We are working on performance tuning of CA SPS and CA Siteminder Policy server. Can you please answer the questions provided below?
1. How to find load on SPS and if max connections (like http_connection_pool_max_size) are reached for SPS? Any command?
2. How to find load on policy server and if max connections are reached and any command?
3. Any formula or recommendations that CA can provide for setting different parameters like http_connection_pool_max_size in server.conf file?
Release : 12.8.x
**** Question 1 --> How to find load on SPS and if max connections (like http_connection_pool_max_size) are reached for SPS? Any command
Access Gateway consists of 3 main components: Apache, mod_jk and Tomcat.
Below are some recommendations on how to check the connections.
1) Apache HTTPD Status
Enable mod_status (and mod_info) and monitor HTTPD instance status.
Develop tooling to monitor status on a periodic basis, e.g. query http://localhost/system-status?auto and append to a log file.
https://httpd.apache.org/docs/2.4/mod/mod_status.html
In the server.conf file we mention the following -->
# Metric Reporter to publish data to Prometheus Server
# can be used in kubernetes environments
# metricexporterurl is MetricExporter url which serves AG Metrics data to Prometheus
# hostname is hostname where MetricsExporter is running
# port is port on which MetricExporter is running
# apachestatusurl is url to pull Apache Metrics data after enabling Mod_status
# Hostname is localhost
# port is Apache port
<metric-reporter name="PrometheusMetricsReporter">
class="com.ca.proxy.monitor.PrometheusMetricsReporter"
enabled="no"
# The below URL points to the MetricExporter Server
metricexporterurl="http://localhost:9090/metrics/postdata"
# The below URL points to the AccessGateway Apache Server
apachestatusurl="http://localhost:88/server-status?auto"
</metric-reporter>
2) Apache Tomcat Status Worker
You can try enabling the status worker to observe and monitor the mod_jk AJP connection between Apache HTTPD and Apache Tomcat.
There is a lot of information online about the mod_jk status worker; see this for how you can configure it --> https://stackoverflow.com/questions/20628865/mod-jk-status-page-not-working
3) Another way is to use netstat and filter on the IP / port of the backend that you are forwarding to.
Example, something like this:
netstat -np tcp | find "10.0.0.1:80"
netstat -np tcp | find "10.0.0.1:80" | find "ESTABLISHED"
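The periodic mod_status check suggested in item 1, sketched as an added example (not Broadcom or Apache code). It parses the `?auto` report and flags when busy workers approach the configured limit; the sample report is constructed, and the 0.9 warning ratio, function names and log format are assumptions.

```python
import time
import urllib.request

# Constructed sample of a mod_status "?auto" report (not taken from a real server).
SAMPLE = """\
Total Accesses: 48211
BusyWorkers: 19
IdleWorkers: 1
Scoreboard: WWWWWKKKKWWWWRWWWWC_....
"""

def parse_auto_status(text):
    """Turn the 'Key: value' lines of the ?auto report into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if sep:  # skip lines that are not key/value pairs
            fields[key.strip()] = value.strip()
    return fields

def summarize(text, warn_ratio=0.9):
    """Return worker counts, utilisation and a near-limit flag (warn_ratio is an assumption)."""
    f = parse_auto_status(text)
    busy, idle = int(f["BusyWorkers"]), int(f["IdleWorkers"])
    total = busy + idle
    ratio = busy / total if total else 0.0
    return {
        "busy": busy,
        "idle": idle,
        # "." in the scoreboard is an open slot with no current process
        "open_slots": f.get("Scoreboard", "").count("."),
        "utilisation": round(ratio, 3),
        "near_limit": ratio >= warn_ratio,
    }

def poll(url, logfile, interval=60):
    """Append one summary line per interval; pass the status URL configured for your Apache."""
    while True:
        with urllib.request.urlopen(url, timeout=5) as resp:
            s = summarize(resp.read().decode("ascii", "replace"))
        with open(logfile, "a") as fh:
            fh.write(f"{time.strftime('%Y-%m-%dT%H:%M:%S')} {s}\n")
        time.sleep(interval)

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

When `idle` and `open_slots` both reach 0, every worker slot is in use and new connections queue behind the Apache limit.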
**** Question 2 --> How to find load on policy server and if max connections are reached and any command?
For the Policy Server, you will want to use the stats command to print the current, max and exceeded connections along with some other helpful info. Please see the links below:
https://knowledge.broadcom.com/external/article/15867/policy-server-stats-information.html
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/policy-server-configuration/Log-Policy-Server-Statistics-Periodically.html
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/troubleshooting/policy-server-troubleshooting.html
**** Question 3 --> Any Formula or recommendations that CA can provide for setting different parameters like http_connection_pool_max_size in server.conf file?
There is no specific formula, since each client has its own configuration / load.
It really depends on the number of transactions that your environment processes. Fine tuning is out of support scope and is done by our Special Services team, which can be engaged through your account team.
With that being said, below are some helpful tips and KBs on what can be tuned on the Access Gateway and what to consider.
Remember that AG is based on Apache --> mod_jk --> Tomcat. Think about it as a funnel: you do not want mod_jk and Tomcat to have lower connection settings than what is set on Apache.
Example of bad settings --> apache 500 connections --> mod_jk 450 connections --> tomcat to backend 400 connections
Example of good settings --> apache 500 connections --> mod_jk 600 connections --> tomcat to backend 700 connections
Access Gateway Tuning
https://knowledge.broadcom.com/external/article/44209/how-to-siteminder-ca-access-gateway-sps.html
https://knowledge.broadcom.com/external/article/43275/ca-access-gateway-sps-commonly-tuned-pa.html