Sun Java System Access Manager 7.1 Performance Tuning and Troubleshooting Guide

Tuning the LDAP Connection Pool and LDAP Configurations

The amtune script provided by Access Manager recommends parameter values for the following three LDAP connection pools:

However, the script does not actually tune the LDAP connection pools for you; you must make the changes manually. In deployments with a subrealm, you must also manually tune the subrealm's connection pools. Like the root realm, each subrealm can have its own user authentication LDAP connection pool and data store LDAP connection pool.

You can modify one or more of the three LDAP connection pool configurations. In each configuration, the recommended values are MIN=8 and MAX=32. Under some conditions, you can increase the MAX value up to 64. The following sections describe how to manually tune the connection pools:

To Tune the User Authentication LDAP Configuration

You can modify the settings on one of the following, depending on the module you use for user authentication.

LDAP Authentication Module

This module is used only to authenticate the user. In the Access Manager console, under Configuration, click Authentication > Core.

Data Store Authentication Module

When the Data Store is used as the authentication module, the Data Store LDAP connection pool settings are used. No additional Authentication connection pool settings are used.

To Tune the Data Store LDAP Configuration

The Data Store LDAP Configuration is used for retrieving user profiles and can also be used for authentication. By default, Access Manager 7.1 supports two types of Data Store plug-ins: AMSDK and LDAPv3. If the Data Store Authentication module is used for authentication (see above), then the recommended Data Store LDAP configuration settings are MIN=8 and MAX=64. You can modify the settings on one of the following, depending on the Data Store plug-in you use:

AMSDK Configuration

The AMSDK LDAP configuration is stored in the serverconfig.xml file under the Access Manager config directory. The server group name is default.

LDAPv3 Configuration

To modify the LDAPv3 Configuration, in the Access Manager console, under Access Control, click Realm > DataStore.

To Tune the Access Manager Configuration Store and SMS LDAP Configuration

The Service Management (SMS) LDAP Configuration is used for storing and retrieving all Access Manager configuration and Policy Service configuration. The SMS LDAP Configuration is stored in the serverconfig.xml file under the Access Manager config directory. The server group is sms.

  1. Start by setting all the connection pool configurations with MIN=8 and MAX=32.

  2. If you must make adjustments based on performance test results, adhere to the following requirements:

    • The MIN value should be at least 8.

    • The MAX value for any pool should not be greater than 64. The MAX value of 32 is enough for most typical deployments.

    Special requirements are outside the scope of this document.

  3. After following steps 1 and 2, if low throughput or slow response times persist, then try the following solutions:

    • Verify that the Directory Server instance is not at 100% CPU usage. If the Directory Server instance is at 100% and the throughput is still low, revisit the indexing on the Directory Server entries. Be sure that Directory Server indexing is configured properly.

    • Run load tests to verify that Access Manager logging is not causing performance to slow down. First run the tests with logging enabled, and then run the tests with logging disabled. If you find that logging is causing slow response times, then you can tune the logging service through the Access Manager console. See Logging in Sun Java System Access Manager 7.1 Administration Reference.
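The check below is an added example, not part of the original guide or of Access Manager: it audits the default and sms server groups of a serverconfig.xml against the MIN and MAX limits in steps 1 and 2. The attribute names minConnPool and maxConnPool and the sample file contents are assumptions; confirm them against your own serverconfig.xml.

```python
import xml.etree.ElementTree as ET

# Limits from the guide: MIN at least 8, MAX no greater than 64,
# with MIN=8 / MAX=32 as the starting point.
MIN_FLOOR, MAX_CEILING, MAX_TYPICAL = 8, 64, 32
GROUPS = ("default", "sms")  # AMSDK data store group and SMS group

# Constructed sample; attribute names minConnPool/maxConnPool are assumed.
SAMPLE = """<iPlanetDataAccessLayer>
  <ServerGroup name="default" minConnPool="1" maxConnPool="10">
    <Server name="Server1" host="ds.example.com" port="389" type="SIMPLE"/>
  </ServerGroup>
  <ServerGroup name="sms" minConnPool="8" maxConnPool="128">
    <Server name="Server1" host="ds.example.com" port="389" type="SIMPLE"/>
  </ServerGroup>
</iPlanetDataAccessLayer>"""


def audit_pools(xml_text):
    """Return {group: [findings]} for the server groups the guide names."""
    root = ET.fromstring(xml_text)
    found = {g.get("name"): g for g in root.iter("ServerGroup")}
    report = {}
    for name in GROUPS:
        group = found.get(name)
        if group is None:
            report[name] = ["server group missing"]
            continue
        try:
            lo = int(group.get("minConnPool", ""))
            hi = int(group.get("maxConnPool", ""))
        except ValueError:
            report[name] = ["minConnPool/maxConnPool missing or not an integer"]
            continue
        issues = []
        if lo < MIN_FLOOR:
            issues.append(f"MIN={lo} is below {MIN_FLOOR}")
        if hi > MAX_CEILING:
            issues.append(f"MAX={hi} exceeds {MAX_CEILING}")
        elif hi > MAX_TYPICAL:
            issues.append(f"MAX={hi} is above the typical {MAX_TYPICAL}")
        if lo > hi:
            issues.append(f"MIN={lo} is greater than MAX={hi}")
        report[name] = issues
    return report


if __name__ == "__main__":
    for name, issues in audit_pools(SAMPLE).items():
        print(name, "OK" if not issues else "; ".join(issues))
```

The user authentication and LDAPv3 data store pools are set in the console rather than in serverconfig.xml, so this check does not cover them.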