Policy Server Guides › Policy Server Administration Guide › Cache Management › Configure Caches

Configure Caches

You can view the refresh status of Policy Server caches and disable or enable cache flushing through the FSS Administrative UI or through three smpolicysrv command-line options. By using these options to suspend and resume cache flushing, you can resolve policy evaluation issues. These commands are issued by the central administration Policy Server to all secondary Policy Servers.

Note: Because Policy Server commands are processed according to a thread management model, changes to the cache status are not visible in the smps.log file immediately.

To manage cache status through the FSS Administrative UI

1. Log in to the FSS Administrative UI.
2. From the menu bar, select Tools, Manage Cache.

   The SiteMinder Cache Management dialog opens.

3. View the cache status in the Cache updates group box:

   Disabled: Cache flushing is disabled.

   Enabled: Cache flushing is enabled.

4. (Optional) Click the Enable/Disable button and OK to modify the cache status.

To manage cache status through the Command Line Interface

1. Open a command prompt.

   Important! If you are running a SiteMinder utility or executable on Windows Server 2008, be sure to open the command–line window with Administrator permissions, even if you are logged into the system as an Administrator. For more information, see the release notes for your SiteMinder component.

2. Enter one of the following commands:

   smpolicysrv -disablecacheupdates

   Disables cache flushing.

   smpolicysrv -enablecacheupdates

   Enables cache flushing.

   smpolicysrv -statuscacheupdates

   Reports the refresh status of Policy Server caches to the log file: smps.log.

   Disabled: Cache flushing is disabled.

   Enabled: Cache flushing is enabled.

Note: On Windows systems, do not run the smpolicysrv command from a remote desktop or Terminal Services window. The smpolicysrv command depends on inter-process communications that do not work if you run the smpolicysrv process from a remote desktop or Terminal Services window.

Flush Caches

When you change SiteMinder objects, SiteMinder automatically flushes the appropriate cache entries. The cache settings also specify a regular interval for applying administrative changes. When making sensitive changes (for example, changing the access rights to highly critical information), you have the option of flushing SiteMinder caches manually. This manual step helps ensure that unauthorized users cannot access protected resources based on information stored in the caches.

Cache Management features are accessible from the Policy Server Global Tools pane in the Administrative UI. They let you force an update of SiteMinder data by manually flushing the following caches:

All Caches

Enables you to flush all caches, including user sessions, resource information, and user directory caches (including certificate CRLs).

User Session Caches

Enables you to force users to reauthenticate when they try to access protected resources.

Resource Caches

Enables you to flush cached information about resources.

Flush All Caches

The Cache Management options provide a method for administrators to flush the contents of all caches. Flushing all caches can possibly adversely affect the performance of a Web site, since all requests immediately following the cache flush must retrieve information from user directories and the policy store. However, this action can be necessary if critical user privileges and policy changes must go into effect immediately.

Cache management features are only available to administrators who have either the Manage Users or Manage System and Domain Objects privileges. The Flush All button is only available for administrators with the Manage System and Domain Objects. This menu selection appears only when the account you used to log in has enough privileges to access the cache function.

To flush all caches

1. Log in to the Administrative UI.
2. Click Administration, Policy Server, Cache Management.
3. In the All Caches group box, click Flush All.

   Note: The Flush All button is only enabled for administrators that have both the Manage Users and Manage the SiteMinder Objects privileges.

   The Policy Server and associated SiteMinder Agents flush all caches. This process can take up to twice the time of your policy server poll interval while the Policy Server synchronizes caches.

4. Click Submit.

   All caches are cleared.

Flush User Session Caches

When a user successfully authenticates, the Policy Server begins a session for the authenticated user. During the session, the web agent stores authorization information in the user cache.

Consider the following:

• If you change user access rights, it can be necessary to force the Policy Server to flush user session information from the web agent cache.
• The option to flush user caches is only enabled for administrators that have permission to manage users.

Follow these steps:

1. Log in to the Administrative UI.
2. Click Administration, Policy Server, Cache Management.
3. Select one of the following options in the User Session Caches section.

   All

   Flushes all user sessions from the user cache.

   Specific User DN

   Flushes a specific DN from the user cache.

   If you select this option:

   1. Select the user directory from the Directory list that contains the DN you want to remove.
   2. Enter the distinguished name in the DN field. Specify a user DN, not a DN of a group. If you do not know the DN, click Lookup and search for the DN.

4. Click Flush.

   SiteMinder flushes the respective users from the user cache. This process takes up to twice the time specified by your Policy Server poll interval while the Policy Server synchronizes caches.

5. Click Submit.

   The user session caches are cleared.

Flush Resource Caches

SiteMinder Web Agents stores information about specific resources that users access in a resource cache. The resource cache records the following:

• Record of the Resources that have been accessed by users
• Whether or not the resources are protected by SiteMinder
• If a resource is protected, how the resource is protected

If you change rules or realms, you may want the changes to take effect immediately. If so, you must flush the resource cache.

Note: For detailed information about flushing resource caches for a realm or for a specific policy, see the Policy Server Configuration Guide.

To flush resource caches

1. Log into the Administrative UI.
2. Click Administration, Policy Server, Cache Management.
3. In the Resource Caches group box, click Flush.

   This flushes all resource caches and forces Web Agents to authorize requests against the Policy Server. This process will take up to twice the time specified by your policy server poll interval while the Policy Server synchronizes caches.

   Note: For an administrator with the Manage Domain Objects privilege for specific policy domains, flushing all resource caches only flushes the caches for the realms within the administrator’s policy domains.

4. Click Submit.

   The resource cache are cleared.

Flush the Requests Queue on the Policy Server

Requests from SiteMinder agents are set to time out after a certain interval. However, the Policy Server continues to process all agent requests in the queue, even those requests that have timed out, in the order that they were received. The following situations can cause the queue to fill with agent requests faster than the Policy Server can process them:

• Network lag between the Policy Server and the policy store or user store databases
• Heavy loads on the policy store or user store databases
• Policy Server performance problems

When the Policy Server requests queue fills with agent requests, you can flush the timed-out agent requests from the queue, so that only the current agent requests remain. Only use this procedure in the following case:

1. Agent requests waiting in the Policy Server queue time out.
2. One or more Agents resend the timed-out requests, overfilling the queue.

Important! Do not use -flushrequests in normal operating conditions.

To flush the requests queue on the Policy Server

1. Open a command prompt on the Policy Server.
2. Run the following command:

   smpolicysrv -flushrequests
   

   The request queue is flushed.

Note: On Windows systems, do not run the smpolicysrv command from a remote desktop or Terminal Services window. The smpolicysrv command depends on inter-process communications that do not work if you run the smpolicysrv process from a remote desktop or Terminal Services window.

Important! Before running a SiteMinder utility or executable on Windows Server 2008, open the command line window with administrator permissions. Open the command line window this way, even if your account has administrator privileges.