Content caching

WebSEAL can cache static web contents to increase the response time of a transaction. We can flush all caches and set cache control for specific documents.

Users can often experience extended times for network access and file download due to poor web document retrieval performance. Poor performance can occur because the WebSEAL server is waiting for documents that are retrieved from junctioned back-end servers. Caching web content gives us the flexibility of serving documents locally from WebSEAL rather than from a back-end server across a junction. With the content caching feature, we can store commonly accessed web document types in the WebSEAL server memory. Clients can experience much faster response to follow up requests for documents that were cached in the WebSEAL server. Cached content can include static text documents and graphic images. Dynamically generated documents, such as database query results, cannot be cached.

Caching is based on MIME type. When configuring WebSEAL for content caching, identify the following settings:

• Document MIME type

• Type of storage medium
• Size of storage medium
• Maximum age if expiry information is missing from the original response

Configuration of content caching

To configure content caching in the [content-cache] stanza of the WebSEAL configuration file.

<mime-type> = <cache-type>:<cache-size>

Variable	Description
mime-type	Represents any valid MIME type conveyed in an HTTP Content-Type: response header. This value can contain an asterisk (*). A value of */* represents a default object cache that holds any object that does not correspond to an explicitly configured cache. The asterisk is a wildcard only for a MIME-type directory and its contents. The asterisk is not a wildcard for regular expression matching.
cache-type	Type of storage medium to use for the cache. This release of ISAM supports only "memory" caches.
cache-size	Maximum size in KB the specified cache can grow before objects are removed according to a Least Recently Used algorithm.
def-max-age	Maximum age (in seconds) if expiry information is missing from the original response. If no value is provided, a default maximum age of 3600 (1 hour) is applied.

Conditions

• Content caching occurs only when a cache is defined in the WebSEAL configuration file.
• By default, no content caches are defined at installation.
• If we do not specify a default content cache, documents that do not match any explicit cache are not cached.
• Authorization is still performed on all requests for cached information.
• The content caching mechanism does not cache responses to requests containing query strings.
• The content caching mechanism does not cache responses to requests over junctions configured with the -c and -C options.

HTTP headers types

For client request headers, WebSEAL will either produce the requested resource or send the request to the destination server. WebSEAL does not process <meta> tags with http-equiv attributes for response headers.

Response header	Response headers in the request	Request headers in the request
Accept-encoding	Not applicable	Allows the response to come from the cache if the value matches the cached encoding type.
Age	Calculate whether data in the cache is fresh enough to use.	Not applicable
Authorization	Not applicable	If the document-cache-control=public POP value is not set, stops the response from the cache unless the junction has the -b filter set. See Cache control for specific documents.
Age	Calculate whether data in the cache is fresh enough to use.	Not applicable
Cache-control	The no-cache, no-store, or private values stop the resource from being stored in the content cache. The public value stores the resource in the content cache even if user-identifying data is passed to the junction.	The no-cache stops the response from the cache. The no-store value stops the response from the cache and being stored in the cache. The max-age, max-stale, or min-fresh values determine whether the cache is used for the response.
Content-range	Stops the resource from being stored in the content cache.	Not applicable
Date If the value of Date is greater than the value of Expires, the resource is not stored in the cache, which complies with HTTP/1.0 specification.	Calculate whether data in the cache is fresh enough to use.	Not applicable
Expires	Stores the resource in the content cache even if user-identifying data is passed to the junction. Calculate whether data in the cache is fresh enough to use.	Not applicable
Last date	Calculates shether data in the cache is fresh enough to use.	Not applicable
Pragma	The non-cache value stops the resource from being stored in the content cache.	The non-cache value stops the response from the cache.
Range	Not applicable	Stop the response from the cache and the response from being stored in the cache.
Transfer-encoding	Strip the TE: header from the request sent to the junction, so it does not expect a Transfer-Encoding: header to be sent back. However, if a Transfer-Encoding: header is sent back, WebSEAL stops the resource from being stored in the content cache.	Not applicable
Vary	Stops the resource from being stored in the content cache.	Not applicable

Impact of other conditions on WebSEAL content caching

Other conditions affect WebSEAL content caching.

