FAQ
ForgeRock Identity Platform
Does not apply to Identity Cloud

FAQ: Monitoring DS

Last updated Jun 15, 2021

The purpose of this FAQ is to provide answers to commonly asked questions regarding monitoring in DS.


1 reader recommends this article

Frequently asked questions

Q. How can I check that DS is up and running?

A. You can perform a heartbeat check against DS to verify that the server is up and running.

See How do I perform a heartbeat check against DS (All versions)? for further information.

Q. How can I check if a backend is online?

A. You can check if a backend is online by performing a ldapsearch against the specific backend.

See How do I check if a backend is online in DS (All versions)? for further information.

Q. How can I monitor replication?

A. You can use the status command to give you an overall view of the replication topology, including whether the servers are synchronized. For example:

  • DS 7.1 and later: $ ./dsrepl status --hostname ds1.example.com --port 4444 --bindDN uid=monitor --bindPassword password --trustStorePath /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/keystore.pin --no-prompt
  • DS 7: $ ./dsrepl status --hostname ds1.example.com --port 4444 --bindDN uid=monitor --bindPassword password --trustStorePath /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin --no-prompt
  • Pre-DS 7: $ ./dsreplication status --adminUID admin --adminPassword password --hostname ds1.example.com --port 4444 --trustAll

See Replication Status (DS7 and later) or How do I troubleshoot replication issues in DS 5.x and 6.x? for further information.

Note

The M.C.and A.O.M.C. metrics returned from the dsreplication status command are deprecated in DS 6 and replaced with replication delay in DS 6.5. You should monitor replication delay instead; you can also monitor this over LDAP and HTTP as detailed in Replication Delay (LDAP) and Replication Delay (Prometheus).

Q. How can I monitor performance?

A. You can monitor performance by performing a ldapsearch against cn=monitor to return operation statistics:

Q. What can I monitor with the cn=monitor entry?

A. DS exposes a lot of different monitoring information over LDAP under this entry:

Q. Do the statistics under the cn=monitor entry persist when the server is restarted?

A. No, the statistics under cn=monitor are reset each time the server is restarted.

Q. Do I have to use the directory superuser (uid=admin or cn=Directory Manager) for JMX monitoring?

A. No, you can use any user for JMX monitoring; you just need to add the JMX privileges (jmx-notify, jmx-read, and jmx-write) to the user you want to access JMX monitoring. No users have access to JMX monitoring by default.

See JMX-Based Monitoring for an example of how to add these privileges to a user.

Q. How can I connect to JMX to ensure mbeans are returned?

A. You must be authenticated to the DS server via a JMX client to see the mbeans with associated attributes and operations. Authenticating to the server is the only way to expose the sensitive elements within the mbeans; connecting to the process directly will not show them. Additionally, you must ensure the user who authenticates has JMX privileges.

See JMX-Based Monitoring for more information.

Q. Can I change the default listen-address for the JMX Connection Handler?

A. Yes you can change the default listen-address. By default, the listen-address for the JMX Connection Handler is 0.0.0.0.

Q. What URL should I use in JConsole to log in?

A. You must always use a remote URL, even if you are using a local connection to the JVM. For example:

service:jmx:rmi:///jndi/rmi://localhost:1689/org.opends.server.protocols.jmx.client-unknown

You can substitute a hostname alias (such as ds1.example.com) or an IP address for the localhost part of this URL. 

Note

If SSL is enabled, you must set up the truststore on the system where JConsole is running and configure SSL properly to monitor a remote application. See Using JConsole for further information.

See Also

FAQ: DS performance and tuning

How do I generate sample user data for performance testing in DS (All versions)?

Unindexed searches causing slow searches and poor performance on DS (All versions) server

Monitoring Guide

Related Training

ForgeRock Directory Services Core Concepts (DS-400)


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.