Sun Java System Web Server 7.0 Update 3 Performance Tuning, Sizing, and Scaling Guide

Tuning the ACL User Cache

The ACL user cache is active by default. Because of the default size of the cache (200 entries), the ACL user cache can be a bottleneck, or can simply not serve its purpose on a site with heavy traffic. On a busy site, more than 200 users can hit ACL-protected resources in less time than the lifetime of the cache entries. When this situation occurs, Web Server must query the LDAP server more often to validate users, which impacts performance.

This bottleneck can be avoided by increasing the maximum users of the ACL cache on the configuration's Performance tab ⇒ Cache sub tab. You can also set the number of users by setting the max-users property using the command wadm set-acl-cache-prop. Note that increasing the cache size uses more resources; the larger you make the cache, the more RAM you'll need to hold it.

There can also be a potential (but much harder to hit) bottleneck with the number of groups stored in a cache entry (four by default). If a user belongs to five groups and hits five ACLs that check for these different groups within the ACL cache lifetime, an additional cache entry is created to hold the additional group entry. When there are two cache entries, the entry with the original group information is ignored.

While it would be extremely unusual to hit this possible performance problem, the number of groups cached in a single ACL cache entry can be tuned with Maximum Groups setting on the configuration's Performance tab ⇒ Cache sub tab. Or you can use the max-groups-per-user property of the wadm set-acl-cache-prop command.

The maximum age setting of the ACL cache determines the number of seconds before the cache entries expire. Each time an entry in the cache is referenced, its age is calculated and checked against the maximum age setting. The entry is not used if its age is greater than or equal to the maximum age. The default value is 120 seconds. If your LDAP is not likely to change often, use a large number for the maximum age. However, if your LDAP entries change often, use a smaller value. For example, when the value is 120 seconds, the Web Server might be out of sync with the LDAP server for as long as two minutes. Depending on your environment, that might or might not be a problem.