Previous Topic: Web Tier PerformanceNext Topic: Data Tier Performance


Application Tier Performance

Policy Servers evaluate polices in the application tier and user credentials and attributes in the data tier to protect resources. Consider the following guidelines to performance tune the application tier:

CA SiteMinder® Policy Design and Performance

CA SiteMinder® policies define how users interact with resources. When you create CA SiteMinder® policies in the Administrative UI, you link together (bind) objects that identify users, resources, and actions associated with the resources.

You can improve or degrade performance in the way you configure specific CA SiteMinder® components or by choosing to enable optional features. A performance strategy includes:

The business rules and security requirements of your enterprise should ultimately dictate your CA SiteMinder® policy design. The following guidelines are available to help you balance CA SiteMinder® performance, while meeting these requirements.

CA SiteMinder® Policy Objects and Performance Roadmap

CA SiteMinder® requires that you configure core CA SiteMinder® policy objects in a specific order. The following diagram lists this order, where shaded items represents objects that affect performance during user authentication or authorization.

Note: The Host Configuration Object (HCO) and Agent Configuration Object (ACO) affect the performance of your Web tier.

Diagram illustrating policy components

More information:

Web Tier Performance

Applications

You can improve or degrade performance during authentication and authorization in the way you configure applications.

An application is a Policy Server object that defines a complete security policy for one or more related web services. Applications associate web service resources with user roles to specify entitlement policies that determine what web service users can access what web service application resources.

When you create an application, you bind it to one or more user directory connections against which the Policy Server attempts to authenticate users. Therefore, the number of directory connections, and order in which they are listed, directly affects CA SiteMinder® performance during authentication.

The number of web service ports and operations that are defined as protected resources in an application correlates to CA SiteMinder® performance during authorization.

Resources can be bound to one or more responses. When a resource is accessed, the associated response returns information to an agent, such as user attributes, DN attributes, static text, or customized active responses.

The types of responses you bind to web service resources directly correlate to CA SiteMinder® performance during authorization.

Domains

You can improve or degrade performance during authentication in the way you configure domains.

A CA SiteMinder® policy domain is a logical grouping of resources associated with one or more user directories. When you create a domain, you bind one or more user directory connections to the domain.

The Policy Server attempts to authenticate users using these directory connections. Therefore, the number of directory connections, and order in which they are listed, directly correlates to CA SiteMinder® performance during authentication.

Note: For more information about configuring domains, see the Policy Server Configuration Guide.

More information:

Group Resources into Domains or EPM Applications

Domains and Authentication Performance

Realms

You can improve or degrade performance during authentication in the way you configure realms.

You group the resources in a domain into one or more realms. A realm is a set of resources (URLs) with a common security (authentication) requirement. The resource filter you define and the authentication scheme you select directly correlate to performance during authentication:

Realm settings also determine:

Note: For more information about realms, see the Policy Server Configuration Guide. For more information about authentication schemes, see the Policy Server Configuration Guide.

More information:

Group Resources into Realms or EPM Components

Realms and Authentication Performance

Rules and Rule Groups

You can improve or degrade performance during authorization in the way you configure realms.

You create rules or rule groups in the context of a realm. Rules:

The resource filter you define in the rule, which is prefixed with the realm filter, identifies the resource that requires protection.

The Policy Server evaluates rules to determine which resource filter best matches the requested resource. Upon a match, the Policy Server fires the policies to which the rule is bound to determine if the user is authorized to access the resource.

The number of rules within a realm and how you define each of the resource filters directly correlates to CA SiteMinder® performance during authorization.

Note: For more information about rules, see the Policy Server Configuration Guide.

More information:

Rules and Authorization Performance

Responses

You can improve or degrade performance during authorization in the way you configure responses.

Responses or response groups are bound to specific rule or rule groups. When a rule fires, a response can:

Policies rules can be bound to one or more responses. The types of responses you bind to CA SiteMinder® policy rules directly correlates to CA SiteMinder® performance during authorization.

Note: For more information about responses, see the Policy Server Configuration Guide.

More information:

Responses and Authorization Performance

Authentication Guidelines

CA SiteMinder® performance during the authentication (IsAuthenticated?) step typically correlates with:

CA SiteMinder® Policy Objects and Performance Roadmap

Authentication performance can improve or degrade depending on how you configure specific CA SiteMinder® policy objects or by choosing to enable optional features associated with those objects.

CA SiteMinder® requires that you configure core CA SiteMinder® policy objects in a specific order. The following diagram lists this order, where shaded items represent objects that affect performance during user authentication.

Diagram of the policy objects that affect performance during authentication

User Directories and Authentication Performance

Configuring a domain requires that you bind one or more user directory connections to the domain. The Policy Server uses the search criteria you specify in the user directory connection to verify user credentials during the authentication step.

Note: For more information about configuring user directory connections, see the Policy Server Configuration Guide.

The following factors affect user authentication performance at the directory level:

CA SiteMinder® Web Services Security Authentication Schemes and Authentication Performance

Different CA SiteMinder® Web Services Security authentication schemes impose different level of WSS Agent processing overhead, which can also vary between WSS Agent types.

In general, authentication throughput is greater for authentication schemes that do not require digital signature verification or payload confidentiality.

Digital signature verification is more CPU- and data-intensive on WSS Agent for Web Servers, but also slightly impacts WSS Agents for application servers.

