High CPU usage in OpenAM 11.0.0 and 11.0.1 when encoding and decoding SAML2 messages
The purpose of this article is to provide assistance if you are experiencing high CPU usage on the OpenAM 11.0.0 and 11.0.1 server when encoding and decoding SAML2 messages (SAML2Utils.encodeForRedirect and SAML2Utils.decodeFromRedirect).
This article has been archived and is no longer maintained by ForgeRock.
When CPU usage is high, the stack trace shows many running threads similar to the following example:

"http-8080-5" daemon prio=3 tid=0x017f9400 nid=0xc3 runnable [0xa627e000]
   java.lang.Thread.State: RUNNABLE
    at java.util.zip.Inflater.inflateBytes(Native Method)
    at java.util.zip.Inflater.inflate(Inflater.java:238)
    - locked <0xc0f7bff0> (a java.util.zip.ZStreamRef)
    at java.util.zip.Inflater.inflate(Inflater.java:256)
    at com.sun.identity.saml2.common.SAML2Utils.decodeFromRedirect(SAML2Utils.java:1290)
    at com.sun.identity.saml2.profile.IDPSingleLogout.processLogoutResponse(IDPSingleLogout.java:782)
    at org.apache.jsp.saml2.jsp.idpSingleLogoutRedirect_jsp._jspService(idpSingleLogoutRedirect_jsp.java:121)
    ...
If you need help capturing stack traces, see How do I collect JVM data for troubleshooting AM? for further information.
When using Oracle® JDK 1.6.x and early versions of 1.7.x, SAML2 message encoding and decoding requests (using SAML2Utils) can end up in a never-ending loop. This is caused by the way the Zlib library handles zip inflation and deflation; this can lead to stuck threads and consequently high CPU usage.
This issue can be resolved by upgrading to OpenAM 11.0.2 or later; you can download this from BackStage.
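The never-ending decode loop described above can be guarded against in any code that inflates a redirect-binding value. The following is an added example, not OpenAM's code and not the OPENAM-3731 fix. The class name, method names and the 64 KB cap are hypothetical; it assumes Java 8 or later (for java.util.Base64) and a value that has already been URL-decoded.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.*;
import java.util.zip.*;

public class BoundedRedirectDecode {
    static final int MAX_DECODED_BYTES = 64 * 1024; // assumed cap, tune to your deployment

    // Base64-decode and raw-inflate a redirect-binding value without ever spinning.
    static String decode(String base64Value) throws DataFormatException {
        Inflater inflater = new Inflater(true); // raw DEFLATE, no zlib header
        try {
            inflater.setInput(Base64.getDecoder().decode(base64Value));
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            byte[] buf = new byte[2048];
            while (!inflater.finished()) {
                int n = inflater.inflate(buf);
                // Zero bytes and not finished: input is exhausted (or a dictionary is
                // needed). A loop that only tests finished() would spin here forever.
                if (n == 0 && !inflater.finished()) {
                    throw new DataFormatException("inflate made no progress");
                }
                if (out.size() + n > MAX_DECODED_BYTES) {
                    throw new DataFormatException("decoded message exceeds cap");
                }
                out.write(buf, 0, n);
            }
            return new String(out.toByteArray(), StandardCharsets.UTF_8);
        } finally {
            inflater.end(); // release native zlib state
        }
    }
    // Helper that builds constructed sample input: raw-deflate a small message.
    static byte[] deflateRaw(String xml) {
        Deflater deflater = new Deflater(Deflater.DEFAULT_COMPRESSION, true);
        deflater.setInput(xml.getBytes(StandardCharsets.UTF_8));
        deflater.finish();
        byte[] buf = new byte[4096];
        int len = deflater.deflate(buf);
        deflater.end();
        return Arrays.copyOf(buf, len);
    }
    public static void main(String[] args) throws DataFormatException {
        byte[] raw = deflateRaw("<samlp:LogoutResponse ID=\"constructed-sample\"/>");
        System.out.println(decode(Base64.getEncoder().encodeToString(raw)));
        byte[] cut = Arrays.copyOf(raw, raw.length - 3); // constructed truncated stream
        try { decode(Base64.getEncoder().encodeToString(cut)); }
        catch (DataFormatException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

Because the value arrives in a request parameter, both guards matter: the progress check stops a stalled loop, and the size cap bounds the work done on a highly compressible input.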
How do I collect data for troubleshooting high CPU utilization on AM (All versions) servers?
How do I find which thread is consuming CPU in a Java process in AM?
How do I collect JVM data for troubleshooting AM?
How do I use the msnapshots script to capture information for troubleshooting AM (All versions)?
Related Issue Tracker IDs
OPENAM-3731 (Sun JDK 1.6.0_43: some requests cause never-ending loop in SAML2Utils.decodeFromRedirect)