000021473 - Does Sun JVM  and hence RSA ClearTrust Authorization Server  cache namelookup?

Document created by RSA Customer Support Employee on Jun 16, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000021473
Applies ToRSA ClearTrust 5.5.2 Authorization Server (AServer)
RSA ClearTrust 5.0.1 Authorization Server (AServer)
RSA ClearTrust Agent 3.5 for Apache 2.0
RSA ClearTrust Agent (cleartrust.agent.auth_resource_list) and Authorization Server (cleartrust.aserver.nt_domain_controllers) configured to use NT authentication
IssueDoes Sun JVM, and hence RSA ClearTrust Authorization Server, cache namelookup?

Aserver log shows multiple errors indicating the LDAP server is unavailable.

sequence_number=291102,2007-06-16 07:25:38:440 EDT,Event Type = Data store,Description = Failed to obtain connection from myldap.com:636 after 3 attempts.

CauseYes, Sun JVM, and hence RSA ClearTrust Authorization Server, cache IP addresses for DNS namelookup. The JVM included with ClearTrust is by default configured to cache the namelookup indefinitely (forever). Unless the ClearTrust Authorization Server is restarted, it may be unable to communicate with PDC (Primary Domain Controller) and BDC (Backup Domain Controller) on new IP addresses.
ResolutionJava-level namelookup caching policy can be configured in <ClearTrust-install-dir>/jre/lib/security/java.security by appropriately setting "networkaddress.cache.ttl". This parameter can be configured to not cache namelookup or to cache it for only a certain number of seconds.

By default, the parameter "networkaddress.cache.ttl" in java.security is commented out to cache namelookup forever. It can be uncommented and set to a non-negative number to not cache (set to 0) or to cache for a few seconds (set to a positive number). The ClearTrust Authorization Server must be restarted to affect this change.NOTE: Setting "networkaddress.cache.ttl" to anything other than the default value (of cache forever) can have serious security implications. Do not set it unless you are sure you are not exposed to DNS spoofing attack. For more details, see comments in the file <ClearTrust-install-dir>/jre/lib/security/java.security, and/or online at http://java.sun.com/j2se/1.4.2/docs/guide/net/properties.html.
NotesIn addition to the caching done by the jvm, the Operating System may be caching the results of a name lookup. If this is the case then when the jvm does not have the result in cache it will retrieve from the OS and still find a cached value.
In particular on Solaris and Linux, look for the file /etc/nscd.conf to see if caching is enabled:
positive-time-to-live   hosts           3600
negative-time-to-live   hosts           5

enable-cache            hosts           no
If enable-cache is yes, then the ttl for successful resolution (positive-time-to-live) and failed resolution (negative-time-to-live) will apply to any host lookup.
Legacy Article IDa23196

Attachments

    Outcomes