Access Management 7.2.2

Tune LDAP connectivity

AM instances use pools of connections when communicating with LDAP data stores. You can tune these connection pools to improve performance, and to help with load balancing in the case of failover.

AM provides a global timeout setting for connections in a pool, and each store has properties for the maximum pool size, and in some cases, the minimum pool size.

AM will attempt to use as few connections to LDAP data stores as possible, down to the minimum pool value, if specified. Under heavy load, AM creates additional connections to the configured data stores, up to the maximum pool value. These connections are made to any of the available LDAP data stores that are configured for the relevant purpose.

When the load begins to drop, some of those connections become idle. If a connection is idle for longer than the configured connection idle time, AM closes the connection, until any specified minimum pool size is reached.

By closing idle connections and recreating them when needed, AM balances connections across all available LDAP servers, rather than keeping the entire pool connected to a single server.

Tuning the connection pool settings can increase performance, or make AM more responsive to LDAP data store outages.

Configure connection pool timeouts

  1. To configure the timeout used for connections to LDAP stores:

    • Open the bootstrapConfig.properties file in the AM classpath; for example, in /path/to/tomcat/webapps/openam/WEB-INF/classes/.

    • Add or update the following property, and set the idle timeout, in seconds:

      com.sun.am.ldap.connection.idle.seconds=300

  2. You must also configure the setting in the Advanced section of the server defaults, as follows:

    • In the AM admin UI, go to Configure > Server Defaults > Advanced.

    • Add or edit the following property, and set the idle timeout, in seconds:

      com.sun.am.ldap.connection.idle.seconds=300

  3. Restart AM or the container in which it runs for these changes to take effect.

After configuring the timeout for the stores, set the pool sizes assigned to the different stores:

Tune configuration store LDAP connections

To change LDAP configuration store settings, go to Deployment > Servers > Server Name > Directory Configuration.

LDAP Configuration Store Settings

  Minimum Connection Pool
    Default: 1
    Property: minConnectionPool

  Maximum Connection Pool
    Default: 10
    Notes: The default value of 10 is suitable for most cases; tuning this setting doesn’t affect operational performance, only system startup.
    Property: maxConnectionPool

Tune CTS store LDAP connections

You can increase the number of connections used for connecting to CTS to increase throughput.

One connection is reserved for cleanup of expired CTS tokens. The remaining connections are allocated for CTS operations such that their number is equal to a power of two. Because of this, you should set the maximum number of connections to 2^n + 1, as in 9, 17, 33, 65, and so forth.

The default maximum number of connections to the CTS is 10. To alter the default, go to Deployment > Servers > Server Name > CTS > CTS Token Store, and alter the Max Connections property.

You may need to click the Inherit Value property to unlock the value for editing.

You can also edit the Max Connections default globally by navigating to Configure > Server Defaults > CTS, clicking the CTS Token Store tab, and then altering the Max Connections property.

If you need to change the default CTS connection timeout, set the org.forgerock.services.datalayer.connection.timeout.cts.async property under Deployment > Servers > Server Name > Advanced.

Most CTS requests to the directory server are handled quickly, so the default timeout of 10 seconds is suitable in most cases.

You must restart AM or the container in which it runs for these changes to take effect.

Tune external policy and applications store LDAP connections

To change external policy and application data store settings, go to Configure > Global Services > External Data Stores > Secondary Configurations > Store Name.

Policy and application data is stored in the configuration data store if not configured separately. To manage the configuration store connection pool, see Tune configuration store LDAP connections.

LDAP Policy and Application Store Settings

  Minimum Connection Pool Size
    Default: 1
    Notes: Must be less than the maximum size to allow reaping to function.
    Property: minimumConnectionPool

  Maximum Connection Pool Size
    Default: 10
    Property: maximumConnectionPool

Tune identity store LDAP connections

To change LDAP data store settings, go to Realms > Realm Name > Identity Stores > Identity Store Name in the AM admin UI. Each store has its own connection pool, so each store needs its own tuning:

LDAP Identity Store Settings

  LDAP Connection Pool Minimum Size
    Default: 1
    Notes: A good tuning value for this property is 10.
    Property: sun-idrepo-ldapv3-config-connection_pool_min_size

  LDAP Connection Pool Maximum Size
    Default: 10
    Notes: The maximum LDAP connection pool size; a high tuning value for this property is 65, though you might well be able to reduce this for your deployment. Ensure your LDAP server can cope with the maximum number of clients across all the AM servers.
    Property: sun-idrepo-ldapv3-config-connection_pool_max_size

Tune UMA store LDAP connections

To change the various UMA-related data store settings, go to Deployment > Servers > Server Name.

To increase the number of connections used for the various UMA-related data stores, go to Deployment > Servers > Server Name > UMA > UMA Store Type, and alter the Max Connections property.

You may need to click the Inherit Value property to unlock the value for editing.

You can also edit the Max Connections defaults globally by navigating to Configure > Server Defaults > UMA, clicking the relevant UMA store tab, and then altering the Max Connections property.

LDAP UMA Store Settings

  UMA Resource Store > Max Connections
    Default: 10
    Property: org.forgerock.services.resourcesets.store.max.connections

  UMA Audit Store > Max Connections
    Default: 10
    Property: org.forgerock.services.umaaudit.store.max.connections

  Pending Requests Store > Max Connections
    Default: 10
    Property: org.forgerock.services.pendingrequests.store.max.connections

  UMA Resource Labels Store > Max Connections
    Default: 2
    Property: org.forgerock.services.uma.labels.store.max.connections

Tune authentication node/module LDAP connections

To change connection pool settings for the LDAP Decision node and LDAP Authentication Module, in the AM admin UI, go to Configure > Authentication > Core Attributes > Global Attributes.

LDAP Authentication Node/Module Settings

  Default LDAP Connection Pool Size
    Default: 1:10
    Notes: The minimum and maximum LDAP connection pool sizes used by the LDAP authentication node/module, separated by a colon (:) character. Use 10:65 for production AM instances.
    Property: iplanet-am-auth-ldap-connection-pool-default-size
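The following is an added example, not part of the AM documentation or ForgeRock's code. It checks a pool-sizing plan against the rules this page states: the CTS "2^n + 1" rule, the requirement that a minimum pool size stay below the maximum so reaping works, the "min:max" format of the authentication node/module setting, and the total number of clients the directory server must accept across all AM servers. The store names, server count and directory limit are constructed sample values, and the assumption that AM rounds the CTS operational share down to a power of two is labelled in the code.

```python
# Added example (not ForgeRock code): sanity-check an AM LDAP pool tuning plan.
# All store names and numbers in SAMPLE_PLAN are constructed sample values.

def cts_split(max_connections):
    """Return (cleanup, operational, unused) for a CTS pool of the given size.

    Assumption: AM rounds the operational share down to a power of two,
    which is why the page recommends 2^n + 1 (9, 17, 33, 65, ...).
    """
    remaining = max(max_connections - 1, 0)  # one connection reserved for cleanup
    operational = 1 << (remaining.bit_length() - 1) if remaining > 0 else 0
    return 1, operational, remaining - operational

def recommended_cts_max(max_connections):
    """Nearest 2^n + 1 value at or below the requested CTS maximum."""
    return cts_split(max_connections)[1] + 1

def parse_auth_pool(value):
    """Parse iplanet-am-auth-ldap-connection-pool-default-size, e.g. '10:65'."""
    lo, hi = value.split(":")
    return int(lo), int(hi)

def check_plan(stores, am_servers, directory_max_clients):
    """stores: {name: (min, max)}. Returns a list of findings; empty means OK."""
    findings = []
    for name, (lo, hi) in stores.items():
        # A minimum at or above the maximum leaves nothing for reaping to close.
        if lo >= hi:
            findings.append(f"{name}: min {lo} must be less than max {hi} for reaping")
        if name == "cts":
            _, ops, unused = cts_split(hi)
            if unused:
                findings.append(f"cts: max {hi} wastes {unused} connection(s); use {ops + 1}")
    # Every AM server may open its full maxima, so the directory must accept the sum.
    total = am_servers * sum(hi for _, hi in stores.values())
    if total > directory_max_clients:
        findings.append(f"directory must accept {total} clients, limit is {directory_max_clients}")
    return findings

SAMPLE_PLAN = {  # constructed values: (min, max) per store
    "config": (1, 10),
    "cts": (1, 10),                      # the page's default, which is not 2^n + 1
    "identity": (10, 65),                # the page's suggested production values
    "auth": parse_auth_pool("10:65"),    # the page's suggested production setting
}

if __name__ == "__main__":
    for finding in check_plan(SAMPLE_PLAN, am_servers=3, directory_max_clients=500):
        print(finding)
```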

Copyright © 2010-2024 ForgeRock, all rights reserved.