Sun[TM] Identity Manager 8.0 Release Notes

Documentation Additions and Corrections

This section contains new and corrected information that was required after the Identity Manager 8.0 documentation set was published. This information is organized as follows:


Identity Manager 8.0 Administration

This section contains a correction for Sun Identity Manager Administration:


Identity Manager Technical Deployment Overview

This section contains new information and documentation corrections for Sun Identity Manager Technical Deployment Overview:

The following information will be added to, or corrected in, the “Private Labeling of Identity Manager” chapter of the Identity Manager Technical Deployment Overview:

You can now replace the product name string in the browser title bar with a localizable string of your choice.

  1. Import the following XML file:
  2. Code Example 1  XML to Import

    <?xml version='1.0' encoding='UTF-8'?>

    <!DOCTYPE Configuration PUBLIC 'waveset.dtd' 'waveset.dtd'>

    <Configuration name='AltMsgCatalog'>

    <Extension>

    <CustomCatalog id='AltMsgCatalog' enabled='true'>

    <MessageSet language='en' country='US'>

    <Msg id='UI_BROWSER_TITLE_PROD_NAME_OVERRIDE'>Override Name</Msg>

        </MessageSet>

    </CustomCatalog>

    </Configuration>

    </Extension>

  3. Using the Identity Manager IDE, load the System Configuration object for editing. Add a new top-level attribute:
  4. Name = customMessageCatalog

    Type = string

    Value = AltMsgCatalog

  5. Open the ui.web Generic Object and look for the browserTitleProdNameOverride attribute. Set this value to true.
  6. Save this change to the System Configuration object, and restart your application server.
  7. The instructions for customizing login pages provided in “Customizing Identity Manager End User Pages” should now include the following information about message keys. (ID-16072)
  8. JSP or Identity Manager Component

    Interface Affected

    Message Key

    Login Page TITLE

    Administrator and User

    UI_LOGIN_TITLE_TO_RESOURCE

    UI_LOGIN_CHALLENGE

    Login Page SUBTITLE

    Administrator and User

    Select a key depending on the login mode: Forgot Password, Forgot User ID, Login Challenge.

    UI_LOGIN_WELCOME3

    UI_LOGIN_WELCOME4

    UI_LOGIN_WELCOME5

    UI_LOGIN_WELCOME6

    UI_LOGIN_CHALLENGE_INFO

    staticLogout.jsp and user/staticUserLogout.jsp

    Administrator and User

    UI_LOGIN_TITLE

    continueLogin.jsp

    Administrator

    UI_LOGIN_IN_PROGRESS_TITLE

    UI_LOGIN_WELCOME

Changing the Default “Logged in as ...” Text

  1. Import the following XML file:
  2. <?xml version='1.0' encoding='UTF-8'?>

    <!DOCTYPE Configuration PUBLIC 'waveset.dtd' 'waveset.dtd'>

    <Configuration name='AltMsgCatalog'>

    <Extension>

    <CustomCatalog id='AltMsgCatalog' enabled='true'>

    <MessageSet language='en' country='US'>

    <Msg id='UI_NAV_FOOT_LOG_AS'>mytext {0}!</Msg>

    </MessageSet>

    </CustomCatalog>

    </Extension>

    </Configuration>

  3. Add the following line to the System Configuration object within the <Configuration><Extension><Object> element:
  1. Save change and restart your application server.


Identity Manager Workflows, Forms, and Views

This section contains new information and documentation corrections for Sun Identity Manager Workflows, Forms, and Views.

Chapter 1, Identity Manager Workflow

Chapter 2,  Workflow Services

lock Provisioning Workflow Service

unlock Workflow Service

Chapter 3, Identity Manager Forms

Related Information

About Auditing-Related Form Processing

Specifying User Forms

Default Auditing-Related Forms

Why Customize These Forms?

Scan Task Variables

Chapter 4, Identity Manager Views

Common Attributes

The high-level attributes of the Org view are listed in the following table.

Name

Editable?

Data Type

Required?

orgName

Read

String

System-Generated

orgDisplayName

Read/Write

String

Yes

orgType

Read/Write

String

No

orgId

Read

String

System-Generated

orgAction

Write

String

No

orgNewDisplayName

Write

String

No

orgParentName

Read/Write

String

No

orgChildOrgNames

Read

List

System-Generated

orgApprovers

Read/Write

List

No

allowsOrgApprovers

Read

List

System-Generated

allowedOrgApproverIds

Read

List

System-Generated

orgUserForm

Read/Write

String

No

orgViewUserForm

Read/Write

String

No

orgPolicies

Read/Write

List

No

orgAuditPolicies

Read/Write

List

No

renameCreate

Read/Write

String

No

renameSaveAs

Read/Write

String

No

orgName

Identifies the UID for the organization.This value differs from most view object names because organizations can have the same short name, but different parent organizations.

