Previous      Contents      Next
Sun Java System Identity Manager 2005Q4M3 Administration

6

Data Synchronization and Loading

This chapter provides information and procedures for using Identity Manager data synchronization and loading features.

Topics in this Chapter

In this chapter, you will learn more about:

Identity Manager data synchronization tools (discovery, reconciliation, and ActiveSync)
How to use the discovery, reconciliation, and ActiveSync features to keep data current

---

Data Synchronization Tools: Which to Use?

Follow these guidelines when selecting Identity Manager data synchronization tools to perform a task.

If you want to:	Then choose this feature:
Initially pull resource accounts into Identity Manager, without viewing before loading	Load from Resource
Initially pull resource accounts into Identity Manager, optionally viewing and editing data before loading	Extract to File, Load from File
Periodically pull resource accounts into Identity Manager, taking action on each account according to configured policy	Reconcile with Resources
Push or pull resource account changes into Identity Manager	ActiveSync (multiple resource implementations)

---

Discovery

Identity Manager account discovery features help facilitate rapid deployment and speed account creation tasks. These features are:

Extract to File — Extracts the resource accounts returned by a resource adapter to a file (in CSV or XML format). You can manipulate this file before importing the data into Identity Manager.
Load from File — Reads accounts in a file (in CSV or XML format) and loads them into Identity Manager.
Load from Resource — Combines the other two discovery features, extracting accounts from a resource and loading them directly into Identity Manager.

Using these tools, you can create new Identity Manager users or correlate accounts on a resource with existing Identity Manager user accounts.

Extract to File

Use this feature to extract resource accounts from a resource to an XML or CSV text file. Doing this allows you to view and make changes to extracted data before importing it into Identity Manager.

To extract accounts:

From the menu bar, select Accounts, and then select Extract to File.
Select a resource from which to extract accounts.
Select a file format for the output account information. You can extract data to an XML file, or to a text file with account attributes arranged in comma-separated value (CSV) format.
Click Download. Identity Manager displays a File Download dialog, which lets you choose to save or view the extracted file.

---

Tip  If you choose to open the file, you may have to select a program to view it.

---

Load from File

Use this feature to load resource accounts — either those extracted from a resource through Identity Manager, or from another file source — into Identity Manager. A file created by the Identity Manager Extract to File feature is in XML format. If you are loading a list of new users, the data file typically is in CSV format.

About CSV File Format

Often, accounts to be loaded are listed in a spreadsheet (such as Excel) and saved in comma-separated value (CSV) format for loading into Identity Manager. CSV file contents must follow these format guidelines:

Line 1 — Lists column headings or schema attributes for each field, separated by commas.

Lines 2 to end — Lists values for each attribute defined in line 1, separated by commas. If data does not exist for a field value, that field must be represented by adjacent commas.

For example, the first three lines of a file might look like this:

In this example, the second user (Jane Doe) does not have a department. The missing value is represented by adjacent commas (,,).

To load accounts:

From the menu bar, select Accounts, and then select Load from File.

Identity Manager displays the Load from File page, which lets you specify load options before continuing:

User Form — When load creates an Identity Manager user, the user form assigns an organization as well as roles, resources, and other attributes. Select the user form to apply to each resource account.
Account Correlation Rule — An account correlation rule selects Identity Manager users that might own each unowned resource account. Given the attributes of an unowned resource account, a correlation rule returns a list of names or a list of attribute conditions that will be used to select potential owners. Select a rule to look for Identity Manager users that may own each unowned resource account.
Account Confirmation Rule — An account confirmation rule eliminates any non-owner from the list of potential owners that the correlation rule selects. Given the full View of an Identity Manager user and the attributes of an unowned resource account, a confirmation rule returns true if the user owns the account and false otherwise. Select a rule to test each potential owner of a resource account. If you select No Confirmation Rule, Identity Manager accepts all potential owners without confirmation.

---

Note  In your environment, if the correlation rule will select at most one owner for each account, then you do not need a confirmation rule.

