IBM Tivoli Identity Manager Version 4.
Copyright Notice Copyright IBM Corporation 2007. All rights reserved. May only be used pursuant to a Tivoli Systems Software License Agreement, an IBM Software License Agreement, or Addendum for Tivoli Products to IBM Customer or License Agreement.
Table of contents
    Table of contents
    About this guide
        Who should use this guide
    Introduction...
About this guide

This guide identifies some ways to tune your IBM® Tivoli Identity Manager™ system to improve performance.

Who should use this guide

Use this guide if you are responsible for installing or maintaining an IBM Tivoli Identity Manager system on z/OS. The following competencies are recommended:
• Familiarity with basic database and directory design principles.
• General knowledge of the z/OS environment.
1 Introduction

The IBM Tivoli Identity Manager product addresses the complex problem of identity management. Because of that complexity, it can be challenging to optimize the resources used by IBM Tivoli Identity Manager, that is, to tune it. This tuning guide provides a system administrator with the information needed to tune the application for your environment. Other individuals in your organization (such as IBM DB2 or LDAP Server administrators) might offer differing advice.
1.3.1 Memory

All middleware components allow you to adjust how much memory they will use. When calculating how to allocate memory to middleware components, keep these considerations in mind:
• Setting middleware memory so high that the total configured value exceeds the available physical memory causes the operating system to page memory out to disk. This results in extremely poor performance and should be avoided.
2 IBM WebSphere Application Server

Regardless of the installation type (single server or cluster), the IBM Tivoli Identity Manager server can be thought of as two components: WebSphere Application Server (the J2EE application server running the application) and the IBM Tivoli Identity Manager application itself. Both components need to be tuned. WebSphere Application Server provides a variety of settings for tuning your environment.
by other processes. When the WLM timeout is reached the thread is terminated, which in turn terminates the process. IBM Tivoli Identity Manager can initiate long-running IIOP requests during processes such as reconciliations. To allow long-running reconciliations to complete, we recommend disabling the WLM timeout. Note that with the timeout disabled, a request that genuinely hangs is no longer reclaimed by WLM, so long-running reconciliations should be monitored.

Determining the values
wlm_timeout – The time in seconds that IIOP requests wait on the queue before being terminated. Default value: 300. Recommended value: 0 (disabled).
Setting the values
1) Open the Administration Console.
2) Expand the Servers list in the navigation pane.
3) Select Application Servers in the navigation pane.
4) Select the server to manage.
5) Select Container Services.
6) Select Transaction Services.
7) Change Maximum Transaction Timeout to transaction_timeout.
8) Repeat this procedure for each IBM Tivoli Identity Manager server.
Stop and restart each Application Server for these changes to take effect.
3 IBM Tivoli Identity Manager application

The IBM Tivoli Identity Manager application includes several configuration files that provide an area for tuning various parts of the application's performance. These are in the data/ directory under the IBM Tivoli Identity Manager product home directory.
3.
Setting the values
Edit the enRole.properties file and update the value of enrole.reconciliation.threadcount to num_recon_threads.

3.2.2 Limiting attributes returned from the adapter

Some adapters (such as the adapter for Microsoft Active Directory) can limit the attributes that are returned to the IBM Tivoli Identity Manager server during reconciliations.
Determining the values
max_duration – The maximum time in minutes that the reconciliation should run. To calculate this value, do an initial run with a very large duration and measure the time required. Consider setting the maximum duration to 10% above this measured time. Default value: 600.

Setting the values
1) Log into IBM Tivoli Identity Manager as a user with sufficient privileges to edit the service.
2) Select the Provisioning tab.
3) Navigate to the service in the organizational tree.
4 IBM Tivoli Identity Manager adapters

It is sometimes necessary to tune the IBM Tivoli Identity Manager adapters when doing large provisioning changes or reconciliations. This section should supplement, not supersede, the documentation included with the adapter.

4.1 Microsoft Active Directory

The Microsoft Active Directory adapter returns attributes to IBM Tivoli Identity Manager that are not directly retrieved from Active Directory, but rather calculated from other Windows sources.
5 IBM DB2

Tuning IBM DB2 to run with the IBM Tivoli Identity Manager product involves adjusting the buffer pools, modifying the number of connections, modifying internal database values, adding table space, adjusting logs, indexing, and running runstats. The tuning JCL provided applies to the z/OS 1.6 LDAP server. The z/OS 1.8 LDAP server was not available at the time this document was prepared.

5.1 APARs

Two ODBC APARs have been linked to poor LDAP performance on z/OS.
Setting the values
1) Copy DSN.V8R1M0.NEW.SDSNSAMP(#02TIJUZ) to another dataset and/or member for updating.
2) Locate the line containing DSNTIZP and delete everything to the end of the file, including this line.
3) Locate the IDTHTOIN operand for the DSN6FAC macro.
4) Change the value to idle_thread_timeout as determined above, taking care not to delete the continuation characters in column 72.
5) Locate the line containing SYSLMOD.
5.6 Reorg and Runstats

IBM DB2 requires statistics on the number of rows in the tables and on the available indexes to fulfill queries efficiently. It is important to update these table and index statistics after large Directory Services Markup Language (DSML) loads, HR feeds, and reconciliations. IBM Tivoli Identity Manager ships with five JCL jobs that execute reorg and runstats against the IBM DB2 databases.
5.7 Additional ZPARMS

The WebSphere Application Server 6.0 Developer's Guide recommends updating the following ZPARMS in addition to the ones mentioned elsewhere in this document. For more information on these changes, see the WebSphere Application Server 6.0 Developer's Guide.
6 IBM LDAP Server

The IBM LDAP Server is a component of the Integrated Security Services base element in z/OS 1.6 and 1.7, not to be confused with the IBM Tivoli Directory Server released with z/OS 1.8.

6.1 APARs

The following APARs are recommended to fix insert and update failures when using IBM Tivoli Identity Manager:
• OA14765 – Addresses LDAP deadlocks
• OA17432 – Moves the DIR_MISC table to the MISCTS table space
6.
Determining the values
max_connections – The maximum number of connections that the LDAP server will accept. Set this value to 20 more than the enrole.connectionpool.maxpoolsize specified in the enRole.properties file.

Setting the values
1) Edit GLD.CNFOUT(SLAPDCNF).
2) Modify the maxConnections value to max_connections.
3) Restart LDAPSRV.

6.4 Changelog limits

The LDAP Server changelog can be limited either by the number of entries or by the maximum age of an entry.
7 Best practices

The IBM Tivoli Identity Manager product can be set up and configured in many ways. The following are some suggested best practices to help guide you in setting up your environment.
• Each agent modifies the LDAP schema by adding new attributes to support a new service. These attributes are created without indexes, and for services that serve thousands of users, a large benefit can be achieved by adding indexes to attributes with many members.
8 Regular maintenance

To maintain optimal performance for your IBM Tivoli Identity Manager environment, regular maintenance is required.
• Regularly empty the IBM Tivoli Identity Manager recycle bin. As the number of objects in the recycle bin increases, LDAP performance can degrade. The frequency at which the recycle bin is emptied depends on how frequently deletes occur in the system. Ideally, the recycle bin would contain fewer than 100 items.
9 Other resources

You will find the following resources useful for further tuning of IBM Tivoli Identity Manager:
• IBM Tivoli Identity Manager 4.6 Performance Tuning Guide for distributed: http://publib.boulder.ibm.com/tividd/td/ITIM/SC23-5272-02/en_US/PDF/SC23-5272-02.pdf
• z/OS Integrated Security Services LDAP Server Administration and Use: http://publibz.boulder.ibm.com/cgibin/bookmgr_OS390/BOOKS/GLDA2A31/2.