Sun Java System Access Manager 7.1 Performance Tuning and Troubleshooting Guide

Overview of the Access Manager Tuning Scripts

The Access Manager tuning scripts are non-interactive. To run a script, you first edit the parameters in the amtune-env configuration file to specify the tuning options you want to set for your specific environment. Then, you run either the amtune script, which calls other scripts as needed, or a specific script. For example, you might run only the amtune-identity script to tune only Access Manager.

The Access Manager tuning scripts and the amtune-env configuration file are installed in the following directory, depending on your platform:

Solaris systems: AccessManager-base/SUNWam/bin/amtune
Linux systems: AccessManager-base/identity/bin/amtune
Windows systems: javaes-install-directory\identity\bin\amtune

AccessManager-base is the Access Manager 7.1 base installation directory. The default base installation directory is /opt on Solaris systems and /opt/sun on Linux systems.

On Windows systems, the default value for javaes-install-directory is C:\Program Files\Sun\JavaES5.

The following table describes the tuning scripts that are available in the Access Manager 7.1 release. See also Tuning Scripts for Windows Systems.

Table 2–1 Access Manager Tuning Scripts


Script	Description
`amtune`	Wrapper script that calls other scripts based on values in the `amtune-env` file.
`amtune-identity`	Tunes the installed instance of Access Manager. Before you run the `amtune-identity` tuning script, it is recommended that you add the following property set to `false` to the `AMConfig.properties` file: `com.sun.identity.log.resolveHostName=false` A value of `false` minimizes the impact of resolving host names and thus can improve performance. (However, if you want the client machine's hostname to be printed in the `amAuthentication.access` log, set the value to `true`.) This script supports Web Server in JVM 64-bit mode. If Web Server 7.0 is the web container, it determines if Web Server 7.0 is running in 64-bit or 32-bit mode and then calculates the tuning parameters accordingly.
`amtune-os` Not available on Windows systems	Tunes the operating system kernel and TCP/IP parameters for both the Solaris OS and Linux OS. The script determines the OS type from the `uname -s` command. The `amtune-os`will not run if the wrapper `amtune` script is run in a global zone on Solaris 10 or higher.
`amtune-ws7`	Tunes the Sun Java System Web Server 7.0 web container. This script supports Web Server in JVM 64-bit mode. It determines if Web Server 7.0 is running in 64-bit or 32-bit mode and then calculates the tuning parameters accordingly.
`amtune-ws61`	Tunes the Sun Java System Web Server 6.1 2005Q4 SP5 web container.
`amtune-as8`	Tunes the Sun Java System Application Server Enterprise Edition 8.2 Web container.
`amtune-as7`	Tunes the Sun Java System Application Server 7 Web container.
`amtune-prepareDSTuner`	Generates the `amtune-directory` script, which you can use to tune the Directory Server that supports Access Manager. For more information, see Chapter 3, Directory Server Tuning.

Tuning Scripts for Windows Systems

Access Manager 7.1 includes tuning scripts for Microsoft Windows systems. Running the tuning scripts on a Windows system is similar to running the scripts on a Solaris system or Linux system, with these differences:

The Windows scripts are written in Perl and require Active Perl 5.8 to run.
A script to tune the Windows operating system is not available.
Before running a script, you must set the $BASEDIR parameter in the amtune-env.pl file to the Access Manager installation directory.
If you are tuning Directory Server, after running the amtune-prepareDSTuner.pl script, you must copy the amtune-utils.pl, amtune-directory.pl, and amtune-samplepasswordfile files to the Directory Server system.
Support for zones is not provided.

Tuning Modes

The Access Manager tuning scripts can run in the following modes, as determined by the AMTUNE_MODE parameter in the amtune-env file.

REVIEW mode (default). The scripts return tuning recommendations for an Access Manager deployment, but they do not make any actual changes to the environment.
CHANGE mode. The scripts make all of the tuning modifications that are defined in the amtune-env file, except for Directory Server. For information, see Chapter 3, Directory Server Tuning.

In either mode, the scripts return a list of tuning recommendations to the amtune debug log file and the terminal window. The location of the log file is determined by the com.iplanet.services.debug.directory parameter in the AMConfig.properties file. The default debug directory depends on your platform:

Solaris systems: /var/opt/SUNWam/debug
Linux and HP-UX systems: /var/opt/sun/identity/debug
Windows systems: javaes-install-directory\identity\debug where the default value for javaes-install-directory is C:\Program Files\Sun\JavaES5.

Caution –

Tuning is an iterative process that can vary for different deployments. The Access Manager tuning scripts try to apply the optimal tuning parameter settings. However, each deployment is unique and might require further customization to suit specific requirements.

Therefore, it is recommended that you first run a script in REVIEW mode and check the recommended changes in the amtune debug log file. Run the scripts in CHANGE mode only after you have reviewed the recommended tuning changes that will be applied to your deployment.

Running an Access Manager Tuning Script

To run a tuning script, use the following syntax:

amtune-script admin_password dirmanager_password [ as8_admin_password ]

The tuning script parameters are:

amtune-script is one of the tuning scripts: amtune, amtune-identity, amtune-os, amtune-ws61, amtune-as7, amtune-as8, or amtune-prepareDSTuner.
admin_password is the Access Manager Administrator password.
dirmanager_password is the Directory Manager (cn=Directory Manager) password.
as8_admin_password is the Administrator password that is required if you are tuning Application Server 8 (WEB_CONTAINER=AS8).

To run a tuning script:

Follow these basic steps to run an Access Manager Tuning script.

If you have not run the script in REVIEW mode, ensure that AMTUNE_MODE=REVIEW (which is the default value) in the amtune-env file.

Edit other parameters in the amtune-env file, depending on the components you want to tune and the requirements for your deployment:
- Access Manager Tuning Parameters
- Installation Environment Tuning Parameters
- Web Server 7.0 Tuning Parameters, if Web Server 7.0 is the web container
- Application Server 8 Tuning Parameters, if Application Server 8 is the web container
To tune the Directory Server that supports Access Manager, see Chapter 3, Directory Server Tuning.

In REVIEW mode, run either the amtune script or one of the component scripts.

Review the tuning recommendations in the debug log file. If needed, make changes to the amtune-env file based on this run.

If you are satisfied with the tuning recommendations from the REVIEW mode run, set AMTUNE_MODE=CHANGE in the amtune-env file.

In CHANGE mode, run either the amtune script or one of the component scripts.

For example, to tune the Solaris OS, run the amtune-os script, as follows:
# ./amtune-os admin_password dirmanager_password
Note –
In CHANGE mode, the amtune script might need to restart the web container and Access Manager. In some instances, amtune might also recommend a system restart.

Check the debug log file for the results of the run.

Consideration for the `com.iplanet.am.session.purgedelay` Property

This property specifies the number of minutes to delay the purge session operation. The value recommended by amtune is 0 or 1, depending upon the Access Manager version you're using. For clients such as Sun Java System Portal Server, a higher value may be needed. You must manually set the property after you run the amtune script:

In the AMConfig.properties file, set the property to the new value. For example:
```
com.iplanet.am.session.purgedelay=5
```
Restart the Access Manager web container for the new value to take effect.