Policy server hangs and crashes with very high memory and CPU utilization.

book

Article ID: 51648

calendar_today

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On SITEMINDER

Issue/Introduction

 

If an underlying ODBC data store returns huge amount of data (e.g.-
configured response attribute returns huge data from underlying odbc
user store) then Policy server may hang/crash while trying to fetch
the larger number of records from underlying ODBC database.

This would result in very high CPU utilization and memory utilization.

 

Resolution

 

  IMPORTANT: This article contains information about modifying the registry.

  Before you modify the registry, make sure to create back up of the
  registry and ensure that you understand how to restore the registry if
  a problem may occur.

  For more information about how to back up, restore, and edit the
  registry, please review the relevant Microsoft Knowledge Base articles
  on support.microsoft.com.

In order to restrict the number of records fetched from underlying
ODBC data store, a new registry key "MaxResults" is introduced to just
read the defined number of records from record set and stop fetching
excessive data from the DB. The number of records fetched from
database is controlled by this registry key (1).

When this registry key is set, in addition to restricting the number
of records fetched from underlying ODBC store a warning message is
also logged in the policy server SMPS log when the size of a
configured response data is larger than a defined size limit.

This message will alert the user to the fact that they might be
returning an invalid amount of data for a request. They can then
review the results and determine where they wish to raise the limit if
applicable or to change the statement that returned the value.

  =====================

  The registry has to be manually added in the following registry
  location : 

    \SiteMinder\CurrentVersion\Ds\ODBCProvider\MaxResults

  Note:- The key ODBCProvider doesn't exist by default, the key has to
  be added manually and the registry key should be created in it.

  =====================

When the registry key is set to a value greater than 0, a warning
message will appear in the SMPS logs if the total number of attributes
fetched from the ODBC user directory is greater than the value of
registry key.

If the registry is not set or set to zero, no warning message will
appear in the policy server SMPS logs irrespective of the number of
attributes fetched from the ODBC database.

For example, registry can be added at

  \SiteMinder\CurrentVersion\Ds\ODBCProvider
  MaxResults = 2
  ==== Message in SMPS log=====

    [3856/3728][Mon Aug 03 2009
    16:16:51][SmDsOdbcProvider.cpp:837][INFO] Warning: The number of
    results (8) returned by the Query 'Select Name, 'Group' as Class
    from SmGroup order by Name' exceeded the maximum allowed value of
    (2)

  =========================

 

Additional Information

 

(1)

    Limit the Number of Records Returned by a SQL Query

      Adding the registry key, MaxResults, does not change the number of
      records returned. Adding the key does warn you when the number of
      results exceeds a limit that you set. You can use this feedback to
      modify your SQL queries and fine-tune the number of records
      returned, as needed.

    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/policy-server-configuration/configure-policy-server-data-storage-options/configure-odbc-data-store-options.html