Implementation Guide › Optimizing CA IdentityMinder › User Store Tuning

User Store Tuning

User store tuning involves a number of steps, including the following:

• Optimizing the structure of the user store
• Tuning underlying stores
• Implementing load balancing and replication

These steps depend on the type of user store that you are using. For tuning information in these areas, see the documentation for the database or directory that contains the user store.

In addition to the general tuning considerations, the following tuning considerations are specific to CA IdentityMinder:

• Measure user store search performance

  For optimum performance, CA IdentityMinder policy evaluation searches should complete within 10-20 milliseconds.

  To ensure that CA IdentityMinder can consistently complete these searches in the recommended time, consider testing search performance under multiple load conditions.

  You can also use this measurement to determine when a user store reaches its physical limits and additional servers are required for load balancing.

• Index attributes

  Index each attribute that is used in a role policy or identity policy. Indexing attributes can provide significant performance improvements.

  Note: For information about indexing attributes, see the documentation for the LDAP directory or relational database that contains the user store.

• Cache LDAP Binds

  In CA IdentityMinder, all directory LDAP binds are executed by the proxy user defined on the CA IdentityMinder Directory object. For each connection, the same LDAP bind occurs for this same user repeatedly.

  If you are using an LDAP directory as a user store, configure the directory to cache LDAP binds (or sessions), if the directory supports it.

• Enable user store caches

  When CA IdentityMinder evaluates the policy decisions for a user, that information is stored in an authorization cache. When the cached information expires, CA IdentityMinder evaluates all policies for that user again.

  To improve performance of user store searches in subsequent policy rule evaluations, enable the user store to cache searched data, if your user store supports it.

  CA Directory includes a cache, called dxCache, which is an in-memory database implementation that can search across cached data.

  Note: For more information about CA Directory, see the CA Directory Administrator Guide.