Sun OpenSSO Enterprise 8.0 Performance Tuning Guide

Tuning the Policy Cache

Two modes exist for client-side policy configuration: subtree mode and self mode. Based on the client configuration, server-side policy evaluation is done differently.

In subtree mode, all the policies from the root resource are evaluated. The high performance cost of evaluating a large number of policies makes caching necessary. In self mode, only one resource is evaluated. Self mode is fast, and no caching is required, so there is no need to tune the policy cache when all the clients are running in self mode.

Policy cache behavior

The policy cache is a two-level nested cache, with one hash map contained inside the other. The top level cache is the resource cache. The session cache is a second hash map inside the resource cache.

Policy Resource cache

A hash map whose key is the resource or rule name and whose value is the policy session cache (itself a hash map) for that resource.

Policy Session cache

A hash map whose key is the session ID and whose value is a map of policy decision objects. For each new resource, a new session cache hash map is created and stored in the policy resource cache.

Configuring the Policy Cache Limit

You can configure the policy cache by setting properties for both server and client.

Configuring Server-Side Properties

The following two properties do not exist in the OpenSSO Enterprise administration console by default. These properties must be added manually in the advanced properties section of the OpenSSO Enterprise administration console:

com.sun.identity.policy.resultsCacheResourceCap

The default value is 100. This means that a maximum of 100 rules can be cached in subtree mode.

This property should always be equal to the total number of rules configured in the system. Otherwise, when the maximum cache limit is reached for the resource cache and a new rule or resource is accessed, the oldest cached rule and all the sessions cached for that rule are removed. If you have a large number of rules, configure this value to the total number of most frequently accessed rules.

com.sun.identity.policy.resultsCacheSessionCap

The default value is 1000. The total number of policy decision objects is therefore (100 * 1000), or 100,000 maximum.

The ResourceCap should always be tuned. The SessionCap should be tuned only when you observe high latency for policy requests or responses, and you observe repeated policy requests from the same policy agent for the same user. This usually does not occur unless the user session stays active for a very long period. The policies are also cached on the policy agent.

If you increase the ResourceCap value, you should correspondingly reduce the SessionCap value to limit the total number of policy objects cached and to keep the maximum number of sessions supported on the server unchanged. The following table illustrates how the policy cache configuration affects the number of sessions supported. The SDK cache size is set to 10,000 for all of the tests. If the SDK cache is increased, the maximum number of sessions is reduced accordingly.

Table 3–1 Policy Session Cache Configuration and Number of Sessions Supported

Policy Session Cache Configuration                     Maximum Number of Sessions Supported
1000 (100 * 1000 = 100,000 policy decision objects)    200,000
2000 (100 * 2000 = 200,000 policy decision objects)    150,000
3000 (100 * 3000 = 300,000 policy decision objects)    90,000
4000 (100 * 4000 = 400,000 policy decision objects)    40,000
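The two-level cache and the ResourceCap/SessionCap arithmetic described above, as an added Python model (this is illustrative code, not OpenSSO's implementation; the insertion-order eviction, the resource URLs and the session IDs are assumptions made for the example):

```python
from collections import OrderedDict


class PolicyResultsCache:
    """Model of the policy cache: resource/rule name -> {session ID -> decision}.

    resource_cap and session_cap stand in for resultsCacheResourceCap and
    resultsCacheSessionCap. Age is tracked by insertion order (an assumption).
    """

    def __init__(self, resource_cap=100, session_cap=1000):
        self.resource_cap = resource_cap
        self.session_cap = session_cap
        self.resources = OrderedDict()  # the policy resource cache
        self.evicted_resources = []     # rules dropped because the cap was hit

    def put(self, resource, session_id, decision):
        sessions = self.resources.get(resource)
        if sessions is None:
            if len(self.resources) >= self.resource_cap:
                # Resource cap reached and a new rule is accessed: the oldest
                # cached rule and every session decision under it are removed.
                oldest, _ = self.resources.popitem(last=False)
                self.evicted_resources.append(oldest)
            sessions = OrderedDict()    # new policy session cache for this rule
            self.resources[resource] = sessions
        if session_id not in sessions and len(sessions) >= self.session_cap:
            sessions.popitem(last=False)  # session cap reached for this rule
        sessions[session_id] = decision

    def get(self, resource, session_id):
        sessions = self.resources.get(resource)
        return None if sessions is None else sessions.get(session_id)

    def cached_objects(self):
        return sum(len(s) for s in self.resources.values())

    def max_objects(self):
        # Upper bound on policy decision objects, e.g. 100 * 1000 = 100,000.
        return self.resource_cap * self.session_cap


def session_cap_for(resource_cap, max_objects):
    """SessionCap that keeps resource_cap * session_cap at max_objects."""
    return max_objects // resource_cap


def demo():
    # Constructed sample with tiny caps so the eviction is visible.
    cache = PolicyResultsCache(resource_cap=2, session_cap=2)
    cache.put("http://app.example.com/a", "s1", "allow")
    cache.put("http://app.example.com/a", "s2", "deny")
    cache.put("http://app.example.com/b", "s1", "allow")
    cache.put("http://app.example.com/c", "s1", "deny")  # third rule evicts /a
    return cache
```

Raising ResourceCap without lowering SessionCap raises max_objects() and, per the table above, lowers the number of sessions the server can hold.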

Configuring Client-Side Properties

The client-side SDK and policy agent cache properties apply only to Java EE policy agents. The properties do not apply to web agents.

com.sun.identity.policy.client.resultsCacheResourceCap

The default value is 20. This means the Java EE policy agent can cache a maximum of 20 rules or resources.

This property should be set equal to the number of rules configured on the server for the FQDN the agent is protecting. Otherwise, when the maximum cache limit is reached for the resource cache and a new rule or resource is accessed, the oldest cached rule and all the sessions cached for that rule are removed.

com.sun.identity.policy.client.resultsCacheSessionCap

The default value is 10000. This means the Java EE policy agent can cache a maximum of 10000 sessions per rule or resource. This property should be reduced or increased based on the memory available in the container.

The ResourceCap value should always be tuned. Since the policy agents co-exist with the application, you should increase or reduce the SessionCap on the policy agent based on the memory use of the application protected by the policy agent. You can increase the SessionCap value until you no longer observe frequent full GCs.