Following a recent upgrade of CA SiteMinder Policy Server and CA Access Gateway from version(s) 12.8.X to version 12.9, downloading of files through the Access Gateway it is taking a long time.

For instance

CA Access Gateway 12.8 SP6

C:\Users\<username>>curl -k https://server.example.com/Download/Download-Test-File/(MMA)-100MB.zip --output test
 % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                Dload  Upload   Total   Spent    Left  Speed
100  100M  100  100M    0     0  3777k      0  0:00:27  0:00:27 --:--:-- 3764k

CA Access Gateway 12.9 

C:\Users\<username>>curl -k  https://server2.example.com/Download/Download-Test-File/(MMA)-100MB.zip --output test
 % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                Dload  Upload   Total   Spent    Left  Speed
100  100M  100  100M    0     0   637k      0  0:02:42  0:02:42 --:--:--  585k

CA SiteMinder 12.9, policy server and Access Gateway

This is due to a change made in CA SiteMinder 12.9 to upgrade the Httpclient to version 5.x. 

In Apache HttpClient 5.x, the recommended buffer size for socket operations, particularly when reading from an HttpEntity (e.g., getContent().read(buffer)), depends on several factors, including the network environment, expected data size, and system resources. Unlike HttpClient 4.x, HttpClient 5.x is designed with modern features like HTTP/2 and asynchronous I/O, which can influence buffer size considerations.

A buffer size of 8 KB (8192 bytes) is a commonly recommended starting point for HttpClient 5.x, as it balances memory usage and I/O efficiency for most use cases. This size aligns with typical TCP socket buffer sizes and is effective for both small and medium data transfers.

Large Payloads or High Throughput: For large files or streaming scenarios (e.g., downloads), a larger buffer like 32 KB (32768 bytes) or letting the system decide the best value may improve performance by reducing the frequency of read operations.

The following steps should resolve the issue:

• Stop CA Access Gateway if running (sps-ctl stop)
• Navigate to <CA_Access_Gateway_Home>/secure-proxy/proxy-engine/conf folder
• Take back of server.conf
• Open server.conf to add below entry in <Service name="forward"> right after http_connection_pool_max_size="420"

http_socket_buffer_size="0"

• Save file server.conf

After adding the above entry the configuration appears like the following

<Service name="forward">
class="org.tigris.noodle.Noodle"

# Enables support for multiple protocols if set to true. Currently only
# http and https is supported.  If set to false only http is supported.
protocol.multiple="true"
http_connection_pool_max_size="420"
http_socket_buffer_size="0"

....

• Start Access Gateway (sps-ctl startssl)
• Ensure the server.log file displays a message about http_socket_buffer_size with the new value. That is:

Example : [INFO] -     http_socket_buffer_size                            = 0

Setting http_socket_buffer_size  to 0 means that the OS will decide the buffer size based on OS. If this does not work correctly, other large values beyond the default 8192 can be used, such as 32768