Argus: Policy Decision Point (PDP): Troubleshooting

PDP Uses “Old” Policies

The PDP caches policies received from the PAP in order to avoid the cost of fetching and parsing them for every request. If you know, or suspect, that the policy used by the PDP is no longer in sync with the policy stored at the PAP, you can use the command

pdpctl reloadPolicy

to force the PDP to flush its policy cache and retrieve the latest policy from the PAP.

Private Key File Access

Many systems protect their private keys so that only super-user accounts can read them. Starting and running the PDP as such an account is strongly discouraged. The recommended approach is to create a special group (e.g. ‘hostkey’) that has read permission on the key and to ensure that the user running the PDP service is also in this group. This group should not have write permission on the key.

Some people might view this as a loss of security because, if the service user account were compromised, the attacker would be able to read the private key. However, the service holds a copy of the key in memory once it starts, and this copy can easily be accessed via tools that come with the JRE.
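The following script applies the group-based key access described above and verifies that a key file matches that layout (owner read/write, group read only, nothing for others). It is an added example, not part of the Argus distribution; the service user name "argus" and the key path /etc/grid-security/hostkey.pem are assumptions, and only the group name "hostkey" comes from the text.

```shell
#!/bin/sh
# Added example, not Argus code. Assumed names: service user "argus",
# key file /etc/grid-security/hostkey.pem; group name "hostkey" as suggested above.

# apply_hostkey_group: one-time setup, to be run as root.
# Creates the group if it is missing, adds the service user to it, and gives
# the group read-only access to the key (owner root rw, group r, others none).
apply_hostkey_group() {
    key="$1"; group="$2"; svc_user="$3"
    getent group "$group" >/dev/null 2>&1 || groupadd "$group"
    usermod -aG "$group" "$svc_user"
    chown "root:$group" "$key"
    chmod 0640 "$key"
}

# check_hostkey_perms: verify a key file against the recommended layout.
# Returns 0 when owner is rw- (or r--), group is r-- only, others have no
# access and the group matches; returns 1 with a reason on stderr otherwise.
# Parses "ls -ld" output so it works on both GNU and BSD userlands.
check_hostkey_perms() {
    key="$1"; want_group="$2"
    line=$(ls -ld "$key") || return 1
    perms=${line%% *}                      # e.g. -rw-r-----
    group=$(printf '%s\n' "$line" | awk '{print $4}')
    owner_bits=$(printf '%s' "$perms" | cut -c2-4)
    group_bits=$(printf '%s' "$perms" | cut -c5-7)
    other_bits=$(printf '%s' "$perms" | cut -c8-10)
    ok=0
    case "$owner_bits" in
        rw-|r--) ;;
        *) echo "owner bits are $owner_bits, expected rw- or r--" >&2; ok=1 ;;
    esac
    [ "$group_bits" = "r--" ] || { echo "group bits are $group_bits, expected r-- (read only, no write)" >&2; ok=1; }
    [ "$other_bits" = "---" ] || { echo "key is accessible to others ($other_bits)" >&2; ok=1; }
    [ "$group" = "$want_group" ] || { echo "group is $group, expected $want_group" >&2; ok=1; }
    return "$ok"
}

# Usage (as root):
#   apply_hostkey_group /etc/grid-security/hostkey.pem hostkey argus
#   check_hostkey_perms /etc/grid-security/hostkey.pem hostkey
```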