If you have deployed a Distributed Authentication UI server, you can run the Access Manager tuning scripts to tune the Solaris or Linux operating system and the web container. Except for the amtune-identity and amtune-prepareDSTuner scripts, the tuning scripts do not require an instance of Access Manager server to run.
This chapter provides the following information:
For more information about a Distributed Authentication UI server, see Chapter 11, Deploying a Distributed Authentication UI Server, in Sun Java System Access Manager 7.1 Postinstallation Guide.
Because Access Manager server is not installed on the system where the Distributed Authentication UI server is deployed, you must copy the following tuning scripts and files from an Access Manager 7.1 server installation:
amtune-os, if you plan to tune the Solaris or Linux OS
Appropriate web container script:
Web Server 7.0: amtune-ws7
Web Server 6.1 2005Q4: amtune-ws61
Application Server Enterprise Edition 8.2: amtune-as8
Application Server 7: amtune-as7
amtune-env configuration file and amtune-utils script
The scripts and files are available on an Access Manager server installation in the following directory, depending on your platform:
Solaris systems: AccessManager-base/SUNWam/bin/amtune
Linux systems: AccessManager-base/identity/bin/amtune
Windows systems: javaes-install-directory\identity\bin\amtune
AccessManager-base is the Access Manager 7.1 base installation directory. The default base installation directory is /opt on Solaris systems and /opt/sun on Linux systems.
On Windows systems, the default value for javaes-install-directory is C:\Program Files\Sun\JavaES5.
To tune the operating system for the Distributed Authentication UI server, run the amtune-os script. This script tunes the operating system kernel and TCP/IP parameters for both the Solaris OS and Linux OS. The script determines the OS type from the uname -s command.
On Solaris 10 and higher systems, the amtune-os script will not run if the wrapper amtune script is run in a local zone.
To run the amtune-os script, you first must copy it from an Access Manager server installation, as described in Copying the Tuning Scripts.
After you deploy the Distributed Authentication UI server on a web container, you can tune the web container by running the appropriate web container tuning script:
| Web Container | Tuning Script |
|---|---|
| Web Server 7.0 | amtune-ws7 |
| Web Server 6.1 | amtune-ws61 |
| Application Server Enterprise Edition 8.2 | amtune-as8 |
| Application Server 7 | amtune-as7 |
Make sure you have copied the necessary scripts from an Access Manager server installation, as described in Copying the Tuning Scripts.
Edit the parameters in the amtune-env configuration file to specify the web container and the tuning options.
To run the script in REVIEW mode, set AMTUNE_MODE=REVIEW in the amtune-env file.
Run the web container tuning script in REVIEW mode.
In REVIEW mode, the tuning script suggests tuning recommendations but does not make any changes to the deployment.
Review the tuning recommendations in the output log file, which is available in the same directory as the tuning scripts.
If needed, make changes to the amtune-env file based on this run.
To run the script in CHANGE mode, set AMTUNE_MODE=CHANGE in the amtune-env file.
To make actual tuning changes to your deployment, run the script in CHANGE mode.
Check the tuning results in the output log file.
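The REVIEW-then-CHANGE procedure above can be wrapped in a small pre-flight helper. The following is an added example, not one of the Access Manager scripts: it confirms that the files named in this chapter were copied, then switches AMTUNE_MODE while keeping a backup of amtune-env. The function names are hypothetical, and it assumes amtune-env holds a line beginning with AMTUNE_MODE=.

```shell
# Added example; the function names are hypothetical, not Access Manager tools.
# Assumption: amtune-env contains a line of the form AMTUNE_MODE=<value>.

# preflight DIR SCRIPT: confirm the files copied from the server are present.
preflight() {
    dir=$1; script=$2
    case $script in
        amtune-os|amtune-ws7|amtune-ws61|amtune-as8|amtune-as7) ;;
        *) echo "unknown tuning script: $script" >&2; return 2 ;;
    esac
    for f in amtune-env amtune-utils "$script"; do
        [ -f "$dir/$f" ] || { echo "missing: $dir/$f" >&2; return 1; }
    done
}

# get_mode FILE: print the effective AMTUNE_MODE (the last assignment wins).
get_mode() {
    sed -n 's/^AMTUNE_MODE=//p' "$1" | tail -n 1 | tr -d "\"'"
}

# set_mode FILE MODE: accept only REVIEW or CHANGE; keep the old file as .bak.
set_mode() {
    file=$1; mode=$2
    case $mode in
        REVIEW|CHANGE) ;;
        *) echo "invalid mode: $mode" >&2; return 2 ;;
    esac
    grep -q '^AMTUNE_MODE=' "$file" || { echo "no AMTUNE_MODE in $file" >&2; return 1; }
    cp -p "$file" "$file.bak" &&
        sed "s/^AMTUNE_MODE=.*/AMTUNE_MODE=$mode/" "$file.bak" > "$file"
}

# prepare_run DIR SCRIPT MODE: preflight, switch mode, then re-read to confirm.
prepare_run() {
    preflight "$1" "$2" || return
    set_mode "$1/amtune-env" "$3" || return
    [ "$(get_mode "$1/amtune-env")" = "$3" ] || return 1
    echo "ready: $2 will run in $3 mode"
}

# Demo on constructed placeholder files in a scratch directory.
demo=$(mktemp -d)
printf 'AMTUNE_MODE=CHANGE\n' > "$demo/amtune-env"
: > "$demo/amtune-utils"; : > "$demo/amtune-ws7"
prepare_run "$demo" amtune-ws7 REVIEW
rm -rf "$demo"
```

Re-reading the mode after the edit guards against a tuning script being started in CHANGE mode when a review-only run was intended.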
When you deploy a Distributed Authentication UI server using the default application user, performance can drop significantly due to the default application user's restricted privileges in Directory Server.
In the Access Manager console, create a new user. For example: DistAuthUIuser.
In Directory Server, add the DistAuthUIuser user with a new ACI to allow reading, searching, and comparing user attributes. An example of this new ACI is:
```ldif
dn: ou=1.0,ou=SunAMClientData,ou=ClientData,dc=example,dc=com
changetype: modify
add: aci
aci: (target="ldap:///ou=1.0,ou=SunAMClientData,ou=ClientData,dc=example,dc=com") (targetattr = "*")(version 3.0; acl "SunAM client data access for application user"; allow (read, search, compare) userdn = "ldap:///uid=DistAuthUIuser,ou=people,dc=example,dc=com";)
```
On the Distributed Authentication UI server, set the following variables in the configuration file:
```
APPLICATION_USER=DistAuthUIuser
APPLICATION_PASSWD=DistAuthUIuser-password
```
On Solaris and Linux systems, the configuration file is based on the amsamplesilent file and is named DistAuth_config in the next step. Set any other variables in the DistAuth_config file, as required for your deployment.
On Windows systems, use the AMConfigurator.properties file to create a new configuration file. For example: AMConfigurator-distauth.properties.
Run the amconfig script using the edited configuration file.
For example, on a Solaris system with Access Manager installed in the default directory:
```
# cd /opt/SUNWam/bin
# ./amconfig -s ./DistAuth_config
```
On Windows systems, in the amconfig.bat file, change AMConfigurator.properties to AMConfigurator-distauth.properties, and then run the edited amconfig.bat file.
Restart the web container on the Distributed Authentication UI server.
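Before loading the ACI from the Directory Server step above, it is worth confirming that it is well formed and grants only read, search and compare to the one application user. The following check is an added example, not part of Access Manager or Directory Server: check_aci is a hypothetical helper, the ACI is assumed to be a single unfolded line, and the malformed variants are constructed.

```shell
# Added example; check_aci is a hypothetical helper, not a Directory Server tool.
# Assumes one unfolded ACI line with no parentheses inside quoted strings.

DN='uid=DistAuthUIuser,ou=people,dc=example,dc=com'
BASE='ou=1.0,ou=SunAMClientData,ou=ClientData,dc=example,dc=com'
GOOD_ACI="(target=\"ldap:///$BASE\")(targetattr = \"*\")(version 3.0; acl \"SunAM client data access for application user\"; allow (read, search, compare) userdn = \"ldap:///$DN\";)"
# Constructed malformed variants: a dropped ")" and an extra write permission.
BAD_PAREN=$(printf '%s' "$GOOD_ACI" | sed 's/"\*")/"*"/')
BAD_PERM=$(printf '%s' "$GOOD_ACI" | sed 's/compare)/compare, write)/')

# count STRING CHAR: number of occurrences of CHAR in STRING.
count() { printf '%s' "$1" | tr -cd "$2" | wc -c | tr -d ' '; }

# check_aci ACI EXPECTED_DN: print "ok" or the first problem found.
check_aci() {
    aci=$1; want=$2
    [ "$(count "$aci" '(')" -eq "$(count "$aci" ')')" ] ||
        { echo "unbalanced parentheses"; return 1; }
    perms=$(printf '%s' "$aci" | sed -n 's/.*allow *(\([^)]*\)).*/\1/p')
    [ -n "$perms" ] || { echo "no allow clause"; return 1; }
    for p in $(printf '%s' "$perms" | tr ',' ' '); do
        case $p in
            read|search|compare) ;;
            *) echo "unexpected permission: $p"; return 1 ;;
        esac
    done
    dn=$(printf '%s' "$aci" | sed -n 's|.*userdn *= *"ldap:///\([^"]*\)".*|\1|p')
    [ "$dn" = "$want" ] || { echo "bind rule names '$dn'"; return 1; }
    echo ok
}

check_aci "$GOOD_ACI" "$DN"
check_aci "$BAD_PAREN" "$DN" || true
check_aci "$BAD_PERM" "$DN" || true
```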