Friday Feb 06, 2009

The OpenSSO Cache is Not The Enemy

A cache is a collection of frequently accessed data that duplicates original values computed earlier and stored in a main memory store. In a write-through cache, every write to the cache causes a synchronous write to the main memory store. In a write-back cache, writes are not immediately mirrored to the store; the cache tracks which of its data locations have been written over and the data in these locations is collected and written to the main memory store all at once. A clean entry accurately reflects the contents of the main memory store and a dirty entry does not.

Two main OpenSSO components that rely heavily on caching are the Service Management and Identity Repository classes. When caching is enabled and a client invokes these services, the resulting session data is captured by the Client SDK and written to its local cache. To enable caching for the Service Management and Identity Repository services on the machine on which the Client SDK is installed, define a combination of true and false values for the following properties in AMConfig.properties on the Client SDK host machine.

NOTE: AMConfig.properties is used to store configuration data for the Client SDK (for example, the information needed to point the Client SDK to a remote instance of OpenSSO) and must be accessible from the machine on which the Client SDK is hosted. It is created during installation of the Client SDK.

  • com.iplanet.am.sdk.caching.enabled enables both caches when set to true (default). A value of false disables both caches.
  • com.sun.identity.idm.cache.enabled controls the Identity Repository cache. When com.iplanet.am.sdk.caching.enabled is set to false, a value of true enables ONLY the Identity Repository cache; a value of false keeps it disabled.
  • com.sun.identity.sm.cache.enabled controls the Service Management cache. When com.iplanet.am.sdk.caching.enabled is set to false, a value of true enables ONLY the Service Management cache; a value of false keeps it disabled.

com.iplanet.am.sdk.cache.maxSize, also in AMConfig.properties, limits the size of the Identity Repository cache to, by default, 10000 entries. There is no corresponding entry to limit the cache size for the Service Management cache.

When caching is enabled, OpenSSO has three options that can be used to invalidate dirty cache entries. The first is to set up a URL to which the OpenSSO server can send session change notifications for clients on remote web containers. This works for web and standalone applications that can listen for HTTP(S) traffic. The second method (which works ONLY if notification is disabled) is polling: the client periodically checks the OpenSSO server for session changes. The third method is referred to as Time-to-Live (TTL) and enforces a limit on the period of time dirty data remains in the cache before it is discarded. See the following sections for more information.

Configuring for Notification

OpenSSO allows for session notifications to be sent to remote web containers running the OpenSSO Client SDK in order to sync up the client side cache. The notifications apply to information from the Session, Policy and Naming Services. The following properties relate to notification and are configured on the machine in which the Client SDK is installed.

  • com.sun.identity.client.notification.url defines the URL of the Notification Service running on the host machine on which the Client SDK is installed; by default, http://SDK-host.domain:port/opensso/notificationservice. This value is used for both the Service Management and Identity Repository caches. If no URL is specified, notification is disabled.
  • com.sun.identity.idm.remote.notification.enabled is used to enable or disable the notifications for the Identity Repository cache. If set to true notifications are enabled; false disabled. If there is no value defined, it defaults to true.
  • com.sun.identity.sm.notification.enabled is used to enable or disable the notifications for the Service Management cache. If set to true notifications are enabled; false disabled. If there is no value defined, it defaults to true.

There are additional steps you might need to follow to enable notification. These are documented in the OpenSSO Enterprise 8.0 Developer's Guide.

Configuring for Polling

OpenSSO allows the Client SDK to periodically check for changes to information stored in the Service Management and Identity Repository caches. Polling is enabled when notification is disabled, that is, when com.sun.identity.client.notification.url contains no value. The following properties relate to polling and are configured on the machine on which the Client SDK is installed.

  • com.sun.identity.sm.cacheTime is the interval (in minutes) at which the Service Management cache polls for updates.
  • com.iplanet.am.sdk.remote.pollingTime is the interval (in minutes) at which the Identity Repository cache (and the legacy AM SDK classes cache) polls for updates.

Configuring Time-to-Live

The manner in which the entries in the cache are invalidated (the data's time-to-live, as it were) depends on the configuration of the following properties in the configuration data store (by default, embedded) on the machine on which OpenSSO is installed.

  • com.sun.identity.idm.cache.entry.expire.enabled takes a value of true or false which enables or disables respectively the Identity Repository TTL feature.
  • com.sun.identity.idm.cache.entry.default.expire.time specifies the time (in minutes) that non-user Identity Repository cache entries remain valid after their last modification. In other words, after the specified time (by default, one minute) has elapsed (following a modification or directory read), the data for the cached entry will expire and new requests for this data must be read from the directory.
  • com.sun.identity.idm.cache.entry.user.expire.time specifies the time (in minutes) that user Identity Repository cache entries remain valid after their last modification. In other words, after the specified time (by default, one minute) has elapsed (following a modification or directory read), the data for the cached entry will expire and new requests for this data must be read from the directory.
  • com.sun.identity.sm.cache.ttl.enable takes a value of true or false which enables or disables respectively the Service Management TTL feature.
  • com.sun.identity.sm.cache.ttl specifies the time (in minutes) that Service Management cache entries remain valid after their last modification. In other words, after the specified time (by default, 30 minutes) has elapsed (following a modification or directory read), the data for the cached entry will expire and new requests for this data must be read from the directory.
  • NOTE ON LEGACY SUPPORT: To enable TTL for the com.iplanet.am.sdk classes, configure com.iplanet.am.sdk.cache.entry.expire.enabled, com.iplanet.am.sdk.cache.entry.user.expire.time, and com.iplanet.am.sdk.cache.entry.default.expire.time.

Sample Configuration

The following configuration enables caching and updates using the server side TTL properties and the client side Service Management polling.

  1. Enable caching for Service Management and Identity Repository

    • com.iplanet.am.sdk.caching.enabled=false
    • com.sun.identity.idm.cache.enabled=true
    • com.sun.identity.sm.cache.enabled=true
  2. Disable notifications for Service Management and Identity Repository

    • com.sun.identity.idm.remote.notification.enabled=false
    • com.sun.identity.sm.notification.enabled=false
  3. Enable TTL for Service Management, Identity Repository and, if desired, the legacy AM SDK.

    • com.sun.identity.sm.cache.ttl.enable=true
    • com.sun.identity.sm.cache.ttl=30
    • com.sun.identity.idm.cache.entry.expire.enabled=true
    • com.sun.identity.idm.cache.entry.user.expire.time=1
    • com.sun.identity.idm.cache.entry.default.expire.time=1
    • com.iplanet.am.sdk.cache.entry.expire.enabled=true
    • com.iplanet.am.sdk.cache.entry.user.expire.time=1
    • com.iplanet.am.sdk.cache.entry.default.expire.time=1

  4. Enable polling for Service Management and disable polling for Identity Repository

    • com.iplanet.am.sdk.remote.pollingTime=0
    • com.sun.identity.sm.cacheTime=10
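As an added illustration (not code from the post or from OpenSSO), the checker below parses a merged view of the client-side and server-side properties above and derives, per cache, whether it is enabled and which invalidation mechanisms actually apply under the rules in this post: notification needs a URL plus the per-cache flag, polling only runs when no URL is set and the interval is greater than 0, TTL needs its enable flag. The sample text is constructed from the post's own values; treating a missing polling interval as 0 is an assumption of this example.

```python
# Constructed from the post's sample configuration (client + server TTL keys merged).
SAMPLE = """\
com.iplanet.am.sdk.caching.enabled=false
com.sun.identity.idm.cache.enabled=true
com.sun.identity.sm.cache.enabled=true
com.sun.identity.idm.remote.notification.enabled=false
com.sun.identity.sm.notification.enabled=false
com.sun.identity.sm.cache.ttl.enable=true
com.sun.identity.sm.cache.ttl=30
com.sun.identity.idm.cache.entry.expire.enabled=true
com.sun.identity.idm.cache.entry.user.expire.time=1
com.sun.identity.idm.cache.entry.default.expire.time=1
com.iplanet.am.sdk.remote.pollingTime=0
com.sun.identity.sm.cacheTime=10
"""

def parse_properties(text):
    """Minimal key=value parser; '#' and '!' start comments as in Java properties."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def _flag(props, key, default):
    return props.get(key, str(default)).lower() == "true"

def effective_cache_state(props):
    """Return {cache: {"enabled": bool, "invalidation": [...]}} for idm and sm."""
    both = _flag(props, "com.iplanet.am.sdk.caching.enabled", True)
    notify_url = props.get("com.sun.identity.client.notification.url", "")
    spec = {  # cache flag, notification flag, polling interval, TTL flag
        "idm": ("com.sun.identity.idm.cache.enabled", "com.sun.identity.idm.remote.notification.enabled",
                "com.iplanet.am.sdk.remote.pollingTime", "com.sun.identity.idm.cache.entry.expire.enabled"),
        "sm": ("com.sun.identity.sm.cache.enabled", "com.sun.identity.sm.notification.enabled",
               "com.sun.identity.sm.cacheTime", "com.sun.identity.sm.cache.ttl.enable"),
    }
    state = {}
    for name, (cache_key, notif_key, poll_key, ttl_key) in spec.items():
        enabled = both or _flag(props, cache_key, False)
        mechanisms = []
        if notify_url and _flag(props, notif_key, True):   # per-cache flag defaults to true
            mechanisms.append("notification")
        elif not notify_url and int(props.get(poll_key, "0")) > 0:  # URL set => no polling; 0 => off
            mechanisms.append("polling")
        if _flag(props, ttl_key, False):
            mechanisms.append("ttl")
        state[name] = {"enabled": enabled, "invalidation": mechanisms}
    return state

def stale_risk(state):
    """Caches that are enabled yet have no mechanism to discard dirty entries."""
    return sorted(n for n, s in state.items() if s["enabled"] and not s["invalidation"])
```

A cache reported by stale_risk keeps serving stale identity or service data indefinitely, which is the case to catch before deploying a Client SDK host.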

The Enemy

Now check out the old school punk of The Enemy (aka The Enemy UK on this side of the pond) on We'll Live and Die In These Towns.

About

docteger
