Question

I'm using IBM's Tivoli Security Policy Manager with a custom PIP (implementing com.ibm.tscc.rtss.authz.api.IExternalFinder). I can see my PIP from the TIP console, and I'm able to configure it to provide values for parameters in my policies. However, when those policies are evaluated as a result of an authorization request, my PIP is only asked to provide a value every couple of minutes or so. The old value is used in the meantime.

To demonstrate this, my PIP has an internal state consisting of an int counter which is increased by one on calls to the get*Attributes methods. The single String type (environment) attribute produced by my PIP indicates "even" or "odd" depending on the value of counter % 2. I was expecting that the user was granted access every other attempt, but this is not what happens if requests are sent too soon after each other.

Is there a way to force TSPM not to cache results from my PIP? Where is this configured in TSPM or WebSphere?


Solution

There is no caching for PIPs in the current release of TSPM... only request / response caching. It definitely sounds like this is what's happening - the default timeout is indeed 120 seconds. Please revert all your configuration changes to default: don't set anything for commonauthz.home - it's a red herring; and revert your config.xml changes to default.

The correct place to disable request / response caching is in the file <PROFILE_HOME>/config/<CELL>/rtss/security-services.xmi. Add or edit this section:

<components name="Authz">
  <subComponents name="AuthzServices">
    <items name="CommonAuthz">
      <properties>
        <values name="com.ibm.sec.authz.xacml.runtime.DisableCaching" value="true" type="java.lang.String"/>
      </properties>
    </items>
  </subComponents>
</components>

Then restart RTSS.

I wouldn't recommend this in a production environment though.
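
A simplified model of the behaviour described in the answer, added here as an illustration and not TSPM or RTSS code: a request/response cache with the 120-second default timeout sitting in front of the question's even/odd PIP. The class and function names, the cache key and the sample timestamps are assumptions made for this example.

```python
class CounterPIP:
    """Stand-in for the question's PIP: reports 'odd'/'even' from a call counter."""

    def __init__(self):
        self.calls = 0

    def get_attribute(self):
        self.calls += 1
        return "even" if self.calls % 2 == 0 else "odd"


class DecisionPoint:
    """Toy decision point with a request/response cache (assumed design)."""

    def __init__(self, pip, ttl=120.0, disable_caching=False):
        self.pip = pip
        self.ttl = ttl                      # 120 s default named in the answer
        self.disable_caching = disable_caching
        self._cache = {}                    # request -> (decision, expiry)

    def authorize(self, request, now):
        if not self.disable_caching:
            hit = self._cache.get(request)
            if hit is not None and now < hit[1]:
                return hit[0]               # cache hit: the PIP is not consulted
        decision = "Permit" if self.pip.get_attribute() == "even" else "Deny"
        if not self.disable_caching:
            self._cache[request] = (decision, now + self.ttl)
        return decision


def replay(disable_caching, times, request=("alice", "read", "/doc")):
    """Send the same request at each timestamp; return decisions and PIP calls."""
    pip = CounterPIP()
    pdp = DecisionPoint(pip, disable_caching=disable_caching)
    return [pdp.authorize(request, t) for t in times], pip.calls


# Constructed timestamps (seconds) for one identical request sent repeatedly.
TIMES = [0, 10, 60, 119, 120, 130, 250]

if __name__ == "__main__":
    for flag in (False, True):
        decisions, calls = replay(flag, TIMES)
        print(f"DisableCaching={flag}: PIP calls={calls} decisions={decisions}")
```

With caching on, a decision can be up to one timeout old, so a change in the attribute the PIP returns is not reflected for identical requests until the cached entry expires.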

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow