IBM Security Identity Manager Performance Tuning
Performance tuning
LDAP
- Schedule runstats to run weekly at 1:05am on Sundays. Entries in /etc/cron.d need a user field after the schedule (root here):
echo "5 1 * * 7 root /opt/ibm/ldap/V6.4/sbin/idsrunstats -I isimldap" > /etc/cron.d/ldaprunstats
Run on both LDAPs.
- Increase LDAP cache sizes:
ibm-slapdACLCacheSize 100
ibm-slapdEntryCacheSize 100000 # max_users * (average_accounts + 1), bound by memory size
ibm-slapdFilterCacheSize 100
idsrunstats.cmd -I ldapinstance
- Other items you'd want to do:
- Clean empty/unused OUs per analysis from the codeextractor.py
- Analyze unused provisioning policies, old workflows, etc., and remove obsolete entries
- Clean the LDAP recycle bin. If enrole.recyclebin.enable in enRole.properties is set to false, the LDAP recycle bin might contain deleted entries after the upgrade. These entries were deleted in a previous version of Tivoli Identity Manager, and the IBM Security Identity Manager user interface might return them when searching for entries. If this problem exists, either delete all the entries from the recycle bin in the LDAP server or set this property to true.
WebSphere
- Disable WAS PMI for URI tracking
- In the WAS ISC, click Monitoring and Tuning > Performance Monitoring Infrastructure (PMI), then click the name of the server you want to manage.
- Select Custom and click the Custom link. Select Web Applications from the tree listing, then select URIConcurrentRequests, URIRequestCount and URIServiceTime.
- Click Disable at the top of the pane. Click Save to save the configuration.
- Repeat this procedure for each application server that runs IBM Security Identity Manager.
- Restart all application servers for the changes to take effect.
- Set proper WAS JVM heap sizes
- In the WAS ISC, open JVM configs:
- Expand the Servers list, select Application Servers, then select the application (or JMS) server to manage (see settings below).
- Expand the Java and Process Management list under the Server Infrastructure pane, then select Process Definition.
- Select Java Virtual Machine from the Additional Properties pane on the right. Set the Initial Heap Size and the Maximum Heap Size.
APP_SERVER_MIN_HEAP_SIZE=1024
APP_SERVER_MAX_HEAP_SIZE=4096
MSG_SERVER_MIN_HEAP_SIZE=512
MSG_SERVER_MAX_HEAP_SIZE=1024
Oracle DB
You must gather and update database statistics at regular intervals. Intervals can be one week to one month on a production IBM Security Identity Manager system, or after processing a large amount of data.
Oracle uses statistics to decide how to locate information for a query, which affects how fast it can return results. Generate statistics during off-peak times. Generating statistics can take from several minutes to several hours for a large database.
- Make sure Oracle has the DBMS_STATS package installed.
- Create a file named Oracle_dbms.stat_cmds.txt.
- Edit the file and insert the following text:
exec dbms_stats.gather_schema_stats(ownname => 'itimdb',cascade => true);
- Start sqlplus at a command prompt and connect to the database as the system user. In the SQL*Plus interface, run the following command:
@ Oracle_dbms.stat_cmds.txt
DB2 tuning for ISIM
echo 30 > /proc/sys/net/ipv4/tcp_keepalive_intvl
echo 30 > /proc/sys/net/ipv4/tcp_keepalive_time
/etc/init.d/network restart
db2 cli:
db2 connect to itds_dbname user itds_dbadmin_name using itds_dbadmin_password
db2 update db cfg for itimdb using logprimary 25
db2 update db cfg for itimdb using logsecond 200
db2 update db cfg for itimdb using logfilsiz 10000
db2 update db cfg for itimdb using locktimeout 1500
db2 disconnect current
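To confirm the itimdb settings above actually took effect, and to catch later drift, the output of db2 get db cfg can be compared against the targets. This is an added example, not part of the original notes or of IBM's tooling; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): report drift from the itimdb
# log and lock settings listed above.

TARGETS="LOGPRIMARY=25 LOGSECOND=200 LOGFILSIZ=10000 LOCKTIMEOUT=1500"

# sample_cfg: constructed excerpt in the layout `db2 get db cfg` prints.
sample_cfg() {
    cat <<'EOF'
 Log file size (4KB)                         (LOGFILSIZ) = 1000
 Number of primary log files                (LOGPRIMARY) = 25
 Number of secondary log files               (LOGSECOND) = 200
 Lock timeout (sec)                        (LOCKTIMEOUT) = -1
EOF
}

# cfg_value PARAM: read cfg text on stdin, print the value shown for PARAM.
cfg_value() {
    sed -n "s/^.*(${1}) = *\([^ ]*\).*/\1/p" | head -n 1
}

# check_cfg FILE: print one DRIFT line per parameter that differs from its
# target; return 0 when everything matches, 1 otherwise.
check_cfg() {
    rc=0
    for pair in $TARGETS; do
        name=${pair%%=*}
        want=${pair#*=}
        have=$(cfg_value "$name" < "$1")
        if [ "$have" != "$want" ]; then
            echo "DRIFT $name: have '${have:-missing}', want '$want'"
            rc=1
        fi
    done
    return $rc
}

# Demo on the constructed sample. On a real server, capture the input with:
#   db2 get db cfg for itimdb > cfg.txt
tmp=$(mktemp)
sample_cfg > "$tmp"
check_cfg "$tmp" || true
rm -f "$tmp"
```
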
IBM Security Identity Manager 6.0/7.0 Performance Tuning Guide
DB2 tuning for SDS
In the DB2 command window, enter these commands to tune the IBM Tivoli Directory Server database instance:
db2 connect to itds_dbname user itds_dbadmin_name using itds_dbadmin_password
db2 alter bufferpool IBMDEFAULTBP size computed
db2 alter bufferpool ldapbp size computed
db2 update db cfg for ldapdb using logsecond 200
db2 update db cfg for ldapdb using logfilsiz 10000
db2 update db cfg for ldapdb using database_memory 40000
db2 disconnect current
db2stop
db2start
If entering db2stop fails and the database remains active, enter db2 force application all to deactivate the database. Enter db2stop again.
Disable WAS PMI for URI tracking
- In the WAS ISC, click Monitoring and Tuning > Performance Monitoring Infrastructure (PMI), then click the name of the server you want to manage.
- Select Custom and click the Custom link. Select Web Applications from the tree listing, then select URIConcurrentRequests, URIRequestCount and URIServiceTime.
- Click Disable at the top of the pane. Click Save to save the configuration.
- Repeat this procedure for each application server that runs IBM Security Identity Manager.
- Restart all application servers for the changes to take effect.
Ensure proper WAS JVM heap sizes
In the WAS ISC, select JVM config and set initialHeapSize 1024 maximumHeapSize 4096
Increase JDBC Connection pools
bus_data_source_size - 30
bus_shared_data_source_size - 30
data_source_size - 75
Modify LDAP Cache sizes
ibm-slapdACLCacheSize 100
ibm-slapdEntryCacheSize 100000
ibm-slapdFilterCacheSize 100
Reduce TCP keepalive on the WAS servers
As root:
echo 30 > /proc/sys/net/ipv4/tcp_keepalive_intvl
/etc/init.d/network restart
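Values written under /proc/sys apply immediately but are lost at reboot unless they are also set in sysctl configuration. The check below is an added example, not part of the original notes: it reports whether the two keepalive keys these notes set to 30 are both active and persisted. It assumes a single sysctl file (default /etc/sysctl.conf) and does not scan /etc/sysctl.d; the function names are illustrative.

```shell
#!/bin/sh
# Added example (not from the original page): verify the keepalive values are
# active now and will survive a reboot. Both paths can be overridden so the
# check can be run against a scratch directory.

WANT=30
KEYS="tcp_keepalive_time tcp_keepalive_intvl"

# persisted_value KEY FILE: last uncommented "net.ipv4.KEY = N" in FILE.
persisted_value() {
    [ -r "$2" ] || return 0
    sed -n "s/^[[:space:]]*net\.ipv4\.${1}[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p" "$2" | tail -n 1
}

# check_keepalive [PROC_DIR] [SYSCTL_CONF]: print one line per gap found,
# return 0 when both keys are live and persisted at $WANT, 1 otherwise.
check_keepalive() {
    proc=${1:-/proc/sys/net/ipv4}
    conf=${2:-/etc/sysctl.conf}
    rc=0
    for key in $KEYS; do
        live=$(cat "$proc/$key" 2>/dev/null || true)
        saved=$(persisted_value "$key" "$conf")
        if [ "$live" != "$WANT" ]; then
            echo "$key: running value '${live:-unreadable}', want $WANT"
            rc=1
        fi
        if [ "$saved" != "$WANT" ]; then
            echo "$key: not persisted in $conf (found '${saved:-none}')"
            rc=1
        fi
    done
    return $rc
}

# Report on the local host; never abort the calling script on a finding.
check_keepalive || true
```
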
- Tune WebSphere Application Server parameters
- Disable PMI for URI requests and enable ISIM-specific PMI metrics
- From the left navigation pane, click Monitoring and Tuning > Performance Monitoring Infrastructure (PMI). Click the name of the server you want to manage.
- Select Custom and click the Custom link.
- Select Web Applications from the tree listing.
- Select URIConcurrentRequests, URIRequestCount and URIServiceTime.
- Click Disable at the top of the pane.
- Expand the IBM Security Identity Manager Module and select All.
- Click Enable.
- Click Save to save the configuration.
- Repeat this procedure for each application server that runs IBM Security Identity Manager.
- Restart all application servers for the changes to take effect.
- Change TCP keepalive
echo 30 > /proc/sys/net/ipv4/tcp_keepalive_intvl
DB2
- Tune itimdb DB performance and reindex all tables per the performance tuning manual
- Check that auto-resize is enabled
db2 get snapshot for tablespaces on itimdb
LDAP
- Tune LDAP and LDAP DB2 instance
- Clean the LDAP recycle bin
- If enrole.recyclebin.enable in enRole.properties is set to false, the LDAP recycle bin might contain deleted entries after the upgrade. These entries were deleted in a previous version of Tivoli Identity Manager, and the IBM Security Identity Manager user interface might return them when searching for entries. If this problem exists, either delete all the entries from the recycle bin in the LDAP server or set this property to true.