How SiteMinder Caches Work

Caches implemented by the Policy Server

Object Store Cache
Purpose: Stores contents of the Policy Store in memory in order to reduce round trip calls to LDAP and ODBC policy stores.
Type: Key/Value map.
Key: Object ID
Value: Object
Entry added:
· All objects are added at the startup time.
· Every time an object or an object property is fetched from the Policy Store
Entry removed: Whenever an object is invalidated due to creation/deletion/modification.
Configuration: No parameters. Always fully preloaded
Comments: The Policy Cache is actually an array of caches – one element of this array corresponds to one object type (domain, realm, etc.). Successful read access is not blocking. Thread will have to obtain a lock only if it tries to modify the cache.

Policy Cache
Purpose: Stores the list of policy links applicable to a given resource and action. Prevents the scanning of all rules within a given realm in order to determine which policies protect a particular resource.
Type: Two level cache. The first level is a Key/Value map; the second level is a tree of lexical rule filters plus an array of regexp rule filters.
First level Key: RealmOID (or Agent OID in case of Global Policies) of a protected resource.
First level Value: Data describing the realm.
Second level Key: Resource+Action.
Second level Value: Tree of lexical rules pointing to lists of applicable policy links. Map of regexp rules pointing to lists of applicable policy links.
Cache lifetime: Cache rebuilt if needed at the end of the Management cycle. If some relevant object were modified, cache will be completely rebuilt from Object Cache. While cache is building no requests are served.
Configuration: None
Comments: New in SiteMinder 6.0

Agent Name Cache
Purpose: Stores an easily searchable table of Agent Oids. During IsProtected it is necessary to determine the Agent Oid from the Agent Name. The Agent Name Cache prevents enumerating all agents to find the one with a matching name.
Type: Hash Map of Agent Names to Agent Oids
Key: Agent Name
Value: Agent Oid
Cache lifetime: Cache rebuilt if needed at the end of the Management cycle. If some relevant object were modified, cache will be completely rebuilt from Object Cache. While cache is building no requests are served.
Comments: New in SiteMinder 6.0

Agent Group Cache
Purpose: Stores easily searchable lists of Agent Oids. During IsProtected it is necessary to find all Agents that might protect this resource, i.e. if a given agent belongs to an Agent Group, all agents (and agent groups) of this group might protect the given resource. The Agent Group Cache prevents recursive scanning of all agents to find the applicable ones.
Type: Multi Map of Agent Oids to list of Agent Oids
Key: Agent Oid
Value: List of Agent Oids
Cache lifetime: Cache rebuilt if needed at the end of the Management cycle. If some relevant object were modified, cache will be completely rebuilt from Object Cache. While cache is building no requests are served.
Comments: New in SiteMinder 6.0

Realm Cache
Purpose: Stores Realms for best resource matching. During IsProtected it is necessary to find the best matching Realm for the given Agents and resource. The Realm Cache prevents scanning all Realms to find the best lexical match.
Type: Two level cache. The first level is a Hash Map of Agent Oids, each pointing to a Realm Tree. Each Realm Tree stores Realm filters pointing to Realm OIDs. The process of finding the best matching realm is:
1. For each given Agent, find the corresponding tree.
2. Search the given resource to find the best matching realm in the tree.
3. Pick the longest match among all applicable Agents.
Key: List of Agent Oids + resource
Value: Realm OID
Cache lifetime: Cache rebuilt if needed at the end of the Management cycle. If some relevant object were modified, cache will be completely rebuilt from Object Cache. While cache is building no requests are served.
Comments: New in SiteMinder 6.0
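The three-step lookup above, written out as an added Python example; this is not SiteMinder's code and not from the original page. The per-agent tree is a trie over path components, "best match" is the longest realm filter that prefixes the resource, and the agent list and realm data (REALMS_BY_AGENT) are constructed sample values standing in for what the Agent Name and Agent Group caches would supply.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample data (not from the page): agent OID -> list of
# (realm resource filter, realm OID).
REALMS_BY_AGENT = {
    "agent-www": [("/", "realm-root"), ("/app/", "realm-app"), ("/app/admin/", "realm-admin")],
    "agent-api": [("/api/", "realm-api")],
}


def _components(path: str) -> List[str]:
    """Split a resource or filter into its non-empty path components."""
    return [p for p in path.split("/") if p]


class RealmTree:
    """Tree of realm filters for one agent, keyed by path component. A node
    carries (filter, realm OID) when a realm's filter ends at that node."""

    def __init__(self) -> None:
        self.children: Dict[str, "RealmTree"] = {}
        self.entry: Optional[Tuple[str, str]] = None

    def insert(self, resource_filter: str, realm_oid: str) -> None:
        node = self
        for part in _components(resource_filter):
            node = node.children.setdefault(part, RealmTree())
        node.entry = (resource_filter, realm_oid)

    def best_match(self, resource: str) -> Optional[Tuple[str, str]]:
        """Walk down the tree along the resource path and remember the deepest
        node that terminates a realm filter: the best lexical match."""
        node, best = self, self.entry
        for part in _components(resource):
            node = node.children.get(part)
            if node is None:
                break
            if node.entry is not None:
                best = node.entry
        return best


class RealmCache:
    """First level: hash map of agent OID -> RealmTree, built once from the
    realm objects. Lookup follows the three steps listed above."""

    def __init__(self, realms_by_agent: Dict[str, List[Tuple[str, str]]]) -> None:
        self.trees: Dict[str, RealmTree] = {}
        for agent_oid, realms in realms_by_agent.items():
            tree = self.trees.setdefault(agent_oid, RealmTree())
            for resource_filter, realm_oid in realms:
                tree.insert(resource_filter, realm_oid)

    def find_realm(self, agent_oids: List[str], resource: str) -> Optional[str]:
        best: Optional[Tuple[str, str]] = None
        for agent_oid in agent_oids:                  # step 1: the agent's tree
            tree = self.trees.get(agent_oid)
            if tree is None:
                continue
            match = tree.best_match(resource)         # step 2: best match in that tree
            if match is not None and (best is None or len(match[0]) > len(best[0])):
                best = match                          # step 3: longest filter wins
        return None if best is None else best[1]


if __name__ == "__main__":
    cache = RealmCache(REALMS_BY_AGENT)
    print(cache.find_realm(["agent-www"], "/app/admin/users.jsp"))       # realm-admin
    print(cache.find_realm(["agent-www", "agent-api"], "/api/v1/users"))  # realm-api
    print(cache.find_realm(["agent-api"], "/img/logo.png"))              # None: no realm for this agent
```

A None result is what IsProtected turns into "not protected", which is why the realm filters for every agent that can front a resource need to be in the tree: a missing tree is indistinguishable from an unprotected resource.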

Server Command Cache
Purpose: Stores Server Commands for a configurable amount of time (default 10 seconds) before actually storing them in the Policy Store. When changes are made to the Policy Store, duplicate commands may be created. Also, “Flush” commands of broader scope overwrite more specific Flush commands. For example, if a user initiates a “Flush All” command, all other “flush” commands become irrelevant. This is done to decrease the overall number of Server Commands.
Type: Commands are treated differently:
· UpdateOid commands are stored in a hash table, so only the last “update” of a specific command will be stored.
· “Flush All”: the last command is stored by itself, because we should issue only one such command.
· “Flush Realms”: the last command is stored by itself, because we should issue only one such command.
· “Flush Realm”: commands are stored in a hash table, so only the last “flush” of a specific realm will be stored.
The cache is cleaned out every “ServerCmdDelay” seconds, i.e. all cached commands are stored in the Policy Store.
Key: Server Command
Value: True if the command should proceed with Save, False if it should be skipped.
Entry added: Every time server command is created
Entry removed:
· Once every “ServerCmdTimeDelay”
Configuration:
Registry Key: ObjStore\
Registry Value Name    Default   Comment
ServerCmdDelay         10        Number of seconds to store Server Commands.
Comments: New in SiteMinder 6.0
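The coalescing rules above as an added Python example (not SiteMinder's code, not from the original page). Commands are held until the ServerCmdDelay timer fires; drain() then returns only the commands worth saving. The command kind names and the ServerCommand type are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ServerCommand:
    kind: str          # "UpdateOid", "FlushAll", "FlushRealms" or "FlushRealm" (assumed names)
    target: str = ""   # object OID for UpdateOid, realm OID for FlushRealm


class ServerCommandCache:
    """Holds server commands for ServerCmdDelay seconds and coalesces them
    using the per-kind rules listed above before they reach the policy store."""

    def __init__(self) -> None:
        self._reset()

    def _reset(self) -> None:
        self.update_oid: Dict[str, ServerCommand] = {}     # keyed by object OID
        self.flush_all: Optional[ServerCommand] = None      # at most one
        self.flush_realms: Optional[ServerCommand] = None   # at most one
        self.flush_realm: Dict[str, ServerCommand] = {}     # keyed by realm OID

    def add(self, cmd: ServerCommand) -> None:
        """Entry added every time a command is created; a later command for the
        same key simply replaces the earlier one."""
        if cmd.kind == "UpdateOid":
            self.update_oid[cmd.target] = cmd
        elif cmd.kind == "FlushAll":
            self.flush_all = cmd
        elif cmd.kind == "FlushRealms":
            self.flush_realms = cmd
        elif cmd.kind == "FlushRealm":
            self.flush_realm[cmd.target] = cmd
        else:
            raise ValueError(f"unknown server command kind: {cmd.kind}")

    def drain(self) -> List[ServerCommand]:
        """Runs once every ServerCmdDelay seconds: returns the commands that
        should actually be saved and empties the cache. A flush of broader
        scope makes every narrower flush irrelevant, so only the broadest
        flush is emitted; UpdateOid commands are always kept."""
        to_save = list(self.update_oid.values())
        if self.flush_all is not None:
            to_save.append(self.flush_all)
        elif self.flush_realms is not None:
            to_save.append(self.flush_realms)
        else:
            to_save.extend(self.flush_realm.values())
        self._reset()
        return to_save


if __name__ == "__main__":
    cache = ServerCommandCache()
    for cmd in (ServerCommand("UpdateOid", "realm-1"),
                ServerCommand("UpdateOid", "realm-1"),   # duplicate, collapsed
                ServerCommand("FlushRealm", "realm-1"),
                ServerCommand("FlushRealm", "realm-2"),
                ServerCommand("FlushRealms")):           # supersedes both FlushRealm
        cache.add(cmd)
    print(cache.drain())   # one UpdateOid for realm-1 and one FlushRealms
```

The delay is also the window in which a flush is not yet visible to other Policy Servers reading the store, so when verifying that a policy change has propagated, allow for ServerCmdDelay on the writer plus the management cycle on the readers.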

User Authorization Cache
Purpose: Stores information about policies applied to a given user. When a policy is bound to a user directory object such as a group it is necessary to determine whether a particular user belongs to the group i.e. it is necessary to search the directory to get the user’s membership list. The User Authorization Cache prevents this round trip to the directory. Note that if a policy is bound to a user name (or DN, OU, and O), the Authorization Cache is ineffective because in this case there is no need to search the directory in the first place.
Type: Key/Value map with timestamp for each entry. When cache limit is reached, 25% of random entries are removed. During a successful lookup the timestamp is checked and the entry is invalidated if it has expired.
Key: Directory+UserDN+PolicyUserFilter+PolicyResolution+PolicyFlags
Value: True (if a policy applies to the user), False otherwise
Entry added: Every time user-policy relationship is found.
Entry removed:
· When the cache limit is reached 25% random entries are removed.
· When the entry has expired.
· When the “FlushAll” or the “FlushUsers” commands are processed all entries are removed.
Configuration: UI: Policy Server management console, “Settings” tab, “User Az Cache (MB)”
Registry Key: Ds\DsCacheParms
Value Name              Default   Description
DsInfoEnabled           False
DsInfoMaxSizeMB         10        Size of cache in MB
DsInfoTimeoutSeconds    3600      Cache entry expiration time in seconds
Registry-UI mapping
Registry Value Name     UI control name
DsInfoMaxSizeMB         User Az Cache (MB)
Comments:
· Although DsInfoCacheEnabled does not have a UI mapping, it will be set to False if DsInfoMaxSizeMB is zero.
· In SiteMinder versions 4.x/5.x the User Az Cache size was defined as a number of entries. To improve manageability of the product, SiteMinder 6.x defines the User Az Cache size in MB. The rule used for conversion is:
Number of MB = (Number of entries * 64) / (1024 * 1024) + 1 (i.e. each entry is estimated as 64 bytes)

Authentication Cache
Purpose: Stores full response packets for a successful user authentication. Prevents a round trip to the LDAP or ODBC user store in order to authenticate a particular user. There are a number of limitations with this cache (see below).
Type: Key/Value map with timestamp for each entry. When cache limit is reached one random entry is removed. During a successful lookup the timestamp is checked and the entry is invalidated if it has expired.
Key: SHA1 Digest of Username+Password+RealmOID
Value: Full response packet
Entry added: Every time a user is successfully authenticated.
Entry removed:
· When the cache limit is reached one randomly selected entry is removed.
· When the entry has expired.
Configuration: UI: None
Registry Key: Authentication
Value Name                Default   Description
AuthCacheSize             0         0 means that the cache is disabled
AuthCacheEntryLifetime    60        Cache entry expiration time in minutes
Comments: This cache is currently not documented in any of the SiteMinder end user documentation. The cache has the following limitations:
· It works only for password-based authentication schemes.
· There is no synchronization with the “FlushUser” and “FlushAll” commands.
· There is no synchronization with a user's session expiration time.
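The User Authorization Cache and the Authentication Cache share one structure: a timestamped key/value map whose entries are invalidated only when looked up, with random eviction once the limit is reached. The added Python example below (not SiteMinder's code, not from the original page) implements that structure once and serves both sections: evict_fraction=0.25 gives the User Az behaviour, evict_fraction=0.0 the Authentication cache's single-entry eviction. The limit is expressed in entries rather than MB, the clock is injectable so expiry can be exercised, and the directory, DN and filter strings are constructed values.

```python
import random
import time
from typing import Any, Callable, Dict, Hashable, Optional, Tuple


class ExpiringCache:
    """Key/value map with a timestamp per entry. Expiry is checked only when an
    entry is looked up; when the entry limit is reached a random share of the
    entries is evicted (25% for the User Az cache, a single entry for the
    Authentication cache)."""

    def __init__(self, max_entries: int, ttl_seconds: float, evict_fraction: float,
                 clock: Callable[[], float] = time.time,
                 rng: Optional[random.Random] = None) -> None:
        self.max_entries = max_entries
        self.ttl_seconds = ttl_seconds
        self.evict_fraction = evict_fraction
        self.clock = clock              # injectable so expiry can be tested offline
        self.rng = rng or random.Random()
        self._entries: Dict[Hashable, Tuple[Any, float]] = {}

    def put(self, key: Hashable, value: Any) -> None:
        if key not in self._entries and len(self._entries) >= self.max_entries:
            self._evict_random()
        self._entries[key] = (value, self.clock())

    def get(self, key: Hashable) -> Optional[Any]:
        item = self._entries.get(key)
        if item is None:
            return None
        value, stored_at = item
        if self.clock() - stored_at > self.ttl_seconds:
            del self._entries[key]      # expired: invalidated on lookup, there is no sweeper
            return None
        return value

    def _evict_random(self) -> None:
        count = max(1, int(len(self._entries) * self.evict_fraction))
        for key in self.rng.sample(list(self._entries), count):
            del self._entries[key]

    def flush(self) -> None:
        """FlushAll / FlushUsers handling for the User Az cache. The page notes
        that the Authentication cache has no equivalent hook."""
        self._entries.clear()

    def __len__(self) -> int:
        return len(self._entries)


def user_az_key(directory: str, user_dn: str, policy_user_filter: str,
                policy_resolution: str, policy_flags: int) -> Tuple[str, str, str, str, int]:
    """The User Az cache key: Directory+UserDN+PolicyUserFilter+PolicyResolution+PolicyFlags."""
    return (directory, user_dn, policy_user_filter, policy_resolution, policy_flags)


if __name__ == "__main__":
    now = [1_000.0]
    az = ExpiringCache(max_entries=4, ttl_seconds=3600, evict_fraction=0.25,
                       clock=lambda: now[0], rng=random.Random(1))
    key = user_az_key("dir-1", "uid=alice,ou=people,o=example",       # constructed values
                      "cn=admins,ou=groups,o=example", "group", 0)
    az.put(key, True)
    print(az.get(key))      # True: directory round trip avoided
    now[0] += 3601
    print(az.get(key))      # None: expired, group membership must be re-read
```

Because entries are only invalidated on lookup, a cached True for a group-bound policy survives for the full DsInfoTimeoutSeconds after the user is removed from the group unless a FlushUsers or FlushAll command is issued; for the Authentication cache, which has no flush hook at all, AuthCacheEntryLifetime is the only bound on how long a cached successful authentication remains usable after a password change.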

Certificate Revocation List (CRL) cache
Purpose: Stores CRLs. Eliminates search of the CRL Directory during certificate-based authentication.
Type: Unbounded linked list of objects. During a successful lookup the “NextUpdate” field of the CRL is checked. If the current time is later than the value of that field, the entry is removed.
Key: Issuer DN +Certificate Serial Number
Value: REVOKED (if the certificate is found in the CRL cache),
VALID (if the certificate is not found in the CRL cache),
NOT_FOUND (if the CRL is not cached)
Entry added: When a CRL is fetched from the CRL Directory.
Entry removed:
· When the entry is expired (“NextUpdate” field of CRL is in the past).
· When the “FlushAll” command is processed all entries are removed.
Configuration: Configured in Admin GUI in the “Certificate Mapping” dialog box.
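The CRL cache lookup above as an added Python example (not SiteMinder's code, not from the original page): cached CRLs live in an unbounded list, a lookup returns REVOKED, VALID or NOT_FOUND, and a CRL whose NextUpdate has passed is dropped when it is consulted. Times are epoch seconds passed in explicitly, the issuer DN and serial numbers are constructed values, and the rule that a freshly fetched CRL replaces the previous one for the same issuer is an assumption of the example.

```python
from dataclasses import dataclass
from typing import List, Set


@dataclass
class CachedCrl:
    issuer_dn: str
    next_update: float          # epoch seconds taken from the CRL's NextUpdate field
    revoked_serials: Set[str]   # serial numbers listed in the CRL


class CrlCache:
    """Unbounded list of cached CRLs. check() answers REVOKED, VALID or
    NOT_FOUND and removes a CRL whose NextUpdate is in the past."""

    def __init__(self) -> None:
        self._crls: List[CachedCrl] = []

    def add(self, crl: CachedCrl) -> None:
        """Entry added when a CRL is fetched from the CRL directory. Assumption
        (not stated on the page): a fresh CRL replaces an older one for the
        same issuer."""
        self._crls = [c for c in self._crls if c.issuer_dn != crl.issuer_dn]
        self._crls.append(crl)

    def check(self, issuer_dn: str, serial: str, now: float) -> str:
        for crl in self._crls:
            if crl.issuer_dn != issuer_dn:
                continue
            if now > crl.next_update:
                self._crls.remove(crl)      # stale: dropped, caller must refetch the CRL
                return "NOT_FOUND"
            return "REVOKED" if serial in crl.revoked_serials else "VALID"
        return "NOT_FOUND"

    def flush_all(self) -> None:
        """All entries are removed when the FlushAll command is processed."""
        self._crls.clear()

    def __len__(self) -> int:
        return len(self._crls)


if __name__ == "__main__":
    cache = CrlCache()
    # Constructed CRL: one revoked serial, valid until epoch second 2000.
    cache.add(CachedCrl("CN=Example Issuing CA,O=Example", 2000.0, {"0A1B2C"}))
    print(cache.check("CN=Example Issuing CA,O=Example", "0A1B2C", 1500.0))   # REVOKED
    print(cache.check("CN=Example Issuing CA,O=Example", "FFFF01", 1500.0))   # VALID
    print(cache.check("CN=Example Issuing CA,O=Example", "0A1B2C", 2500.0))   # NOT_FOUND: CRL expired and dropped
```

NOT_FOUND is distinct from VALID on purpose: it means the revocation status is unknown until the CRL is fetched again, so a caller that maps NOT_FOUND to success would accept revoked certificates whenever the CRL directory is unreachable or the cached CRL has aged out.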

Courtesy: http://www.ssohelp.com/notes/How_SiteMinder_Caches_Work
