4 Tuning and Troubleshooting for Oracle RADIUS Agent

4.1 Tuning

The performance of the RADIUS Agent depends on several factors. External factors such as hardware, OS-level settings, network latency, and the performance of LDAP and Oracle Advanced Authentication (OAA) must be tuned appropriately. This page summarizes only the common, important tuning parameters within the RADIUS Agent. For the complete list of configuration parameters, see Configuration Properties.


4.1.1 JVM

JVM options can be passed to the RADIUS Agent from the docker run command when bringing up a new container. For example (the values shown here are only a sample):

-e java_args='-Xms1g -Xmx4g -Duser.language=en'

Any JVM parameter can be provided the same way.

Providing JVM Options via a java.properties file:

Alternatively, if you want to provide a long list of JVM parameters, you can put them in a java.properties file in the config/ directory. For example, if the volume is mapped as /home/opc/Radius:/u01/oracle/user_projects, then the java.properties file must already exist under /home/opc/Radius/config/. The file is picked up automatically when the docker container starts.

Example contents of java.properties should be similar to:

java_args= -server -XX:+UnlockExperimentalVMOptions -XX:+UseZGC -Xms1g -Xmx4g -Duser.language=en

4.1.2 RADIUS Agent Configurations

You can use the following configuration properties for tuning in the RADIUS Agent:

Listener

  • numberOfWorkerThreads - The maximum number of worker threads allowed. This maps to the maximumPoolSize value of the underlying ThreadPoolExecutor of the worker threads.
  • coreThreadPoolSize - The corePoolSize value of the underlying ThreadPoolExecutor of the worker threads. It is the minimum number of worker threads the underlying ThreadPoolExecutor maintains.
  • threadPoolKeepAliveTime - The thread pool keep-alive time, in ms, for the underlying ThreadPoolExecutor of the worker threads. When the thread pool has more than the configured minimum number of threads (coreThreadPoolSize), excess threads are terminated if they have been idle for longer than threadPoolKeepAliveTime. This reduces resource consumption when the thread pool is not being actively used. If the pool becomes more active later, new threads are constructed. A value of 0 means that excess threads are never cleaned up, so using 0 is not recommended.
  • threadPoolMaxQueueSize - The maximum allowed size of the work queue used by the ThreadPoolExecutor of the worker threads. 0 means the queue is unbounded.

Note:

numberOfWorkerThreads and coreThreadPoolSize need to be configured based on CPU Cores available on the server hardware.
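
How the four Listener properties interact under a burst of requests, as an added example that is not Oracle's code. It assumes the values are passed unchanged to a standard java.util.concurrent.ThreadPoolExecutor backed by a LinkedBlockingQueue with the default rejection policy; the class name and the load figures are constructed.

```java
import java.util.concurrent.BlockingQueue;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.LinkedBlockingQueue;
import java.util.concurrent.RejectedExecutionException;
import java.util.concurrent.ThreadPoolExecutor;
import java.util.concurrent.TimeUnit;

public class WorkerPoolSizing {
    // Assumed mapping of the four Listener properties onto a standard ThreadPoolExecutor.
    static ThreadPoolExecutor pool(int coreThreadPoolSize, int numberOfWorkerThreads,
                                   long threadPoolKeepAliveTime, int threadPoolMaxQueueSize) {
        BlockingQueue<Runnable> queue = threadPoolMaxQueueSize == 0
                ? new LinkedBlockingQueue<>()                        // 0 = unbounded
                : new LinkedBlockingQueue<>(threadPoolMaxQueueSize); // bounded
        return new ThreadPoolExecutor(coreThreadPoolSize, numberOfWorkerThreads,
                threadPoolKeepAliveTime, TimeUnit.MILLISECONDS, queue);
    }

    // Submits `requests` jobs that all block, then reports threads / queued / rejected.
    static String burst(ThreadPoolExecutor p, int requests) throws InterruptedException {
        CountDownLatch release = new CountDownLatch(1);
        int rejected = 0;
        for (int i = 0; i < requests; i++) {
            try {
                p.execute(() -> {
                    try {
                        release.await(); // stands in for a slow LDAP or OAA call
                    } catch (InterruptedException e) {
                        Thread.currentThread().interrupt();
                    }
                });
            } catch (RejectedExecutionException e) {
                rejected++; // default AbortPolicy: pool and queue are both full
            }
        }
        String report = "threads=" + p.getPoolSize() + " queued=" + p.getQueue().size()
                + " rejected=" + rejected;
        release.countDown();
        p.shutdown();
        p.awaitTermination(5, TimeUnit.SECONDS);
        return report;
    }

    public static void main(String[] args) throws InterruptedException {
        // Constructed load: 50 simultaneous requests, core 4, maximum 16, keep-alive 60 s.
        System.out.println("queue unbounded (0): " + burst(pool(4, 16, 60_000, 0), 50));
        System.out.println("queue bounded (20):  " + burst(pool(4, 16, 60_000, 20), 50));
    }
}
```

Under these assumptions an unbounded queue keeps the pool at its core size and holds every extra request in memory, so the maximum is never reached; a bounded queue lets the pool grow to the maximum and then rejects the overflow.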

LDAP Connection Pool

  • initSize - The number of connections that are created when the connection pool is initialized.
  • maxSize - The maximum number of connections the pool maintains. If minSize is greater than maxSize, then minSize is set to maxSize.
  • minSize - The minimum number of connections the pool maintains. If initSize is less than minSize, then the connection pool is initialized with minSize connections.
  • poolIncrementSize - The number of connections to create at a time when all existing connections are in use and the number of connections is less than maxSize.

4.2 Troubleshooting Tips


4.2.1 RADIUS client unable to connect to Oracle RADIUS Agent

You can use the following troubleshooting tips:

  • Make sure the Oracle RADIUS Agent host and port are reachable from the RADIUS client host.
  • Check the Oracle RADIUS Agent logs to see whether Oracle RADIUS Agent is dropping requests because of RADIUS client registration issues. If it is, fix the client registration on Oracle RADIUS Agent.
  • Make sure the RADIUS client application is registered correctly with Oracle RADIUS Agent using the correct hostname or IP address.
  • Verify the shared secret on the RADIUS client side and make sure that it is correct.
  • Change the log level for Oracle RADIUS Agent to FINE or FINEST and check the Oracle RADIUS Agent logs.

4.2.2 User Primary Authentication Fails in RADIUS Request

You can use the following troubleshooting tips:

  • Check Oracle RADIUS Agent logs to find underlying error.
  • Verify the shared secret on RADIUS client side and make sure that it is correct. An incorrect shared secret on client side can lead to this error.
  • Change log level for Oracle RADIUS Agent to FINE or FINEST and check Oracle RADIUS Agent logs.
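
Why a wrong shared secret shows up as a failed primary authentication rather than a connection error: in a PAP Access-Request the client hides the User-Password with an MD5 pad derived from the shared secret (RFC 2865, section 5.2), so a server holding a different secret recovers a different password. This is an added illustration, not Oracle code; PAP is an assumption, and the class name, secrets and password are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;

public class SharedSecretMismatch {
    // RFC 2865 section 5.2: c(i) = p(i) XOR MD5(secret + c(i-1)), c(0) = Request Authenticator.
    static byte[] xorChain(byte[] in, byte[] secret, byte[] requestAuth, boolean hiding)
            throws GeneralSecurityException {
        byte[] out = new byte[in.length];
        byte[] prev = requestAuth;
        for (int off = 0; off < in.length; off += 16) {
            MessageDigest md5 = MessageDigest.getInstance("MD5");
            md5.update(secret);
            md5.update(prev);
            byte[] pad = md5.digest();
            for (int i = 0; i < 16; i++) {
                out[off + i] = (byte) (in[off + i] ^ pad[i]);
            }
            // The next block is always keyed by the hidden (ciphertext) block.
            prev = Arrays.copyOfRange(hiding ? out : in, off, off + 16);
        }
        return out;
    }

    // Client side: zero-pad the password to a multiple of 16 bytes and hide it.
    static byte[] hide(String password, byte[] secret, byte[] ra) throws GeneralSecurityException {
        byte[] p = password.getBytes(StandardCharsets.UTF_8);
        return xorChain(Arrays.copyOf(p, Math.max(16, (p.length + 15) / 16 * 16)), secret, ra, true);
    }
    // Server side: recover the password with the server's copy of the secret.
    static String reveal(byte[] hidden, byte[] secret, byte[] ra) throws GeneralSecurityException {
        byte[] p = xorChain(hidden, secret, ra, false);
        int end = p.length;
        while (end > 0 && p[end - 1] == 0) end--; // strip zero padding
        return new String(p, 0, end, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        byte[] ra = new byte[16];
        new SecureRandom().nextBytes(ra); // per-request Request Authenticator
        byte[] clientSecret = "s3cret-on-client".getBytes(StandardCharsets.UTF_8); // constructed
        byte[] agentSecret = "s3cret-on-agent".getBytes(StandardCharsets.UTF_8);   // constructed
        byte[] attr = hide("Passw0rd-for-demo", clientSecret, ra);
        System.out.println("matching secret:   " + reveal(attr, clientSecret, ra).equals("Passw0rd-for-demo"));
        System.out.println("mismatched secret: " + reveal(attr, agentSecret, ra).equals("Passw0rd-for-demo"));
    }
}
```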

4.2.3 User MFA Authentication Fails in RADIUS Request

You can use the following troubleshooting tips:

  • Check Oracle RADIUS Agent logs to find underlying error.
  • Make sure that Oracle Advanced Authentication is up and running.
  • Make sure that the Oracle Advanced Authentication configuration steps were followed correctly and that the resulting settings are present in the Oracle RADIUS Agent configuration.
  • Make sure that factors are seeded in Oracle Advanced Authentication for the user.
  • Make sure that the RADIUS client supports RADIUS challenge. If it does not, synchronous authentication mode needs to be used.
  • Check the Oracle Advanced Authentication logs for further details if the error is coming from Oracle Advanced Authentication.
  • Change the log level for Oracle RADIUS Agent to FINE or FINEST and check the Oracle RADIUS Agent logs.

4.2.4 RADIUS Request Taking Time

You can use the following troubleshooting tips:

  • Check Oracle RADIUS Agent access logs to find which layer is taking time.
  • Rule out network latency between RADIUS client and Oracle RADIUS Agent.
  • Ensure LDAP and Oracle Advanced Authentication are tuned properly by referring to their corresponding documentation.
  • Perform tuning on Oracle RADIUS Agent if needed.

4.2.5 Enable Administrator REST Endpoint Using the CLI Utility

You should use the CLI utility only to restore the administrator's access to the HTTP-REST administration interface, which is used to manage the configuration and the RADIUS clients. For example, if the administrator user or the administrator group has changed, you have to reset the administrator user or the administrator group using the CLI utility before the HTTP-REST endpoint can be invoked again. Similarly, if the LDAP details have changed, you can use the CLI utility to reset the LDAP details so that the administrator user can invoke the HTTP-REST endpoint.

Note:

You need to use the CLI Utility from the docker container.

The command line utility provides the following nine operations:

  1. Reset Config
  2. Reset Admin Users
  3. Reset Admin Groups
  4. Print Admin Users and Groups
  5. Print Configuration
  6. Reset LDAP Config
  7. Print HTTPS Secret Store Password
  8. Print Bootstrap Secret Store Password
  9. Reset Bootstrap Secret Store Password

Note:

The environment variable ORACLE_RADIUS_AGENT_COMMON_DIR should be set to point to the configuration directory location.

Reset Config

The resetConfig option resets the configuration in oracleRadiusAgent.json. It removes all existing configuration in oracleRadiusAgent.json.

java -cp /u01/oracle/idmradius/oracleradiusagent.jar -DORACLE_RADIUS_AGENT_COMMON_DIR=/u01/oracle/user_projects oracle.idm.radius.util.ORACli resetConfig

Reset Admin Users

The resetAdminUsers option resets the administrator users defined for Oracle RADIUS Agent. The administrator users, separated by the delimiter ';', must be passed as the argument.

java -cp /u01/oracle/idmradius/oracleradiusagent.jar -DORACLE_RADIUS_AGENT_COMMON_DIR=/u01/oracle/user_projects oracle.idm.radius.util.ORACli resetAdminUsers "uid=adminUser,ou=People,dc=example,dc=com;uid=test,ou=People,dc=example,dc=com"

Reset Admin Groups

The resetAdminGroups option resets the administrator groups defined for Oracle RADIUS Agent. The administrator groups, separated by the delimiter ';', must be provided as the argument.

java -cp /u01/oracle/idmradius/oracleradiusagent.jar -DORACLE_RADIUS_AGENT_COMMON_DIR=/u01/oracle/user_projects oracle.idm.radius.util.ORACli resetAdminGroups "group1;group2"

Print Admin Users and Groups

The printAdminUsersGroups option prints the list of administrator users and groups defined for Oracle RADIUS Agent.

java -cp /u01/oracle/idmradius/oracleradiusagent.jar -DORACLE_RADIUS_AGENT_COMMON_DIR=/u01/oracle/user_projects oracle.idm.radius.util.ORACli printAdminUsersGroups

Print Configuration

The printConfiguration option prints the Oracle RADIUS Agent's configuration details present in oracleRadiusAgent.json.

java -cp /u01/oracle/idmradius/oracleradiusagent.jar -DORACLE_RADIUS_AGENT_COMMON_DIR=/u01/oracle/user_projects oracle.idm.radius.util.ORACli printConfiguration


Reset LDAP Config

The resetLdapConfig option resets the primary authenticator details that are present in oracleRadiusAgent.json. The new LDAP details, such as the new LDAP URL, DN, password, truststore (Base64 certificate) and truststore type (JKS or PKCS12, optional for a Base64 certificate), along with the old LDAP URL, need to be provided as arguments. The DN and password, if not provided, are picked up from the existing LDAP configuration details along with loginAttr and baseDN.

java -cp /u01/oracle/idmradius/oracleradiusagent.jar -DORACLE_RADIUS_AGENT_COMMON_DIR=/u01/oracle/user_projects oracle.idm.radius.util.ORACli resetLdapConfig -oldLdapUrl "ldap://slc14xzv.us.oracle.com:1389" -newLdapUrl "ldaps://slc10nty.us.oracle.com:636" -dn "Administrator@ipf.com" -password "Welcome123" -truststore "-----BEGIN CERTIFICATE-----\n<base64_certificate_body>\n-----END CERTIFICATE-----"

java -cp /u01/oracle/idmradius/oracleradiusagent.jar -DORACLE_RADIUS_AGENT_COMMON_DIR=/u01/oracle/user_projects oracle.idm.radius.util.ORACli resetLdapConfig -oldLdapUrl "ldap://slc14xzv.us.oracle.com:1389" -newLdapUrl "ldaps://slc10nty.us.oracle.com:636"  -truststore "/u01/oracle/cert/orakeystore.p12" -truststoreType "PKCS12" -truststorePassword welcome

Print HTTPS Secret Store Password

The printHTTPSSecretStorePassword option prints the HTTPS self-signed secret store password.

java -cp /u01/oracle/idmradius/oracleradiusagent.jar -DORACLE_RADIUS_AGENT_COMMON_DIR=/u01/oracle/user_projects oracle.idm.radius.util.ORACli printHTTPSSecretStorePassword

Print Bootstrap Secret Store Password

The printBootstrapSecretStorePassword option prints the bootstrap secret store password.

java -cp /u01/oracle/idmradius/oracleradiusagent.jar -DORACLE_RADIUS_AGENT_COMMON_DIR=/u01/oracle/user_projects oracle.idm.radius.util.ORACli printBootstrapSecretStorePassword

Reset Bootstrap Secret Store Password

The resetBootstrapSecretStorePassword option resets the password of the bootstrap secret store. The new password must be provided as the argument.

java -cp /u01/oracle/idmradius/oracleradiusagent.jar -DORACLE_RADIUS_AGENT_COMMON_DIR=/u01/oracle/user_projects oracle.idm.radius.util.ORACli resetBootstrapSecretStorePassword <new_password>

4.3 Known Issues


4.3.1 Updating Global and Application Configurations

If you have multiple containers with a shared configuration and one of the containers adds, updates, or deletes the shared configuration at runtime, the other containers are not refreshed implicitly. To get the latest changes, either restart the other containers or reload the configuration for them. To perform a reload, run a GET request to https://<hostname.domain>/radius-config/v1/configurations/reload. See the Oracle RADIUS Agent REST API guide for more details.

4.3.2 LDAP Configuration Changes

Any LDAP configuration change results in a restart of the LDAP connection pool.