Access Management 7.4.1

Tune JVM settings

This section gives some initial guidance on configuring the JVM for running AM when the deployment has a dedicated CTS token store, and AM is configured to use server-side sessions.

These settings provide a strong foundation for the JVM, either as a starting point before a more detailed garbage collection tuning exercise or as a best-practice configuration for production:

Heap size settings

-Xms & -Xmx
  Suggested value: At least 1 GB (2 GB with embedded DS), in production environments at least 2 GB to 3 GB. This setting depends on the available physical memory, and on whether a 32- or 64-bit JVM is used.

-XX:MetaspaceSize & -XX:MaxMetaspaceSize
  Suggested value: Set both to 256 MB
  Description: Controls the size of the metaspace in the JVM.

-Dsun.net.client.defaultReadTimeout
  Suggested value: 60000
  Description: Controls the read timeout in the Java HTTP client implementation. This applies only to the Sun/Oracle HotSpot JVM.

-Dsun.net.client.defaultConnectTimeout
  Suggested value: High setting: 30000 (30 seconds)
  Description: Controls the connect timeout in the Java HTTP client implementation. When you have hundreds of incoming requests per second, reduce this value to avoid a huge connection queue. This applies only to the Sun/Oracle HotSpot JVM.

Security settings

-Dhttps.protocols
  Suggested value: TLSv1.2
  Description: Controls the protocols used for outbound HTTPS connections from AM. Specify one or more of the following values, separated by commas:
    • TLSv1.2
    • TLSv1.3
  This setting applies only to Sun/Oracle Java environments.

-Dorg.forgerock.openam.ldap.secure.protocol.version
  Suggested value: TLSv1.2
  Description: Controls the protocol AM uses to connect to affected external resources. Specify one or more of the following values, separated by commas:
    • TLSv1.2
    • TLSv1.3
  This setting overrides the default server value. For details, refer to advanced properties.

Garbage collection settings

-verbose:gc
  Description: Verbose garbage collection reporting.

-Xlog:gc*
  Suggested value: -Xlog:gc=info:file=$CATALINA_HOME/logs/gc-info.log
  Description: Logs detailed information about garbage collection. When using the -Xlog:gc option, you can also specify the log level and an output file, as in the suggested value.

-XX:+HeapDumpOnOutOfMemoryError
  Description: Out of Memory errors generate a heap dump automatically.

-XX:HeapDumpPath
  Suggested value: $CATALINA_HOME/logs/heapdump.hprof
  Description: Location of the heap dump.

-XX:+PrintClassHistogram
  Description: Prints a heap histogram when the JVM receives a SIGTERM signal.
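The values in the three tables above are easy to get wrong in a long CATALINA_OPTS line. As an added example (not code from the AM documentation or product), the following POSIX sh script audits such a line for the settings this page lists: the 1 GB heap minimum, the metaspace setting, the heap-dump flag, and that -Dhttps.protocols permits only TLSv1.2 and TLSv1.3. The two option strings at the end are constructed samples.

```shell
# Audit a CATALINA_OPTS/JAVA_OPTS string against the settings recommended above.
# Prints one line per finding and returns the finding count (0 = nothing to report).

# Convert a -Xmx/-Xms size (512m, 2g, or a bare byte count) to MB; prints nothing if unparseable.
size_to_mb() {
  n=${1%[gGmM]}
  case "$n" in ''|*[!0-9]*) echo ""; return 0 ;; esac
  case "$1" in
    *[gG]) echo $(( n * 1024 )) ;;
    *[mM]) echo "$n" ;;
    *)     echo $(( n / 1048576 )) ;;
  esac
}

# Succeed only if every comma-separated entry is one of the two protocols the page allows.
tls_protocols_ok() {
  for p in $(printf '%s' "$1" | tr ',' ' '); do
    case "$p" in TLSv1.2|TLSv1.3) ;; *) return 1 ;; esac
  done
  return 0
}

note() { echo "finding: $1"; findings=$((findings + 1)); }

check_jvm_opts() {
  findings=0; xmx=""; proto=""
  set -f   # no pathname expansion while splitting: "-Xlog:gc*" must not be globbed
  for o in $1; do
    case "$o" in
      -Xmx*)               xmx=${o#-Xmx} ;;
      -Dhttps.protocols=*) proto=${o#-Dhttps.protocols=} ;;
    esac
  done
  case " $1 " in *" -XX:+HeapDumpOnOutOfMemoryError "*) ;; *) note "-XX:+HeapDumpOnOutOfMemoryError not set" ;; esac
  case " $1 " in *" -XX:MetaspaceSize="*) ;; *) note "-XX:MetaspaceSize not set" ;; esac
  mb=$(size_to_mb "$xmx")
  if [ -z "$mb" ]; then note "-Xmx missing or unparseable ('$xmx')"
  elif [ "$mb" -lt 1024 ]; then note "-Xmx $xmx is below the 1 GB minimum"; fi
  if [ -z "$proto" ]; then note "-Dhttps.protocols not set; outbound HTTPS uses the JVM default"
  elif ! tls_protocols_ok "$proto"; then note "-Dhttps.protocols=$proto allows a protocol other than TLSv1.2/TLSv1.3"; fi
  set +f
  return "$findings"
}

# Constructed samples: a line that meets the tables above, and a weak one (returns 4).
check_jvm_opts "-Xms2g -Xmx2g -XX:MetaspaceSize=256m -XX:MaxMetaspaceSize=256m -Dhttps.protocols=TLSv1.2,TLSv1.3 -XX:+HeapDumpOnOutOfMemoryError -Xlog:gc*" && echo "ok"
check_jvm_opts "-Xmx512m -Dhttps.protocols=TLSv1,TLSv1.2" || echo "$? finding(s)"
```

Run it with `sh` against the value of CATALINA_OPTS from setenv.sh; a non-zero exit status means at least one of the listed settings is missing or weaker than recommended.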

Java 17-specific settings

--add-opens
  Suggested value: java.xml/com.sun.org.apache.xerces.internal.dom=ALL-UNNAMED
  Description: When running AM with JRE 17, SAML Artifact flows (or any flows that use Xerces SOAP libraries) can fail with the following error:

    Caused by: java.lang.IllegalAccessError: superclass access check failed: class com.sun.xml.messaging.saaj.soap.SOAPDocumentImpl (in unnamed module @0x774ca796) cannot access class com.sun.org.apache.xerces.internal.dom.DocumentImpl (in module java.xml) because module java.xml does not export com.sun.org.apache.xerces.internal.dom to unnamed module @0x774ca796

  Set this module flag to avoid this error.