Understanding Policy Server and Web Agent Caches

Document ID : KB000010239
Last Modified Date : 14/02/2018
Show Technical Document Details
Introduction:

Understanding Policy Server and Web Agent Caches

Instructions:

 

The Policy Store cache is used to cache Policy data to keep the Policy Server from having to query the Policy Store for information.

 

L2 Policy Cache:

The L2 Policy cache maps a resource to the relevant Policy and its Rules / actions, and is hashed by Realm.

The maximum number of entries in the L2 cache can be configured in the Policy Server Management Console in 4.61.

 

 

User Authorization Cache:

 

 

The User Authorization cache remembers unique Policy Authorization results by User Directory OID and user DN + filter path + filter class + resolution.  It is not unique to sessions.  The entries in the Authorization cache are determined by (number of users) * (number of policies for which user could be authorized).  Entries live for the length of time specified by the Cache Entry Lifetime setting.  User Authorizations that are cached may not match the entries in the Policy Store for up to the length of time that the Authorization cache is alive.

  In addition, a change in the user directory which authorization is keyed off of will not be picked up for this length of time.

 

 

Web Agent Caches

 

Note: Size of a WebAgent cache entry is highly dependent on the size of the full URI (including query string). 

 

Resource Cache:

 

The Resource cache caches the results of IsProtected calls and is independent of session.  Documents that fall under Ignore Extensions are not stored in cache.  Cache entries are based upon the full URI (including query string), Agent name, and action.  The cache stores the Realm OID, the protection type (Authentication Scheme), and a redirection URL for credentials.  It is recommended that the size of the Resource cache be set to the number of unique URIs on the site + 10%.  For highly dynamic sites (>60% dynamic URLs, including query string differences), limit the size of the cache or disable it altogether.  It is best to set the timeout of the Resource cache to expire items before the cache fills completely.

 

User Session Cache:

 

The User Session cache caches Authentications and Authorizations.  Authentication is based upon session ID and Realm OID and is dependent upon the number of Realms to which a user has access (e.g. 10 users accessing 100 Realms will fill a cache of size 1000).  Authorization is based upon session ID and resource (Full URI, Method, and Agent name).  Response information is cached by each process and stored with a timestamp denoting its validity.  The maximum session time is also stored for cleanup of entries.  Logout does not flush the cache. 

 

Other Caches:

 

The Affiliate cache caches the information for the redirection back to the Affiliate.

 

Caching of Anonymous users should be turned off unless the site only uses Anonymous Authentication.

 

Reflecting Policy Store Changes

 

When a change is made to the Policy Store, it gets written as a Journal entry.  New Journal entries are detected based on the Apply Administrative Changes setting for the Policy Server caches and the Web Agent Poll Interval for the Web Agent caches.  It may take as long as a combination of both of those times for Policy Store changes to be propagated out to the Web Agents.  In order to insure that that all information is synchronized within the poll interval, Policy Servers need to be time-synced.  Time is GMT-relative, meaning the offset for GMT (based on the server’s time zone setting) is used to ensure that servers in different times zones can be synchronized.