000013510 - ClearTrust datastore connections using Nagle's algorithm

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Content

Article Number: 000013510

Applies To: ClearTrust Authorization Server 5.5.3; RSA Access Manager 6.0

Issue

ClearTrust datastore connections using Nagle's algorithm. A customer is experiencing 200 ms socket-level delays on data store connections because ClearTrust's sockets use Nagle's algorithm. The problem is made worse by the data store's use of the TCP "delayed ACK" feature, which can push the delay up to half a second.
Cause

Nagle's algorithm (named after its author, John Nagle, and specified in RFC 896, www.ietf.org/rfc/rfc0896.txt) reduces the number of small packets sent on a network: while a connection has unacknowledged data in flight, further small writes are held back and coalesced until that data is acknowledged or a full-sized segment can be sent. While this is suitable for many environments, it has frequently been observed to inhibit the performance of client and server applications that exchange small request/response messages over a LAN. The algorithm applies to every TCP socket by default, but it can be disabled on a given socket by calling setsockopt() with the TCP_NODELAY option and an option value of 1. It is advisable to make the TCP_NODELAY setting for client and server sockets a configurable application-level parameter; for applications that communicate predominantly over a LAN, the default should be TCP_NODELAY = 1 on both client and server sockets.

A corollary of the Nagle discussion is that it is desirable to write as much data as possible to a socket at once, rather than fragmenting it at the application level and writing it in multiple operations. For example, if there are 3000 bytes of data to send on a socket, it is better to write all 3000 bytes in one operation than to perform three operations of 1000 bytes each. When a larger amount of data is written in one call, TCP/IP can stream it to the recipient more efficiently, usually reducing the overall number of packets and the CPU consumption on both sender and recipient.

Nagle's algorithm interacts badly with TCP delayed acknowledgments, a feature introduced into TCP at roughly the same time in the early 1980s but by a different group. With both enabled, an application that does two successive small writes to a TCP connection and then reads the reply sees a stall of up to 500 milliseconds (the delayed-ACK timeout): the second write is held by Nagle until the first is acknowledged, and the receiver holds that ACK waiting for reply data to piggy-back it on. For this reason, TCP implementations provide applications with an interface to disable Nagle's algorithm, typically the TCP_NODELAY socket option.
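The following is an added example, not code from the article or from RSA ClearTrust, that reproduces the two patterns described above on a loopback connection: the write-write-read request pattern with Nagle's algorithm on and off (via setsockopt/TCP_NODELAY), and the article's 3000-byte request sent as three 1000-byte writes versus one 3000-byte write. The echo server, the 3000-byte request and the port selection are all constructed for the example.

```python
import socket
import threading
import time

# Constructed request: the article's example of 3000 bytes of application data.
REQUEST = b"x" * 3000
REPLY = b"OK"


def serve_one(listener: socket.socket) -> None:
    """Accept one connection, read a full REQUEST, then answer with REPLY.

    The read-then-write order matters: the server sends nothing until the whole
    request has arrived, so its TCP stack has no reply to piggy-back an ACK on
    and falls back to the delayed-ACK timer (the data store side of the
    interaction described in the article).
    """
    conn, _ = listener.accept()
    with conn:
        received = b""
        while len(received) < len(REQUEST):
            chunk = conn.recv(65536)
            if not chunk:          # peer closed early: answer with what we have
                break
            received += chunk
        conn.sendall(REPLY if received == REQUEST else b"ERR")


def set_nodelay(sock: socket.socket, enabled: bool) -> bool:
    """Set TCP_NODELAY (1 disables Nagle) and read the effective value back."""
    sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1 if enabled else 0)
    return bool(sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY))


def timed_exchange(nodelay: bool, writes: list) -> tuple:
    """Send REQUEST as the given sequence of writes, then wait for the reply.

    Returns (reply, elapsed_seconds, nodelay_effective). With nodelay=False and
    more than one write, the write-write-read pattern is exposed to the
    Nagle/delayed-ACK stall; with a single write or nodelay=True it is not.
    """
    assert b"".join(writes) == REQUEST
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))           # ephemeral loopback port
    listener.listen(1)
    server = threading.Thread(target=serve_one, args=(listener,), daemon=True)
    server.start()
    try:
        with socket.create_connection(listener.getsockname()) as client:
            effective = set_nodelay(client, nodelay)
            start = time.perf_counter()
            for piece in writes:
                client.sendall(piece)        # each call is one application-level write
            reply = client.recv(16)
            elapsed = time.perf_counter() - start
    finally:
        server.join(timeout=5)
        listener.close()
    return reply, elapsed, effective


def compare() -> dict:
    """Time the four combinations the article discusses (seconds per request)."""
    three_writes = [REQUEST[i:i + 1000] for i in range(0, len(REQUEST), 1000)]
    one_write = [REQUEST]
    return {
        "nagle_on_three_writes":  timed_exchange(False, three_writes)[1],
        "nagle_on_one_write":     timed_exchange(False, one_write)[1],
        "nagle_off_three_writes": timed_exchange(True, three_writes)[1],
        "nagle_off_one_write":    timed_exchange(True, one_write)[1],
    }


if __name__ == "__main__":
    for name, seconds in compare().items():
        print(f"{name:24s} {seconds * 1000:8.2f} ms")
```

Whether the "nagle_on_three_writes" case actually shows a stall, and how long it is, depends on the host's delayed-ACK implementation (Linux, for instance, uses a shorter minimum timer than the 500 ms ceiling and acknowledges the first segments of a connection immediately); the point of the example is the pattern itself: only the combination of Nagle enabled and a fragmented request is exposed, and either disabling TCP_NODELAY or writing the request in one call removes the exposure.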

Resolution

The TCP_NODELAY option was added in ClearTrust Server hot fix 5.5.3.156. Contact RSA Security Customer Support to request hot fix 5.5.3.156, or request the latest hot fix, which is cumulative: ftp.rsasecurity.com/support/hotfixes/accmgr/servers/5.5.x/ct-server-5.5.3.156.zip. The hot fix adds the following parameter to ldap.conf:

  # This parameter controls the TCP_NODELAY setting for connections between
  # an RSA ClearTrust Server and the data store. Enabling TCP_NODELAY will
  # disable the use of the Nagle algorithm for these connections, and
  # usually results in improved performance. If you know that your
  # particular network environment works better with the delay, then set
  # this value to false.
  #
  # Allowed Values:
  #   true | false
  #
  # Default Value:
  #   true
  #
  # Note:
  #   If your data store response is especially slow (overloaded or
  #   located at a remote site), set this to false.
  #
  #cleartrust.data.ldap.directory.<directory-name>.connection.tcp_nodelay:false

Notes

RSA Access Manager 6.0 was released with this feature already implemented. All Access Manager versions 6.0 and above have this setting in ldap.conf.

At this time the setting applies only to LDAP data stores, not to SQL data stores.

The default for both the ClearTrust hot fix and all versions of RSA Access Manager is TCP_NODELAY = true, i.e. Nagle's algorithm is disabled. Prior to this hot fix, Nagle's algorithm was always in effect on data store connections.

Legacy Article ID: a40947
