Heavy CPU usage on Advanced Authentication servers

  • 7025126
  • 01-Jun-2021
  • 28-Jun-2021

Environment

NetIQ Advanced Authentication 6.x

Situation

Advanced Authentication Web Servers experience heavy CPU usage. The top command shows the java process consuming 99% of CPU. After a reboot the CPU usage drops, but it increases incrementally again over the following few days.

Resolution

Avoid using the HTTP-Redirect method and instead use HTTP-POST for the SAML2 Binding. This can be achieved in one of two ways:

1. Configure the third-party Service Provider to use the HTTP-POST Binding on that end.

2. Alter the AAF/OSP metadata by removing the <SingleSignOnService> and <SingleLogoutService> entries for HTTP-Redirect before it is supplied to the Service Provider. This tells the Service Provider that consumes the metadata that Redirect isn't supported, so it will be forced to use HTTP-POST.
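
One way to carry out option 2 with a script, shown as an added example that is not part of the original article or the product: it removes the HTTP-Redirect <SingleSignOnService> and <SingleLogoutService> entries, warns if the metadata is signed (an edited document no longer verifies), and warns if no HTTP-POST endpoint is left. The function name, entityID and URLs are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
BINDINGS = "urn:oasis:names:tc:SAML:2.0:bindings:"
REDIRECT, POST = BINDINGS + "HTTP-Redirect", BINDINGS + "HTTP-POST"
SERVICES = ("SingleSignOnService", "SingleLogoutService")

# Constructed sample metadata: entityID and Location values are placeholders.
SAMPLE = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="https://aaf.example.test/osp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="{REDIRECT}" Location="https://aaf.example.test/osp/slo"/>
    <md:SingleLogoutService Binding="{POST}" Location="https://aaf.example.test/osp/slo"/>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://aaf.example.test/osp/sso"/>
    <md:SingleSignOnService Binding="{POST}" Location="https://aaf.example.test/osp/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def strip_redirect(xml_text):
    """Remove HTTP-Redirect SSO/SLO endpoints; return (xml, removed, warnings)."""
    ET.register_namespace("md", MD)
    ET.register_namespace("ds", DS)
    root = ET.fromstring(xml_text)
    removed, warnings = 0, []
    # A signed document no longer verifies once it has been edited.
    if root.find(f".//{{{DS}}}Signature") is not None:
        warnings.append("metadata is signed: editing invalidates the signature")
    for parent in list(root.iter()):
        for name in SERVICES:
            endpoints = parent.findall(f"{{{MD}}}{name}")
            redirect = [e for e in endpoints if e.get("Binding") == REDIRECT]
            if not redirect:
                continue
            for e in redirect:
                parent.remove(e)
            removed += len(redirect)
            # The Service Provider needs an HTTP-POST endpoint to fall back to.
            if not any(e.get("Binding") == POST for e in endpoints):
                warnings.append(f"no HTTP-POST {name} remains")
    return ET.tostring(root, encoding="unicode"), removed, warnings


if __name__ == "__main__":
    new_xml, removed, warnings = strip_redirect(SAMPLE)
    print(new_xml)
    print(f"removed {removed} endpoint(s); warnings: {warnings or 'none'}")
```

Review any warnings before handing the edited metadata to the Service Provider.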

Cause

Use of the SAML 2.0 events may cause this condition.

The third-party Service Provider sends a SAML request via the HTTP-Redirect method. AAF/OSP needs to "Inflate" the message before it can be processed.

For some reason, the threads started to perform the Inflate are never released, which causes the heavy CPU usage over time. The issue seems to be in the underlying Java library.