wants to, which belongs to (objectclass=smSessionVariable).
To actually delete the record, use command line tool like dxdelete, ldapdelete, or any other 3rd party LDAP tool.