26 Oracle Identity Manager Performance Tuning

This chapter provides guidelines for tuning and sizing specific to Oracle Identity Manager (OIM). It contains these topics:

Note:

As with any enterprise class business application, there is no simple procedure for tuning that works for all systems. The tuning sections in this chapter provide (in some cases) sample configurations and outline the principles for tuning Oracle Identity Manager. Consider your own use case scenarios to determine which settings are appropriate.

26.1 About Oracle Identity Manager

Oracle Identity Manager (OIM) provides operational and business efficiency through centralized administration and complete automation of identity and user provisioning events across the enterprise, as well as extranet applications.

For more information on using Oracle Identity Manager, see Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.

26.2 Monitoring Oracle Identity Manager Performance

To identify performance bottlenecks, you can monitor real-time performance metrics for the Oracle Identity Manager database. For more information on how to monitor your Oracle Fusion Middleware components, see Chapter 4, "Monitoring Oracle Fusion Middleware".

For Oracle Identity Manager it is recommended that you perform the following at regular intervals:

  • Monitor real-time performance by using a performance-monitoring tool such as Oracle Enterprise Manager console or Automatic Workload Repository (AWR) in Oracle Database 11g.

    Note:

    You can use Oracle Enterprise Manager 11g Fusion Middleware Control to monitor Oracle Identity Manager. To do so:

    1. Under Identity Management, select Oracle Identity Manager to go to the home page. On the Home page, you can monitor Oracle Identity Manager.

    2. From the Oracle Identity Manager menu, select Performance to view performance metrics.

  • Collect routine statistics and report by using Oracle Database Enterprise Manager (EM), which is available in Oracle Database as a standard offering.

    • Routine Statistics Gathering

      Routine statistics gathering can be handled by the 'Automated Maintenance Tasks', which are available in the following navigation path in Oracle Database:

      Oracle EM, the Server tab, Query Optimizer, Manage Optimizer Statistics, the Automated Maintenance Tasks link

    • Reporting requirements of statistics through Oracle Database 11g EM

      To report on the state of the currently gathered statistics, EM provides a reporting interface in the following navigation path:

      Oracle EM, the Server tab, Query Optimizer, Manage Optimizer Statistics, the Object Statistics link

      This interface reports on all objects (of the schema, or of a single object of your choice) whose statistics are Stale, Missing, or Locked, or which have already been analyzed.

  • Collect complete schema statistics upon implementation of Oracle Identity Manager.

    Update schema statistics regularly, so that the Cost-Based Optimizer (CBO) can access the latest statistics. You must consider complete schema or table statistics on mass data change events such as bulkload of users or accounts, import of a new connector, a huge reconciliation run from a new target system, or use of an archival utility.

    This helps the CBO determine an efficient query execution plan that is based on the current state of data. The following is a sample SQL command to collect database statistics on a regular basis, where OIM_OIM stands for the Oracle Identity Manager schema owner:

    EXEC DBMS_STATS.GATHER_SCHEMA_STATS(OWNNAME => 'OIM_OIM', ESTIMATE_PERCENT => DBMS_STATS.AUTO_SAMPLE_SIZE, OPTIONS => 'GATHER AUTO', DEGREE => 8, CASCADE => TRUE);

    See Also:

    Gathering routine statistics and reporting can be done by performing the automated maintenance tasks available in Oracle Database 11g. See Oracle Database Performance Tuning Guide 11g Release 1 (11.1) for details.
    
  • Look for relevant recommendations provided in advisory sections in the Automatic Database Diagnostic Monitor (ADDM) or Automatic Workload Repository (AWR) report, and adjust the instance configuration parameters according to the recommended settings. This is specially required after importing a new connector and completing a round of reconciliation from a new target system so that you can identify the need of any new indexes according to your matching rules.

26.3 Basic Tuning Considerations

Depending on your Oracle Identity Manager usage and performance issues, you may consider tuning the following basic parameters. See Chapter 2, "Top Performance Areas" for additional tuning considerations.

26.3.1 Tuning and Managing Application Cache

Oracle Identity Manager allows caching of metadata, which reduces DB activities. This results in reduced network load and improved performance.

By default, caching for most of the configurations is disabled (set to false) so that configuration changes are reflected immediately in development environments, without having to restart the application servers.

The following sections provide some recommended cache values for tuning Oracle Identity Manager:

26.3.1.1 Tuning Oracle Identity Manager Cache

Caching is configured in the /db/oim-config.xml configuration file, which is located in MDS where Oracle Identity Manager stores the configuration. You can use Oracle Enterprise Manager (EM) to turn on caching, or export the oim-config.xml to make changes and then import it back to turn on caching.

Oracle recommends the following settings for the production environments for optimal and better performance. Using EM, go to System Mbean > Application Defined Mbeans > oracle.iam > server:oim_server1 > Application: oim > XMLConfig > Config > XMLConfig.CacheConfig > Cache > XMLConfig.CacheConfig.CacheCategoryConfig, and do the following:

  • Set the caching to true for all the components except the following two sections:

    threadLocalCacheEnabled="false"
    "StoredProcAPI" enabled="false"
    
  • For non-clustered installation, set clustered="false". For clustered installation, set clustered="true".

Note:

This change is saved into the MDS database schema used by the Oracle Identity Manager servers. Therefore, make the change only once for multi-node/clustered installations.

Enabling Cache Categories User_Org_Membership_And_Chain and ObjectDefinition

It is recommended that you enable the cache categories described in Table 26-1, based on your Oracle Identity Manager version. You do not need to enable these if your Oracle Identity Manager version is not the one given in the "Applicable Release" column of the following table:

Table 26-1 Instructions to Enable Cache Category

Cache Category Name Applicable Release Instructions

User_Org_Membership_And_Chain

Oracle Identity Manager 11g Release 2 (11.1.2.1.0)

You can enable this cache category using Oracle Enterprise Manager (EM) or by editing the oim-config.xml configuration file. To do this, complete the following steps:

Using EM

  1. Log in to EM.

  2. Go to mbean XMLConfig.CacheConfig under oracle.iam, and set the value of attribute Enabled to true, if not already set to true. Mbean's Object name is "oracle.iam:name=Cache,type=XMLConfig.CacheConfig,XMLConfig=Config,Application=oim,ApplicationVersion=11.1.2.0.0".

  3. Create a new cache category using mbean's createCacheCategoryConfig operation with the following parameters:

    enabled=true

    expirationTime=3600

    name=User_Org_Membership_And_Chain

Using oim-config.xml File

  1. Go to $OIM_HOME/bin.

  2. Set the environment variable OIM_ORACLE_HOME appropriately.

  3. Open the weblogic.properties file, and set the following properties in order to export the metadata file:

    wls_servername=oim_server1
    application_name=OIMAppMetadata
    metadata_to_loc=<TMP_DIRECTORY>
    metadata_files=/db/oim-config.xml
    
  4. Run the following command script to export the /db/oim-config.xml metadata file:

    ./weblogicExportMetadata.sh

    When prompted, enter the WebLogic credentials and the JNDI URL.

  5. Open the $TMP_DIRECTORY/db/oim-config.xml file, and add the following in the cacheCategoriesConfig tag:

    <cacheCategoryConfig enabled="true" expirationTime="14400"
    name="User_Org_Membership_And_Chain"/>
    
  6. Open the weblogic.properties file, and set the following properties in order to import the modified metadata file:

    wls_servername=oim_server1
    application_name=OIMAppMetadata
    metadata_from_loc=<TMP_DIRECTORY>
    
  7. Run the following command to import the modified /db/oim-config.xml metadata file into MDS:

    ./weblogicImportMetadata.sh

    When prompted, enter the WebLogic credentials and the JNDI URL.

ObjectDefinition

Oracle Identity Manager 11g Release 2 (11.1.2.0.0)

You can enable this cache category using Oracle Enterprise Manager (EM). To do so, complete the following steps:

  1. Log in to EM.

  2. Go to mbean XMLConfig.CacheConfig under oracle.iam, and set the value of attribute Enabled to true for the cache category ObjectDefinition.


Note:

For information about changing the configuration using Enterprise Manager, see "Using Enterprise Manager for Managing Oracle Identity Manager Configuration" in Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.

26.3.1.2 Purging the Cache

If you want to purge the cache, use the PurgeCache utility in the OIM_HOME/server/bin/ directory. This utility purges all elements in the cache.

Note:

  • Purging is required when caching is enabled and if you make any system configuration changes. It is not required if caching is disabled.

  • Before running the PurgeCache utility, navigate to the OIM_HOME/server/bin/ directory.

Before running the PurgeCache utility, you must run the DOMAIN_HOME/bin/setDomainEnv.sh script.

To use the PurgeCache utility, run PurgeCache.bat CATEGORY_NAME on Microsoft Windows or PurgeCache.sh CATEGORY_NAME on UNIX. The CATEGORY_NAME argument represents the name of the category that must be purged. For example, the following commands purge all FormDefinition entries from a system and its clusters:

PurgeCache.bat FormDefinition
PurgeCache.sh FormDefinition 

To purge all Oracle Identity Manager categories, pass a value of "All" to the PurgeCache utility. It is recommended to clear all the categories.

Note:

The wlfullclient.jar file must be in the classpath for the PurgeCache utility to run correctly.

26.3.2 Tuning the Application Server for Oracle Identity Manager

This section describes how to tune Oracle WebLogic Server for Oracle Identity Manager to improve performance. For additional Oracle WebLogic Server performance tuning information, see Oracle Fusion Middleware Performance and Tuning for Oracle WebLogic Server.

Note:

  • All tuning parameter suggestions and values in this section are for reference purposes only. Values should be modified based on your requirement, application usage patterns, loads, and hardware specifications.

  • Changing any of the settings may require you to restart the server.

26.3.2.1 Tuning JVM Memory Settings for Oracle Identity Manager

These settings should be used in addition to those described in Chapter 2, "Tuning Java Virtual Machines (JVMs)".

It is recommended to increase the heap and permgen memory for production environments as in Table 26-2 and monitor the memory usage pattern. Based on the usage, you can choose to increase or decrease the memory settings.

Table 26-2 JVM Parameters to be set for Tuning JVM Memory Settings

JVM Parameter                     HotSpot JVM   JRockit JVM

Min. Heap Size (Xms)              4GB           4GB
Max Heap Size (Xmx)               4GB           4GB
PermSize (-XX:PermSize)           500m          N/A
PermGen size (-XX:MaxPermSize)    1GB           N/A

To change the JVM memory setting:

  1. If you have OIM version 11.1.2.1.0 or above, use DOMAIN_HOME/bin/setOIMDomainEnv.sh (Unix) or setOIMDomainEnv.cmd (Windows). If not, continue to use DOMAIN_HOME/bin/setSOADomainEnv.sh (Unix) or setSOADomainEnv.cmd (Windows) to change the heap size settings.

  2. Change the value of DEFAULT_MEM_ARGS and PORT_MEM_ARGS from the default value and save.

  3. Restart the OIM Server.

Note:

For a clustered or multi-node installation, repeat the above steps on all the install locations.

26.3.2.2 Tuning the JDBC Connection Pool for Oracle Identity Manager

Oracle Identity Manager uses the oimOperationsDB and oimJMSStoreDS datasources deployed on Oracle WebLogic Server. By default, the maximum number of connections is set to 50. You may have to increase this based on your requirements. To increase the capacity of the JDBC connection pools:

  1. Open the WebLogic Server Administration Console.

  2. For JDBC Datasource xlXADS:

    1. Click Services, JDBC, Data Sources, oimOperationsDB, and then click the Connection Pool tab.

    2. Adjust the Initial Capacity and Maximum Capacity based on requirement.

    3. Set the Inactive Connection Timeout parameter to 30.

    For JDBC Datasource xlDS:

    1. Click Services, JDBC, Data Sources, oimJMSStoreDS, and then click the Connection Pool tab.

    2. Adjust the Initial Capacity and Maximum Capacity based on requirement.

    3. Set the Inactive Connection Timeout parameter to 30.

  3. Save and activate the changes.

    Note:

    Ensure that any increase in the number of connections in the application server connection pools is compensated for by database configuration changes. You might have to increase the MAX SESSIONS settings on Oracle Database.

26.3.2.3 Tuning the Number of Message Driven Beans for Oracle Identity Manager

Oracle Identity Manager uses Message Driven Beans (MDBs) for processing all offline activities, such as reconciliation, auditing, requests, attestation, and for its internal kernel operations. By default, a total of 80 MDB instances concurrently serve requests. However, based on the requirement, this can be increased by modifying the OIMMDBWorkManager configuration. To do so:

  1. Login to WebLogic Administrative Console.

  2. Navigate to Environment, Work Managers, and then to MaxThreadsConstraint-1.

  3. Change the count from 80 to a higher number per your requirement.

26.3.2.4 Tuning the User Interface Threads for Oracle Identity Manager

By default, Oracle Identity Manager provides 20 front-end thread configurations. These threads are used for serving front-end requests. To change the number of front-end thread configurations:

  1. Login to WebLogic Administrative Console.

  2. Navigate to Environment, Work Managers, and then to MaxThreadsConstraint-0.

  3. Change the value of the count from 20 to a number per your requirement.

26.3.2.5 Disabling the Reloading of Adapters and Plug-in Configuration

By default, reloading of adapters and plug-in configuration is enabled for ease of development. It should be disabled in the production environment. To do so:

  1. Export the /db/oim-config.xml file from MDS as described in "Exporting and Importing Configuration Files" in Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.

  2. In the oim-config.xml file, replace the following:

    <ADPClassLoaderConfig adapterReloadingEnabled="true" loadingStyle="ParentFirst" reloadInterval="15" reloadingEnabled="true">
    

    With:

    <ADPClassLoaderConfig adapterReloadingEnabled="false" loadingStyle="ParentFirst" reloadInterval="15" reloadingEnabled="false">
    
  3. Replace the following:

    <storeConfig reloadingEnabled="true" reloadingInterval="20"/>
    

    With:

    <storeConfig reloadingEnabled="false" reloadingInterval="20"/>
    
  4. Save the oim-config.xml file and import it back to MDS.
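The two edits above, together with the cacheCategoryConfig entry from Table 26-1, are attribute changes to an exported oim-config.xml. The following is an added example (not Oracle tooling) that applies them with the Python standard library, so that the exported file can be hardened and checked before it is imported back into MDS. The XML it operates on is a constructed minimal sample that carries only the elements the chapter quotes; the real exported file contains many more elements and namespace declarations, and the root element name used here is an assumption.

```python
"""Production hardening of an exported /db/oim-config.xml: turn off the
development-only adapter and plug-in reloading (section 26.3.2.5) and enable a
cache category under cacheCategoriesConfig (Table 26-1).

Added example, not Oracle tooling. The XML below is a constructed minimal
sample that only carries the elements the chapter quotes; the real file
exported from MDS has many more elements and namespace declarations."""
import xml.etree.ElementTree as ET

# Constructed sample: the "before" values from sections 26.3.1.1 and 26.3.2.5.
# The <oimConfig> root element is an assumption.
SAMPLE_OIM_CONFIG = """<oimConfig>
  <ADPClassLoaderConfig adapterReloadingEnabled="true" loadingStyle="ParentFirst"
                        reloadInterval="15" reloadingEnabled="true"/>
  <storeConfig reloadingEnabled="true" reloadingInterval="20"/>
  <cacheConfig clustered="false" enabled="true">
    <cacheCategoriesConfig>
      <cacheCategoryConfig enabled="true" expirationTime="14400" name="ObjectDefinition"/>
    </cacheCategoriesConfig>
  </cacheConfig>
</oimConfig>
"""

# Element -> attributes that must read "false" in production.
RELOAD_SWITCHES = {
    "ADPClassLoaderConfig": ("adapterReloadingEnabled", "reloadingEnabled"),
    "storeConfig": ("reloadingEnabled",),
}


def disable_reloading(root):
    """Set every reload switch in RELOAD_SWITCHES to "false".
    Returns the number of attributes actually changed, so a second run reports 0."""
    changed = 0
    for tag, attrs in RELOAD_SWITCHES.items():
        for elem in root.iter(tag):
            for attr in attrs:
                if elem.get(attr) != "false":
                    elem.set(attr, "false")
                    changed += 1
    return changed


def enable_cache_category(root, name, expiration_time):
    """Enable cache category `name`: flip enabled="true" if the category already
    exists, otherwise add a cacheCategoryConfig child with the given expiration."""
    parent = root.find(".//cacheCategoriesConfig")
    if parent is None:
        raise ValueError("cacheCategoriesConfig element not found in oim-config.xml")
    for cat in parent.findall("cacheCategoryConfig"):
        if cat.get("name") == name:
            cat.set("enabled", "true")
            return cat
    return ET.SubElement(parent, "cacheCategoryConfig",
                         {"enabled": "true", "expirationTime": str(expiration_time), "name": name})


def harden_config(xml_text, category="User_Org_Membership_And_Chain", expiration_time=14400):
    """Apply both changes; return (new_xml_text, number_of_reload_attributes_changed)."""
    root = ET.fromstring(xml_text)
    changed = disable_reloading(root)
    enable_cache_category(root, category, expiration_time)
    return ET.tostring(root, encoding="unicode"), changed


def reload_flags(xml_text):
    """Read back the three reload attributes, for a check before importing into MDS."""
    root = ET.fromstring(xml_text)
    adp = root.find(".//ADPClassLoaderConfig")
    store = root.find(".//storeConfig")
    return {
        "adapterReloadingEnabled": adp.get("adapterReloadingEnabled"),
        "reloadingEnabled": adp.get("reloadingEnabled"),
        "storeReloadingEnabled": store.get("reloadingEnabled"),
    }


def cache_categories(xml_text):
    """Map of cache category name -> value of its enabled attribute."""
    root = ET.fromstring(xml_text)
    return {c.get("name"): c.get("enabled") for c in root.iter("cacheCategoryConfig")}


if __name__ == "__main__":
    hardened, n = harden_config(SAMPLE_OIM_CONFIG)
    print(f"reload attributes changed: {n}")
    print(reload_flags(hardened))
    print(cache_categories(hardened))
```

Run it against the file exported to $TMP_DIRECTORY/db/oim-config.xml by reading the file into `harden_config` and writing the returned text back before the import step. Because the real file declares XML namespaces, call `ET.register_namespace` for each prefix before parsing, otherwise ElementTree rewrites the prefixes on output; `reload_flags` and `cache_categories` give a quick read-back so the import is only run once the attributes are confirmed.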

26.3.2.6 Changing the Number of Open File Descriptors for UNIX (Optional)

WebLogic limits the number of open file descriptors in the WEBLOGIC_HOME/common/bin/commEnv.sh script to 1024. In some cases, if there is a large number of concurrent users, WebLogic may throw the "TOO MANY OPEN FILES" exception. If you receive this error, then consider increasing the limit beyond 1024 in the script. Ensure that the operating system is able to handle the increase in the number of open files.

26.3.2.7 Tuning the JVM Garbage Collection for Solaris Sparc T3 or T4

To tune the JVM garbage collection for Solaris Sparc T3 or T4:

  1. In a text editor, open the setSOADomainEnv.sh or setSOADomainEnv.cmd file in the DOMAIN_HOME/bin/ directory.

  2. Set the value of USER_MEM_ARGS similar to the following:

    Note:

    The values shown for USER_MEM_ARGS are examples. You can change the values based on your requirement.

    USER_MEM_ARGS="-Xms3048m -Xmx3048m -Xmn1648m -Xss256k -XX:PermSize=384m -XX:MaxPermSize=384m"
    
  3. Set the value of JAVA_OPTIONS similar to the following:

    Note:

    The values shown for JAVA_OPTIONS are examples. You can change the values based on your requirement.

    JAVA_OPTIONS="-Xnoclassgc -XX:SurvivorRatio=8 -XX:TargetSurvivorRatio=90
     -XX:PermSize=350m -XX:MaxPermSize=350m -XX:+AggressiveOpts
     -XX:+UseParallelOldGC -XX:ParallelGCThreads=8 -XX:+PrintGCDetails
     -XX:+PrintGCTimeStamps -XX:+PrintGCDateStamps  -XX:ReservedCodeCacheSize=64m
     -XX:CICompilerCount=8 -XX:+AlwaysPreTouch -XX:+PrintReferenceGC
     -XX:+ParallelRefProcEnabled -XX:-UseAdaptiveSizePolicy
     -XX:+PrintAdaptiveSizePolicy -XX:+DisableExplicitGC"
    
  4. Save and close the file.

26.3.3 Tuning Database Parameters for Oracle Identity Manager

This section describes one sample configuration and outlines the principles for tuning Oracle Database for Oracle Identity Manager. For general database tuning information, see Tuning Database Parameters.

Oracle Identity Manager has many configuration options. The best way to identify bottlenecks and optimize performance is to monitor key database performance indicators in your production environment and adjust the configuration accordingly. Review the monitoring tasks described in Monitoring Oracle Identity Manager Performance and then use the guidelines in this section to help you choose the initial baseline database configuration.

Note:

It is important that you maintain the baseline database tuning parameters when working with Oracle Identity Manager. See the Oracle Database Performance Tuning Guide 11g Release 1 (11.1) for information on setting Oracle Database instance parameters.

26.3.3.1 Sample Instance Configuration Parameters

Table 26-3 provides information on some important performance-related database initialization parameters.

On some platforms, the SGA and PGA sizes are limited by the underlying operating system's restrictions on the maximum available memory. See Support Note: Oracle Database Server and the Operating System Memory Limitations [ID 269495.1].

Note:

For the Database Instance Parameters listed in Table 26-3, any one of the following memory management approaches can be used based on the Oracle Database versions:

  • Using Automatic Memory Management feature available in Oracle Database 11g: Here, the MEMORY_TARGET and MEMORY_MAX_TARGET parameters can be used to manage the SGA and PGA together.

  • Using Automatic Shared Memory Management (ASMM) available in Oracle Database 10g onward: Here, the SGA components can be managed by specifying the SGA_TARGET and SGA_MAX_SIZE parameters. PGA is managed separately through PGA_AGGREGATE_TARGET.

You should set the processes parameter to accommodate the following connection pool requirements and a few extra connections for external programs:

  • Connection pool size of XA data-source configured in Application Server

  • Connection pool size for non-XA data-source configured in Application Server

  • Direct database connection pool size configured in xlconfig.xml

Table 26-3 Sample Configuration Parameters

Parameter                  Recommended Initial Settings for Oracle Database 11g

memory_target              Using the Automatic Memory Management feature in Oracle Database 11g, the
                           MEMORY_TARGET and MEMORY_MAX_TARGET parameters can be used to manage the
                           SGA and PGA together.

                           Following are the memory settings for all the releases of IDM:

                           SGA_TARGET - 4G
                           PGA_AGGREGATE_TARGET - 2G

                           You can unset MEMORY_TARGET and MEMORY_MAX_TARGET from 11g onwards.

                           When MEMORY_TARGET manages the database memory components, SGA_TARGET
                           and PGA_AGGREGATE_TARGET can be left unallocated, which is 0.

db_keep_cache_size         800M
cursor_sharing             FORCE
open_cursors               800
session_cached_cursors     800
query_rewrite_integrity    TRUSTED
query_rewrite_enabled      TRUE
processes                  Based on connection pool settings
MAX_DISPATCHERS            0
MAX_SHARED_SERVERS         0
DISK_ASYNCH_IO             True


26.3.3.2 Physical Data Placement

The basic installation of Oracle Identity Manager uses three physical tablespaces to store the OIM database objects:

  • Data Tablespace to store the data of tables, their indexes and other objects.

  • LOB Tablespace to store OIM Orchestration LOB data.

  • Archival Tablespace to store OOTB Archival Tables of the OIM Entities catering to the Real-time Purge feature.

Tip:

To minimize disk space consumption, Oracle recommends the following:

During the initial startup phase of the deployment, the Oracle Identity Manager tablespace is expected to grow at the rate of 20G for every hundred thousand users reconciled into Oracle Identity Manager. The LOB tablespace grows at around 30% of the size of the main Oracle Identity Manager tablespace for the same users. Depending on the usage of orchestration in Oracle Identity Manager, which drives the LOB tablespace growth, the LOB tablespace can grow at a rate of 60% to 100% of the main tablespace in scenarios where orchestration is widely used.

Database administrators must monitor the exact growth rate in the real system for efficient disk space management.

For better performance, create multiple locally managed tablespaces and store each category of database object in a dedicated tablespace. This storage optimization helps efficient data access. The tables that are frequently accessed and have potential growth are highlighted in the following sections. Oracle recommends that you place these tables in their own dedicated tablespace(s).

Note that the tables highlighted in the following sections generally grow bigger and are accessed frequently in a typical Oracle Identity Manager deployment. In addition, you can use performance metrics to identify tables that are accessed frequently (hot tables). To reduce I/O contention, move hot tables to dedicated tablespaces.

Note:

Oracle Identity Manager offers an archival and purge solution in both Real-time online mode and Command Line mode to contain the data growth in most of these tables. See "Using the Archival Utilities" in Using the Archival and Purge Utilities for Controlling Data Growth for more information.

26.3.3.2.1 Tasks Tables

Oracle Identity Manager stores provisioning and approval task details in the following tables. These tables have a lot of potential to grow large over time. It is recommended to group them in one or more dedicated tablespaces.

  • OSI

  • OSH

  • SCH

26.3.3.2.2 Reconciliation Tables

The reconciliation schema of Oracle Identity Manager has both static and dynamic tables. The following is a list of static tables. The dynamic tables can be identified by querying the RECON_TABLE_NAME column in the RECON_TABLES table.

  • RECON_ACCOUNT_OLDSTATE

  • RECON_BATCHES

  • RECON_CHILD_MATCH

  • RECON_EVENTS

  • RECON_EVENT_ASSIGNMENT

  • RECON_EXCEPTIONS

  • RECON_HISTORY

  • RECON_JOBS

  • RECON_TABLES

  • RECON_UGP_OLDSTATE

  • RECON_USER_OLDSTATE

  • RECON_ACCOUNT_MATCH

  • RECON_ORG_MATCH

  • RECON_ROLE_HIERARCHY_MATCH

  • RECON_ROLE_MATCH

  • RECON_ROLE_MEMBER_MATCH

  • RECON_USER_MATCH

  • RA_LDAPUSER

  • RA_MLS_LDAPUSER

  • RA_LDAPROLE

  • RA_MLS_LDAPROLE

  • RA_LDAPROLEMEMBERSHIP

  • RA_LDAPROLEHIERARCHY

If your environment generates a large amount of reconciliation data, then move these tables to one or more dedicated tablespace(s).

26.3.3.2.3 Audit Tables

Oracle Identity Manager audits transactions based on the audit level setting. Most of the audit levels are likely to increase data growth significantly. Oracle recommends storing audit tables in their own tablespace. Oracle Identity Manager audit tables fall into two categories. The following tables store audit data in XML format. In this list, the UPA table is expected to grow especially large, and it is important to place it in a dedicated tablespace.

  • UPA

  • GPA

The user profile audit data is stored in the following flat structured tables. These tables are used by Oracle Identity Manager historical reports for compliance reporting. It is recommended to store these tables and their indexes in a dedicated tablespace.

  • UPA_FIELDS

  • UPA_GRP_MEMBERSHIP

  • UPA_RESOURCE

  • UPA_USR

  • UPA_UD_FORMS

  • UPA_UD_FORMFIELDS

You can use the Archival Utilities to maintain a large growth table. For more information, see Using the Archival Utilities in Oracle Fusion Middleware System Administrator's Guide for Oracle Identity Manager.

26.3.3.2.4 Redo-Log Files

Depending on the reconciliation processes configured in Oracle Identity Manager, the volume of database transactions and commits during a reconciliation run can be high. Oracle recommends that you use multiple redo-log files. The total allocated redo-log space should be 1 GB to 2 GB.

Oracle recommends the use of at least three redo log groups, with redo log members of at least 500 MB each. The multiplexing, the exact number of members, and the disk space for each member should be decided in accordance with your failure planning.

26.3.3.2.5 Keep Pool Changes

By default, Oracle Identity Manager assigns frequently referenced small tables to be cached in the database by using a keep pool buffer. See db_keep_cache_size in Table 26-3. If your installation contains more than 50,000 users, then Oracle recommends that you use the default database buffer for USR and PCQ tables instead of the keep pool buffer. You can use the following commands to put these tables in default buffer pool.

ALTER TABLE USR STORAGE(buffer_pool default);
ALTER TABLE PCQ STORAGE(buffer_pool default);

26.3.4 Tuning Oracle Internet Directory

To ensure that the Oracle Identity Manager is performing at the optimal level, it is important to tune the Oracle Internet Directory as described in Chapter 23, "Oracle Internet Directory Performance Tuning".

26.3.5 Tuning Application Module (AM) for User Interface

Application Module tuning is a critical setting which affects the UI performance. You must ensure that the recommended application module settings for Oracle Identity Manager are set in the setDomainEnv.sh file. These settings are already set out-of-box (OOB) in later releases of Oracle Identity Manager 11g Release 2 (11.1.2). To add the recommended application module settings for Oracle Identity Manager, do the following:

  1. Open the file $DOMAIN_HOME/bin/setDomainEnv.sh in a text editor.

  2. In the setDomainEnv.sh file, find the following lines:

    JAVA_OPTIONS="${JAVA_OPTIONS}"
    export JAVA_OPTIONS
    
  3. Change the first line to the following:

    JAVA_OPTIONS="-Djbo.ampool.doampooling=true -Djbo.ampool.minavailablesize=1 
    -Djbo.ampool.maxavailablesize=120 -Djbo.recyclethreshold=60 
    -Djbo.ampool.timetolive=-1 -Djbo.load.components.lazily=true 
    -Djbo.doconnectionpooling=true -Djbo.txn.disconnect_level=1 
    -Djbo.connectfailover=false -Djbo.max.cursors=5 
    -Doracle.jdbc.implicitStatementCacheSize=5 
    -Doracle.jdbc.maxCachedBufferSize=19 ${JAVA_OPTIONS}"
    

    Note:

    These recommended settings assume 100 concurrent users per node. If your number of concurrent users is different, use the following formula to change Djbo.ampool.maxavailablesize:

    Djbo.ampool.maxavailablesize = # of concurrent users + 20%

  4. Save the setDomainEnv.sh file.

  5. Restart the WebLogic Administration Server and the Oracle Identity Manager Managed Servers.

For more information on AM Pool tunings, see section 8.3.5 "Application Module Pooling" in the Oracle Fusion Middleware Performance and Tuning Guide.
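The JVM strings set in setSOADomainEnv.sh (USER_MEM_ARGS and JAVA_OPTIONS in section 26.3.2.7) and the application module pool options set in setDomainEnv.sh above are easy to get subtly wrong, because the shell does not validate them and the JVM silently takes the last occurrence of a duplicated option. The following is an added example (not part of Oracle's scripts) that parses those strings and checks them against the chapter's own rules: minimum and maximum heap equal (Table 26-2), young generation smaller than the heap, PermSize not above MaxPermSize, and jbo.ampool.maxavailablesize at least the number of concurrent users plus 20% (the formula above). The option names are the ones the chapter quotes; the sample strings are the chapter's sample values.

```python
"""Parse the JVM argument strings that the chapter puts in setSOADomainEnv.sh
(USER_MEM_ARGS, JAVA_OPTIONS, section 26.3.2.7) and setDomainEnv.sh (the ADF
application module pool -D options, section 26.3.5) and check them against the
chapter's own rules. Added example, not part of Oracle's scripts."""
import re
import shlex

# Sample values copied from the chapter (sections 26.3.2.7 and 26.3.5).
USER_MEM_ARGS = "-Xms3048m -Xmx3048m -Xmn1648m -Xss256k -XX:PermSize=384m -XX:MaxPermSize=384m"
JAVA_OPTIONS_GC = """-Xnoclassgc -XX:SurvivorRatio=8 -XX:TargetSurvivorRatio=90
 -XX:PermSize=350m -XX:MaxPermSize=350m -XX:+AggressiveOpts
 -XX:+UseParallelOldGC -XX:ParallelGCThreads=8 -XX:+PrintGCDetails
 -XX:+PrintGCTimeStamps -XX:+PrintGCDateStamps  -XX:ReservedCodeCacheSize=64m
 -XX:CICompilerCount=8 -XX:+AlwaysPreTouch -XX:+PrintReferenceGC
 -XX:+ParallelRefProcEnabled -XX:-UseAdaptiveSizePolicy
 -XX:+PrintAdaptiveSizePolicy -XX:+DisableExplicitGC"""
AM_POOL_OPTIONS = """-Djbo.ampool.doampooling=true -Djbo.ampool.minavailablesize=1
-Djbo.ampool.maxavailablesize=120 -Djbo.recyclethreshold=60
-Djbo.ampool.timetolive=-1 -Djbo.load.components.lazily=true
-Djbo.doconnectionpooling=true -Djbo.txn.disconnect_level=1
-Djbo.connectfailover=false -Djbo.max.cursors=5
-Doracle.jdbc.implicitStatementCacheSize=5
-Doracle.jdbc.maxCachedBufferSize=19 ${JAVA_OPTIONS}"""

SIZE_UNITS = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}
SIZE_RE = re.compile(r"(\d+)([kKmMgG]?)")


def parse_size(text):
    """JVM size literal (3048m, 256k, 4g, 8) -> bytes."""
    m = SIZE_RE.fullmatch(text)
    if not m:
        raise ValueError(f"not a JVM size literal: {text!r}")
    return int(m.group(1)) * SIZE_UNITS[m.group(2).lower()]


def parse_jvm_args(args):
    """Tokenise an argument string into {option: value}.
    -Xms3048m -> Xms: bytes; -XX:PermSize=384m -> PermSize: bytes;
    -XX:+Flag / -XX:-Flag -> Flag: True/False; -Dkey=val -> key: 'val'.
    A later duplicate overwrites an earlier one, as HotSpot itself does."""
    opts = {}
    for tok in shlex.split(args):
        if tok.startswith("$"):            # shell expansion such as ${JAVA_OPTIONS}
            continue
        if tok.startswith("-XX:"):
            body = tok[4:]
            if body[0] in "+-":
                opts[body[1:]] = body[0] == "+"
            else:
                key, _, val = body.partition("=")
                opts[key] = parse_size(val) if SIZE_RE.fullmatch(val) else val
        elif tok.startswith("-D"):
            key, _, val = tok[2:].partition("=")
            opts[key] = val
        elif re.fullmatch(r"-X(ms|mx|mn|ss)\S+", tok):
            opts[tok[1:4]] = parse_size(tok[4:])
        else:
            opts[tok.lstrip("-")] = True   # e.g. -Xnoclassgc
    return opts


def check_memory_args(opts):
    """Findings against Table 26-2 / section 26.3.2.7 (empty list = consistent)."""
    findings = []
    xms, xmx, xmn = opts.get("Xms"), opts.get("Xmx"), opts.get("Xmn")
    if xms is None or xmx is None:
        findings.append("set both Xms and Xmx explicitly")
    else:
        if xms != xmx:
            findings.append("Xms differs from Xmx; Table 26-2 sets min and max heap equal")
        if xmn is not None and xmn >= xmx:
            findings.append("Xmn (young generation) must be smaller than Xmx")
    perm, max_perm = opts.get("PermSize"), opts.get("MaxPermSize")
    if perm is not None and max_perm is not None and perm > max_perm:
        findings.append("PermSize exceeds MaxPermSize")
    return findings


def check_am_pool(opts, concurrent_users):
    """Section 26.3.5 rule: jbo.ampool.maxavailablesize = concurrent users + 20%."""
    findings = []
    if opts.get("jbo.ampool.doampooling") != "true":
        findings.append("jbo.ampool.doampooling is not true")
    required = (concurrent_users * 12 + 9) // 10     # ceil(users * 1.2) in integer maths
    size = int(opts.get("jbo.ampool.maxavailablesize", "0"))
    if size < required:
        findings.append(f"jbo.ampool.maxavailablesize={size} is below users + 20% = {required}")
    return findings


def conflicting_options(*arg_strings):
    """Options set to different values in more than one string. On the real command
    line the last occurrence wins silently, so such pairs deserve a look."""
    seen, conflicts = {}, {}
    for s in arg_strings:
        for key, val in parse_jvm_args(s).items():
            if key in seen and seen[key] != val:
                conflicts[key] = (seen[key], val)
            seen[key] = val
    return conflicts


if __name__ == "__main__":
    print("memory findings:", check_memory_args(parse_jvm_args(USER_MEM_ARGS)) or "none")
    print("AM pool findings (100 users):", check_am_pool(parse_jvm_args(AM_POOL_OPTIONS), 100) or "none")
    print("conflicts USER_MEM_ARGS vs JAVA_OPTIONS:", conflicting_options(USER_MEM_ARGS, JAVA_OPTIONS_GC))
```

Run against the chapter's own sample values, `conflicting_options` reports that PermSize and MaxPermSize are set to 384m in USER_MEM_ARGS and to 350m in JAVA_OPTIONS; whichever string the start script places later on the command line is the value the JVM actually uses, so when you adopt values from section 26.3.2.7 pick one place for each option. Pass the strings from your own setSOADomainEnv.sh and setDomainEnv.sh, and your measured concurrent user count, to get findings for your environment.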

26.4 Advanced Tuning Considerations

This section provides advanced tuning recommendations which may or may not apply to your environment. Review the following recommendations to determine if the changes would improve your Oracle Identity Manager performance.

26.4.1 Reconciliation Tuning

Three distinct process stages or functional modules come into play during the end-to-end reconciliation flow. The following are the three functional modules or stages that need to be optimized separately, but in relation to each other, to achieve complete performance optimization:

  • The Target System And The Connector

    The Connector fetches data from the target system, and invokes reconciliation create event APIs to create events and event data in reconciliation staging tables in the OIM database schema.

  • OIM Reconciliation Engine

    The OIM reconciliation engine extracts data from the staging tables and reconciles it into OIM. The process includes verification, matching of data, and taking actions based on the rules. The engine uses the database's bulk collection mechanism to do all of this processing in bulk.

  • Oracle Identity Manager Post-processing for Reconciliation

    The post-processing stage starts after the reconciliation engine has completed processing the incoming data from the target. During this stage, OIM kernel orchestrations are triggered to execute event handlers for tasks such as default password generation according to policy, role assignment, resource provisioning, audit processing, and so on.

This section includes the following topics:

26.4.1.1 Target System And Connector Tuning

This section describes the tuning that needs to be applied on your target systems as well as Oracle Identity Manager Connectors.

Oracle Internet Directory

During a reconciliation run, all changes in the target system records are reconciled into Oracle Identity Manager. Depending on the number of records to be reconciled, this process may require a large amount of time. In addition, if the connection breaks during reconciliation, then the process would take longer to complete. It is recommended that "paged reconciliation" is configured to optimize performance.

To configure paged reconciliation, you must specify a value for the PageSize attribute of the user reconciliation scheduled task. The default PageSize value of 100 suits most scenarios.

Note:

OID LDAP Server (the target system in this case) version 10.1.4 or later supports the LDAP operations that paged reconciliation relies on.

SAP

It is recommended that you use a reconciliation batch size of 100.

Active Directory (11.1.1.5.0 and 11.1.1.6.0 Connector)

  • Performance improvement patch

    • If you are using Active Directory 11.1.1.5.0, make sure that you apply patch # 15916848. You can download the patch from My Oracle Support. For patching instructions, refer to the Readme that is available with the patch.

    • If you are using Active Directory 11.1.1.6.0, download the patch # 15916848 from My Oracle Support. Import only the ReconAttributeMap.xml that is provided as part of the patch, using the deployment manager. You can ignore ActiveDirectory.Connector.dll provided in the patch, as it is updated in the 11.1.1.6.0 version itself. For patching instructions, refer to the Readme that is available with the patch.

  • Configuring the reconciliation engine to skip the ignore event API

    The default behavior is to first check, for each user record returned by the connector, whether to create a reconciliation event or to ignore it. This check compares the values of all the attributes of the user coming in from the connector against the values stored in the OIM database. To skip this check, open the lookup definition Lookup.Configuration.ActiveDirectory and add the following entry:

    • Code Key: Ignore Event Disabled

    • Decode: true

    Note:

    You must evaluate the pros and cons of disabling the ignore event API call before you make the above changes.

  • Batching

    If batching is used in the AD connector, then the result set needs to be sorted. Therefore, batching should be used only when the number of records to be reconciled is less than 10000. The recommended batch size is 500.

  • Paging

    • When the number of records to be reconciled is more than 10000, use the Page Size Configuration property present in Lookup.Configuration.ActiveDirectory and Lookup.Configuration.ActiveDirectory.Trusted.

    • If paging is configured to be used, then you must make sure that no value is specified for the scheduled task parameters - Batch Size, Batch Start, Number of Batches, Sort By, and Sort Direction.

    • Paging splits the entire result set of a query into smaller subsets called, appropriately enough, pages. In general, it is recommended to set this value to the maximum page size for simple searches. By setting the page size to the maximum value, you minimize the network round trips needed to retrieve each page, which tend to be the more expensive part of a simple search. If you specify a PageSize greater than the MaxPageSize of the target system, the Active Directory server ignores it and uses the MaxPageSize instead; no exception is raised in this case. In some cases, you might need to specify a smaller page size to avoid timeouts or overtaxing the server: some queries are especially expensive, and limiting the number of results in a single page helps avoid this. For the Active Directory Connector, use the default value of 1000 for the best performance.

  • Filters

    It is recommended to use filters and to provide a value for the Search Base if a specific set of records is to be retrieved from the target. The filter provided in the scheduled task is converted into an LDAP query. Filters narrow down the search, making the retrieval and processing of the data quicker. For more information about filters, refer to the Active Directory Connector documentation.

  • For reconciliation in a forest topology, you can use the connector to reconcile data from the complete forest (through the Global Catalog Server), or to reconcile data from a specific domain or domain controller. Whenever data from a specific data center is to be reconciled, it is recommended to use the second approach instead of the first option with a search base.

    For example:

    Assume that there are 10 data centers in the Active Directory forest, namely DC1, DC2, … , DC10. To reconcile data from an organization (tempOrg) that is present on DC2, you can use one of the following approaches:

    1. Use Global Catalog and provide the DN of the organization in the Search Base.

    2. Use DC2 and provide the DN of the organization in the Search Base.

    It is recommended to use the second approach for better performance.

26.4.1.2 Database Indexes For Recon Matching Rules

Reconciliation uses a matching algorithm to find whether the user, account, role, or organization for which the change is requested already exists in OIM. The matching algorithm compares the data in a set of OIM columns with the data in the target staging table columns. The columns that make up the matching rules are defined in the reconciliation profile and are resolved at run time. To improve the performance of the matching operation, the correct indexes must be created on the matching rule columns.

To illustrate the recommended method of identifying the appropriate indexes, a sample Active Directory (AD) user profile present in the Meta Data Store (MDS) repository is taken as an example. This example covers the following:

Note:

Starting with OIM 11g Release 2 (11.1.2.1.0), the indexes are created automatically in some cases where possible. It is still recommended to follow the procedure below and make sure that all of the indexes required for the reconciliation matching rule are in place.

Selecting Indexes For Trusted Source Reconciliation

To select indexes based on the matching rule criteria in trusted source reconciliation, you must complete the following steps:

  1. Open the Active Directory user profile file in a text editor. You can open Active Directory user profile using Validate Recon Profile test present in the diagnostic dashboard, or by using Validate Recon Profile MBean present in EM.

  2. Search for ownerMatchingRuleWhereClause or matchingRule for all entities:

    ownerMatchingRuleWhereClause = (((UPPER(USR.USR_LOGIN)=UPPER(RA_ADUSER7.RECON_USERID5A729570)) OR (UPPER(USR.USR_UDF_OBGUID)=UPPER(RA_ADUSER7.RECON_OBJECTGUID))))

  3. After identifying the columns constituting the matching rule in the profile, create the indexes accordingly.

    For example, the following indexes are needed for the matching rule in the preceding example.

    Table 26-4 Table Names and Columns to be Indexed

    Table Name    Column to be Indexed
    USR           UPPER(USR_LOGIN)
    USR           UPPER(USR.USR_UDF_OBGUID)
    RA_ADUSER7    UPPER(RECON_USERID5A729570)
    RA_ADUSER7    UPPER(RA_ADUSER7.RECON_OBJECTGUID)


    Note:

    • It is important that the indexes include the functions, such as UPPER or SUBSTR, that the matching rule applies to the columns. In Table 26-4, UPPER is the function used on all columns.

    • Some of the columns and functions might already be indexed. In Table 26-4, the USR table should already have a function-based index on UPPER(USR_LOGIN).

Selecting Indexes For Target Source Reconciliation

To select indexes based on the matching rule criteria in target resource reconciliation, you must complete the following steps:

  1. Open the Active Directory user profile file in a text editor. You can open the Active Directory user profile using the Validate Recon Profile test present in the diagnostic dashboard, or by using the Validate Recon Profile MBean present in EM.

  2. Search for the account <matchingruleWhereClause> tag:

    <matchingruleWhereClause>((UD_ADUSER.UD_ADUSER_OBJECTGUID=RA_ADUSER7.RECON_OBJECTGUID))</matchingruleWhereClause>

  3. After identifying the columns constituting the matching rule in the profile, create the indexes accordingly.

    For example, the following indexes are needed for the matching rule in the preceding example.

    Table 26-5 Table Names and Columns to be Indexed

    Table Name    Column to be Indexed
    UD_ADUSER     UD_ADUSER_OBJECTGUID
    RA_ADUSER7    RECON_OBJECTGUID


    Note:

    • It is important that the indexes include the functions, such as UPPER or SUBSTR, that the matching rule applies to the columns.

    • Some of the columns and functions might have been indexed already.

Selecting Indexes For Target Source Reconciliation With Multi-Valued Data

To select indexes based on the matching rule criteria in target resource reconciliation with multi-valued data, you must complete the following steps:

  1. Open the Active Directory user profile file in a text editor. You can open the Active Directory user profile using the Validate Recon Profile test present in the diagnostic dashboard, or by using the Validate Recon Profile MBean present in EM.

  2. For entitlements, search for the <matchingruleWhereClause> tag under <childreconeventdata>:

    <matchingruleWhereClause>((UD_ADUSRC.UD_ADUSRC_GROUPNAME=RA_UD_ADUSRC.RECON_MEMBEROF))</matchingruleWhereClause>

  3. After identifying the columns constituting the matching rule in the profile, create the indexes accordingly. For example, the following indexes are needed for the matching rule in the preceding example.

    Table 26-6 Table Names and Columns to be Indexed

    Table Name      Column to be Indexed
    UD_ADUSRC       UD_ADUSRC_GROUPNAME
    RA_UD_ADUSRC    RECON_MEMBEROF


    Note:

    • It is important that the indexes include the functions, such as UPPER or SUBSTR, that the matching rule applies to the columns.

    • Some of the columns and functions might have been indexed already.
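The three procedures above reduce to the same step: read the table-qualified columns out of the matching rule and index each one with the function the rule wraps it in. The following Python is an added example, not OIM product code, that does this for the ownerMatchingRuleWhereClause and matchingruleWhereClause strings quoted above; the IDX_ index names, their 30-character truncation, and the `existing` set of already-indexed expressions are assumptions of this example, not an OIM convention.

```python
"""Derive the function-based indexes an OIM reconciliation matching rule needs.
Added example, not OIM product code: it parses the ownerMatchingRuleWhereClause /
matchingruleWhereClause strings from a recon profile and emits one index per
table-qualified column, keeping the wrapping function (UPPER, SUBSTR, ...)."""
import re

# TABLE.COLUMN as written in the rule (the qualifier must not go into the index);
# comparisons are joined with OR/AND, which the rule's functions never contain.
_QUALIFIED_COLUMN = re.compile(r"\b([A-Z][A-Z0-9_]*)\.([A-Z][A-Z0-9_]*)\b", re.I)
_BOOLEAN_SPLIT = re.compile(r"\s+(?:OR|AND)\s+", re.I)

def _trim_parens(operand):
    """Drop parentheses that belong to clause grouping, not to a function call."""
    s = operand.strip()
    while s.startswith("(") and s.count("(") > s.count(")"):
        s = s[1:]
    while s.endswith(")") and s.count(")") > s.count("("):
        s = s[:-1]
    return s

def needed_indexes(where_clause):
    """Return [(table, expression), ...] for both sides of every comparison,
    e.g. UPPER(USR.USR_LOGIN) -> ('USR', 'UPPER(USR_LOGIN)')."""
    wanted = []
    for comparison in _BOOLEAN_SPLIT.split(where_clause):
        if "=" not in comparison:
            continue
        for operand in comparison.split("=", 1):
            expr = _trim_parens(operand)
            m = _QUALIFIED_COLUMN.search(expr)
            if m is None:
                continue
            table = m.group(1).upper()
            unqualified = (expr[: m.start()] + expr[m.start(2):]).upper()
            if (table, unqualified) not in wanted:
                wanted.append((table, unqualified))
    return wanted

def index_ddl(where_clause, existing=frozenset()):
    """CREATE INDEX statements, skipping (TABLE_NAME, COLUMN_EXPRESSION) pairs in
    `existing` (as read from USER_IND_EXPRESSIONS), since OIM already indexes
    USR on UPPER(USR_LOGIN). IDX_ names are this example's own convention,
    cut to the 30-character identifier limit of Oracle Database 11g."""
    statements = []
    for table, expr in needed_indexes(where_clause):
        if (table, expr) in existing:
            continue
        name = ("IDX_" + re.sub(r"[^A-Z0-9]", "_", table + "_" + expr))[:30].rstrip("_")
        statements.append(f"CREATE INDEX {name} ON {table} ({expr});")
    return statements
```

Feed `index_ddl` the where clause copied from the profile and the (TABLE_NAME, COLUMN_EXPRESSION) rows already present in USER_IND_EXPRESSIONS; the returned statements are exactly the rows of Tables 26-4 to 26-6 that are still missing.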

26.4.1.3 Oracle Identity Manager Post-processing for Reconciliation

Table 26-7 lists some of the important out-of-the-box event handlers that are invoked during post-processing of reconciliation.

Table 26-7 Event Handlers and Their Descriptions

Event Handler                       Description
AccountReconAuditHandler            Responsible for auditing account/target reconciliation changes
ReconScheduledTaskAccountHandler    Triggers workflows associated with account/target reconciliation
ReconScheduledTaskUserHandler       Triggers workflows associated with trusted reconciliation
ReconUserDisplayNameHandler         Generates custom display name for trusted reconciliation
ReconUserLoginHandler               Generates custom login during reconciliation
ReconUserPasswordHandler            Generates custom passwords for trusted reconciliation
UserCreateLdapPostProcessHandler    Creates user in LDAP if LDAP synchronization is enabled
UserUpdateLdapPostProcessHandler    Updates user in LDAP if LDAP synchronization is enabled


You can find the rest of the out-of-the-box and custom event handlers on the DMS metric page of the WebLogic Server. Use the following URL to go to the DMS metric page:

http://servername:port/dms

In this URL, port refers to the WebLogic Administration Server port. To log in, you must use the WebLogic admin credentials.

After you log into the DMS metric page, click on OIM_EventHandler to see the list of event handlers and their processing time metrics. You can use these metrics to identify event handlers that may need to be optimized.

26.4.2 Tuning LDAP Synchronization

Tuning LDAP synchronization performance in Oracle Identity Manager involves the following:

26.4.2.1 Increasing the Max Connection Pool for Oracle Identity Manager

To increase the max connection pool for Oracle Identity Manager:

  1. Log in to Oracle Identity System Administration.

  2. On the left pane, under Configuration, click IT Resource. The Manage IT Resource page is displayed in a new window.

  3. From the IT Resource Type list, select Directory Server, and then click Search.

  4. For the Directory Server IT resource, click Edit. The Edit IT Resource Details and Parameters page is displayed.

  5. Change the value of the following configuration parameters to 500:

    • Initial pool size: 500

    • Minimum pool size: 500

    • Maximum pool size: 500

  6. Click Update.

26.4.2.1.1 Increasing the LDAP Synchronization Batch Size

To increase the LDAP synchronization batch size, set the batch size of the following LDAP synchronization reconciliation scheduled jobs to 1000:

  • LDAP User Create and Update Reconciliation

  • LDAP Role Create and Update Reconciliation

  • LDAP Role Hierarchy Reconciliation

  • LDAP Role Membership Reconciliation

Note:

For details about the LDAP scheduled jobs, see "LDAP Scheduled Tasks" in Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.

26.4.2.1.2 Setting Configuration Parameters in OVD

When LDAP synchronization with OVD configured for OID is enabled in Oracle Identity Manager, the configuration parameters in OVD, as listed in Table 26-8, must be set:

Table 26-8 Configuration Parameters in OVD

Name                 Parameter                        Value
OVD general          Listeners - LDAP Endpoint        50
                     Listeners - LDAP SSL Endpoint    50
User Adapter         Max Pool Size                    500
                     Operation Timeout                1500000
                     Max Pool Wait                    1000
Changelog adapter    Max Pool Size                    500
                     Operation Timeout                1500000


26.4.2.1.3 Setting Configuration Parameters in OID

When LDAP synchronization with OVD/OID is enabled in Oracle Identity Manager, the configuration parameters in OID, as listed in Table 26-9, must be set:

Table 26-9 Configuration Parameters in OID

Name                            Parameter              Value
Max Number of DB Connections    orclmaxcc              10
Number of Processes             orclserverprocs        2 - 4
Skip Referral Process           orclskiprefinsql       1
LDAP Connection Timeout         orclldapconntimeout    60
Enable MatchDN Processing       orclmatchdnenabled     0
Enable Entry Cache              orclcacheenabled       0


To modify the attributes in Table 26-9, use the following syntax:

ldapmodify -h HOST_NAME -p PORT_NUMBER -D cn=orcladmin -w PASSWORD -v <<EOF
dn: cn=oid1,cn=osdldapd,cn=subconfigsubentry
changetype: modify
replace: ATTRIBUTE_NAME
ATTRIBUTE_NAME: VALUE
EOF

In this syntax, ATTRIBUTE_NAME and VALUE are the parameter name and value from Table 26-9 (for example, orclmaxcc and 10); repeat the replace block for each attribute to be changed.

26.4.2.1.4 Setting Configuration Parameters in Identity Virtualization Library (libOVD)

When LDAP synchronization with Identity Virtualization Library (libOVD) configured for OID is enabled in Oracle Identity Manager, the configuration parameters in Identity Virtualization Library (libOVD), as listed in Table 26-10, must be set:

Note:

You can manage the Identity Virtualization Library (libOVD) tuning parameter configuration by using the WLST command.

Table 26-10 Configuration Parameters in Identity Virtualization Library (libOVD)

Name                 Parameter            Value
User Adapter         Max Pool Size        500
                     Operation Timeout    1500000
                     Max Pool Wait        1000
Changelog adapter    Max Pool Size        500
                     Operation Timeout    1500000


See Also:

"Enabling Access Logging in Identity Virtualization Library (libOVD)" in the Oracle Fusion Middleware Integration Guide for Oracle Identity Management for information about enabling access logging in Identity Virtualization Library (libOVD) to capture all requests and responses flowing through Identity Virtualization Library (libOVD), which can be very useful in triaging performance issues.

26.4.2.1.5 Setting Configuration Parameters in WebLogic Server and JDBC

For information about setting configuration parameters in Oracle WebLogic Server and JDBC, see Section 26.3.2, "Tuning the Application Server for Oracle Identity Manager".