This document provides the basic methods for recalculating and updating users' application lists during deployment and when scheduling maintenance tasks in production. It references folder paths in SSO version 8.1, but applies to previous releases as well.
The Policy Server Background Calculation Utility (PsBgc): as new applications are added and deleted, users' application lists can change, so the cache files should be updated periodically. The psbgc utility regenerates the application list cache as a background task, which reduces the SSO Server load and improves SSO Client performance during peak times. The utility should be run on a regular basis so that the application list caches are always up to date and users do not have to request a refresh of their application list as often.
- PsBgc - Policy Server Background Calculation
- SSO - Single Sign On
- Client.ini - Single Sign On Client initialization file
- Ps-bgc - user with authority to run the PsBgc Utility. Located in the ps-ldap datastore. Default password is "ps-bgc"
- AD - Active Directory
- OU - Organizational Unit
The solution steps are provided below. Please fully understand the terminology and conditions that must be met when using this utility or troubleshooting issues as they arise. Please view figure #1 below for the command line interface and usage instructions. The figures below are taken from a Single-Sign On 8.0 server environment to show that the functionality exists in this version as it does in SSO v8.1, and future versions of SSO.
[Figure 1: PsBgc command line interface and usage instructions (image in attached file)]
You will need to have a test workstation available with the latest version of the SSO client installed. All Single-Sign On product components are available at support.ca.com. It is already assumed that you have Single-Sign On configured and working in terms of both the server and the client. The client would already be able to authenticate to an SSO server in order to see results of using this utility.
- The PsBgc utility is located in the \installdir$\CA\eTrust SSO\Server\bin directory.
- The Policy Server has a folder called psbgc. This is located in the \installdir$\CA\eTrust SSO\Server\PsBgc directory.
- In the psbgc folder we store the application lists for each user who has logged on (or who is added to the system when the psbgc process is run).
- The psbgc application lists on the server are specific to each server. (This means that if the psbgc is current on one server but not on another, a user who is routed to a server with an old list will get the old list.)
- The psbgc application lists on the SSO server are generated with one of the following methods.
  - When the user logs in for the first time. (This is the first login to each server.)
  - When the psbgc is run on a specific SSO server for the user, group or location.
- When the SSO Client starts or logs on, it PULLS the application list from the SSO servers. If there is no list on the SSO Server, it is generated at that time.
- When the SSO Client clicks on the "Refresh Application List" on the SSO Tools menu or from the SSO taskbar icon this will rebuild the application list ON the SSO Server but NOT on all SSO Servers. (You could get the old list if you are directed to another SSO Server during the next login as mentioned in the Facts section above).
- There are three locations an application list can be created or updated on the SSO Client machine.
  - In the Windows Program Menu there is an SSO Programs submenu. This is defined by settings in the Client.ini file.
  - The SSO Tools menu, which pulls the application list on the SSO Server when a user logs on. A refresh initiated from the SSO Client will rebuild the application list on the server and update the client machine.
  - The SSO Launchbar (SSO icons), which pulls the application list on the SSO Server when the user logs on. A refresh initiated from the SSO Client will rebuild the application list on the server and update the client machine.
- If you add users to applications and run the psbgc each night, you will not have performance issues and will offer consistent application lists.
Here is a basic example of the command usage of the PsBgc utility. See figure #2.
[Figure 2: Example PsBgc command usage (image in attached file)]
- Here we see an application list re-calculation for one specific user (User00146) found in the datastore "ad" in the "Users" container.
- If we remove the selection (-u "user00146") the utility will recalculate for the entire Users container. Bear in mind, depending on the size of the Container, Organizational Unit, or Group, this could be quite time-consuming. Please use this utility on large groups or containers off-hours or during low server usage hours.
- This functionality can be expanded to support Organizational Units multiple layers deep. For instance:
To recalculate the application list for users in the "testou3" OU, the command would be as follows:
>psbgc -a ps-bgc -p ps-bgc -d "ad" -c "ou=testou3,ou=testou2,ou=testou1"
- This will not, however, run for a group if it exists in the same OU. The PsBgc utility looks for common names unless it is told to look in groups by setting the "-g" switch, followed by the group name in quotes.
- Once the PsBgc process has completed on a single SSO server, it must be run again on every other farm member server. Alternatively, you can copy the entire PsBgc folder directly to the remaining SSO servers.
- Provided below is a basic PsBgc for a group script (Windows only) that can be modified to suit your SSO enterprise:
---------------------------- Start script ----------------------------
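rem Command file to run ps-bgc utility for a group
rem Optional first argument: group name, overrides sso_group_cn below
set passed_group=%~1
set server_bin_dir=C:\Program Files\CA\eTrust SSO\Server\bin
rem Assumed values: psbgc under server_bin_dir, a placeholder for the -i ini file, the default ps-bgc account
set psbgc_bin_path=%server_bin_dir%\psbgc
set psbgc_ini_path=YourPsBgcIniFilePathHere
set sso_admin_user=ps-bgc
set sso_admin_pwd=ps-bgc
set sso_data_store_name=YourADdatastoreNameHere
set sso_group_container_dn=YourContainerOrOrganizationalUnitNameHere
set sso_group_cn=YourGroupNameHere
if not "%passed_group%" == "" set sso_group_cn=%passed_group%
echo Run ps-bgc for group "cn=%sso_group_cn%,%sso_group_container_dn%" ...
"%psbgc_bin_path%" -i "%psbgc_ini_path%" -a "%sso_admin_user%" -p "%sso_admin_pwd%" ^
  -d "%sso_data_store_name%" -c "%sso_group_container_dn%" -r -g "%sso_group_cn%"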
---------------------------- End script ----------------------------
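Because each SSO server keeps its own PsBgc cache, it is worth confirming after a nightly run (or a folder copy) that no farm member was left with an older cache. The PowerShell check below is an added example, not part of the original document or of the CA product; the server names, the use of the C$ administrative share, and the assumption that cache entries are files under the PsBgc folder are illustrative.

```powershell
# Added example: report how fresh the PsBgc application-list cache is on each farm server.
# Assumptions: server names are placeholders, the install drive is reachable through the
# C$ admin share, and cache entries are stored as files under the PsBgc folder.
$Servers   = @('SSOSERVER1', 'SSOSERVER2')      # hypothetical farm members
$CacheRel  = 'C$\Program Files\CA\eTrust SSO\Server\PsBgc'
$MaxLagHrs = 24                                  # tolerance for a nightly psbgc run

function Get-PsBgcCacheState {
    param([string[]]$ServerList, [string]$RelativePath)
    foreach ($s in $ServerList) {
        $path = "\\$s\$RelativePath"
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Server = $s; Files = 0; Newest = $null; Status = 'UNREACHABLE' }
            continue
        }
        $files  = @(Get-ChildItem -LiteralPath $path -File -Recurse -ErrorAction SilentlyContinue)
        $newest = ($files | Sort-Object LastWriteTimeUtc -Descending |
                   Select-Object -First 1).LastWriteTimeUtc
        [pscustomobject]@{ Server = $s; Files = $files.Count; Newest = $newest; Status = 'OK' }
    }
}

$state = @(Get-PsBgcCacheState -ServerList $Servers -RelativePath $CacheRel)

# The most recently updated cache in the farm is the reference point.
$reference = ($state | Where-Object { $_.Newest } |
              Sort-Object Newest -Descending | Select-Object -First 1).Newest

foreach ($row in $state) {
    if ($row.Status -eq 'OK' -and $row.Files -eq 0) {
        $row.Status = 'EMPTY'
    }
    elseif ($row.Status -eq 'OK' -and ($reference - $row.Newest).TotalHours -gt $MaxLagHrs) {
        $row.Status = 'STALE'    # users routed here would receive an old application list
    }
}

$state | Format-Table Server, Files, Newest, Status -AutoSize
if ($state | Where-Object { $_.Status -ne 'OK' }) { exit 1 }   # non-zero for schedulers
```

A server reported as STALE or EMPTY is a candidate for rerunning psbgc locally or for receiving a copy of the PsBgc folder from an up-to-date server.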
Alternatively, you may choose to have the SSO client refresh the application list based on a specified time interval. You can accomplish this in the Client.ini file present on every SSO client installation. The section below defines the rules that govern client-side caching of application lists. The defaults are currently displayed:
More information on the PsBgc utility and configuring the SSO Client can be found in the Single Sign-On documentation suite available on support.ca.com.