Understand Policy server user authorization cache

Article ID: 38246

Products

* CA Single Sign On Secure Proxy Server (SiteMinder)
* CA Single Sign On SOA Security Manager (SiteMinder)
* CA Single Sign-On

Issue/Introduction

Description

Understanding the User Authorization Cache: what it contains, how large the cache is, and how entries are removed from it.

 

Solution

Purpose: Stores information about policies applied to a given user. When a policy is bound to a user directory object such as a GROUP, it is necessary to determine whether a particular user belongs to that group, i.e. the directory must be searched to obtain the user's membership list. The User Authorization Cache prevents this round trip to the directory. Note that if a policy is bound to a user name (or DN, OU, or O), the Authorization Cache is ineffective, because in that case there is no need to search the directory in the first place.

Type: Key/Value map with a timestamp for each entry. When the cache limit is reached, 25% of the entries, chosen at random, are removed. During a successful lookup the timestamp is checked and the entry is invalidated if it has expired.

 

Key: Directory+UserDN+PolicyUserFilter+PolicyResolution+PolicyFlags

Value: True (if a policy applies to the user), False otherwise

 

Entry added: Every time a user-policy relationship is found.

Entry removed:

* When the cache limit is reached, 25% of the entries, chosen at random, are removed.

* When the entry has expired (default 60 minutes).

* When the "FlushAll" or "FlushUsers" command is processed, all entries are removed.

Configuration: UI: Policy Server management console, "Settings" tab, "User Az Cache (MB)"

Registry Key: Ds\DsCacheParms

Value Name             Value   Description
DsInfoEnabled          True    Whether the User Authorization cache is enabled (see DsInfoEnabled below)
DsInfoMaxSizeMB        10      Size of cache in MB
DsInfoTimeoutSeconds   3600    Cache entry expiration time in seconds

How do these settings affect the cache in 6.0 SP5 CR011 and above?

DsInfoEnabled is one of the DsCacheParms values. These keys hold User Authorization cache parameters that cannot all be set through smconsole. Only the User Authorization cache size can be set in the SMConsole > Settings tab > Performance.

Location:
HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Ds\DsCacheParms

Name: DsInfoEnabled (Updated 6.0 SP5 CR011)

Detail: Specifies whether the User Authorization cache is enabled or disabled. DWORD=1 implies that the User Authorization cache is enabled.
Type: REG_DWORD
Default Value: 0
Range: 0-3
Pre-existing: Yes

The values have the following meaning:

0: Cache Disabled.
1: Cache All.
2: Cache only if authorization is positive.
3: Cache only if authorization is negative.
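The following is an added Python model of the cache behaviour described in this article (composite key, timestamped entries, random 25% eviction at the limit, expiry checked on lookup, FlushAll/FlushUsers, and the four DsInfoEnabled modes). It is not SiteMinder code; the class and method names are hypothetical, and the limit is modelled as an entry count rather than the real DsInfoMaxSizeMB megabyte limit.

```python
import random
import time


class UserAzCache:
    def __init__(self, max_entries, timeout_seconds=3600, mode=1,
                 clock=time.monotonic, rng=random):
        # mode mirrors DsInfoEnabled: 0 disabled, 1 cache all,
        # 2 cache only positive results, 3 cache only negative results.
        # max_entries stands in for DsInfoMaxSizeMB (assumption: the real
        # limit is in megabytes; it is modelled here as an entry count).
        self.max_entries = max_entries
        self.timeout = timeout_seconds
        self.mode = mode
        self.clock = clock
        self.rng = rng
        self.entries = {}  # key -> (policy applies: bool, stored_at)

    @staticmethod
    def make_key(directory, user_dn, user_filter, resolution, flags):
        # Key: Directory+UserDN+PolicyUserFilter+PolicyResolution+PolicyFlags
        return (directory, user_dn, user_filter, resolution, flags)

    def put(self, key, applies):
        """Record whether the policy applies, honouring the DsInfoEnabled mode."""
        if self.mode == 0 or (self.mode == 2 and not applies) \
                or (self.mode == 3 and applies):
            return
        if key not in self.entries and len(self.entries) >= self.max_entries:
            # Cache full: drop 25% of the entries, chosen at random.
            victims = self.rng.sample(list(self.entries),
                                      max(1, len(self.entries) // 4))
            for k in victims:
                del self.entries[k]
        self.entries[key] = (applies, self.clock())

    def get(self, key):
        """Return True/False on a hit, None on a miss or an expired entry."""
        hit = self.entries.get(key)
        if hit is None:
            return None
        applies, stored_at = hit
        if self.clock() - stored_at >= self.timeout:
            del self.entries[key]  # expired: invalidated on lookup
            return None
        return applies

    def flush(self):
        """FlushAll / FlushUsers: every entry is removed."""
        self.entries.clear()
```

With mode 2 a negative result is never stored, so a user who is later added to the group is re-evaluated against the directory instead of being served a stale "False" for up to DsInfoTimeoutSeconds.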

Environment

Release: ESPSTM99000-12.51-Single Sign On-Extended Support Plus