9 Monitoring Performance by Using Oracle Access Management Console

Monitoring performance refers to observing (viewing) performance metrics to make yourself aware of the state specific components. While there are several methods to view performance metrics, this chapter provides the following topics with emphasis on using Oracle Access Management Console:

See Also:

  • Chapter 10if you are using Oracle Enterprise Manager Fusion Middleware Control

9.1 Introduction to Performance Monitoring

Component performance metrics can be collected in memory during the completion of particular events. You can monitor the time spent in a particular area or track particular occurrences or state changes.

Oracle Access Management uses the Oracle Dynamic Monitoring Systems (DMS) to measure application-specific performance information for OAM Servers and registered Agents.

Metric collection is the mechanism by which components collect information in memory for particular events. Based on these events, you can monitor the time spent in a particular area or track particular occurrences or state changes. These metrics are kept only in memory and there are several mechanisms to extract and display them: EM, dmsSpy, dmsDump, for instance.

dmsSpy is a Fusion Middleware tool that is part of the WebLogic Application Server. dmsSpy displays the raw DMS data specific to the WebLogic Application Server instance. Displayed information is categorized by Noun Types (OAMS.OAM_ prefix for Oracle Access Management) and includes metrics pertaining to all DMS instrumented applications running in the Weblogic Application Server instance. To see the metrics on a Weblogic instance, go to http://hostname:port/dms/. For example:

http://samplehost:7001/dms/

See Also:

Administrators can monitor performance for Access Manager using the Monitoring command on the Actions menu under the System Configuration tab.

9.2 Reviewing DMS Metric Tables

To access DMS console

  1. In a brower window, go to the DMS Console using the following URL:

    http:// <example_AdminServer:Port/dms/
    
  2. Log in with your Oracle Access Management Administrator credentials.

  3. In the DMS Metric Tables, click the desired metric from those listed to view the results on the right-side of the console.

    DMS Metric Table

9.3 Monitoring Server Metrics Using Oracle Access Management Console

This section provides the following topics:

9.3.1 Monitoring Server Instance Performance

Users with valid Oracle Access Management Administrator credentials can use the following procedure to display various performance metrics using the Oracle Access Management Console.

Prerequisites

The OAM Sserver must be running.

To monitor performance using Oracle Access Management Console

  1. In the Oracle Access Management Console, go to the System Configuration tab.

  2. Server Instance:

    1. Open the:


      Common Configuration section
      Server Instances node
      DesiredServer
    2. From the Actions menu in the navigation tree, click Monitor Menu.

    3. On the Monitor page, click the desired subtab to view results for the server instance:


      Server Processes Overview
      Session Operations
      Server Operations
      OAM Agents
    4. Proceed to "Reviewing Server Metrics Using Oracle Access Management Console".

  3. See also, "Introduction to OAM Proxy Metrics and Tuning".

9.3.2 Reviewing Server Metrics Using Oracle Access Management Console

This topic provides a look at the Server metrics available when you have a server instance selected in the navigation tree and you choose the Monitoring Menu command on the Actions menu under the System Configuration tab.

Figure 9-1 shows the Server Processes page.

Figure 9-1 Server Processes Overview Page

Server Processes Overview Page
Description of "Figure 9-1 Server Processes Overview Page"

Server Processes Overview provides the following OAM Server events, organized in individual columns on the tab.

Table 9-1 OAM Server Metrics: Server Processes Overview Tab

Server Metric Columns

Authorization Process

Authorization Requests

Authentication Process Failure

Authentication Process Success

Pre Authentication Process Failure

Pre Authentication Process Success


Figure 9-2 shows the Session Operations Monitoring tab after detaching the table to display all event metrics in individual columns.

Figure 9-2 OAM Server Metrics: Session Operations Monitoring Page

Session Operations Monitoring Page
Description of "Figure 9-2 OAM Server Metrics: Session Operations Monitoring Page"

OAM Server Session Operations metrics include:

Table 9-2 OAM Server Metrics: Session Operations

Session Operations

Check Session Valid

Check Session Valid Failure

Check Session Valid Success

Create Session

Create Session Failure

Create Session Success

Destroy Session

Destroy Session Failure

Destroy Session Success

Delete Client Session

Delete Client Session Failure


Figure 9-3 shows the detached OAM Server Operations Monitoring page.

Figure 9-3 OAM Server Metrics: Server Operations Tab

Server Operations Monitoring Page
Description of "Figure 9-3 OAM Server Metrics: Server Operations Tab"

OAM Server Operations metrics include those in Table 9-3.

Table 9-3 OAM Server Metrics: Server Operations Tab

OAM Server: Operations Metrics

Authentication Policy Response Failure

Authentication Policy Response Success

Authentication Scheme Response Failure

Authentication Scheme Response Success

Authentication Failure

Authentication Failure Responses

Authentication Policy Response

Authentication Requests

Authentication Scheme Response

Autorization Failure

Autorization Failure

Autorization Process Failure

Autorization Process Success


Figure 9-4 shows the OAM Server Metrics: OAM Agents tab with all available metrics showing.

