28 Directory Proxy Server Monitoring and Alerts

Monitoring detects failure of Directory Proxy Server and of data sources.

For a description of the monitoring framework for Directory Proxy Server, and for a detailed layout of the cn=monitor entry, see Monitoring Directory Proxy Server in the Reference for Oracle Directory Server Enterprise Edition. This chapter covers the following topics:

• Retrieving Monitored Data About Directory Proxy Server

• Retrieving Monitored Data About Data Sources

• Configuring Administrative Alerts for Directory Proxy Server

• Retrieving Monitored Data About Directory Proxy Server by Using the JVM

28.1 Retrieving Monitored Data About Directory Proxy Server

To retrieve monitored data about Directory Proxy Server, use the cn=monitor entry. This entry is managed by Directory Proxy Server in a local, in-memory database. You can retrieve attributes under cn=monitor by performing an LDAP search on the cn=monitor entry. You must bind as the Proxy Manager to search this entry.

For the best Directory Proxy Server monitoring results, search for the cn=monitor entry using the base scope. Together with the search baseDN, the base scope examines only the level specified by the baseDN (and none of its child entries). You specify a base scope by using the -s base option. For example:

$ ldapsearch -h HOSTNAME -p LDAP_PORT -D"cn=proxy manager" -w PROX_MANAGER_PASSWORD -s base -b "cn=monitor" "(objectclass=*)"
version: 1
dn: cn=monitor
objectClass: top
objectClass: extensibleObject
cn: monitor

For information about using the JVM to retrieve monitored data, see Retrieving Monitored Data About Directory Proxy Server by Using the JVM.

28.2 Retrieving Monitored Data About Data Sources

For a description of how Directory Proxy Server monitors the health of data sources, see Monitoring Data Sources in the Reference for Oracle Directory Server Enterprise Edition. This section describes how to configure the monitoring of data sources.

Note:

In addition to LDAP data source, you can also monitor the health of JDBC data source using monitoring-inactivity-timeout, monitoring-interval, and monitoring-mode properties.

The proactive monitoring is implemented for LDAP data source as well as for JDBC data source. The implementation for both the data sources is not the same as the nature of the data sources is different.

28.2.1 To Monitor a Data Source by Listening for Errors

In this type of monitoring, Directory Proxy Server listens for errors on the traffic between Directory Proxy Server and the data sources. This type of monitoring is called reactive monitoring because Directory Proxy Server reacts if an error is detected, but does not actively test data sources.

You can use the web interface Directory Service Control Center (DSCC) to perform this task.

1. Set the monitoring mode for the data source to reactive.

   $ dpconf set-ldap-data-source-prop -h host -p port datasource monitoring-mode:reactive
   

2. Configure an alert to be sent when an error is detected or when a data source goes offline or online, as described in Configuring Administrative Alerts for Directory Proxy Server.

28.2.2 To Monitor a Data Source by Periodically Establishing Dedicated Connections

Directory Proxy Server creates a dedicated connection to a data source if there have been no requests to or responses from the data source for a specified interval.

You can use the web interface Directory Service Control Center (DSCC) to perform this task.

1. Set the monitoring mode for the data source to proactive.

   $ dpconf set-ldap-data-source-prop -h host -p port datasource monitoring-mode:proactive
   

2. Configure the monitoring search request that is performed by Directory Proxy Server.

   $ dpconf set-ldap-data-source-prop -h host -p port datasource \
     monitoring-bind-timeout:timeout monitoring-entry-dn:dn \
     monitoring-search-filter:filter monitoring-entry-timeout:timeout
   

   The following properties are used in the search request:

   monitoring-bind-timeout

   The length of time that Directory Proxy Server waits to establish a connection to the data source. By default, the value of this property is 5 seconds.

   monitoring-entry-dn

   The DN of the target entry in the search request. By default, this property is the root DSE entry ("").

   monitoring-search-filter

   The search filter.

   monitoring-entry-timeout

   The length of time that Directory Proxy Server waits for the search response. By default, the value of this property is 5 seconds.

3. Configure the proactive monitoring to bind as a specific user.

   $ dpconf set-ldap-data-source-prop ldap-data-source \
   monitoring-bind-dn:uid=user-id monitoring-bind-pwd-file:password-file
   

   Replace the user-id with a valid dn such as uid=bjensen,dc=example,dc=com and password-file with a path to the file containing password.

