Performance degradation when implementing session store with logouts
Article ID: 43211


Products

  • CA Single Sign On Secure Proxy Server (SiteMinder)
  • CA Single Sign On SOA Security Manager (SiteMinder)
  • CA Single Sign-On

Issue/Introduction

Issue:

Transactions are taking too long to complete, and the applications team reports timeouts on requests from the agent to the policy server, after persistent realms and a session store were added to the environment.

Environment:

  • Policy Server Linux R12.52 SP1 CR1
  • CA Directory Server as sessions store R12 SP18

Cause:

Analysis of the SSO Policy Server trace logs shows significant delays when processing the logout functions for persistent sessions.

The log snippet below illustrates where this bottleneck occurs.

How logout for persistent session is processed:

  1. User logs into a persistent session – the session is inserted into the session store
  2. User accesses the logoff URI – the session is set to LOGOFF
  3. Policy Server removes the session from the session store
  4. Policy Server issues an agent command for ALL agents to flush the user from their cache

Under heavy load, processing the agent commands (adds, reads and deletes) for every logout can cause significant delays and also grows the policy store DB with each user logout.

Log Example:

  • [05/24/2016][09:53:03.643][10883][2845064048][Dequeuing a Normal Priority message, from IP ::ffff:10.130.158.80 with Port No 43340. Current count is 0][CServer.cpp:1423][ThreadPool::Run][00:00:00.000044]
  • [05/24/2016][09:53:03.643][10883][2845064048][Enter function CServer::ProcessRequest][CServer.cpp:5747][CServer::ProcessRequest]
  • .
  • .
  • [05/24/2016][09:53:03.659][10883][2845064048][    ** Status: Logged out. ][Sm_Auth_Message.cpp:4700][CSm_Auth_Message::SendReply][s16/r3253]
  • [05/24/2016][09:53:03.659][10883][2845064048][  Leave function CSm_Auth_Message::SendReply][Sm_Auth_Message.cpp:4704][CSm_Auth_Message::SendReply][00:00:00.000049]
  • [05/24/2016][09:53:07.666][10883][2845064048][  Retrieve an object from the object cache.][SmObjCache.cpp:824][CSmObjCache::Fetch][0e-0001a340-920e-13e2-aa82-9e4e0a82d04b]
  • [05/24/2016][09:53:07.666][10883][2845064048][  Saving 'AgentCommand' object.][SmObjProvider.cpp:984][CSmObjProvider::Save][14-000a2bbd-5cc3-1744-9b81-9e4e0a82d04b]
  • .
  • .
  • [05/24/2016][09:53:07.670][10883][2845064048][Leave function CServer::ProcessRequest][CServer.cpp:5933][CServer::ProcessRequest][00:00:04.026461][104]
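As an added example (not part of the article or the product), a small Python triage script for trace logs in the format shown above: it pairs the Enter/Leave CServer::ProcessRequest lines per thread, flags requests whose elapsed-time field exceeds a threshold, and records whether that request was a logout that saved an AgentCommand object. The sample lines are constructed after the snippet above; the threshold and output shape are my own choices.

```python
import re

# Every trace field is bracketed; messages in this format never contain ']'.
FIELD_RE = re.compile(r"\[([^\]]*)\]")

# Constructed sample in the Policy Server trace format shown in the article.
SAMPLE_TRACE = """\
[05/24/2016][09:53:03.643][10883][2845064048][Enter function CServer::ProcessRequest][CServer.cpp:5747][CServer::ProcessRequest]
[05/24/2016][09:53:03.659][10883][2845064048][    ** Status: Logged out. ][Sm_Auth_Message.cpp:4700][CSm_Auth_Message::SendReply][s16/r3253]
[05/24/2016][09:53:07.666][10883][2845064048][  Saving 'AgentCommand' object.][SmObjProvider.cpp:984][CSmObjProvider::Save][14-000a2bbd-5cc3-1744-9b81-9e4e0a82d04b]
[05/24/2016][09:53:07.670][10883][2845064048][Leave function CServer::ProcessRequest][CServer.cpp:5933][CServer::ProcessRequest][00:00:04.026461][104]
[05/24/2016][09:53:07.671][10883][2845064050][Enter function CServer::ProcessRequest][CServer.cpp:5747][CServer::ProcessRequest]
[05/24/2016][09:53:07.680][10883][2845064050][Leave function CServer::ProcessRequest][CServer.cpp:5933][CServer::ProcessRequest][00:00:00.009000][105]
"""


def parse_elapsed(field):
    """Convert an elapsed-time field such as '00:00:04.026461' to seconds."""
    hours, minutes, seconds = field.split(":")
    return int(hours) * 3600 + int(minutes) * 60 + float(seconds)


def analyze_trace(text, threshold_s=1.0):
    """Return the ProcessRequest calls that took at least threshold_s seconds.

    Requests are tracked per thread id (4th field) from the Enter line to the
    Leave line, whose 8th field carries the elapsed time for the whole request.
    """
    in_flight = {}   # thread id -> state of the request currently being processed
    slow = []
    for line in text.splitlines():
        fields = FIELD_RE.findall(line)
        if len(fields) < 7:
            continue
        date, time, _pid, tid, msg = fields[:5]
        msg = msg.strip()
        if msg == "Enter function CServer::ProcessRequest":
            in_flight[tid] = {"start": f"{date} {time}", "logout": False, "agent_cmd": False}
        elif tid in in_flight and "Status: Logged out." in msg:
            in_flight[tid]["logout"] = True
        elif tid in in_flight and "Saving 'AgentCommand' object." in msg:
            in_flight[tid]["agent_cmd"] = True
        elif msg == "Leave function CServer::ProcessRequest" and tid in in_flight:
            state = in_flight.pop(tid)
            elapsed = parse_elapsed(fields[7]) if len(fields) > 7 else 0.0
            if elapsed >= threshold_s:
                slow.append({"thread": tid, "start": state["start"], "elapsed_s": elapsed,
                             "logout": state["logout"], "agent_cmd": state["agent_cmd"]})
    return slow


if __name__ == "__main__":
    for request in analyze_trace(SAMPLE_TRACE):
        print(request)
```

A logout request that both reports "Logged out." and saves an AgentCommand while running several seconds is the signature described in this article; the same loop can be run over a full smtracedefault.log to count how often it occurs.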

Resolution:

Upgrade the Policy Server to R12.52 SP1 CR5, the first GA release that has the agent cache flush turned off by default for persistent session logoffs.

To enable or disable the flush, add a new DWORD registry value under:

HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\SessionServer

EnableFlushUserCmdOnLogout

Specifies whether users are flushed from the session store cache on logout.

Values: 0 (disabled) or 1 (enabled)

Default: 0

Additional Information:

The purpose of the agent flush was an additional precaution to minimize cookie replay attacks.

Replay: The Web Agent does not flush a user from the Agent Cache when the user hits the LogOffURI with a persistent session, allowing a stolen SMSESSION cookie to be replayed until the Session Validation Period is hit. It was discovered that the agent flush was still susceptible to a replay for up to 60 seconds (two pspollinterval periods; the default pspollinterval is 30 seconds, so 30 seconds * 2 = 60 seconds).

Going forward, it is suggested to set the validation period at the realm level to 60 seconds to achieve the same precaution as the agent flush.

NOTE: The client browser will only be able to access the resources it previously accessed for up to seconds after logout; once logout is called, the session is deleted from the session store.


Environment

Component: SMPLC