orgDisplayName

Specifies the short name of the organization. This value is used for display purposes only and does not need to be unique.

orgType

Defines the organization type where the allowed values are junction or virtual. Organizations that are not of types junction or virtual have no value.

orgId

Specifies the ID that is used to uniquely identify the organization within Identity Manager.

orgAction

Supported only for directory junctions, virtual organizations, and dynamic organizations. Allowed value is refresh. When an organization is a directory junction or virtual organization, the behavior of the refresh operation depends on the value of orgRefreshAllOrgsUserMembers.

orgNewDisplayName

Specifies the new short name when you are renaming the organization.

orgParentName

Identifies the full pathname of the parent organization.

orgChildOrgNames

Lists the Identity Manager interface names of all direct and indirect child organizations.

orgApprovers

Lists the Identity Manager administrators who are required to approve users added to or modified in this organization.

allowedOrgApprovers

Lists the potential user names who could be approvers for users added to or modified in this organization.

allowedOrgApproverIds

Lists the potential user IDs who could be approvers for users added to or modified in this organization.

orgUserForm

Specifies the userForm used by members users of this organization when creating or editing users.

orgViewUserForm

Specifies the view user form that is used by member users of this organization when viewing users.

orgPolicies

Identifies policies that apply to all member users of this organization. This is a list of objects that are keyed by type string: Each policy object contains the following view attributes, which are prefixed by orgPolicies[<type>]. <type> represents policy type (for example, Lighthouse account).

orgAuditPolicies

Specifies the audit policies that apply to all member users of this organization.

renameCreate

When set to true, clones this organization and creates a new one using the value of orgNewDisplayName.

renameSaveAs

When set to true, renames this organization using the value of orgNewDisplayName.

Directory Junction and Virtual Organization Attributes

Name

Editable?

Data Type

Required?

orgContainerId

Read

String

System-generated

orgContainerTypes

Read

List

System-generated

orgContainers

Read

List

System-generated

orgParentContainerId

Read

String

System-generated

orgResource

Read/Write

String

yes, if directory junction or virtual organization

orgResourceType

Read

String

System-generated

orgResourceId

Read

String

System-generated

orgRefreshAllOrgsUserMembers

Write

String

No

orgContainerId

Specifies the dn of the associated LDAP directory container (for example, cn=foo,ou=bar,o=foobar.com).

orgContainerTypes

Lists the allowed resource object types that can contain other resource objects.

orgContainers

Lists the base containers for the resource used by the Identity Manager interface to display a list to choose from.

orgParentContainerId

Specifies the dn of the associated parent LDAP directory container (for example, ou=bar,o=foobar.com).

orgResource

Specifies the name of the Identity Manager resource used to synchronize directory junction and virtual organizations (for example, West Directory Server).

orgResourceType

Indicates the type of Identity Manager Resource from which to synchronize directory junction and virtual organizations (for example, LDAP).

orgResourceId

Specifies the ID of the Identity Manager resource that is used to synchronize directory junctions and virtual organizations.

orgRefreshAllOrgsUserMembers

If true and if the value of orgAction is refresh, synchronizes Identity organization user membership with resource container user membership for the selected organization and all child organizations. If false, resource container user membership will not be synchronized, only the resource containers to Identity organizations for the selected organization and all child organizations.

Dynamic Organization Attributes

Name

Editable?

Data Type

Required?

orgUserMembersRule

Read/Write

String

No

orgUserMembersRuleCacheTimeout

Read/Write

String

No

orgUserMembersRule

Identifies (by name or UID) the rule whose authType is UserMembersRule, which is evaluated at run-time to determine user membership.

orgUserMembersCacheTimeout

Specifies the amount of time (in milliseconds) before the cache times out if the user members returned by the orgUserMembersRule are to be cached. A value of 0 indicates no caching.

The discussion of the User view now includes the following discussion of the accounts[Lighthouse].delegates attributes: (ID-15468)

accounts[Lighthouse].delegates

Lists delegate objects, indexed by workItemType, where each object specifies delegate information for a specific type of work item

accounts[Lighthouse].delegatesHistory

Lists delegate objects, indexed from 0 to n, where n is the current number of delegate history objects up to the delegate history depth

This attribute has one unique attribute: selected, which is a Boolean that indicates the currently selected delegate history object.

accounts[Lighthouse].delegatesOriginal

Original list of delegate objects, indexed by workItemType, following a get operation or checkout view operation.

