Tuning LDAP Connectivity
AM instances use pools of connections when communicating to LDAP data stores. You can tune these connection pools to improve performance, and help with load balancing in the case of failover.
AM provides a global timeout setting for connections in a pool, and each store has properties for the maximum pool size, and in some cases, the minimum pool size.
AM will attempt to use as few connections to LDAP data stores as possible, down to the minimum pool value, if specified. Under heavy load, AM creates additional connections to the configured data stores, up to the maximum pool value. These connections are made to any of the available LDAP data stores that are configured for the relevant purpose.
When the load begins to drop, some of those connections become idle. If a connection is idle for longer than the configured connection idle time, AM closes the connection, until any specified minimum pool size is reached.
By closing idle connections and recreating them when needed, AM balances connections across all available LDAP servers, rather than keeping the entire pool connected to a single server.
Tuning the connection pool settings can increase performance, or make AM more responsive to LDAP data store outages.
To configure the timeout used for connections to LDAP stores:
Open the bootstrapConfig.properties file in the AM classpath; for example, in /path/to/tomcat/webapps/openam/WEB-INF/classes/. Add, or update the following property, and set the idle timeout, in seconds:
com.sun.am.ldap.connection.idle.seconds=300
You also need to configure the setting in the Advanced section of the server defaults, as follows:
In the administration console, navigate to Configure > Server Defaults > Advanced.
Add, or edit the following property, and set the idle timeout, in seconds:
com.sun.am.ldap.connection.idle.seconds=300
Restart AM or the container in which it runs for these changes to take effect.
After configuring the timeout for the stores, you can set the pool sizes assigned to the different stores:
Tuning Configuration Store LDAP Connections
To change LDAP configuration store settings, navigate to Deployment > Servers > Server Name > Directory Configuration.
Label | Default | Notes |
---|---|---|
Minimum Connection Pool | 1 | Property: |
Maximum Connection Pool | 10 | Property: |
Tuning CTS Store LDAP Connections
You can increase the number of connections used for connecting to CTS to increase throughput.
One connection is reserved for cleanup of expired CTS tokens. The remaining connections are allocated for CTS operations such that the number is equal to a power of two. Because of this, you should set the maximum number of connections to 2^n + 1, as in 9, 17, 33, 65, and so forth.
The default maximum number of connections to the CTS is 10. To alter the default, navigate to Deployment > Servers > Server Name > CTS > CTS Token Store, and alter the Max Connections property.
You may need to click the Inherit Value property to unlock the value for editing.
Tip
You can also edit the Max Connections default globally by navigating to Configure > Server Defaults > CTS, click the CTS Token Store tab, and then alter the Max Connection property.
If you need to change the default CTS connection timeout, set the org.forgerock.services.datalayer.connection.timeout.cts.async property under Deployment > Servers > Server Name > Advanced.
Most CTS requests to the directory server are handled quickly, so the default timeout of 10 seconds is suitable in most cases.
You must restart AM or the container in which it runs for these changes to take effect.
Tuning External Policy and Applications Store LDAP Connections
To change external policy and application data store settings, navigate to Configure > Global Services > External Data Stores > Secondary Configurations > Store Name.
Note
Policy and application data is stored in the configuration data store if not configured separately. To manage the configuration store connection pool, see "Tuning Configuration Store LDAP Connections".
Label | Default | Notes |
---|---|---|
Minimum Connection Pool Size | 1 | Must be less than the maximum size to allow reaping to function. Property: |
Maximum Connection Pool Size | 10 | Property: |
Tuning Identity Store LDAP Connections
To change LDAP data store settings, navigate to Realms > Realm Name > Identity Stores > Identity Store Name in the AM console. Each store has its own connection pool—so each store needs its own tuning:
Label | Default | Notes |
---|---|---|
LDAP Connection Pool Minimum Size | 1 | A good tuning value for this property is 10. Property: |
LDAP Connection Pool Maximum Size | 10 | The maximum LDAP connection pool size; a high tuning value for this property is 65, though you might well be able to reduce this for your deployment. Ensure your LDAP server can cope with the maximum number of clients across all the AM servers. Property: |
Tuning UMA Store LDAP Connections
To change the various UMA-related data store settings, navigate to Deployment > Servers > Server Name.
To increase the number of connections used for the various UMA-related data stores, navigate to Deployment > Servers > Server Name > UMA > UMA Store Type, and alter the Max Connections property.
You may need to click the Inherit Value property to unlock the value for editing.
Tip
You can also edit the Max Connections defaults globally by navigating to Configure > Server Defaults > UMA, click the relevant UMA store tab, and then alter the Max Connection property.
Label | Default | Notes |
---|---|---|
UMA Resource Store > Max Connections | 10 | Property: |
UMA Audit Store > Max Connections | 10 | Property: |
Pending Requests Store > Max Connections | 10 | Property: |
UMA Resource Labels Store > Max Connections | 2 | Property: |
Tuning Authentication Node/Module LDAP Connections
To change connection pool settings for the "LDAP Decision Node" and LDAP Authentication Module, in the AM console, go to Configure > Authentication > Core Attributes > Global Attributes.
Label | Default | Notes |
---|---|---|
Default LDAP Connection Pool Size | 1:10 | The minimum and maximum LDAP connection pool used by the LDAP authentication node/module, separated by a colon (:) character. Use Property: |
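As an added example (not part of the AM documentation), the following Python checks proposed pool settings against the rules stated above: the CTS maximum of 2^n + 1, the min:max format of Default LDAP Connection Pool Size, and the requirement that the minimum stay below the maximum so idle-connection reaping can work. The function names are assumptions chosen for this example.

```python
import re


def is_cts_pool_size(max_connections: int) -> bool:
    """True when max_connections is 2^n + 1: one connection is reserved for
    expired-token cleanup and the remaining count must be a power of two
    (9, 17, 33, 65, ...)."""
    workers = max_connections - 1
    return workers >= 1 and workers & (workers - 1) == 0


def recommend_cts_pool_size(desired: int) -> int:
    """Round a desired CTS Max Connections value up to the next 2^n + 1.
    For the default of 10 this yields 17 (16 workers + 1 cleanup)."""
    if desired <= 2:
        return 2  # 2^0 + 1: smallest value that satisfies the rule
    workers = desired - 1
    if workers & (workers - 1):  # not a power of two, round up to the next one
        workers = 1 << workers.bit_length()
    return workers + 1


def parse_auth_pool_size(value: str) -> tuple[int, int]:
    """Parse the 'min:max' string used by Default LDAP Connection Pool Size
    for the LDAP Decision Node / LDAP Authentication Module."""
    m = re.fullmatch(r"\s*(\d+)\s*:\s*(\d+)\s*", value)
    if not m:
        raise ValueError(f"expected 'min:max', got {value!r}")
    return int(m.group(1)), int(m.group(2))


def check_pool_bounds(minimum: int, maximum: int) -> list[str]:
    """Return a list of problems with a min/max pair (empty when it is valid).
    The minimum must be strictly below the maximum or reaping cannot function."""
    problems = []
    if minimum < 0 or maximum < 1:
        problems.append("pool sizes must be non-negative and max at least 1")
    if minimum >= maximum:
        problems.append(f"minimum {minimum} must be less than maximum {maximum}")
    return problems


if __name__ == "__main__":
    # Constructed sample values: the documented defaults and one tuned pair.
    print(is_cts_pool_size(10), recommend_cts_pool_size(10))
    lo, hi = parse_auth_pool_size("1:10")
    print(check_pool_bounds(lo, hi), check_pool_bounds(65, 65))
```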