---

Load Only Matching — Select to load into Identity Manager only those accounts that match an existing Identity Manager user. If you select this option, load will discard any unmatched resource account.
Update Attributes — Select to replace the current Identity Manager user attribute values with the attribute values from the account being loaded.
Merge Attributes — Enter one or more attribute names, separated by commas, for which values should be combined (eliminating duplicates) rather than overwritten. Use this option only for list-type attributes, such as groups and mailing lists. You must also select the Update Attributes option.
Result Level — Select a threshold at which the load process will record an individual result for an account:
Errors only — Record an individual result only when loading an account produces an error message.
Warnings and errors — Record an individual result when loading an account produces a warning or an error message.
Informational and above — Record an individual result for every account. This causes the load process to run more slowly.
In the File to Upload field, specify a file to load, and then click Load Accounts.

---

Notes:

---

If the input file does not contain a user column, you must select a confirmation rule for the load to proceed correctly.
The task instance name associated with the load process is based on the input file name; therefore, if you re-use a file name, then the task instance associated with the latest load process will overwrite any previous task instances.





Figure 1. Load from File

If an account matches (or correlates with) an existing user, the load process will merge the account into the user. The process will also create a new Identity Manager user from any input account that does not correlate (unless Correlation Required is specified).

The bulkAction.maxParseErrors configuration variable sets a limit on the number of errors that can be found when a file is loaded. By default, the limit is 10 errors. If the maxParseErrors number of errors is found, then parsing stops.

Load from Resource

Use this feature to directly extract and import accounts into Identity Manager according to the load options you specify.

To import accounts, select Accounts from the menu bar, and then select Load from Resource.

---

Note  Identity Manager lets you specify load options before continuing. Load options available from the Load from Resource page, and the actions that result, are the same as those on the Load from File page.

---

---

Reconciliation

Use the reconciliation feature to highlight inconsistencies between the resource accounts on Identity Manager and the accounts that actually exist on a resource, and to periodically correlate account data.

Because reconciliation is designed for ongoing comparison, it:

Diagnoses account situations more specifically and supports a wider range of responses than the discovery process
Can be scheduled (discovery cannot)
Offers an incremental mode (discovery is always full mode).
Can detect native changes (discovery cannot)

You can also configure reconciliation to launch an arbitrary workflow at each of the following points in processing a resource:

Before reconciling any account
For each account
After reconciling all accounts

Access Identity Manager reconciliation features from the Resources area. The Resources list shows when each resource was last reconciled and its current reconciliation status.

About Reconciliation Policies

Reconciliation policies allow you to establish a set of responses, by resource, for each reconciliation task. Within a policy, you select the server to run reconciliation, determine how often and when reconciliation takes place, and set responses to each situation encountered during reconciliation. You can also configure reconciliation to detect changes made natively (not made through Identity Manager) to account attributes.

Editing Reconciliation Policies

To edit a reconciliation policy:

Select Resources from the menu bar.
Select a resource in the Resources list hierarchy.
Select Edit Reconciliation Policy from the Resource Actions options list.

Identity Manager displays the Edit Reconciliation Policy page, where you can make these policy selections:

Reconciliation Server — In a clustered environment, each server may run reconciliation. Specify which Identity Manager server will run reconciliation against resources in the policy.
Reconciliation Modes — Reconciliation can be performed in different modes, which optimize different qualities:
Full reconciliation — Optimizes for thoroughness at a cost of speed.
Incremental reconciliation — Optimizes for speed at the expense of some thoroughness.

Select the mode in which Identity Manager should run reconciliation against resources in the policy. Select Do not reconcile to disable reconciliation for targeted resources.

Full Reconciliation Schedule — If full mode reconciliation is enabled, it is performed automatically on a fixed schedule. Specify how frequently full reconciliation should be run against resources in the policy. Select the Inherit option to inherit the indicated schedule from a higher-level policy.
Incremental Reconciliation Schedule — If incremental mode reconciliation is enabled, it is performed automatically on a fixed schedule. Specify how frequently incremental reconciliation should be run against resources in the policy. Select the Inherit option to inherit the indicated schedule from a higher-level policy.

