How to enable LDAP connection pooling over SSL to gain increased performance for Identity Manager.

Document ID : KB000050350
Last Modified Date : 14/02/2018

Description:

When Identity Manager connects to its corporate store (user store) over SSL, it may perform more slowly than when it connects over plain LDAP. This is because the Java Virtual Machine does not enable LDAP connection pooling for the SSL protocol by default. Enabling it, as explained in this document, gives a major performance increase for some Identity Manager tasks.

Solution:

The Java Virtual Machine does not enable LDAP connection pools for SSL by default. The JVM property "com.sun.jndi.ldap.connect.pool.protocol" specifies the protocols for which LDAP connection pools are enabled. By default it is set to "plain". This means that if the JVM connects to a directory over SSL (LDAPS), connection pooling is disabled, which results in slow, suboptimal performance and connection handling by the JVM. To enable connection pools for LDAP over SSL, set com.sun.jndi.ldap.connect.pool.protocol = "plain ssl". This enables the pool for both the plain and the SSL protocol.

CA Identity Manager connects to its corporate directory (user store) through the JVM, so the JVM's options and settings apply to that connection. Starting with version 12.5 SP7, Identity Manager sets the JVM LDAP connection pool protocol to "plain ssl" to optimize connections for both protocols. Previous versions do not explicitly specify this parameter, which means that the only protocol enabled for LDAP connection pooling is 'plain'. In those versions we have noticed slow performance, and at times major delays, when Identity Manager uses a secure corporate directory and connects over SSL. This happens in particular with ADAM or Active Directory, which require Identity Manager to connect over SSL for proper user management and password changes, but it is equally relevant to any other directory server to which Identity Manager connects securely over SSL.

Slowness was experienced in several areas of Identity Manager; in particular, group management appears to be very slow. Tasks such as Modify Group -> Membership Tab, View Group -> Membership Tab, Modify User -> Groups Tab, and other tasks that query user or group memberships run too slowly when the corporate store is connected over SSL. Group management can be very costly: a single connection may be busy for minutes querying thousands of memberships of one group. Without connection pooling, that connection stays busy and no other connection from the pool is brought in to assist. We also noticed that without a connection pool the directory connection appears to be released and then re-established over and over again. With this option enabled, the connection pool allows additional connection objects to be started to assist with this costly query. We have seen major performance increases for group management in Identity Manager when this option is used and the JVM enables the LDAP connection pool for SSL.

Enabling the connection pool is not the only thing you should do. You may also want to adjust some parameters to optimize the pool. These parameters are:

com.sun.jndi.ldap.connect.pool.maxsize = <Your Max Size Value>
com.sun.jndi.ldap.connect.pool.prefsize = <Your Preferred Size Value>
com.sun.jndi.ldap.connect.timeout = <Your Timeout Value>

The three values above depend on your needs, load and other conditions, and you may want to read further before deciding how to set them; our Implementation Guide covers this. We have seen very good results with the following values:

<Your Max Size Value> = 200
<Your Preferred Size Value> = 10
<Your Timeout Value> = 5000

You can use these values as a basis, but the final fine tuning will depend on your conditions, as explained.
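As an added illustration (not part of this article or of Identity Manager's own code), the following stand-alone Java program shows how the JVM properties discussed above apply to a JNDI LDAPS connection and how to confirm that pooling is actually in effect. The directory host, the bind DN and the LDAP_BIND_PASSWORD environment variable are placeholders you must replace.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

// Added example: opens three LDAPS contexts in turn and relies on the JNDI
// pool debug trace to show whether the underlying TLS connection is reused.
public class PooledLdapsCheck {

    // Same settings as the -D options in JAVA_OPTS; set here so the example
    // runs on its own. On a real server they belong in the startup script.
    static void configurePool(boolean poolSsl) {
        System.setProperty("com.sun.jndi.ldap.connect.pool.protocol",
                poolSsl ? "plain ssl" : "plain");        // JVM default is "plain"
        System.setProperty("com.sun.jndi.ldap.connect.pool.maxsize", "200");
        System.setProperty("com.sun.jndi.ldap.connect.pool.prefsize", "10");
        // Trace pool activity (connection creation and removal) to stderr.
        System.setProperty("com.sun.jndi.ldap.connect.pool.debug", "fine");
    }

    static Hashtable<String, String> ldapsEnv() {
        String password = System.getenv("LDAP_BIND_PASSWORD");   // placeholder secret source
        if (password == null) {
            throw new IllegalStateException("set LDAP_BIND_PASSWORD before running");
        }
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldaps://ldap.example.internal:636"); // placeholder host
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL,
                "cn=svc-idm,ou=service,dc=example,dc=internal");           // placeholder DN
        env.put(Context.SECURITY_CREDENTIALS, password);
        env.put("com.sun.jndi.ldap.connect.pool", "true");    // ask for a pooled connection
        env.put("com.sun.jndi.ldap.connect.timeout", "5000"); // connect timeout in ms
        return env;
    }

    public static void main(String[] args) throws NamingException {
        // Pass "plain-only" to reproduce the JVM default and compare the trace.
        configurePool(args.length == 0 || !args[0].equals("plain-only"));
        Hashtable<String, String> env = ldapsEnv();
        for (int i = 0; i < 3; i++) {
            DirContext ctx = new InitialDirContext(env);
            try {
                ctx.getAttributes("", new String[] {"namingContexts"}); // cheap root DSE read
            } finally {
                ctx.close(); // with pooling, this returns the connection to the pool
            }
        }
    }
}
```

With the "plain-only" argument the trace shows no pooled connection for the ldaps URL; with the "plain ssl" setting the pool creates the TLS connection once and the later contexts reuse it.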

How to enable this option?

How you enable this option depends on how the application server starts the JVM.

For JBoss

CA Identity Manager uses the batch file run_idm.bat, located in <JBoss installation folder>\Bin. The JVM options are specified by the variable JAVA_OPTS. Below is an example of how to set this variable so that it includes the LDAP connection pool option for both the SSL and the plain protocol, as explained above. You can enable this option for your Identity Manager in the same way:

set JAVA_OPTS="-Dcom.sun.jndi.ldap.connect.pool.protocol=plain ssl" -Djavax.net.ssl.trustStore="C:\Program Files\Java\jre1.5.0_17\lib\security\cacerts" -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.ssl.trustStoreType=JKS -Djava.security.policy=.\workpoint_client.policy -Xms256m -Xmx512m -XX:MaxPermSize=128m %JAVA_OPTS%

The three tuning variables explained above can either be specified in the JAVA_OPTS variable in the same way, or in the XML files inside the JBoss folders, as described in our Implementation Guide.

For WebLogic

Add the same java options as above to the startup scripts, e.g. startWebLogic.cmd[sh], startManagedWebLogic.cmd[sh], or equivalent.

For WebSphere

Use the IBM WebSphere Management Console to set the JVM options. For WAS 6.1, in the Management Console go to:

Application Servers -> <Select a server> -> Server Infrastructure -> Java and Process Management -> Process Definition -> Java Virtual Machine.

Add:

"-Dcom.sun.jndi.ldap.connect.pool.protocol=plain ssl" (note that the double quotes are required).
-Dcom.sun.jndi.ldap.connect.pool.maxsize=<Your Max Size Value>
-Dcom.sun.jndi.ldap.connect.pool.prefsize=<Your Preferred Size Value>
-Dcom.sun.jndi.ldap.connect.timeout=<Your Timeout Value>

These steps are explained in more detail in IBM's article:
https://www-304.ibm.com/support/docview.wss?uid=swg21358588.

We recommend that you read more about this option. More information is available at the following URL:
http://download.oracle.com/javase/jndi/tutorial/ldap/connect/config.html.