PingAM 7.5.1

Tune LDAP connectivity

AM instances use pools of connections when communicating to LDAP data stores. You can tune these connection pools to improve performance, and help with load balancing in the case of failover.

AM provides a global timeout setting for connections in a pool, and each store has properties for the maximum pool size, and in some cases, the minimum pool size.

AM will attempt to use as few connections to LDAP data stores as possible, down to the minimum pool value, if specified. Under heavy load, AM creates additional connections to the configured data stores, up to the maximum pool value. These connections are made to any of the available LDAP data stores that are configured for the relevant purpose.

When the load begins to drop, some of those connections become idle. If a connection is idle for longer than the configured connection idle time, AM closes the connection, until any specified minimum pool size is reached.

By closing idle connections and recreating them when needed, AM balances connections across all available LDAP servers, rather than keeping the entire pool connected to a single server.

Tuning the connection pool settings can increase performance, or make AM more responsive to LDAP data store outages.
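The paragraphs above describe the pool's life cycle in words: grow on demand up to the maximum, spread new connections across the available directory servers, and reap idle connections back down to the minimum. The following toy model, added here as an illustration and not PingAM's own pool implementation, makes that behaviour concrete; the class, the server names and the timings are constructed for the example.

```python
"""Toy model of the pool behaviour described above: connections are opened on
demand up to the maximum, spread across the available LDAP servers, and a
reaper closes connections idle for longer than the idle timeout until the
minimum pool size is reached.

Added illustration, not PingAM's own code; server names and timings are
constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Connection:
    server: str
    idle_since: Optional[float] = None  # None while the connection is in use


def pool_sizes_valid(min_size: int, max_size: int) -> bool:
    """Reaping can only work if the minimum is strictly below the maximum."""
    return 0 <= min_size < max_size


@dataclass
class LdapPool:
    servers: List[str]
    min_size: int
    max_size: int
    idle_seconds: float
    conns: List[Connection] = field(default_factory=list)
    _next_server: int = 0

    def __post_init__(self) -> None:
        if not pool_sizes_valid(self.min_size, self.max_size):
            raise ValueError("minimum pool size must be below the maximum")

    def acquire(self) -> Connection:
        # Prefer an idle connection; only open a new one when none is free.
        for c in self.conns:
            if c.idle_since is not None:
                c.idle_since = None
                return c
        if len(self.conns) >= self.max_size:
            raise RuntimeError("pool exhausted: all %d connections busy" % self.max_size)
        # New connections rotate over the configured servers, which is what
        # spreads the pool instead of pinning it to one directory.
        server = self.servers[self._next_server % len(self.servers)]
        self._next_server += 1
        c = Connection(server)
        self.conns.append(c)
        return c

    def release(self, conn: Connection, now: float) -> None:
        conn.idle_since = now

    def reap(self, now: float) -> int:
        """Close connections idle longer than idle_seconds; keep min_size open."""
        closed = 0
        for c in list(self.conns):
            if len(self.conns) <= self.min_size:
                break
            if c.idle_since is not None and now - c.idle_since > self.idle_seconds:
                self.conns.remove(c)
                closed += 1
        return closed

    def per_server(self) -> Dict[str, int]:
        counts = {s: 0 for s in self.servers}
        for c in self.conns:
            counts[c.server] += 1
        return counts


def simulate():
    """Burst of 6 requests, then load drops and the reaper runs twice."""
    pool = LdapPool(["ds1.example.com", "ds2.example.com"],
                    min_size=1, max_size=10, idle_seconds=300)
    busy = [pool.acquire() for _ in range(6)]
    peak = pool.per_server()
    for c in busy:
        pool.release(c, now=10)
    early = pool.reap(now=100)   # idle for 90 s only: nothing closed
    late = pool.reap(now=400)    # idle for 390 s: closed down to min_size
    return peak, early, late, len(pool.conns)


if __name__ == "__main__":
    print(simulate())
```

Two details of the model matter for tuning: the reaper stops at the minimum pool size whatever the idle time, which is why a minimum equal to the maximum disables reaping entirely, and rebalancing across directory servers only happens when a connection is closed and later reopened, so a long idle timeout keeps the pool pinned to whichever servers it first connected to.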

Configure connection pool timeouts

  1. To configure the timeout used for connections to LDAP stores:

    • Open the bootstrapConfig.properties file in the AM classpath; for example, in /path/to/tomcat/webapps/openam/WEB-INF/classes/.

    • Add or update the following property, setting the idle timeout in seconds:

      com.sun.am.ldap.connection.idle.seconds=300
  2. You must also configure the setting in the Advanced section of the server defaults, as follows:

    • In the AM admin UI, go to Configure > Server Defaults > Advanced.

    • Add or edit the following property, setting the idle timeout in seconds:

      com.sun.am.ldap.connection.idle.seconds=300
  3. Restart AM or the container in which it runs for these changes to take effect.
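Step 1 asks you to add the property if it is missing and update it if it is already present. The helper below, an added example rather than part of PingAM or its documentation, does exactly that for a Java .properties file without disturbing the other lines: the key is the one from the step above, while the sample file content and the path used in the demo are constructed.

```python
"""Add-or-update the idle-timeout property in a Java .properties file, as
step 1 above asks. Added example, not part of PingAM or its documentation.
The property key is the one from the page; SAMPLE and the demo path are
constructed.
"""
import re
from pathlib import Path

IDLE_KEY = "com.sun.am.ldap.connection.idle.seconds"

SAMPLE = """# constructed sample of bootstrapConfig.properties
example.other.property=keep-me
com.sun.am.ldap.connection.idle.seconds = 30
"""


def upsert_property(text: str, key: str, value: str) -> str:
    """Return text with exactly one `key=value` line.

    An existing definition is replaced in place (Java accepts '=' or ':' and
    surrounding whitespace), duplicates are dropped so the value is
    unambiguous, other lines and comments are left untouched, and the key is
    appended when absent.
    """
    key_line = re.compile(r"^\s*" + re.escape(key) + r"\s*[=:]")
    out, replaced = [], False
    for line in text.splitlines():
        if key_line.match(line):
            if not replaced:
                out.append(f"{key}={value}")
                replaced = True
            continue
        out.append(line)
    if not replaced:
        out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


def set_idle_timeout(path: Path, seconds: int) -> str:
    """Write the idle timeout into the properties file at `path`."""
    if seconds <= 0:
        raise ValueError("idle timeout must be a positive number of seconds")
    text = path.read_text(encoding="utf-8") if path.exists() else ""
    updated = upsert_property(text, IDLE_KEY, str(seconds))
    path.write_text(updated, encoding="utf-8")
    return updated


if __name__ == "__main__":
    # Constructed location; on a real host use the file in the AM classpath.
    target = Path("/tmp/bootstrapConfig.properties")
    target.write_text(SAMPLE, encoding="utf-8")
    print(set_idle_timeout(target, 300))
```

This only covers the file in the classpath; step 2 still has to be done in the admin UI, and step 3's restart is still required before the new timeout is used.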

After configuring the timeout for the stores, set the pool sizes assigned to the different stores in the AM admin UI, as described in the following sections.

Tune configuration store LDAP connections

To change LDAP configuration store settings, go to Deployment > Servers > Server Name > Directory Configuration.

LDAP configuration store settings

Minimum Connection Pool
    Default value: 1
    Property: minConnectionPool

Maximum Connection Pool
    Default value: 10
    Details: The default value of 10 is suitable for most cases; tuning this setting does not affect operational performance, only system startup.
    Property: maxConnectionPool

Tune CTS store LDAP connections

You can increase the number of connections used for connecting to the CTS to increase throughput.

The default maximum number of connections to the CTS is 100.

To change the default, go to Deployment > Servers > Server Name > CTS > CTS Token Store, and set the Max Connections property.

You may need to click the Inherit value property to unlock the value for editing.

You can also edit the Max Connections default setting globally under Configure > Server Defaults > CTS > CTS Token Store tab.

If you need to change the default CTS connection timeout, go to Deployment > Servers > Server Name > Advanced and set the org.forgerock.services.datalayer.connection.timeout.cts.async property.

Most CTS requests to the directory server are handled quickly, so the default timeout of 10 seconds is suitable in most cases.

You must restart AM or the container in which it runs for these changes to take effect.

Tune external policy and applications store LDAP connections

To change external policy and application data store settings, go to Configure > Global Services > External Data Stores > Secondary Configurations > Store Name.

Policy and application data is stored in the configuration data store if not configured separately. To manage the configuration store connection pool, refer to Tune configuration store LDAP connections.

LDAP policy and application store settings

Minimum Connection Pool Size
    Default value: 1
    Information: Must be less than the maximum size to allow reaping to function.
    Property: minimumConnectionPool

Maximum Connection Pool Size
    Default value: 10
    Property: maximumConnectionPool

Tune identity store LDAP connections

To change LDAP data store settings, go to Realms > Realm Name > Identity Stores > Identity Store Name. Each store has its own connection pool, so each store needs its own tuning:

LDAP identity store settings

LDAP Connection Pool Minimum Size
    Default value: 1
    Details: A good tuning value for this property is 10.
    Property: sun-idrepo-ldapv3-config-connection_pool_min_size

LDAP Connection Pool Maximum Size
    Default value: 10
    Details: The maximum LDAP connection pool size. A high tuning value for this property is 65, though you may well be able to reduce this for your deployment. Ensure your LDAP server can cope with the maximum number of clients across all the AM servers.
    Property: sun-idrepo-ldapv3-config-connection_pool_max_size

Tune UMA store LDAP connections

To increase the number of connections used for UMA-related data stores, go to Deployment > Servers > Server Name > UMA > UMA Store Type, and edit the Max Connections property.

You may need to click the Inherit value property to unlock the value for editing.

You can also edit the Max Connections default settings globally under Configure > Server Defaults > UMA > UMA Store Type.

LDAP UMA store settings

UMA Resource Store > Max Connections
    Default value: 10
    Property: org.forgerock.services.resourcesets.store.max.connections

UMA Audit Store > Max Connections
    Default value: 10
    Property: org.forgerock.services.umaaudit.store.max.connections

Pending Requests Store > Max Connections
    Default value: 10
    Property: org.forgerock.services.pendingrequests.store.max.connections

UMA Resource Labels Store > Max Connections
    Default value: 2
    Property: org.forgerock.services.uma.labels.store.max.connections

Tune authentication node/module LDAP connections

To change connection pool settings for the LDAP Decision node and LDAP Authentication Module, go to Configure > Authentication > Core Attributes > Global Attributes.

LDAP authentication node/module settings

Default LDAP Connection Pool Size
    Default value: 1:10
    Details: The minimum and maximum LDAP connection pool sizes used by the LDAP authentication node/module, separated by a colon (:) character. Use 10:65 for production AM instances.
    Property: iplanet-am-auth-ldap-connection-pool-default-size
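The identity store section above warns that the LDAP server must cope with the maximum number of clients across all the AM servers, and the 10:65 production value for the authentication node adds a second pool per AM server against the same directory. The sizing check below is an added example, not PingAM code: it sums every AM server's maximum pool sizes for the stores pointing at one directory and reports both the evenly balanced load and the load a single surviving directory server takes once the others have failed, since AM may open any connection to any available server. The per-store maximums are the recommended values from this page; the instance names, server names and the directory's client limit are constructed.

```python
"""Sizing check for the pool maximums on this page. Added example, not PingAM
code. Store maximums use the production values from the page; instance
names, directory server names and the client limit are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class AmInstance:
    name: str
    # Maximum pool size of each AM store that points at the directory in question.
    store_max: Dict[str, int]


def total_max_connections(instances: List[AmInstance]) -> int:
    """Upper bound on connections the AM servers can hold open at once."""
    return sum(sum(i.store_max.values()) for i in instances)


def per_server_load(instances: List[AmInstance],
                    directory_servers: List[str]) -> Tuple[int, int]:
    """Return (evenly balanced load, single-survivor load) per directory server."""
    total = total_max_connections(instances)
    balanced = -(-total // len(directory_servers))  # ceiling division
    failover = total  # every pool reconnects to the last server still up
    return balanced, failover


def capacity_ok(instances: List[AmInstance], directory_servers: List[str],
                max_clients_per_server: int) -> bool:
    """True only if one surviving server can still accept every connection."""
    _, failover = per_server_load(instances, directory_servers)
    return failover <= max_clients_per_server


# Constructed deployment: three AM servers, each with the identity store pool
# maximum of 65 and the LDAP authentication node pool maximum of 65 that this
# page recommends for production.
INSTANCES = [
    AmInstance(f"am{i}", {"identity_store": 65, "ldap_auth_node": 65})
    for i in (1, 2, 3)
]
DIRECTORY_SERVERS = ["ds1.example.com", "ds2.example.com"]

if __name__ == "__main__":
    print(per_server_load(INSTANCES, DIRECTORY_SERVERS))
    print(capacity_ok(INSTANCES, DIRECTORY_SERVERS, max_clients_per_server=500))
```

Sizing against the balanced figure alone leaves the deployment one directory outage away from connection refusals; the failover figure is the one to compare with the directory server's client limit.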