This section contains the following topics:
CA SiteMinder® provides several caches that can be configured to maintain copies of recently accessed data (for example, user authorizations) to improve system performance. These caches should be configured to suit the nature of the data in your environment, but may also require periodic manual flushing.
CA SiteMinder® deployments can be configured to maintain the following cache on the Policy Server:
CA SiteMinder® also maintains an Agent Cache on each a CA SiteMinder® Agent machine. The Agent Cache has two components:
You can suspend and resume cache flush updates to help resolve policy evaluation issues. You manage cache updates using the Administrative UI or the smpolicysrv command.
If you change the cache update status, the central administration Policy Server issues the command to all secondary Policy Servers.
Note: Policy Server commands are processed according to a thread management model. As a result, changes to the cache status are not visible in the smps.log file immediately.
View the status of and enable or disable Policy Server cache flush updates using the Administrative UI.
Follow these steps:
Cache updates are disabled: Cache flushing is disabled.
Cache updates are enabled: Cache flushing is enabled.
View the status of and enable or disable Policy Server cache flush updates using the smpolicysrv command.
Follow these steps:
Consider the following points on Windows systems:
Disables cache flushing.
Enables cache flushing.
Reports the refresh status of Policy Server caches to the log file: smps.log.
Disabled: Cache flushing is disabled.
Enabled: Cache flushing is enabled.
When you change CA SiteMinder® objects, CA SiteMinder® automatically flushes the appropriate cache entries. The cache settings also specify a regular interval for applying administrative changes. When making sensitive changes (for example, changing the access rights to highly critical information), you have the option of flushing CA SiteMinder® caches manually. This manual step helps ensure that unauthorized users cannot access protected resources based on information stored in the caches.
Cache Management features are accessible from the Policy Server Global Tools pane in the Administrative UI. They let you force an update of SiteMinder data by manually flushing the following caches:
Enables you to flush all caches, including user sessions, resource information, and user directory caches (including certificate CRLs).
Enables you to force users to reauthenticate when they try to access protected resources.
Enables you to flush cached information about resources.
The Cache Management options provide a method for administrators to flush the contents of all caches. Flushing all caches can possibly adversely affect the performance of a Web site, since all requests immediately following the cache flush must retrieve information from user directories and the policy store. However, this action can be necessary if critical user privileges and policy changes must go into effect immediately.
Cache management features are only available to administrators who have either the Manage Users or Manage System and Domain Objects privileges. The Flush All button is only available for administrators with the Manage System and Domain Objects. This menu selection appears only when the account you used to log in has enough privileges to access the cache function.
To flush all caches
Note: The Flush All button is only enabled for administrators that have both the Manage Users and Manage the SiteMinder Objects privileges.
The Policy Server and associated SiteMinder Agents flush all caches. This process can take up to twice the time of your policy server poll interval while the Policy Server synchronizes caches.
All caches are cleared.
When a user successfully authenticates, the Policy Server begins a session for the authenticated user. During the session, the web agent stores authorization information in the user cache.
Consider the following:
Follow these steps:
Flushes all user sessions from the user cache.
Flushes a specific DN from the user cache.
If you select this option:
CA SiteMinder® flushes the respective users from the user cache. This process takes up to twice the time specified by your Policy Server poll interval while the Policy Server synchronizes caches.
The user session caches are cleared.
SiteMinder Web Agents stores information about specific resources that users access in a resource cache. The resource cache records the following:
If you change rules or realms, you may want the changes to take effect immediately. If so, you must flush the resource cache.
Note: For detailed information about flushing resource caches for a realm or for a specific policy, see the Policy Server Configuration Guide.
To flush resource caches
This flushes all resource caches and forces Web Agents to authorize requests against the Policy Server. This process will take up to twice the time specified by your policy server poll interval while the Policy Server synchronizes caches.
Note: For an administrator with the Manage Domain Objects privilege for specific policy domains, flushing all resource caches only flushes the caches for the realms within the administrator’s policy domains.
The resource cache are cleared.
Requests from CA SiteMinder® agents are set to time out after a certain interval. However, the Policy Server continues to process all agent requests in the queue, even those requests that have timed out, in the order that they were received. The following situations can cause the queue to fill with agent requests faster than the Policy Server can process them:
When the Policy Server requests queue fills with agent requests, you can flush the timed-out agent requests from the queue, so that only the current agent requests remain. Only use this procedure in the following case:
Important! Do not use -flushrequests in normal operating conditions.
smpolicysrv -flushrequests
The request queue is flushed.
Note: On Windows systems, do not run the smpolicysrv command from a remote desktop or Terminal Services window. The smpolicysrv command depends on inter-process communications that do not work if you run the smpolicysrv process from a remote desktop or Terminal Services window.
Important! Before running a CA SiteMinder® utility or executable on Windows Server 2008, open the command line window with administrator permissions. Open the command line window this way, even if your account has administrator privileges.
Copyright © 2013 CA.
All rights reserved.
|
|