Symantec Access Management

  • 1.  In CA Directory router configuration is not sharing load equally in both Policy Store.

    Posted Mar 19, 2018 04:24 AM

    Hi All,

     

    We have two CA Directory instances which we are using as Policy Store and Session Store. To share the load we have configured a router in both CA Directory instances, but in the policy store summary logs we only see that most of the requests are served by the primary policy store, and only at the time of replication do we see requests in the secondary policy store.

    Can someone help us identify what we are missing? Below are the steps we followed:

     

    1. Make sure the following schema is configured in $DXHOME/config/schema/***.dxg:

    source "x500.dxc";
    source "cosine.dxc";
    source "umich.dxc";
    source "inetop.dxc";
    source "dxserver.dxc";
    source "netegrity.dxc";
    source "nsroaming.dxc";

    2. Create the router DSAs:

    dxnewdsa -t router ****** 11389 "o=***,c=xx"
    dxnewdsa -t router ****** 11489 "o=***,c=xx"

    3. Go to $DXHOME/config/knowledge/***.dxg on both servers and add the 2 new DSAs there. Make sure the router DSAs are mentioned before the data DSAs:

    In router xx01:

    source "xxxx.dxc";
    source "xxxx.dxc";

    In router xx02:

    source "xxxx.dxc";
    source "xxxx.dxc";

    4. In /config/knowledge/<dsa_name>.dxc: (also make sure to change the IPs in the )

    Router DSAs:

    auth-levels   = anonymous, clear-password
    trust-flags   = allow-check-password, trust-conveyed-originator

    Data DSAs:

    auth-levels   = anonymous, clear-password
    dsa-flags     = multi-write, load-share, no-service-while-recovering
    trust-flags   = allow-check-password, trust-conveyed-originator

    In all DSAs:

    address       = tcp "<add localhost IP address>" port #specific port no.

    5. In /config/servers/<dsa_name>.dxi for the router DSAs:

    Router xx01:

    # write-precedence
    set write-precedence = data_DSA01, data_DSA02;

    Router xx02:

    # write-precedence
    set write-precedence = data_DSA01, xxxx02;

    6. In /config/settings/***.dxc:

    # CA Siteminder specific settings
    set mimic-netscape-for-siteminder = true;
    set concurrent-bind-user = <c XX><o xxxxx><ou xxxx><cn admin>;
    set ignore-name-bindings = true;

    7. In /config/limits/***.dxc:

    set max-op-size = 2000;

    8. In /config/servers/, on the data DSA .dxi files add the lines:

    # cache configuration
    set max-cache-size = 2000;
    set cache-index = all-attributes;
    set lookup-cache = true;

    and comment out the previous cache-index and lookup-cache lines, and:

    set wait-for-multiwrite = true;

    9. In /config/servers/<router_dsa_name>.dxi:

    # schema
    source "../schema/***.dxg";

    # knowledge
    clear dsas;
    source "../knowledge/***.dxg";

    # operational settings
    source "../settings/***.dxc";

    # service limits
    source "../limits/***.dxc";

    10. Add the router config in the Policy Server smconsole. In SMCONSOLE we added the policy router DSA name and port no., and each policy router has both data DSA configuration settings, so if a request comes to the 1st policy router it should load share to both data DSAs configured in it.

     

    Regards

    Prashant



  • 2.  Re: In CA Directory router configuration is not sharing load equally in both Policy Store.

    Broadcom Employee
    Posted Mar 19, 2018 03:36 PM

    Prashant,

     

    The router will only load share if needed. Meaning if data DSA1 is overwhelmed, the router will be made aware of the situation and will send the next incoming request to data DSA2. If that is not the case, the router will keep sending incoming requests to the same data DSA that it has been working with.

    It seems like your understanding of load share is:

    - Two requests come in to the router DSA.
    - The router DSA should send one request to data DSA1 and the other one to data DSA2.

    If I am correct in my assumption, that is not how this works. As DSAs (aka DXserver) are multi-threaded, as long as worker threads are available to handle the load, it will do so.

     

    Hope this answers your concern.

     

    Thanks,

    Hitesh



  • 3.  Re: In CA Directory router configuration is not sharing load equally in both Policy Store.

    Posted Mar 20, 2018 03:25 AM

    Hi Hitesh

     

    Thanks for your reply. So if this is the case then I guess our policy store is working as expected; since in our policy store we don't get many transactions (read/write operations), I guess that is why we only see requests in one policy store, because worker threads are available to handle the load in one policy store.

    Just curious to know if there is any threshold setting in CA Directory which we can set as per our requirement?

     

    Regards

    Prashant



  • 4.  Re: In CA Directory router configuration is not sharing load equally in both Policy Store.

    Broadcom Employee
    Posted Mar 20, 2018 07:58 AM


  • 5.  Re: In CA Directory router configuration is not sharing load equally in both Policy Store.

    Posted Mar 20, 2018 10:26 AM

    OK, I am asking this question because in our Production environment we have the policy router set up and under this policy router both data DSAs are defined, but still if I access the WAM UI it takes a couple of minutes to load the pages into the browser. Even if I create any object in the WAM UI it takes much more time than expected (1-2 min).

    I was under the impression that this could be due to Policy Store slowness since requests are only going to the primary Policy Store; can anything be done to improve this performance?

     

    Regards

    Prashant 



  • 6.  Re: In CA Directory router configuration is not sharing load equally in both Policy Store.

    Posted Mar 20, 2018 10:32 AM

    Prashant PKSahu

     

    What version of CA SSO WAMUI and CA SSO Policy Server?

    Could we know the deployment topology? Where is WAMUI deployed, where is the policy server deployed? Have we looked at the underlying network?

    How many objects are in the Policy Store? When the policy server does a bulk fetch at restart, you should see that number.



  • 7.  Re: In CA Directory router configuration is not sharing load equally in both Policy Store.

    Broadcom Employee
    Posted Mar 20, 2018 10:31 AM

    Sounds like you have completely ruled out SMPS being part of the problem?

     

    To make sure, how about using an LDAP browser (I usually use JXPlorer) to connect to this same router DSA, create an object and see how long that takes? Does that also take 1-2 minutes? This testing will bypass the entire SMPS layer. If this works in reasonable time, I would rule out CA Directory being a problem and concentrate on the CA SSO side.



  • 8.  Re: In CA Directory router configuration is not sharing load equally in both Policy Store.

    Posted Mar 20, 2018 12:10 PM

    Hi Hitesh,

     

    When I created an object using an LDAP browser it got created in no time. Any suggestion how we can improve WAM UI performance?

    HubertDennis, we have the R12.52 CR05 version of CA SSO WAMUI and CA SSO Policy Server and CA Directory r12.0 SP12 (build 7338) in Production, and the WAM UI and Policy Server are on the same box.

    How many objects in the Policy Store? 5929 objects

     

    -Prashant



  • 9.  Re: In CA Directory router configuration is not sharing load equally in both Policy Store.

    Posted Mar 20, 2018 01:08 PM

    Prashant PKSahu

     

    In general I'd say some of the latest versions of CA SSO have better performing UIs than the R12.52 SP1 ones.

    In addition, some things to consider.

     

    Consideration-1

    https://docops.ca.com/ca-single-sign-on/12-7/en/installing/install-a-policy-server/configure-ldap-directory-servers-as-policy-session-and-key-stores/configure-an-ldap-directory-server-as-a-policy-store/configure-a-ca-directory-policy-store

     

    # size limits

    set max-users = 1000;

    set credits = 5;

    set max-local-ops = 1000;

    set max-op-size = 4000;

    set multi-write-queue = 20000;

     

    https://docops.ca.com/ca-directory/12-6/en/reference/commands-reference/set-max-op-size-command

    So if your Policy Store has more than 5K entries, I would set "max-op-size" to 6K (or 7K for just a little more buffer space).

     

     

    Consideration-2

    Have you seen any error messages in the CA Directory logs with regards to connection timeouts OR other errors from queries originating from CA SSO? Have you done any investigation in that space?

     

    Consideration-3

    Have you seen any error messages in the CA SSO logs with regards to connection timeouts OR other errors from queries being issued to CA Directory? Have you done any investigation in this space?

     

    Consideration-4

    Have you seen any errors in server.log in the CA SSO AdminUI logs? Many times there are tons of errors here which we ignore.
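A small checker, added here as an example (not the poster's files nor any CA Directory or CA SSO tooling), that parses constructed .dxc fragments modelled on post 1's snippets and applies the two checks the thread arrives at: post 9's advice that max-op-size must exceed the policy-store entry count (5929, from post 8), and post 1's requirement that the data DSAs carry the multi-write and load-share flags. The fragment contents, the 1000-entry headroom and the finding texts are assumptions for the example.

```python
import re

# Constructed fragments modelled on the snippets in posts 1 and 9 of the thread
# (not the poster's real files). max-op-size is the 2000 from post 1's step 7.
LIMITS_DXC = """\
# service limits
set max-users = 1000;
set max-op-size = 2000;
"""
DATA_DSA_DXC = """\
auth-levels   = anonymous, clear-password
dsa-flags     = multi-write, load-share, no-service-while-recovering
trust-flags   = allow-check-password, trust-conveyed-originator
"""
POLICY_STORE_ENTRIES = 5929  # object count reported in post 8

SET_RE = re.compile(r"^\s*set\s+([\w-]+)\s*=\s*([^;]+);", re.M)
ATTR_RE = re.compile(r"^\s*([\w-]+)\s*=\s*(.+?)\s*$", re.M)


def parse_settings(text):
    """Map 'set name = value;' statements to {name: value}; '#' comment lines never match."""
    return {name: value.strip() for name, value in SET_RE.findall(text)}


def parse_attributes(text):
    """Map 'name = a, b' lines of a knowledge fragment to {name: [a, b]}."""
    return {name: [v.strip() for v in value.split(",")]
            for name, value in ATTR_RE.findall(text)}


def check_policy_store(limits_text, data_dsa_text, entry_count, headroom=1000):
    """Return a list of findings; an empty list means the fragments pass both checks."""
    findings = []
    max_op = int(parse_settings(limits_text).get("max-op-size", "0"))
    # Post 9: max-op-size caps the entries one operation may return, so it must be
    # larger than the policy store's entry count (the thread suggests 6K-7K for ~5.9K).
    if max_op <= entry_count:
        findings.append(f"max-op-size={max_op} does not exceed the {entry_count} "
                        f"policy-store entries; raise it to at least {entry_count + headroom}")
    # Post 1, step 4: without these flags the router cannot load share or multi-write.
    flags = parse_attributes(data_dsa_text).get("dsa-flags", [])
    for needed in ("multi-write", "load-share"):
        if needed not in flags:
            findings.append(f"data DSA dsa-flags is missing '{needed}'")
    return findings


if __name__ == "__main__":
    for finding in check_policy_store(LIMITS_DXC, DATA_DSA_DXC, POLICY_STORE_ENTRIES):
        print("FINDING:", finding)
```

With the 2000 limit from the thread the checker reports one finding, the max-op-size one; swapping in a limit above 5929 clears it.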