Layer7 Identity Management


Performance Notes for CA Identity Manager (IM)


  • 1.  Performance Notes for CA Identity Manager (IM)

    Posted 12-06-2013 12:20 AM

    Hello All,

    I have been updating my deck around performance of various solutions with regards to technical and business processes.

    I collected over thirty (30) processes that range from rapid to those that require updates of an architecture.

     

    I have refined the top high-value processes that can be deployed rapidly and with a listing of impacts.

    I have put together an updated deck that lists these performance enhancements; along with some useful debugging processes; and a feasible method to document your complex business processes within the IM solution.

     

    The only bottleneck in your solution stack should be database I/O or endpoint responses.  Don't let any other tier/component prevent the solution from being underutilized.

    If these processes don't give you the performance you are looking for, it will be necessary to dive a bit deeper or perhaps review the solution architecture.

     

     

    Regards,

    Alan Baugher

     

     

     

    Edit 09/10/2015  -  Added updated IM performance deck with strategic steps as well.



  • 2.  RE: Performance Notes for CA Identity Minder (IM)

    Posted 12-09-2013 06:30 PM
    alan_baugher:

    Hello All,

    I have been updating my deck around performance of various solutions with regards to technical and business processes.  

    I collected over thirty (30) processes that range from rapid to those that require updates of an architecture.

     

    I have refined the top high-value processes that can be deployed rapidly and with a listing of impacts.

    I have put together an updated deck that lists these performance enhancements; along with some useful debugging processes; and a feasible method to document your complex business processes within the IM solution.

     

    The only bottleneck in your solution stack should be database I/O or endpoint responses.  Don't let any other tier/component prevent the solution from being underutilized.

    If these processes don't give you the performance you are looking for, it will be necessary to dive a bit deeper or perhaps review the solution architecture.

     

     

    Regards,

    Alan Baugher


    Thanks for sharing this with the community Alan!



  • 3.  Re: Performance Notes for CA Identity Minder (IM)

    Posted 07-16-2014 02:11 PM

    Thanks Alan for sharing, this helped us a lot



  • 4.  Re: Performance Notes for CA Identity Minder (IM)

    Posted 07-16-2014 02:31 PM

    Hi Itamar,

     

    Thanks for the note.   I am continually updating this deck from my field notes & working with the support team.

     

    Some of these items have made it into the IM bookshelf.

     

    Now that IM r12.6.4 is out, (7/11/14) I will likely update my references.

     

     

    The two (2) most common feedback responses I get back on usefulness are TP cleanup and Entropy that were of great help.

     

    Cheers,



  • 5.  Re: Performance Notes for CA Identity Minder (IM)

    Posted 07-16-2014 02:47 PM

    Well, heap configuration is very important, as well as the thread pool.

     

    So, in our project, we use WAS 7 and I ended up changing the default thread pools for the WebContainer and SIBJMSRAThreadPool to a higher number, as we noticed that not doing that can cause Out-Of-Memory errors.

     


    Also, one needs to make sure the DB server (in our case Oracle 11gR2) has all the fix packs (ours had a memory leak).

     

    As for heap, I found out that in WAS 7 running 12.6 SP2, you need to have the following heap settings:

     

    Initial Heap Size: 1024

    Maximum Heap Size: 4096

     

    Java options:

     

    -Xgcpolicy:gencon -Dsun.reflect.inflationThreshold=0 -Xdump:none -Dcom.sun.jndi.ldap.connect.pool.protocol="plain ssl" -Dcom.sun.jndi.ldap.connect.pool.debug=fine -Dcom.sun.jndi.ldap.connect.timeout=5000 -Dcom.sun.jndi.ldap.connect.pool.maxsize=300 -Dcom.sun.jndi.ldap.connect.pool.prefsize=128

     

    Note that I am using the gencon GC policy

     

    http://publib.boulder.ibm.com/infocenter/realtime/v1r0/index.jsp?topic=%2Fcom.ibm.rt.doc.10%2Frealtime%2Frt_xoptions_gc_standard.html

     

    and only using the LDAP connection pool settings.

     

    Using any of the other settings in the document actually causes a reduction in performance.

     

    Also, starting from 12.6 SP4, you can now control how many threads you assign to the object feeder event (was hard coded to 30), so that can also improve your performance.

     

    thanks

     

    Itamar



  • 6.  Re: Performance Notes for CA Identity Minder (IM)

    Posted 09-10-2015 03:38 PM

    Thanks Itamar,

     

    I have updated my deck with your input and others.

     

    I have also included not only the quick and tactical "tweaks" but also some strategic views and possible re-architecture.

     

     

    Cheers,



  • 7.  Re: Performance Notes for CA Identity Minder (IM)

    Posted 09-11-2015 03:06 PM

    Any time



  • 8.  Re: Performance Notes for CA Identity Minder (IM)

    Posted 07-17-2014 10:41 AM

    Alan, I'm grateful for the information you've shared.

     

    Thanks

     

    Efren



  • 9.  Re: Performance Notes for CA Identity Manager (IM)

    Posted 02-19-2016 12:49 PM

    Alan,

     

    I have a specific question on the exposed IM and IMS tasks which can be set to DEBUG to track execution for troubleshooting, performance evaluation, etc. In the attached PDF (pg 30 on Advanced/Strategic Planning 03) you list the following:

    Useful for tracking IM business logic from feed to PX rules:

    • i. im.feeder = DEBUG {Must be added in Edit box}
    • ii. ims.policyxpress = DEBUG
    • iii. ims.tasktrack.custom = DEBUG {Must restart IME to fully capture debug at startup of IME}

    At one time IM Dev published a list of all available classes with loggers enabled. Is the assumption that all IM and IMS classes have java.util.logging included, so any class can be set to DEBUG via the logging.jsp UI or updating the log4j xml?



  • 10.  Re: Performance Notes for CA Identity Manager (IM)

    Posted 03-29-2016 03:42 PM

    Hi Enrique,

     

    That is my understanding.   If the class does not show up in the logging.jsp page as a drop down, I have directly added the class to the edit box and submitted.

    I was able to then see that class reported in the J2EE logs.

     

    The challenge I have found is how to ensure that "noise" is limited, to avoid overwhelming the administrator trying to debug.

     

    One answer was to directly update the log4j properties file with another "appender", and have ONLY select loggers go to that file.

    I have one just for im.feeder, ims.policyxpress, ims.tasktrack.custom to allow a capture of the business flow.

    I would like to update this process to have all the PX rules (currently in use) to create a screen LAH with a unique GUID and pass that GUID from event to event.

     

    The only three (3) ways I have found to persist this data were to store it temporarily

    1) on the user profile (an I/O hit) or

    2) in a file (an I/O hit) or

    3) use the IME's Advanced Settings > Miscellaneous > User Defined Properties   {this will be available to the entire IME, but use it for one-id-and-one-use-case at a time}

     

    However, since the attempt is to capture business logic, the above methods do assist.

     

     

    Cheers,

    A.
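
The dedicated-appender approach described in the post above, as an added example that is not part of the original thread and not CA's shipped configuration. It assumes log4j 1.x properties syntax; the appender name BIZFLOW and the log file path are hypothetical.

```properties
# Added example: route only the three business-flow loggers named in the
# thread to their own file. Assumes log4j 1.x properties syntax.
# BIZFLOW and the File path below are hypothetical; adjust to your install.

# Dedicated rolling file appender for the business-flow trace
log4j.appender.BIZFLOW=org.apache.log4j.RollingFileAppender
log4j.appender.BIZFLOW.File=/path/to/logs/im_bizflow.log
log4j.appender.BIZFLOW.MaxFileSize=10MB
log4j.appender.BIZFLOW.MaxBackupIndex=5
log4j.appender.BIZFLOW.layout=org.apache.log4j.PatternLayout
# Timestamp, level, logger name and thread, so events can be correlated
log4j.appender.BIZFLOW.layout.ConversionPattern=%d{ISO8601} %-5p [%c] (%t) %m%n

# Only these loggers are raised to DEBUG and attached to BIZFLOW
log4j.logger.im.feeder=DEBUG, BIZFLOW
log4j.logger.ims.policyxpress=DEBUG, BIZFLOW
log4j.logger.ims.tasktrack.custom=DEBUG, BIZFLOW

# additivity=false stops these events from also reaching the root
# logger's appenders, so the main server log is not flooded
log4j.additivity.im.feeder=false
log4j.additivity.ims.policyxpress=false
log4j.additivity.ims.tasktrack.custom=false
```

DEBUG output from the feeder and Policy Xpress can contain user attribute values, so give this file the same access restrictions and retention as the main server log.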



  • 11.  Re: Performance Notes for CA Identity Manager (IM)

    Posted 03-30-2016 09:01 AM

    Hi

     

    Some more settings for WAS.

     

    By default, WAS only supports 50 concurrent connections for each JVM. You can change that using the following JVM properties (I have also included some other settings I have been using to fine-tune connections):

     

    -Dsun.net.inetaddr.ttl=0 -DdisableWSAddressCaching=true

    -Dcom.ibm.websphere.webservices.http.connectionKeepAlive=true

    -Dcom.ibm.websphere.webservices.http.maxConnection=1200

    -Dcom.ibm.websphere.webservices.http.connectionIdleTimeout=6000

    -Dcom.ibm.websphere.webservices.http.connectionPoolCleanUpTime=6000

    -Dcom.ibm.websphere.webservices.http.connectionTimeout=0



  • 12.  Re: Performance Notes for CA Identity Manager (IM)

    Posted 06-05-2016 06:13 PM

    JBOSS Deployment Scanner  (Wildfly)    -   Small I/O performance improvement

     

    The OOTB deployment of JBOSS enables a 5000 millisecond deployment scanner.   For the IMAG solutions, this process is not required.    Only upon start is the deployment scanner required.

     

    To update the deployment scanner, one may edit the JBOSS_HOME\standalone\configuration\standalone*.xml

     

    But it is easily updated via the JBOSS_HOME\bin\jboss-cli.bat (jboss-cli.sh) script

     

    1)  JBOSS_HOME\bin\jboss-cli.bat     

    2)  Type  connect   at the new prompt

    3)  To view the current settings, type   /subsystem=deployment-scanner:read-resource(recursive=true)

    4)   To update the interval from default of 5000 to -1, type the following:

    /subsystem=deployment-scanner/scanner=default:write-attribute(name="scan-interval",value=-1)

     

     

    REF:

    Deployment Scanner configuration - JBoss AS 7.0 - Project Documentation Editor

    8.4.8. Configure the Deployment Scanner with the Management CLI



  • 13.  Re: Performance Notes for CA Identity Manager (IM)

    Posted 06-07-2016 04:51 PM

    Another great tip - very useful and helpful. Thanks Alan !

     

    Sagi



  • 14.  Re: Performance Notes for CA Identity Manager (IM)

    Posted 08-19-2016 12:55 PM

    Team,

     

    Two (2) DB enhancements to review for CA IMAG solution stack.

     

    How to enhance the Task Persistence DB performance when running on Oracle 11gR2 DB  [Thanks to Itamar Budin]

    https://communities.ca.com/docs/DOC-231169480

     

    IMAG SQL Server Maintenance

    https://communities.ca.com/thread/241759078

     

     

    Provisioning Server Connection Improvements -  [Thanks to Itamar Budin]

     

    Operation Details / Operation Details Expiration Time = Change from 96 to 4500

     

     

    Operation Details / Maximum Operation Details = Change from 100 to 200000

     

     

    And the usual suspect, logs.

    Transaction Log / Level = change from 7 to 3

     

     

     

    Regards,

    A.



  • 15.  Re: Performance Notes for CA Identity Manager (IM)

    Posted 08-19-2016 04:49 PM

    The document you referenced on Transaction Persistence on Oracle [https://communities.ca.com/docs/DOC-231169480] gives me an authorization error when I try to view it.  Is that a document you can share?



  • 16.  Re: Performance Notes for CA Identity Manager (IM)

    Posted 08-19-2016 04:55 PM

    Hi

     

    please try now

     

    thanks

     

    Itamar



  • 17.  Re: Performance Notes for CA Identity Manager (IM)

    Posted 08-19-2016 06:05 PM

    Thanks, works great now.



  • 18.  Re: Performance Notes for CA Identity Manager (IM)

    Posted 06-26-2018 12:42 PM

    Great Content!



  • 19.  Re: Performance Notes for CA Identity Manager (IM)

    Posted 07-27-2018 12:23 PM

    Team,

     

    Just a reminder; even on the vApp or standalone deployments; do not forget to add indexes to the IM Screens Tables.

    See the readme under the CA Identity Suite samples / tool kit / examples.

     

    NOTE:  These IM Screen Tables are built ONLY after an IME is created.   If you delete an IME, you will need to re-add these indexes upon creating the new IME.

     

     

     

     

    <Paste in this section to allow easier search ability:>

     

    config@vapp0001 VAPP-14.1.0 (192.168.242.146):/opt/CA/IdentityManager/IAM_Suite/IdentityManager/tools/samples/ObjectStore >
    config@vapp0001 VAPP-14.1.0 (192.168.242.146):/opt/CA/IdentityManager/IAM_Suite/IdentityManager/tools/samples/ObjectStore > cat Readme.txt
    The following files will add indices for Objectstore tables IM_SCREEN_LD & IM_SCREEN_FIELD_LD.

    objectstore_db_oracle.sql
    objectstore_db_sqlserver.sql

    Please note that the tables must exist before attempting to run these files. Also, these tables are not created if no environment exists i.e. this is a fresh installation, hence the files should be run AFTER environment creation.config@vapp0001 VAPP-14.1.0 (192.168.242.146):/opt/CA/IdentityManager/IAM_Suite/IdentityManager/tools/samples/ObjectStore >
    config@vapp0001 VAPP-14.1.0 (192.168.242.146):/opt/CA/IdentityManager/IAM_Suite/IdentityManager/tools/samples/ObjectStore > cat objectstore_db_oracle.sql
    -- Adding indices for Objectstore tables IM_SCREEN_LD & IM_SCREEN_FIELD_LD
    create index idx_IM_SCREEN_LD on IM_SCREEN_LD(REF_ID);
    create index idx_IM_SCREEN_FIELD_LD on IM_SCREEN_FIELD_LD(REF_ID);
    commit;
    config@vapp0001 VAPP-14.1.0 (192.168.242.146):/opt/CA/IdentityManager/IAM_Suite/IdentityManager/tools/samples/ObjectStore >

     

     

     

    EXAMPLE BEFORE:   (no indexes on the two IM Screen Tables)

     

     

    CREATING INDEXES:

    - Copy/Paste example from CA Identity Suite samples; update for your correct naming convention for these two (2) tables, e.g.    service_id.IM_SCREEN_LD   &    service_id.IM_SCREEN_FIELD_LD

     

     

     

    AFTER EXAMPLE:   Indexes added

     

     

     

     

    Test your startup & Run-n-Operate metrics before and after.

     

     

    Cheers,

     

    Alan