• WebSEAL does not cache content if the response from the junction does not have the status 200 OK.
• WebSEAL does not cache content if the request URL contains a query string.
• WebSEAL flushes a cache entry if a PUT, POST, or DELETEis used in the URL.
• WebSEAL returns only values from the cache for HEAD and GET requests.
• WebSEAL does not cache the response from junctions toHEAD requests.
• WebSEAL does not cache the response if the junction has -b gso, -b supply, C, or -cset, unless one of the following conditions exists:
  • There is a POP on the object with value document-cache-control=public. See Cache control for specific documents.
  • The response has an Expires: header.
  • The response has Cache-Control: public set.
• WebSEAL does not cache the response if there is a POP on the object with the value document-cache-control=no-cache. See Cache control for specific documents.
• We cannot override the calculations based on date headers (Date, Age, Last-modified, Expires, and the related Cache-control header values.
• We cannot override all other headers.

Flushing all caches

We can use the pdadmin utility to flush all configured content caches. We cannot flush individual caches with pdadmin. We must log in to the secure domain as the ISAM administrator sec_master before we can use pdadmin.

To flush all content caches:

pdadmin> server task instance-webseald-host cache flush all

Cache control for specific documents

We can control caching for specific documents by attaching a special protected object policy (POP) to those objects. This POP must contain an extended attribute called document-cache-control.

The document-cache-control extended attribute recognizes the following two values:

Value	Description
no-cache	The no-cache value instructs WebSEAL not to cache this document. All children of the object with the POP also inherit the POP conditions.
public	Public value allows WebSEAL to cache the document by ignoring the fact the junction was created with a -c or -C option. In addition, this value also allows caching of this document when the request is sent with an authorization header (such as Basic Authentication). This condition also includes a request where WebSEAL inserts BA information on behalf of the client (such as with GSO or -b supply junctions). Normally, proxy servers do not cache the response documents to requests that include authorization headers.

Use the pdadmin pop create, pdadmin pop modify, and pdadmin pop attach commands to set a POP on a protected object.

Create a POP called "doc-cache", with the document-cache-control extended attribute, and attached it to an object (budget.html):

pdadmin> pop create doc-cache
pdadmin> pop modify doc-cache set attribute document-cache-control no-cache
pdadmin> pop attach /WebSEAL/hostA/junction/budget.html doc-cache

The budget.html document is never cached by WebSEAL. Each request for this document must be made directly to the back-end server where it is located.

Parent topic: Web server configuration

Related concepts

• Communication protocol configuration
• IPv4 and IPv6 overview
• IPv6: Compatibility support
• IP levels for credential attributes
• LDAP directory server configuration
• WebSEAL worker thread configuration
• WebSEAL worker threads
• Global allocation of worker threads for junctions
• Per-junction allocation of worker threads for junctions
• HTTP data compression
• WebSEAL data handling by using UTF-8
• UTF-8 dependency on user registry configuration
• UTF-8 data conversion issues
• UTF-8 impact on authentication
• UTF-8 impact on authorization (dynamic URL)
• Encoding type usage
• UTF-8 support for uniform resource locators
• UTF-8 support in POST body information (forms)
• UTF-8 support in query strings
• UTF-8 encoding of tokens for cross domain single signon
• UTF-8 encoding of tokens for e-community single signon
• UTF-8 encoding of cookies for failover authentication
• UTF-8 encoding of cookies for LTPA authentication
• UTF-8 encoding in junction requests
• Validation of character encoding in request data
• Set system environment variables
• Cross-Origin Resource Sharing (CORS) Support

Related tasks

• Specify the WebSEAL host name
• Modify the configuration file settings
• Configure WebSEAL for IPv6 and IPv4 requests

Related reference

• IPv6: Upgrade notes
• Allocation view of worker threads for junctions
• Supported wildcard pattern matching characters