When the WebAgent is accessed by multiple threads, the Policy Server outputs handshake errors.


Article ID: 6640


Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
AXIOMATICS POLICY SERVER
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

When the 'StartServers' value is increased and the WebAgent is accessed by multiple threads, the WebAgent sends RST packets to the Policy Server and the Policy Server outputs handshake errors.

[4844/4968][Thu Apr 06 2017 17:52:26][CServer.cpp:1974][ERROR][sm-Tunnel-00010] Bad security handshake attempt. Handshake error: 3152
[4844/4968][Thu Apr 06 2017 17:52:26][CServer.cpp:1981][ERROR][sm-Tunnel-00030] Handshake error: Failed to receive client hello. Socket error 0
[4844/4968][Thu Apr 06 2017 17:52:26][CServer.cpp:2147][ERROR][sm-Server-01070] Failed handshake with 10.131.xxx.xxx:57654

Cause

This problem originates on the kernel side, not in CA SSO.

When Apache runs in 'prefork' mode and too many processes are created (e.g. by increasing the httpd.conf values that control the number of processes and accessing the server with many threads), many orphaned child processes are likely to exist.

In this situation, these processes may be reset immediately and a warning printed, because the 'tcp_max_orphans' value on the kernel side is exceeded.
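
To check for this condition on the Linux host running Apache and the WebAgent, the following added example (not part of the original article or of CA SSO) compares the orphaned TCP socket count in /proc/net/sockstat with tcp_max_orphans and counts the sm-Server-01070 failed handshakes per peer in a Policy Server log. The function names, the 80% warning threshold and the sample values are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not vendor code). Run on the Linux host where Apache and the
# WebAgent run; pass --demo to use the constructed sample data instead.

# Print "<orphans> <limit> <percent>" for a sockstat file and a limit file.
orphan_usage() {
    sockstat=${1:-/proc/net/sockstat}
    limit_file=${2:-/proc/sys/net/ipv4/tcp_max_orphans}
    limit=$(cat "$limit_file") || return 2
    awk -v limit="$limit" '
        $1 == "TCP:" { for (i = 2; i < NF; i += 2)
                           if ($i == "orphan") { n = $(i + 1); found = 1 } }
        END { if (!found || limit <= 0) exit 2
              printf "%d %d %d\n", n, limit, (n * 100) / limit }' "$sockstat"
}

# Exit 0 while usage is below the threshold percentage (default 80), 1 otherwise.
orphan_check() {
    usage=$(orphan_usage "$1" "$2") || return 2
    [ "${usage##* }" -lt "${3:-80}" ]
}

# Count sm-Server-01070 "Failed handshake with <ip>:<port>" lines per peer IP
# in a Policy Server log, busiest peer first.
failed_handshake_peers() {
    awk '/\[sm-Server-01070\]/ && /Failed handshake with/ {
             peer = $NF; sub(/:[0-9]+$/, "", peer); count[peer]++ }
         END { for (p in count) print count[p], p }' "$1" | sort -rn
}

# Constructed sample data: values are illustrative, not from a real host.
demo() {
    d=$(mktemp -d) || return 1
    echo 'TCP: inuse 412 orphan 3900 tw 51 alloc 4400 mem 310' > "$d/sockstat"
    echo 4096 > "$d/max"
    cat > "$d/smps.log" <<'EOF'
[1/2][Thu Apr 06 2017 17:52:26][CServer.cpp:2147][ERROR][sm-Server-01070] Failed handshake with 192.0.2.10:57654
[1/2][Thu Apr 06 2017 17:52:27][CServer.cpp:2147][ERROR][sm-Server-01070] Failed handshake with 192.0.2.10:57660
EOF
    orphan_usage "$d/sockstat" "$d/max"
    orphan_check "$d/sockstat" "$d/max" || echo "orphan count is near tcp_max_orphans"
    failed_handshake_peers "$d/smps.log"
    rm -rf "$d"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Called without arguments, orphan_usage reads the live /proc files; a peer IP that dominates the failed-handshake count identifies the web agent host to check.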

Environment

Release:
Component: SMAPC

Resolution

Change the Apache MPM so that it runs in 'worker' mode instead of 'prefork'.

Additional Information

tcp_max_orphans:

http://lartc.org/howto/lartc.kernel.obscure.html 

 

Apache MPM prefork:

http://www.su.t.u-tokyo.ac.jp/manual/ko/mod/prefork.html