OpenAM caching mechanism and persistent search

This article intend to share with you about a complex subject, OpenAM caching mechanism and persistent search.

1) OpenAM Caches

OpenAM comes with 2 caches:

• IDRepo Cache
• Service Management Cache

By default, those both active are active, when nothing else has been specified.

2) Flags that allows to tune caches

Tuning is provided using 3 flags:

• com.iplanet.am.sdk.caching.enabled
• com.sun.identity.idm.cache.enabled
• com.sun.identity.sm.cache.enabled

The flag com.iplanet.am.sdk.caching.enabled allow enables global caching for both caches (i.e when set both caches area active)

It is possible to selectively set/unset each of the both caches using:

• com.sun.identity.idm.cache.enabled: used for IdRepo Caching
• com.sun.identity.sm.cache.enabled: Used for Service Management Cache.

3) What is Persistent Search

Persistent Search is defined by the RFC Persistent Search: A Simple LDAP Change Notification Mechanism.

When available, it provides the  following OID supported Control Type 2.16.840.1.113730.3.4.3

4) Persistent Search and Caching

A persistent search is an ldapsearch which remains open even after the initial search results are returned.

Persistent search allows to send asynchronous notification event to the upper layer.

It means for example that when persistent search mechanism is  in place, any update done at directory level will hence propagated at upper level.

In the case of openAM, it means that openAM caches will also get updated with any directory updates, when directory is implementing the psearch mechanism/functionality.

At openAM level, it is necessary to have cache coherency. Hence if the underlying product does not implement persistent search caching, the corresponding cache should be disabled.

Products implementing persistent searches are for example ODSEE,  openDJ, OUD (and others).  But in contrario openLDAP does not implement persistent search.

Below is an example of cache tuning where the data store, does not implement persistent search such as  opendlap

• com.iplanet.am.sdk.caching.enabled=false
• com.sun.identity.sm.cache.enabled=true
• com.sun.identity.idm.cache.enabled=false

Idm cache has been set to false, whereas SM cache (Service Management Cache) is set to true

5) additional pointers

• Managing LDAP Persistent Searches
• Using Persistent Search
• Tune Cache in OpenAM

• À propos
• Articles récents

janua

Specialised in IAM (security, access control, identity management) and Open Source integration, settled in 2004 by IAM industry veteran, JANUA offers high value-added products and services to businesses and governements with a concern for Identity Management and Open Source components.
JANUA provides better security, build relationships, and enable new cloud, mobile, and IoT offerings from any device or connected thing.

Les derniers articles par janua (tout voir)

• New Keycloak online training - 19 janvier 2022
• Sizing Keycloak or Redhat SSO projects - 8 juin 2021
• Keycloak.X Distribution - 28 janvier 2021