   By default, the bind is performed as anonymous, that is, both the monitoring-bind-dn and monitoring-bind-pwd attributes are set to none.

4. Set the polling interval.

   $ dpconf set-ldap-data-source-prop -h host -p port datasource \
   down-monitoring-interval:interval
   

   If a connection is down, Directory Proxy Server polls the connection at this interval to detect its recovery. If the interval is not specified, the value of monitoring-interval is used.

5. Configure the availability monitor to specify the number of times it will poll the connection when it is first detected as down.

   $ dpconf set-ldap-data-source-prop -h host -p port datasource monitoring-retry-count:count
   

6. Configure an alert to be sent when a data source is detected as offline or online, as described in Configuring Administrative Alerts for Directory Proxy Server.

28.2.3 To Monitor a Data Source by Testing Established Connections

In this type of monitoring, Directory Proxy Server performs a search on each connection to each data source at a regular interval. In this way, Directory Proxy Server detects closed connections and prevents connections from being dropped because of inactivity.

You can use the web interface Directory Service Control Center (DSCC) to perform this task.

1. Set the monitoring mode for the data source to proactive.

   $ dpconf set-ldap-data-source-prop -h host -p port datasource monitoring-mode:proactive
   

2. Set the time interval after which Directory Proxy Server sends a request to a data source to prevent connections from being dropped.

   $ dpconf set-ldap-data-source-prop -h host -p port datasource \
    monitoring-inactivity-timeout:time
   

   By default, the inactivity timeout is 120 seconds.

3. Configure the proactive monitoring to bind as a specific user.

   $ dpconf set-ldap-data-source-prop ldap-data-source
   monitoring-bind-dn:uid=user-id monitoring-bind-pwd-file:password-file
   

   Replace the user-id with a valid dn such as uid=bjensen,dc=example,dc=com and password-file with a path to the file containing password.

   By default, the bind is performed as anonymous, that is, both the monitoring-bind-dn and monitoring-bind-pwd attributes are set to none.

4. Configure an alert to be sent when a data source is detected as offline or online, as described in Configuring Administrative Alerts for Directory Proxy Server.

28.3 Configuring Administrative Alerts for Directory Proxy Server

For information about how to configure administrative alerts, see the following procedures.

28.3.1 To Enable Administrative Alerts

You can use the web interface Directory Service Control Center (DSCC) to perform this task.

1. View the enabled alerts.

   % dpconf get-server-prop -h host -p port enabled-admin-alerts
   

2. Enable one or more administrative alerts.

   % dpconf set-server-prop -h host -p port enabled-admin-alerts:alert1 \
     [enabled-admin-alerts:alert2 ...]
   

   For example, to enable all available alerts, run this command:

   % dpconf set-server-prop -h host -p port \
    enabled-admin-alerts:error-configuration-reload-failure-with-impact \
    enabled-admin-alerts:error-resource-limit-exceeded \
    enabled-admin-alerts:error-server-shutdown-abrupt \ 
    enabled-admin-alerts:info-configuration-reload \
    enabled-admin-alerts:info-data-source-available \
    enabled-admin-alerts:info-server-shutdown-clean \
    enabled-admin-alerts:info-server-startup \
    enabled-admin-alerts:warning-configuration-reload-failure-no-impact \
    enabled-admin-alerts:warning-data-source-unavailable \
    enabled-admin-alerts:warning-data-sources-inconsistent \
    enabled-admin-alerts:warning-listener-unavailable \
    enabled-admin-alerts:warning-resource-limit-exceeded
   

   To disable all email alerts, run this command:

   % dpconf set-server-prop -h host -p port email-alerts-enabled:false
   

   To add an alert to an existing list of enabled alerts, run this command:

   % dpconf set-server-prop -h host -p port enabled-admin-alerts+:alert-name
   

   To remove an alert from an existing list of enabled alerts, run this command:

   % dpconf set-server-prop -h host -p port enabled-admin-alerts-:alert-name
   

   By default, all alerts are enabled. For example, once all the email alerts are enabled (email-alerts-enabled:true), run the following command to receive all the email alerts:

   % dpconf set-server-prop -h host -p port enabled-admin-alerts:all 
   

See Also

For more information, see enabled-admin-alerts.

28.3.2 To Configure Administrative Alerts to Be Sent to Syslog

You can use the web interface Directory Service Control Center (DSCC) to perform this task.

