Sun Java System Access Manager 7.1 Performance Tuning and Troubleshooting Guide

Chapter 4 Distributed Authentication UI Server Tuning

If you have deployed a Distributed Authentication UI server, you can run the Access Manager tuning scripts to tune the Solaris or Linux operating system and the web container. Except for the amtune-identity and amtune-prepareDSTuner scripts, the tuning scripts do not require an instance of Access Manager server to run.

This chapter provides the following information:

For more information about a Distributed Authentication UI server, see Chapter 11, Deploying a Distributed Authentication UI Server, in Sun Java System Access Manager 7.1 Postinstallation Guide.

Copying the Tuning Scripts

Because Access Manager server is not installed on the system where the Distributed Authentication UI server is deployed, you must copy the following tuning scripts and files from an Access Manager 7.1 server installation:

The scripts and files are available on an Access Manager server installation in the following directory, depending on your platform:

AccessManager-base is the Access Manager 7.1 base installation directory. The default base installation directory is /opt on Solaris systems and /opt/sun on Linux systems.

On Windows systems, the default value for javaes-install-directory is C:\Program Files\Sun\JavaES5.

Tuning the Operating System

To tune the operating system for the Distributed Authentication UI server, run the amtune-os script. This script tunes the operating system kernel and TCP/IP parameters for both the Solaris OS and Linux OS. The script determines the OS type from the uname -s command.

On Solaris 10 and higher systems, the amtune-os script will not run if the wrapper amtune script is run in a local zone.

To run the amtune-os script, you first must copy it from an Access Manager server installation, as described in Copying the Tuning Scripts.

Tuning a Distributed Authentication UI Server Web Container

After you deploy the Distributed Authentication UI server on a web container, you can tune the web container by running the appropriate web container tuning script:

Web Container                               Tuning Script
Web Server 7.0                              amtune-ws7
Web Server 6.1                              amtune-ws61
Application Server Enterprise Edition 8.2   amtune-as8
Application Server 7                        amtune-as7

Procedure: To tune a Distributed Authentication UI server web container

  1. Make sure you have copied the necessary scripts from an Access Manager server installation, as described in Copying the Tuning Scripts.

  2. Edit the parameters in the amtune-env configuration file to specify the web container and tuning options.

  3. To run the script in REVIEW mode, set AMTUNE_MODE=REVIEW in the amtune-env file.

  4. Run the web container tuning script in REVIEW mode.

    In REVIEW mode, the tuning script suggests tuning recommendations but does not make any changes to the deployment.

  5. Review the tuning recommendations in the output log file, which is available in the same directory as the tuning scripts.

    If needed, make changes to the amtune-env file based on this run.

  6. To run the script in CHANGE mode, set AMTUNE_MODE=CHANGE in the amtune-env file.

  7. To make actual tuning changes to your deployment, run the script in CHANGE mode.

  8. Check the tuning results in the output log file.

Improving Performance for the Default Application User

When you deploy a Distributed Authentication UI server using the default application user, performance can drop significantly due to the default application user's restricted privileges in Directory Server.

Procedure: To improve performance for the Distributed Authentication UI server default user

  1. In the Access Manager console, create a new user. For example: DistAuthUIuser.

  2. In Directory Server, add the DistAuthUIuser user with a new ACI to allow reading, searching, and comparing user attributes. An example of this new ACI is:

    # Lines that begin with an extra space continue the aci value (LDIF line folding).
    dn: ou=1.0,ou=SunAMClientData,ou=ClientData,dc=example,dc=com
    changetype: modify
    add: aci
    aci: (target="ldap:///ou=1.0,ou=SunAMClientData,ou=ClientData,dc=example,dc=com")
     (targetattr = "*")(version 3.0; acl "SunAM client data access for application user";
      allow (read, search, compare)
      userdn = "ldap:///uid=DistAuthUIuser,ou=people,dc=example,dc=com";)

  3. On the Distributed Authentication UI server, set the following variables in the configuration file:

    APPLICATION_USER=DistAuthUIuser
    APPLICATION_PASSWD=DistAuthUIuser-password
    

    On Solaris and Linux systems, the configuration file is based on the amsamplesilent file and is named DistAuth_config in the next step. Set any other variables in the DistAuth_config file, as required for your deployment.

    On Windows systems, use the AMConfigurator.properties file to create a new configuration file. For example: AMConfigurator-distauth.properties.

  4. Run the amconfig script using the edited configuration file.

    For example, on a Solaris system with Access Manager installed in the default directory:

    # cd /opt/SUNWam/bin
    # ./amconfig -s ./DistAuth_config

    On Windows systems, in the amconfig.bat file, change AMConfigurator.properties to AMConfigurator-distauth.properties, and then run the edited amconfig.bat file.

  5. Restart the web container on the Distributed Authentication UI server.
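
A pre-flight check for the ACI from step 2, added here as an example and not part of the Sun guide or of Access Manager: it unfolds the LDIF, confirms that the ACI's parentheses and quotes balance, and confirms that it grants only read, search, and compare to the single application user DN. The function names and the embedded LDIF sample are constructed for illustration, and the DN comparison is a plain case-insensitive string match.

```python
import re

APP_DN = "uid=DistAuthUIuser,ou=people,dc=example,dc=com"
READ_ONLY = {"read", "search", "compare"}

# Constructed sample: the step 2 entry as LDIF with folded (space-led) lines.
SAMPLE_LDIF = '''dn: ou=1.0,ou=SunAMClientData,ou=ClientData,dc=example,dc=com
changetype: modify
add: aci
aci: (target="ldap:///ou=1.0,ou=SunAMClientData,ou=ClientData,dc=example,dc=com")
 (targetattr = "*")(version 3.0; acl "SunAM client data access for application user";
  allow (read, search, compare)
  userdn = "ldap:///uid=DistAuthUIuser,ou=people,dc=example,dc=com";)
'''

def extract_acis(ldif):
    """Unfold LDIF continuation lines, then return every aci value."""
    unfolded = re.sub(r"\r?\n ", "", ldif)
    return [l[4:].strip() for l in unfolded.splitlines() if l.lower().startswith("aci:")]

def balanced(aci):
    """True if parentheses outside quoted strings pair up and quotes are closed."""
    depth, quoted = 0, False
    for ch in aci:
        if ch == '"':
            quoted = not quoted
        elif not quoted and ch in "()":
            depth += 1 if ch == "(" else -1
            if depth < 0:
                return False
    return depth == 0 and not quoted

def lint_aci(aci, expected_dn):
    """Return a list of findings; an empty list means the ACI passed."""
    findings = []
    if not balanced(aci):
        findings.append("unbalanced parentheses or quotes")
    m = re.search(r"allow\s*\(([^)]*)\)", aci)
    rights = {r.strip().lower() for r in m.group(1).split(",")} if m else set()
    extra = rights - READ_ONLY
    if not rights or extra:
        findings.append("rights are not limited to read/search/compare: %s" % sorted(extra))
    subjects = re.findall(r'userdn\s*=\s*"ldap:///([^"]*)"', aci)
    if [s.lower() for s in subjects] != [expected_dn.lower()]:
        findings.append("bind rule is not limited to " + expected_dn)
    return findings

if __name__ == "__main__":
    for aci in extract_acis(SAMPLE_LDIF):
        print(lint_aci(aci, APP_DN) or "ACI OK")
```

Running the same check against the LDIF file before it is applied catches a dropped parenthesis or a widened bind rule before Directory Server sees it.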