Symantec Access Management


CA SSO : Attributes in Policy Server Cache and Webagent Cache?

  • 1.  CA SSO : Attributes in Policy Server Cache and Webagent Cache?

    Posted Dec 05, 2017 04:27 AM

    Hi,

     

    I would like to know the list of attributes/parameters which will be stored in the following caches.

    • WebAgent : Agent Resource Cache
    • WebAgent : Agent Session/User Cache (Authentication cache, Authorization cache)
    • Policy Server : User Authorization Cache

     

    Regards,

    Dhilip



  • 2.  Re: CA SSO : Attributes in Policy Server Cache and Webagent Cache?

    Posted Dec 05, 2017 04:35 AM

    Hi Dhilip,

    https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/administrating/cache-management

     

    CA Single Sign-On deployments can be configured to maintain the following cache on the Policy Server:

     

    The User Authorization Cache stores user distinguished names (DNs) based on the user portion of policies and includes the users’ group membership.

     

    CA Single Sign-On also maintains an Agent Cache on each CA Single Sign-On Agent machine. The Agent Cache has two components:

     

    The Agent Resource Cache stores a record of accessed resources that are protected by various realms. This cache speeds up Agent to Policy Server communication, since the Agent knows about resources for which it has already processed requests.

     

    The Agent User Cache maintains users’ encrypted session tickets. It acts as a session cache by storing user, realm, and resource information. Entries in this cache are invalidated based on timeouts established by the realms a user accesses.


    Web Agent Caches - Maximum Resource Cache Size & Maximum User Session Cache Size

     

    https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/configuring/web-agent-configuration/performance/web-agent-caches

     

    Regards,

    Leo Joseph.



  • 3.  Re: CA SSO : Attributes in Policy Server Cache and Webagent Cache?

    Posted Dec 05, 2017 05:18 AM

    Hi Leo,

     

    Thanks for your response.

     

    Basically, I would like to know in detail about

    1. How many attributes will be stored in each cache?
    2. What are the names of those attributes?
    3. What is the significance of each attribute?

     

    Is there any document where I can find this information?

     

    Thanks,

    Dhilip



  • 4.  Re: CA SSO : Attributes in Policy Server Cache and Webagent Cache?

    Posted Dec 05, 2017 05:32 AM

    Hi Dhilip,

     

    User Authorization Cache:

     

     

    The User Authorization cache remembers unique Policy Authorization results by User Directory OID and user DN + filter path + filter class + resolution.  It is not unique to sessions.  The entries in the Authorization cache are determined by (number of users) * (number of policies for which user could be authorized).  Entries live for the length of time specified by the Cache Entry Lifetime setting.  User Authorizations that are cached may not match the entries in the Policy Store for up to the length of time that the Authorization cache is alive.

     

    Resource Cache:

     

    The Resource cache caches the results of IsProtected calls and is independent of session.  Documents that fall under Ignore Extensions are not stored in cache.  Cache entries are based upon the full URI (including query string), Agent name, and action.  The cache stores the Realm OID, the protection type (Authentication Scheme), and a redirection URL for credentials.  It is recommended that the size of the Resource cache be set to the number of unique URIs on the site + 10%.  For highly dynamic sites (>60% dynamic URLs, including query string differences), limit the size of the cache or disable it altogether.  It is best to set the timeout of the Resource cache to expire items before the cache fills completely.

     

    User Session Cache:

     

    The User Session cache caches Authentications and Authorizations.  Authentication is based upon session ID and Realm OID and is dependent upon the number of Realms to which a user has access (e.g. 10 users accessing 100 Realms will fill a cache of size 1000).  Authorization is based upon session ID and resource (Full URI, Method, and Agent name).  Response information is cached by each process and stored with a timestamp denoting its validity.  The maximum session time is also stored for cleanup of entries.  Logout does not flush the cache. 

     

    Also refer to the links below for more information:

     

    Understanding Policy Server and Web Agent Caches 

     

    What is the Webagent cache size and memory used? 

     

    How to control authorization cache at policy server? 

     

    Regards,

    Leo Joseph
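
A simplified model of the cache keying described in the post above, added here as an illustration; it is not CA/Symantec code and not part of the original post. The `TtlCache` class, the function names, the sample keys and the oldest-entry eviction policy are all assumptions made for the example.

```python
from collections import OrderedDict
class TtlCache:
    """Bounded cache with per-entry expiry; a simplified model, not product code."""
    def __init__(self, max_entries, lifetime_s):
        self.max_entries, self.lifetime_s = max_entries, lifetime_s
        self.entries, self.evictions = OrderedDict(), 0   # key -> (value, stored_at)

    def put(self, key, value, now):
        self.entries.pop(key, None)
        if len(self.entries) >= self.max_entries:
            self.entries.popitem(last=False)  # assumed policy: drop oldest when full
            self.evictions += 1
        self.entries[key] = (value, now)

    def get(self, key, now):
        hit = self.entries.get(key)
        if hit is None or now - hit[1] >= self.lifetime_s:
            self.entries.pop(key, None)       # expired entries are discarded
            return None
        return hit[0]

def resource_cache_fill(uris, agent="agent1", action="GET", max_entries=1000):
    """Key = (full URI including query string, Agent name, action), per the post."""
    cache = TtlCache(max_entries, lifetime_s=600)
    for uri in uris:
        cache.put((uri, agent, action), ("realm-oid", "auth-scheme", None), now=0)
    return len(cache.entries), cache.evictions

def session_auth_entries(users, realms):
    """Authentication entries are keyed by (session ID, Realm OID)."""
    cache = TtlCache(users * realms, lifetime_s=3600)
    for u in range(users):
        for r in range(realms):
            cache.put((f"sess-{u}", f"realm-{r}"), True, now=0)
    return len(cache.entries)

def stale_authz_window(lifetime_s, revoked_at, check_times):
    """A cached 'allow' keeps being served after the policy store changes."""
    # Constructed key: directory OID, user DN, filter path, filter class, resolution
    key = ("dir-oid", "uid=alice,dc=example,dc=com", "filter-path", "filter-class", "res")
    cache, policy_store = TtlCache(10, lifetime_s), {"allow": True}
    cache.put(key, policy_store["allow"], now=0)
    results = []
    for t in check_times:
        if t >= revoked_at:
            policy_store["allow"] = False     # administrator removes access
        cached = cache.get(key, now=t)
        results.append(cached if cached is not None else policy_store["allow"])
    return results
```

With a 300-second lifetime and access revoked at 60 seconds, `stale_authz_window(300, 60, [30, 120, 299, 300])` keeps returning an allow until the entry expires, which is the window to weigh when choosing Cache Entry Lifetime. `resource_cache_fill` shows why URLs that differ only in query string churn a fixed-size Resource cache.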



  • 5.  Re: CA SSO : Attributes in Policy Server Cache and Webagent Cache?

    Posted Dec 05, 2017 09:28 AM

    Hi Leo,

     

    Thanks for sharing the useful articles. I got some idea and got confused as well. Is it possible to provide the response in the format below (attribute name and purpose) so that it will be easy to understand?

     

    <<

    • ATTR_USERDN. The user's distinguished name.
    • ATTR_SESSIONSPEC. The session specification returned from the login call.
    • ATTR_SESSIONID. The session ID returned from the login call.
    • ATTR_USERNAME. The user's name.

    >>

     

    Ujwol,

    As you will be preparing many useful articles, it would be very helpful if you could create an article regarding the information which will be stored in each cache.

     

    Regards,

    Dhilip



  • 6.  Re: CA SSO : Attributes in Policy Server Cache and Webagent Cache?

    Posted Dec 08, 2017 12:05 AM

    Hi,

     

    A gentle reminder.

    Thanks.

     

    Regards,

    Dhilip



  • 7.  Re: CA SSO : Attributes in Policy Server Cache and Webagent Cache?
    Best Answer

    Posted Dec 08, 2017 12:17 AM

    Hi Dilip,

     

    Here is the list of attributes stored in all the available caches; however, some of the attributes may change/keep changing between different versions.

     

     

    Regards,

    Ujwol



  • 8.  Re: CA SSO : Attributes in Policy Server Cache and Webagent Cache?

    Posted Dec 11, 2017 12:29 AM

    Hi Ujwol,

     

    Thanks for providing the detailed info.

     

    1. May I know the version of Policy Server and Web Agent (which the above table represents)?
    2. Where will the cache of the Web Agent and Policy Server be stored (physical location)?
    3. Is there a way to view the contents of the caches?

     

    Thanks,

    Dhilip



  • 9.  Re: CA SSO : Attributes in Policy Server Cache and Webagent Cache?

    Posted Dec 11, 2017 07:09 AM

    1. It is for 12.0, but there haven't been any significant changes around this, so most of these should still be applicable.

    2. It is stored in process memory.

    3. For the web agent there is no option. For PS, you can try "smpolicysrv -dumpcache". To my knowledge, this didn't work in some versions.



  • 10.  Re: CA SSO : Attributes in Policy Server Cache and Webagent Cache?

    Posted Dec 11, 2017 07:33 AM

    Hi Ujwol,

     

    Thanks for your response. We are using 12.52.104.2032 version of PS. May I know the exact syntax to view cache content?

     

    I have used the smpolicysrv -dumpcache command, but I didn't get any response message/code. Will the outputs/results be placed in any particular file?

     

    Note :

    When I check the status of last executed command (using $?), I am getting the output as success (0).

    Also, in the smps.log, I could see the following line: Server 'dumpcache' command received.

     

    Thanks,

    Dhilip



  • 11.  Re: CA SSO : Attributes in Policy Server Cache and Webagent Cache?

    Posted Dec 11, 2017 07:44 AM

    Hi Dilip,

     

    Do you mind spinning off a new thread for it and closing the current thread?

     

    I will try to find an answer to the dumpcache command question tomorrow, unless someone else gets in before me.

     




  • 12.  Re: CA SSO : Attributes in Policy Server Cache and Webagent Cache?

    Posted Dec 11, 2017 07:55 AM

    Sure Ujwol!

     

    New Thread has been created.

    CA SSO : How to view content of Policy Server Cache? 



  • 13.  Re: CA SSO : Attributes in Policy Server Cache and Webagent Cache?

    Posted Nov 05, 2018 02:49 PM

    Ujwol

    Sorry for replying to an old thread, but it's regarding the webagent caches.

    From this link, "What is the Webagent cache size and memory used? - CA Knowledge", we have a formula to calculate the amount of RAM used by the cache.

    It's not clear if the results are in bytes or Kbytes. I assume it's in bytes since the value of sizeof(void*) is 8 bytes most of the time.

    Can you confirm that's right?

     

    Thanks.



  • 14.  Re: CA SSO : Attributes in Policy Server Cache and Webagent Cache?

    Posted Nov 07, 2018 07:20 AM

    Hi Wellington,


    Yes, it's in bytes.


    Regards,

    Ujwol