--- title: Tune JVM settings description: This section gives some initial guidance on configuring the JVM for running AM when the deployment has a dedicated CTS token store, and AM is configured to use server-side sessions. component: pingam version: 8.1 page_id: pingam:maintenance:tuning-jvm-for-openam canonical_url: https://docs.pingidentity.com/pingam/8.1/maintenance/tuning-jvm-for-openam.html page_aliases: ["maintenance-guide:tuning-jvm-for-openam.adoc"] --- # Tune JVM settings This section gives some initial guidance on configuring the JVM for running AM when the deployment has a dedicated CTS token store, and AM is configured to use server-side sessions. These settings provide a strong foundation to the JVM before a more detailed garbage collection tuning exercise, or as best practice configuration for production: **Heap size settings** | JVM parameters | Suggested value | Description | | -------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `-Xms` & `-Xmx` | At least 1 GB. In production environments, at least 2 to 3 GB. This setting depends on the available physical memory and whether a 32- or 64-bit JVM is used. | | | `-XX:MetaspaceSize` & `-XX:MaxMetaspaceSize` | Set both to 256 MB Metadata space (Metaspace) is a dedicated region within Native Memory. It can grow automatically if you don't set a maximum size. The ideal Metaspace size depends on your deployment and the number of scripts you're running. 256 MB is considered a safe value for production deployments, but you might need to tweak this for your specific deployment. | Controls the size of the metaspace in the JVM. | | `-Dsun.net.client.defaultReadTimeout` | 60000 | Controls the read timeout in the Java HTTP client implementation.This applies only to the Sun/Oracle HotSpot JVM. | | `-Dsun.net.client.defaultConnectTimeout` | High setting: 30000 (30 seconds) | Controls the connect timeout in the Java HTTP client implementation.When you have hundreds of incoming requests per second, reduce this value to avoid a huge connection queue.This applies only to the Sun/Oracle HotSpot JVM. | **Security settings** | JVM parameters | Suggested value | Description | | ----------------------------------------------------- | --------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | `-Dhttps.protocols` | `TLSv1.2` | Controls the protocols used for outbound HTTPS connections from AM.Specify one or more of the following values, separated by commas:- TLSv1.2 - TLSv1.3This setting applies only to Sun/Oracle Java environments. | | `-Dorg.forgerock.openam.ldap.secure.protocol.version` | `TLSv1.2` | Controls the protocol AM uses to connect to affected external resources.Specify one or more of the following values, separated by commas:- TLSv1.2 - TLSv1.3This setting overrides the default server value. Learn more in [advanced properties](../setup/deployment-configuration-reference.html#org.forgerock.openam.ldap.secure.protocol.version). | **Garbage collection settings** | JVM parameters | Suggested value | Description | | --------------------------------- | ---------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------- | | `-verbose:gc` | | Verbose garbage collection reporting. | | `-Xlog:gc*` | `-Xlog:gc=info:file=$CATALINA_HOME/logs/gc-info.log` | Logs detailed information about garbage collection. When using the `-Xlog:gc` option, you can also specify the level, and output file. | | `-XX:+HeapDumpOnOutOfMemoryError` | | Out of Memory errors generate a heap dump automatically. | | `-XX:HeapDumpPath` | `$CATALINA_HOME/logs/heapdump.hprof` | Location of the heap dump. | | `-XX:+PrintClassHistogram` | | Prints a heap histogram when the JVM receives a SIGTERM signal. | **Other settings** | JVM parameters | Description | | ---------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `--add-opens java.xml/com.sun.org.apache.xerces.internal.dom=ALL-UNNAMED` | When running AM, SAML Artifact flows, WS-Federation flows and any flows that use Xerces SOAP libraries can fail with the following error:`Caused by: java.lang.IllegalAccessError: superclass access check failed: class com.sun.xml.messaging.saaj.soap.SOAPDocumentImpl (in unnamed module @0x774ca796) cannot access class com.sun.org.apache.xerces.internal.dom.DocumentImpl (in module java.xml) because module java.xml does not export com.sun.org.apache.xerces.internal.dom to unnamed module @0x774ca796`Set these JVM parameters to avoid this error. | | `--add-exports java.xml/com.sun.org.apache.xerces.internal.jaxp=ALL-UNNAMED` | | | `--add-exports java.xml/com.sun.org.apache.xerces.internal.util=ALL-UNNAMED` | |