All accounts[Lighthouse].delegates* attributes take the following attributes:

Attributes of accounts[Lighthouse].delegate* Attributes

Description

 

 

workItemType

Identifies the type of workItem being delegated. See the description of the Delegate Object Model in the Identity Manager Technical Deployment Overview section of this Documentation Addendum for a valid list of workItem types.

workItemTypeObjects

Lists the names of the specific roles, resources, or organizations on which the user is delegating future workItem approval requests. This attribute is valid when the value of workItemType is roleApproval, resourceApproval, or organizationApproval.

If not specified, this attribute by default specifies the delegation of future workItem requests on all roles, resources, or organizations on which this user is an approver.

toType

Type to delegate to. Valid values are:

manager

delegateWorkItemsRule

selectedUsers

toUsers

Lists the names of the users to delegate to (if toType is selectedUsers).

toRule

Specifies the name of the rule that will be evaluated to determine the set of users to delegate to (if toType is delegateWorkItemsRule).

startDate

Specifies the date when delegation will start.

endDate

Specifies the date when delegation will end.

Referencing a DelegateWorkItems View Object from a Form

The following code sample illustrates how to reference a DelegateWorkItems view delegate object from a form:

<Field name='delegates[*].workItemType'>

<Field name=’delegates[*].workItemTypeObjects’>

<Field name=’delegates[*].toType’>

<Field name='delegates[*].toUsers'>

<Field name=’delegates[*].toRule’>

<Field name='delegates[*].startDate'>

<Field name='delegates[*].endDate'>

where supported index values (*) are workItemType values.

Name

Editable?

Type

Required?

name

 

String

Yes

status

 

String

Yes

user

 

String

Yes

userId

 

String

Yes

attestorHint

 

String

No

userView

 

GenericObject

Yes

reviewInstanceId

 

String

Yes

reviewStartDate

 

String

Yes

scanId

 

String

Yes

scanInstanceId

 

String

Yes

approvalWorkflowName

 

String

Yes

organizationId

 

String

Yes

attestorComments.name

 

String

No

attestorComments.attestor

 

String

No

attestorComments.time

 

String

No

attestorComments.timestamp

 

String

No

attestorComments.status

 

 

No

name

Identifies the User Entitlement (by a unique identifier).

status

Specifies the state of User Entitlement object. Valid states include PENDING, ACCEPTED, REJECTED, REMEDIATING, CANCELLED.

user

Identifies the name of the associated WSUser for this entitlement.

userId

Specifies the ID of the associated WSUser.

attestorHint

Displays the (String) hint to the attestor that is provided by the Review Determination Rule. This hints acts as “advice” from the rule to the attestor.

userView

Contains the User view that is captured by User Entitlement scanner. This view contains zero or more resource accounts depending on the configuration of the Access Scan object.

reviewInstanceId

Specifies the ID of the PAR Task instance.

reviewStartDate

Indicates the (String) start date of the PAR task (in canonical format).

scanId

Specifies the ID of AccessScan Task definition.

scanInstanceId

Specifies the ID of AccessScan Task instance.

approvalWorkflowName

Identifies the name of workflow to be run for approval. This value comes from the Access Scan Task definition.

organizationId

Specifies the ID of the WSUser's organization at the time of the scan.

attestorComments

Lists attestation records for the entitlement. Each attestation record indicates an action or statement made about the entitlement, including approval, rejection, and rescan.

attestorComments[timestamp].name

Timestamp used to identify this element in the list.

attestorComments[timestamp].attestor

Identifies the WSUser name of the attestor making the comment on the entitlement.

attestorComments[timestamp].time

Specifies the time at which the attestor attested this record. May differ from the timestamp.

attestorComments[timestamp].status

Indicates the status assigned by the attestor. This can be any string, but typically is a string that indicates the action taken by the attestor -- for example, approve, reject, rescan, remediate.

attestorComments[name].comment

Contains comments added by attestor.

Chapter 6, XPRESS Language

Chapter 8, HTML Display Components

How to Use the objectSelector Example Code

  1. From the Identity Manager IDE, open the Administrator Library UserForm object.
  2. Add the following code to this form:
  3. <Include>

       <ObjectRef type='UserForm' name='Scalable Selection Library'/>

    </Include>

  4. Select the accounts[Lighthouse].adminRoles field within the AdministratorFields field.
  5. Replace the entire accounts[Lighthouse].adminRoles with the following reference:
  6. <FieldRef name='scalableWaveset.adminRoles'/>

  7. Save the object.
  8. When you subsequently edit a user and select the Security tab, Identity Manager displays the customized form. Clicking ... opens the Selector component and exposes a search field. Use this field to search for admin roles that begin with a text string and set the value of the field to one or more values.

    To restore the form, import $WSHOME/sample/formlib.xml from Configure > Import Exchange File.

    See the Scalable Selection Library in sample/formlib.xml for other examples of using the objectSelector template to manage resources and roles in environments with many objects.