---

Note  Not all resources support incremental reconciliation.

---

Attribute-level Reconciliation — Reconciliation can be configured to detect changes made natively (that is, not made through Identity Manager) to account attributes. Specify whether reconciliation should detect native changes to the attributes specified in Reconciled Account Attributes.
Account Correlation Rule — An account correlation rule selects Identity Manager users that might own each unowned resource account. Given the attributes of an unowned resource account, a correlation rule returns a list of names or a list of attribute conditions that will be used to select potential owners. Select a rule to look for Identity Manager users that may own each unowned resource account.
Account Confirmation Rule — An account confirmation rule eliminates any non-owner from the list of potential owners that the correlation rule selects. Given the full View of an Identity Manager user and the attributes of an unowned resource account, a confirmation rule returns true if the user owns the account and false otherwise. Select a rule to test each potential owner of a resource account. If you select No Confirmation Rule, Identity Manager accepts all potential owners without confirmation.

---

Note  In your environment, if the correlation rule will select at most one owner for each account, then you do not need a confirmation rule.

---

Proxy Administrator — Specify the administrator to use when reconciliation responses are performed. The reconciliation can perform only those actions that the designated proxy administrator is permitted to do. The response will use the user form (if needed) associated with this administrator.

You can also select the No Proxy Administrator option. When selected, reconciliation results are available to view, but no response actions or workflows are run.

Situation Options (and Response)— Reconciliation recognizes several types of situations. Specify in the Response column any action reconciliation should take:
CONFIRMED — The expected account exists.
DELETED — The expected account does not exist.
FOUND — The reconciliation process found a matching account on an assigned resource.
MISSING — No matching account exists on a resource assigned to the user.
COLLISION — Two or more Identity Manager users are assigned the same account on a resource.
UNASSIGNED — The reconciliation process found a matching account on a resource not assigned to the user.
UNMATCHED — The account does not match any users.
DISPUTED — The account matches more than one user.

Select from one of these response options (available options vary by situation):

Create new Identity Manager user based on resource account — Runs the user form on the resource account attributes to create a new user. The resource account is not updated as a result of any changes.
Create resource account for Identity Manager user — Recreates the missing resource account, using the user form to regenerate the resource account attributes.
Delete resource account and Disable resource account — Deletes/disables the account on the resource.
Link resource account to Identity Manager user and Unlink resource account from Identity Manager user — Adds or removes the resource account assignment to or from the user. No form processing is performed.
Pre-reconciliation Workflow — Reconciliation can be configured to run a user-specified workflow prior to reconciling a resource. Specify the workflow that reconciliation should run. Select Do not run workflow if no workflow should be run.
Per-account Workflow — Reconciliation can be configured to run a user-specified workflow after responding to the situation of a resource account. Specify the workflow that reconciliation should run. Select Do not run workflow if no workflow should be run.
Post-reconciliation Workflow — Reconciliation can be configured to run a user-specified workflow after completing reconciliation for a resource. Specify the workflow that reconciliation should run. Select Do not run workflow if no workflow should be run.

Click Save to save policy changes.

Starting Reconciliation

Two options are available for starting reconciliation tasks:

Reconciliation schedule — You can set a reconciliation schedule on the Edit Reconciliation Policy page, which runs reconciliation at regular intervals.
Immediate reconciliation — Runs reconciliation immediately. To do this, select a resource in the resources list, and then select one of the following options in the Resource Actions list:
Full Reconcile Now
Incremental Reconcile Now

Reconciliation will run according to the parameters you have set in the policy. If the policy has a regular schedule set for reconciliation, it will continue to run as specified.

Canceling Reconciliation

To cancel reconciliation, select the resource, and then select Cancel Reconciliation from the Resource Actions list.

Viewing Reconciliation Status

The Status column in the Resources list reports several reconciliation status conditions. These are:

unknown — Status is not known. Results for the latest reconciliation task are not available.
disabled — Reconciliation is disabled.
failed — The latest reconciliation failed to complete.
success — The latest reconciliation completed successfully.
completed with errors — The latest reconciliation completed, but with errors.

