Symantec Access Management

  • 1.  Tech Tip : CA Single Sign-On : SPS Tuning on Linux

    Broadcom Employee
    Posted Nov 29, 2016 05:24 AM

    Question :

       I'd like to get tips on how to tune SPS running on Linux.

    Environment :

    Access Gateway/SPS 12.52SP1 on RedHat 6 64bit;

    Answer :

       First, Access Gateway/SPS has Apache and Tomcat modules. The following technote will give you indications about the parameters you can tune for:

     

       Apache
       Apache Tomcat connector
       Httpclient Connection Pool
       JVM

     

       CA Access Gateway (Secure Proxy Server): Commonly Tuned Parameters

     

       You will be able to get the best values by "benchmarking" in your Test or QA environment and putting load on it.

       Moreover, the section "Operating System Tuning" mentions the following:

     

       Note:
       Sometimes Linux operating environments require tuning the shared memory
       segments. For more information about the shared memory segments and how
       to tune them, see the documentation for your particular operating environment.

     

      Operating System tuning for Agents

     

       That means that the out-of-the-box configuration is often already enough for shared memory on Linux, which is not the case with SunOS systems. That is the reason why you see only values for SunOS.

       Looking also at a RedHat 6 64-bit system, I have seen the following values by default:

     

       /proc/sys/kernel/shmmax
       68719476736
       /proc/sys/kernel/shmmni
       4096

     

       which are greater than the ones recommended for SunOS. You will find more documentation about RedHat Operating System here :

     

       RedHat Documentation - Performance tuning and shared memory

     

    Additional Information :

     

       SPS - Configure the Apache settings manually

     

       SPS - Configure the proxy service settings manually

     

       SPS - Configure the Tomcat settings manually
       
    KB : TEC1785241



  • 2.  Re: Tech Tip : CA Single Sign-On : SPS Tuning on Linux

    Broadcom Employee
    Posted May 17, 2018 07:08 PM

    Patrick -

     

    'MaxClients' (in Apache 2.3) was renamed to 'MaxRequestWorkers' in Apache 2.4.x (bundled with Access Gateway 12.7) along with other dependent parameters. The default values of these parameters are different from older versions.

     

    CA Access Gateway (formerly Secure Proxy Server): - CA Knowledge 

     

    Do you have a similar KB that reflects the equivalent parameters for Access Gateway 12.7?



  • 3.  Re: Tech Tip : CA Single Sign-On : SPS Tuning on Linux

    Broadcom Employee
    Posted May 18, 2018 02:17 AM

    Hi Makesh,

     

    Do we have a CA Access Gateway version which has Apache 2.3 ? 

     

    I'll add a note in the KD TEC1785241 about the fact that 'MaxClients' has been renamed to 'MaxRequestWorkers' in Apache 2.4.x (bundled with Access Gateway 12.7) . 

     

    Thanks 

    Patrick



  • 4.  Re: Tech Tip : CA Single Sign-On : SPS Tuning on Linux

    Broadcom Employee
    Posted May 21, 2018 06:26 PM

    Hi Patrick,

     

    As per the KB000043275  both AJP13/Tomcat and HTTPClient timeout values should be in SYNC. But looking at the default values in Access Gateway 12.7, the default values are quite different. 

     

    worker.ajp13.reply_timeout = 0 (wait indefinitely until response is received)

    http_connection_timeout: 3 (minutes)

     

    Q:

    In Access Gateway 12.7, do both these timeout values have to be in SYNC?

    Is that a recommended baseline setting?



  • 5.  Re: Tech Tip : CA Single Sign-On : SPS Tuning on Linux

    Broadcom Employee
    Posted May 21, 2018 08:03 PM

    My recommendation would be to leave this at its default (of zero):

    worker.ajp13.reply_timeout = 0 (wait indefinitely until response is received)

     

    Then this determines your timeout: 

    http_connection_timeout: 3 (minutes)

     

    With this, along with the number of retries, I guess you could calculate a "reply timeout" of (timeout * retries), but that seems a bit pointless.

     

    So I do not agree with this statement in that article  :  

    The parameter value should be kept equivalent to the worker.ajp13.reply_timeout. 

     

    I did find this link, about reply_timeout: 

    The Apache Tomcat Connectors - Common HowTo - Timeouts HowTo 

     

    Cheers - Mark