Access Management 7.2.2

Tuning server settings

AM has a number of settings that can be tuned to increase performance.

Logging settings

The following general points apply:

  • Set debug logging level to error.

  • Set container-level logging to a low level, such as error or severe.

Notification settings

AM has two thread pools used to send notifications to clients. The Service Management Service (SMS) thread pool can be tuned in the AM admin UI, under Configure > Server Defaults > SDK > Data Store:

SMS notification setting

| Property | Default value | Suggestions |
|---|---|---|
| Notification Pool Size (com.sun.identity.sm.notification.threadpool.size) | 1 | Specifies the size of the thread pool used to send notifications. A value of 1 causes notifications to be processed sequentially, avoiding any potential out-of-order conditions. In production, where configuration is unlikely to change often, keeping the default of 1 is recommended. |

The session service has its own thread pool to send notifications to listeners about changes to server-side sessions. This is configured under Configure > Server Defaults > Session > Notification:

Session service notification settings

| Property | Default value | Suggestions |
|---|---|---|
| Notification Pool Size (com.iplanet.am.notification.threadpool.size) | 10 | This is the size of the thread pool used to send notifications. In production this should be around 25-30. |
| Notification Thread Pool Threshold (com.iplanet.am.notification.threadpool.threshold) | 5000 | This is the maximum number of notifications in the queue waiting to be sent. The default value should be fine in the majority of installations. |

Session settings

The Session service has additional properties to tune, which are configured under Configure > Server Defaults > Session > Session Limits. The following suggestion applies to deployments using server-side sessions:

Session Settings

| Property | Default Value | Suggestion |
|---|---|---|
| Maximum Session Cache Size (org.forgerock.openam.session.service.access.persistence.caching.maxsize) | 5000 | Maximum number of AM sessions to cache on the server. In production, this value can safely be set into the 100,000s. The maximum session cache size is really controlled by the maximum size of the JVM heap which must be tuned appropriately to match the desired session cache size. |
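
The suggestions in the notification and session tables above can be checked against a server's exported properties to catch configuration drift. The following Python script is an added example, not part of the AM documentation or product: the property names, defaults and suggested ranges are the ones on this page, while the key=value export format and the sample values are assumptions. The session cache rule applies only to deployments using server-side sessions.

```python
# property -> (default stated on this page, lowest suggested, highest suggested or None)
RULES = {
    "com.sun.identity.sm.notification.threadpool.size": (1, 1, 1),
    "com.iplanet.am.notification.threadpool.size": (10, 25, 30),
    "com.iplanet.am.notification.threadpool.threshold": (5000, 5000, 5000),
    "org.forgerock.openam.session.service.access.persistence.caching.maxsize": (5000, 100_000, None),
}


def parse_properties(text):
    """Parse key=value lines (assumed export format); skip blanks and '#' comments."""
    props = {}
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def audit(text):
    """Return {property: (status, effective_value)} for every rule."""
    props = parse_properties(text)
    report = {}
    for name, (default, low, high) in RULES.items():
        raw = props.get(name)
        if raw is None:
            value = default  # property not set, so the default from this page applies
        else:
            try:
                value = int(raw)
            except ValueError:
                report[name] = ("invalid", raw)
                continue
        in_range = value >= low and (high is None or value <= high)
        report[name] = ("ok" if in_range else "review", value)
    return report


# Constructed sample export, not taken from a real deployment.
SAMPLE = """\
# server defaults
com.sun.identity.sm.notification.threadpool.size=4
com.iplanet.am.notification.threadpool.size = 28
org.forgerock.openam.session.service.access.persistence.caching.maxsize=abc
"""

if __name__ == "__main__":
    for prop, (status, value) in audit(SAMPLE).items():
        print(f"{status:8} {prop} = {value}")
```

A "review" status means the value differs from this page's suggestion and should be justified for the deployment; it is not an error in itself.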

Policy evaluation settings

The AM policy engine places policies for evaluation on a queue in batches. Use ssoadm to improve policy evaluation throughput by configuring the number of threads available to process this queue.

This example increases the number of threads from the default value of 10 to 20:

./ssoadm set-entitlement-conf -u <admin_id> -f <password_file> -a evalThreadSize=20

For more information about this command, refer to set-entitlement-conf.