---

Note  You must refresh this page to view changes to status (the information does not automatically refresh).

---

Detailed status information for each account on a resource is available. Select a resource in the list, and then select View Reconciliation Status from the Resource Actions list.

Working with the Account Index

The Account Index records the last known state of each resource account known to Identity Manager. It is primarily maintained by reconciliation, but other Identity Manager functions will also update the Account Index, as needed.

---

Note  Discovery tools do not update the Account Index.

---

Searching the Account Index

To search the account index, select Search Account Index from the Resource Actions list.

Select a search type, and then enter or select search attributes. Click Search to find accounts that match all search criteria.

Resource account name — Select this option, select one of the modifiers (starts with, contains, or is), and then enter part or all of an account name.
Resource is one of — Select this option, and then select one or more resources from the list, to find reconciled accounts that reside on the specified resources.
Owner — Select this option, select one of the modifiers (starts with, contains, or is), and then enter part or all of an owner name. To search for unowned accounts, search for accounts in the UNMATCHED or DISPUTED situation.
Situation is one of — Select this option, and then select one or more situations from the list to find reconciled accounts in the specified situations.

Click Search to search for accounts according to your search parameters. To limit the results of the search, optionally specify a number in the Limit results to first field. The default limit is the first 1000 accounts found.

Click Reset Query to clear the page and make new selections.

Examining the Account Index

It is also possible to view all Identity Manager user accounts and optionally reconcile them on a per-user basis. To do this, select Resources, and then select Examine Account Index.

The table displays all of the resource accounts that Identity Manager knows about (whether or not an Identity Manager user owns the account). This information is grouped by resource or by Identity Manager organization. To change this view, make a selection from the Change index view list.

Working with Accounts

To work with the accounts on a resource, select the Group by resource index view. Identity Manager displays folders for each type of resource. Navigate to a specific resource by expanding a folder. Click + or - next to the resource to display all resource accounts that Identity Manager knows about.

---

Note  Accounts that have been added directly to the resource since the last reconciliation on that resource are not displayed.

---

Depending on the current situation of a given account, you may be able to perform several actions. You can also view account details or choose to reconcile that one account.

Working with Users

To work with Identity Manager users, select the Group by user index view. In this view, Identity Manager users and organizations are displayed in a hierarchy similar to the Accounts List page. To see accounts currently assigned to a user in Identity Manager, navigate to the user and click the indicator next to the user name. The user’s accounts and the current status of those accounts that Identity Manager knows about are displayed under the user name.

Depending on the current situation of a given account, you may be able to perform several actions. You can also view account details or choose to reconcile that one account.

---

ActiveSync Adapters

The Identity Manager ActiveSync feature allows information that is stored in an authoritative external resource (such as an application or database) to synchronize with Identity Manager user data. Setting up active synchronization for an Identity Manager resource enables it to “listen” or poll for changes to the authoritative resource.

Setting Up Active Synchronization

Use the Active Sync Wizard in the Identity Manager resources area to set up active synchronization. This wizard leads you through a varying set of steps, depending on the choices you make, to set up active synchronization for a resource.

To launch the Active Sync Wizard, select a resource in the resources list, and then select Active Sync Wizard from the Resource Actions list of options.

The Active Sync Wizard Synchronization Mode page appears.

Synchronization Mode

The Synchronization Mode page lets you determine the range of configuration options you can choose during active synchronization setup.

Select from these options:

Input Form Usage — Select the mode to use when setting up active synchronization. You can choose to use a pre-existing form, which limits configuration choices for this resource. Alternatively, you can use a form that is generated by the Active Sync Wizard, which offers a complete set of configuration choices.

If you select Pre-Existing Input Form (the default), then make selections for these options:
Input Form — Select an input form that will process data updates. This optional configuration item allows attributes to be transformed before they are saved on the accounts.
Process Rule — Optionally select a process rule to run for each incoming account. This selection overrides all other options. If you specify a process rule, the process will be run for every row, regardless of other settings on the resource. It can be either a process name, or a rule evaluating to a process name.





