Verify number of connections on Siteminder Access Gateway

Article ID: 272196

Updated On:

Products

SITEMINDER

Issue/Introduction

We are working on performance tuning of CA SPS and CA Siteminder Policy Server. Can you please answer the questions provided below?

 

1. How to find load on SPS and if max connections (like http_connection_pool_max_size) are reached for SPS? Any command?

2. How to find load on policy server and if max connections are reached and any command?

3. Any formula or recommendations that CA can provide for setting different parameters like http_connection_pool_max_size in server.conf file?

 

Environment

Release : 12.8.x

Resolution

**** Question 1 --> How to find load on SPS and if max connections (like http_connection_pool_max_size) are reached for SPS? Any command


Access Gateway consists of 3 main components: Apache, mod_jk and Tomcat.
Below are some recommendations on how to check the connections at each layer.


1) Apache HTTPD Status
Enable mod_status (and mod_info) and monitor the status of the HTTPD instance.
Develop tooling to monitor the status on a periodic basis, e.g. query http://localhost/system-status?auto and append the result to a log file.
https://httpd.apache.org/docs/2.4/mod/mod_status.html


The server.conf file contains the following section, which references the Apache status URL:


# Metric Reporter to publish data to Prometheus Server
# can be used in kubernetes environments
# metricexporterurl is MetricExporter url which serves AG Metrics data to Prometheus
#   hostname is hostname where MetricsExporter is running
#   port is is port on which MetricExporter is running
# apachestatusurl  is url to pull Apache Metrics data after enabling Mod_status
#   Hostname is localhost
#   port is Apache port
<metric-reporter name="PrometheusMetricsReporter">
 class="com.ca.proxy.monitor.PrometheusMetricsReporter"
 enabled="no"
 # The below URL points to the MetricExporter Server
 metricexporterurl="http://localhost:9090/metrics/postdata"
 # The below URL points to the AcessGateway Apache Server
 apachestatusurl="http://localhost:88/server-status?auto"
</metric-reporter>
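
The periodic mod_status check recommended above could be scripted as follows. This is an added example, not Broadcom's tooling: it parses the `?auto` output, compares BusyWorkers with a worker limit that the operator supplies (assumed here to be the configured MaxRequestWorkers value), and builds one log line per poll. The status text is a constructed sample, and the function names and the 0.8 warning ratio are assumptions.

```python
import urllib.request
from collections import Counter
from datetime import datetime, timezone

# Constructed sample of mod_status "?auto" output (not captured from a real server).
SAMPLE_STATUS = """\
Total Accesses: 18234
Uptime: 3600
BusyWorkers: 9
IdleWorkers: 1
Scoreboard: WWWKWRWWC_......
"""

# Scoreboard key as documented by mod_status.
STATES = {"_": "waiting", "S": "starting", "R": "reading", "W": "sending",
          "K": "keepalive", "D": "dns", "C": "closing", "L": "logging",
          "G": "graceful", "I": "idle_cleanup", ".": "open_slot"}

def fetch(url="http://localhost:88/server-status?auto", timeout=5):
    """Read the machine-readable status page (URL taken from apachestatusurl)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("ascii", "replace")

def parse_auto(text):
    """Turn 'Key: value' lines into a dict; lines without ': ' are skipped."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def summarize(text, max_workers, warn_ratio=0.8):
    """Compare BusyWorkers with the operator-supplied worker limit (assumption)."""
    fields = parse_auto(text)
    busy, idle = int(fields["BusyWorkers"]), int(fields["IdleWorkers"])
    states = Counter(STATES.get(c, "unknown") for c in fields.get("Scoreboard", ""))
    ratio = busy / max_workers
    return {"busy": busy, "idle": idle, "max": max_workers,
            "utilization": round(ratio, 3), "warn": ratio >= warn_ratio,
            "saturated": busy >= max_workers, "states": dict(states)}

def log_line(s, now=None):
    """One line per poll, suitable for appending to a log file."""
    ts = (now or datetime.now(timezone.utc)).isoformat(timespec="seconds")
    flag = "SATURATED" if s["saturated"] else "WARN" if s["warn"] else "OK"
    return f"{ts} busy={s['busy']} idle={s['idle']} max={s['max']} util={s['utilization']} {flag}"

if __name__ == "__main__":
    print(log_line(summarize(SAMPLE_STATUS, max_workers=10)))
```

For a live poll, pass `fetch()` to `summarize()` from a scheduled job and append the line to a file. Keep the status handler reachable only from localhost or the monitoring host, since it exposes details of the requests being served.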

2) Apache Tomcat Status Worker
You can enable the mod_jk status worker to observe and monitor the AJP connections between Apache HTTPD and Apache Tomcat.
There is a lot of information online about the mod_jk status worker; for how to configure it, see --> https://stackoverflow.com/questions/20628865/mod-jk-status-page-not-working

3) Another way is to use netstat and filter on the IP / port of the backend that you are forwarding to.
For example (the commands below use the Windows find filter; on Linux, pipe to grep instead):
netstat -np tcp | find "10.0.0.1:80"
netstat -np tcp | find "10.0.0.1:80" | find "ESTABLISHED"

 

**** Question 2 --> How to find load on policy server and if max connections are reached and any command?

For the Policy Server, use the stats command to print the current, max and exceeded connections, along with some other helpful information. Please see the links below:


https://knowledge.broadcom.com/external/article/15867/policy-server-stats-information.html
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/policy-server-configuration/Log-Policy-Server-Statistics-Periodically.html
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/troubleshooting/policy-server-troubleshooting.html


**** Question 3 --> Any Formula or recommendations that CA can provide for setting different parameters like http_connection_pool_max_size in server.conf file?


There is no specific formula, since each client has its own configuration and load.
It really depends on the number of transactions that your environment processes. Fine tuning is out of support scope and is done by our Special Services team, which can be engaged through your account team.
That being said, below are some helpful tips and KBs on what can be tuned on the Access Gateway and what to consider.


Remember that AG is based on Apache --> mod_jk --> Tomcat. Think about it as a funnel: you do not want mod_jk and Tomcat to have lower connection settings than what is set on Apache.
Example of bad settings --> Apache 500 connections --> mod_jk 450 connections --> Tomcat to backend 400 connections
Example of good settings --> Apache 500 connections --> mod_jk 600 connections --> Tomcat to backend 700 connections

Access Gateway Tuning 


https://knowledge.broadcom.com/external/article/44209/how-to-siteminder-ca-access-gateway-sps.html

https://knowledge.broadcom.com/external/article/43275/ca-access-gateway-sps-commonly-tuned-pa.html