Content caching

Edit online

WebSEAL can cache static web contents to increase the response time of a transaction. You must understand the key concepts, configuration variables, and conditions that affect content caching and the impact of HTTP headers. You can flush all caches and set cache control for specific documents.

Key caching concepts

Users can often experience extended times for network access and file download due to poor web document retrieval performance. Poor performance can occur because the WebSEAL server is waiting for documents that are retrieved from junctioned back-end servers.

Caching web content gives you the flexibility of serving documents locally from WebSEAL rather than from a back-end server across a junction. With the content caching feature, you can store commonly accessed web document types in the WebSEAL server memory. Clients can experience much faster response to follow up requests for documents that were cached in the WebSEAL server.

Cached content can include static text documents and graphic images. Dynamically generated documents, such as database query results, cannot be cached.

Caching is based on MIME type. When you configure WebSEAL for content caching, identify the following settings:

  • Document MIME type
  • Type of storage medium
  • Size of storage medium
  • Maximum age if expiry information is missing from the original response

Configuration of content caching

You configure content caching in the [content-cache] stanza of the WebSEAL configuration file. The following syntax applies:
<mime-type> = <cache-type>:<cache-size>
Variable Description
mime-type Represents any valid MIME type conveyed in an HTTP Content-Type: response header. This value can contain an asterisk (*). A value of */* represents a default object cache that holds any object that does not correspond to an explicitly configured cache.
Note: The asterisk is a wildcard only for a MIME-type directory and its contents. The asterisk is not a wildcard for regular expression matching.
cache-type Specifies the type of storage medium to use for the cache. This release of Verify Identity Access supports only "memory" caches.
cache-size Specifies the maximum size in KB that the specified cache can grow before objects are removed according to a Least Recently Used algorithm.
def-max-age Specifies the maximum age (in seconds) if expiry information is missing from the original response. If no value is provided, a default maximum age of 3600 (1 hour) is applied.

Conditions affecting content caching configuration

The content caching mechanism observes the following conditions:

  • Content caching occurs only when a cache is defined in the WebSEAL configuration file.
  • By default, no content caches are defined at installation.
  • If you do not specify a default content cache, documents that do not match any explicit cache are not cached.
  • Authorization is still performed on all requests for cached information.
  • The content caching mechanism does not cache responses to requests that contain query strings.
  • The content caching mechanism does not cache responses to requests over junctions that are configured with the –c and –C options.

Impact of HTTP headers on WebSEAL content caching

The following table describes how specific
  • HTTP Request headers from the client affect whether WebSEAL uses the cache to produce the requested resource or send the request to the destination server.
  • HTTP Response headers from the junction affect whether WebSEAL allows caching of the resource,
Note: WebSEAL does not process <meta> tags with http-equiv attributes for Response headers.
Response Header Impact of HTTP Response headers in the request Impact of HTTP Request Headers in the request
Accept-encoding Not applicable Allows the response to come from the cache if the value matches the cached encoding type.
Age Calculates whether data in the cache is fresh enough to use. Not applicable
Authorization Not applicable If the document-cache-control=public POP value is not set, stops the response from the cache unless the junction has the -b filter set. See Cache control for specific documents.
Age Calculates whether data in the cache is fresh enough to use. Not applicable
Cache-control
  • The no-cache, no-store, or private values stop the resource from being stored in the content cache.
  • The public value stores the resource in the content cache even if user-identifying data is passed to the junction.
  • The no-cache stops the response from the cache.
  • The no-store value stops the response from the cache and being stored in the cache.
  • The max-age, max-stale, or min-fresh values determine whether the cache is used for the response.
Content-range Stops the resource from being stored in the content cache. Not applicable
Date
Note: If the value of Date is greater than the value of Expires, the resource is not stored in the cache, which complies with HTTP/1.0 specification.
Calculates whether data in the cache is fresh enough to use. Not applicable
Expires
  • Stores the resource in the content cache even if user-identifying data is passed to the junction.
  • Calculates whether data in the cache is fresh enough to use.
 Not applicable
Last date Calculates whether data in the cache is fresh enough to use. Not applicable
Pragma The non-cache value stops the resource from being stored in the content cache. The non-cache value stops the response from the cache.
Range Not applicable Stops the response from the cache and the response from being stored in the cache.
Transfer-encoding WebSEAL strips the TE: header from the request sent to the junction, so it does not expect a Transfer-Encoding: header to be sent back. However, if a Transfer-Encoding: header is sent back, WebSEAL stops the resource from being stored in the content cache. Not applicable
Vary Stops the resource from being stored in the content cache. Not applicable

Impact of other conditions on WebSEAL content caching

Other conditions affect WebSEAL content caching.

  • WebSEAL does not cache content if the response from the junction does not have the status 200 OK.
  • WebSEAL does not cache content if the request URL contains a query string.
  • WebSEAL flushes a cache entry if a PUT, POST, or DELETEis used in the URL.
  • WebSEAL returns only values from the cache for HEAD and GET requests.
  • WebSEAL does not cache the response from junctions toHEAD requests.
  • WebSEAL does not cache the response if the junction has -b gso, -b supply, C, or -cset, unless one of the following conditions exists:
    • There is a POP on the object with value document-cache-control=public. See Cache control for specific documents.
    • The response has an Expires: header.
    • The response has Cache-Control: public set.
  • WebSEAL does not cache the response if there is a POP on the object with the value document-cache-control=no-cache. See Cache control for specific documents.
  • You cannot override the calculations that are based on date headers (Date, Age, Last-modified, Expires, and the related Cache-control header values.
  • You cannot override all other headers.

Flushing all caches

You can use the pdadmin utility to flush all configured content caches. You cannot flush individual caches with pdadmin.

Note: You must log in to the secure domain as the Verify Identity Access administrator sec_master before you can use pdadmin.

To flush all content caches, use the following pdadmin command:

pdadmin> server task instance_name-webseald-host_name cache flush all

Cache control for specific documents

You can control caching for specific documents by attaching a special protected object policy (POP) to those objects. This POP must contain an extended attribute called document-cache-control.

The document-cache-control extended attribute recognizes the following two values:

Value Description
no-cache The no-cache value instructs WebSEAL not to cache this document. All children of the object with the POP also inherit the POP conditions.
public The public value allows WebSEAL to cache the document by ignoring the fact that the junction was created with a –c or –C option. In addition, this value also allows caching of this document when the request is sent with an authorization header (such as Basic Authentication). This condition also includes a request where WebSEAL inserts BA information on behalf of the client (such as with GSO or –b supply junctions). Normally, proxy servers do not cache the response documents to requests that include authorization headers.

Use the pdadmin pop create, pdadmin pop modify, and pdadmin pop attach commands to set a POP on a protected object.

The following example illustrates creating a POP called "doc-cache" (with the document-cache-control extended attribute) and attaching it to an object (budget.html):

pdadmin> pop create doc-cache
pdadmin> pop modify doc-cache set attribute document-cache-control no-cache
pdadmin> pop attach /WebSEAL/hostA/junction/budget.html doc-cache

The budget.html document is never cached by WebSEAL. Each request for this document must be made directly to the back-end server where it is located.

Details about the pdadmin command-line utility can be found in the Command Reference topics in the IBM® Knowledge Center.