Policy Server Guides › Policy Server Administration Guide › Cache Management

Cache Management

This section contains the following topics:

Cache Management Overview

CA SiteMinder® provides several caches that can be configured to maintain copies of recently accessed data (for example, user authorizations) to improve system performance. These caches should be configured to suit the nature of the data in your environment, but may also require periodic manual flushing.

CA SiteMinder® deployments can be configured to maintain the following cache on the Policy Server:

The User Authorization Cache stores user distinguished names (DNs) based on the user portion of policies and includes the users’ group membership.

CA SiteMinder® also maintains an Agent Cache on each a CA SiteMinder® Agent machine. The Agent Cache has two components:

The Agent Resource Cache stores a record of accessed resources that are protected by various realms. This cache speeds up Agent to Policy Server communication, since the Agent knows about resources for which it has already processed requests.
The Agent User Cache maintains users’ encrypted session tickets. It acts as a session cache by storing user, realm, and resource information. Entries in this cache are invalidated based on timeouts established by the realms a user accesses.

Manage Cache Updates

You can suspend and resume cache flush updates to help resolve policy evaluation issues. You manage cache updates using the Administrative UI or the smpolicysrv command.

If you change the cache update status, the central administration Policy Server issues the command to all secondary Policy Servers.

Note: Policy Server commands are processed according to a thread management model. As a result, changes to the cache status are not visible in the smps.log file immediately.

Manage Cache Updates Using the Administrative UI

View the status of and enable or disable Policy Server cache flush updates using the Administrative UI.

Follow these steps:

Log in to the Administrative UI.
Click Administration, Policy Server, Cache Management.
View the cache status in the Cache Updates section:
Cache updates are disabled: Cache flushing is disabled.

Cache updates are enabled: Cache flushing is enabled.
(Optional) Click the Enable/Disable button to switch cache updates.

Manage Cache Updates Using the smpolicysrv Command

View the status of and enable or disable Policy Server cache flush updates using the smpolicysrv command.

Follow these steps:

Open a command prompt.
Consider the following points on Windows systems:
- Do not run the smpolicysrv command from a remote desktop or Terminal Services window. The command depends on interprocess communications. If you run the smpolicysrv process from a remote desktop or Terminal Services window, these communications do not work.
- Be sure to open the command line window with administrator permissions. Use these permissions even if you are logged in to the system as an administrator. For more information, see the release notes for your CA SiteMinder® component.
Enter one of the following commands:

smpolicysrv -disablecacheupdates

Disables cache flushing.

smpolicysrv -enablecacheupdates

Enables cache flushing.

smpolicysrv -statuscacheupdates

Reports the refresh status of Policy Server caches to the log file: smps.log.

Disabled: Cache flushing is disabled.

Enabled: Cache flushing is enabled.

Flush Caches

When you change CA SiteMinder® objects, CA SiteMinder® automatically flushes the appropriate cache entries. The cache settings also specify a regular interval for applying administrative changes. When making sensitive changes (for example, changing the access rights to highly critical information), you have the option of flushing CA SiteMinder® caches manually. This manual step helps ensure that unauthorized users cannot access protected resources based on information stored in the caches.

Cache Management features are accessible from the Policy Server Global Tools pane in the Administrative UI. They let you force an update of SiteMinder data by manually flushing the following caches:

All Caches: Enables you to flush all caches, including user sessions, resource information, and user directory caches (including certificate CRLs).
User Session Caches: Enables you to force users to reauthenticate when they try to access protected resources.
Resource Caches: Enables you to flush cached information about resources.

Flush All Caches

The Cache Management options provide a method for administrators to flush the contents of all caches. Flushing all caches can possibly adversely affect the performance of a Web site, since all requests immediately following the cache flush must retrieve information from user directories and the policy store. However, this action can be necessary if critical user privileges and policy changes must go into effect immediately.

