While working on OAM OVD integration for one of my client, I have been involved in the performance test of the products wherein I encountered OAM authentication failures while talking to OVD during heavy load. OAM logs revealed the following:
oracle.security.am.common.policy.common.response.ResponseException: oracle.security.am.engines.common.identity.provider.exceptions.IdentityProviderException: OAMSSA-20012: Exception in getting user attributes for user : dummy_user1, idstore MyIdentityStore with exception javax.naming.NamingException:
LDAP response read timed out, timeout used:2000ms.; remaining name 'ou=people,dc=oracle,dc=com' at oracle.security.am.common.policy.common.response.IdentityValueProvider.getUserAttribute(IdentityValueProvider.java:271)
...
During the authentication and authorization process, OAM complains that the
LDAP repository is taking too long to return user attributes.The default value is 2 seconds as can be seen from the exception, "2000ms". While troubleshooting the issue, it was found that we can increase the
ldap read timeout in oam-config.xml.
For reference, the attribute to add in the oam-config.xml file is:
<Setting Name="LdapReadTimeout" Type="xsd:string">2000</Setting>
However it is not recommended to increase the time out unless it is absolutely necessary and ensure that back-end directory servers are working fine. Rather I took the path of tuning OVD in the following manner:
1) Navigate to ORACLE_INSTANCE/config/OPMN/opmn
folder and edit opmn.xml. Search for <data
id="java-options" ………> and edit the contents of the file with the highlighted items:
<category id="start-options"><data id="java-bin" value="$ORACLE_HOME/jdk/bin/java"/><data id="java-options" value="-server -Xms1024m -Xmx1024m -Dvde.soTimeoutBackend=0 -Didm.oracle.home=$ORACLE_HOME -Dcommon.components.home=$ORACLE_HOME/../oracle_common -XX:+PrintGCDetails -XX:+PrintGCDateStamps -Xloggc:/opt/bea/Middleware/asinst_1/diagnostics/logs/OVD/ovd1/ovdGClog.log -XX:+UseConcMarkSweepGC -Doracle.security.jps.config=$ORACLE_INSTANCE/config/JPS/jps-config-jse.xml"/><data id="java-classpath" value="$ORACLE_HOME/ovd/jlib/vde.jar$:$ORACLE_HOME/jdbc/lib/ojdbc6.jar"/></category></module-data><stop timeout="120"/><ping interval="60"/></process-type>
When the system is busy, a ping from the Oracle Process Manager and Notification Server (OPMN) to Oracle Virtual Directory may fail. As a result, OPMN will restart Oracle Virtual Directory after 20 seconds (the default ping interval). To avoid this, consider increasing the ping interval to 60 seconds or more.
2) Navigate to ORACLE_INSTANCE/config/OVD/ovd1
folder.
Open
listeners.os_xml file and perform the following changes:
· Search for <ldap id=”Ldap Endpoint”…….>
and point the cursor to that line.
· Change threads count to 200.
· Change anonymous bind to Deny.
· Change workQueueCapacity to 8096.
Add a new parameter <useNIO> and set its
value to false viz: <useNIO>false</useNio>
Snippet: <ldap version="8" id="LDAP Endpoint">
.......
.......
<socketOptions><backlog>128</backlog> <reuseAddress>false</reuseAddress> <keepAlive>false</keepAlive> <tcpNoDelay>true</tcpNoDelay> <readTimeout>0</readTimeout> </socketOptions> <useNIO>false</useNIO></ldap>
Restart OVD server.
For more information on OVD tuneup refer to http://docs.oracle.com/cd/E25054_01/core.1111/e10108/ovd.htm.
Please Note: There were few patches released from OAM side for performance tune-up as well. Will provide the updates shortly !!!