Figure 2. Active Sync Wizard: Synchronization Mode, Pre-Existing Form Selections

If you select Use Wizard Generated Input Form, then make selections for these options:
Configuration Mode — Select whether to use basic or advanced mode within the Active Sync Wizard. Basic mode is the default option. If you select advanced mode, you can define event types and set process rules.
Process Rule — (Displays with advanced configuration mode only.) Optionally select a process rule to run for each incoming account. This selection overrides all other options. If you specify a process rule, the process will be run for every row, regardless of other settings on the resource. It can be either a process name, or a rule evaluating to a process name.
Post-Process Form — (Displays with advanced configuration mode only.) Optionally select a form to run, in addition to the form generated by the Active Sync Wizard. This form overrides any settings from the Active Sync Wizard.





Figure 3. Active Sync Wizard: Synchronization Mode, Wizard Generated Form Selections

Click Next to continue with the wizard. The Active Sync Running Settings page appears.

Running Settings

This page lets you establish settings for active sync:

Startup
Polling
Logging

Startup Settings

Make selections for active sync startup:

Startup Type — Select one of:
Automatic or Automatic with failover — Starts the authoritative source when the Identity system is started.
Manual — Requires that an administrator start the authoritative source.
Disabled — Disables the resource.
Proxy Administrator — Select the administrator who will process updates. All actions will be authorized through capabilities assigned to this administrator. You should select a proxy administrator with an empty user form.

Polling Settings

If you set a polling start date and time that is in the future, then polling will begin when specified. If you set a polling start date and time that is in the past, then Identity Manager determines when to begin polling based on this information and the polling interval. For example:

You configure active synchronization for the resource on July 18, 2005 (Tuesday)
You set the resource to poll weekly, with a start date of July 4, 2005 (Monday) and time of 9:00 a.m.

In this case, the resource will begin polling on July 25, 2005 (the following Monday).

If you do not specify a start date or time, then the resource will poll immediately. However, setting a start date and time is recommended; otherwise, each time the application server is restarted, all resources configured for active synchronization will begin polling immediately.

Make selections to set up polling:

Poll Every — Specify how often to poll. Enter a number, and then select the unit of time (Days, Hours, Minutes, Months, Seconds, or Weeks). Minutes is the default unit.
Polling Start Date —- Enter the day that the first scheduling interval should start, in yyyyMMdd format.
Polling Start Time — Enter the time of day that the first scheduling interval should start, in HH:mm:ss format.

Logging Settings

Make selections to set up logging information and levels:

Maximum Log Archives — If greater than zero, then retain the latest N log files. If zero, then a single log file is re-used. If -1, then log files are never discarded.
Maximum Active Log Age — After this period of time has elapsed, the active log will be archived. If the time is zero, then no time-based archival will occur. If Maximum Log Archives is zero, then the active log will instead be truncated and re-used after this time period. This age criteria is evaluated independently of the time criteria specified by Maximum Log File Size.

Enter a number, and then select the unit of time (Days, Hours, Minutes, Months, Seconds, or Weeks). Days is the default unit.

Log File Path — Enter the path to the directory in which to create the active and archived log files. Log file names begin with the resource name.
Maximum Log file Size — Enter the maximum size, in bytes, of the active log file. The active log file will be archived when it reaches maximum size. If Maximum Log Archives is zero, then the active log will instead be truncated and re-used after this time period. This size criteria is evaluated independently of the age criteria specified by Maximum Active Log Age.
Log Level — Enter the level of logging:
0 — no logging
1 — error
2 — information
3 — verbose
4 — debug





Figure 4. Active Sync Wizard: Running Settings

Click Next to continue with the wizard. The General Active Sync Settings page appears.

General Active Sync Settings

Use this page to specify general active sync configuration parameters.

Resource Specific Settings

---

Note  Available resource-specific settings vary depending on resource type. One or more of the following selections may not appear. The following settings apply to an LDAP resource.