  9. The discussion of the TabPanel component now contains the following description of the validatePerTab property: (ID-15501)

ListEditor

Enabling autocomplete for Identity Manager Login Pages

Appendix A, Form and Process Mappings


Identity Manager Deployment Tools

This section provides corrections and additions to the Identity Manager Deployment Tools documentation:.

Working with the Identity Manager Profiler

Identity Manager provides a Profiler utility to help you troubleshoot performance problems with forms, Java, rules, workflows, and XPRESS in your deployment.

Forms, Java, rules, workflows, and XPRESS can all cause performance and scale problems. The Profiler profiles how much time is spent in these different areas, enabling you to determine if these forms, Java, rules, workflows, or XPRESS objects are contributing to performance and scale problems and, if so, which parts of these objects are causing the problems.

This section explains how to use Identity Manager’s Profiler and provides a tutorial to help you learn how to troubleshoot performance issues in your deployment. The information is organized as follows:

Overview

The section provides an overview of the Identity Manager’s Profiler’s features and functionality. The information is organized as follows:

Major Features

You can use the Profiler utility to

How the Profiler Locates and Manages Source

This section describes how the Profiler looks up and manages the source for the following Identity Manager objects:

For Forms, Rules, Workflows, and XPRESS Objects     When you take a snapshot with the Profiler, the server evaluates all of the profiling data and discovers on which sources the data depends. The server then fetches all of these sources from the repository and includes them in the snapshot. Consequently, you can be sure that the Identity Manager objects displayed in the snapshot are accurately reflecting the point at which the snapshot was captured.

This process adds to the size of the snapshot, but the source size is actually a relatively small fraction of the total size. As a result, you can send a snapshot to Sun’s Customer Support without having to send your source files separately.

For Java Source     When you take a snapshot of Java source, the client downloads the snapshot and then goes through the snapshot to capture all referenced Java sources from the project. When you save the snapshot, the client zips the sources and attaches them to the end of the snapshot.

Then, when you view the snapshot and go to the Java source, the client first checks the content of the snapshot. If the client cannot find the content there, it checks the project’s content. This process allows you to send a snapshot containing profiling data from both your custom Java code and Identity Manager code.


Note

In a Java source snapshot, do not assume the source is up-to-date with the server or always available.


Statistics Caveats

The following sections contain information to consider when you evaluate results provided by the Profiler:

Self Time Statistics     To compute a root node’s Self Time statistic, the Profiler subtracts the times of all children nodes from the root node’s total time.

Consequently, an uninstrumented child node’s time is reflected in the root node’s self time. If a root node has a significant self time, you should certainly investigate why. You might not have the proper methods instrumented and so you are looking in the wrong place.

For example, assume method A calls method B.

Method A takes a total time of 10 seconds (where total time includes the call to B) and the call to B takes a total time of 10 seconds.

If both A and B are instrumented, the call stack reflects that information. You will see that A has a self-time of 0 seconds and that B has a self-time of 10 seconds (where 10 seconds was actually spent in B). If, however, B is not instrumented, you only see that the call to A takes 10 seconds and that A's self-time is 10 seconds. Consequently, you might assume the problem lies directly in A rather than in B.

In particular, you might notice large self times on JSPs during their initial compile. If you reset the collected results and then redisplay the page, the self time value will be much less.

Constructor Calls     Because there are limitations in the Java instrumentation strategy, initial calls to this() or super() will appear as a sibling to the constructor call, rather than as a child. See the following example:

class A

{

public A()

{

this(0);

}

public A(int i)

{

}

}

and:

class B

{

public static void test()

{

new A();

}

}

The call tree will look like this:

B.test()

-A.<init>(int)

-A.<init>()

Rather than this:

B.test()

-A.<init>()

-A.<init>(int)

Daemon Threads     Do not be mislead by the seemingly large amount of time spent in a number of Identity Manager’s daemon threads, such as ReconTask.WorkerThread.run() or TaskThread.WorkerThread.run(). Most of this time is spent sleeping, while waiting for events. You must explore these traces to see how much time is actually spent when they are processing an event.

Getting Started

This section describes how to start the Profiler and how to work with various features of the Profiler’s graphical user interface. This information is organized as follows:

Before You Begin

Because the Profiler is very memory intensive, you should significantly increase the memory for both your server and the Netbeans Java Virtual Machine (JVM).

When you are finished, you can start the Profiler as described in the next section.

Starting the Profiler

You can use any of the following methods to start the Profiler from the Identity Manager IDE window:

When you start the Profiler, the Profiler Options dialog displays so you can specify which profiling options you want to use. Instructions for setting these options are provided in Specifying the Profiler Options.

Using the Profiler

This section describes the features of the Profiler graphical user interface, and how to use these features. The information is organized as follows:

Specifying the Profiler Options

The Profiler Options dialog consists of the following tabs:

Use the options on these tabs to indicate which objects to profile and which elements to display in the profile.

