CA Access Gateway (formerly Secure Proxy Server): Commonly Tuned Parameters


Article ID: 43275


Updated On:


CA Single Sign On Secure Proxy Server (SiteMinder) AXIOMATICS POLICY SERVER CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On



- This article gives an overview of parameters that are able to be tuned within the CA Access Gateway (formerly CA Secure Proxy Server) and its various components

- The CA Access Gateway is comprised of an HTTP Listener (Apache module) and a Tomcat Servlet container

- There are four specific tuneable sections of the CA Access Gateway:

  1. Apache
  2. Apache-Tomcat connector
  3. HttpClient Connection Pool
  4. JVM



1. Apache:


Since Apache (version 2.2.6) is acting as an Http-Listener inside SPS, it can be tuned from the perspective of number of threads or max clients it can support concurrently.

The Apache server ships with a selection of Multi-Processing Modules (MPMs) which are responsible for binding to network ports on the machine, accepting requests, and dispatching children to handle the requests. The MPM modules with which Apache (used inside SPS) has been built are as follows: 

For Windows platform: mpm_winnt (The tunable parameters are available inside httpd.conf)

For UNIX platform: worker (The tunable parameters are available inside httpd-mpm.conf)

Below is the list of the important parameters that need to be tuned from the perspective of number of Threads or max clients it can support:


ParameterDescriptionDefault Value

This parameter sets the number of threads created by each child process. The child creates these threads at startup and never creates more. This parameter holds significance for Windows platform since there is only one child process.

This parameter should be high enough to handle the entire load of the server. For UNIX platform, where there are multiple child processes, the corresponding parameter would be MaxClients.

Consider increasing this value on Windows if more number of concurrent connections/requests are expected.

250 (Windows)

25 (Unix)


This parameter sets the maximum configured value for ThreadsPerChild for the lifetime of the Apache process.

This value is not present by default in the conf files. 

1920 (Windows)

64 (Unix)


This parameter sets the limit on the number of simultaneous requests that will be served. Once a child process is freed at the end of a different request, the connection will then be serviced. It is only available for UNIX platform

Consider increasing this value if more number of concurrent connections/requests are expected.
150 (Unix)




2. Tomcat Connector:



Tomcat ajp13 connector receives the requests that are forwarded by Apache via mod_jk.

The Tomcat initialization is customized so it does not allow deployment of any external applications or servlets. The standard Tomcat xml (server.xml) is not used for initialization.

The tunable parameters for Tomcat Ajp13 Connector are available inside server.conf (<sps_home>/secure-proxy/proxy-engine/conf/server.conf).

Below is the list of the parameters: 

ParameterDescriptionDefault Value

Number of request waiting in queue (queue length):

This represents the maximum queue length for incoming connection requests when all possible request processing threads are in use. Any requests received when the queue is full are refused.

Number of threads created at initialization time:

This represents the number of request processing threads that will be created when this connector is initialized.

This attribute should be set to a value smaller than that set for worker.ajp13.max_threads

Maximum number of concurrent connections possible:

This represents the maximum number of request processing threads to be created by this connector, which therefore determines the maximum number of simultaneous requests that can be handled.

The maximum time (milliseconds) that can elapse between any two packets received from proxy engine after which the connection between HTTP listener and proxy engine is dropped.  A value of zero makes it to wait indefinitely until response is received (default)

The parameter value should be kept equivalent to the 

0 (infinite/never timeout)

The maximum number of times that the worker will send a request to Proxy Engine in case of a communication error.

Each retry will be done over another connection. The first time already gets counted, so retries=2 means one retry after error


3. HttpClient Connection Pool:


The HTTP client component is used by the SPS to send requests over the wire to the backend server and receive responses from the backend server.

HttpClient ConnectionPool is a pool that maintains the connections that are made with the backend web server by HttpClient component.

Below is the list of the tunable parameters that are available inside server.conf (<sps_home>/secure-proxy/proxy-engine/conf/server.conf).


ParameterDescriptionDefault Value

The minimum number of connections to a single destination server that will be maintained by the SPS and available for processing user requests.

It defines the minimum number of connections that would be created when the first request is made to a particular backend web server. 

The maximum number of connections between the SPS and a destination server.

It defines the maximum number of connections that can be made with a particular backend web server at a given point of time. These connections would be available in the pool. If all the connections are busy then the request will have to wait for any of the connections to be available.

Note: Each connection established by the SPS creates a socket. For UNIX operating systems, if the maximum size of the connection pool is large, you might need to increase the operating system’s limit on file descriptors to accommodate the large number of sockets

The increment factor when creating the connections.

It defines the number of connections that would be added (in case the http_connection_pool_max_size has not reached) to the pool if all the connections that are already present in the pool are being used to process requests.
http_connection_pool_connection_timeoutThis parameter defines the Idle time for a connection (in minutes or seconds as specified by the parameter http_connection_pool_connection_timeout_unit) after which the connection is closed and removed from the pool.1

This parameter defines whether the value specified in the http_connection_pool_connection_timeout is to be considered in minutes or seconds.


Timeout (in milliseconds) to be used to wait for an available connection.

If all the connections present in the pool are busy at a given point of time and the http_connection_pool_max_size limit has reached then the request would wait for this much amount of time before getting timed out.

A timeout of zero means wait indefinitely.
0 (infinite/never timeout)

Number of attempts to obtain a connection from the pool.

A value of zero causes it to attempt indefinitely.

This parameter is only applicable if wait timeout is not zero

Timeout (in milliseconds) to be used for creating connections and reading responses.

This parameter defines the socket timeout as well as it limits the time that would be spent in establishing a connection to backend web server. This would include the time spent doing the host name translation and establishing the connection with the backend web server when creating sockets.

A timeout of zero means wait indefinitely.

The parameter value should be kept equivalent to the worker.ajp13.reply_timeout.



4. JVM:

The JVM tuning parameters can have major impact on performance especially on UNIX.

The JVM settings can be tuned via the (<sps_home>/secure-proxy/proxy-engine/conf/ on Windows platform and via the (<sps_home>\secure-proxy\proxy-engine\ for UNIX platform.

Most important parameters are:

–Xms (default --256m)

–Xmx (default --512m)

to define proper memory usage by CA Access Gateway

-Xms - This setting tells the JVM to set its initial heap size. By telling the JVM how much memory it should initially allocate for the heap, we save it from growing the heap size frequently

-Xmx - This setting tells the JVM, the maximum amount of memory it should use for the heap. Placing a hard upper limit on this number means that the Java process cannot consume more memory than physical RAM available. This limit can be raised on systems with more memory.


 Note: Do not set this value to near or greater than the amount of physical RAM in your system or it will cause severe swapping during runtime.


Component: SMSPS