
IDMWORKS Blog

CA SiteMinder Agent Cache – Performance Best Practices


The CA SiteMinder Web Agent stores user session and resource information in a memory cache. This improves Web Agent efficiency because the agent does not have to retrieve information from the Policy Server each time a user requests access. Web Agents store contextual information about user access privileges in a session cache.

By tuning the cache settings, you can better manage how information is stored. The size of a cache is measured in cache entries, and the total number of entries in each cache can NOT exceed the maximum cache size you specify.

Note: You have to restart the Web Server for changes in the Web Agent cache settings to take effect.

The following guidelines apply to cache management:

  • When a cache is full, new entries replace the least recently used entries.
  • For the resource cache, entries are removed when the value of the ResourceCacheTimeout parameter is reached.
  • For the user session cache, entries are removed based on the session timeout values that you set for each realm.

Note: SiteMinder empties cached resource information when you modify a policy. You can also empty the user and resource caches manually from the Administrative UI. For more information about session time-outs and cache management, see the Policy Server Administration Guide.

SiteMinder maintains an Agent Cache on each SiteMinder Agent machine. The Agent Cache has two (2) components:

      1. Agent Resource Cache
      2. Agent User Cache


Multi-thread vs. Multi-process cache

Web Agents that use a multi-threaded cache (IIS Web Agents, iPlanet 4.x and 6.0 Web Agents on Windows operating systems, and Domino Web Agents on Windows and UNIX operating systems) add a session to the session cache when a user is successfully authenticated, provided the session cache size is greater than “0”.

If that user requests additional resources from the same realm, the Web Agent validates the user against the session cache, so the ValidationCount does NOT increase.

Apache and iPlanet 4.x/6.x Web Agents running on UNIX operating systems (which use a multi-process cache) do NOT add the session cookie to the session cache until the user presents that cookie to the Web Agent during a request for another resource within the realm where he/she was authenticated. The Web Agent validates the first request made with a session cookie against the Policy Server, which increases the ValidationCount.

Subsequent requests are validated against the cache.

Resource Cache

The Agent Resource Cache stores a record of accessed resources that are protected by various realms. This cache speeds up Agent-to-Policy Server communication, since the Agent already knows about resources for which it has previously processed requests.

  • Caches the results of resource IsProtected calls
  • Session independent
  • Based upon full URL, agent name, and action
    • Also stores realm OID, protection type (auth scheme), and redirection URL
  • Entry size = length of URL + 1 KB of internal data
  • Ignored documents are not counted towards the cache
  • Dropping entries when the cache is full is expensive
  • The LRU (least recently used) algorithm used to drop entries incurs greater overhead at larger cache sizes
  • Static URLs
    • Set the maximum resource cache size to more than the number of possible URLs + 10%
    • Set the cache timeout so that resources expire before the cache fills
  • Dynamic URLs
    • More than 60% of URLs are unique (query string changes)
    • Limit the maximum number of entries to reduce the LRU cost
    • Lower the cache timeout to reduce the chance of an LRU eviction

User Session Cache


The Agent User Cache maintains users’ encrypted session tickets. It acts as a session cache by storing user, realm, and resource information. Entries in this cache are invalidated based on timeouts established by the realms a user accesses.

  • Caches authentication & authorization information that occurs for SSO
  • Authentication entries are based upon session ID & Realm
  • Authorization entries are based upon session ID & Resource
    • Only cache anonymous users on agents dedicated to anonymously protected content
  • Response information cached by each process is stored with a timestamp
    • Response configured
    • Max session
  • Maximum session time is stored for authentication entry clean-up
  • Static URLs
    • Set User Session Cache to 5 * Resource Cache
  • Dynamic URLs
    • Set User Session Cache to 2000

Recommended Settings:

  • Resource Cache = 20000
  • User Session Cache = 2000

Questions, comments or concerns? Feel free to reach out to us below, or email us at IDMWORKS to learn more about how you can protect your organization and customers.