After specifying the Profiler options, click OK to start the Profiler. Depending on your project configuration, the Profiler does one of two things:

Mode     The Mode tab provides the following options:

IDM Object Filters     The IDM Object Filters tab provides the following options:

Java Filters     Select the Java Filters tab to

Java filters are given in terms of method patterns, and they are expressed in patterns that include or exclude based on canonical method name. Where a canonical method name is:

fully-qualified-class-name.method-name(parameter-type-1, parameter-type-2, ...)


Note

For constructors, method-name is <init>.


Here are a few examples:

If necessary, you can instrument other jars by modifying the following lines in build.xml as appropriate. For example,

<instrument todir="${lighthouse-dir-profiler}/WEB-INF" verbose="${instrumentor.verbose}" includeMethods="${profiler.includes}" excludeMethods="${profiler.excludes}">

<fileset dir="${lighthouse-dir}/WEB-INF">

<include name="lib/idm*.jar"/>

<include name="classes/**/*.class"/>

</fileset>

</instrument>

By default, the configuration includes all your custom classes and most Identity Manager classes. A number of Identity Manager classes are forcibly excluded — because enabling them would break the Profiler.

For example, classes from the workflow, forms, and XPRESS engines are excluded or the Profiler would produce an unintelligible snapshot when profiling Java and Identity Manager objects.

Note that Java filters provide much more filtering granularity than IDM Object Filters. Java instrumentation adds significant overhead to the execution time, which can drastically skew the profiling results. Because Identity Manager objects are interpreted rather than compiled, the instrumentation overhead is negligible. So for example, there is basically no reason to exclude workflow A and include workflow B, and so forth.


Note

You cannot modify Java filters while the Profiler is running. You must stop the Profiler before changing Java filters.


Miscellaneous     The Miscellaneous tab provides the following options:

Working with the IDM Profiler View

The IDM Profiler view consists of the following areas:

Current Project Area     The Current Project area consists of a drop-down menu that lists all of your current projects. Use this menu to select the project you want to profile.

Controls Area     The Controls area contains four icons, as described in the following table:

Icon

Purpose

Start Identity Manager Profiler icon

Start Identity Manager Profiler

Starts the Profiler and opens the Profiler Options dialog.

Stop Identity Manager Profiler icon

Stop Identity Manager Profiler

Stops the Profiler.

Graphic showing Reset Collected Results icon.

Reset Collected Results

Resets all of the profile results you collected to this point.

Modify Profiling icon

Modify Profiling

Re-opens the Profiler Options dialog so you can change any of the settings to modify your current profile results.

Status Area     The Status area reports whether you are connected to the Host and provides Status information as the Profiler is starting up, running, and stopping.

Profiling Results Area     The Profiling Results area contains two icons, which are described in the following table:

Icon

Purpose

Take Snapshot icon

Start Identity Manager Profiler

Starts the Profiler and opens the Profiler Options dialog.

Graphic showing Reset Collected Results icon.

Reset Collected Results

Resets all of the profile results you collected to this point.

Saved Snapshots Area     The Saved Snapshots area provides a list of all saved snapshots.


Note

Instructions for saving snapshots are provided in Saving a Snapshot.


In addition, you can use the following buttons to manage these snapshots:

Working with the Snapshot View

When you open a snapshot, the results display in the Snapshot View window, located on the upper right side of Identity Manager IDE.

A snapshot provides several views of your data, which are described in the following sections:

Call Tree View     Call Tree view consists of a tree table showing the call timing and invocation counts throughout your system.

This tree table contains three columns:

Hotspots View     Hotspots view provides a flattened list of nodes that shows aggregate call timings regardless of parent.

This view contains the following columns:

Back Traces View     Back Traces view provides an inverted call stack showing all the call chains from where each node was called.

You can use these statistics to answer the question — How much time would I save if I eliminated this particular call chain from this node?

You can access the Back Traces view from any of the other snapshot views by right-clicking a node (known as the root node) and selecting Show Back Traces from the pop-up menu.


Note

The Time and Invocations data values mean something different in Back Traces view:

  • Time: The values in this column represent the time spent in the root node when it is called from a given call chain.
  • Invocations: The values in this column represent how many times the root node was invoked from a given call chain.

Callees View     Callees view provides an aggregate call tree for a node (known as the root node), regardless of its parent chain.

These statistics are helpful if you have a problem area that is called from many places throughout the master call tree and you want to see the overall profile for that node.

You can access the Callees view from any of the other snapshot views by right-clicking a node (known as the root node) and selecting Show Callees from the pop-up menu.


Note

The Time and Invocations data values used in Callees view have the same meaning as those used in Call Tree view.


