This section provides details of the parameters that were tuned during the performance test to optimize system performance. You must configure these parameters based on your environment.
It is recommended to test these parameters in the staging environment before running in the production environment.
NOTE: For additional performance tuning information, see Performance Tuning in the NetIQ Access Manager 5.0 Best Practices Guide.
This parameter enables Identity Server to handle more threads simultaneously to improve the performance. The thread number must be fine-tuned for every customer environment based on the number of attributes attached to a user session. When each user session holds a large number of attributes, each user session requires more heap memory. The available stack memory reduces as a result. If the number of threads configured in this scenario is high, Tomcat tries to spawn more threads and fails due to non-availability of the stack memory. You must fine-tune the number of threads based on the attribute usage.
In Identity Server’s server.xml file, set the value of maxThreads to 1000 for 8443 as follows:
<Connector NIDP_Name="connector" SSLEnabled="true" URIEncoding="utf-8" acceptCount="100" address="x.x.x.x" ciphers="XX, XX ,XX, XX" clientAuth="false" disableUploadTimeout="true" enableLookups="false" keystoreFile="/opt/novell/devman/jcc/certs/idp/connector.keystore" keystorePass="p2SnTyZPHn9qe66" maxThreads="1000" minSpareThreads="5" port="8443" scheme="https" secure="true" sslImplementationName="com.novell.nidp.common.util.net.server.NIDPSSLImplementation" sslProtocol="TLS"/>
For information about how to modify a file, see Modifying Configurations in the NetIQ Access Manager 5.0 Administration Guide.
NOTE: For Access Manager Appliance, the port number is 2443.
The Tomcat configuration file controls the amount of memory that Tomcat can allocate for Java.
If you have installed Identity Server on a machine with the minimum 4 GB of memory, you can modify the tomcat.conf file to improve performance under heavy load as follows:
In Identity Server’s tomcat.conf, set the following parameters:
Set the Xms and Xmx values to 2048: JAVA_OPTS="-server -Xms2048m -Xmx2048m -Xss256k"
This enables the Tomcat process to come up with 2 GB pre-allocated memory. If your Identity Server machine has more than 4 GB memory, the recommendation is to allocate 50% to 75% of the memory to Identity Server Tomcat. This needs to be fine-tuned based on each customer's environment.
Set Identity Server Tomcat to 12288 for both Xms and Xmx.
Change the -Dnids.freemem.threshold value from 0 to a value between 5 and 15. This parameter prevents user sessions from consuming all memory and ensures that free memory is available for other internal Java processes to run. When this threshold is reached, the user receives a 503 server busy message and a threshold error message is logged to the catalina.out file.
JAVA_OPTS="${JAVA_OPTS} -Dnids.freemem.threshold=10"
For information about how to modify a file, see Modifying Configurations in the NetIQ Access Manager 5.0 Administration Guide.
In Identity Server’s web.xml, set ldapLoadThreshold to 600.
<context-param> <param-name>ldapLoadThreshold</param-name> <param-value>600</param-value> </context-param>
This enables Identity Server to make up to 600 connections to the LDAP user store.
You can configure the following settings to optimize the performance:
In Access Gateway’s server.xml, set maxThreads="1000" for the port 9009 connector.
For information about how to modify a file, see Modifying Configurations in the NetIQ Access Manager 5.0 Administration Guide.
This parameter enables Access Gateway Appliance ESP to handle more threads simultaneously to improve the performance. The thread number needs to be fine-tuned for every customer environment based on the number of attributes attached to a user session. When each user session holds a large number of attributes, each user session needs more heap memory. The available stack memory reduces as a result. If the number of threads configured in this scenario is high, Tomcat tries to spawn more threads and fails due to non-availability of the stack memory. You need to fine-tune the number of threads based on the attribute usage.
The Tomcat configuration file controls the amount of memory that Tomcat can allocate for Java.
If you have installed Access Gateway on a machine with the minimum 4 GB of memory, you can modify the tomcat.conf file to improve performance under heavy load as follows:
In Access Gateway’s tomcat.conf, set the values of Xms and Xmx to 2048: JAVA_OPTS="-server -Xms2048m -Xmx2048m -Xss256k"
This enables the Tomcat process to come up with 2 GB pre-allocated memory.
For information about how to modify a file, see Modifying Configurations in the NetIQ Access Manager 5.0 Administration Guide.
If the Access Gateway Appliance machine has more than 4 GB memory, the recommendation is to allocate 50% to 75% of the memory to ESP Tomcat. This needs to be fine-tuned based on each customer environment.
Set Xms and Xmx to 12288 for ESP Tomcat.
Change the -Dnids.freemem.threshold value from 0 to a value between 5 and 15. This parameter prevents user sessions from using up all memory and ensures that free memory is available for other internal Java processes to function. When this threshold is reached, the user receives a 503 server busy message and a threshold error message is logged to the catalina.out file.
JAVA_OPTS="${JAVA_OPTS} -Dnids.freemem.threshold=10"
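The following check covers the tomcat.conf settings described for both Identity Server and Access Gateway: equal Xms and Xmx, a heap of 50% to 75% of machine memory, and a free-memory threshold between 5 and 15. It is an added example, not part of the NetIQ documentation; the function name, the sample text, and the assumption that heap sizes use the m suffix are constructed here. It also flags typographic dashes and quotes, which can slip into JAVA_OPTS when options are copied from formatted documents.

```python
import re

# Constructed sample: tomcat.conf lines using the values from this page.
SAMPLE = (
    'JAVA_OPTS="-server -Xms2048m -Xmx2048m -Xss256k"\n'
    'JAVA_OPTS="${JAVA_OPTS} -Dnids.freemem.threshold=10"\n'
)
# Dashes and quotes that word processors substitute for ASCII '-' and '"'.
TYPOGRAPHIC = "\u2013\u2014\u201c\u201d\u2018\u2019"


def check_java_opts(conf_text, ram_mb):
    """Return a list of findings for the JAVA_OPTS lines of a tomcat.conf."""
    findings = []
    opts = " ".join(line.strip() for line in conf_text.splitlines()
                    if line.strip().startswith("JAVA_OPTS="))
    odd = sorted({c for c in opts if c in TYPOGRAPHIC})
    if odd:
        findings.append("non-ASCII punctuation: "
                        + ", ".join("U+%04X" % ord(c) for c in odd))

    # Assumption: heap sizes are written in megabytes (suffix m), as on the page.
    heap = {k: int(v) for k, v in re.findall(r"-(Xms|Xmx)(\d+)m\b", opts)}
    if set(heap) != {"Xms", "Xmx"}:
        findings.append("Xms/Xmx not both set in megabytes")
    elif heap["Xms"] != heap["Xmx"]:
        findings.append("Xms and Xmx differ")
    elif not 0.50 * ram_mb <= heap["Xmx"] <= 0.75 * ram_mb:
        findings.append("heap %d MB is outside 50-75%% of %d MB RAM"
                        % (heap["Xmx"], ram_mb))

    m = re.search(r"-Dnids\.freemem\.threshold=(\d+)", opts)
    threshold = int(m.group(1)) if m else 0
    if threshold == 0:
        findings.append("nids.freemem.threshold is 0 or unset")
    elif not 5 <= threshold <= 15:
        findings.append("nids.freemem.threshold %d is outside 5-15" % threshold)
    return findings


if __name__ == "__main__":
    for finding in check_java_opts(SAMPLE, ram_mb=4096) or ["no findings"]:
        print(finding)
```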
Add the following advanced option:
NAGGlobalOptions ESP_Busy_Threshold=5000
In httpd-mpm.conf, mpm_worker_module is configured by default with the following settings:
<IfModule mpm_worker_module>
    ThreadLimit 300
    StartServers 3
    MaxClients 3000
    MinSpareThreads 3000
    MaxSpareThreads 3000
    ThreadsPerChild 300
    ServerLimit 10
    MaxRequestsPerChild 0
</IfModule>
This configuration is for the Appliance machine with the minimum 4 GB memory. If the Appliance machine has more than 6 GB memory, set mpm_worker_module to match the following configuration.
For information about how to modify a file, see Modifying Configurations in the NetIQ Access Manager 5.0 Administration Guide.
The performance tests are conducted with the following configuration when the Appliance machine has 16 GB memory available:
<IfModule mpm_worker_module>
    ThreadLimit 1000
    StartServers 9
    ServerLimit 10
    MaxClients 9000
    MinSpareThreads 9000
    MaxSpareThreads 9000
    ThreadsPerChild 1000
    MaxRequestsPerChild 0
</IfModule>
If the available memory is less or more, you must fine-tune each of these configurations based on your environment.
From Access Manager 4.4 onward, Access Gateway supports web socket applications. The scalability of Access Gateway for web socket connections depends on the Access Gateway hardware configuration along with proper system and Access Gateway tuning.
Consider the following tuning for web socket scalability:
In large-scale Web-Socket deployments, Access Gateway may run out of open file descriptors after reaching the default maximum. It is recommended to configure a higher number of open file descriptors in such cases. To find the maximum number of open files for a process, run the following command on the Linux server:
ulimit -n
Access Gateway requires independent threads to handle individual Web-Socket requests. The Apache httpd-mpm.conf file must be tuned based on the web socket traffic that is expected on the Access Gateway server. For example, using the following configuration, you can scale 30K Web-Socket connections on an Access Gateway node:
Hardware: 4 CPU, 16 GB Memory
Ulimit setting: ulimit -n 8192
Edit the following setting in httpd-mpm.conf:
<IfModule mpm_worker_module>
    ThreadLimit 3000
    StartServers 9
    ServerLimit 10
    MaxClients 30000
    MinSpareThreads 9000
    MaxSpareThreads 9000
    ThreadsPerChild 3000
    MaxRequestsPerChild 0
</IfModule>
For information about how to modify a file, see Modifying Configurations in the NetIQ Access Manager 5.0 Administration Guide.
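The worker MPM directives shown above constrain each other and the per-process descriptor limit reported by ulimit -n. The following consistency check is an added example, not part of the NetIQ documentation; the function names are constructed here, and the figure of two descriptors per connection (one client socket, one back-end socket) is an assumption.

```python
import re

# The page's WebSocket example (30K connections, ulimit -n 8192), on one line.
PAGE_EXAMPLE = ("<IfModule mpm_worker_module> ThreadLimit 3000 StartServers 9 "
                "ServerLimit 10 MaxClients 30000 MinSpareThreads 9000 "
                "MaxSpareThreads 9000 ThreadsPerChild 3000 "
                "MaxRequestsPerChild 0 </IfModule>")
REQUIRED = {"ThreadLimit", "ServerLimit", "MaxClients", "MinSpareThreads",
            "MaxSpareThreads", "ThreadsPerChild"}


def parse_worker(conf_text):
    """Extract the numeric directives of the mpm_worker_module block."""
    block = re.search(r"<IfModule\s+mpm_worker_module>(.*?)</IfModule>",
                      conf_text, re.S)
    if block is None:
        raise ValueError("no mpm_worker_module block found")
    d = {k: int(v) for k, v in re.findall(r"([A-Za-z]+)\s+(\d+)", block.group(1))}
    missing = sorted(REQUIRED - d.keys())
    if missing:
        raise ValueError("missing directives: " + ", ".join(missing))
    return d


def check_worker(conf_text, nofile_limit, fds_per_conn=2):
    """Return findings for the worker MPM settings against `ulimit -n`.

    fds_per_conn=2 is an assumption: one client socket plus one back-end
    socket for each proxied connection handled by a thread.
    """
    d = parse_worker(conf_text)
    findings = []
    if d["ThreadsPerChild"] > d["ThreadLimit"]:
        findings.append("ThreadsPerChild exceeds ThreadLimit")
    capacity = d["ServerLimit"] * d["ThreadsPerChild"]
    if d["MaxClients"] > capacity:
        findings.append("MaxClients %d exceeds ServerLimit x ThreadsPerChild = %d"
                        % (d["MaxClients"], capacity))
    if d["MinSpareThreads"] > d["MaxSpareThreads"]:
        findings.append("MinSpareThreads exceeds MaxSpareThreads")
    needed = d["ThreadsPerChild"] * fds_per_conn
    if needed > nofile_limit:
        findings.append("one child may need %d descriptors, limit is %d"
                        % (needed, nofile_limit))
    return findings
```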