Monitoring the SCIM servlet extension
The SCIM SDK provides a command-line tool, scim-query-rate, that measures the SCIM query performance for your extension.
The SCIM extension also exposes monitoring information for each SCIM resource, such as the number of successful operations per request, the number of failed operations per request, the number of operations with XML or JSON to and from the client. Finally, the server automatically logs SCIM-initiated LDAP operations to the default File-based Access Logger. These operations will have an origin='scim' attribute to distinguish them from operations initiated by LDAP clients. You can also create custom logger or request criteria objects that can track incoming HTTP requests, which the SCIM extension rewrites as internal LDAP operations.
Testing SCIM query performance
You can use the scim-query-rate tool, provided in the SCIM SDK, to test query performance by performing repeated resource queries against the SCIM server.
The scim-query-rate tool performs searches using a query filter or can request resources by ID. For example, you can test performance by using a filter to query randomly across a set of one million users with eight concurrent threads. The user resources returned to the client in this example are in XML format and include the userName and name attributes.
scim-query-rate --hostname server.example.com --port 80 \
--authID admin --authPassword password --xml \
--filter 'userName eq "user.[1-1000000]"' --attribute userName \
--attribute name --numThreads 8
You can request resources by specifying a resource ID pattern using the --resourceID argument as follows:
scim-query-rate --hostname server.example.com --port 443 \
--authID admin --authPassword password --useSSL --trustAll \
--resourceName User \
--resourceID 'uid=user.[1-150000],ou=people,dc=example,dc=com'
The scim-query-rate tool reports the error "java.net.SocketException: Too many open files" if the open file limit is too low. You can increase the open file limit to increase the number of file descriptors.
Monitoring resources using the SCIM extension
The monitor provider exposes the following information for each resource:
- Number of successful operations per request type (such as GET, PUT, and POST).
- Number of failed operations and their error codes per request type.
- Number of operations with XML or JSON from client.
- Number of operations that sent XML or JSON to client.
In addition to the information about the user-defined resources, monitoring information is also generated for the schema, service provider configuration, and monitor resources. The attributes of the monitor entry are formatted as follows:
{resource name}-resource-{request type}-{successful or error status code}
You can search for one of these monitor providers using an ldapsearch such as the following:
$ bin/ldapsearch --port 1389 --bindDN uid=admin,dc=example,dc=com \
--bindPassword password --baseDN cn=monitor \
--searchScope sub "(objectclass=scim-servlet-monitor-entry)"
For example, the following monitor output was produced by a test environment with three distinct SCIM servlet instances, Aleph, Beth, and Gimel. Note that the first instance has a custom resource type called host.
$ bin/ldapsearch --baseDN cn=monitor \
'(objectClass=scim-servlet-monitor-entry)'
dn: cn=SCIM Servlet (SCIM HTTP Connection Handler),cn=monitor
objectClass: top
objectClass: ds-monitor-entry
objectClass: scim-servlet-monitor-entry
objectClass: extensibleObject
cn: SCIM Servlet (SCIM HTTPS Connection Handler) [from
ThirdPartyHTTPServletExtension:SCIM (Aleph)]
ds-extension-monitor-name: SCIM Servlet (SCIM HTTPS Connection Handler)
ds-extension-type: ThirdPartyHTTPServletExtension
ds-extension-name: SCIM (Aleph)
version: 1.2.0
build: 20120105174457Z
revision: 820
schema-resource-query-successful: 8
schema-resource-query-401: 8
schema-resource-query-response-json: 16
user-resource-delete-successful: 1
user-resource-put-content-xml: 27
user-resource-query-response-json: 3229836
user-resource-put-403: 5
user-resource-put-content-json: 2
user-resource-get-401: 1
user-resource-put-response-json: 23
user-resource-get-response-json: 5
user-resource-get-response-xml: 7
user-resource-put-400: 2
user-resource-query-401: 1141028
user-resource-post-content-json: 1
user-resource-put-successful: 22
user-resource-post-successful: 1
user-resource-delete-404: 1
user-resource-query-successful: 2088808
user-resource-get-successful: 10
user-resource-put-response-xml: 6
user-resource-get-404: 1
user-resource-delete-401: 1
user-resource-post-response-json: 1
host-resource-query-successful: 5773268
host-resource-query-response-json: 11576313
host-resource-query-400: 3
host-resource-query-response-xml: 5
host-resource-query-401: 5788152
dn: cn=SCIM Servlet (SCIM HTTP Connection Handler),cn=monitor
objectClass: top
objectClass: ds-monitor-entry
objectClass: scim-servlet-monitor-entry
objectClass: extensibleObject
cn: SCIM Servlet (SCIM HTTPS Connection Handler) [from
ThirdPartyHTTPServletExtension:SCIM (Beth)]
ds-extension-monitor-name: SCIM Servlet (SCIM HTTPS Connection
Handler)
ds-extension-type: ThirdPartyHTTPServletExtension
ds-extension-name: SCIM (Beth)
version: 1.2.0
build: 20120105174457Z
revision: 820
serviceproviderconfig-resource-get-successful: 3
serviceproviderconfig-resource-get-response-json: 2
serviceproviderconfig-resource-get-response-xml: 1
schema-resource-query-successful: 8
schema-resource-query-401: 8
schema-resource-query-response-json: 16
group-resource-query-successful: 245214
group-resource-query-response-json: 517841
group-resource-query-400: 13711
group-resource-query-401: 258916
user-resource-query-response-json: 107876
user-resource-query-400: 8288
user-resource-get-400: 33
user-resource-get-response-json: 1041
user-resource-get-successful: 2011
user-resource-query-successful: 45650
user-resource-get-response-xml: 1003
user-resource-query-401: 53938
dn: cn=SCIM Servlet (SCIM HTTP Connection Handler),cn=monitor
objectClass: top
objectClass: ds-monitor-entry
objectClass: scim-servlet-monitor-entry
objectClass: extensibleObject
cn: SCIM Servlet (SCIM HTTPS Connection Handler) [from
ThirdPartyHTTPServletExtension:SCIM (Gimel)]
ds-extension-monitor-name: SCIM Servlet (SCIM HTTPS Connection
Handler)
ds-extension-type: ThirdPartyHTTPServletExtension
ds-extension-name: SCIM (Gimel)
version: 1.2.0
build: 20120105174457Z
revision: 820
schema-resource-query-successful: 1
schema-resource-query-401: 1
schema-resource-query-response-json: 2
user-resource-query-successful: 65
user-resource-get-successful: 4
user-resource-get-response-json: 6
user-resource-query-response-json: 132
user-resource-get-404: 2
user-resource-query-401: 67
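The counter naming scheme makes it straightforward to turn this output into per-instance ratios of denied requests. The following Python sketch is an added example, not part of the SCIM SDK or the original page; the function names and the choice to treat 401 and 403 as "denied" are assumptions, and the sample input is an excerpt of the output above.

```python
import re
from collections import defaultdict

# Layout: {resource name}-resource-{request type}-{successful or error status code}
# Content-type counters such as user-resource-put-response-json do not match.
COUNTER = re.compile(r"^([a-z]+)-resource-([a-z]+)-(successful|\d{3}): (\d+)$")

# Excerpt of the sample monitor output above (Aleph and Gimel instances).
SAMPLE = """\
dn: cn=SCIM Servlet (SCIM HTTP Connection Handler),cn=monitor
ds-extension-name: SCIM (Aleph)
user-resource-put-403: 5
user-resource-put-400: 2
user-resource-put-successful: 22
user-resource-put-response-json: 23
user-resource-query-401: 1141028
user-resource-query-successful: 2088808
dn: cn=SCIM Servlet (SCIM HTTP Connection Handler),cn=monitor
ds-extension-name: SCIM (Gimel)
user-resource-query-successful: 65
user-resource-query-401: 67
"""

def parse_monitor(ldif):
    """Return {instance: {(resource, request type): {outcome: count}}}."""
    stats = defaultdict(lambda: defaultdict(dict))
    instance = None
    for line in ldif.splitlines():
        line = line.strip()
        if line.startswith("dn:"):
            instance = None  # a new monitor entry starts; wait for its name
        elif line.startswith("ds-extension-name: "):
            instance = line.split(": ", 1)[1]
        elif instance and (m := COUNTER.match(line)):
            resource, request, outcome, count = m.groups()
            stats[instance][(resource, request)][outcome] = int(count)
    return stats

def denied_ratios(stats, denied=("401", "403")):
    """Share of each instance/resource/request total answered with a denied code."""
    ratios = {}
    for instance, operations in stats.items():
        for key, outcomes in operations.items():
            total = sum(outcomes.values())  # successful plus every error code
            refused = sum(outcomes.get(code, 0) for code in denied)
            ratios[(instance, *key)] = refused / total if total else 0.0
    return ratios

if __name__ == "__main__":
    print(denied_ratios(parse_monitor(SAMPLE)))
```

Compare each ratio against that instance's own baseline rather than a fixed value: clients that send credentials only after a 401 challenge produce a steady ratio near 0.5, so a change over time is the useful signal.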
About the HTTP log publishers
HTTP operations can be logged using either a Common Log File HTTP Operation Log Publisher or a Detailed HTTP Operation Log Publisher. The Common Log File HTTP Operation Log Publisher is a built-in log publisher that records HTTP operation information to a file using the W3C common log format. Because the W3C common log format is used, logs produced by this log publisher can be parsed by many existing web analysis tools.
Log messages are formatted as follows:
- IP address of the client.
- RFC 1413 identification protocol. The Ident Protocol is used to format information about the client.
- The user ID provided by the client in an Authorization header, which is typically available server-side in the REMOTE_USER environment variable. A dash appears in this field if this information is not available.
- A timestamp, formatted as "'['dd/MM/yyyy:HH:mm:ss Z']'"
- Request information, with the HTTP method followed by the request path and HTTP protocol version.
- The HTTP status code value.
- The content size of the response body in bytes. This number does not include the size of the response headers.
The HTTP Detailed Access Log Publisher provides more information than the common log format in a format that is familiar to administrators who use the File-Based Access Log Publisher.
The HTTP Detailed Access Log Publisher generates log messages such as the following. The lines have been wrapped for readability.
[15/Feb/2012:21:17:04 -0600] RESULT requestID=10834128
from="10.2.1.114:57555" method="PUT"
url="https://10.2.1.129:443/Aleph/Users/6272c691-38c6-012f-d227-0dfae261c79e"
authorizationType="Basic" requestContentType="application/json"
statusCode=200 etime=3.544 responseContentLength=1063
redirectURI="https://server1.example.com:443/Aleph/Users/6272c691-38c6-012f-d227-0dfae261c79e"
responseContentType="application/json"
In this example, only default log publisher properties are used. Though this message is for a RESULT, it contains information about the request, such as the client address, the request method, the request URL, the authentication method used, and the Content-Type requested. For the response, it includes the response length, the redirect URI, the Content-Type, and the HTTP status code.
You can modify the information logged, including adding request parameters, cookies, and specific request and response headers. For more information, see the dsconfig command-line tool help.
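The key=value layout of the detailed log message shown above can be parsed and screened for two conditions worth triaging: Basic credentials sent to a non-HTTPS URL, and denied requests. This Python sketch is an added example, not code from the product; the finding labels and function names are hypothetical, and the second log line is constructed for illustration using only the field names shown in the page's message.

```python
import re
from urllib.parse import urlsplit

RECORD = re.compile(r"^\[([^\]]+)\] (\w+) (.*)$")   # [timestamp] TYPE fields
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')     # key="quoted" or key=bare

LINES = [
    # Message shown on the page, with the readability wrapping removed.
    '[15/Feb/2012:21:17:04 -0600] RESULT requestID=10834128 '
    'from="10.2.1.114:57555" method="PUT" '
    'url="https://10.2.1.129:443/Aleph/Users/6272c691-38c6-012f-d227-0dfae261c79e" '
    'authorizationType="Basic" requestContentType="application/json" '
    'statusCode=200 etime=3.544 responseContentLength=1063 '
    'redirectURI="https://server1.example.com:443/Aleph/Users/'
    '6272c691-38c6-012f-d227-0dfae261c79e" '
    'responseContentType="application/json"',
    # Constructed for this example: rejected Basic credentials sent over HTTP.
    '[15/Feb/2012:21:17:09 -0600] RESULT requestID=10834129 '
    'from="10.2.1.114:57556" method="GET" url="http://10.2.1.129:80/Aleph/Users" '
    'authorizationType="Basic" statusCode=401 etime=0.912 responseContentLength=0',
]

def parse_line(line):
    """Split one detailed-log message into a dict of its fields, or None."""
    m = RECORD.match(line.strip())
    if not m:
        return None
    fields = {"timestamp": m[1], "messageType": m[2]}
    for key, quoted, bare in FIELD.findall(m[3]):
        fields[key] = quoted or bare
    return fields

def review(fields):
    """Return hypothetical finding labels for one parsed message."""
    findings = []
    scheme = urlsplit(fields.get("url", "")).scheme
    if fields.get("authorizationType") == "Basic" and scheme != "https":
        findings.append("basic-auth-over-cleartext")
    if fields.get("statusCode") in ("401", "403"):
        findings.append("access-denied")
    return findings

if __name__ == "__main__":
    for line in LINES:
        fields = parse_line(line)
        print(fields["requestID"], fields["statusCode"], review(fields))
```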