Domains and Authentication Performance

The following factors affect user authentication performance at the domain (or application object general) level:

Realms and Authentication Performance

The following factors affect user authentication performance at the realm (or application object component) level. Consider each as you configure realms:

Authorization Guidelines

CA SiteMinder® performance during the authorization step typically correlates with:

The complexity of your CA SiteMinder® policy design affects each of these areas.

Policy Objects and Performance

You can improve or degrade authentication performance in the way you configure specific CA SiteMinder® policy objects or by choosing to enable optional features associated with those objects. The following policy objects can affect performance during user authorization:

Rules and Authorization Performance

The following factors affect user authorization performance at the rule (or application object resource) level:

Note: For more information about rules, see the Policy Server Configuration Guide.

The following filters are listed in the order in which they have the smallest affect on performance:

Responses and Authorization Performance

The type of response attributes bound to rules in a CA SiteMinder® policy affect performance. The following response types are listed in the order in which they have the smallest affect on performance:

CA SiteMinder® Policy Membership and Authorization Performance

Policy membership is the part of a CA SiteMinder® policy that specifies which users apply to the policy. CA SiteMinder® policies are stored in domains, and as a result, you use filters to apply CA SiteMinder® policy membership to any or all users stored in the user directories bound to the domain. The type of filter you define determines how the Policy Server evaluates CA SiteMinder® policy membership.

Note: For more information about adding users to a CA SiteMinder® policy, see the Policy Server Configuration Guide.

The following filters are listed in the order in which they have the smallest affect on performance:

Note: You can enable the User Authorization cache to reduce the number of requests the Policy Server makes to user directories to resolve policy membership.

More information:

User Authorization Cache

User Authorization Cache

The user authorization cache reduces the number of user directory requests to determine CA SiteMinder® policy membership by storing the relationship between users and policies.

Note: The user authorization cache does not store data about the user, store user attribute values, or cache user entries.

For example, three policies are configured to apply to an "Administrator" group, to which user A belongs. The first–time the Policy Server evaluates CA SiteMinder® policy membership, it must resolve the group membership and make three requests (one for each policy) to the user directory to determine that each CA SiteMinder® policy applies.

The Policy Server writes these results to the user authorization cache. Subsequent policy evaluation does not require the Policy Server to make user directory requests. Rather, the Policy Server uses the cached authorization information to determine policy membership.

Note: The Policy Server polls for policy updates periodically. The default interval is 60 seconds. If the policy membership changes, the Policy Server reloads the policy and removes the cache entries that are related to the updated policy.

More information:

CA SiteMinder® Policy Membership and Authorization Performance

User Authorization Cache Efficiency

The user authorization cache is most efficient when:

If these factors are not met, the efficiency of the User Authorization cache is reduced.

Example: the user authorization cache and agents configured to round–robin load balance

The more Policy Servers that are in the CA SiteMinder® agent round–robin pool, the greater the chance that the efficiency of the user authorization cache is reduced.

If a single CA SiteMinder® Agent is configured to round–robin between two Policy Servers, the first request for a protected resource results in a user authorization cache entry on one of the Policy Servers. There is approximately a 50 percent chance that the Policy Server that does not have the cache entry must service the second request. Moving forward, however, both Policy Servers have cached the data for subsequent requests.

Consider now, the effect of a single Agent configured to round–robin between 10 Policy Servers. After a Policy Server authorizes a user and enters the result in to the authorization cache, there is only a 10 percent chance that the same Policy Server services the next request. In this configuration, 5 cache misses must occur before there is a 50 percent chance of a cache hit.

Note: Policy Server clusters can reduce the effect round–robin load balancing has on the user authorization cache.

Estimate the Size of the User Authorization Cache

The default size of the user authorization cache is 10 MB. You can estimate the amount of space the user authorization cache requires and use the Policy Server Management Console to adjust the default size.

To estimate the size of the user authorization cache

  1. Use the following formula to estimate the number of cache entries:

    expected_users * number_of_policies_per_session = entries

    expected_users

    Specifies the total number of users authenticating to the applications CA SiteMinder® is protecting.

    number_of_policies_per_session

    Specifies the average number of CA SiteMinder® policies that apply to a user during the session.

    Note: Each CA SiteMinder® policy has the potential to enter a unique entry into the user authorization cache.

    entries

    Specifies the number of cache entries authorizations can create.

  2. Use the following formula to estimate the size of the cache:

    (entries * .000062) + 1

    Note: .000062 represents the approximate size of a cache entry in MB.

Auditing and Performance

By default, the Policy Server writes audit events to a text file, which is known as the Policy Server log. Optionally, you can configure the Policy Server to log events to an audit database.

Note: For more information about configuring the Policy Server to log events to an audit database, see the Policy Server Administration Guide. For more information about configuring an audit database, see the Policy Server Installation Guide.

Consider the following factors if you decide to log events to an audit database:

Load Balancing the Application Tier

Tuning the various CA SiteMinder® Agent parameters and following the CA SiteMinder® policy design guidelines may not significantly improve the amount of time it takes the Policy Server to service authentication and authorization requests.

When you have multiple Agents and Policy Servers, dynamic load balancing reduces latency and improves throughput because the Agents distribute requests among all of the Policy Servers.

More information:

Redundancy and High Availability