26 Oracle Identity Manager Performance Tuning

This chapter provides guidelines for tuning and sizing specific to Oracle Identity Manager (OIM). It contains these topics:

Note:

As with any enterprise class business application, there is no simple procedure for tuning that works for all systems. The tuning sections in this chapter provide (in some cases) sample configurations and outline the principles for tuning Oracle Identity Manager. Consider your own use case scenarios to determine which settings are appropriate.

26.1 About Oracle Identity Manager

Oracle Identity Manager (OIM) provides operational and business efficiency through centralized administration and complete automation of identity and user provisioning events across the enterprise, as well as extranet applications.

For more information on using Oracle Identity Manager, see Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.

26.2 Monitoring Oracle Identity Manager Performance

To identify performance bottlenecks, you can monitor real-time performance metrics for the Oracle Identity Manager database. For more information on how to monitor your Oracle Fusion Middleware components, see Chapter 4, "Monitoring Oracle Fusion Middleware".

For Oracle Identity Manager it is recommended that you perform the following at regular intervals:

  • Monitor real-time performance by using a performance-monitoring tool such as Oracle Enterprise Manager console or Automatic Workload Repository (AWR) in Oracle Database 11g.

    Note:

    You can use Oracle Enterprise Manager 11g Fusion Middleware Control to monitor Oracle Identity Manager. To do so:

    1. Under Identity Management, select Oracle Identity Manager to go to the home page. On the Home page, you can monitor Oracle Identity Manager.

    2. From the Oracle Identity Manager menu, select Performance to view performance metrics.

  • Collect routine statistics and report by using Oracle Database Enterprise Manager (EM), which is available in Oracle Database as a standard offering.

    • Routine Statistics Gathering

      Routine statistics gathering can be taken care of by the 'Automated Maintenance Tasks', which are available in the following navigation path in Oracle Database:

      Oracle EM, the Server tab, Query Optimizer, Manage Optimizer Statistics, the Automated Maintenance Tasks link

    • Reporting requirements of statistics through Oracle Database 11g EM

      To report on the state of the currently gathered statistics, EM provides a reporting interface in the following navigation path:

      Oracle EM, the Server tab, Query Optimizer, Manage Optimizer Statistics, the Object Statistics link

      This interface reports on all objects (of a schema, or even a single object of your choice) whose statistics are stale, missing, or locked, or that have already been analyzed.

  • Collect complete schema statistics upon implementation of Oracle Identity Manager.

    Update schema statistics regularly, so that the Cost-Based Optimizer (CBO) can access the latest statistics. You must consider gathering complete schema or table statistics after mass data change events such as a bulk load of users or accounts, import of a new connector, a large reconciliation run from a new target system, or use of an archival utility.

    This helps the CBO determine an efficient query execution plan that is based on the current state of data. The following is a sample PL/SQL block that collects schema statistics; replace schema_owner with the name of the Oracle Identity Manager schema and run it on a regular basis:

    BEGIN
      DBMS_STATS.GATHER_SCHEMA_STATS(OWNNAME => 'schema_owner',
        DEGREE  => 8,
        OPTIONS => 'GATHER AUTO',
        CASCADE => TRUE);
    END;
    /

    See Also:

    Gathering routine statistics and reporting can be done by performing the automated maintenance tasks available in Oracle Database 11g. See Oracle Database Performance Tuning Guide 11g Release 1 (11.1) for details.

  • Look for relevant recommendations provided in the advisory sections of the Automatic Database Diagnostic Monitor (ADDM) or Automatic Workload Repository (AWR) report, and adjust the instance configuration parameters according to the recommended settings. This is especially required after importing a new connector and completing a round of reconciliation from a new target system, so that you can identify the need for any new indexes according to your matching rules.
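
As an added example (not part of the Oracle guide), the following SQL*Plus script reports which tables in the Oracle Identity Manager schema have missing or stale optimizer statistics, then refreshes statistics for one table that has just received a mass data change and verifies the result. The schema name DEV_OIM and the choice of RECON_EVENTS as the affected table are assumptions; substitute your own schema and the table that dominated the load.

```sql
-- Added example, not from the Oracle guide. Assumes the OIM schema is DEV_OIM
-- (placeholder) and that the session has SELECT on DBA_TAB_STATISTICS and
-- EXECUTE on DBMS_STATS (a DBA account, or the schema owner for its own tables).

-- 1. Flush the DML monitoring counters so STALE_STATS reflects the latest changes.
BEGIN
  DBMS_STATS.FLUSH_DATABASE_MONITORING_INFO;
END;
/

-- 2. Tables never analyzed, or stale (default threshold: 10% of rows changed
--    since the last gather), largest first, so a bulk-loaded table shows on top.
SELECT table_name,
       num_rows,
       last_analyzed,
       CASE WHEN last_analyzed IS NULL THEN 'MISSING' ELSE 'STALE' END AS stats_state
  FROM dba_tab_statistics
 WHERE owner = 'DEV_OIM'
   AND object_type = 'TABLE'
   AND (stale_stats = 'YES' OR last_analyzed IS NULL)
 ORDER BY num_rows DESC NULLS FIRST;

-- 3. Targeted gather for the table that received the mass change, for example
--    RECON_EVENTS after a large reconciliation run. CASCADE => TRUE also gathers
--    its index statistics; AUTO_SAMPLE_SIZE lets Oracle choose the sample.
BEGIN
  DBMS_STATS.GATHER_TABLE_STATS(
    ownname          => 'DEV_OIM',
    tabname          => 'RECON_EVENTS',
    estimate_percent => DBMS_STATS.AUTO_SAMPLE_SIZE,
    degree           => 4,
    cascade          => TRUE);
END;
/

-- 4. Confirm the gather landed: LAST_ANALYZED should now be the current time
--    and STALE_STATS should read NO.
SELECT table_name, num_rows, last_analyzed, stale_stats
  FROM dba_tab_statistics
 WHERE owner = 'DEV_OIM' AND table_name = 'RECON_EVENTS';
```

Run the report before and after a mass data change. The schema-wide GATHER_SCHEMA_STATS call shown earlier in this section covers the routine case; the targeted gather is for the single table that absorbed most of the new rows, where a schema-wide run would be needlessly slow.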

26.3 Basic Tuning Considerations

Depending on your Oracle Identity Manager usage and performance issues, you may consider tuning the following basic parameters. See Chapter 2, "Top Performance Areas" for additional tuning considerations.

26.3.1 Tuning and Managing Application Cache

Oracle Identity Manager allows caching of metadata, which reduces DB activities. This results in reduced network load and improved performance.

By default, caching for most of the configurations is disabled (set to false) so that, in development environments, configuration changes are reflected immediately without having to restart the application servers.

The following sections provide some recommended cache values for tuning Oracle Identity Manager:

26.3.1.1 Tuning Oracle Identity Manager Cache

Caching is configured in the /db/oim-config.xml configuration file, which is located in MDS. See "Using Enterprise Manager for Managing Oracle Identity Manager Configuration" in Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager for information about how to make changes to this file.

Oracle recommends the following settings for production environments for optimal performance.

  • Set the caching to true for all the components except the following two sections:

    threadLocalCacheEnabled="false"
    "StoredProcAPI" enabled="false"
    
  • Set clustered="false" for non-clustered installation and clustered="true" for clustered installation.

Example 26-1 shows a snippet from the /db/oim-config.xml file, with all the caching enabled for production systems.

Example 26-1 Sample Cache Values for oim-config.xml in a Clustered Production Environment

<cacheConfig clustered="true" enabled="true" expirationTime="144000"
provider="oracle.iam.platform.utils.cache.OSCacheProvider" threadLocalCacheEnabled="false">
<cacheCategoriesConfig>
<cacheCategoryConfig name="DataObjectEventHandlers" enabled="true" expirationTime="14400"/>
<cacheCategoryConfig name="ProcessDefinition" enabled="true" expirationTime="14400"/>
<cacheCategoryConfig name="EmailDefinition" enabled="true" expirationTime="14400"/>
<cacheCategoryConfig name="RuleDefinition" enabled="true" expirationTime="14400"/>
<cacheCategoryConfig name="FormDefinition" enabled="true" expirationTime="14400"/>
<cacheCategoryConfig name="ColumnMap" enabled="true" expirationTime="14400"/>
<cacheCategoryConfig name="UserDefinedColumns" enabled="true" expirationTime="14400"/>
<cacheCategoryConfig name="ObjectDefinition" enabled="true" expirationTime="14400"/>
<cacheCategoryConfig name="StoredProcAPI" enabled="false" expirationTime="600"/>
<cacheCategoryConfig name="NoNeedToFlush" enabled="true" expirationTime="-1"/>
<cacheCategoryConfig name="MetaData" enabled="true" expirationTime="14400"/>
<cacheCategoryConfig name="User" enabled="true" expirationTime="14400"/>
<cacheCategoryConfig name="AdapterInformation" enabled="true" expirationTime="14400"/>
<cacheCategoryConfig name="OrgnizationName" enabled="true" expirationTime="14400"/>
<cacheCategoryConfig name="Reconciliation" enabled="true" expirationTime="14400"/>
<cacheCategoryConfig name="SystemProperties" enabled="true" expirationTime="14400"/>
<cacheCategoryConfig name="LookupDefinition" enabled="true" expirationTime="14400"/>
<cacheCategoryConfig name="UserGroups" enabled="true" expirationTime="14400"/>
<cacheCategoryConfig name="LookupValues" enabled="true" expirationTime="14400"/>
<cacheCategoryConfig name="ITResourceKey" enabled="true" expirationTime="14400"/>
<cacheCategoryConfig name="RecordExists" enabled="true" expirationTime="14400"/>
<cacheCategoryConfig name="ServerProperties" enabled="true" expirationTime="14400"/>
<cacheCategoryConfig name="ColumnMetaData" enabled="true" expirationTime="14400"/>
<cacheCategoryConfig name="API" enabled="true" expirationTime="14400"/>
<cacheCategoryConfig name="CustomResourceBundle" enabled="true" expirationTime="-1"/>
<cacheCategoryConfig name="CustomDefaultBundle" enabled="true" expirationTime="-1"/>
<cacheCategoryConfig name="ConnectorResourceBundle" enabled="true" expirationTime="-1"/>
<cacheCategoryConfig name="LinguisticSort" enabled="true" expirationTime="-1"/>
<cacheCategoryConfig name="GenericConnector" enabled="true" expirationTime="14400"/>
<cacheCategoryConfig name="GenericConnectorProviders" enabled="true" expirationTime="-1"/>
<cacheCategoryConfig name="AccessPolicyDefinition" enabled="true" expirationTime="14400"/>
<cacheCategoryConfig name="UserConfig" enabled="true" expirationTime="-1"/>
<cacheCategoryConfig name="OESDefinition" enabled="true" expirationTime="14400"/>
<cacheCategoryConfig name="RoleContainerToDescrMap" enabled="true" expirationTime="-1"/>
<cacheCategoryConfig name="PluginFramework" enabled="true" expirationTime="14400"/>
<cacheCategoryConfig name="CallbackConfiguration" enabled="true" expirationTime="14400"/>
<cacheCategoryConfig name="SchedulerTaskDefinition" enabled="true" expirationTime="14400"/>
<cacheCategoryConfig name="UserStatus" enabled="true" expirationTime="14400"/>
<cacheCategoryConfig name="LocaleCodeLanguageMapping" enabled="true" expirationTime="14400"/>
</cacheCategoriesConfig>
</cacheConfig>

26.3.1.2 Purging the Cache

If you want to purge the cache, use the PurgeCache utility in the OIM_HOME/server/bin/ directory. This utility purges all elements in the cache.

Note:

  • Purging is required when caching is enabled and if you make any system configuration changes. It is not required if caching is disabled.

  • Before running the PurgeCache utility, navigate to the OIM_HOME/server/bin/ directory.

Before running the PurgeCache utility, you must run the DOMAIN_HOME/bin/setDomainEnv.sh script.

To use the PurgeCache utility, run PurgeCache.bat CATEGORY_NAME on Microsoft Windows or PurgeCache.sh CATEGORY_NAME on UNIX. The CATEGORY_NAME argument represents the name of the category that must be purged. For example, the following commands purge all FormDefinition entries from a system and its clusters:

PurgeCache.bat FormDefinition
PurgeCache.sh FormDefinition 

To purge all Oracle Identity Manager categories, pass a value of "All" to the PurgeCache utility. It is recommended to clear all the categories.

Note:

The wlfullclient.jar file must be in the classpath for the PurgeCache utility to run correctly.

26.3.2 Tuning the Application Server for Oracle Identity Manager

This section describes how to tune Oracle WebLogic Server for Oracle Identity Manager to improve performance. For additional Oracle WebLogic Server performance tuning information, see Oracle Fusion Middleware Performance and Tuning for Oracle WebLogic Server.

Note:

  • All tuning parameter suggestions and values in this section are for reference purposes only. Values should be modified based on your requirement, application usage patterns, loads, and hardware specifications.

  • Changing any of the settings may require you to restart the server.

26.3.2.1 Tuning JVM Memory Settings for Oracle Identity Manager

These settings should be used in addition to those described in Chapter 2, "Tuning Java Virtual Machines (JVMs)".

To change the JVM memory setting:

  1. Open the DOMAIN_HOME/bin/setSOADomainEnv.sh or setSOADomainEnv.cmd file.

  2. Change the value of DEFAULT_MEM_ARGS and PORT_MEM_ARGS from the default value.

  3. Save the setSOADomainEnv.sh or setSOADomainEnv.cmd file.

Note:

Add the following option to prevent a StringIndexOutOfBoundsException error:

-XX:-UseSSE42Intrinsics

This parameter is required only for Sun JDK.

26.3.2.2 Tuning the JDBC Connection Pool for Oracle Identity Manager

Oracle Identity Manager uses the oimOperationsDB and oimJMSStoreDS data sources deployed on Oracle WebLogic Server. By default, the maximum number of connections is set to 50. You may have to increase this based on your requirements. To increase the capacity of the JDBC connection pools:

  1. Open the WebLogic Server Administration Console.

  2. For JDBC Datasource xlXADS:

    1. Click Services, JDBC, Data Sources, oimOperationsDB, and then click the Connection Pool tab.

    2. Adjust the Initial Capacity and Maximum Capacity based on requirement.

    3. Set the Inactive Connection Timeout parameter to 30.

    For JDBC Datasource xlDS:

    1. Click Services, JDBC, Data Sources, oimJMSStoreDS, and then click the Connection Pool tab.

    2. Adjust the Initial Capacity and Maximum Capacity based on requirement.

  3. Save and activate the changes.

    Note:

    Ensure that any increase in the number of connections in the application server connection pools is compensated for by database configuration changes. You might have to increase the MAX SESSIONS setting on Oracle Database.

26.3.2.3 Tuning the Number of Message Driven Beans for Oracle Identity Manager

Oracle Identity Manager uses Message Driven Beans (MDBs) for processing all offline activities, such as reconciliation, auditing, requests, and attestation, and for its internal kernel operations. By default, a total of 80 MDB instances concurrently serve requests. However, based on your requirements, this can be increased by modifying the OIMMDBWorkManager configuration. To do so:

  1. Log in to the WebLogic Administrative Console.

  2. Navigate to Environment, Work Managers, and then to MaxThreadsConstraint-1.

  3. Change the count from 80 to a higher number per your requirement.

26.3.2.4 Tuning the User Interface Threads for Oracle Identity Manager

By default, Oracle Identity Manager provides 20 front-end thread configurations. These threads are used for serving front-end requests. To change the number of front-end thread configurations:

  1. Log in to the WebLogic Administrative Console.

  2. Navigate to Environment, Work Managers, and then to MaxThreadsConstraint-0.

  3. Change the value of the count from 20 to a number per your requirement.

26.3.2.5 Disabling the Reloading of Adapters and Plug-in Configuration

By default, reloading of adapters and plug-in configuration is enabled for ease of development. It should be disabled in the production environment. To do so:

  1. Export the /db/oim-config.xml file from MDS as described in "Exporting and Importing Configuration Files" in Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.

  2. In the oim-config.xml file, replace the following:

    <ADPClassLoaderConfig adapterReloadingEnabled="true" loadingStyle="ParentFirst" reloadInterval="15" reloadingEnabled="true">
    

    With:

    <ADPClassLoaderConfig adapterReloadingEnabled="false" loadingStyle="ParentFirst" reloadInterval="15" reloadingEnabled="false">
    
  3. Replace the following:

    <storeConfig reloadingEnabled="true" reloadingInterval="20"/>
    

    With:

    <storeConfig reloadingEnabled="false" reloadingInterval="20"/>
    
  4. Save the oim-config.xml file and import it back to MDS.

26.3.2.6 Changing the Number of Open File Descriptors for UNIX (Optional)

WebLogic limits the number of open file descriptors in the WEBLOGIC_HOME/common/bin/commEnv.sh script to 1024. In some cases, if there is a large number of concurrent users, WebLogic may throw the "TOO MANY OPEN FILES" exception. If you receive this error, then consider increasing the limit beyond 1024 in the script. Ensure that the operating system is able to handle the increase in the number of open files.

26.3.2.7 Tuning the JVM Garbage Collection for Solaris Sparc T3 or T4

To tune the JVM garbage collection for Solaris Sparc T3 or T4:

  1. In a text editor, open the setSOADomainEnv.sh or setSOADomainEnv.cmd file in the DOMAIN_HOME/bin/ directory.

  2. Set the value of USER_MEM_ARGS similar to the following:

    Note:

    The values shown for USER_MEM_ARGS are examples. You can change the values based on your requirement.

    USER_MEM_ARGS="-Xms3048m -Xmx3048m -Xmn1648m -Xss256k -XX:PermSize=384m -XX:MaxPermSize=384m"
    
  3. Set the value of JAVA_OPTIONS similar to the following:

    Note:

    The values shown for JAVA_OPTIONS are examples. You can change the values based on your requirement.

    JAVA_OPTIONS="-Xnoclassgc -XX:SurvivorRatio=8 -XX:TargetSurvivorRatio=90
     -XX:PermSize=350m -XX:MaxPermSize=350m -XX:+AggressiveOpts
     -XX:+UseParallelOldGC -XX:ParallelGCThreads=8 -XX:+PrintGCDetails
     -XX:+PrintGCTimeStamps -XX:+PrintGCDateStamps  -XX:ReservedCodeCacheSize=64m
     -XX:CICompilerCount=8 -XX:+AlwaysPreTouch -XX:+PrintReferenceGC
     -XX:+ParallelRefProcEnabled -XX:-UseAdaptiveSizePolicy
     -XX:+PrintAdaptiveSizePolicy -XX:+DisableExplicitGC"
    
  4. Save and close the file.

26.3.3 Tuning Database Parameters for Oracle Identity Manager

This section describes one sample configuration and outlines the principles for tuning Oracle Database for Oracle Identity Manager. For general database tuning information, see Tuning Database Parameters.

Oracle Identity Manager has many configuration options. The best way to identify bottlenecks and optimize performance is to monitor key database performance indicators in your production environment and adjust the configuration accordingly. Review the monitoring tasks described in Monitoring Oracle Identity Manager Performance and then use the guidelines in this section to help you choose the initial baseline database configuration.

Note:

It is important that you maintain the baseline database tuning parameters when working with Oracle Identity Manager. See the Oracle Database Performance Tuning Guide 11g Release 1 (11.1) for information on setting Oracle Database instance parameters.

26.3.3.1 Using Database Roles/Grants for Oracle Identity Manager Database

As a database administrator, you can create roles to grant all the privileges required to run a database application to a secure application role. You can then grant the secure application role to other roles or users. An application can have various roles, each granted a different set of privileges that allow the user to access more or less data while using the application. For example, you can create a role with a password to prevent unauthorized use of the privileges granted to the role. An application can be designed so that, when it starts, it enables the proper role. As a result, an application user does not need to know the password for the application's role.

Depending on what is granted or revoked, a grant or revoke takes effect at different times, such as:

  • All grants and revokes for system and object privileges to users, roles, and PUBLIC grants take immediate effect.

  • All grants and revokes of roles to users, other roles, and PUBLIC take effect only when a current user session issues a SET ROLE statement to re-enable the role after the grant and revoke, or when a new user session is created after the grant or revoke.

You can see which roles are currently enabled by examining the SESSION_ROLES data dictionary view.

In Oracle Identity Manager, prerequisite grants are provided to the Oracle Identity Manager schema so that it can create the necessary objects before Oracle Identity Manager is installed. Some of these grants can be revoked after Oracle Identity Manager is installed and granted to particular users in the future as required by the application.

Table 26-1 describes the grants required for database applications:

Table 26-1 Role Grants for Database Applications

The table has four columns: Role Name, Description, Usage Specific to Oracle Identity Manager, and If Revoked. Each entry below lists those columns as labelled fields.

CREATE TABLE

  • Description: Enables a user to create, modify, and delete tables in the user's schema.

  • Usage specific to Oracle Identity Manager: Although this privilege is part of the RESOURCE role, it is explicitly required because the RESOURCE role does not allow a table to be created through a procedure.

  • If revoked: The user will not be able to create any new tables programmatically. You can revoke this grant when the Oracle Identity Manager deployment is stable, which means all the components and connectors are imported and working as expected, because each connector creates its own schema objects. This grant is needed for the initial run of any archival utility because the archival utilities create tables programmatically.

CONNECT

  • Description: Provides the CREATE SESSION privilege.

  • Usage specific to Oracle Identity Manager: To create sessions for users.

  • If revoked: This role can be replaced with the CREATE SESSION privilege after installation. You can do this when the Oracle Identity Manager deployment is stable, which means all the components and connectors are imported and working as expected, because each connector creates its own schema objects.

RESOURCE

  • Description: Enables a user to create, modify, and delete certain types of schema objects in the schema associated with that user. Grant this role only to developers and to other users that must create schema objects. This role grants a subset of the create object system privileges. For example, it grants the CREATE TABLE system privilege, but does not grant the CREATE VIEW system privilege. It grants the following privileges:

    • CREATE CLUSTER

    • CREATE INDEXTYPE

    • CREATE OPERATOR

    • CREATE PROCEDURE

    • CREATE SEQUENCE

    • CREATE TABLE

    • CREATE TRIGGER

    • CREATE TYPE

    In addition, this role grants the UNLIMITED TABLESPACE system privilege, which effectively assigns a space usage quota of UNLIMITED on all tablespaces in which the user creates schema objects.

  • Usage specific to Oracle Identity Manager: To create sequences, indexes, procedures, triggers, and packages.

  • If revoked: The user will not be able to create any database objects; only the SYS user will be able to do so. You can revoke this grant when the Oracle Identity Manager deployment is stable, which means all the components and connectors are imported and working as expected, because each connector creates its own schema objects. Specify the quota for tablespaces correctly.

CREATE VIEW

  • Description: Enables a user to create, modify, and delete views in the user's schema.

  • Usage specific to Oracle Identity Manager: To create the SDP_VISIBLE_V, SDP_REQUIRED_V, SDP_LOOKUPCODE_V, and SDP_RECURSIVE_V views in Oracle Identity Manager.

  • If revoked: The user will not be able to create any views; only the SYS user will be able to do so.

DBMS_SHARED_POOL

  • Description: Fits a database object into shared pool memory.

  • Usage specific to Oracle Identity Manager: Used for pinning all the procedures and functions used in Oracle Identity Manager in shared memory.

  • If revoked: It can be revoked after installation but may impact performance because some of the procedures and functions may not be pinned explicitly. The pin_obj procedure is created only for Oracle Identity Manager; it is used to explicitly pin database objects into shared memory. Before revoking this role, make sure that the database-level trigger cache_seq is dropped, if it has already been created.

SYS.DBMS_SYSTEM

  • Description: Enables an XA Resource Manager and sets privileges so that the XA Resource Manager can manage the interaction between the Oracle database and the applications.

    Note: Each database connection is enlisted with the transaction manager as a transactional resource. The transaction manager obtains an XA Resource for each connection participating in a global transaction. The transaction manager uses the start method to associate the global transaction with the resource, and it uses the end method to disassociate the transaction from the resource. The resource manager associates the global transaction with all work performed on its data between the start and end method invocations.

  • Usage specific to Oracle Identity Manager: For XA resources and database transactions.

  • If revoked: On Oracle Database version 10.2.0.4 onwards, it can be removed safely. Oracle moved the DIST_TXN_SYNC procedure to a new package, DBMS_XA, which is available to PUBLIC, so XA clients do not require the EXECUTE privilege on DBMS_SYSTEM on later Oracle versions.

SYS.DBMS_FLASHBACK

  • Description: Enables self-service repair. If you accidentally delete rows from a table, then you can recover the deleted rows.

  • Usage specific to Oracle Identity Manager: For any failure during reconciliation, you can roll back the changes by using this package.

  • If revoked: This is required by the new reconciliation engine in Oracle Identity Manager 11g Release 2 (11.1.2) for error handling.

CREATE MATERIALIZED VIEW

  • Description: Creates a materialized view in the grantee's schema.

  • Usage specific to Oracle Identity Manager: To create the OIM_RECON_CHANGES_BY_RES_MV materialized view.

  • If revoked: The user will not be able to create any materialized view; only the SYS user will be able to do so. This materialized view is required for reporting purposes only.

SELECT ON V$XATRANS, SELECT ON PENDING_TRANS$, SELECT ON DBA_2PC_PENDING, and SELECT ON DBA_PENDING_TRANSACTIONS

  • Description: Enable an XA Resource Manager and set privileges so that the XA Resource Manager can manage the interaction between the Oracle database and the applications.

  • Usage specific to Oracle Identity Manager: Not applicable.

  • If revoked: Not recommended to remove. Required for XA support.

ADMINISTER DATABASE TRIGGER

  • Description: Allows the creation of database-level triggers.

  • Usage specific to Oracle Identity Manager: To create the DDL trigger named ddl_trigger in Oracle Identity Manager.

  • If revoked: Users will not be able to create new DDL triggers. It can be removed after schema creation.
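
The following SQL script is an added example, not part of the Oracle guide, that puts Table 26-1 into practice on a stable deployment: it lists what the Oracle Identity Manager schema still holds, checks the two preconditions the table calls out (the cache_seq trigger and the database version), and then revokes only the grants the table marks as removable, replacing CONNECT and RESOURCE with the narrower CREATE SESSION privilege and explicit tablespace quotas. The schema name DEV_OIM is a placeholder; the tablespace names OIM and OIM_LOB follow the basic-installation names given in Physical Data Placement later in this chapter and may carry a prefix in your environment.

```sql
-- Added example, not from the Oracle guide. Run as SYS or a DBA-role user.
-- Placeholders: DEV_OIM (OIM schema), OIM and OIM_LOB (its data tablespaces).

-- 1. Inventory of roles, system privileges and object privileges held by the schema.
SELECT CAST('ROLE' AS VARCHAR2(10)) AS kind,
       granted_role AS privilege,
       CAST(NULL AS VARCHAR2(200)) AS on_object
  FROM dba_role_privs
 WHERE grantee = 'DEV_OIM'
UNION ALL
SELECT 'SYSPRIV', privilege, NULL
  FROM dba_sys_privs
 WHERE grantee = 'DEV_OIM'
UNION ALL
SELECT 'OBJPRIV', privilege, owner || '.' || table_name
  FROM dba_tab_privs
 WHERE grantee = 'DEV_OIM'
 ORDER BY 1, 2, 3;

-- 2. Preconditions from Table 26-1.
--    DBMS_SHARED_POOL may only be revoked once the cache_seq trigger is gone:
--    this query must return no rows.
SELECT trigger_name, status
  FROM dba_triggers
 WHERE owner = 'DEV_OIM' AND trigger_name = 'CACHE_SEQ';
--    DBMS_SYSTEM is dispensable from 10.2.0.4 onwards: check the version first.
SELECT version FROM v$instance;

-- 3. CONNECT -> CREATE SESSION. Grant the replacement before revoking the role
--    so the schema is never left unable to log in.
GRANT CREATE SESSION TO DEV_OIM;
REVOKE CONNECT FROM DEV_OIM;

-- 4. RESOURCE -> explicit quotas. On 11g, granting RESOURCE also granted
--    UNLIMITED TABLESPACE directly to the user, and revoking the role does not
--    undo that, so revoke it separately and then set the quotas the table asks for.
REVOKE RESOURCE FROM DEV_OIM;
REVOKE UNLIMITED TABLESPACE FROM DEV_OIM;
ALTER USER DEV_OIM QUOTA UNLIMITED ON OIM;      -- or a fixed ceiling, e.g. QUOTA 200G ON OIM
ALTER USER DEV_OIM QUOTA UNLIMITED ON OIM_LOB;

-- 5. Grants the table says are needed only at install or schema-creation time.
REVOKE CREATE TABLE FROM DEV_OIM;                -- re-grant before the first run of an archival utility
REVOKE ADMINISTER DATABASE TRIGGER FROM DEV_OIM; -- ddl_trigger already exists
REVOKE EXECUTE ON SYS.DBMS_SYSTEM FROM DEV_OIM;  -- only on 10.2.0.4 or later (see step 2)

-- Left in place on purpose: CREATE VIEW, CREATE MATERIALIZED VIEW, DBMS_FLASHBACK,
-- DBMS_SHARED_POOL (unless step 2 returned no rows) and the SELECT grants on the
-- XA views, all of which Table 26-1 marks as required.
```

Re-run the inventory query afterwards to confirm the result. As stated earlier in this section, role changes take effect only for new sessions, so the pooled connections of the Oracle Identity Manager managed servers keep their old roles until the servers are restarted.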


26.3.3.2 Sample Instance Configuration Parameters

Table 26-2 provides information on some important performance-related database initialization parameters.

SGA and PGA sizes are limited on some platforms by the underlying operating system's restrictions on the maximum available memory. See Support Note: Oracle Database Server and the Operating System Memory Limitations [ID 269495.1].

Note:

For the Database Instance Parameters listed in Table 26-2, any one of the following memory management approaches can be used based on the Oracle Database versions:

  • Using Automatic Memory Management feature available in Oracle Database 11g: Here, the MEMORY_TARGET and MEMORY_MAX_TARGET parameters can be used to manage the SGA and PGA together.

  • Using Automatic Shared Memory Management (ASMM) available in Oracle Database 10g onward: Here, the SGA components can be managed by specifying the SGA_TARGET and SGA_MAX_SIZE parameters. PGA is managed separately through PGA_AGGREGATE_TARGET.

You should set the processes parameter to accommodate the following connection pool requirements plus a few extra connections for external programs:

  • Connection pool size of XA data-source configured in Application Server

  • Connection pool size for non-XA data-source configured in Application Server

  • Direct database connection pool size configured in xlconfig.xml

Table 26-2 Sample Configuration Parameters

The table lists each parameter with its recommended initial setting for Oracle Database 11g:

  • db_block_size: 8192

  • memory_target: Using the Automatic Memory Management feature in Oracle Database 11g, the MEMORY_TARGET and MEMORY_MAX_TARGET parameters can be used to manage the SGA and PGA together. The recommended value is 3 GB. When MEMORY_TARGET is used to manage the database memory components, SGA_TARGET and PGA_AGGREGATE_TARGET can be left unallocated, which is 0.

  • db_keep_cache_size: 800M

  • log_buffer: 15 MB

  • cursor_sharing: FORCE

  • open_cursors: 500

  • session_cached_cursors: 500

  • query_rewrite_integrity: TRUSTED

  • query_rewrite_enabled: TRUE

  • db_file_multiblock_read_count: 16

  • db_writer_processes: 2

  • processes: Based on connection pool settings
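
The note under Tuning the JDBC Connection Pool says that any increase in pool connections must be matched on the database side, and the list above says the processes parameter must cover the XA pool, the non-XA pool and the direct pool plus a few spare connections. The following script is an added example (not from the Oracle guide) that reads the current values of the Table 26-2 parameters, shows how close the instance already is to its process and session limits, and adds up the pool sizes into a value for processes. The pool sizes in the script are constructed placeholders; take yours from the WebLogic data sources and xlconfig.xml.

```sql
-- Added example, not from the Oracle guide. Needs SELECT on V$PARAMETER and
-- V$RESOURCE_LIMIT; the ALTER SYSTEM at the end needs the ALTER SYSTEM privilege.

-- 1. Current values of the parameters in Table 26-2 (plus SESSIONS, which is
--    derived from PROCESSES unless set explicitly). ISDEFAULT = TRUE means the
--    value was never set in the spfile.
SELECT name, value, isdefault
  FROM v$parameter
 WHERE name IN ('db_block_size', 'memory_target', 'db_keep_cache_size',
                'log_buffer', 'cursor_sharing', 'open_cursors',
                'session_cached_cursors', 'query_rewrite_integrity',
                'query_rewrite_enabled', 'db_file_multiblock_read_count',
                'db_writer_processes', 'processes', 'sessions')
 ORDER BY name;

-- 2. Head room: MAX_UTILIZATION is the high-water mark since instance startup.
--    When it reaches LIMIT_VALUE, new pool connections fail with ORA-00020
--    (processes) or ORA-00018 (sessions).
SELECT resource_name, current_utilization, max_utilization, limit_value
  FROM v$resource_limit
 WHERE resource_name IN ('processes', 'sessions');

-- 3. Size PROCESSES from the pools. Constructed placeholder values:
WITH pools AS (
  SELECT 150 AS xa_pool,       -- oimOperationsDB Maximum Capacity
          50 AS non_xa_pool,   -- oimJMSStoreDS Maximum Capacity
          20 AS direct_pool,   -- direct connection pool in xlconfig.xml
          30 AS extra          -- DBA sessions, scheduled jobs, external programs
    FROM dual
)
SELECT xa_pool + non_xa_pool + direct_pool + extra AS suggested_processes
  FROM pools;

-- 4. PROCESSES is a static parameter: it takes effect only after the instance
--    is restarted, so write it to the spfile. 250 is the sum from step 3.
ALTER SYSTEM SET processes = 250 SCOPE = SPFILE;
```

In a clustered installation the pools of every managed server draw on the same database, so sum the pool sizes across all servers before setting processes.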


26.3.3.3 Physical Data Placement

The basic installation of Oracle Identity Manager uses two physical tablespaces to store database objects: the oim_lob tablespace for orchestration-related LOB data and the oim tablespace for everything else. Oracle Identity Manager database objects belong to one of the following categories:

  • Physical tables

  • Indexes

  • Large objects (LOBs or CLOBs)

Tip:

To minimize disk space consumption, Oracle recommends the following:

During the initial startup phase of the deployment, the Oracle Identity Manager tablespace is expected to grow at a rate of 20 GB for every hundred thousand users reconciled into Oracle Identity Manager. The LOB tablespace grows at around 30% of the size of the main Oracle Identity Manager tablespace for the same users. Depending on the usage of orchestration in Oracle Identity Manager, which affects the LOB tablespace growth, the LOB tablespace can grow at a rate of 60% to 100% of the main tablespace in scenarios where orchestration is widely used.

Database administrators must monitor the exact growth rate in the real system for efficient disk space management.

For better performance, create multiple locally managed tablespaces and store each category of database object in a dedicated tablespace. This storage optimization helps efficient data access. The tables that are frequently accessed and have potential growth are highlighted in the following sections. Oracle recommends that you place these tables in their own dedicated tablespace(s).

Note that the tables highlighted in the following sections generally grow bigger and are accessed frequently in a typical Oracle Identity Manager deployment. In addition, you can use performance metrics to identify tables that are accessed frequently (hot tables). To reduce I/O contention, move hot tables to dedicated tablespaces.

Note:

Oracle Identity Manager offers archival and purge solution to contain the data growth in most of these tables. See "Using the Archival Utilities" in Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager for more information.

26.3.3.3.1 Tasks Tables

Oracle Identity Manager stores provisioning and approval task details in the following tables. These tables have a lot of potential to grow large over time. It is recommended to group them in one or more dedicated tablespaces.

  • OSI

  • OSH

  • SCH

26.3.3.3.2 Reconciliation Tables

The reconciliation schema of Oracle Identity Manager has both static and dynamic tables. The following is a list of static tables. The dynamic tables can be identified by querying the RECON_TABLE_NAME column in the RECON_TABLES table.

  • RECON_ACCOUNT_OLDSTATE

  • RECON_BATCHES

  • RECON_CHILD_MATCH

  • RECON_EVENTS

  • RECON_EVENT_ASSIGNMENT

  • RECON_EXCEPTIONS

  • RECON_HISTORY

  • RECON_JOBS

  • RECON_TABLES

  • RECON_UGP_OLDSTATE

  • RECON_USER_OLDSTATE

  • RECON_ACCOUNT_MATCH

  • RECON_ORG_MATCH

  • RECON_ROLE_HIERARCHY_MATCH

  • RECON_ROLE_MATCH

  • RECON_ROLE_MEMBER_MATCH

  • RECON_USER_MATCH

  • RA_LDAPUSER

  • RA_MLS_LDAPUSER

  • RA_LDAPROLE

  • RA_MLS_LDAPROLE

  • RA_LDAPROLEMEMBERSHIP

  • RA_LDAPROLEHIERARCHY

If your environment generates a large amount of reconciliation data, then move these tables to one or more dedicated tablespace(s).

26.3.3.3.3 Audit Tables

Oracle Identity Manager audits transactions based on the audit level setting. Most of the audit levels are likely to increase data growth significantly. Oracle recommends storing audit tables in their own tablespace. Oracle Identity Manager audit tables fall into two categories. The following tables store audit data in XML format. In this list, the UPA table in particular is expected to grow large, and it is important to place it in a dedicated tablespace.

  • UPA

  • GPA

The user profile audit data is stored in the following flat structured tables. These tables are used by Oracle Identity Manager historical reports for compliance reporting. It is recommended to store these tables and their indexes in a dedicated tablespace.

  • UPA_FIELDS

  • UPA_GRP_MEMBERSHIP

  • UPA_RESOURCE

  • UPA_USR

  • UPA_UD_FORMS

  • UPA_UD_FORMFIELDS
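
As an added example (not from the Oracle guide), the following script measures how much space the task, reconciliation and audit tables listed in this section currently occupy, which is the growth rate the text asks database administrators to monitor, and then moves the three task tables into a dedicated tablespace together with their indexes. The schema name DEV_OIM and the tablespace name OIM_TASKS are placeholders; create the tablespace before running the move.

```sql
-- Added example, not from the Oracle guide. Placeholders: DEV_OIM (OIM schema),
-- OIM_TASKS (dedicated tablespace created beforehand). Run as a DBA-role user
-- during a maintenance window: ALTER TABLE ... MOVE locks the table.

-- 1. Per-segment sizes for the tables named in this section. Keep the output of
--    each run; the difference between runs is the growth rate to plan against.
SELECT tablespace_name, segment_name, segment_type,
       ROUND(bytes / 1024 / 1024) AS size_mb
  FROM dba_segments
 WHERE owner = 'DEV_OIM'
   AND (segment_name IN ('OSI', 'OSH', 'SCH', 'UPA', 'GPA')
        OR segment_name LIKE 'RECON\_%' ESCAPE '\'
        OR segment_name LIKE 'RA\_%' ESCAPE '\'
        OR segment_name LIKE 'UPA\_%' ESCAPE '\')
 ORDER BY bytes DESC;

-- 2. Allocated and free space per tablespace, to see which one is filling up.
SELECT d.tablespace_name,
       ROUND(SUM(d.bytes) / 1024 / 1024) AS allocated_mb,
       ROUND((SELECT SUM(f.bytes) FROM dba_free_space f
               WHERE f.tablespace_name = d.tablespace_name) / 1024 / 1024) AS free_mb
  FROM dba_data_files d
 GROUP BY d.tablespace_name
 ORDER BY d.tablespace_name;

-- 3. Move the provisioning-task tables. MOVE rewrites the table segment and marks
--    every index on it UNUSABLE, so the rebuild in step 4 is mandatory. A table
--    with LOB columns additionally needs LOB (col) STORE AS (TABLESPACE ...),
--    otherwise its LOB segments stay behind in the old tablespace.
ALTER TABLE DEV_OIM.OSI MOVE TABLESPACE OIM_TASKS;
ALTER TABLE DEV_OIM.OSH MOVE TABLESPACE OIM_TASKS;
ALTER TABLE DEV_OIM.SCH MOVE TABLESPACE OIM_TASKS;

-- 4. Rebuild the indexes that the move invalidated, into the same tablespace.
BEGIN
  FOR ix IN (SELECT owner, index_name
               FROM dba_indexes
              WHERE table_owner = 'DEV_OIM'
                AND table_name IN ('OSI', 'OSH', 'SCH')
                AND status = 'UNUSABLE') LOOP
    EXECUTE IMMEDIATE 'ALTER INDEX ' || ix.owner || '.' || ix.index_name
                   || ' REBUILD TABLESPACE OIM_TASKS';
  END LOOP;
END;
/

-- 5. Nothing may remain unusable before the application is released again;
--    this must return no rows.
SELECT index_name, status
  FROM dba_indexes
 WHERE table_owner = 'DEV_OIM' AND status = 'UNUSABLE';
```

Moved tables need fresh optimizer statistics afterwards; the gathering steps in Monitoring Oracle Identity Manager Performance apply.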

26.3.3.3.4 Redo-Log Files

Depending on the reconciliation processes configured in Oracle Identity Manager, the volume of database transactions and commits during a reconciliation run can be high. Oracle recommends that you use multiple redo-log files. The total allocated redo-log space should be 1 GB to 2 GB.

Oracle recommends the use of at least three redo log groups, with redo log members of at least 500 MB each. The multiplexing and the exact number of members and disk space for each member can be decided in accordance with your planning for failure.

26.3.3.3.5 Keep Pool Changes

By default, Oracle Identity Manager assigns frequently referenced small tables to be cached in the database by using the keep pool buffer. See db_keep_cache_size in Table 26-2. The USR table, which stores user records, is also cached by default. If your installation contains more than 50,000 users, then Oracle recommends that you use the default database buffer for the USR table instead of the keep pool buffer. You can use the following command to put the USR table in the default buffer pool.

ALTER TABLE USR STORAGE(buffer_pool default);
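The following SQL is an added example, not part of the Oracle guide, that makes the decision above data-driven: it lists what currently occupies the keep pool, applies the change only when the user count actually exceeds the guide's 50,000 threshold and USR is still in the keep pool, and then confirms the result. Run it as the Oracle Identity Manager schema owner.

```sql
-- Added example, not from the Oracle guide. Run as the OIM schema owner.
-- The 50,000-user threshold is the figure from the guide.
SET SERVEROUTPUT ON

-- 1. Everything currently assigned to the keep pool, largest first, so that
--    a table that has outgrown the pool (USR, or one of its indexes) stands out.
SELECT 'TABLE' AS kind, table_name AS name, num_rows
FROM   user_tables  WHERE buffer_pool = 'KEEP'
UNION ALL
SELECT 'INDEX', index_name, num_rows
FROM   user_indexes WHERE buffer_pool = 'KEEP'
ORDER  BY num_rows DESC NULLS LAST;

-- 2. Move USR to the default pool only when the user count justifies it.
DECLARE
  v_users NUMBER;
  v_pool  user_tables.buffer_pool%TYPE;
BEGIN
  SELECT COUNT(*) INTO v_users FROM usr;
  SELECT buffer_pool INTO v_pool FROM user_tables WHERE table_name = 'USR';
  DBMS_OUTPUT.PUT_LINE('USR: ' || v_users || ' users, buffer_pool=' || v_pool);

  IF v_users > 50000 AND v_pool = 'KEEP' THEN
    EXECUTE IMMEDIATE 'ALTER TABLE usr STORAGE (BUFFER_POOL DEFAULT)';
    DBMS_OUTPUT.PUT_LINE('USR moved to the DEFAULT buffer pool');
  ELSE
    DBMS_OUTPUT.PUT_LINE('USR left unchanged');
  END IF;
END;
/

-- 3. Confirm the new assignment. Blocks already in the keep pool age out
--    on their own; the setting governs where future reads are cached.
SELECT table_name, buffer_pool FROM user_tables WHERE table_name = 'USR';
```

The guide only mentions the USR table. If step 1 shows USR's indexes in the keep pool as well, decide about them separately with ALTER INDEX ... STORAGE (BUFFER_POOL DEFAULT); large B-tree indexes on a 50,000+ row table have the same crowding effect.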

26.3.4 Tuning Oracle Internet Directory

To ensure that Oracle Identity Manager performs at an optimal level, it is also important to tune Oracle Internet Directory as described in Chapter 23, "Oracle Internet Directory Performance Tuning".

26.4 Advanced Tuning Considerations

This section provides advanced tuning recommendations which may or may not apply to your environment. Review the following recommendations to determine if the changes would improve your Oracle Identity Manager performance.

26.4.1 Tuning Connectors

When a connector is imported into Oracle Identity Manager, it creates database tables (UD_*) and updates metadata in the Oracle Identity Manager schema. The connector may be further customized with reconciliation rules, data flows, and lookup definitions to suit the processes required in a particular installation. After a connector is imported, create indexes on the new tables; the connector import does not do this for you.
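The following query is an added example, not part of the Oracle guide, for reviewing the connector tables after an import. It lists every UD_* table with each of its indexes and the columns that index covers, so that a table with no secondary index, or one whose reconciliation-matching and lookup columns are not indexed, is visible at a glance. Run it as the Oracle Identity Manager schema owner; num_rows is only meaningful after optimizer statistics have been gathered.

```sql
-- Added example, not from the Oracle guide. Run as the OIM schema owner.
-- UD\_% with ESCAPE keeps the underscore literal, otherwise LIKE treats it
-- as a single-character wildcard and matches unrelated tables.
SELECT t.table_name,
       t.num_rows,
       i.index_name,
       i.uniqueness,
       LISTAGG(ic.column_name, ', ')
         WITHIN GROUP (ORDER BY ic.column_position) AS indexed_columns
FROM   user_tables t
       LEFT JOIN user_indexes     i  ON i.table_name  = t.table_name
       LEFT JOIN user_ind_columns ic ON ic.index_name = i.index_name
                                    AND ic.table_name = i.table_name
WHERE  t.table_name LIKE 'UD\_%' ESCAPE '\'
GROUP  BY t.table_name, t.num_rows, i.index_name, i.uniqueness
ORDER  BY t.table_name, i.index_name;
```

Typically the only index present after import is the primary key; any column the connector's reconciliation rules or lookups search on appears in this listing without an index until you create one.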

26.4.2 Tuning LDAP Synchronization

Tuning LDAP synchronization performance in Oracle Identity Manager involves the following:

26.4.2.1 Increasing the Max Connection Pool for Oracle Identity Manager

To increase the max connection pool for Oracle Identity Manager:

  1. Log in to Oracle Identity System Administration.

  2. On the left pane, under Configuration, click IT Resource. The Manage IT Resource page is displayed in a new window.

  3. From the IT Resource Type list, select Directory Server, and then click Search.

  4. For the Directory Server IT resource, click Edit. The Edit IT Resource Details and Parameters page is displayed.

  5. In the Maximum pool size field, change the value from 10 to 500.

  6. Ensure that the following configuration parameters have the correct values:

    • Initial pool size: 20

    • Minimum pool size: 20

  7. Click Update.

26.4.2.1.1 Increasing the LDAP Synchronization Batch Size

To increase the LDAP synchronization batch size, set the batch size of the following LDAP synchronization reconciliation scheduled jobs to 8000:

  • LDAP User Create and Update Reconciliation

  • LDAP Role Create and Update Reconciliation

  • LDAP Role Hierarchy Reconciliation

  • LDAP Role Membership Reconciliation

Note:

For details about the LDAP scheduled jobs, see "LDAP Scheduled Tasks" in Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.

26.4.2.1.2 Setting Configuration Parameters in OVD

When LDAP synchronization with OVD configured for OID is enabled in Oracle Identity Manager, the configuration parameters in OVD, as listed in Table 26-3, must be set:

Table 26-3 Configuration Parameters in OVD

Name                Parameter                        Value
OVD general         Listeners - LDAP Endpoint        50
OVD general         Listeners - LDAP SSL Endpoint    50
User Adapter        Max Pool Size                    500
User Adapter        Operation Timeout                1500000
User Adapter        Max Pool Wait                    1000
Changelog adapter   Max Pool Size                    500

Operation Timeout and Max Pool Wait are in milliseconds.

26.4.2.1.3 Setting Configuration Parameters in OID

When LDAP synchronization with OVD/OID is enabled in Oracle Identity Manager, the configuration parameters in OID, as listed in Table 26-4, must be set:

Table 26-4 Configuration Parameters in OID

Name                            Parameter             Value
Max Number of DB Connections    orclmaxcc             10
Number of Processes             orclserverprocs       2 to 4
Skip Referral Process           orclskiprefinsql      1
LDAP Connection Timeout         orclldapconntimeout   60
Enable MatchDN Processing       orclmatchdnenabled    0
Enable Entry Cache              orclcacheenabled      0

To modify the attributes in Table 26-4, use the following syntax. Replace HOST_NAME, PORT_NUMBER, and PASSWORD with your values, and replace oid1 with your OID component name if it differs. The LDIF body below applies every value from Table 26-4 in one operation; choose a value between 2 and 4 for orclserverprocs. Note that a password given with -w is visible in the host's process list and shell history, so prefer the interactive password prompt of your ldapmodify version where it offers one. Restart the OID server instance afterwards so that process- and connection-level attributes such as orclserverprocs and orclmaxcc take effect.

ldapmodify -h HOST_NAME -p PORT_NUMBER -D cn=orcladmin -w PASSWORD -v <<EOF
dn: cn=oid1,cn=osdldapd,cn=subconfigsubentry
changetype: modify
replace: orclmaxcc
orclmaxcc: 10
-
replace: orclserverprocs
orclserverprocs: 2
-
replace: orclskiprefinsql
orclskiprefinsql: 1
-
replace: orclldapconntimeout
orclldapconntimeout: 60
-
replace: orclmatchdnenabled
orclmatchdnenabled: 0
-
replace: orclcacheenabled
orclcacheenabled: 0
EOF

26.4.2.1.4 Setting Configuration Parameters in Identity Virtualization Library (libOVD)

When LDAP synchronization with Identity Virtualization Library (libOVD) configured for OID is enabled in Oracle Identity Manager, set the libOVD configuration parameters listed in Table 26-5:

Note:

You can manage the Identity Virtualization Library (libOVD) tuning parameter configuration by using the WLST command. For more information, see "Managing Identity Virtualization Library (libOVD) Adapters" in the Oracle Fusion Middleware Integration Guide for Oracle Identity Management.

Table 26-5 Configuration Parameters in Identity Virtualization Library (libOVD)

Name                Parameter           Value
User Adapter        Max Pool Size       500
User Adapter        Operation Timeout   1500000
User Adapter        Max Pool Wait       1000
Changelog adapter   Max Pool Size       500

Operation Timeout and Max Pool Wait are in milliseconds.

See Also:

"Enabling Access Logging in Identity Virtualization Library (libOVD)" in the Oracle Fusion Middleware Integration Guide for Oracle Identity Management for information about enabling access logging in Identity Virtualization Library (libOVD) to capture all requests and responses flowing through Identity Virtualization Library (libOVD), which can be very useful in triaging performance issues.

26.4.2.1.5 Setting Configuration Parameters in WebLogic Server and JDBC

For information about setting configuration parameters in Oracle WebLogic Server and JDBC, see Section 26.3.2, "Tuning the Application Server for Oracle Identity Manager".