---

Object Classes to Synchronize — Enter the object classes to synchronize. The change log is for all objects; this filters updates only to the listed object classes.
LDAP Filter for Accounts to Synchronize — Enter an optional LDAP filter for the objects to synchronize. The change log is for all objects; this filter updates only objects that match the specified filter. If you specify a filter, an object will be synchronized only if it matches the filter and includes a synchronized object class.
Attributes to synchronize — Enter the attribute names to synchronize. This ignores updates from the change log if they do not update any of the named attributes. For example, If only department is listed, then only changes that affect department will be processed. All other updates are ignored. If blank (the default), then all changes are processed.
Change Log Blocksize — Enter the number of change log entries to fetch per query. The default number is 100.
Change Number Attribute Name — Enter the name of the change number attribute in the change log entry.
Filter Changes By — Enter the names (RDNs) of directory administrators to filter from the changes. Changes with the attribute modifiersname that match entries in this list will be filtered.

The standard value is the administrator's name used by this adapter, to prevent loops. Entries should be in the format cn=Directory Manager.

Common Settings

Correlation Rule — Optionally specify a correlation rule to override the correlation rule specified in the resource's reconciliation policy. Correlation rules correlate resource accounts to Identity system accounts.
Confirmation Rule —- Optionally specify a confirmation rule to override the confirmation rule specified in the resource's reconciliation policy.
Resolve Process Rule — Optionally specify the name of a TaskDefinition to run in case of multiple matches to a record in the feed. This should be a process that prompts an administrator for manual action. It can be a process name or a rule evaluating to a process name.
Delete Rule — Optionally specify a rule, which returns true or false, that will be evaluated for each incoming user update to determine if a delete operation should occur.
Create Unmatched Accounts — When true, the adapter will attempt to create accounts that it does not find in the Identity system. When false, the adapter will run the account through the process returned by the Resolve Process Rule.
Assign Active Sync resource on create events — When this option is selected, the Active Sync source resource will be assigned to the user that is created when a create event is detected.
Populate Global — All attributes in the incoming accounts will always be available to the form under the ActiveSync namespace. If this option is selected, then all attributes (except accountId) will be available on the global namespace also.
When reset, ignore past changes — When the adapter is started for the first time or reset, select to ignore past changes. To reset the adapter, delete the configuration object IAPI_resourceName. This option is not available for all adapters.
Pre-Poll Workflow — Select an optional workflow to be executed immediately before each poll.
Post-Poll Workflow — Select an optional workflow to be executed immediately after each poll.

Click Save or Next to save changes to general settings for the resource:

If you are using the pre-existing input form, click Save to complete the wizard selections and return to the Resources list.
If you are using the wizard generated input form, click Next to continue.
If you are using basic configuration mode, the Target Resources page appears. (Skip forward in this chapter to Target Resources.)
If you are using advanced configuration mode, the Event Types page appears.

Event Types

Use this page to configure a mechanism to determine whether a certain type of change event has occurred on the active sync resource.

About Events

An active synchronization event is defined as a change that occurs on an active sync resource. The event types listed for each resource depend on the type of resource and the object affected by the change event. Some event types are create, delete, update, disable, enable, and rename.

Ignoring Events

You can select a mechanism to determine whether to ignore an active sync event. Options are:

None — No active sync events will be ignored.
Rule — Use a rule to determine whether to ignore the active sync event. If you select this option, then you must additionally select a rule from the options list.
Condition — Use a condition to determine whether to ignore the active sync event. After selecting this option, click Edit Condition to use the Condition Panel to define the condition.

Options for determining event types are:

None — There is no method for determining the event type.
Rule — Use a rule to determine the event type. If you select this option, then you must additionally select a rule from the options list.
Condition — Use a condition to determine the event type. After selecting this option, click Edit Condition to use the Condition Panel to define the condition.

Click Next to continue in the wizard. The Process Selection page appears.

Process Selection

Use this page to set up a workflow or process to run when the user view is checked in for a specific active sync event instance or type of active sync event.

Process Mode

You can select from two modes that determine which workflow or process will run when an active sync event occurs:

Rule — You can use a specific rule to determine which workflow or process to run for each active sync event instance. This means that the rule is executed each time an event occurs.

