Cache Tuning and Asynchronous Update of the Application Data
Cache Tuning and Asynchronous Update of the Application Data
You can enable the use of the cache and asynchronous updates though the User Profile with EAM Console. For more information, see Evidian EAM Console - Guide de l'administrateur.
The following sub-sections give information on how to tune the cache (when enabled) and configure asynchronous updates on your EAM workstations.
Cache and Application Update Mechanism
Cache Mechanism
Subject
Since LDAP directory servers can be unavailable (offline work on a laptop, failure of the servers or network), the SSO engine can create a cache when it works in LDAP storage mode.
The cache is created on the user's workstation upon user authentication. It contains the following data:
- User data:
- Technical definitions of the declared applications: application objects, window types, default PFCP, default Application profile.
- User Accounts.
- User Profile: configured using EAM Console.
- Access Point data:
- Installation mode.
- Target base.
- Authentication type.
- Authentication method.
- Application data:
- Applications.
- Technical definitions.
- Application parameters.
- Application profiles.
- Password format control policies.
- Password change policies.
- Time-slices (only with Controller).
Location
This cache is located in the following registry key: HKLM\Software\Enatel\WiseGuard\Framework\Cache\CacheDir
Offline Work
When servers are unavailable, queries are made on the cache. Queries that modify the cache are recorded so they can be replayed when a server becomes available.
Online Work
The cache is also used to reduce the number of queries between Enterprise SSO and LDAP directory servers. So even if the LDAP directory servers are available, the cache is used and works as a buffer:
- When Enterprise SSO starts or is reset, the cache is synchronized with the server data.
|
|
NOTE:
|
- Once stored in the cache, the data is considered valid for a configurable period of time, and no query is sent to the server during this period (for more details, see Cache and Update Timing Parameters).
- If the data is not found in the cache, or needs to be refreshed, the server is queried.
- All modifications to the data (creation, changes, deletion) are immediately copied to the server (if possible) and in the cache.
Asynchronous Update Mechanism
Subject
The asynchronous update of the application data on the workstations (LDAP storage mode only) avoids the update during the user’s authentication. Thus, the network and the directory are not massively loaded during critical hours (for instance, at 9am) and user’s authentication duration decreases.
Parameters
The registry key values detailed in Cache and Update Timing Parameters allow you to:
- Activate asynchronous update.
- Set a random latency period before the first update, to avoid an overload during the deployment.
- Set time slices, during which workstations are allowed to perform an asynchronous update.
Mechanism
When the workstation is starting up, it checks if application data in the cache is available. Indeed asynchronous update may have been bypassed if the workstation was off for too long or during each defined time-slice.
If data is not up to date:
- If time slices are defined:
- If current time is in time-slice, update is performed.
- If current time is not in time-slice, the update will be performed at next time-slice, by choosing a random time in it.
- If no time slice is defined, update is performed.
At the time of asynchronous update, the directory may be unavailable. In this case update is retried later when the directory is available and according to possible time-slice.
Cache and Update Timing Parameters
Full version Parameters
You can modify the cache and application data update timing parameters by editing values located in the following registry keys:
HKLM\Software\Policies\Enatel\WiseGuard\Framework\CacheHKLM\Software\Enatel\WiseGuard\Framework\Cache
|
|
IMPORTANT: The second key must be set on every computer, while the first key (Policies) can be set with centralized parameters. For more details, see Evidian EAM Installation Guide |
The cache timings can be set with these values:
|
Value |
Default |
Min |
Description | ||
|
|
30 |
1 |
Time in seconds between two LDAP directory connection checks. | ||
|
|
10
|
0
|
Duration of cache data validity. Time in seconds.
| ||
|
|
|
|
Cache directory. | ||
|
|
1
|
|
Cache availability on Access Points: 0: Off. 1: On. | ||
|
|
1
|
|
User cache availability. 0: Off. 1: On+AccessPoint Cache=1 | ||
|
|
|
|
Period (in days) between two updates of the application data on the workstation (for asynchronous update). Note: only applies for applications of the workstation's domain. | ||
|
|
0
|
|
If activated, the workstation chooses a random latency period before updating its application data, between zero and the update period (and during chosen time-slice if defined). 0: Off. non null: On. Note: If multiple workstations are installed simultaneously (and during time-slice if defined), the application data is downloaded from all these workstations. This value avoids an overload during the deployment, and creates an interval between the updates. | ||
|
|
|
|
Starting time (in minutes) of the time-slice during which the update of the application data on the workstation is allowed. | ||
|
|
|
|
Ending time (in minutes) of the time-slice during which the update of the application data on the workstation is allowed. |
|
|
IMPORTANT: If you are using Group Policies (see Evidian EAM Installation Guide), read this: The PerformanceCacheDelay value is overwritten by the Group Policy WGSS => Network cache: PerformanceCacheDelay. If you change the Group Policy, the information is propagated by Microsoft and the delay depends on your servers' topology (server replication time). |
Access Collector Mode Parameters
The following registry keys allow you to configure the asynchronous directory update of collected accounts, for Enterprise SSO used in Access Collector mode:
HKLM\Software\Enatel\WiseGuard\Framework\Cache\
SelfRegistrationUpdatePeriod
Delay (in minutes) between two updates of the collected SSO accounts from the workstation cache into the directory, in an asynchronous way.
If this value is set to 0 or not defined, the update is done automatically each time an account is collected.
HKLM\Software\Enatel\WiseGuard\Framework\Authentication\ CacheSynchroWithAuthIn case of a roaming context (shared workstations, Citrix systems), this option forces a synchronous update of the cache at logon:
- 0: Off.
- ≠ 0: On.
Integrating Care-FX with Enterprise SSO
Integrating Care-FX with Enterprise SSO
Integrating Care-FX with enterprise SSO enables you to authenticate to Care-FX with the Fast User Switching method (FUS) without having to provide any credentials.
Authentication Description
When the FUS method is activated, each time a user logs:
- On: E-SSO is started.
- Out: E-SSO is stopped.
Logging On
- E-SSO starts and sends a logon notification.
- FCC asks E-SSO to retrieve the user identity.
The user identity is retrieved through a COM interface.
|
|
NOTE: This COM interface is self-registering during E-SSO installation. |
Logging Out
When E-SSO stops, it sends a logout notification.
Configuring the Implementation
Activating the FCC Notification
To activate the FCC Notification, execute the following procedure.
Set the two following registry values:
- CareFxIntegration:
- Key: Software\Enatel\SSOWatch\CareFx\CareFxIntegration
- Type: DWORD.
- Value: 0 = no FCC notification. >0 = send FCC notifications.
- fccsyncPath:
- Key: Software\\Enatel\SSOWatch\CareFx\fccsyncPath
- Type: String.
- Value: complete path to fccsync.
|
|
NOTE: Both registry values can be set through policies. |
Integrating the COM Interface
To integrate the COM interface with FCC Notification, execute the following procedure.
Add the following registry key:
- Key: Software\CareFx\SSO interface\SSOImplementation
- Type: String.
- Value: CfxQEIntf.SSOQuest.
|
|
IMPORTANT: After E-SSO installation, you must obtain the following registry value: HKEY_CLASSES_ROOT\CfxQEIntf.SSOQuest. |