Slow Login with CLE and SSPR Integration

  • 7017988
  • 25-Aug-2016
  • 25-Aug-2016

Environment

SSPR 3.3.x
SSPR data stored on LDAP server (default)
CLE 3.9.x
CLE configured with SSPR integration
CLE user at Location A
SSPR server at Site B
LDAP server at Site A

Situation

Logins are much slower after installing CLE
CLE is configured with SSPR integration
Problem occurs whether or not SSPR integration options in CLE include "force user for challenge response enrollment"

Resolution

Configure an SSPR server at the same location as the LDAP server.  Users should be able to access both LDAP and SSPR servers without crossing WAN links. 

Additional Information

With "SSPR Integration" enabled, CLE will contact the SSPR server whenever a user logs in. This is the case regardless of whether or not the option to "force user for challenge response enrollment" has been configured.

With "force user for challenge response enrollment" turned on, CLE will check with the SSPR server to see if (among other things) challenge questions have been answered for the user. But with "force user for challenge response enrollment" turned off, CLE will still contact the SSPR server to get other information, like Password Expiry details. (If the password is going to expire in xx days then CLE will display a password expiry warning message.)

When this information is stored in the directory, SSPR will query the LDAP server for this information. When CLE is installed with SSPR integration, the traffic flow during login looks like this:

CLE on user workstation requests information from SSPR server
SSPR server requests information from LDAP server
LDAP server replies to SSPR server
SSPR server replies to CLE on user workstation

This can be problematic in instances where the LDAP server and the SSPR server are separated by a WAN link.  For example, assume the following:
- CLE users are at Location A
- SSPR server is at Site B
- LDAP server is at Site A

In this case, login traffic will cross the WAN link between Site A and Site B four times during user login, as follows:

CLE at Site A queries ---> SSPR server at Site B queries ---> LDAP server at Site A replies ---> SSPR server at Site B replies ---> User at Site A

Just as it is important for users to have access to local LDAP replica servers, it is also important, and highly recommended, that SSPR servers be placed at each location where users reside.