Symantec Access Management

  • 1.  Sm_AgentApi_Init method works extremally slowly

    Posted Nov 29, 2016 09:04 AM

    Hello.

     

    We have a custom siteminder agent which use SM Agent API (smagentapi.dll).

    Our agent calls methods one by one like it's described in the documentation.

    But sometimes the call of Sm_AgentApi_Init method works extremally slowly.

     

    This is an usual trace, Sm_AgentApi_Init works more 3 sec, it isn't very fast but it's OK for us:

    Sm_AgentApi_GetConfig executed 554.70880 ms.
    Sm_AgentApi_Init executed 3,172.97340 ms.
    Sm_AgentApi_SetDefaultAgentId executed 0.97660 ms.
    Sm_AgentApi_IsProtected executed 146.49000 ms.
    Sm_AgentApi_Login executed 431.65720 ms.
    Sm_AgentApi_Logout executed 112.30900 ms.
    Sm_AgentApi_FreeAttributes executed 0.97660 ms.
    Sm_AgentApi_UnInit executed 0.97660 ms.
    Sm_AgentApi_FreeServers executed 0.97660 ms.

     

    but sometimes this method can work 60 sec :

    Sm_AgentApi_GetConfig executed 543.96620 ms.
    Sm_AgentApi_Init executed 60,946.67620 ms.
    Sm_AgentApi_SetDefaultAgentId executed 0.00000 ms.
    Sm_AgentApi_IsProtected executed 136.72400 ms.
    Sm_AgentApi_Login executed 408.21880 ms.
    Sm_AgentApi_Logout executed 142.58360 ms.
    Sm_AgentApi_FreeAttributes executed 0.00000 ms.
    Sm_AgentApi_UnInit executed 0.97660 ms.
    Sm_AgentApi_FreeServers executed 0.00000 ms.

     

    This method is a black box for us, we call it and don't know what this method does and why it can work slowly.

    Also there is not any problem with the network because all other methods (including Login/Logout) work fast any time.

    The problem is only with Init method.

     

    Maybe somebody had such situation?

    Any idea why can it work so slolwy?

     

    Thanks.



  • 2.  Re: Sm_AgentApi_Init method works extremally slowly

    Posted Nov 29, 2016 10:14 AM

    You are using the JNI version of agent sdk (smjavaagentapi.jar) , can you try with the pure java agent (smagentapi.jar) and see if the behavior is same? The pure java agent won't call any dlls and is usually gives better performance.





  • 3.  Re: Sm_AgentApi_Init method works extremally slowly

    Posted Dec 01, 2016 07:11 AM

    Unfortunately we don't work with jar-files, we use .NET.

    Our .NET application loads smagentapi.dll and calls methods of this DLL.



  • 4.  Re: Sm_AgentApi_Init method works extremally slowly

    Posted Dec 01, 2016 09:00 AM

    we use C++ SDK - nete-sdk-6.0-sp5-cr035-win32

    not .NET

    sorry for misunderstanding.



  • 5.  Re: Sm_AgentApi_Init method works extremally slowly

    Broadcom Employee
    Posted Nov 29, 2016 02:11 PM

    Sm_AgentApi_Init() 

    Initializes the Agent API and sets up connections to the Policy Server. This function is called once per agent.

    Note: This call succeeds even if a connection to the Policy Server cannot be established immediately. The Agent API will keep trying to reconnect.

    "You are responsible for deallocating memory for your custom agent. When you initialize the Agent API with Sm_AgentAPI_Init(), all information in the Sm_AgentApi_Init_t structure is copied, allowing you to deallocate the structure’s memory after initialization."

     

    As you can see the agent is searching and finding the right policy server to connect to based on SmHost.conf or ip address you gave, and there are hand shake exchange before socket connection is established, that is why it is slower than other calls. There are sleep wait algorithm built-in if top of policy servers was not available.  I suspect that could be a factor.
    You may crosscheck time stamped API agent log and policy server logs to see when the agent Init request actually made to policy server, then determine if there is or there is not a network problem, or the policy server connecting to was too busy accepting other calls at the time.
    Hongxu


  • 6.  Re: Sm_AgentApi_Init method works extremally slowly

    Posted Nov 30, 2016 03:53 AM

    yes, we mapped API agent log with policy server logs.

    the time in the policy server log is clashed with the time when our agent calls Sm_AgentApi_Login

    there is not any record in the policy server log when our agent calls Sm_AgentApi_Init

    do you know is this call tracked in any log on the server side?

    thanks.



  • 7.  Re: Sm_AgentApi_Init method works extremally slowly

    Broadcom Employee
    Posted Nov 30, 2016 11:49 AM

    Your policy server log must have trace enabled, and the trace profiler must contain data field:
    IPAddr
    which Includes the client IP address

     

    If a custom agent established the connection successfully, you should see something like this in policy server trace log, depending on the verions:

    "New connection attempt from client host" and it marks with the client ip address.

     

    [11/30/2016][10:17:06.625][2344][][][CServer.cpp:2627][CAgentAcceptHandler::HandleInput][][][][][][][][][][][Received connection request][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][992][10:17:06][][][][][][][][][][][][][][]
    [11/30/2016][10:17:06.640][2344][][][threads.cpp:347][ThreadMessageQueue::Enqueue][][][][][][][][][][][Enqueuing a High Priority Message. Current count is 1][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][992][10:17:06][][][][][][][][][][][][][][]
    [11/30/2016][10:17:06.640][2324][][][threads.cpp:525][ThreadMessageQueue::Dequeue][][][][][][][][][][][Dequeuing a High Priority message. Current count is 0][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][992][10:17:06][][][][][][][][][][][][][][]
    [11/30/2016][10:17:06.640][2324][][][CServer.cpp:1647][CAgentMessageHandler::DoWork][][][][][][][][][][][New connection attempt from client host][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][992][10:17:06][127.0.0.1][4873][][][][][][][][][][][][]

     

    If the connection fails, you may get handshake error from smps.log instead.

    When successful, smps.log does not log anything.

     

    Hongxu