We are working on performance tuning of CA SPS and CA SiteMinder Policy Server. Can you please answer the questions below?
1. How to find the load on SPS and whether the max connections (like http_connection_pool_max_size) are reached for SPS? Any command?
2. How to find the load on the Policy Server and whether the max connections are reached? Any command?
3. Any formula or recommendations that CA can provide for setting parameters like http_connection_pool_max_size in the server.conf file?
Release: 12.8.x
**** Question 1 --> How to find the load on SPS and whether the max connections (like http_connection_pool_max_size) are reached for SPS? Any command?
Access Gateway consists of three main components: Apache HTTPD, mod_jk and Tomcat.
Below are some recommendations on how to check the connections at each of them.
1) Apache HTTPD Status
**** Action 1 --> httpd.conf changes
1) Back up the httpd.conf of the Access Gateway Apache under AG_home/httpd/conf.
2) Modify httpd.conf and add the following:
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule info_module modules/mod_info.so
LoadModule status_module modules/mod_status.so
<Location "/server-status">
SetHandler server-status
Require ip 127.0.0.1
</Location>
The authz_host_module, info_module and status_module LoadModule lines above must precede the Location block: Require ip is provided by mod_authz_host and the server-status handler by mod_status (mod_info is only needed if you also expose /server-info).
In the /server-status Location, Require ip 127.0.0.1 means the status URL can only be reached from the local host, for example with curl. This is deliberate: with ExtendedStatus on (the Apache 2.4 default once mod_status is loaded) the page lists client addresses and request URIs.
You will not be able to access the status URL from anywhere else. If localhost resolves to IPv6 on your gateway, add ::1 as well or use Require local instead.
You can change the IP to whichever monitoring host you want to allow; keep that list as short as possible.
**** Action 2 --> Print status
Print the status of Apache from the local host using curl. The sample below refreshes every 2 seconds and prints the AG Apache status (-k is required because the listener's certificate is issued for the gateway host name, not 127.0.0.1; that is acceptable on the loopback interface):
watch -n 2 "curl -k --silent 'https://127.0.0.1/server-status?auto'"
The output will be as follows. BusyWorkers is the number of worker threads serving a request at that moment and IdleWorkers the number waiting for one; their sum is the number of threads currently alive. BusyWorkers cannot exceed MaxRequestWorkers in httpd.conf, so BusyWorkers approaching that value (or IdleWorkers near 0) means Apache has reached its connection limit and new connections are queuing in the listen backlog. The Scoreboard line shows the same per slot: _ waiting, K keep-alive, W sending, R reading, . open slot.
ServerVersion: Apache/2.4.52 (Unix) OpenSSL/1.0.2za-fips mod_jk/1.2.48
ServerMPM: worker
Server Built: Dec 30 2021 03:28:32
CurrentTime: Wednesday, 11-Dec-2024 15:44:14 UTC
RestartTime: Wednesday, 11-Dec-2024 15:35:11 UTC
ParentServerConfigGeneration: 1
ParentServerMPMGeneration: 0
ServerUptimeSeconds: 542
ServerUptime: 9 minutes 2 seconds
Load1: 1.69
Load5: 0.99
Load15: 0.59
Total Accesses: 236600
Total kBytes: 37144
Total Duration: 1353549
CPUUser: 77.26
CPUSystem: 22.23
CPUChildrenUser: 16.37
CPUChildrenSystem: 3.02
CPULoad: 21.9336
Uptime: 542
ReqPerSec: 436.531
BytesPerSec: 70176.1
BytesPerReq: 160.758
DurationPerReq: 5.72083
BusyWorkers: 81
IdleWorkers: 169
Scoreboard: __KKK_K_......
TLSSessionCacheStatus
CacheType: SHMCB
CacheSharedMemory: 512000
CacheCurrentEntries: 184
CacheSubcaches: 32
CacheIndexesPerSubcaches: 88
CacheTimeLeftOldestAvg: 71
CacheTimeLeftOldestMin: 1
CacheTimeLeftOldestMax: 287
CacheIndexUsage: 6%
CacheUsage: 8%
CacheStoreCount: 301
CacheReplaceCount: 0
CacheExpireCount: 117
CacheDiscardCount: 0
CacheRetrieveHitCount: 0
CacheRetrieveMissCount: 20
CacheRemoveHitCount: 0
CacheRemoveMissCount: 0
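The check described above, turned into a script: it parses the "?auto" output, reads MaxRequestWorkers from httpd.conf and reports how much worker headroom is left. This is an added example, not code from the Broadcom article or from the Access Gateway product; the 80%/90% thresholds, the AG_HOME variable and the assumption of a worker MPM (Busy + Idle = live threads) are mine, and the sample status text is constructed from the figures shown above so the script runs without a live gateway.

```shell
#!/bin/sh
# Added example, not part of the Broadcom article: read mod_status "?auto"
# output and report how close Apache is to its MaxRequestWorkers ceiling.
# Assumptions: the status URL from the Location block above, a worker MPM
# (BusyWorkers + IdleWorkers = threads currently alive), and the 80%/90%
# warning thresholds, which are arbitrary.

# Print one "?auto" field (BusyWorkers, IdleWorkers, ...) from stdin.
status_field() {
    awk -F': ' -v key="$1" '$1 == key { print $2; exit }'
}

# Integer percentage busy*100/max; prints 0 when max is not a positive number.
worker_utilization() {
    if [ "$2" -gt 0 ] 2>/dev/null; then echo $(( $1 * 100 / $2 )); else echo 0; fi
}

# Last MaxRequestWorkers value in an httpd.conf given as file args or stdin;
# 0 when the directive is absent (Apache then uses the MPM default).
max_request_workers() {
    awk 'tolower($1) == "maxrequestworkers" { v = $2 } END { print v + 0 }' "$@"
}

# Reads "?auto" output on stdin, takes MaxRequestWorkers as $1, prints
# "STATE busy=.. idle=.. max=.. util=..%" and returns 0 (OK), 1 (WARN), 2 (CRIT).
check_apache_workers() {
    max=$1
    status=$(cat)
    busy=$(printf '%s\n' "$status" | status_field BusyWorkers)
    idle=$(printf '%s\n' "$status" | status_field IdleWorkers)
    busy=${busy:-0}; idle=${idle:-0}
    util=$(worker_utilization "$busy" "$max")
    state=OK; rc=0
    if [ "$util" -ge 90 ] || [ "$idle" -eq 0 ]; then state=CRIT; rc=2
    elif [ "$util" -ge 80 ]; then state=WARN; rc=1; fi
    echo "$state busy=$busy idle=$idle max=$max util=${util}%"
    return $rc
}

# Constructed sample with the figures from the article's output, so the
# script runs without a live Access Gateway.
SAMPLE_STATUS='ServerMPM: worker
BusyWorkers: 81
IdleWorkers: 169
Scoreboard: __KKK_K_......'

# Constructed httpd.conf fragment; 250 matches Busy + Idle in the sample.
MAX=$(printf 'ThreadsPerChild 25\nMaxRequestWorkers 250\n' | max_request_workers)
printf '%s\n' "$SAMPLE_STATUS" | check_apache_workers "$MAX" || true
# Live use, on the gateway itself (AG_HOME is a placeholder for your install path):
#   curl -ks 'https://127.0.0.1/server-status?auto' | check_apache_workers "$(max_request_workers "$AG_HOME/httpd/conf/httpd.conf")"
```

The exit code (0/1/2) is chosen so the function drops straight into a cron job or a monitoring check; the IdleWorkers=0 test catches the case where MaxRequestWorkers was left unset and the percentage alone would read 0.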
The Access Gateway server.conf also refers to this status URL, in the Prometheus metric reporter section:
# Metric Reporter to publish data to Prometheus Server
# can be used in kubernetes environments
# metricexporterurl is MetricExporter url which serves AG Metrics data to Prometheus
# hostname is hostname where MetricsExporter is running
# port is the port on which MetricExporter is running
# apachestatusurl is url to pull Apache Metrics data after enabling Mod_status
# Hostname is localhost
# port is Apache port
<metric-reporter name="PrometheusMetricsReporter">
class="com.ca.proxy.monitor.PrometheusMetricsReporter"
enabled="no"
# The below URL points to the MetricExporter Server
metricexporterurl="http://localhost:9090/metrics/postdata"
# The below URL points to the Access Gateway Apache Server
apachestatusurl="http://localhost:88/server-status?auto"
</metric-reporter>
Make sure you modify apachestatusurl above to match your Apache host name and port, and that the Require ip in the server-status Location admits the address the reporter connects from.
2) mod_jk status worker (Apache HTTPD to Tomcat)
You can enable the mod_jk status worker to observe and monitor the AJP connection pool between Apache HTTPD and Apache Tomcat: define a worker of type status in workers.properties, add it to worker.list, mount it with JkMount in httpd.conf, and restrict the mount's Location with Require ip exactly as for /server-status, because the status worker also allows runtime edits of worker settings unless read_only=true is set.
There is a lot of material online on the mod_jk status worker; see this on how to configure it --> https://stackoverflow.com/questions/20628865/mod-jk-status-page-not-working
3) Another way is to use netstat and grep on the IP and port of the backend you are forwarding to, for example:
Something like this (find is the Windows form; on Linux pipe netstat -ant or ss -tan output through grep instead). ESTABLISHED counts the connections currently open to the backend; a large TIME_WAIT count next to a small ESTABLISHED count means connections are being torn down after each request instead of reused from the pool.
netstat -np tcp | find "10.0.0.1:80"
netstat -np tcp | find "10.0.0.1:80" | find "ESTABLISHED"
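The same counting done in a script for the Linux netstat output, as an added example that is not from the Broadcom article: it summarises the connections to one backend by TCP state and compares the ESTABLISHED count with the pool limit. The column layout assumed is that of Linux "netstat -ant" (foreign address in column 5, state in column 6); that http_connection_pool_max_size in server.conf is the ceiling of that pool is the article's premise, not something the script verifies, and the netstat lines are constructed sample data.

```shell
#!/bin/sh
# Added example, not part of the Broadcom article: summarise the TCP
# connections from the Access Gateway to one backend by state and compare
# the ESTABLISHED count with the configured pool size.
# Assumptions: Linux "netstat -ant" column layout (local addr $4, foreign
# addr $5, state $6); the pool limit passed in is whatever you configured
# (the article names http_connection_pool_max_size in server.conf).

# Per-state counts for connections whose foreign address is $1, printed on
# one line, e.g. "ESTABLISHED=3 TIME_WAIT=2". Reads netstat -ant on stdin.
backend_conn_states() {
    awk -v be="$1" '$1 ~ /^tcp/ && $5 == be { n[$6]++ }
        END { for (s in n) printf "%s=%d\n", s, n[s] }' | sort | paste -sd ' ' -
}

# Compare ESTABLISHED connections to backend $1 against pool limit $2.
# Prints "ESTABLISHED=<n> limit=<max> <OK|AT_LIMIT>"; returns 1 when full.
pool_check() {
    be=$1; limit=$2
    est=$(awk -v be="$be" '$1 ~ /^tcp/ && $5 == be && $6 == "ESTABLISHED" { c++ }
        END { print c + 0 }')
    if [ "$est" -ge "$limit" ]; then
        echo "ESTABLISHED=$est limit=$limit AT_LIMIT"; return 1
    fi
    echo "ESTABLISHED=$est limit=$limit OK"
}

# Constructed netstat -ant output: three live and two closing connections to
# backend 10.0.0.1:80, one connection to another backend, one listener.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:43210          10.0.0.1:80             ESTABLISHED
tcp        0      0 10.0.0.5:43211          10.0.0.1:80             ESTABLISHED
tcp        0      0 10.0.0.5:43212          10.0.0.1:80             ESTABLISHED
tcp        0      0 10.0.0.5:43190          10.0.0.1:80             TIME_WAIT
tcp        0      0 10.0.0.5:43191          10.0.0.1:80             TIME_WAIT
tcp        0      0 10.0.0.5:51000          10.0.0.2:443            ESTABLISHED
tcp6       0      0 :::443                  :::*                    LISTEN'

printf '%s\n' "$SAMPLE_NETSTAT" | backend_conn_states 10.0.0.1:80
printf '%s\n' "$SAMPLE_NETSTAT" | pool_check 10.0.0.1:80 3 || true
# Live use on Linux:  netstat -ant | pool_check 10.0.0.1:80 "$POOL_MAX"
```

Run the state summary a few times under load: ESTABLISHED sitting at the pool limit while requests back up is the "max connections reached" condition the question asks about, whereas a TIME_WAIT count that dwarfs ESTABLISHED points at keep-alive not being honoured between the gateway and the backend.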
**** Question 2 --> How to find load on policy server and if max connections are reached and any command?
For the Policy Server, use the smpolicysrv -stats command, which writes the current, maximum and exceeded connection counters (along with other helpful figures) to the Policy Server log; please see the links below:
https://knowledge.broadcom.com/external/article/15867/policy-server-stats-information.html
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/policy-server-configuration/Log-Policy-Server-Statistics-Periodically.html
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/troubleshooting/policy-server-troubleshooting.html
**** Question 3 -->Any Formula or recommendations that CA can provide for setting different parameters like http_connection_pool_max_size in server.conf file?
There is no specific formula, since each customer has its own configuration and load.
It really depends on the number of transactions that your environment processes. Fine tuning is out of support scope; it is done by our Special Services team, which can be engaged through your account team.
With that being said , below are some helpful tips and KBs on what can be tuned on the Access Gateway and what to consider
Remember that AG is built as Apache --> mod_jk --> Tomcat. Think of it as a funnel: you do not want mod_jk or Tomcat to have lower connection limits than what is set on Apache, otherwise requests Apache has already accepted wait for a free downstream connection instead of being served. Note that the mod_jk connection_pool_size is per httpd child process, so the effective mod_jk capacity is that value multiplied by the number of running children.
Example of bad settings --> Apache 500 connections --> mod_jk 450 connections --> Tomcat to backend 400 connections
Example of good settings --> Apache 500 connections --> mod_jk 600 connections --> Tomcat to backend 700 connections
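The funnel rule above as a check script, added here as an example rather than anything from the Broadcom article: it pulls the three limits out of their configuration files and verifies that no stage is narrower than the one in front of it. The file formats are real (MaxRequestWorkers in httpd.conf, worker.<name>.connection_pool_size in workers.properties), but the worker name ajp13 and the http_connection_pool_max_size="N" syntax for server.conf are assumptions to adapt to your installation, and the config fragments are constructed to reproduce the "bad" example.

```shell
#!/bin/sh
# Added example, not part of the Broadcom article: pull the three limits
# that form the Apache -> mod_jk -> Tomcat funnel out of their config files
# and verify that no stage is narrower than the one in front of it.
# Assumptions: MaxRequestWorkers in httpd.conf, a mod_jk worker named
# "ajp13" whose connection_pool_size is set in workers.properties, and
# http_connection_pool_max_size="N" in server.conf; the worker name and the
# exact server.conf syntax are placeholders.

# Print the numeric value of key $1 (a sed ERE) from config text on stdin;
# accepts "Key 500", "key=500" and key="500"; the last definition wins.
conf_value() {
    sed -n -E "s/^[[:space:]]*$1[[:space:]=]*\"?([0-9]+)\"?.*/\1/p" | tail -n 1
}

# Funnel rule from the article: apache <= mod_jk <= tomcat-to-backend.
# Prints GOOD/BAD/UNKNOWN with the values; returns 1 on BAD, 2 on UNKNOWN.
check_funnel() {
    apache=$1; jk=$2; tomcat=$3
    for v in "$apache" "$jk" "$tomcat"; do
        case $v in ''|*[!0-9]*) echo "UNKNOWN: could not read all three limits"; return 2;; esac
    done
    if [ "$apache" -le "$jk" ] && [ "$jk" -le "$tomcat" ]; then
        echo "GOOD apache=$apache mod_jk=$jk tomcat=$tomcat"; return 0
    fi
    echo "BAD apache=$apache mod_jk=$jk tomcat=$tomcat (a later stage is narrower than an earlier one)"
    return 1
}

# Constructed config fragments reproducing the article's "bad" example.
HTTPD_CONF='ThreadsPerChild 25
MaxRequestWorkers 500'
WORKERS_PROPS='worker.list=ajp13
worker.ajp13.type=ajp13
worker.ajp13.connection_pool_size=450'
SERVER_CONF='http_connection_pool_max_size="400"'

A=$(printf '%s\n' "$HTTPD_CONF"    | conf_value 'MaxRequestWorkers')
J=$(printf '%s\n' "$WORKERS_PROPS" | conf_value 'worker\.ajp13\.connection_pool_size')
T=$(printf '%s\n' "$SERVER_CONF"   | conf_value 'http_connection_pool_max_size')
check_funnel "$A" "$J" "$T" || true
# Live use: feed the real files instead of the printf lines, e.g.
#   conf_value 'MaxRequestWorkers' < "$AG_HOME/httpd/conf/httpd.conf"
```

Because connection_pool_size is a per-process value in mod_jk, multiply it by the number of httpd children before passing it as the second argument when you run this against a worker MPM with several children; the comparison itself is the article's rule unchanged.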
Access Gateway Tuning
https://knowledge.broadcom.com/external/article/44209/how-to-siteminder-ca-access-gateway-sps.html
https://knowledge.broadcom.com/external/article/43275/ca-access-gateway-sps-commonly-tuned-pa.html