Using the Pop-Up Menu Options

Right-click any node in Call Tree view or in Hotspots view and a pop-up menu displays with the options described the following table:

Menu Options

Description

GoTo Source

Select this option to view the XML source for a node that corresponds to a Java method, workflow, form, rule, or XPRESS. For detailed information about this view, see How the Profiler Locates and Manages Source.

Show Back Traces

Select this option to access the Back Traces view. For detailed information about this view, see Back Traces View.

Show Callees

Select this option to access the Callees view. For detailed information about this view, see Callees View.

Find In Hotspots

Select this option to find a node in the Hotspots view. For detailed information about this view, see Hotspots View.

List Options > Sort >

Select this option to

  • None
  • Call Tree
  • Time
  • Invocations
  • Ascending
  • Descending

List Options > Change Visible Columns

Select this option to change the columns displayed in the Call Tree or Hotspots list.

When the Change Visible Columns dialog displays, you can select one or more of the following options:

  • Call Tree: Call Tree
  • Invocations: Invocations
  • Time: Time

Searching a Snapshot

Use the Search icon , located at the top of the Snapshot View window to search for nodes by name the Call Tree view or Hotspots tree.

Alternatively, right-click any node in Call Tree view or Hotspots view and select Find in Call Tree or Find in Hotspots (respectively) from the pop-up menu to search for a node.

Saving a Snapshot

The Profiler provides several options for saving a snapshot. See the following table for a description of these options:

Icon

Purpose

Take Snapshot icon

Save the Snapshot in the Project icon (located at the top of the Snapshot View window)

Saves the snapshot in the nbproject/private/idm-profiler directory of your project. Snapshots saved in your project are listed in the Saved Snapshots section of the Profiler view.

Graphic showing Reset Collected Results icon.

Save the Snapshot Externally icon (located at the top of the Snapshot View window)

Saves a snapshot to an external, arbitrary location.

Graphic showing Save As button in the Saved Snapshots area.

Save As button (located in the Saved Snapshots area)

Saves a snapshot to an external, arbitrary location.

Tutorial: Troubleshooting Performance Problems

Identity Manager provides a tutorial (profiler-tutorial.zip) to help you learn how to use the Profiler to troubleshoot forms, Java rules, workflows, and XPRESS.

Step 1: Create an Identity Manager Project

Follow these steps to create an Identity Manager project:

  1. Select File > New Project.
  2. When the New Project wizard displays, specify the following, and then click Next:
    1. In the Categories list, select Web to indicate what type of project you are creating.
    2. In the Projects list, select Identity Manager Project.

    3. Note

      You must create a regular Identity Manager project for a fully featured development environment. Do not select the Identity Manager Project (Remote) option.


  3. Complete the following fields on the Name and Location panel, and then click Next:
    • Project Name: Enter Idm80 as the project name.
    • Project Location: Use the default location or specify a different location.
    • Project Folder: Use the default folder or specify a different folder.
  4. When the Identity Manager WAR File Location panel displays, enter the location of the Identity Manager 8.0 war file. Typically, unzipping this file creates an idm.war file in the same directory.
  5. Click Next to continue to the Repository Setup panel.
  6. You should not have to change the default settings on this panel, just click Finish. When you see the BUILD SUCCESSFUL message in the Identity Manager IDE Output window, you can extract the Profiler tutorial files. See Step 2: Unzip the Profiler Tutorial for instructions.

Step 2: Unzip the Profiler Tutorial

Unzip profiler-tutorial.zip in the project root. The extracted files include:

<project root>/custom/WEB-INF/config/ProfilerTutorial1.xml

<project root>/custom/WEB-INF/config/ProfilerTutorial2.xml

<project root>/src/org/example/ProfilerTutorialExample.java

<project root>/PROFILER_TUTORIAL_README.txt

You are now ready to start the Profiler.

Step 3: Starting the Profiler

To start the Profiler,

  1. Use the instructions provided in Before You Begin to increase the memory for your server and Netbeans JVM.
  2. Use any of the methods described in Overview to start the Profiler.
  3. When the Profiler Options dialog displays, you can specify profiling options.

Step 4: Setting the Profiler Options


Note

For detailed information about all of the different Profiler options, see Specifying the Profiler Options.


For the purposes of this tutorial, specify the following Profiler options:

  1. On the Mode tab, select Java and IDM Objects to profile form, Java, rule, workflow, and XPRESS objects.
  2. Select the Java Filters tab.
  3. Use the following steps to disable all Identity Manager Java classes except your custom Java classes (in this case, org.example.ProfilerTutorialExample):

    1. Click New and a new, blank field appears at the bottom of the Filter column.
    2. Enter com.waveset.* into the new field, and then select the Exclude box.
    3. Click New again.
    4. Enter com.sun.idm.* into the new field, and then select the Exclude box.
  4. Click OK to run the Profiler.