Figure 9-4 OAM Server Metrics: OAM Agents Tab

OAM Agents Monitoring Page
Description of "Figure 9-4 OAM Server Metrics: OAM Agents Tab"

OAM Agent performance metrics include:

  • Agent Name

  • Agent Status

  • Version

9.4 Monitoring SSO Agent Metrics Using Oracle Access Management Console

This section describes how to review metrics for various components and how to determine whether tuning is needed. The following topics are included:

9.4.1 Monitoring Agent Metrics Using Oracle Access Management Console

Users with valid Oracle Access Management Administrator credentials can use the following procedure to display various SSO Agent performance metrics using the Oracle Access Management Console.

Prerequisites

The server and agent must be running.

To monitor SSO Agent performance using Oracle Access Management Console

  1. From the Oracle Access Management Console System Configuration tab:


    System Configuration tab
    Access Manager section
    SSO Agents node
  2. Open the desired agent type node:

  3. Search for the desired agent to monitor, as usual.

  4. In the Search Results table, highlight the desired agent SerialNumber and from the Actions menu select Monitor.

  5. Proceed as needed.

9.4.2 Reviewing OAM Agent Metrics

OAM Agent metrics are organized across the following tabs, as shown in Table 9-3:

  • Connectivity

  • Operations Overview

  • Operations Detail

  • Information

Figure 9-5 OAM Agent Metrics: Monitoring Characteristics

OAM Agent Monitoring Characteristics
Description of "Figure 9-5 OAM Agent Metrics: Monitoring Characteristics"

Following figures illustrate detached tables for one OAM Agent with all possible metrics displayed for each:

Figure 9-6 OAM Agent Metrics: Detached Connectivity Table

Agent Connection Table
Description of "Figure 9-6 OAM Agent Metrics: Detached Connectivity Table "

Figure 9-7 OAM Agent Metrics: Detached Operations Overview Table

Agent Operations Overview
Description of "Figure 9-7 OAM Agent Metrics: Detached Operations Overview Table "

Figure 9-8 OAM Agent Metrics: Detached Operations Detail Table

Agent Operations Detail
Description of "Figure 9-8 OAM Agent Metrics: Detached Operations Detail Table "

Figure 9-9 OAM Agent Metrics: Detached Information Table

Agent Information Table
Description of "Figure 9-9 OAM Agent Metrics: Detached Information Table "

9.4.3 Reviewing OSSO Agent Metrics

When you have an OSSO Agent selected OSSO Agents Search Results table and choose Monitor from the table's Actions menu, the following metrics pages are available:

Figure 9-10 OSSO Agent Monitoring Page with Operation Details

Agent Monitoring Page
Description of "Figure 9-10 OSSO Agent Monitoring Page with Operation Details"

Figure 9-11 illustrates the detached OSSO 10g Agent Monitoring Process Overview table.

Figure 9-11 OSSO Agent Monitoring Process Overview Table

Agent Monitoring Process Overview
Description of "Figure 9-11 OSSO Agent Monitoring Process Overview Table "

Figure 9-12 illustrates the detached OSSO Agent Information table.

Figure 9-12 OSSO Agent Information Table

OSSO 10g Agent Information
Description of "Figure 9-12 OSSO Agent Information Table "

9.5 Introduction to OAM Proxy Metrics and Tuning

This section provides the following topics:

9.5.1 About OAM Proxy Metrics

Throughput refers to the number of requests processed per second. Latency refers to the time required to process a particular request. There is less than a 20% latency increase with the introduction of a proxy between Webgate and OAM Server.

Table 9-4 lists the various OAM Proxy metrics available.

Table 9-4 OAM Proxy Metrics

Metric Description

handshakes.active

Number of active threads doing handshake

handshakes.avg

Average time spent performing initial handshake

handshakes.completed

Number of times an initial handshake has been executed

handshakes.maxTime

Maximum time spent performing initial handshake

handshakes.minTime

Minimum time spent performing initial handshake

handshakes.time

Total time spent performing initial handshake

failedHandshakes.count

Count of failed handshakes

peerCompatibilityFailures.count

Count of how many Peer Compatibility Check Failures have happened

openSecurityMode.count

Count of how many Open Security Mode handshakes have happened

simpleSecurityMode.count

Count of how many Simple Security mode handshakes have happened

SSLSecurityMode.count

Count of how many SSL Security Mode handshakes have happened

negotiateSecurityMode.active

Number of active threads doing security mode negotiation


9.5.2 OAM Proxy Server Tuning Parameters

Performance of the OAM Proxy can be tuned by changing its configuration through the Java EE container Administration Console.

Note:

Both the Java EE container Administrator and the Oracle Access Management Administrator can tune performance using the Java EE container Administration Console, which is outside the scope of this book.

