PSync Agent Configuration Best Practices
search cancel

PSync Agent Configuration Best Practices


Article ID: 52161


Updated On:


CA Identity Manager CA Identity Governance CA Identity Portal CA Identity Suite


This KB discusses Best Practice recommendations to configure and optimize the PSync Agent functionality.

For a general discussion of how Password Sync works, please see KB 36131 Explaining Provisioning Server Reverse Password Sync Agent (PSYNC)



Component: IDMGR


There are several settings which are related to PSYNC password changes that can be adjusted.

Agent Timeout Threshold:

This value is set in the Provisioning Manager under: System/Domain Configuration/Password Synchronization.The default for this timeout is 600 seconds. This should be calibrated based on benchmark testing performed in the environment. You do not want to set this too low.If the value is too short then you could find yourself in a loop which used to be the problem prior to the introduction of this parameter and logic in the product.Such looping could cripple both the Provisioning Server and the DC, so be sure to test this parameter thoroughly prior to any production implementation.

The reason for 10 minutes as a default is because the value must be large enough to cover the time it takes for the PSYNC Agent password change to be processed by the Provisioning Server and propagated to all accounts. For environments with either a large number of associated accounts, slower access to the endpoints, or perhaps a large number of endpoints which require CAM/CAFT (which serialize on a per endpoint basis) it may in fact take 10 minutes or perhaps longer.

It is advised to perform testing to determine a proper value which is just enough to cover the longest length of time needed and to set the parameter to such a value.

"PSYNC Agent Is Installed" checkbox:

This setting is located in the Provisioning Manager on the acquired endpoint property page.
By default this is not set and is not automatically set when PSYNC Agent is remotely installed.
There is no negative impact to having this always set, even if no PSYNC Agent is installed.
Make sure this is enabled as necessary or enable always on all endpoints.


Any settings which may exist on the PSYNC Agent configuration files which determine what timeouts to use:

Whether to check password quality, and whether to block password changes if errors occur against the Provisioning Server (this is not usually enabled since most customers prefer to not block the changes from being allowed on the DC).

Settings in the Provisioning Server related to whether or not external password validation should be enabled:

If not enabled, any password quality will be done against the Provisioning Server's settings, so this should be enabled.

External Password Validation:

If this is enabled this means that the request which was sent from the PSYNC Agent to the Provisioning Server will need to be sent up to IM (and perhaps SM).
You will want to make sure your Inbound Notification timeout settings in the Provisioning Manager are set properly.
This may also cause you to recheck all the other timeout settings noted above so as to be large enough to handle the extra communications/processing done against the Identity Manager (and perhaps SM layers.

There may be additional configurable timeouts on per endpoint levels (i.e. CAM/CAFT timeouts) which could also need to be adjusted (but likely the defaults will suffice).

The communication flow:

Password Check:
PSYNC->Provisioning->IM->SM and then in reverse back to the DC where PSYNC is.

Password Change:
PSYNC->Provisioning->CCS/JCS->endpoints and then back to the DC where PSYNC is.
Also note that Provisioning->IM->SM and then back to the DC would occur.


There are a lot of settings at different layers that might need to be reviewed/adjusted. Please proceed with caution when modifying the above settings and always test in a lab environment prior to any production changes being made.