Access Manager connections to directory services can inadvertently time out with negative consequences if idle timeout values are not set correctly with respect to Directory Server (or the directory service load balancer).
This task consists of the following procedures:
Access Manager uses a pool of open connections to access the directory service. If these connections remain idle for longer than the Directory Server's idle timeout period, the connections will be closed on the Directory Server end, and Access Manager will restart them.
However, if a load balancer (or firewall) is located between Access Manager and Directory Server, the idle timeout of the load balancer (or firewall) might close the connection before Directory Server does. Some load balancers (or firewalls) do not close the connection cleanly, and Access Manager is not notified of the closure. In this case, connections in the pool can be exhausted, requiring a restart of Access Manager. In addition, when a connection is not closed cleanly by a load balancer (or firewall), the Directory Server might not close the socket, causing the open sockets to accumulate.
To avoid this set of circumstances, the Directory Server's idle timeout for Access Manager connections must be less than the idle timeout interval of the directory service load balancer (or firewall).
Set the value of the Directory Server idle timeout to less than that of the directory service load balancer.
Run the following command on ds1:
# ldapmodify -h ds1.pstest.com -p 389 -D "cn=Directory Manager" <<EOF
dn: cn=amldapuser,ou=DSAME Users,dc=example,dc=com
changetype: modify
add: nsIdleTimeout
nsIdleTimeout: timeout-value
EOF
where timeout-value is a value in seconds less than the load balancer's idle timeout.
When prompted, type the directory-manager-password.
Access Manager uses Directory Server persistent searches to obtain asynchronous notifications of changes on the Directory Server. The persistent search mechanism provides an active channel through which information about changes that occur can be communicated back to Access Manager.
Each active, persistent search requires that an open TCP connection be maintained between Access Manager and Directory Server. If the persistent search connections are made through a load balancer (or firewall), then these connections are subject to being closed by the load balancer (or firewall). For some load balancers (and firewalls), the connection is not closed cleanly. As a result, the persistent searches are not automatically restarted, and change notifications are interrupted until a persistent search connection is re-established.
This interruption in persistent searches can be prevented by configuring the Access Manager idle timeout for persistent search to be shorter than the TCP idle timeout of the directory service load balancer (or firewall). Hence, persistent searches are restarted before the load balancer (or firewall) can time out.
On am1, open the AMconfig.properties file in a text editor.
The file is located at:
/etc/opt/SUNWam/config/AMconfig.properties
Locate the persistent search timeout property:
com.sun.am.event.connection.idle.timeout
This property specifies the timeout value in minutes after which persistent searches will be restarted. A value of “0” (the default) indicates that the connection does not time out, so that searches will not be restarted.
Set the persistent search timeout value as follows and save the change:
com.sun.am.event.connection.idle.timeout=timeout-value
where timeout-value is a value in minutes less than the load balancer's idle timeout value.
Restart the Access Manager instance, am-inst-am1 on am1.
# /opt/SUNWappserver/appserver/bin/asadmin stop-domain
# /opt/SUNWappserver/appserver/bin/asadmin start-domain --user admin domain1
When prompted, type the app-server-admin-password.
Repeat Steps 1–4 on am2.
Replace all occurrences of am1 with am2 in these steps.
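As an added example that is not part of the original guide, the following Python check reads the two settings this task configures from constructed copies of the amldapuser LDIF and of AMconfig.properties and verifies both ordering rules (Directory Server nsIdleTimeout in seconds and the persistent search timeout in minutes must each be below the load balancer's idle timeout, and the default 0 disables the restart). The file contents, the 1200-second load balancer value and the function names are assumptions.

```python
import re

# Constructed sample inputs standing in for the real files on ds1 and am1.
SAMPLE_LDIF = """dn: cn=amldapuser,ou=DSAME Users,dc=example,dc=com
objectClass: inetOrgPerson
nsIdleTimeout: 900
"""
WEAK_PROPERTIES = """# default: 0 = never time out, so persistent searches are never restarted
com.sun.am.event.connection.idle.timeout=0
"""
FIXED_PROPERTIES = """com.sun.am.event.connection.idle.timeout=15
"""
LB_IDLE_SECONDS = 1200  # assumed load balancer TCP idle timeout (constructed value)

def ds_idle_timeout_seconds(ldif):
    """nsIdleTimeout on the bind entry, in seconds; None when the attribute is absent."""
    m = re.search(r"^nsIdleTimeout:\s*(\d+)\s*$", ldif, re.MULTILINE)
    return int(m.group(1)) if m else None

def am_psearch_timeout_minutes(properties):
    """Persistent search idle timeout in minutes; the property defaults to 0 (never)."""
    key = r"^com\.sun\.am\.event\.connection\.idle\.timeout\s*=\s*(\d+)\s*$"
    m = re.search(key, properties, re.MULTILINE)
    return int(m.group(1)) if m else 0

def check_timeouts(lb_idle_seconds, ldif, properties):
    """Return the list of violated constraints; an empty list means the setup is consistent."""
    findings = []
    ds = ds_idle_timeout_seconds(ldif)
    if ds is None:
        findings.append("nsIdleTimeout is not set on amldapuser, so the server default applies")
    elif ds >= lb_idle_seconds:
        findings.append(f"nsIdleTimeout {ds}s is not below the load balancer idle timeout {lb_idle_seconds}s")
    am_min = am_psearch_timeout_minutes(properties)
    if am_min == 0:
        findings.append("persistent search idle timeout is 0, so searches are never restarted")
    elif am_min * 60 >= lb_idle_seconds:  # property is in minutes, load balancer in seconds
        findings.append(f"persistent search idle timeout {am_min}min is not below {lb_idle_seconds}s")
    return findings

if __name__ == "__main__":
    for label, props in (("weak", WEAK_PROPERTIES), ("fixed", FIXED_PROPERTIES)):
        print(label, check_timeouts(LB_IDLE_SECONDS, SAMPLE_LDIF, props) or ["ok"])
```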