Table 9-5 provides the tuning parameters for the OAM Proxy.

Table 9-5 OAM Proxy Tuning Parameters

Purpose Parameter Type Value Description

Denial of Service Attacks

ConnectionValidationInterval

Integer

120

The time interval in seconds for validating the connections periodically for denial of service attacks

 

BacklogQueue

Integer

50

Maximum length of backlog queue

 

MaxNAPHandShakeTime

Integer

100

The maximum time in milliseconds within which the client should complete the NAP handshake with client. If NAP handshake over a connection is not completed within this time, the connection will be marked as malicious


9.6 Reviewing OpenSSO Metrics in the DMS Console

This section provides the following topics:

9.6.1 OpenSSO Proxy Events and Metrics: Server

Throughput refers to the number of requests processed per second. Latency refers to the time required to process a particular request. The Events that can be monitored are described in Table 9-6.

Table 9-6 OpenSSO Proxy Server Events

Event Description

Naming Service Request

This request is for naming lookups. One can monitor response time taken by the OpenSSO Proxy in servicing this request

Agent Authentication Process

Agent Authentication has been captured in two phases:

  • AgentAuthentication_Login and AgentAuthentication_SubmitRequirements phase. The second phase refers to the phase after the credentials are submitted by the OpenSSO Agent for authentication

  • The second phase refers to the phase after the credentials are submitted by the OpenSSO Agent for authentication.

Agent Session Validation

Agent Session Validation

User Authentication

This event is captured for Client SDK's only. One can monitor response time taken to authenticate client SDK's through this diagnostic event

User Session Validation

Time taken to validate User Session

User Authorization

Time taken for authorization as per the configured policy for the given resource


Table 9-7 lists the various OpenSSO Proxy metrics available for the named server.

Table 9-7 OpenSSO Proxy Metrics: Server

Metric Description

AgentAuthentication_Login

Response time details for Authentication requests during login phase sent by the Agent to authenticate

AgentAuthentication_LoginFailures

Count of how many Agent Authentication requests during login phase have failed.

AgentAuthentication_SubmitRequirements

Response time details for Authentication requests during Submit Requirements phase send by the Agent to authenticate

AgentAuthentication_SubmitRequirementsFailures

Count of how many Agent Authentication requests during Submit Requirements phase have failed

NamingServiceRequest

Response time details for Naming Service Request operations

NamingServiceRequestFailures

Count of how many Naming Service Request operations have failed

UserAuthentication_SDK

Response time details for User Authentication requests

UserAuthentication_SDKFailures

Count of how many User authentication Requests have failed

UserAuthorization

Response time details for User Authorization operations

UserAuthorizationFailures

Count of how many user authorization operations have failed

ValidateAgentSession

Response time details for Agent Session Validation operation

ValidateAgentSessionFailures

Count of how many agent session validation operations have failed

ValidateUserSession

Response time details for User Session Validation operation

ValidateUserSessionFailures

Count of how many User session validation operations have failed.


9.6.2 OpenSSO Proxy Metrics: Agent

Table 2 lists the various OpenSSO Proxy metrics available for each OpenSSO Agent.

Table 9-8 OpenSSO Proxy Metrics: Agent

Metric Description

AgentAuthentication_SubmitRequirements

Response time details for Authentication requests during Submit Requirements phase collected per Agent

AgentCacheMode

Specifies the cache mode for the client policy evaluator. Values can be: subtree or self

AgentFilterMode

Specifies how the agent filters requests to protected web applications. The global value functions as a default, and applies for protected applications that do not have their own filter settings

AgentHostName

The host name of OpenSSO Agent

AgentIPAddress

The IP Address of OpenSSO Agent

AgentMappingMode

Specifies the mechanism used to determine the user ID

AgentState

The state of OpenSSO Agent: enabled or disabled.

UserAttributeName

Specifies the data store attribute that contains the user ID

UserAuthorization

Response time details for User Authorization operations collected per Agent

UserIdentity

Specifies the session property name for the authenticated user's ID. Default is 'UserToken'

ValidateAgentSession

Response time details for Agent Session Validation operation collected per Agent

agentType

The type of OpenSSO agent: J2EE or Web Agent


9.6.3 Reviewing OpenSSO Metrics Using the DMS Console

User with valid Oracle Access Management Administrator credentials can use the procedure here to view OpenSSO Proxy metrics in the DMS console.

Prerequisites

The OAM Server must be running.

To access DMS console

  1. In a brower window, go to the DMS Console using the following URL:

    http:// <example_AdminServer:Port/dms/
    
  2. Log in with your Oracle Access Management Administrator credentials.

  3. OpenSSO Agent Metrics: In the DMS Metric Tables, click OAMS.OAM_Server.OPENSSO_Agents.

  4. OpenSSO Proxy Metrics: In the DMS Metric Tables, click OAMS.OAM_OpenSSOProxy and view the results on the right side of the console.