Seeing many "Policy store failed operation 'MultipleSearch' errors in the SMPS.log with R12.52 SP1 Policy Server.

search cancel

Seeing many "Policy store failed operation 'MultipleSearch' errors in the SMPS.log with R12.52 SP1 Policy Server.

book

Article ID: 4089

calendar_today

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On

Issue/Introduction

Policy Server reports Error 82 during cache rebuilds:

[17987/4011699056][Fri Oct 16 2015 08:45:01][SmObjProvider.cpp:187][ERROR][sm-Server-03090] Policy store failed operation 'MultipleSearch' for object type 'UserDirectory' . LDAP Error Doing UserDirectory_Fetch: 82: Local error

These errors are encountered on other object types as well such as "UserDirectory", "TrustedHost", "PropertyCollection", and "ServerCommand" to name a few.

Environment

SiteMinder Policy Server : R12.52 SP1 Policy Store : CA Directory version >= R12.0.14 and < R12.0.17 CR1

Cause

CA directory has setting dxgrid-queue and the issue may occur when this setting set to true. Pre-SP14, it was set to ‘false’ by default, Post-SP14, it is set to ‘true’ by default.

These failed searches are the result of a packet/memory corruption issue in CA Directory R12.0.14 through R12.0.17 with 'set dxgrid-queue=true' (default).

This error is reported by LDAP SDK on the Policy Server side due to malformed packet received from CA Directory.

Resolution

This issue is resolved in CA Directory R12.0.17 CR-01. So, to resolve this issue and still be able to use the dxgrid-queue upgrade CA Directory to version R12.0.17 CR-01 or later.

Workaround:

1. Disable dxgrid-queue by adding following configuration in your DSA initialization file (.dxi ) :

set dxgrid-queue=false

<Please see attached file for image>

style="" src="/servlet/servlet.FileDownload?file=0150c000004AKHWAA4" alt="dxi.jpg">

2. Restart DSA

However, please note , disabling the dxgrid-queue comes with the penalty of loosing the following benefits which comes with the dxgrid-queue :

Improves performance of concurrent search and update requests.
Allows abandoning of searches that are not performed yet (due to reasons such as client disconnect or timeout).
Increases thread utilization, thus allowing better throughput.
Allows the set interrupt-searches = true|false; command to be used to prevent long running searches blocking updates. See the set interrupt-searches command for more details.

Additional Information

https://docops.ca.com/ca-directory/12-0-17/en/reference/commands-reference/set-dxgrid-queue-command-add-a-queue-in-front-of-data-store
https://docops.ca.com/ca-directory/12-0-17/en/release-notes/defects-fixed-in-ca-directory-12-0-17-cr1

Attachments

1558708580063000004089_sktwi1f5rjvs16r4q.jpeg get_app

Feedback

thumb_up Yes

thumb_down No