  5. Note

    The Profiler takes a few minutes to complete the first time you run it on a project or if you have recently performed a Clean Project action.


    When the Profiler finishes processing, you are prompted to Log In.

  6. Enter the password configurator, select the Remember Password box, and then click OK to continue.
  7. When the Identity Manager window displays, log in.

  8. Note

    Typically, you should log in to Identity Manager as a different user instead of logging in as configurator again. You are already logged into the Profiler as configurator, and the Identity Manager session pool only allows one entry per user. Using multiple entries can result in the appearance of a broken session pool and might skew your profiling results for finer-grained performance problems.

    However, for this simple example the session pool is of no consequence so you can login as configurator/configurator.


  9. In Identity Manager, select Server Tasks > Run Tasks, and then click ProfilerTutorialWorkflow1.
  10. The tutorial might take a few moments to respond.

  11. Although you could take a snapshot now; you are going to reset your results instead, run the Profiler, run it again, and then take a snapshot.

  12. Note

    It is a best practice to run the Profiler a couple of times before taking a snapshot to be sure all the caches are primed, all the JSPs are compiled, and so forth.

    Running the Profiler several times enables you to focus on actual performance problems. The only exception to this practice is if you are having a problem populating the caches themselves.


    1. Return to the IDM Profiler view in the Identity Manager IDE. Click the Reset Collected Results icon Graphic showing Reset Collected Results icon. in the Profiling Results section (or in the Controls section) to reset all of the results collected so far.
    2. In Identity Manager, select Server Tasks > Run Tasks again, and click ProfilerTutorialWorkflow1.
    3. When the Process Diagram displays, return to the Identity Manager IDE and click Take Snapshot in the Profiling Results section.
  13. The Identity Manager IDE downloads your snapshot and displays the results on the right side of the window.
  14. This area is the Call Tree view. At the top of the Call Tree, you should see a /idm/task/taskLaunch.jsp with a time listed in the Time column. The time should indicate that the entire request took six+ seconds.

  15. Expand the /idm/task/taskLaunch.jsp node, and you can see that ProfilerTutorialWorkflow1 took six seconds.
  16. Expand the ProfilerTutorialWorkflow1 node. Note that activity2 took four seconds and activity1 took two seconds.
  17. Expand activity2.
  18. Note that action1 took two seconds and action2 took two seconds.

  19. Expand action1 and note that the <invoke> also took two seconds.
  20. Double-click the <invoke> to open ProfilerTutorialWorkflow1.xml and highlight the following line:
  1. Select the CPU:<date><time> tab to return to your snapshot.
  2. Expand the <invoke> node, and note that the Profiler spent two seconds in the Java ProfilerTutorialExample.example() method.
  3. Double-click the method name to open the ProfilerTutorialExample.java source and highlight the following line:
  1. If you return to the Call Tree, you can see that all of the two second paths lead to this method. (You should see three paths; for a total of six seconds.)
  2. Select the Hotspots tab (located at the bottom of the Call Tree area) to open the Hotspots view. Notice that ProfilerTutorialExample.example() has a total self time of six seconds.
  3. (For more information about Hotspots, see Hotspots View.)

  4. Right-click ProfilerTutorialExample.example() and select Show Back Traces from the pop-up menu.
  5. A new Back Traces tab displays at the bottom of the area.

  6. Expand the ProfilerTutorialExample.example() node on the Back Traces tab to see that this method was called from three places, and that the method took two seconds when it was called from each place.
  7. (For more information about Back Traces, see Back Traces View.)

  8. Click the Save the snapshot in the project icon Graphic shows Save the snapshot in the project icon. to save your snapshot and close it.
  9. If you check the Saved Snapshots section on the IDM Profiler tab, you should see your snapshot. (You might have to scroll down.)

  10. Select the saved snapshot, and then click Open to re-open it.

  11. Note

    You can use the Save As button to save your snapshots externally and use the Load button to load a snapshot from outside your project.


  12. Close the snapshot again.

Using the Profiler on a Workflow ManualAction

The next part of this tutorial illustrates how to profile a workflow ManualAction.

  1. In Identity Manager, select Server Tasks > Run Tasks, and then click ProfilerTutorialWorkflow2.
  2. After a few moments, an empty form displays.

  3. Click Save and the process diagram displays.
  4. Select Server Tasks > Run Tasks again.
  5. Return to the Identity Manager IDE IDM Profiler view and click the Reset Collected Results icon in the Profiling Results section.
  6. Now click ProfilerTutorialWorkflow2 in Identity Manager.
  7. When the blank form displays again, click Save.
  8. In the IDM Profiler view, click Take Snapshot.
  9. After a few seconds, a snapshot should display in the Call Tree area. You should see that /idm/task/workItemEdit.jsp took six+seconds. (This result corresponds to the manual action in the workflow.)

