In this post, we will enumerate indirect contributors to poor authorization performance. This article is a follow-up to part 1, where we discussed direct contributors. We will also provide a few tips that can assist you during troubleshooting.
Abnormal User Load
Proper sizing of the resource cache depends heavily on understanding how users access the protected resources. If users are accessing resources in a manner that is inconsistent with the expected pattern, it could impact cache efficiency.
For example, if the majority of application use occurs between 9 AM and 5 PM EST, with the majority of users logging in at 9 AM and again at 1 PM, the resource cache timeout could be left at the default setting (10 minutes). If, however, the user community for an application spans multiple time zones, increasing the resource cache timeout would be recommended. The increase provides cache stability and results in improved performance for users who access the application from other (trailing) time zones.
Monitoring the web agent resource cache metrics is the best way to determine if this is an issue.
Undersized Resource Cache
Resource cache optimization should allow the agent to handle all requests for previously requested resources without communicating with the policy server, so that the web agent can respond immediately. A properly optimized resource cache dramatically improves the performance of the web agent, reduces the load on the policy server, and reduces the load on the network.
To determine if your resource cache is undersized, you will need to have the following data from the web agents via SNMP or the OneView Monitor:
You will also need to know how many protected resources are deployed as that will provide guidance in determining how the cache should be sized.
Note: The OneView Monitor only provides a current view of the totals for the metrics collected. To provide a comprehensive view of these metrics, use of an SNMP monitoring tool is recommended. These tools can help you identify the trends over time and correlate known issues with data being collected.
Many SiteMinder administrators look at the ResourceCacheMisses value as the sole indicator that the cache is not large enough. It is easy to focus on that value, but by itself it is not extremely useful; we need to understand the context surrounding the ResourceCacheMisses. For example, it is important to understand when the misses are occurring. If the vast majority of the misses occur when there is very low user activity, then the misses are not negatively impacting the performance of the web agent. In many use cases, the resource cache is drained after typical working hours and replenished the next business day. This pattern would result in a large number of misses each morning, but would not be a problem. Additionally, the following can elevate the ResourceCacheMisses numbers:
- URLs with query parameters
- Resource Cache Timeout
- Poorly Constructed SiteMinder Policies
If the ResourceCacheCount is equal to the ResourceCacheMax, the resource cache is likely undersized. If the ResourceCacheCount is larger than the number of protected resources served by the web agent, consider the following:
- Do the protected applications use query parameters?
- If so, is IgnoreQueryData set to ‘Yes’?
- If the application has a large number of protected images, they should be accounted for in the resource cache sizing.
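The checks described above can be run over a series of polled agent metrics. The following Python sketch is an added example, not code from the original post or from the product: the sample values are constructed, the hits counter is assumed to be polled alongside ResourceCacheMisses, and the two thresholds are illustrative rather than vendor values.

```python
from collections import namedtuple

# Constructed samples (not real agent data). hits/misses are cumulative totals
# as an SNMP poller would record them; "hits" is an assumed companion counter.
# cached = ResourceCacheCount, cache_max = ResourceCacheMax.
Sample = namedtuple("Sample", "hour hits misses cached cache_max")
SAMPLES = [
    Sample(6, 1000, 200, 150, 700),
    Sample(9, 1500, 700, 650, 700),     # morning refill, light traffic
    Sample(11, 9000, 900, 700, 700),
    Sample(13, 15000, 2400, 700, 700),
    Sample(15, 22000, 4000, 700, 700),
    Sample(20, 22300, 4050, 300, 700),  # cache draining after hours
]

def triage(samples, protected_resources, busy_lookups=2000, miss_ratio=0.15):
    """Return (findings, hours); hours are busy intervals with heavy misses.

    busy_lookups and miss_ratio are illustrative thresholds, not vendor values.
    """
    findings = []
    if any(s.cached >= s.cache_max for s in samples):
        findings.append("cache-full")          # ResourceCacheCount == ResourceCacheMax
    if max(s.cached for s in samples) > protected_resources:
        findings.append("check-query-params")  # review IgnoreQueryData and images
    hours = []
    for prev, cur in zip(samples, samples[1:]):
        d_hits, d_miss = cur.hits - prev.hits, cur.misses - prev.misses
        if d_hits < 0 or d_miss < 0:
            continue                           # defensive: totals went backwards
        lookups = d_hits + d_miss
        # Misses only matter when they coincide with real user activity.
        if lookups >= busy_lookups and d_miss / lookups >= miss_ratio:
            hours.append(cur.hour)
    if hours:
        findings.append("misses-under-load")
    return findings, hours

if __name__ == "__main__":
    print(triage(SAMPLES, protected_resources=500))
```

The early-morning interval has a 50% miss rate but is ignored because traffic is light, while the 13:00 and 15:00 intervals are flagged because the misses occur under load with the cache already full.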
Increased Number of Protected Resources
An unexpected increase in protected resources due to changes in an application could cause the resource cache to be undersized. When those types of changes occur, consider increasing the MaxResourceCacheSize to accommodate the new resources. Each resource cache entry requires up to 4 KB of memory on the web server, so monitor the server resources to determine the appropriate resource cache size for all of the applications protected by the server.
Resource Cache Timeout
Properly defining the ResourceCacheTimeout value will help maximize the cache efficiency. If the cache timeout value is too low, the web agent will discharge resources prematurely, which would result in increased traffic and decreased performance.
When investigating poor authorization performance, be sure to correctly quantify the problem and gather the required information. Poor authorization performance can often be attributed to something external to the policy server.
If you need assistance with SiteMinder or other identity and access management solutions, we at SIS would be happy to assist in optimizing or enhancing your security platform.