Cache management features are only available to administrators who have either the Manage Users or Manage System and Domain Objects privileges. The Flush All button is only available for administrators with the Manage System and Domain Objects. This menu selection appears only when the account you used to log in has enough privileges to access the cache function.

To flush all caches

Log in to the Administrative UI.
Click Administration, Policy Server, Cache Management.
In the All Caches group box, click Flush All.
Note: The Flush All button is only enabled for administrators that have both the Manage Users and Manage the SiteMinder Objects privileges.

The Policy Server and associated SiteMinder Agents flush all caches. This process can take up to twice the time of your policy server poll interval while the Policy Server synchronizes caches.
Click Submit.
All caches are cleared.

Flush User Session Caches

When a user successfully authenticates, the Policy Server begins a session for the authenticated user. During the session, the web agent stores authorization information in the user cache.

Consider the following:

If you change user access rights, it can be necessary to force the Policy Server to flush user session information from the web agent cache.
The option to flush user caches is only enabled for administrators that have permission to manage users.

Follow these steps:

Log in to the Administrative UI.
Click Administration, Policy Server, Cache Management.
Select one of the following options in the User Session Caches section.
All

Flushes all user sessions from the user cache.

Specific User DN
Flushes a specific DN from the user cache.

If you select this option:
1. Select the user directory from the Directory list that contains the DN you want to remove.
2. Enter the distinguished name in the DN field. Specify a user DN, not a DN of a group. If you do not know the DN, click Lookup and search for the DN.
Click Flush.
CA SiteMinder® flushes the respective users from the user cache. This process takes up to twice the time specified by your Policy Server poll interval while the Policy Server synchronizes caches.
Click Submit.
The user session caches are cleared.

Flush Resource Caches

SiteMinder Web Agents stores information about specific resources that users access in a resource cache. The resource cache records the following:

Record of the Resources that have been accessed by users
Whether or not the resources are protected by SiteMinder
If a resource is protected, how the resource is protected

If you change rules or realms, you may want the changes to take effect immediately. If so, you must flush the resource cache.

Note: For detailed information about flushing resource caches for a realm or for a specific policy, see the Policy Server Configuration Guide.

To flush resource caches

Log into the Administrative UI.
Click Administration, Policy Server, Cache Management.
In the Resource Caches group box, click Flush.
This flushes all resource caches and forces Web Agents to authorize requests against the Policy Server. This process will take up to twice the time specified by your policy server poll interval while the Policy Server synchronizes caches.

Note: For an administrator with the Manage Domain Objects privilege for specific policy domains, flushing all resource caches only flushes the caches for the realms within the administrator’s policy domains.
Click Submit.
The resource cache are cleared.

Flush the Requests Queue on the Policy Server

Requests from CA SiteMinder® agents are set to time out after a certain interval. However, the Policy Server continues to process all agent requests in the queue, even those requests that have timed out, in the order that they were received. The following situations can cause the queue to fill with agent requests faster than the Policy Server can process them:

Network lag between the Policy Server and the policy store or user store databases
Heavy loads on the policy store or user store databases
Policy Server performance problems

When the Policy Server requests queue fills with agent requests, you can flush the timed-out agent requests from the queue, so that only the current agent requests remain. Only use this procedure in the following case:

Agent requests waiting in the Policy Server queue time out.
One or more Agents resend the timed-out requests, overfilling the queue.

Important! Do not use -flushrequests in normal operating conditions.

To flush the requests queue on the Policy Server

Open a command prompt on the Policy Server.
Run the following command:
```
smpolicysrv -flushrequests
```
The request queue is flushed.

Note: On Windows systems, do not run the smpolicysrv command from a remote desktop or Terminal Services window. The smpolicysrv command depends on inter-process communications that do not work if you run the smpolicysrv process from a remote desktop or Terminal Services window.

Important! Before running a CA SiteMinder® utility or executable on Windows Server 2008, open the command line window with administrator permissions. Open the command line window this way, even if your account has administrator privileges.