Is there a CA SSO Policy Store Threshold?

Document ID : KB000033143
Last Modified Date : 14/02/2018
Show Technical Document Details

Question

 

We are trying to find out if anyone has met the max thresholds or started to see major issue once reaching a certain number of policy store objects?  

We need to know what thresholds exist – how many is “too many” of any given object.  

I’d suspect Trusted Hosts is our highest count type of object right now (over 8K trusted hosts configured), 

but any thresholds need to be identified BEFORE we hit them. Are there any objects that have a threshold that could be different than another? How many ACOs, HCOs, Domains?

 

Basically, our Policy Server takes over 30 minutes to load due to volume being cached, now trusted host registration is also lagging.

We have thousands of policies and millions of users.

 

We're in the process of migrating, but we'll need to understand these thresholds.

 

 

 

Answer

 

Yes, there can be issues with large stores. 

It is difficult to say how many objects is too many objects e.g. if a customer uses long strings everywhere e.g. provides long description, OR long URI patterns 

 

- the Object may be small with one realm - however the size of smdif or XPSExport would be similar to a customer who uses multiple realms with short URIs and no descriptions.

 

 

Large number of objects

 

Policy Server startup takes longer.

Import and Export of objects takes longer.

 

Option-1: Probably set PStore as close as possible to Policy Server to eliminate Network Latency / Network bandwidth.

 

Option-2: Housekeeping Objects is a best practice to get rid of unwanted Policy Domains, ACO, WebAgents, AgentGroups, Trusted Hosts.

 

Large number of trusted hosts means, WebAgent initialization are dead slow OR returns failures.

 

Option-1:

Are all the 8K valid trusted host objects? How about some housekeeping i.e.

 

if a server is decommisioned OR a webserver is removed - please delete the trusted host object.

are their demo OR dummy trusted host objects.

 

Option-2:

 

How about bring up one or two policy server that is purely used for bootstrapping and host registration purpose. This set of policy server is not defined in HCO, but only in SmHost.conf. Hence there would be no normal priority requests on this policy server. There would be only high priority threads. Increase the high priority thread count on this server to maximum (I believe default is 5 and max is 20).

 

 

Migrating to latest version of SiteMinder.

 

Perfect opportunity to clean the PStore. Use Parallel Upgrade. Setup a brand new PStore. Move one application at a time. This way you move only necessary objects i.e. Policy Domain, ACO, WebAgent, Authentication Scheme, Trusted Host (re-run host registration to generate new SmHost.conf - backup existing SmHost.conf for failback) to new PStore, This also blesses you with an opportunity to start keeping a book of ledger for managing objects in new environment.