000020830 - Password changes made directly to the ClearTrust datastore may not immediately take effect

Document created by RSA Customer Support Employee on Jun 16, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000020830
Applies To: RSA ClearTrust 5.5
RSA ClearTrust 5.0.1
RSA ClearTrust Authorization Server cache
Issue: User password changes made directly to ClearTrust datastore may not immediately take effect
Cause: The ClearTrust Authorization Server caches data retrieved from the ClearTrust datastore. Changes to data in the ClearTrust data store will appear not to have taken effect until the Authorization Server cache is refreshed. The ClearTrust Entitlements Manager will automatically flush the Authorization Server cache each time a change is saved. The ClearTrust Management API also includes a flushCache() function, or method, that can be called when editing the data store.

If the data store is edited "outside of ClearTrust" by direct access with LDAP or SQL tools, the change may not take effect on the ClearTrust runtime system until the Authorization Server cache is refreshed.
Resolution: The default time-to-live for the cache is 5 minutes, and is controlled by the aserver.conf parameter "cleartrust.aserver.cache.time_to_live". Although it is possible to lower the cache time-to-live, doing so will increase the frequency of data store lookups and may affect Authorization Server performance.

Edits to the ClearTrust data store should only be made through the ClearTrust Entitlements Manager or the Administration API. In situations where this is not appropriate, such as a user auxiliary store where user accounts are managed independently of ClearTrust, a delay in the propagation of updates to the Authorization Server is to be expected.
Legacy Article ID: a19140