Seeing many "Policy store failed operation 'MultipleSearch' errors in the SMPS.log with R12.52 SP1 Policy Server.

book

Article ID: 4089

calendar_today

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder) AXIOMATICS POLICY SERVER CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On

Issue/Introduction

Policy Server reports Error 82 during cache rebuilds:


[17987/4011699056][Fri Oct 16 2015 08:45:01][SmObjProvider.cpp:187][ERROR][sm-Server-03090] Policy store failed operation 'MultipleSearch' for object type 'UserDirectory' . LDAP Error Doing UserDirectory_Fetch: 82: Local error

These errors are encountered on other object types as well such as "UserDirectory", "TrustedHost", "PropertyCollection", and "ServerCommand" to name a few.

Cause

CA directory has setting dxgrid-queue and the issue may occur when this setting set to true. Pre-SP14, it was set to ‘false’ by default, Post-SP14, it is set to ‘true’ by default. 

These failed searches are the result of a packet/memory corruption issue in CA Directory R12.0.14 through R12.0.17 with 'set dxgrid-queue=true' (default).

This error is reported by LDAP SDK on the Policy Server side due to malformed packet received from CA Directory.

Environment

SiteMinder Policy Server : R12.52 SP1 Policy Store : CA Directory version >= R12.0.14 and < R12.0.17 CR1

Resolution

This issue is resolved in CA Directory R12.0.17 CR-01.  So, to resolve this issue and still be able to use the dxgrid-queue upgrade CA Directory to version R12.0.17 CR-01 or later.

Workaround:

1. Disable dxgrid-queue by adding following configuration in your DSA initialization file (.dxi ) :

    set dxgrid-queue=false

<Please see attached file for image>

style="" src="/servlet/servlet.FileDownload?file=0150c000004AKHWAA4" alt="dxi.jpg">

2. Restart DSA

 

However, please note , disabling the dxgrid-queue comes with the penalty of loosing the following benefits which comes with the dxgrid-queue :

  • Improves performance of concurrent search and update requests.
  • Allows abandoning of searches that are not performed yet (due to reasons such as client disconnect or timeout).
  • Increases thread utilization, thus allowing better throughput.
  • Allows the set interrupt-searches = true|false; command to be used to prevent long running searches blocking updates. See the set interrupt-searches command for more details.

Additional Information

Attachments

1558708580063000004089_sktwi1f5rjvs16r4q.jpeg get_app