Command line interface and REST commands timeout in OpenIDM 4.0 when communicating over SSL
The purpose of this article is to provide assistance if you experience issues where command line interface (cli.sh) and REST commands timeout in OpenIDM 4.0 when communicating over SSL. When the timeout occurs, CPU usage is high (~100%).
1 reader recommends this article
This article has been archived and is no longer maintained by ForgeRock.
Running a cli.sh command or a REST command that communicates over SSL intermittently times out / hangs. On the server, you will notice that the OpenIDM Java® process is consuming ~100% CPU when the timeout occurs.
Example commands that will cause an issue are:
- REST: $ curl -k -H "X-OpenIDM-Username: openidm-admin" -H "X-OpenIDM-Password: openidm-admin" -X GET "https://localhost:8443/openidm/managed/user/?_queryId=query-all-ids"
- cli.sh: $ cli.sh configexport --user openidm-admin:openidm-admin --port 8443 --url https://localhost:8443/openidm/ /tmp/config-export
Running the same commands with http instead of https succeeds.
If you locate the thread that is consuming the CPU as described in How do I find which thread is consuming CPU in a Java process in IDM?, you will see that the thread corresponds to a Restlet JVM thread similar to the following:"Restlet-2001136342" daemon prio=10 tid=0x00007faa28018000 nid=0xd1c runnable [0x00007faa1c84e000] java.lang.Thread.State: RUNNABLE
An infinite loop occurs in the Restlet code when attempting the SSL handshake, which is caused by Restlet Issue #805. An affected version of Restlet (2.1.2) is bundled with OpenIDM.
This issue can be resolved by upgrading to OpenIDM 4.5 or later; you can download this from BackStage.
Related Issue Tracker IDs
OPENIDM-5438 (Infinite loop within Restlet 2.1.2 library when using ExternalRest over SSL)