1. Select the alerts that will be sent to the syslog daemon, as described in To Enable Administrative Alerts.

2. Enable alerts to be sent to the syslog daemon.

   $ dpconf set-server-prop -h host -p port syslog-alerts-enabled:true
   

   All alerts are sent to the syslog with the facility of USER.

3. Set the host name of the syslog daemon to which alerts are to be sent.

   $ dpconf set-server-prop -h host -p port syslog_hostname:hostname
   

4. (Solaris 11 platform only) Set the following property:

   $ svccfg -s svc:/system/system-log setprop config/log_from_remote=true
   

28.3.3 To Configure Administrative Alerts to Be Sent to Email

You can use the web interface Directory Service Control Center (DSCC) to perform this task.

1. Select the alerts that will be sent to the syslog, as described in To Enable Administrative Alerts.

2. Configure the address and characteristics of the email.

   $ dpconf set-server-prop -h host -p port email-alerts-smtp-host:host-name \
     email-alerts-smtp-port:port-number \
     email-alerts-message-from-address:sender-email-address \
     email-alerts-message-to-address:receiver-email-address \
     [email-alerts-message-to-address:receiver-email-address ...] \
     email-alerts-message-subject:email-subject
   

3. Enable alerts to be sent to email.

   $ dpconf set-server-prop -h host -p port email-alerts-enabled:true
   

4. Set a flag to include the alert code in the email

   $ dpconf set-server-prop -h host -p port \
    email-alerts-message-subject-includes-alert-code:true
   

28.3.4 To Configure Administrative Alerts to Run a Script

You can use the web interface Directory Service Control Center (DSCC) to perform this task.

1. Select the alerts that will be sent to the syslog, as described in To Enable Administrative Alerts.

2. Enable alerts to run a script.

   $ dpconf set-server-prop -h host -p port scriptable-alerts-enabled:true
   

3. Set the name of the script that will be run.

   $ dpconf set-server-prop -h host -p port scriptable-alerts-command:script-name
   

28.4 Retrieving Monitored Data About Directory Proxy Server by Using the JVM

Directory Proxy Server runs inside a Java Virtual Machine (JVM) and depends on the memory of the JVM machine. To ensure that Directory Proxy Server is running correctly, you must monitor the memory consumption of the JVM machine.

For information about how to tune parameters for the JVM machine, see Hardware Sizing For Directory Proxy Server in the Deployment Planning Guide for Oracle Directory Server Enterprise Edition.

By default, the heap size of the JVM machine is 1 Gb. Directory Proxy Server should never be swapped-out from main memory. Directory Proxy Server should be configured to use no more than the actual available memory (considering it coexists with other applications and the OS).

The 1Gb size is generic and might not be suitable for all cases. Should you need to modify the heap size, using a ratio of 2/3 of the total heap for the New Generation (-XX:NewSize and -XX:MaxNewSize arguments) produces the best results. Instances created with previous versions of Directory Proxy Server assigned only 250Mb of memory to the heap, and the default Garbage Collector was used. After an upgrade, these values are not modified on existing instances. The following command can be used to set the new tuning on old instances.

$ dpadm set-flags instance-path jvm-args="-Xms1G -Xmx1G -XX:NewSize=683M 
    -XX:MaxNewSize=683M -XX:+UseParNewGC -XX:+UseConcMarkSweepGC"

When Directory Proxy Server is running, you can monitor the heap size of the JVM machine to ensure that it is not running out of memory. To do this, use the standard tools delivered with the Java Development Kit (JDK): $JAVA_HOME/bin/jps and $JAVA_HOME/bin/jstat.

28.4.1 To View the Heap Size of the JVM

You cannot use DSCC to perform this task. Use the command line, as described in this procedure.

View the heap size of JVM.

$ dpadm get-flags instance-path jvm-args
    jvm-args: -Xms1G -Xmx1G -XX:NewSize=683M -XX:MaxNewSize=683M -XX:+UseParNewGC 
    -XX:+UseConcMarkSweepGC

28.4.2 To Monitor the Heap Size of JVM When Directory Proxy Server is Running

You cannot use DSCC to perform this task. Use the command line, as described in this procedure.

1. View the PID of your instance of Directory Proxy Server.

   $ jps
   

2. View the memory used by the JVM machine.

   $ jstat -gcutil PID
   

   • If the zero column is near to 100%, the JVM machine does not have enough memory.

   • FGC is the number of full garbage collection (GC) events. Garbage collection is expansive.

   • GCT (garbage collection time) is the amount of time spent by the GC.