Credential Caching Cluster Properties
The following cluster properties configure the caching of credentials in the API Gateway.
Number of failed authentications to cache in memory per API Gateway node. When the cache fills up, the least recently used failed authentication is discarded. This value should be a fraction of authCache.successCacheSize, depending on how frequently failed authentications are retried by users, scripts, or attackers. For example, the default size of the failure cache is 10% of the default success cache. If you want it to be 15% of that size, set this cluster property to '300' (15% of the default success cache size of 2000). Enter zero to disable caching.
Requires an API Gateway restart for changes to take effect.
Group membership cache size. Group membership information is cached only for identities that are successfully authenticated. Use the following general rule to determine the membership cache size:
(Groups + Failed_Tests) * Users
Maximum time users must wait to use their accounts after these failed authentication actions:
Maximum time users must wait to access their account after a password is changed or the account is locked.
Number of successful authentications to cache in memory per API Gateway node. When the cache fills up, the least recently used authentication result is discarded. Set this to the maximum number of user sessions that are actively using this cluster (without load balancer node affinity) or just this node (with node affinity).
Maximum number of concurrent users for which group membership information is cached. Having this information in the cache improves performance. If the number of concurrent users exceeds this cluster property value, there is a slight performance penalty as the API Gateway updates the cache with new group information, replacing the group membership information of the least recently used user.
For optimal performance, adjust this cache size to match the expected number of concurrent users.
Maximum number of groups to cache for each user.
Example: A setting of '50' downloads the first 50 groups of the user. When a user performs an action in the Policy Manager requiring a permission, only the downloaded groups are checked for the appropriate role assignments. If that user belongs to 51 groups and the desired action requires a permission from a role assigned to the 51st group, the user is denied permission to perform that action, plus any other action that depends on permissions granted through the 51st group.
Controls how often to re-check users' group membership for roles and permissions. The default of 5 minutes is a reasonable balance between security and performance. A value of 0 is the most secure: group memberships are re-read on every action by the user, so a membership revoked at the identity provider stops granting permissions immediately rather than at the next refresh. However, this setting decreases the responsiveness of the Policy Manager (API Gateway runtime performance is unaffected).
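The per-user group cap and the refresh interval described above interact in ways that are easy to misjudge, so the following is an added toy model of the group-membership cache (constructed example code, not Layer7 or API Gateway code). It assumes a hypothetical identity-provider lookup that returns a user's groups in a fixed order, a bounded LRU of users, a cap on groups cached per user, and a refresh interval in seconds; `GroupCache`, `is_permitted` and the demo users and groups are all invented here. It shows the three behaviours the properties above describe: a user in 51 groups being denied a permission held only through the 51st when the cap is 50, a revoked membership remaining effective until the refresh interval elapses (and being dropped immediately when the interval is 0), and the least recently used user being evicted and re-fetched when the user cache is full.

```python
"""Toy model of a bounded, periodically refreshed group-membership cache.

Constructed example, not API Gateway code. It exists to demonstrate the
consequences of three settings: the maximum number of cached users (LRU
eviction), the maximum number of groups cached per user (silent truncation),
and the refresh interval (how long a revoked membership stays effective).
"""
from collections import OrderedDict


class GroupCache:
    def __init__(self, lookup, max_users, max_groups_per_user, refresh_interval):
        # lookup: callable(user) -> list of group names in the order the
        # (hypothetical) identity provider returns them.
        self._lookup = lookup
        self._max_users = max_users
        self._max_groups = max_groups_per_user
        self._refresh = refresh_interval  # seconds; 0 means re-read every time
        self._entries = OrderedDict()     # user -> (fetched_at, frozenset(groups))
        self.lookups = 0                  # number of trips to the identity provider

    def groups_for(self, user, now):
        entry = self._entries.get(user)
        stale = (entry is None or self._refresh == 0
                 or now - entry[0] >= self._refresh)
        if stale:
            # Only the first max_groups groups are kept: anything beyond the
            # cap is invisible to later permission checks.
            groups = frozenset(self._lookup(user)[: self._max_groups])
            self.lookups += 1
            self._entries[user] = (now, groups)
            if len(self._entries) > self._max_users:
                self._entries.popitem(last=False)  # evict least recently used user
        else:
            groups = entry[1]
        self._entries.move_to_end(user)  # mark as most recently used
        return groups


def is_permitted(cache, role_groups, user, permission, now):
    # role_groups: {group_name: set_of_permissions} (constructed role model)
    return any(permission in role_groups.get(g, ())
               for g in cache.groups_for(user, now))


def demo_truncated_groups():
    """alice is in 51 groups; 'publish' is granted only via the 51st."""
    groups = [f"group{i:02d}" for i in range(1, 52)]  # group01 .. group51
    idp = {"alice": groups}
    roles = {"group51": {"publish"}}
    capped = GroupCache(lambda u: idp[u], 10, 50, 300)
    uncapped = GroupCache(lambda u: idp[u], 10, 51, 300)
    denied_at_50 = not is_permitted(capped, roles, "alice", "publish", now=0)
    allowed_at_51 = is_permitted(uncapped, roles, "alice", "publish", now=0)
    return denied_at_50, allowed_at_51


def demo_refresh_interval():
    """bob loses 'admins' at the IdP; how long does 'delete' keep working?"""
    idp = {"bob": ["admins"]}
    roles = {"admins": {"delete"}}
    results = {}
    for interval in (300, 0):
        idp["bob"] = ["admins"]
        cache = GroupCache(lambda u: idp[u], 10, 50, interval)
        before = is_permitted(cache, roles, "bob", "delete", now=0)
        idp["bob"] = []  # membership revoked at the identity provider
        at_60 = is_permitted(cache, roles, "bob", "delete", now=60)
        at_300 = is_permitted(cache, roles, "bob", "delete", now=300)
        results[interval] = (before, at_60, at_300)
    return results


def demo_lru_eviction():
    """Two-user cache, three users: the first is evicted and re-fetched."""
    idp = {"u1": ["g"], "u2": ["g"], "u3": ["g"]}
    cache = GroupCache(lambda u: idp[u], 2, 50, 300)
    for user in ("u1", "u2", "u3"):
        cache.groups_for(user, now=0)
    cache.groups_for("u1", now=1)  # u1 was evicted, so this costs another lookup
    return cache.lookups


if __name__ == "__main__":
    print(demo_truncated_groups())   # (True, True)
    print(demo_refresh_interval())   # {300: (True, True, False), 0: (True, False, False)}
    print(demo_lru_eviction())       # 4
```

With a 300-second interval the revoked 'admins' membership still authorises 'delete' at t=60 and only disappears at t=300; with an interval of 0 it is gone on the very next action, at the cost of one identity-provider lookup per action, which is the responsiveness trade-off the refresh property describes.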