After selecting this option, select a rule (process determination rule) from the list.





Figure 5. Active Sync Wizard: Process Selection (Rule)

Event Type — You can run a workflow or process based on the event type of each event instance. This is the default selection.

After selecting this option, select a workflow or process to run for each event type listed.





Figure 6. Active Sync Wizard: Process Selection (Event Type)

Click Next to continue in the wizard. The Target Resources page appears.

Target Resources

Use this page to specify target resources to synchronize with this resource.

Select one or more resources from the Available Resources area, and then move them to the Target Resources area.

Figure 7. Active Sync Wizard: Target Resources

Click Next to continue. The Target Attribute Mappings page appears.

Target Attribute Mappings

Use this page to define the target attribute mappings for each target resource.

Select a target resource from the options list. To add a target attribute to the list, click Add Mapping.

Select the attribute, type, and attribute value for each target attribute. In the Applies To column, select one or more actions (Create, Update, or Delete) to which the mapping will apply.

Repeat Steps 1-3 for each target resource. To remove an attribute row from the list, select the row, and then click Remove Mapping.

Figure 8. Active Sync Wizard: Target Attribute Mappings

Click Save to save the attribute mappings and return to the resources list.

Editing ActiveSync Adapters

Before editing an ActiveSync adapter, you should stop active synchronization. From the Running Settings page, select Disable as Startup Type. A warning message will appear to indicate that active synchronization is disabled.

---

Note  Disabling active synchronization for a resource will result in stopping the active sync task when the resource is saved.

---

Active Synchronization in a Clustered Environment

The Error status indicator is present only on the Identity Manager server that performs active synchronization for the resource.

Tuning ActiveSync Adapter Performance

Since active synchronization is a background task, ActiveSync adapter configuration can affect server performance. Tuning ActiveSync adapter performance involves these tasks:

Changing polling intervals
Specifying the host where the adapter will run
Starting and stopping
Managing adapter logs

Manage ActiveSync adapters through the resources list. Select an ActiveSync adapter, and then access start, stop, and status refresh controls actions from the Resource Actions list.

Changing Polling Intervals

The polling interval determines when the ActiveSync adapter will start processing new information. Polling intervals should be determined based on the type of activity being performed. For example, if the adapter reads in a large list of users from a database and updates all users in Identity Manager each time, consider running this process daily in the early morning hours. Some adapters may have a quick search for new items to process and could be set to run every 10 seconds.

Specifying the Host Where the Adapter Will Run

To specify the host where the adapters will run, edit the waveset.properties file. In this file, you can edit either:

Set sources.hosts=hostname1,hostname2,hostname3. This lists the hostnames of machines to run ActiveSync adapters. The adapter will run on the first available host in this field.

or

Set sources.hosts=localhost

Setting the latter causes the adapter to run on the server on which the adapter was configured.

---

Note  In a cluster you should use the first option if you need to specify a specific server.

---

ActiveSync adapters that require more memory and CPU cycles can be configured to run on dedicated servers to help load balance the systems.

Starting and Stopping

ActiveSync adapters can be disabled, manually started, or automatically started just like services in NT. They also have to be assigned to run as an Identity Manager administrator. This administrator will scope the access of what the ActiveSync adapter can do, and will be listed in the audit log as the admin that made the changes. Optional attributes include log file size and path, log level.

When an adapter is set to automatic, the adapter restarts when the application server does. When you start an adapter, it will run immediately and execute at the specified polling interval. When you stop an adapter, the next time the adapter checks for the stop flag, it will stop.

Adapter Logs

Adapter logs capture information about the adapter current processing. The amount of detail that the log captures depends upon the logging level of the logging you have set. Adapter logs are useful for debugging problems and watching the adapter process progress.

Each adapter has its own log file, path, and log level. You specify these values on the Running Settings page.

Deleting Adapter Logs  

Adapter logs should be deleted only when adapter has been stopped. In most cases, make a copy of the log for archive purposes before deleting a log.

Previous      Contents      Next

---

Copyright 2006 Sun Microsystems, Inc. All rights reserved.