Credential Caching Cluster Properties

The following cluster properties configure the caching of credentials in the API Gateway.
Refer to "Time Units" under Cluster Properties for a list of the valid time units that you can use for time-related properties.
authCache.failureCacheSize
Number of failed authentications to cache in memory per API Gateway node. When the cache fills up, the least recently used failed authentication is discarded. This value should be a fraction of authCache.successCacheSize, depending on how frequently failed authentications are retried by users, scripts, or attackers. For example, the default value of the failure cache is 10% the size of the default success cache. If you want it to be 15% the size, set this cluster property to '300'. Enter zero to disable caching.
Default: 200
Requires an API Gateway restart for changes to take effect.
authCache.groupMembershipCacheSize
Group membership cache size. Group membership information is cached only for identities that are successfully authenticated. Use the following general rule to determine the membership cache size:
(Groups + Failed_Tests) * Users
Where:
  • Groups = Maximum number of groups that may be active at once.
  • Failed_Tests = Maximum number of failed group membership tests a user may encounter in any policy path.
  • Users = Number of users that may be active at once.
Default: 5000
authCache.maxFailureTime
Maximum time users must wait to use their accounts after a failed authentication, following any of these actions:
  • Account unlocked
  • Account created
  • Account password reset
Default: 30000ms
authCache.maxSuccessTime
Maximum time users must wait to access their account if a password is changed or an account is locked.
Default: 60000ms
authCache.successCacheSize
Number of successful authentications to cache in memory per API Gateway node. When the cache fills up, the least recently used authentication result is discarded. Set this to the maximum number of user sessions that are actively using this cluster (without load balancer node affinity) or just this node (with node affinity).
Default: 2000
principalSessionCache.cacheSize
Maximum number of concurrent users for caching group membership information. Having this information in the cache improves performance. If the number of concurrent users exceeds this cluster property value, there is a slight performance penalty as the API Gateway updates the cache with new group information, replacing group membership information from the least recently used user.
Default: 1000
For optimal performance, adjust this cache size to match the expected number of concurrent users.
principalSessionCache.maxPrincipalGroups
Maximum number of groups to cache for each user.
Example: A setting of '50' downloads the first 50 groups of the user. When a user performs an action in the Policy Manager requiring a permission, the downloaded groups are checked for the appropriate role assignments. If that user belongs to 51 groups and the desired action requires a permission from a role assignment from the 51st group, then the user is denied permission to perform that action, plus any other actions which depend on the permissions contained in the 51st group.
Default: 1000
principalSessionCache.maxTime
Controls how often to check users' group membership for roles and permissions. The default 5 minutes is a reasonable balance between security and performance. A value of 0 is the most secure, which checks a user's group memberships on every action by the user. However, this setting decreases the responsiveness of the Policy Manager (the API Gateway performance is unaffected).
Default: 300000ms
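As an added check (example code, not part of the API Gateway or of this reference), the script below applies the sizing rules above to a proposed set of property values before they are pushed to a cluster. The property names and defaults are those listed above; the operator-supplied inputs (expected concurrent users, largest group count per user, active groups, failed membership tests per policy path) and the warning wording are assumptions.

```python
"""Sanity-check credential-cache cluster properties against the sizing guidance above."""

# Documented defaults (from the reference); unset properties fall back to these.
DEFAULTS = {
    "authCache.failureCacheSize": 200,
    "authCache.successCacheSize": 2000,
    "authCache.groupMembershipCacheSize": 5000,
    "authCache.maxFailureTime": 30000,
    "authCache.maxSuccessTime": 60000,
    "principalSessionCache.cacheSize": 1000,
    "principalSessionCache.maxPrincipalGroups": 1000,
    "principalSessionCache.maxTime": 300000,
}


def group_membership_cache_size(groups, failed_tests, users):
    """General rule from the reference: (Groups + Failed_Tests) * Users."""
    return (groups + failed_tests) * users


def failure_cache_size(success_cache_size, fraction):
    """Failure cache sized as a fraction of the success cache (0.15 of 2000 gives 300)."""
    return int(success_cache_size * fraction)


def check_properties(props, concurrent_users, max_groups_per_user, active_groups, failed_tests):
    """Return a list of warnings where the values fall short of the guidance; empty list means OK.
    concurrent_users / max_groups_per_user / active_groups / failed_tests are operator estimates
    (assumed inputs, not Gateway properties)."""
    p = {**DEFAULTS, **props}
    warnings = []
    success = p["authCache.successCacheSize"]
    failure = p["authCache.failureCacheSize"]
    # Failure cache should be a fraction of the success cache (zero disables it).
    if failure != 0 and failure >= success:
        warnings.append("authCache.failureCacheSize should be a fraction of authCache.successCacheSize")
    # Success cache should hold every active user session, or results are evicted early.
    if success < concurrent_users:
        warnings.append("authCache.successCacheSize is below the number of active user sessions")
    needed = group_membership_cache_size(active_groups, failed_tests, concurrent_users)
    if p["authCache.groupMembershipCacheSize"] < needed:
        warnings.append(f"authCache.groupMembershipCacheSize is below the rule-of-thumb value {needed}")
    if p["principalSessionCache.cacheSize"] < concurrent_users:
        warnings.append("principalSessionCache.cacheSize is below the expected number of concurrent users")
    # Groups beyond maxPrincipalGroups are never downloaded, so their role assignments are ignored.
    if p["principalSessionCache.maxPrincipalGroups"] < max_groups_per_user:
        warnings.append("principalSessionCache.maxPrincipalGroups is smaller than a user's group count; "
                        "permissions granted through later groups will be denied")
    return warnings
```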