User AZ Cache in policy server

Document ID:  TEC544401
Last Modified Date:  08/07/2017

Products

  • CA Single Sign-On
  • CA Federation
  • CA Web Services Security

Releases

  • CA Single Sign-On:Release:12.52
  • CA Single Sign-On:Release:12.51
  • CA Single Sign-On:Release:12.5
  • CA Single Sign-On:Release:12.0 SP3
  • CA Single Sign-On:Release:12.52 SP1
  • CA Single Sign-On:Release:12.52 SP2
  • CA Single Sign-On:Release:12.6
  • CA Single Sign-On:Release:12.6.1
  • CA Single Sign-On:Release:12.7

Components

  • SITEMINDER -POLICY SERVER:SMPLC

Question:

How does the User Authorization Cache work at Policy server?

Environment:
Policy Server: r12.5 and above

Answer:

The User AZ cache stores information about the policies applied to a given user. When a policy is bound to a user directory object such as a group, the Policy Server must determine whether a particular user belongs to that group, i.e. it must search the directory to get the user's membership list. The User Authorization Cache prevents this round trip to the directory. Note that if a policy is bound to a user name (or DN, OU, and O), the Authorization Cache is ineffective, because in that case there is no need to search the directory in the first place.

Location:
HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Ds\DsCacheParms

DsInfoEnabled specifies whether the User Authorization cache is enabled or disabled.
DWORD=1 means that the User Authorization cache is enabled.
Default value: 0

Range: 0-3

0: Cache Disabled.

1: Cache All.

2: Cache entries if the given policy is applicable, irrespective of the authorization result. A policy being applicable does not mean that authorization is successful: authorization can still fail because of an IP restriction, a time restriction, a user namespace restriction, etc.

3: Cache entries only when the given policy is not applicable for the user.

DsInfoTimeoutSeconds specifies the lifetime, in seconds, of the cache entries described above.
Default value: 3600
Range: 0-*

DsInfoMaxSizeMB specifies the maximum size of cache entries that are allowed in the user authentication cache.
Default value: 10
Range: 0-*

In SiteMinder 6.x and R12 you specify the User Authorization cache size in MB. Each entry is estimated to be 64 bytes, so the formula simply converts the number of entries to MB as follows:

Number of MB = (ExpectedNumberOfUsers * NumberOfPolicies * 64) / 1048576

UserPolicyCacheMaxSize sets the number of entries for the user policy cache (if present). If this entry is not present, or is set to 0, then this cache will not be active.
Default value: 1000
Range: 0-*

Please note that entries are removed from the cache when:

  • The cache limit is reached: 25% of the entries, chosen at random, are removed.
  • The entry has expired.
  • The FlushAll or the FlushUsers command is processed: all entries are removed.
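
The settings above, put together as a small Python model of the cache (an added example, not CA code and not part of the original document). It shows the sizing formula, the four DsInfoEnabled modes, the 25% random eviction, and that a cached result keeps being returned until the entry expires or is flushed. The class and function names are hypothetical; keying entries by (user, policy) and treating an entry as expired exactly at its timeout are assumptions.

```python
import random

ENTRY_BYTES = 64          # per-entry estimate given in the article
MODES = {0: "disabled", 1: "all", 2: "applicable only", 3: "not-applicable only"}

def required_mb(expected_users, policies):
    """Article's sizing formula: entries * 64 bytes, expressed in MB."""
    return expected_users * policies * ENTRY_BYTES / 1048576

class UserAzCacheModel:
    """Toy model, not CA code: key = (user, policy), value = policy applicability."""
    def __init__(self, ds_info_enabled=0, timeout_seconds=3600, max_size_mb=10, rng=None):
        if ds_info_enabled not in MODES:
            raise ValueError("DsInfoEnabled must be 0-3")
        self.mode, self.ttl = ds_info_enabled, timeout_seconds
        self.max_entries = max_size_mb * 1048576 // ENTRY_BYTES
        self.rng = rng or random.Random()
        self.entries = {}                 # (user, policy) -> (applicable, expires_at)

    def put(self, user, policy, applicable, now):
        """Store a directory lookup result if the mode allows it; return True if stored."""
        wanted = {0: False, 1: True, 2: applicable, 3: not applicable}[self.mode]
        if not wanted or self.max_entries == 0:
            return False
        if len(self.entries) >= self.max_entries:
            # Limit reached: drop 25% of entries chosen at random.
            for key in self.rng.sample(list(self.entries), len(self.entries) // 4):
                del self.entries[key]
        self.entries[(user, policy)] = (applicable, now + self.ttl)
        return True

    def get(self, user, policy, now):
        """Return cached applicability, or None on miss/expiry (directory search needed)."""
        hit = self.entries.get((user, policy))
        if hit is None:
            return None
        if now >= hit[1]:                 # assumption: expired exactly at the timeout
            del self.entries[(user, policy)]
            return None
        return hit[0]

    def flush_all(self):
        self.entries.clear()

if __name__ == "__main__":
    cache = UserAzCacheModel(ds_info_enabled=1)
    cache.put("alice", "GroupPolicy", True, now=0)       # constructed sample data
    # If alice leaves the group at t=60, the model still answers from cache until expiry.
    print(cache.get("alice", "GroupPolicy", now=3599), cache.get("alice", "GroupPolicy", now=3600))
    print(round(required_mb(50000, 20), 2), "MB needed for 50000 users x 20 policies")
```

In this model, DsInfoTimeoutSeconds bounds how long a group-membership change can go unnoticed unless the cache is flushed.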