  10. Expand the /idm/task/workItemEdit.jsp node and note that running all Derivations in the ManualAction form took a total of six seconds.
  11. Expand the Derivation, displayNameForm, variables.dummy, and <block> nodes.
  12. You should see that the <block> took six seconds and, of that time, the Profiler spent two seconds in each of the three invokes to the ProfilerTutorialExample.example(). method.

  13. You can double-click <block> to view the source.

Identity Manager IDE Frequently Asked Questions (FAQ)

This FAQ answers some commonly asked questions related to using the Identity Manager Integrated Development Environment (Identity Manager IDE). The information is organized into these categories:

Using NetBeans

Q: Which version of Netbeans should I use?

A: Use the Netbeans version referenced in the Identity Manager product documentation provided for the Netbeans plugin version you are using.


Note

Always use the exact version referenced because even patch releases can cause major functionality to break.


Q: The Netbeans plugin was working, I did something, and now it is no longer working. What could be causing this problem?

A: This problem is commonly caused by a corrupt file in your .netbeans directory. Generally, deleting your .netbeans directory and re-installing the NetBeans plugin resolves the problem. (Deleting the .netbeans directory effectively uninstalls the NetBeans plugin. You lose all of your user settings, but the contents of your project will be safe.)

The steps are as follows:

  1. Shutdown NetBeans.
  2. Delete the .netbeans directory.
  3. Start NetBeans.
  4. Install the NetBeans plugin.
  5. Restart NetBeans.

Working with Projects

Q: Building and running a project is taking a very long time, and the Identity Manager IDE seems to be copying a lot of files. What could be causing this problem?

A: This problem can occur for the following reasons:

Q: Now that I have created an Identity Manager project, what files should be checked into source control?

A: See the “CVS Best Practices” section in the Identity Manager IDE README.txt for information.

Q: What are the best practices for using project management in CVS?

A: See the “CVS Best Practices” section in the Identity Manager IDE README.txt for information.

Q: When are objects imported into the repository?

A: See Working with the Repository for information.

Q: How do I add a new JAR to the project?

A: See the “How to add a new JAR dependency” section in the Identity Manager IDE README.txt.

Working with the Repository

Q: Which repository should I use for my sandbox repository?

A: Use the embedded repository for your sandbox — particularly if you are using Identity Manager 7.1 (or higher), which has an HsSQL repository available. You lose functionality if you do not use the embedded repository.

Refer to the “Working with the Repository” section in the Identity Manager IDE README.txt for more information.

Q: When are objects imported automatically?

A: You have to configure Identity Manager IDE to import objects automatically.

The steps are as follows:

  1. Select Repository > Manage Embedded Repository from the IdM menu.
  2. Enable the Automatically Publish Identity Manager Objects option on the Manage Embedded Repository dialog.

  3. Note

    This option is not available for Identity Manager Project (Remote) or if you specify your own repository.


  4. Select Project > Run Project or Project > Debug Project.
  5. The Identity Manager IDE automatically imports all objects that have changed since the last time you ran the project.


    Note

    Automatically publishing Identity Manager objects increases the time needed to start the server. To minimize server start time, disable this option and explicitly upload objects to the repository.


Q: What is the most effective way to upload objects?

A: Use one of the following methods to upload modified objects:

Either method uploads the object(s) directly to the server, so there is no cache latency issue and it is much faster than using Run Project or Debug Project. The Upload Objects feature is available regardless of which repository you are using.

Using the Identity Manager IDE Debugger

Q: The Identity Manager IDE Debugger is sluggish. What could be causing this problem?

A: To improve the Debugger’s performance:

Q: I cannot set a breakpoint in the Debugger. What could be causing this problem?

A: The following conditions might prevent you from setting a breakpoint:

Q: I set a breakpoint in the Debugger and it is not suspending on the breakpoint. What could be causing this problem?

A: There are two things to check:

Working with Rules

Q: When developing rules in Netbeans, why is design mode not available for a Rule Library?

A: The design mode functionality is available from the explorer tree in Projects view. Use the following steps:

  1. Expand the library node and right-click a rule.
  2. When the pop-up menu displays, select Properties and then click Body.


Identity Manager Tuning, Troubleshooting, and Error Messages

This section provides new information and documentation corrections for Sun Identity Manager Tuning, Troubleshooting, and Error Messages.


Localization Scope

Historically, Identity Manager does not localize resource objects and functions, primarily because they are mostly samples that get loaded (through init.xml) during initialization of Identity Manager, and because the attributes of object types can vary between actual customer deployments, depending on the level of customizations. Following is a list of areas where users might encounter English: (ID-16349)


Online Help

This section contains documentation corrections for online help.