000025234 - How to add a protected resource in RSA ClearTrust

Document created by RSA Customer Support Employee on Jun 16, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000025234
Applies To: RSA ClearTrust 5.5.3 Authorization Server (AServer)
RSA ClearTrust 5.5.3 Entitlements Server (EServer)
Issue: How to add a protected resource in RSA ClearTrust
Authorization server cache not updated when resource added in RSA ClearTrust
A resource in the entitlements repository is not being protected
Cause: In the RSA ClearTrust Entitlements server, cleartrust.eserver.runtime.granular_updates is set to false
In the RSA ClearTrust Entitlements server, cleartrust.eserver.runtime.granular_updates is set to true, but the authorization server is under high load and hasn't yet processed the entitlements server's request to poison the cache for that resource
Resolution: The cache in the RSA ClearTrust Authorization server loads a list of protected URLs at startup and again following a manual cache flush. When an entry for a resource in the list has gone stale by exceeding the configured time-to-live, the Authorization server checks the status of that resource in the entitlements repository the next time it receives a request for that URL. If the resource is no longer protected, the URL is removed from the list of protected resources. Thus, even if granular_updates is false, or the update is delayed or fails altogether, a resource that changes from protected to unprotected will be updated after the configured cache time-to-live.

The reverse is not true: for performance reasons, unprotected resources are never checked against the entitlements repository, only against the list of protected resources in cache. To update the cache with a newly protected URL, either selective cache poisoning must be done with the entitlements server's granular_updates mechanism, or a full manual cache flush must be triggered in the Entitlements Manager or by the Runtime API.

If cleartrust.eserver.runtime.granular_updates is set to false or is set to true but the resource is still unprotected, trigger a manual cache flush in the Entitlements Manager ("Clear Cache" under the Options link). Restarting the Authorization server will have the same effect.
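
The asymmetry described in the Resolution, as a simplified model added here for illustration. This is not RSA ClearTrust code: the class and method names, the 60-second TTL and the URLs are assumptions constructed for the example.

```python
class Repository:
    """Stands in for the entitlements repository (the source of truth)."""
    def __init__(self, protected=()):
        self.protected = set(protected)


class AuthzCache:
    """Model of the Authorization server's cached list of protected URLs."""
    def __init__(self, repo, ttl):
        self.repo, self.ttl = repo, ttl
        self.entries = {}              # url -> time the entry was loaded
        self.flush(now=0)              # the list is loaded at startup

    def flush(self, now):
        # Startup, manual "Clear Cache", or restart: reload the full list.
        self.entries = {url: now for url in self.repo.protected}

    def poison(self, url, now):
        # Granular update: re-read one resource from the repository.
        if url in self.repo.protected:
            self.entries[url] = now
        else:
            self.entries.pop(url, None)

    def is_protected(self, url, now):
        loaded = self.entries.get(url)
        if loaded is None:
            return False               # not in the list: repository never consulted
        if now - loaded > self.ttl:
            self.poison(url, now)      # stale entry: re-check the repository
        return url in self.entries


def scenario():
    repo = Repository(protected={"/app/old"})
    cache = AuthzCache(repo, ttl=60)
    repo.protected.discard("/app/old")  # protected -> unprotected
    repo.protected.add("/app/new")      # newly protected, no granular update arrives
    results = {
        "old_before_ttl": cache.is_protected("/app/old", now=30),
        "old_after_ttl": cache.is_protected("/app/old", now=61),
        "new_after_ttl": cache.is_protected("/app/new", now=3600),
    }
    cache.flush(now=3601)               # manual cache flush
    results["new_after_flush"] = cache.is_protected("/app/new", now=3602)
    return results
```

In this model the removed protection is picked up once the entry's TTL lapses, while the newly protected URL stays open however long the cache runs, until a flush or a granular update reaches it.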
Workaround: The resource was added, and the RSA ClearTrust Authorization server has not had its cache flushed, nor has it been restarted
Legacy Article ID: a25680
