Symantec Access Management


Siteminder Default Time Outs for Policy Store and User Store and Web Agents

  • 1.  Siteminder Default Time Outs for Policy Store and User Store and Web Agents

    Posted Oct 25, 2019 04:28 PM
    Siteminder Default Time Outs for Policy Store and User Store and Web Agents.

    What are the default timeouts for the Policy Store connection?
    When the Policy Server issues a connection to the Policy Store, after how much time will the connection close if it fails to establish a connection, how many attempts will it make within that time span, and what is the setting to modify those values?
    After how much time or how many attempts will it try the failover node in the same bank, and when will it switch to the other bank?


    What are the default timeouts for the User Store?
    When the Policy Server issues a connection to the User Store, after how much time will the connection close if it fails to establish a connection, how many attempts will it make within that time span, and what is the setting to modify those values?

    What are the default timeouts for Web Agents?
    When a Web Agent issues a connection to the Policy Server, after how much time will the connection close if it fails to establish a connection, how many attempts will it make within that time span, and what is the setting to modify those values?

    Note: If Siteminder doesn't manage the connection timeouts, what OS parameters or registry entries manage those values, and what are your recommended values?

    When we see LDAP/AD (User Store and Policy Store) and Web Agent connectivity issues, these are the questions that came up.

    How much time and how many attempts did your system/application try, and after what time do you see the alerts in the smps logs?


    ------------------------------
    Sr IT Systems Engineer

    ------------------------------


  • 2.  RE: Siteminder Default Time Outs for Policy Store and User Store and Web Agents
    Best Answer

    Broadcom Employee
    Posted Oct 30, 2019 11:01 AM
    ** What are the default timeouts for the Policy Store connection?
    The default value for the search is 20 seconds.


    searchTimeOut can be used to override the default.

    1) Go to the policy store installation path, registry.
    2) View sm.registry by-
    3) Edit the file to add the following entry under the location HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\LdapPolicyStore
    4) Add the field SearchTimeout and give it a value in hexadecimal.
    Limit: Use hexadecimal numbers.

    Default: 0x14 (20 seconds). This value is also used when the registry setting does not exist.

    Example: 0x78 (120 seconds)


    ** When the Policy Server issues a connection to the Policy Store, after how much time will the connection close?

    A connection from the Policy Server will never close once opened; the same applies to the User Store or any LDAP connection.

    ** If it fails to establish connections, how many attempts will it make within that time span, and what is the setting to modify those values?

    If the Policy Store is not available, the Policy Server will report an LDAP 91 error and proceed with shutdown. No retries will take place. This is hardcoded and cannot be changed.


    ** After how much time or how many attempts will it try the failover node in the same bank, and when will it switch to the other bank?

    The Policy Store does not have banks for load balancing; only the User Store does.
    The Policy Store has failover only. It will connect to the first one on the list, and when that is not available, the failover will take place.
    The failover is the same as for the User Store.

    LDAP Error codes resulting in failover: https://docs.oracle.com/cd/E19957-01/817-6707/resultcodes.html
    LDAP Error 81: LDAP_SERVER_DOWN – This result code indicates that the LDAP SDK for C cannot establish a connection with, or lost the connection to, the LDAP server.
    LDAP Error 91: LDAP_CONNECT_ERROR – This result code indicates that the LDAP client cannot establish a connection, or has lost the connection, with the LDAP server.
    LDAP Error 85: LDAP_TIMEOUT – This result code indicates that the LDAP client timed out while waiting for a response from the server.
    LDAP Error 89: LDAP_PARAM_ERROR - This result code indicates that an invalid parameter was specified.

    When an LDAP error is received by the LDAP SDK, that LDAP handle will be marked as bad. In this case, one of the following will occur:
    a) One directory instance configured: The LDAP SDK will try to bind a new handle to the same directory (nowhere else to go), and the request will be retried. The ServerCheckerThread (ping thread) is woken up early.

    b) Failover configured: The request will be retried against the next directory instance listed in the Policy Store object.
    The ServerCheckerThread is woken up early. If the directory instance is still up and working (the handle timed out, etc.), then the ServerCheckerThread will mark the directory instance as good again after it checks it, and then failback will occur.


    The LDAP Ping timeout is used for all short operations such as connect, bind, and ping searches. Bind includes the following operations:
    Policy server authenticating to the LDAP directory before sending search and modify requests
    User basic password authentications against an LDAP user directory
    The default LDAP Ping timeout value for policy stores, session stores, and user directories is 10 seconds.
    Increasing the Ping timeout increases the time that it takes for the Policy Server to detect that a network connection to a policy store, session store, or user directory is down.
    To prevent LDAP ping timeout errors, increase the value of the following registry setting:
    LDAPPingTimeout
    Specifies the LDAP ping timeout value in seconds.
    Configure this setting at the following registry location:
    HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Debug\LDAPPingTimeout
    Default: 10



    ** What are the default timeouts for the User Store?
    If you are talking about the search timeouts, it is 30 seconds by default, configurable in the User Directory object.

    ** When the Policy Server issues a connection to the User Store, after how much time will the connection close if it fails to establish a connection, how many attempts will it make within that time span, and what is the setting to modify those values?

    The connection will never close once opened (unless a network device or the user directory closes it).

    ** What are the default timeouts for Web Agents?

    60 seconds for search timeouts by default, configurable in the HCO.
    10 seconds for the connection handshake, hardcoded.

    ** When a Web Agent issues a connection to the Policy Server, after how much time will the connection close if it fails to establish a connection, how many attempts will it make within that time span, and what is the setting to modify those values?

    The Agent will never close connections once opened.
    If LLAWP was initialized initially and then suddenly new agent connections cannot be opened, the Agent will keep attempting to connect as long as there are incoming requests. This is hardcoded.


    ** Note: If Siteminder doesn't manage the connection timeouts, what OS parameters or registry entries manage those values, and what are your recommended values?

    This is OS specific for the TCP settings; you need to consult with your OS vendor for this.

    ** When we see LDAP/AD (User Store and Policy Store) and Web Agent connectivity issues, these are the questions that came up. How much time and how many attempts did your system/application try, and after what time do you see the alerts in the smps logs?

    The alert will be seen in the smps log as soon as there is an error.
    The Policy Server will always keep attempting to establish connections to the stores, as explained above.
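The steps in the accepted answer (edit sm.registry, add SearchTimeout under the LdapPolicyStore key as a hexadecimal REG_DWORD, default 0x14 when the setting is absent) are easy to get wrong by hand, for example by writing a decimal value or adding the setting under the wrong key. The following helper is an added example, not code from the thread, from Broadcom, or from SiteMinder itself. It assumes sm.registry is a text file in which each key is a line `HKEY_...\KeyName=<id>` followed by indented value lines `Name= 0x14; REG_DWORD`; that format, the numeric key ids, and the sample file content are constructed assumptions for the example. It converts seconds to the hex form the answer requires, reads a value back (falling back to the stated default when absent), and adds or updates the value under the right key without touching other keys.

```python
"""Add or update a REG_DWORD timeout in an sm.registry-style text file.

Assumptions (not from the thread): key lines look like
    HKEY_LOCAL_MACHINE\\SOFTWARE\\...\\LdapPolicyStore=<id>
and the values belonging to that key follow on indented lines like
    SearchTimeout= 0x14;    REG_DWORD
until the next HKEY_ line. The sample file below is constructed.
"""
import re

# Registry locations named in the accepted answer.
POLICY_STORE_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\LdapPolicyStore"
DEBUG_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Debug"

KEY_LINE = re.compile(r"^(HKEY_[^=\s]+)=")
VALUE_LINE = re.compile(r"^\s+(?P<name>\w+)=\s*(?P<hex>0x[0-9A-Fa-f]+);\s*REG_DWORD\s*$")

# Constructed sample: LdapPolicyStore has no SearchTimeout yet, so the
# documented default (20 seconds) applies; Debug carries the 10 second ping timeout.
SAMPLE_SM_REGISTRY = r"""HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\LdapPolicyStore=25089
HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Debug=25090
    LDAPPingTimeout= 0xa;    REG_DWORD
"""


def seconds_to_hex(seconds: int) -> str:
    """Render a timeout in the hexadecimal form sm.registry expects (120 -> '0x78')."""
    if not isinstance(seconds, int) or seconds <= 0:
        raise ValueError("timeout must be a positive whole number of seconds")
    return f"0x{seconds:x}"


def get_dword(text: str, key_path: str, name: str, default=None):
    """Return the integer value of `name` under `key_path`, or `default` if absent."""
    current = None
    for line in text.splitlines():
        key = KEY_LINE.match(line)
        if key:
            current = key.group(1)
            continue
        if current == key_path:
            value = VALUE_LINE.match(line)
            if value and value.group("name") == name:
                return int(value.group("hex"), 16)
    return default


def set_dword(text: str, key_path: str, name: str, seconds: int) -> str:
    """Add or replace `name` under `key_path`; other keys are left untouched."""
    new_line = f"    {name}= {seconds_to_hex(seconds)};    REG_DWORD"
    out, current, done = [], None, False
    for line in text.splitlines():
        key = KEY_LINE.match(line)
        if key:
            # Leaving the target key without having seen the value: append it here.
            if current == key_path and not done:
                out.append(new_line)
                done = True
            current = key.group(1)
            out.append(line)
            continue
        value = VALUE_LINE.match(line)
        if current == key_path and not done and value and value.group("name") == name:
            out.append(new_line)  # replace the existing value in place
            done = True
            continue
        out.append(line)
    if current == key_path and not done:  # target key was the last one in the file
        out.append(new_line)
        done = True
    if not done:
        raise KeyError(f"key not present in sm.registry: {key_path}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    before = get_dword(SAMPLE_SM_REGISTRY, POLICY_STORE_KEY, "SearchTimeout", default=20)
    updated = set_dword(SAMPLE_SM_REGISTRY, POLICY_STORE_KEY, "SearchTimeout", 120)
    after = get_dword(updated, POLICY_STORE_KEY, "SearchTimeout")
    print(f"SearchTimeout before: {before}s (default), after: {after}s")
    print(updated)
```

Run it against a copy of the real file and diff the result before replacing the original; the Policy Server reads sm.registry at startup, so the change takes effect after a restart, and the read-back check is the quickest way to confirm the value landed under LdapPolicyStore rather than under a neighbouring key.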