Seeing many "Policy store failed operation 'MultipleSearch' errors in the SMPS.log with R12.52 SP1 Policy Server.

Document ID:  TEC1626754
Last Modified Date:  08/02/2017
{{active ? 'Hide' : 'Show'}} Technical Document Details

Products

  • CA Single Sign-On

Releases

  • CA Single Sign-On:Release:12.52 SP1

Components

  • SITEMINDER -POLICY SERVER:SMPLC
Symptoms:

Policy Server reports Error 82 during cache rebuilds:


[17987/4011699056][Fri Oct 16 2015 08:45:01][SmObjProvider.cpp:187][ERROR][sm-Server-03090] Policy store failed operation 'MultipleSearch' for object type 'UserDirectory' . LDAP Error Doing UserDirectory_Fetch: 82: Local error

These errors are encountered on other object types as well such as "UserDirectory", "TrustedHost", "PropertyCollection", and "ServerCommand" to name a few.

Environment:
SiteMinder Policy Server : R12.52 SP1 Policy Store : CA Directory version >= R12.0.14 and < r12.0.17="" cr1="" r12.0.17="">
Cause:

CA directory has setting dxgrid-queue and the issue may occur when this setting set to true. Pre-SP14, it was set to ‘false’ by default, Post-SP14, it is set to ‘true’ by default. 

These failed searches are the result of a packet/memory corruption issue in CA Directory R12.0.14 through R12.0.17 with 'set dxgrid-queue=true' (default).

This error is reported by LDAP SDK on the Policy Server side due to malformed packet received from CA Directory.

Resolution:

This issue is resolved in CA Directory R12.0.17 CR-01.  So, to resolve this issue and still be able to use the dxgrid-queue upgrade CA Directory to version R12.0.17 CR-01 or later.

Workaround:

1. Disable dxgrid-queue by adding following configuration in your DSA initialization file (.dxi ) :

    set dxgrid-queue=false

dxi.jpg

2. Restart DSA

 

However, please note , disabling the dxgrid-queue comes with the penalty of loosing the following benefits which comes with the dxgrid-queue :

  • Improves performance of concurrent search and update requests.
  • Allows abandoning of searches that are not performed yet (due to reasons such as client disconnect or timeout).
  • Increases thread utilization, thus allowing better throughput.
  • Allows the set interrupt-searches = true|false; command to be used to prevent long running searches blocking updates. See the set interrupt-searches command for more details.
Additional Information:

Please help us improve!

Will this information enable you to resolve your issue?

Please tell us what we can do better.

{{feedbackText.length ? feedbackText.length : '0'}}/255

{{status}}

Not what you were looking for?

Search Again >

Product Information

Support by Product >

Communities

Join a Community >