CA Access Gateway (formerly Secure Proxy Server): Commonly Tuned Parameters

Document ID : KB000043275
Last Modified Date : 14/02/2018
Show Technical Document Details

Introduction:

- This article gives an overview of parameters that are able to be tuned within the CA Access Gateway (formerly CA Secure Proxy Server) and its various components

- The CA Access Gateway is comprised of an HTTP Listener (Apache module) and a Tomcat Servlet container

- There are four specific tuneable sections of the CA Access Gateway:

  1. Apache
  2. Apache-Tomcat connector
  3. HttpClient Connection Pool
  4. JVM

 

Instructions:

1. Apache:

 

Since Apache (version 2.2.6) is acting as an Http-Listener inside SPS, it can be tuned from the perspective of number of threads or max clients it can support concurrently.

The Apache server ships with a selection of Multi-Processing Modules (MPMs) which are responsible for binding to network ports on the machine, accepting requests, and dispatching children to handle the requests. The MPM modules with which Apache (used inside SPS) has been built are as follows: 

For Windows platform: mpm_winnt (The tunable parameters are available inside httpd.conf)

For UNIX platform: worker (The tunable parameters are available inside httpd-mpm.conf)

Below is the list of the important parameters that need to be tuned from the perspective of number of Threads or max clients it can support:

 

ParameterDescriptionDefault Value
ThreadsPerChild

This parameter sets the number of threads created by each child process. The child creates these threads at startup and never creates more. This parameter holds significance for Windows platform since there is only one child process.

This parameter should be high enough to handle the entire load of the server. For UNIX platform, where there are multiple child processes, the corresponding parameter would be MaxClients.

Consider increasing this value on Windows if more number of concurrent connections/requests are expected.

250 (Windows)

25 (Unix)

ThreadLimit

This parameter sets the maximum configured value for ThreadsPerChild for the lifetime of the Apache process.

This value is not present by default in the conf files. 

1920 (Windows)

64 (Unix)

MaxClients

This parameter sets the limit on the number of simultaneous requests that will be served. Once a child process is freed at the end of a different request, the connection will then be serviced. It is only available for UNIX platform

Consider increasing this value if more number of concurrent connections/requests are expected.
150 (Unix)

 

 

  

2. Tomcat Connector:

 

 

Tomcat ajp13 connector receives the requests that are forwarded by Apache via mod_jk.

The Tomcat initialization is customized so it does not allow deployment of any external applications or servlets. The standard Tomcat xml (server.xml) is not used for initialization.

The tunable parameters for Tomcat Ajp13 Connector are available inside server.conf (<sps_home>/secure-proxy/proxy-engine/conf/server.conf).

Below is the list of the parameters: 

ParameterDescriptionDefault Value
worker.ajp13.accept_count

Number of request waiting in queue (queue length):

This represents the maximum queue length for incoming connection requests when all possible request processing threads are in use. Any requests received when the queue is full are refused.
10
worker.ajp13.min_spare_threads

Number of threads created at initialization time:

This represents the number of request processing threads that will be created when this connector is initialized.

This attribute should be set to a value smaller than that set for worker.ajp13.max_threads
10
worker.ajp13.max_threads

Maximum number of concurrent connections possible:

This represents the maximum number of request processing threads to be created by this connector, which therefore determines the maximum number of simultaneous requests that can be handled.
100
worker.ajp13.reply_timeout

The maximum time (milliseconds) that can elapse between any two packets received from proxy engine after which the connection between HTTP listener and proxy engine is dropped.  A value of zero makes it to wait indefinitely until response is received (default)

The parameter value should be kept equivalent to the 

http_connection_timeout.
0 (infinite/never timeout)
worker.ajp13.retries

The maximum number of times that the worker will send a request to Proxy Engine in case of a communication error.

Each retry will be done over another connection. The first time already gets counted, so retries=2 means one retry after error
2

 

3. HttpClient Connection Pool:

 

The HTTP client component is used by the SPS to send requests over the wire to the backend server and receive responses from the backend server.

HttpClient ConnectionPool is a pool that maintains the connections that are made with the backend web server by HttpClient component.

Below is the list of the tunable parameters that are available inside server.conf (<sps_home>/secure-proxy/proxy-engine/conf/server.conf).

 

ParameterDescriptionDefault Value
http_connection_pool_min_size

The minimum number of connections to a single destination server that will be maintained by the SPS and available for processing user requests.

It defines the minimum number of connections that would be created when the first request is made to a particular backend web server. 
4
http_connection_pool_max_size

The maximum number of connections between the SPS and a destination server.

It defines the maximum number of connections that can be made with a particular backend web server at a given point of time. These connections would be available in the pool. If all the connections are busy then the request will have to wait for any of the connections to be available.

Note: Each connection established by the SPS creates a socket. For UNIX operating systems, if the maximum size of the connection pool is large, you might need to increase the operating system’s limit on file descriptors to accommodate the large number of sockets
20
http_connection_pool_incremental_factor

The increment factor when creating the connections.

It defines the number of connections that would be added (in case the http_connection_pool_max_size has not reached) to the pool if all the connections that are already present in the pool are being used to process requests.
4
http_connection_pool_connection_timeoutThis parameter defines the Idle time for a connection (in minutes or seconds as specified by the parameter http_connection_pool_connection_timeout_unit) after which the connection is closed and removed from the pool.1
http_connection_pool_connection_timeout_unit

This parameter defines whether the value specified in the http_connection_pool_connection_timeout is to be considered in minutes or seconds.

minutes
http_connection_pool_wait_timeout

Timeout (in milliseconds) to be used to wait for an available connection.

If all the connections present in the pool are busy at a given point of time and the http_connection_pool_max_size limit has reached then the request would wait for this much amount of time before getting timed out.

A timeout of zero means wait indefinitely.
0 (infinite/never timeout)
http_connection_pool_max_attempts

Number of attempts to obtain a connection from the pool.

A value of zero causes it to attempt indefinitely.

This parameter is only applicable if wait timeout is not zero
3
http_connection_timeout

Timeout (in milliseconds) to be used for creating connections and reading responses.

This parameter defines the socket timeout as well as it limits the time that would be spent in establishing a connection to backend web server. This would include the time spent doing the host name translation and establishing the connection with the backend web server when creating sockets.

A timeout of zero means wait indefinitely.

The parameter value should be kept equivalent to the worker.ajp13.reply_timeout.
0

 

 

4. JVM:

The JVM tuning parameters can have major impact on performance especially on UNIX.

The JVM settings can be tuned via the SmSPSProxyEngine.properties (<sps_home>/secure-proxy/proxy-engine/conf/SmSPSProxyEngine.properties) on Windows platform and via the proxyserver.sh (<sps_home>\secure-proxy\proxy-engine\ proxyserver.sh) for UNIX platform.

Most important parameters are:

–Xms (default --256m)

–Xmx (default --512m)

to define proper memory usage by CA Access Gateway

-Xms - This setting tells the JVM to set its initial heap size. By telling the JVM how much memory it should initially allocate for the heap, we save it from growing the heap size frequently

-Xmx - This setting tells the JVM, the maximum amount of memory it should use for the heap. Placing a hard upper limit on this number means that the Java process cannot consume more memory than physical RAM available. This limit can be raised on systems with more memory.

 

 Note: Do not set this value to near or greater than the amount of physical RAM in your system or it will cause severe swapping during runtime.