Identify Bottlenecks and Tune Oracle Identity Management to Maximize Performance
Session ID: CON8383
Selva Neelamegam, Pritpal Singh
Oracle - Team PSR IDM Performance
29 September 2014
Copyright © 2014, Oracle and/or its affiliates. All rights reserved.

Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.

Presentation Agenda
1. Introduction
2. Performance Methodology and Tools
3. Oracle Access Management Performance
4. Oracle Identity Manager Performance
5. Conclusion
6. Q & A

Introduction
• Oracle Identity Management Suite is a complete and integrated next-generation identity management platform that provides extreme scalability with a rich user experience, allowing organizations to simplify identity lifecycle management and secure access from any device for all enterprise resources, regardless of whether they are hosted on-premises or in a cloud.
• With ever-increasing security requirements, highly secure and faster access to resources is critical for enterprises.
• Our goal today is to provide you with tools and information to achieve maximum performance from your IDM deployment.

Performance Analysis Methodology
1. Isolate
2. Identify
3. Tune
Typically, performance analysis would be executed on a:
• Test environment with a simulated production load
• Production environment, when a performance or a stability issue is reported

Performance Analysis Tools
• Access logs in OHS/OAM/OMS/OAAM/OID and the client browser
• Java Flight Recorder
• JDK/Unix
• Enterprise Manager
• DMS
• DB AWR/ADDM

Performance Analysis Tools - Access Logs
• The default setting does not print response times. Add configuration to OHS/WLS/OID to print response times.
• Response times with the timestamp in access logs are very useful in isolating and identifying a single slow request.
• Timestamps help with correlating the slowness to events in the server logs and to incident reports.
• Use an HTTP trace from the client browser to correlate.
• WLS: Extended log format
  - date time time-taken cs-method cs-uri sc-status
• OHS
  - LogFormat "%h %l %u %t \"%r\" %>s %b %D %{X-ORACLE-DMS-ECID}o" common
• OID debug flag
  - orcldebugflag=1
    dn: cn=oid1,cn=osdldapd,cn=subconfigsubentry

Tools: Access Logs - Checking Response Times
• The access log captures key metrics for each request.
• The OHS log file can be found at <OHS_Instance_Home>/diagnostics/log/OHS/<instance_name>/access_log
• WLS log files can be found at <DOMAIN_HOME>/servers/<server_name>/logs/access.log
• The OID log file can be found at <OID_Instance_Home>/diagnostics/log/OID/<instance_name>/oidldapd01s<pid>.log

Checking Response Times
Oracle HTTP Server (OHS) Access Log
101287041 - - [15Aug2014145524 -0700] GET preferencepaymentbill-payees HTTP11 200 591 148421 009dQQRTDVEFw0HpIsO5yf0006Bc001LS9
101287041 - - [15Aug2014145524 -0700] GET accountsbanking HTTP11 200 2090 1001892 009dQQRTDVEFw0HpIsO5yf0006Bc001G83
Fields called out: Client IP, Request Time, Method, URL, Response Status, Response Size (bytes), Response Time (µs)
IDM WLS Access Log
2014-03-25 185318 4604 POST oic_restrestmobilejwtoamauthenticationauthenticate 200
2014-03-25 185318 0007 POST oic_restrestmobilejwtoamauthenticationvalidate 200
2014-03-25 185318 71 POST oic_restrestmobilejwtoamauthenticationauthenticate 200
2014-03-25 185318 0007 POST oic_restrestmobilejwtoamauthenticationvalidate 200
2014-03-25 185318 0536 POST oic_restrestmobilejwtoamauthenticationaccess 200
2014-03-25 185318 1126 POST oic_restrestmobilejwtoamauthenticationaccess 200
Fields called out: Request Time, Request Time (Seconds), Method, URL, Response Status

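Added example (not part of the original slides): a Python script that applies the access-log step described above. It parses OHS lines written with a LogFormat ending in %D and the ECID header (%D is in microseconds) and WLS extended-format lines (time-taken in seconds), normalizes both to milliseconds, and lists the slowest requests. The sample lines, URIs, ECID values and the 1000 ms threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# OHS lines as written by:
#   LogFormat "%h %l %u %t \"%r\" %>s %b %D %{X-ORACLE-DMS-ECID}o" common
OHS_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) (?P<usec>\d+) (?P<ecid>\S+)$'
)

# Constructed sample lines (illustrative, not taken from the slides).
OHS_SAMPLE = '''\
192.0.2.10 - - [15/Aug/2014:14:55:24 -0700] "GET /app/payees HTTP/1.1" 200 591 148421 ecid-0001
192.0.2.10 - - [15/Aug/2014:14:55:25 -0700] "GET /app/accounts?view=all HTTP/1.1" 200 2090 1001892 ecid-0002
192.0.2.11 - - [15/Aug/2014:14:55:26 -0700] "GET /app/accounts HTTP/1.1" 304 - 52000 ecid-0003
this line is truncated
'''.splitlines()

WLS_SAMPLE = '''\
#Fields: date time time-taken cs-method cs-uri sc-status
2014-03-25 18:53:18 4.604 POST /rest/authenticate 200
2014-03-25 18:53:18 0.007 POST /rest/validate 200
2014-03-25 18:53:19 0.536 POST /rest/access 200
'''.splitlines()


def parse_ohs(line):
    """Parse one OHS access-log line; returns None if it does not match."""
    m = OHS_RE.match(line.strip())
    if m is None:
        return None
    return {
        "source": "OHS",
        "ts": m.group("ts"),
        "method": m.group("method"),
        "uri": m.group("uri").split("?", 1)[0],   # group by path, not query
        "status": int(m.group("status")),
        "ms": int(m.group("usec")) / 1000.0,      # %D is microseconds
        "ecid": m.group("ecid"),
    }


def parse_wls(line):
    """Parse one WLS line: date time time-taken cs-method cs-uri sc-status."""
    parts = line.split()
    if len(parts) != 6:
        return None
    date, clock, taken, method, uri, status = parts
    try:
        ms = round(float(taken) * 1000.0, 3)      # time-taken is seconds
        code = int(status)
    except ValueError:
        return None
    return {"source": "WLS", "ts": date + " " + clock, "method": method,
            "uri": uri.split("?", 1)[0], "status": code, "ms": ms,
            "ecid": None}


def load(lines, parser):
    """Return (records, skipped) where skipped counts unparseable lines."""
    records, skipped = [], 0
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue                              # blank or '#Fields:' header
        rec = parser(line)
        if rec is None:
            skipped += 1
        else:
            records.append(rec)
    return records, skipped


def slow_requests(records, threshold_ms):
    """Requests at or above the threshold, slowest first."""
    hits = [r for r in records if r["ms"] >= threshold_ms]
    return sorted(hits, key=lambda r: r["ms"], reverse=True)


def by_uri(records):
    """Per (source, uri): request count, mean and max response time in ms."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["source"], r["uri"])].append(r["ms"])
    return {k: {"count": len(v), "mean_ms": sum(v) / len(v), "max_ms": max(v)}
            for k, v in groups.items()}


def demo():
    ohs, ohs_bad = load(OHS_SAMPLE, parse_ohs)
    wls, wls_bad = load(WLS_SAMPLE, parse_wls)
    records = ohs + wls
    return slow_requests(records, 1000.0), by_uri(records), ohs_bad + wls_bad


if __name__ == "__main__":
    slow, stats, skipped = demo()
    for r in slow:
        print(f'{r["source"]} {r["ts"]} {r["method"]} {r["uri"]} '
              f'{r["ms"]:.1f} ms ecid={r["ecid"]}')
    print("unparseable lines:", skipped)
```
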
Checking Response Times (Cont.)
OID Access Log
[2011-09-19T131530-0700] [OID] [TRACE16] [] [OIDLDAPD] [host idmhostpsrcom] [pid 30840] [tid 9] [ecid 004fL41Bzhl66UA5Jbw0yf0007Xs001Jf80] ServerWorker (REG)[[
BEGIN
ConnID56 mesgID23726 OpID3461 OpNamesearch ConnIP10228141163 ConnDNcn=idrousercn=usersdc=usdc=oracledc=com
2011-09-19T131530 INFO gslfseADoSearch BASE = cn=Usersdc=usdc=oracledc=com FILTER = (uid=fast_login_user) REQDATTR = 1 SCOPE = 2 REQDATTRS = uid TIMELIMIT = 3600 SIZELIMIT = 1000 DEREF = 0
2011-09-19T131530 INFOgsleswrASndResult OPtime=499 micro sec RESULT=0 tag=101 nentries=1
END
Fields called out: Client IP, OID Operation, Response Time (µs), Entries Returned

Performance Analysis Tools - Java Flight Recorder (JFR)
• JFR is an excellent on-demand tool for diagnosing performance issues, suitable for use in both development and production environments.
• The recorded data can be analyzed offline using Java Mission Control.
• Key features/metrics
  - Threads: hot threads, thread contention, thread dumps
  - Memory: heap and garbage collection statistics
  - I/O events like socket R/W, file R/W
  - Latencies for key events like Java waits, Java blocks, etc.
• JRockit and JDK 7u40 and above only (bundled with the HotSpot JVM)
• An optional WebLogic pack provides additional metrics on
  - Servlets, EJBs, client JDBC calls, etc.

Analyzing Metrics: JDK/Unix Tools
• JDK
  - jmap
  - JConsole
  - Thread dumps
• Eclipse Memory Analyzer
• Unix
  - netstat
  - sar/top
  - vmstat

Dynamic Monitoring Service (DMS)
• DMS enables IDM applications to collect critical performance metrics.
• DMS metrics can be collected for
  - Access Management events, OIM event handlers, adapters, or scheduled jobs
• DMS exposes a servlet to view the DMS-enabled metrics
  - http://servername:port/dms
• DMS metrics are cumulative from server start
  - Reset the metrics before the test or before steady state

Oracle FMW Enterprise Manager
• Access Management performance
  - Authentications/sec for each OAM Server instance in the cluster
  - Success rate: percentage of successful authentications
  - Authorizations/sec for each OAM Server instance in the cluster
  - Success rate: percentage of successful authorizations
• OIM performance
  - Adapter executions
  - Event handler executions
  - JMS metrics

DB Tools
• Use DB tools to collect comprehensive diagnostic data to help analyze performance issues
  - AWR (Automatic Workload Repository)
  - ADDM (Automatic Database Diagnostic Monitor)
  - Active Session History (ASH)
• DB tools help to identify performance issues at the database/session level, and the resource-intensive SQL queries and PL/SQL packages related to a particular use case.

DB Tools
• AWR snapshot interval: 1 hour or less
  - Frequent snapshots provide higher granularity and help to narrow down the root cause
• Generate ASH reports when you suspect resource-intensive SQL queries or PL/SQL packages are the bottlenecks.
• Use the database EM console/scripts to generate the AWR and ADDM reports.
• OAAM & OIM are DB-intensive applications.

Program Agenda
1. Introduction
2. Performance Tools and Methodology
3. Oracle Access Management Performance
4. Oracle Identity Manager Performance
5. Conclusion
6. Q & A

Oracle Access Management Overview
• The OAM suite is a set of Java Platform, Enterprise Edition-based, enterprise-level security applications that includes a full range of services providing Web-perimeter security functions and Web single sign-on, identity context, authentication and authorization, fraud detection, secure mobile access, and more.
• Oracle Access Management 11gR2 has been architected to provide internet-level performance, scalability, and high availability.
• The focus of this presentation is on three critical products, OMS/OAM/OAAM, with references to OID/Oracle DB.

Access Management: Sample Banking Test Case
• To help with this presentation, we will use a sample integrated test case that includes all 3 Access components along with OID and DB
  - All 3 Access components are integrated
  - Requests could come from a mobile app or a web browser

Access Management Sample Banking Test Case Overview
[Architecture diagram. Components shown: OHS, Webgate, Banking Applications, Mobile and Social, Access Manager (Core), Adaptive Access Manager, OAM DB, OAAM DB]

Access Management Performance Analysis
• To start the performance analysis of access management operations, we need to define the issue/problem.
• Typically, a slow transaction is identified during testing or in production
  - Ex.:
    • Login is slow
    • Page loading is slow, but the application does not appear to be the issue
    • Huge spikes in response times
    • Server is not scaling beyond a certain concurrent load

Performance Analysis: Isolate
Isolating the bottleneck
• Is it an IDM issue?
• If it's a browser-based authentication flow, check the browser HTTP trace (ex. HttpFox for Firefox)
0221 673 GET 302 texthtml httpstestbank-fsusoraclecomprofilePage
0568 1587 GET 302 texthtml httpstestbank-ssousoraclecomoamserverobrareqcgi
0174 4139 GET 200 texthtml httpstestbank-ssousoraclecomgloballoginPage
0556 5422 POST 302 Redirect httpstestbank-ssousoraclecomoamserverauth_cred_submit
0057 3061 GET 302 Redirect httpstestbank-fsusoraclecomobrarcgiencreply=Y8e1m9daYF
0076 2283 GET 302 Redirect httpstestbank-fsusoraclecomhomePageadfAuthentication_a
0160 2412 GET 200 texthtml httpstestbank-fsusoraclecomprofilePage

Performance Analysis: Isolate (Continued)
Isolating the bottleneck
• Load testing identifies slow transactions.
• Analyze the access logs on each component to isolate the slow request(s) to one of the components.
• OMS and Webgate use the OAP protocol to communicate with OAM
  - These requests are not registered in HTTP access logs; separate configuration is available in Webgate
  - The netstat monitoring tool gives information about connections
  - These connections should be stable under steady state; unstable connections will lead to spikes in response times
• By the end of this step we should have isolated the problem to one (or a few) of the access components: OAM/OMS/OAAM/OHS/Webgate/OID/DB.

Performance Analysis: Identify
• Once the problem is isolated to one of the components, we can leverage the tools to identify the problem.
• We will discuss two of the tools
  - DMS
  - JFR

Performance Analysis: Identify (DMS metrics - OAMSOAM_OAMController)
[Screenshot of DMS metrics. Callouts: "AuthZ is 0"; "AuthN RT is high on this server"]

Performance Analysis: Identify (JFR)
Identifying the bottleneck: JFR
1. WebLogic -> Servlet
2. Clearly the authentication call is the slowest -> Select and add selection to operative set
3. Events -> Logs -> "Filter slow requests"

Performance Analysis: Identify (JFR)
• Select the events you are interested in.
• Socket Read (blue) from OMS to OAM appears to be the bottleneck for the servlet calls (pink).

Tune
• OAM
  - NAP Connection
    • OAM EJB pool
  - Coherence
    • oamcoherencettl
    • MaximumQueueSize
    • tangosol.coherence.distributed.threads
    • tangosol.coherence.distributed.backupcount
    • max-beans-in-free-pool = 450
    • DistributedCacheMaxSize
  - OAM DB session growth should be sustainable
    • Monitor the expired sessions in the OAM DB
• OMS
  - Modify the OMS-OAM connection to point to the local server
  - Connection pooling to OAM
• OAAM
  - OAAM DB: partition tuning on tables like VCRYPT_ALERT, VT_SESSION_ACTION_MAP, VCRYPT_TRACKER_USERNODE_LOGS
  - OAAM DB connection pool
  - Purge historic data
• Separate DB for OAM and OAAM

Tune
• OHS tuning is critical
  - KeepAlive On
  - MaxKeepAliveRequests
  - KeepAliveTimeout
• Webgate tunings
  - Max Connections
  - Cache Pragma/Control header
  - aaaTimeout
• Goal
  - Load test: maximum CPU utilization
  - Steady RT

Access Management Conclusion
• Oracle Access Management 11gR2 represents a major milestone in access management technology that is unique in the industry. Oracle's Access Management platform provides innovative new services that complement traditional access management capabilities.
• This new platform represents key development goals for complete, innovative, simplified, and scalable access management that is open to third-party customization and integration.
• Whether your need is to provide secure access to browser-based applications, secure mobile applications, cloud single sign-on, secure web services, or federated single sign-on to and from your business partners, you can be sure that it's a service provided by Oracle Access Management 11gR2 - Complete and Scalable Access Management.
• 250M Access Management benchmark white paper link

Agenda
1. Introduction
2. Access Manager Performance
3. Oracle Identity Manager Performance
4. Conclusion
5. Q & A

Oracle Identity Governance
• Oracle Identity Governance Suite enables organizations to simplify access grants and review access through best-in-class provisioning, role, policy, and risk management within a common, consistent, and unified governance suite.
• Oracle Identity Manager is part of the OIG suite.

Oracle Identity Manager
1. Oracle Identity Manager Performance
2. Tuning and Managing Application Cache
3. Tuning Message Driven Beans
4. Tuning the User Interface
5. Tuning the JDBC Connection Pool & Database
6. Reconciliation Tuning

OIM Reconciliation Metrics through DMS
• Schedule Job
  - Time it took to capture the events from the target and time it took to create the event
• Action Task
  - Provides information about how much time it took to process the events
• Event Handlers
  - Reports how much time it took to execute any post-process event handlers
• Audit Handler
  - Reports the time taken to record and process the audit

OIM metrics through DMS

Tuning and Managing Application Cache
• Oracle Identity Manager allows caching of metadata, which reduces DB activity and network load and improves performance
  - You can use Oracle Enterprise Manager (EM) to turn on caching
  - Export oim-config.xml, make changes, and then import it back to turn on caching, in the Oracle Enterprise Manager console under Identity Management

Tuning the JDBC Connection Pool & Database
• Oracle Identity Manager uses the ApplicationDB, oimOperationsDB, and oimJMSStoreDS datasources
  - Maximum connections is set at 50
  - Increase this based on your load requirement
• Monitor key database performance indicators in your production environment and adjust the configuration
  - You can use EM to monitor the DB & generate AWR/ADDM reports

Tuning the JDBC Connection Pool & Database (Contd.)
• Create separate tablespaces for tables that generally grow bigger and are accessed frequently
  - Oracle Identity Manager stores provisioning and approval task details in the OSI, OSH & SCH tables
  - It is recommended to group these in one or more dedicated tablespaces
  - Store audit tables in a separate tablespace
• Use multiple redo-log files
  - Database transactions and commits during a reconciliation run can be high

Tuning Message Driven Beans
• Oracle Identity Manager uses Message Driven Beans (MDBs) for processing all offline activities
  - Reconciliation, auditing, requests, attestation, and its internal kernel operations
• By default, 80 MDB instances concurrently serve requests
  - Increase this based on your load
  - You can increase this by modifying the OIMMDBWorkManager configuration

Tuning the User Interface
• Oracle Identity Manager by default provides 20 front-end thread configurations
  - These threads are used for serving front-end requests
• Disabling the reloading of adapters and plug-in configuration
  - Reloading of adapters and plug-in configuration is enabled for ease of development
  - It should be disabled in the production environment
• Application Module tuning is critical for UI performance
  - -Djbo.ampool.maxavailablesize = number of concurrent users + 20

Reconciliation Tuning
• Configure paged reconciliation to optimize performance
• Database indexes for reconciliation matching rules
• Reconciliation uses a matching algorithm to find if the user/account/role/organization for which the change is requested
• The matching algorithm compares the data in a set of columns in OIM with the data in target staging table columns

Reconciliation Tuning (Contd.)
• Columns that contain the matching rules are defined in the reconciliation profile
• Indexes are created on the matching rule columns to improve the performance of the matching operation

Conclusion
• Use the tools and information provided in this presentation to achieve maximum performance from your IDM deployment
• 250M Access Management benchmark WP link
• Tuning considerations mentioned in this presentation are available in
  - Oracle Identity and Access Management Performance and Tuning Guide

Q&A
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 49
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 3
Safe Harbor StatementThe following is intended to outline our general product direction It is intended for information purposes only and may not be incorporated into any contract It is not a commitment to deliver any material code or functionality and should not be relied upon in making purchasing decisions The development release and timing of any features or functionality described for Oraclersquos products remains at the sole discretion of Oracle
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 4
Presentation Agenda
Introduction
Performance Methodology and Tools
Oracle Access Management Performance
Oracle Identity Manager Performance
Conclusion
Q amp A
1
2
3
4
5
6
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 5
Introductionbull Oracle Identity Management Suite is a complete and integrated next-generation identity management platform that provides extreme scalability with rich user experience that allow organizations to simplify identity lifecycle management and secure access from any device for all enterprise resources regardless of whether they are hosted on-premises or in a cloud
bull With ever increasing security requirements highly secure and faster access to the resources is critical for enterprises
bull Our goal today is to provide you with tools and information to achieve maximum performance from your IDM deployment
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 6
Program Agenda
Introduction
Performance Methodology and Tools
Oracle Access Management Performance
Oracle Identity Manager Performance
Conclusion
Q amp A
1
2
3
4
5
6
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 7
Typically performance analysis would be executed on a
1 Isolate
2 Identify
3 Tune
Performance Analysis Methodology
bull Test environment with a simulated production loadbull Production environment when a performance or a stability issue is reported
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 8
Performance Analysis Tools
bull Access logs in OHSOAMOMSOAAMOID and Client Browserbull Java Flight Recorderbull JDK Unix
bull Enterprise Managerbull DMSbull DB AWRADDM
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 9
Performance Analysis Tools - Access Logs
bull Default setting does not print response times Add configuration to OHSWLSOID to print response times
bull Response times with the timestamp in access logs are very useful in isolating and identifying single slow request
bull Time stamps help with correlating the slowness to any events in the server logs with any incident reports
bull Use http trace from the client browser to correlate
bull WLS Extended log formatbull date time time-taken cs-method cs-uri sc-status
bull OHS bull LogFormat h l u t r gts b D X-ORACLE-
DMS-ECIDo common
bull OID debug flagbull orcldebugflag=1
dncn=oid1cn=osdldapdcn=subconfigsubentry
Copyright copy 2014 Oracle andor its affiliates All rights reserved |
Tools Access Logs - Checking Response Times
bull Access log captures key metrics for each requestbull The OHS log file can be found at
ltOHS_Instance_HomegtdiagnosticslogOHSltinstance_namegtaccess_log
bull WLS log files could be found at ltDOMAIN_HOMEgtserversltserver_namegtlogsaccesslog
bull The OID log file can be found at ltOID_Instance_HomegtdiagnosticslogOIDltinstance_namegtoidldapd01sltpidgtlog
Copyright copy 2014 Oracle andor its affiliates All rights reserved |
Checking Response TimesOracle HTTP Server (OHS) Access Log
101287041 - - [15Aug2014145524 -0700] GET preferencepaymentbill-payees HTTP11 200 591 148421 009dQQRTDVEFw0HpIsO5yf0006Bc001LS9101287041 - - [15Aug2014145524 -0700] GET accountsbanking HTTP11 200 2090 1001892 009dQQRTDVEFw0HpIsO5yf0006Bc001G83
Client IP URL
Response Status
Response Size (bytes)
Response Time (micros)
Request Time Method
2014-03-25 185318 4604 POST oic_restrestmobilejwtoamauthenticationauthenticate 2002014-03-25 185318 0007 POST oic_restrestmobilejwtoamauthenticationvalidate 2002014-03-25 185318 71 POST oic_restrestmobilejwtoamauthenticationauthenticate 2002014-03-25 185318 0007 POST oic_restrestmobilejwtoamauthenticationvalidate 2002014-03-25 185318 0536 POST oic_restrestmobilejwtoamauthenticationaccess 2002014-03-25 185318 1126 POST oic_restrestmobilejwtoamauthenticationaccess 200
URL Method Request Time
Request Time (Seconds)
Response Status
IDM WLS Access Log
Copyright copy 2014 Oracle andor its affiliates All rights reserved |
Checking Response Times (Cont)OID Access Log
[2011-09-19T131530-0700] [OID] [TRACE16] [] [OIDLDAPD] [host idmhostpsrcom] [pid 30840] [tid 9] [ecid 004fL41Bzhl66UA5Jbw0yf0007Xs001Jf80] ServerWorker (REG)[[BEGIN ConnID56 mesgID23726 OpID3461 OpNamesearch ConnIP10228141163 ConnDNcn=idrousercn=usersdc=usdc=oracledc=com2011-09-19T131530 INFO gslfseADoSearch BASE = cn=Usersdc=usdc=oracledc=com FILTER = (uid=fast_login_user) REQDATTR = 1 SCOPE = 2 REQDATTRS = uid TIMELIMIT = 3600 SIZELIMIT = 1000 DEREF = 02011-09-19T131530 INFOgsleswrASndResult OPtime=499 micro sec RESULT=0 tag=101 nentries=1 END
Client IP
Response Time (micros)
OID Operation
Entries Returned
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 13
Performance Analysis Tools ndash JavaFlightRecorder (JFR)
bull JFR is a excellent on-demand tool for diagnosing performance issues suitable for use both in development and production environments
bull The recorded data can be analyzed off line using Java Mission Control
bull Key FeaturesMetricsndash Threads Hot threads thread contention thread dumpsndash Memory Heap and Garbage collection statisticsndash IO events line Socket RW File RWndash Latencies for key events like java waitsjava blocks etc
bull Jrockit and JDK 7 u40 and above only (Bundles with hotspot JVM)
bull Optional Weblogic Pack provides additional metrics on ndash Servlets EJBrsquosClient Jdbc calls etc
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 14
Analyzing metrics JDKUnix tools
bull JDK ndash JMAPndash Jconsolendash Threaddumps
bull Eclipse Memory Analyzer
bull Unixbull Netstatbull SARTopbull vmstat
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 15
Dynamic Monitoring Service (DMS)
bull DMS enables IDM applications to collect critical performance metricsbull DMS metrics can be collected for
ndash AccessManagement Events OIM Event handlers adapters or scheduled jobs
bull DMS exposes a servlet to view the DMS enabled metrics ndash httpservernameportdms
bull DMS metrics are cumulative from the server start ndash Reset the metrics before the test or before steady-state
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 16
Oracle FMW Enterprise Manager
bull Access Management Performance ndash Authenticationssec for each OAM Server instance in the clusterndash Success Rate percentage of successful authentications ndash Authorizationssec for each OAM Server instance in the clusterndash Success Rate percentage of successful authorizations
bull OIM Performancendash Adapter Executionsndash Event Handler Executionsndash JMS Metrics
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 17
Oracle FMW Enterprise Manager
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 18
DB Tools
bull Use DB tools to collect comprehensive diagnostic data to help analyze the performance issuesndash AWR (Automatic Workload Repository)ndash ADDM (Automatic Database Diagnostic Monitor)ndash Active Session History (ASH)
bull DB tools helps to identify the performance issue at the databasesession level and resource-intensive SQL queriesPLSQL packages related to particular use case
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 19
DB Tools
bull AWR snapshot interval 1 hour or less ndash Frequent snapshots provide higher granularity and help to narrow down the root
cause
bull Generate ASH reports when you suspect resource intensive SQL queriesPL-SQL packages are the bottlenecks
bull Use database EM consolescripts to generate the AWR and ADDM reportsbull OAAM amp OIM are DB intensive applications
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 20
Program Agenda
Introduction
Performance Tools and Methodology
Oracle Access Management Performance
Oracle Identity Manager Performance
Conclusion
Q amp A
1
4
5
6
2
3
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 21
Oracle Access Management Overview
bull OAM suite is a Java Platform Enterprise Edition based enterprise-level security applications that includes a full range of services that provide Web-perimeter security functions and Web single sign-on identity context authentication and authorization fraud detection secure mobile access and more
bull Oracle Access Management 11gR2 has been architected to provide internet-level performance scalability and high availability
bull The focus of this presentation would be on three critical products OMSOAMOAAM with references to OIDOracle DB
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 22
Access Management Sample Banking Test Casebull To help with this presentation we will use a sample integrated test case that
would include all the 3 Access components along with OID and DBndash All the 3 Access components are integratedndash Requests could come from a mobile app or a web browser
Copyright copy 2014 Oracle andor its affiliates All rights reserved |
Access Management Sample Banking Test Case Overview
`OHS
Webgate
Banking Applications
Mobile and
Social
Access Manager (Core)
Adaptive Access Manager OAM DB
OAAM DB
23
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 24
Access Management Performance Analysis
bull To start with the performance analysis of access management operations we need to define the issueproblem
bull Typically a slow transaction is identified during the testing or in productionndash Ex
bull Login is slowbull Page loading is slow but the application does not appear to be the issuebull Huge spikes in response timesbull Server is not scaling beyond certain concurrent load
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 25
Performance Analysis Isolate
bull Is it a IDM issuebull If itrsquos a browser based authentication flow check the browser http trace
(ex httpfox for firefox)
Isolating the bottleneck
0221 673 GET 302 texthtml httpstestbank-fsusoraclecomprofilePage0568 1587 GET 302 texthtml httpstestbank-ssousoraclecomoamserverobrareqcgi 0174 4139 GET 200 texthtml httpstestbank-ssousoraclecomgloballoginPage0556 5422 POST 302 Redirect httpstestbank-ssousoraclecomoamserverauth_cred_submit0057 3061 GET 302 Redirect httpstestbank-fsusoraclecomobrarcgiencreply=Y8e1m9daYF0076 2283 GET 302 Redirect httpstestbank-fsusoraclecomhomePageadfAuthentication_a0160 2412 GET 200 texthtml httpstestbank-fsusoraclecomprofilePage
Performance Analysis: Isolate (Continued)
Isolating the bottleneck
• Load testing identifies slow transactions
• Analyze the access logs on each component to isolate the slow request(s) to one of the components
• OMS and Webgate use the OAP protocol to communicate with OAM
  – These requests are not recorded in HTTP access logs; separate configuration is available in Webgate
  – The netstat monitoring tool gives information about connections
  – These connections should be stable under steady state; unstable connections will lead to spikes in response times
• By the end of this step we should have isolated the problem to one (or a few) of the access components: OAM/OMS/OAAM/OHS/Webgate/OID/DB
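The netstat check described above can be scripted. The following is an added example, not part of the presentation: it compares successive `netstat -an` snapshots and flags intervals where the OAP connection set is churning. The port 5575, the addresses, the 20% churn threshold and all sample snapshots are assumptions constructed for illustration.

```python
from collections import Counter

OAP_PORT = 5575  # assumption: set this to the OAM proxy port of your deployment


def parse_netstat(text, port=OAP_PORT):
    """Map (local, foreign) -> TCP state for connections that touch the OAP port."""
    conns = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("tcp"):
            continue  # header lines, UDP, unix sockets
        local, foreign, state = parts[3], parts[4], parts[5]
        ports = {local.rsplit(":", 1)[-1], foreign.rsplit(":", 1)[-1]}
        if str(port) in ports:
            conns[(local, foreign)] = state
    return conns


def churn(prev, curr):
    """Compare the ESTABLISHED connection sets of two snapshots."""
    prev_est = {k for k, s in prev.items() if s == "ESTABLISHED"}
    curr_est = {k for k, s in curr.items() if s == "ESTABLISHED"}
    return {
        "opened": len(curr_est - prev_est),
        "closed": len(prev_est - curr_est),
        "kept": len(prev_est & curr_est),
    }


def assess(snapshots, max_churn_ratio=0.2):
    """One verdict per interval: stable if few connections were opened or closed."""
    parsed = [parse_netstat(s) for s in snapshots]
    results = []
    for prev, curr in zip(parsed, parsed[1:]):
        c = churn(prev, curr)
        base = max(1, c["kept"] + c["closed"])  # ESTABLISHED count in the earlier snapshot
        ratio = (c["opened"] + c["closed"]) / base
        c["time_wait"] = Counter(curr.values()).get("TIME_WAIT", 0)
        c["stable"] = ratio <= max_churn_ratio
        results.append(c)
    return results


# Constructed snapshots (documentation addresses), taken on a Webgate host.
HEADER = "Proto Recv-Q Send-Q Local Address Foreign Address State\n"
STEADY = HEADER + "\n".join(
    f"tcp 0 0 192.0.2.21:{p} 192.0.2.31:5575 ESTABLISHED" for p in range(41001, 41005)
) + "\ntcp 0 0 192.0.2.21:52000 192.0.2.40:443 ESTABLISHED\n"
UNSTABLE = HEADER + "\n".join(
    ["tcp 0 0 192.0.2.21:41001 192.0.2.31:5575 ESTABLISHED"]
    + [f"tcp 0 0 192.0.2.21:{p} 192.0.2.31:5575 TIME_WAIT" for p in range(41002, 41005)]
    + [f"tcp 0 0 192.0.2.21:{p} 192.0.2.31:5575 ESTABLISHED" for p in range(41010, 41013)]
) + "\n"

SAMPLE_SNAPSHOTS = [STEADY, STEADY, UNSTABLE]

if __name__ == "__main__":
    for i, verdict in enumerate(assess(SAMPLE_SNAPSHOTS), start=1):
        print(f"interval {i}: {verdict}")
```

In practice the snapshots would be captured at a fixed interval during the steady-state phase of the load test and the flagged intervals lined up against the response-time spikes.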
Performance Analysis: Identify
• Once the problem is isolated to one of the components, we can leverage the tools to identify the problem
• We will discuss two of the tools
  – DMS
  – JFR
Performance Analysis: Identify (DMS metrics – OAMSOAM_OAMController)
• AuthZ is 0
• AuthN RT is high on this server
Performance Analysis: Identify (JFR)
Identifying the bottleneck: JFR
1. WebLogic -> Servlet
2. Clearly the authentication call is the slowest -> Select and add the selection to the operative set
3. Events -> Logs -> "Filter slow requests"
Performance Analysis: Identify (JFR)
• Select the events you are interested in
• Socket Read (blue) from OMS to OAM appears to be the bottleneck for the servlet calls (pink)
Tune
• OAM
  – NAP Connection
    • OAM EJB pool
  – Coherence
    • oamcoherencettl
    • MaximumQueueSize
    • tangosol.coherence.distributed.threads
    • tangosol.coherence.distributed.backupcount
    • max-beans-in-free-pool = 450
    • DistributedCacheMaxSize
  – OAM DB session growth should be sustainable
    • Monitor the expired sessions in OAM DB
• OMS
  – Modify the OMS-OAM connection to point to the local server
  – Connection pooling to OAM
• OAAM
  – OAAM DB: partition tuning on tables like VCRYPT_ALERT, VT_SESSION_ACTION_MAP, VCRYPT_TRACKER_USERNODE_LOGS
  – OAAM DB connection pool
  – Purge historic data
• Separate DB for OAM and OAAM
Tune
• OHS tuning is critical
  – KeepAlive On
  – MaxKeepAliveRequests
  – KeepAliveTimeout
• Webgate tunings
  – Max Connections
  – Cache Pragma/Control header
  – aaaTimeout
• Goal
  – Load test: maximum CPU utilization
  – Steady RT
Access Management Conclusion
• Oracle Access Management 11gR2 represents a major milestone in access management technology that is unique in the industry. Oracle's Access Management platform provides innovative new services that complement traditional access management capabilities.
• This new platform represents key development goals for complete, innovative, simplified and scalable access management that is open to third-party customization and integration.
• Whether your need is to provide secure access to browser-based applications, secure mobile applications, cloud single sign-on, secure web services, or federated single sign-on to and from your business partners, you can be sure that it's a service provided by Oracle Access Management 11gR2 – Complete and Scalable Access Management
• 250M Access Management benchmark white paper link
Agenda
1. Introduction
2. Access Manager Performance
3. Oracle Identity Manager Performance
4. Conclusion
5. Q & A
Oracle Identity Governance
• Oracle Identity Governance Suite enables organizations to simplify access grants and review access through best-in-class provisioning, role, policy and risk management in a common, consistent and unified governance suite
• Oracle Identity Manager is part of the OIG suite
Oracle Identity Manager
1. Oracle Identity Manager Performance
2. Tuning and Managing Application Cache
3. Tuning Message Driven Beans
4. Tuning the User Interface
5. Tuning the JDBC connection pool & Database
6. Reconciliation Tuning
OIM Reconciliation metrics through DMS
• Schedule Job
  – Time it took to capture the events from the target and time it took to create the event
• Action Task
  – Provides information about how much time it took to process the events
• Event Handlers
  – Reports how much time it took to execute any post-process event handlers
• Audit Handler
  – Reports the time taken to record and process the audit
OIM metrics through DMS
Tuning and Managing Application Cache
• Oracle Identity Manager allows caching of metadata, which reduces DB activity and network load and improves performance
  – You can use Oracle Enterprise Manager (EM) to turn on caching
  – Export oim-config.xml to make changes and then import it back to turn on caching, in the Oracle Enterprise Manager console under Identity Management
Tuning the JDBC Connection Pool & Database
• Oracle Identity Manager uses the ApplicationDB, oimOperationsDB and oimJMSStoreDS datasources
  – Maximum connections is set at 50
  – Increase this based on your load requirement
• Monitor key database performance indicators in your production environment and adjust the configuration
  – You can use EM to monitor the DB & generate AWR/ADDM reports
Tuning the JDBC Connection Pool & Database (Contd.)
• Create separate tablespaces for tables that generally grow bigger and are accessed frequently
  – Oracle Identity Manager stores provisioning and approval task details in the OSI, OSH & SCH tables
  – Recommended to group these in one or more dedicated tablespaces
  – Store audit tables in a separate tablespace
• Using multiple redo-log files
  – Database transactions and commits during a reconciliation run can be high
Tuning Message Driven Beans
• Oracle Identity Manager uses Message Driven Beans (MDBs) for processing all offline activities
  – Reconciliation, auditing, requests, attestation, and its internal kernel operations
• By default, 80 MDB instances concurrently serve requests
  – Increase this based on your load
  – You can increase this by modifying the OIMMDBWorkManager configuration
Tuning the User Interface
• Oracle Identity Manager by default provides a configuration of 20 front-end threads
  – These threads are used for serving front-end requests
• Disabling the reloading of adapters and plug-in configuration
  – Reloading of adapters and plug-in configuration is enabled for ease of development
  – Should be disabled in the production environment
• Application Module tuning is critical for UI performance
  – -Djbo.ampool.maxavailablesize = number of concurrent users + 20
Reconciliation Tuning
• Configure paged reconciliation to optimize performance
• Database indexes for reconciliation matching rules
• Reconciliation uses a matching algorithm to find if the user/account/role/organization for which the change is requested
• The matching algorithm compares the data in a set of columns in OIM with the data in the target staging table columns
Reconciliation Tuning (Contd.)
• Columns that contain the matching rules are defined in the reconciliation profile
• Indexes created on the matching rule columns improve the performance of the matching operation
Conclusion
• Use the tools and information provided in this presentation to achieve maximum performance from your IDM deployment
• 250M Access Management benchmark WP link
• Tuning considerations mentioned in this presentation are available in:
  – Oracle Identity and Access Management Performance and Tuning Guide
Q&A
Performance Analysis Methodology
1. Isolate
2. Identify
3. Tune
Typically, performance analysis would be executed on a:
• Test environment with a simulated production load
• Production environment when a performance or stability issue is reported
Performance Analysis Tools
• Access logs in OHS/OAM/OMS/OAAM/OID and the client browser
• Java Flight Recorder
• JDK, Unix
• Enterprise Manager
• DMS
• DB: AWR/ADDM
Performance Analysis Tools - Access Logs
• The default setting does not print response times. Add configuration to OHS/WLS/OID to print response times
• Response times with the timestamp in access logs are very useful in isolating and identifying a single slow request
• Timestamps help with correlating the slowness to any events in the server logs and with any incident reports
• Use the HTTP trace from the client browser to correlate
• WLS extended log format
  – date time time-taken cs-method cs-uri sc-status
• OHS
  – LogFormat "%h %l %u %t \"%r\" %>s %b %D %{X-ORACLE-DMS-ECID}o" common
• OID debug flag
  – orcldebugflag=1
  – dn: cn=oid1,cn=osdldapd,cn=subconfigsubentry
Tools: Access Logs - Checking Response Times
• The access log captures key metrics for each request
• The OHS log file can be found at <OHS_Instance_Home>/diagnostics/log/OHS/<instance_name>/access_log
• WLS log files can be found at <DOMAIN_HOME>/servers/<server_name>/logs/access.log
• The OID log file can be found at <OID_Instance_Home>/diagnostics/log/OID/<instance_name>/oidldapd01s<pid>.log
Checking Response Times
Oracle HTTP Server (OHS) Access Log
101287041 - - [15Aug2014145524 -0700] GET preferencepaymentbill-payees HTTP11 200 591 148421 009dQQRTDVEFw0HpIsO5yf0006Bc001LS9
101287041 - - [15Aug2014145524 -0700] GET accountsbanking HTTP11 200 2090 1001892 009dQQRTDVEFw0HpIsO5yf0006Bc001G83
Fields called out: Client IP, Request Time, Method, URL, Response Status, Response Size (bytes), Response Time (µs)
IDM WLS Access Log
2014-03-25 185318 4604 POST oic_restrestmobilejwtoamauthenticationauthenticate 200
2014-03-25 185318 0007 POST oic_restrestmobilejwtoamauthenticationvalidate 200
2014-03-25 185318 71 POST oic_restrestmobilejwtoamauthenticationauthenticate 200
2014-03-25 185318 0007 POST oic_restrestmobilejwtoamauthenticationvalidate 200
2014-03-25 185318 0536 POST oic_restrestmobilejwtoamauthenticationaccess 200
2014-03-25 185318 1126 POST oic_restrestmobilejwtoamauthenticationaccess 200
Fields called out: Request Time, Request Time (Seconds), Method, URL, Response Status
Checking Response Times (Cont.)
OID Access Log
[2011-09-19T131530-0700] [OID] [TRACE16] [] [OIDLDAPD] [host idmhostpsrcom] [pid 30840] [tid 9] [ecid 004fL41Bzhl66UA5Jbw0yf0007Xs001Jf80] ServerWorker (REG)[[
BEGIN
ConnID56 mesgID23726 OpID3461 OpNamesearch ConnIP10228141163 ConnDNcn=idrousercn=usersdc=usdc=oracledc=com
2011-09-19T131530 INFO gslfseADoSearch BASE = cn=Usersdc=usdc=oracledc=com FILTER = (uid=fast_login_user) REQDATTR = 1 SCOPE = 2 REQDATTRS = uid TIMELIMIT = 3600 SIZELIMIT = 1000 DEREF = 0
2011-09-19T131530 INFOgsleswrASndResult OPtime=499 micro sec RESULT=0 tag=101 nentries=1
END
Fields called out: Client IP, OID Operation, Response Time (µs), Entries Returned
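The response-time fields shown in these access logs can be extracted and ranked with a short script. This is an added example, not part of the presentation: it parses OHS lines written with a `%D` (microseconds) and ECID LogFormat and WLS extended-log lines with `time-taken` (seconds), converts both to milliseconds and lists the slowest requests. All sample lines, URIs, addresses and ECID values are constructed.

```python
import re
from collections import defaultdict

# Matches: LogFormat "%h %l %u %t \"%r\" %>s %b %D %{X-ORACLE-DMS-ECID}o"
OHS_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) (?P<usec>\d+) (?P<ecid>\S+)$'
)


def parse_ohs(lines):
    """Yield one record per OHS access-log line; lines without timing are skipped."""
    for line in lines:
        m = OHS_RE.match(line.strip())
        if m:
            yield {"source": "OHS", "ts": m["ts"], "method": m["method"],
                   "uri": m["uri"], "status": int(m["status"]),
                   "ms": int(m["usec"]) / 1000.0, "ecid": m["ecid"]}


def parse_wls(lines):
    """Yield records from a WLS extended log, using its #Fields directive for column order."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or not fields:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # truncated or malformed entry
        rec = dict(zip(fields, parts))
        yield {"source": "WLS", "ts": rec["date"] + " " + rec["time"],
               "method": rec["cs-method"], "uri": rec["cs-uri"],
               "status": int(rec["sc-status"]),
               "ms": float(rec["time-taken"]) * 1000.0, "ecid": None}


def slow_requests(records, threshold_ms):
    """Requests at or above the threshold, slowest first."""
    hits = [r for r in records if r["ms"] >= threshold_ms]
    return sorted(hits, key=lambda r: r["ms"], reverse=True)


def summarize(records):
    """Count, average and maximum response time per (source, URI without query string)."""
    buckets = defaultdict(list)
    for r in records:
        buckets[(r["source"], r["uri"].split("?")[0])].append(r["ms"])
    return {k: {"count": len(v), "avg_ms": sum(v) / len(v), "max_ms": max(v)}
            for k, v in buckets.items()}


# Constructed sample lines (documentation address, made-up ECIDs and URIs).
OHS_SAMPLE = [
    '192.0.2.10 - - [15/Aug/2014:14:55:24 -0700] "GET /preference/payment/bill-payees?page=2 HTTP/1.1" 200 591 148421 ECID-CONSTRUCTED-0001',
    '192.0.2.10 - - [15/Aug/2014:14:55:24 -0700] "GET /accounts/banking HTTP/1.1" 200 2090 1001892 ECID-CONSTRUCTED-0002',
    'line written with the default format, no timing fields',
]
WLS_SAMPLE = [
    "#Version: 1.0",
    "#Fields: date time time-taken cs-method cs-uri sc-status",
    "2014-03-25 18:53:18 4.604 POST /sample/authenticate 200",
    "2014-03-25 18:53:18 0.007 POST /sample/validate 200",
    "2014-03-25 18:53:18 0.536 POST /sample/access 200",
    "2014-03-25 18:53:19 1.126 POST /sample/access 200",
]


def load_samples():
    return list(parse_ohs(OHS_SAMPLE)) + list(parse_wls(WLS_SAMPLE))


if __name__ == "__main__":
    for r in slow_requests(load_samples(), threshold_ms=1000):
        print(f'{r["source"]} {r["ts"]} {r["method"]} {r["uri"]} {r["ms"]:.1f} ms ecid={r["ecid"]}')
```

The ECID printed for a slow OHS request is the value to search for in the downstream server logs when correlating one request across components.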
Performance Analysis Tools – Java Flight Recorder (JFR)
• JFR is an excellent on-demand tool for diagnosing performance issues, suitable for use in both development and production environments
• The recorded data can be analyzed offline using Java Mission Control
• Key features/metrics
  – Threads: hot threads, thread contention, thread dumps
  – Memory: heap and garbage collection statistics
  – I/O events like socket R/W, file R/W
  – Latencies for key events like Java waits, Java blocks, etc.
• JRockit and JDK 7u40 and above only (bundled with the HotSpot JVM)
• Optional WebLogic pack provides additional metrics on
  – Servlets, EJBs, client JDBC calls, etc.
Analyzing metrics: JDK/Unix tools
• JDK
  – jmap
  – JConsole
  – Thread dumps
• Eclipse Memory Analyzer
• Unix
  – netstat
  – sar/top
  – vmstat
Dynamic Monitoring Service (DMS)
• DMS enables IDM applications to collect critical performance metrics
• DMS metrics can be collected for
  – Access Management events, OIM event handlers, adapters or scheduled jobs
• DMS exposes a servlet to view the DMS-enabled metrics
  – http://servername:port/dms
• DMS metrics are cumulative from the server start
  – Reset the metrics before the test or before steady state
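Because the metrics are cumulative, an average read after a long uptime can hide a recent slowdown. This added example (not part of the presentation) shows the alternative to a reset: diff two snapshots taken around the measurement window. The metric names, the `completed`/`time_ms` field names and all values are assumptions constructed for illustration.

```python
def interval_stats(before, after):
    """Per-metric operation count and average latency for the window between two snapshots.

    Each snapshot maps a metric name to cumulative counters:
    {"completed": operations since server start, "time_ms": total time spent}.
    """
    out = {}
    for name, cur in after.items():
        prev = before.get(name, {"completed": 0, "time_ms": 0.0})
        d_ops = cur["completed"] - prev["completed"]
        d_ms = cur["time_ms"] - prev["time_ms"]
        reset = d_ops < 0 or d_ms < 0
        if reset:
            # Counters went backwards: the server restarted (or metrics were reset)
            # inside the window, so only the post-restart totals are usable.
            d_ops, d_ms = cur["completed"], cur["time_ms"]
        out[name] = {
            "ops": d_ops,
            "avg_ms": (d_ms / d_ops) if d_ops else None,
            "cumulative_avg_ms": (cur["time_ms"] / cur["completed"]) if cur["completed"] else None,
            "reset": reset,
        }
    return out


# Constructed snapshots; metric names are hypothetical.
BEFORE = {
    "authn": {"completed": 1_000_000, "time_ms": 50_000_000.0},
    "authz": {"completed": 500_000, "time_ms": 2_500_000.0},
    "session_create": {"completed": 900, "time_ms": 45_000.0},
}
AFTER = {
    "authn": {"completed": 1_010_000, "time_ms": 52_000_000.0},   # slow window
    "authz": {"completed": 500_000, "time_ms": 2_500_000.0},      # no traffic in window
    "session_create": {"completed": 100, "time_ms": 3_000.0},     # counters restarted
}

if __name__ == "__main__":
    for name, s in interval_stats(BEFORE, AFTER).items():
        print(name, s)
```

For the constructed `authn` metric the window average is 200 ms while the since-start average still reads about 51 ms, which is the masking effect the reset advice is guarding against.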
Oracle FMW Enterprise Manager
• Access Management performance
  – Authentications/sec for each OAM Server instance in the cluster
  – Success rate: percentage of successful authentications
  – Authorizations/sec for each OAM Server instance in the cluster
  – Success rate: percentage of successful authorizations
• OIM performance
  – Adapter executions
  – Event handler executions
  – JMS metrics
DB Tools
• Use DB tools to collect comprehensive diagnostic data to help analyze performance issues
  – AWR (Automatic Workload Repository)
  – ADDM (Automatic Database Diagnostic Monitor)
  – Active Session History (ASH)
• DB tools help to identify performance issues at the database/session level and resource-intensive SQL queries/PL/SQL packages related to a particular use case
DB Tools
• AWR snapshot interval: 1 hour or less
  – Frequent snapshots provide higher granularity and help to narrow down the root cause
• Generate ASH reports when you suspect resource-intensive SQL queries/PL/SQL packages are the bottleneck
• Use the database EM console/scripts to generate the AWR and ADDM reports
• OAAM & OIM are DB-intensive applications
Program Agenda
1. Introduction
2. Performance Tools and Methodology
3. Oracle Access Management Performance
4. Oracle Identity Manager Performance
5. Conclusion
6. Q & A
Oracle Access Management Overview
• The OAM suite is a Java Platform, Enterprise Edition-based set of enterprise-level security applications that includes a full range of services providing Web-perimeter security functions and Web single sign-on; identity context, authentication and authorization; fraud detection; secure mobile access; and more
• Oracle Access Management 11gR2 has been architected to provide internet-level performance, scalability and high availability
• The focus of this presentation is on three critical products, OMS/OAM/OAAM, with references to OID/Oracle DB
Access Management Sample Banking Test Case
• To help with this presentation we will use a sample integrated test case that includes all 3 Access components along with OID and DB
  – All 3 Access components are integrated
  – Requests could come from a mobile app or a web browser
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 5
Introductionbull Oracle Identity Management Suite is a complete and integrated next-generation identity management platform that provides extreme scalability with rich user experience that allow organizations to simplify identity lifecycle management and secure access from any device for all enterprise resources regardless of whether they are hosted on-premises or in a cloud
bull With ever increasing security requirements highly secure and faster access to the resources is critical for enterprises
bull Our goal today is to provide you with tools and information to achieve maximum performance from your IDM deployment
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 6
Program Agenda
Introduction
Performance Methodology and Tools
Oracle Access Management Performance
Oracle Identity Manager Performance
Conclusion
Q amp A
1
2
3
4
5
6
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 7
Typically performance analysis would be executed on a
1 Isolate
2 Identify
3 Tune
Performance Analysis Methodology
bull Test environment with a simulated production loadbull Production environment when a performance or a stability issue is reported
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 8
Performance Analysis Tools
bull Access logs in OHSOAMOMSOAAMOID and Client Browserbull Java Flight Recorderbull JDK Unix
bull Enterprise Managerbull DMSbull DB AWRADDM
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 9
Performance Analysis Tools - Access Logs
bull Default setting does not print response times Add configuration to OHSWLSOID to print response times
bull Response times with the timestamp in access logs are very useful in isolating and identifying single slow request
bull Time stamps help with correlating the slowness to any events in the server logs with any incident reports
bull Use http trace from the client browser to correlate
bull WLS Extended log formatbull date time time-taken cs-method cs-uri sc-status
bull OHS bull LogFormat h l u t r gts b D X-ORACLE-
DMS-ECIDo common
bull OID debug flagbull orcldebugflag=1
dncn=oid1cn=osdldapdcn=subconfigsubentry
Copyright copy 2014 Oracle andor its affiliates All rights reserved |
Tools Access Logs - Checking Response Times
bull Access log captures key metrics for each requestbull The OHS log file can be found at
ltOHS_Instance_HomegtdiagnosticslogOHSltinstance_namegtaccess_log
bull WLS log files could be found at ltDOMAIN_HOMEgtserversltserver_namegtlogsaccesslog
bull The OID log file can be found at ltOID_Instance_HomegtdiagnosticslogOIDltinstance_namegtoidldapd01sltpidgtlog
Copyright copy 2014 Oracle andor its affiliates All rights reserved |
Checking Response TimesOracle HTTP Server (OHS) Access Log
101287041 - - [15Aug2014145524 -0700] GET preferencepaymentbill-payees HTTP11 200 591 148421 009dQQRTDVEFw0HpIsO5yf0006Bc001LS9101287041 - - [15Aug2014145524 -0700] GET accountsbanking HTTP11 200 2090 1001892 009dQQRTDVEFw0HpIsO5yf0006Bc001G83
Client IP URL
Response Status
Response Size (bytes)
Response Time (micros)
Request Time Method
2014-03-25 185318 4604 POST oic_restrestmobilejwtoamauthenticationauthenticate 2002014-03-25 185318 0007 POST oic_restrestmobilejwtoamauthenticationvalidate 2002014-03-25 185318 71 POST oic_restrestmobilejwtoamauthenticationauthenticate 2002014-03-25 185318 0007 POST oic_restrestmobilejwtoamauthenticationvalidate 2002014-03-25 185318 0536 POST oic_restrestmobilejwtoamauthenticationaccess 2002014-03-25 185318 1126 POST oic_restrestmobilejwtoamauthenticationaccess 200
URL Method Request Time
Request Time (Seconds)
Response Status
IDM WLS Access Log
Copyright copy 2014 Oracle andor its affiliates All rights reserved |

Checking Response Times (Cont.)

OID Access Log

[2011-09-19T131530-0700] [OID] [TRACE16] [] [OIDLDAPD] [host idmhostpsrcom] [pid 30840] [tid 9] [ecid 004fL41Bzhl66UA5Jbw0yf0007Xs001Jf80] ServerWorker (REG)[[
BEGIN
ConnID56 mesgID23726 OpID3461 OpNamesearch ConnIP10228141163 ConnDNcn=idrousercn=usersdc=usdc=oracledc=com
2011-09-19T131530 INFO gslfseADoSearch BASE = cn=Usersdc=usdc=oracledc=com FILTER = (uid=fast_login_user) REQDATTR = 1 SCOPE = 2 REQDATTRS = uid TIMELIMIT = 3600 SIZELIMIT = 1000 DEREF = 0
2011-09-19T131530 INFOgsleswrASndResult OPtime=499 micro sec RESULT=0 tag=101 nentries=1
END

Fields: client IP, OID operation, response time (µs), entries returned
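
The response-time check described above, as an added example that is not part of the original presentation: it parses OHS access-log lines, reports per-URL response times, and lists the requests over a threshold together with their ECID so they can be matched against WLS and OID logs. It assumes the OHS log format `%h %l %u %t "%r" %>s %b %D %{X-ORACLE-DMS-ECID}o`; the sample lines, the 1000 ms threshold, and the function names are constructed for illustration.

```python
import re
from collections import defaultdict
from statistics import mean

# Assumed OHS LogFormat: %h %l %u %t "%r" %>s %b %D %{X-ORACLE-DMS-ECID}o
# %D is the time taken to serve the request, in microseconds.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) (?P<micros>\d+) (?P<ecid>\S+)$'
)

# Constructed sample lines (not taken from the presentation). The last line
# stands in for a truncated entry or one written with a different format.
SAMPLE_LOG = """\
192.0.2.10 - - [15/Aug/2014:14:55:24 -0700] "GET /accounts/banking HTTP/1.1" 200 2090 1001892 ecid-sample-0001
192.0.2.10 - - [15/Aug/2014:14:55:24 -0700] "GET /preference/payment/bill-payees HTTP/1.1" 200 591 148421 ecid-sample-0002
192.0.2.11 - - [15/Aug/2014:14:55:25 -0700] "POST /oam/server/auth_cred_submit HTTP/1.1" 302 - 5422310 ecid-sample-0003
192.0.2.11 - - [15/Aug/2014:14:55:26 -0700] "GET /accounts/banking?view=summary HTTP/1.1" 200 2090 212004 ecid-sample-0004
this line is truncated or in another format
"""


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["url"] = rec["url"].split("?", 1)[0]  # group by path, drop the query string
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    rec["ms"] = int(rec["micros"]) / 1000.0   # microseconds -> milliseconds
    return rec


def analyze(log_text, slow_ms=1000.0):
    """Summarise response times per URL and list requests at or above slow_ms."""
    per_url = defaultdict(list)
    slow, skipped = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1          # count unparsed lines instead of hiding them
            continue
        per_url[rec["url"]].append(rec["ms"])
        if rec["ms"] >= slow_ms:
            slow.append(rec)
    summary = {
        url: {"count": len(t), "mean_ms": round(mean(t), 1), "max_ms": max(t)}
        for url, t in per_url.items()
    }
    slow.sort(key=lambda r: r["ms"], reverse=True)
    return summary, slow, skipped


if __name__ == "__main__":
    summary, slow, skipped = analyze(SAMPLE_LOG)
    for url, s in sorted(summary.items(), key=lambda kv: -kv[1]["max_ms"]):
        print(f'{s["max_ms"]:>10.1f} ms max {s["mean_ms"]:>10.1f} ms mean n={s["count"]} {url}')
    for r in slow:
        print("SLOW", r["time"], r["method"], r["url"], f'{r["ms"]:.0f} ms', "ecid=" + r["ecid"])
    print("unparsed lines:", skipped)
```

A non-zero unparsed count usually means the running LogFormat differs from the assumed one, so check it before trusting the summary.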

Performance Analysis Tools - Java Flight Recorder (JFR)

• JFR is an excellent on-demand tool for diagnosing performance issues, suitable for use in both development and production environments.
• The recorded data can be analyzed offline using Java Mission Control.
• Key features/metrics:
  - Threads: hot threads, thread contention, thread dumps
  - Memory: heap and garbage collection statistics
  - I/O events like socket R/W, file R/W
  - Latencies for key events like Java waits, Java blocks, etc.
• JRockit and JDK 7u40 and above only (bundled with the HotSpot JVM)
• The optional WebLogic pack provides additional metrics on:
  - Servlets, EJBs, Client, JDBC calls, etc.

Analyzing metrics: JDK/Unix tools

• JDK
  - jmap
  - JConsole
  - Thread dumps
• Eclipse Memory Analyzer
• Unix
  - netstat
  - sar/top
  - vmstat

Dynamic Monitoring Service (DMS)

• DMS enables IDM applications to collect critical performance metrics.
• DMS metrics can be collected for:
  - Access Management events, OIM event handlers, adapters, or scheduled jobs
• DMS exposes a servlet to view the DMS-enabled metrics:
  - http://servername:port/dms
• DMS metrics are cumulative from server start:
  - Reset the metrics before the test or before steady state

Oracle FMW Enterprise Manager

• Access Management performance
  - Authentications/sec for each OAM Server instance in the cluster
  - Success rate: percentage of successful authentications
  - Authorizations/sec for each OAM Server instance in the cluster
  - Success rate: percentage of successful authorizations
• OIM performance
  - Adapter executions
  - Event handler executions
  - JMS metrics

DB Tools

• Use DB tools to collect comprehensive diagnostic data to help analyze performance issues:
  - AWR (Automatic Workload Repository)
  - ADDM (Automatic Database Diagnostic Monitor)
  - ASH (Active Session History)
• DB tools help identify performance issues at the database/session level and resource-intensive SQL queries/PL/SQL packages related to a particular use case.
• AWR snapshot interval: 1 hour or less
  - Frequent snapshots provide higher granularity and help narrow down the root cause
• Generate ASH reports when you suspect that resource-intensive SQL queries/PL/SQL packages are the bottleneck.
• Use the database EM console/scripts to generate the AWR and ADDM reports.
• OAAM and OIM are DB-intensive applications.

Oracle Access Management Overview

• The OAM suite is a set of Java Platform, Enterprise Edition based, enterprise-level security applications that includes a full range of services providing Web-perimeter security functions and Web single sign-on, identity context, authentication and authorization, fraud detection, secure mobile access, and more.
• Oracle Access Management 11gR2 has been architected to provide internet-level performance, scalability, and high availability.
• This presentation focuses on three critical products, OMS, OAM, and OAAM, with references to OID/Oracle DB.

Access Management Sample Banking Test Case

• To help with this presentation, we will use a sample integrated test case that includes all three Access components along with OID and DB.
  - All three Access components are integrated
  - Requests can come from a mobile app or a web browser

Access Management Sample Banking Test Case Overview

[Diagram components: OHS, Webgate, Banking Applications, Mobile and Social, Access Manager (Core), Adaptive Access Manager, OAM DB, OAAM DB]

Access Management Performance Analysis

• To start the performance analysis of access management operations, we need to define the issue/problem.
• Typically a slow transaction is identified during testing or in production, for example:
  - Login is slow
  - Page loading is slow, but the application does not appear to be the issue
  - Huge spikes in response times
  - Server is not scaling beyond a certain concurrent load

Performance Analysis: Isolate

Isolating the bottleneck

• Is it an IDM issue?
• If it's a browser-based authentication flow, check the browser HTTP trace (e.g. HttpFox for Firefox).

0221 673 GET 302 texthtml httpstestbank-fsusoraclecomprofilePage
0568 1587 GET 302 texthtml httpstestbank-ssousoraclecomoamserverobrareqcgi
0174 4139 GET 200 texthtml httpstestbank-ssousoraclecomgloballoginPage
0556 5422 POST 302 Redirect httpstestbank-ssousoraclecomoamserverauth_cred_submit
0057 3061 GET 302 Redirect httpstestbank-fsusoraclecomobrarcgiencreply=Y8e1m9daYF
0076 2283 GET 302 Redirect httpstestbank-fsusoraclecomhomePageadfAuthentication_a
0160 2412 GET 200 texthtml httpstestbank-fsusoraclecomprofilePage

Performance Analysis: Isolate (Continued)

Isolating the bottleneck

• Load testing identifies slow transactions.
• Analyze the access logs on each component to isolate the slow request(s) to one of the components.
• OMS and Webgate use the OAP protocol to communicate with OAM.
  - These requests are not recorded in HTTP access logs; separate configuration is available in Webgate
  - The netstat monitoring tool gives information about connections
  - These connections should be stable under steady state; unstable connections will lead to spikes in response times
• By the end of this step, we should have isolated the problem to one (or a few) of the access components: OAM/OMS/OAAM/OHS/Webgate/OID/DB.

Performance Analysis: Identify

• Once the problem is isolated to one of the components, we can leverage the tools to identify the problem.
• We will discuss two of the tools:
  - DMS
  - JFR

Performance Analysis: Identify (DMS metrics - OAMSOAM_OAMController)

[Screenshot callouts: AuthZ is 0; AuthN RT is high on this server]

Performance Analysis: Identify (JFR)

Identifying the bottleneck with JFR:
1. WebLogic -> Servlet
2. Clearly the authentication call is the slowest -> select it and add the selection to the operative set
3. Events -> Logs -> "Filter slow requests"

• Select the events you are interested in.
• Socket Read (blue) from OMS to OAM appears to be the bottleneck for the servlet calls (pink).

Tune

• OAM
  - NAP connection
    • OAM EJB pool
  - Coherence
    • oamcoherencettl
    • MaximumQueueSize
    • tangosol.coherence.distributed.threads
    • tangosol.coherence.distributed.backupcount
    • max-beans-in-free-pool = 450
    • DistributedCacheMaxSize
  - OAM DB session growth should be sustainable
    • Monitor the expired sessions in the OAM DB
• OMS
  - Modify the OMS-OAM connection to point to the local server
  - Connection pooling to OAM
• OAAM
  - OAAM DB: partition tuning on tables like VCRYPT_ALERT, VT_SESSION_ACTION_MAP, VCRYPT_TRACKER_USERNODE_LOGS
  - OAAM DB connection pool
  - Purge historic data
• Separate DBs for OAM and OAAM

Tune

• OHS tuning is critical
  - KeepAlive On
  - MaxKeepAliveRequests
  - KeepAliveTimeout
• Webgate tuning
  - Max Connections
  - Cache Pragma/Control header
  - aaaTimeout
• Goal
  - Load test: maximum CPU utilization
  - Steady RT

Access Management Conclusion

• Oracle Access Management 11gR2 represents a major milestone in access management technology that is unique in the industry. Oracle's Access Management platform provides innovative new services that complement traditional access management capabilities.
• This new platform represents key development goals for complete, innovative, simplified, and scalable access management that is open to third-party customization and integration.
• Whether your need is to provide secure access to browser-based applications, secure mobile applications, cloud single sign-on, secure web services, or federated single sign-on to and from your business partners, you can be sure that it's a service provided by Oracle Access Management 11gR2 - Complete and Scalable Access Management.
• 250M Access Management benchmark: white paper link

Oracle Identity Governance

• Oracle Identity Governance Suite enables organizations to simplify access grants and review access through best-in-class provisioning, role, policy, and risk management combined into a common, consistent, and unified governance suite.
• Oracle Identity Manager is part of the OIG suite.

Oracle Identity Manager

1. Oracle Identity Manager Performance
2. Tuning and Managing Application Cache
3. Tuning Message Driven Beans
4. Tuning the User Interface
5. Tuning the JDBC Connection Pool & Database
6. Reconciliation Tuning

OIM Reconciliation metrics through DMS

• Schedule Job
  - Time it took to capture the events from the target and time it took to create the event
• Action Task
  - Provides information about how much time it took to process the events
• Event Handlers
  - Reports how much time it took to execute any post-process event handlers
• Audit Handler
  - Reports the time taken to record and process the audit

Tuning and Managing Application Cache

• Oracle Identity Manager allows caching of metadata, which reduces DB activity and network load and improves performance.
  - You can use Oracle Enterprise Manager (EM) to turn on caching
  - Export oim-config.xml, make the changes, and then import it back to turn on caching. In Oracle Enterprise Manager console under Identity Management

Tuning the JDBC Connection Pool & Database

• Oracle Identity Manager uses the ApplicationDB, oimOperationsDB, and oimJMSStoreDS data sources.
  - Maximum connections is set at 50
  - Increase this based on your load requirement
• Monitor key database performance indicators in your production environment and adjust the configuration.
  - You can use EM to monitor the DB and generate AWR/ADDM reports

Tuning the JDBC Connection Pool & Database (Cont'd)

• Create separate tablespaces for tables that generally grow bigger and are accessed frequently.
  - Oracle Identity Manager stores provisioning and approval task details in the OSI, OSH, and SCH tables
  - It is recommended to group these in one or more dedicated tablespaces
  - Store audit tables in a separate tablespace
• Use multiple redo log files.
  - Database transactions and commits during a reconciliation run can be high

Tuning Message Driven Beans

• Oracle Identity Manager uses Message Driven Beans (MDBs) for processing all offline activities.
  - Reconciliation, auditing, requests, attestation, and its internal kernel operations
• By default, 80 MDB instances concurrently serve requests.
  - Increase this based on your load
  - You can increase this by modifying the OIMMDBWorkManager configuration

Tuning the User Interface

• Oracle Identity Manager by default provides 20 front-end thread configurations.
  - These threads are used for serving front-end requests
• Disabling the reloading of adapters and plug-in configuration
  - Reloading of adapters and plug-in configuration is enabled for ease of development
  - Should be disabled in the production environment
• Application Module tuning is critical for UI performance.
  - -Djbo.ampool.maxavailablesize = number of concurrent users + 20

Reconciliation Tuning

• Configure paged reconciliation to optimize performance.
• Database indexes for reconciliation matching rules
• Reconciliation uses a matching algorithm to find if the user/account/role/organization for which the change is requested
• The matching algorithm compares the data in a set of columns in OIM with the data in the target staging table columns.

Reconciliation Tuning (Cont'd)

• The columns that contain the matching rules are defined in the reconciliation profile.
• Indexes are created on the matching rule columns to improve the performance of the matching operation.

Conclusion

• Use the tools and information provided in this presentation to achieve maximum performance from your IDM deployment.
• 250M Access Management benchmark: WP link
• Tuning considerations mentioned in this presentation are available in:
  - Oracle Identity and Access Management Performance and Tuning Guide

Q&A

Performance Analysis Methodology

1. Isolate
2. Identify
3. Tune

Typically, performance analysis would be executed on a:
• Test environment with a simulated production load
• Production environment when a performance or a stability issue is reported

Performance Analysis Tools

• Access logs in OHS/OAM/OMS/OAAM/OID and the client browser
• Java Flight Recorder
• JDK/Unix
• Enterprise Manager
• DMS
• DB AWR/ADDM

Performance Analysis Tools - Access Logs

• The default settings do not print response times. Add configuration to OHS/WLS/OID to print response times.
• Response times with the timestamp in access logs are very useful in isolating and identifying a single slow request.
• Timestamps help correlate the slowness with events in the server logs and with incident reports.
• Use an HTTP trace from the client browser to correlate.
• WLS extended log format:
  - date time time-taken cs-method cs-uri sc-status
• OHS:
  - LogFormat "%h %l %u %t \"%r\" %>s %b %D %{X-ORACLE-DMS-ECID}o" common
• OID debug flag:
  - orcldebugflag=1 (dn: cn=oid1,cn=osdldapd,cn=subconfigsubentry)
Copyright copy 2014 Oracle andor its affiliates All rights reserved |
Tools Access Logs - Checking Response Times
bull Access log captures key metrics for each requestbull The OHS log file can be found at
ltOHS_Instance_HomegtdiagnosticslogOHSltinstance_namegtaccess_log
bull WLS log files could be found at ltDOMAIN_HOMEgtserversltserver_namegtlogsaccesslog
bull The OID log file can be found at ltOID_Instance_HomegtdiagnosticslogOIDltinstance_namegtoidldapd01sltpidgtlog
Copyright copy 2014 Oracle andor its affiliates All rights reserved |
Checking Response TimesOracle HTTP Server (OHS) Access Log
101287041 - - [15Aug2014145524 -0700] GET preferencepaymentbill-payees HTTP11 200 591 148421 009dQQRTDVEFw0HpIsO5yf0006Bc001LS9101287041 - - [15Aug2014145524 -0700] GET accountsbanking HTTP11 200 2090 1001892 009dQQRTDVEFw0HpIsO5yf0006Bc001G83
Client IP URL
Response Status
Response Size (bytes)
Response Time (micros)
Request Time Method
2014-03-25 185318 4604 POST oic_restrestmobilejwtoamauthenticationauthenticate 2002014-03-25 185318 0007 POST oic_restrestmobilejwtoamauthenticationvalidate 2002014-03-25 185318 71 POST oic_restrestmobilejwtoamauthenticationauthenticate 2002014-03-25 185318 0007 POST oic_restrestmobilejwtoamauthenticationvalidate 2002014-03-25 185318 0536 POST oic_restrestmobilejwtoamauthenticationaccess 2002014-03-25 185318 1126 POST oic_restrestmobilejwtoamauthenticationaccess 200
URL Method Request Time
Request Time (Seconds)
Response Status
IDM WLS Access Log
Copyright copy 2014 Oracle andor its affiliates All rights reserved |
Checking Response Times (Cont)OID Access Log
[2011-09-19T131530-0700] [OID] [TRACE16] [] [OIDLDAPD] [host idmhostpsrcom] [pid 30840] [tid 9] [ecid 004fL41Bzhl66UA5Jbw0yf0007Xs001Jf80] ServerWorker (REG)[[BEGIN ConnID56 mesgID23726 OpID3461 OpNamesearch ConnIP10228141163 ConnDNcn=idrousercn=usersdc=usdc=oracledc=com2011-09-19T131530 INFO gslfseADoSearch BASE = cn=Usersdc=usdc=oracledc=com FILTER = (uid=fast_login_user) REQDATTR = 1 SCOPE = 2 REQDATTRS = uid TIMELIMIT = 3600 SIZELIMIT = 1000 DEREF = 02011-09-19T131530 INFOgsleswrASndResult OPtime=499 micro sec RESULT=0 tag=101 nentries=1 END
Client IP
Response Time (micros)
OID Operation
Entries Returned
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 13
Performance Analysis Tools ndash JavaFlightRecorder (JFR)
bull JFR is a excellent on-demand tool for diagnosing performance issues suitable for use both in development and production environments
bull The recorded data can be analyzed off line using Java Mission Control
bull Key FeaturesMetricsndash Threads Hot threads thread contention thread dumpsndash Memory Heap and Garbage collection statisticsndash IO events line Socket RW File RWndash Latencies for key events like java waitsjava blocks etc
bull Jrockit and JDK 7 u40 and above only (Bundles with hotspot JVM)
bull Optional Weblogic Pack provides additional metrics on ndash Servlets EJBrsquosClient Jdbc calls etc
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 14
Analyzing metrics JDKUnix tools
bull JDK ndash JMAPndash Jconsolendash Threaddumps
bull Eclipse Memory Analyzer
bull Unixbull Netstatbull SARTopbull vmstat
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 15
Dynamic Monitoring Service (DMS)
bull DMS enables IDM applications to collect critical performance metricsbull DMS metrics can be collected for
ndash AccessManagement Events OIM Event handlers adapters or scheduled jobs
bull DMS exposes a servlet to view the DMS enabled metrics ndash httpservernameportdms
bull DMS metrics are cumulative from the server start ndash Reset the metrics before the test or before steady-state
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 16
Oracle FMW Enterprise Manager
bull Access Management Performance ndash Authenticationssec for each OAM Server instance in the clusterndash Success Rate percentage of successful authentications ndash Authorizationssec for each OAM Server instance in the clusterndash Success Rate percentage of successful authorizations
bull OIM Performancendash Adapter Executionsndash Event Handler Executionsndash JMS Metrics
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 17
Oracle FMW Enterprise Manager
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 18
DB Tools
bull Use DB tools to collect comprehensive diagnostic data to help analyze the performance issuesndash AWR (Automatic Workload Repository)ndash ADDM (Automatic Database Diagnostic Monitor)ndash Active Session History (ASH)
bull DB tools helps to identify the performance issue at the databasesession level and resource-intensive SQL queriesPLSQL packages related to particular use case
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 19
DB Tools
bull AWR snapshot interval 1 hour or less ndash Frequent snapshots provide higher granularity and help to narrow down the root
cause
bull Generate ASH reports when you suspect resource intensive SQL queriesPL-SQL packages are the bottlenecks
bull Use database EM consolescripts to generate the AWR and ADDM reportsbull OAAM amp OIM are DB intensive applications
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 20
Program Agenda
Introduction
Performance Tools and Methodology
Oracle Access Management Performance
Oracle Identity Manager Performance
Conclusion
Q amp A
1
4
5
6
2
3
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 21
Oracle Access Management Overview
bull OAM suite is a Java Platform Enterprise Edition based enterprise-level security applications that includes a full range of services that provide Web-perimeter security functions and Web single sign-on identity context authentication and authorization fraud detection secure mobile access and more
bull Oracle Access Management 11gR2 has been architected to provide internet-level performance scalability and high availability
bull The focus of this presentation would be on three critical products OMSOAMOAAM with references to OIDOracle DB
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 22
Access Management Sample Banking Test Casebull To help with this presentation we will use a sample integrated test case that
would include all the 3 Access components along with OID and DBndash All the 3 Access components are integratedndash Requests could come from a mobile app or a web browser
Copyright copy 2014 Oracle andor its affiliates All rights reserved |
Access Management Sample Banking Test Case Overview
`OHS
Webgate
Banking Applications
Mobile and
Social
Access Manager (Core)
Adaptive Access Manager OAM DB
OAAM DB
23
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 24
Access Management Performance Analysis
bull To start with the performance analysis of access management operations we need to define the issueproblem
bull Typically a slow transaction is identified during the testing or in productionndash Ex
bull Login is slowbull Page loading is slow but the application does not appear to be the issuebull Huge spikes in response timesbull Server is not scaling beyond certain concurrent load
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 25
Performance Analysis Isolate
bull Is it a IDM issuebull If itrsquos a browser based authentication flow check the browser http trace
(ex httpfox for firefox)
Isolating the bottleneck
0221 673 GET 302 texthtml httpstestbank-fsusoraclecomprofilePage0568 1587 GET 302 texthtml httpstestbank-ssousoraclecomoamserverobrareqcgi 0174 4139 GET 200 texthtml httpstestbank-ssousoraclecomgloballoginPage0556 5422 POST 302 Redirect httpstestbank-ssousoraclecomoamserverauth_cred_submit0057 3061 GET 302 Redirect httpstestbank-fsusoraclecomobrarcgiencreply=Y8e1m9daYF0076 2283 GET 302 Redirect httpstestbank-fsusoraclecomhomePageadfAuthentication_a0160 2412 GET 200 texthtml httpstestbank-fsusoraclecomprofilePage
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 26
Performance Analysis Isolate (Continue)
bull Load testing identifies slow transactionsbull Analyze the access logs on each component to isolate the slow request(s) to
one of the componentbull OMS and webgate uses oap protocol to communicate with OAM
ndash These are not registered in http access logs separate configuration is available in webgate ndash Netstat monitoring tool would give information about connections ndash These connections should be stable under steady state unstable connections will lead to
spikes in response times
bull By the end of this step we should have isolate the problem to one (or few) of the access components OAMOMSOAAMOHSwebgateOIDDB
Isolating the bottleneck
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 27
Performance Analysis Identify
bull Once the problem is isolated to one of the component we can leverage the tools to identify the problem
bull We will discuss two of the toolsndash DMSndash JFR
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 28
Performance Analysis Identify (DMS metrics ndash OAMSOAM_OAMController)
AuthZ is 0
AuthN RTis high on this server
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 29
Performance analysis Identify (JFR)
Identifying the bottleneck JFR1Weblogic-gtServlet
2 Clearly authentication call is the slowest -gtSelect and add selection to operative set3 Events-gt logs -gt ldquoFilter slow requests ldquo
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 30
Performance analysis Identify (JFR)
bull Select the events you are interested in
bull Socket Read (Blue)from OMS to OAM appears to be the bottleneck for the servlet calls (pink)
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 31
Tunebull OAM
ndash NAP Connectionbull OAM EJB pool
ndash Coherencebull oamcoherencettlbull MaximumQueueSizebull tangosolcoherencedistributedthreadsbull tangosolcoherencedistributedbackupcountbull max-beans-in-free-pool =450bull DistributedCacheMaxSize
ndash OAM Db session growth should be sustainablebull Monitor the expired session in OAM DB
bull OMSndash Modify OMS-OAM connection to point to local server
ndash Connection pooling to OAM
bull OAAMndash OAAM DB Partition tunings on tables like VCRYPT_ALERT
VT_SESSION_ACTION_MAP VCRYPT_TRACKER_USERNODE_LOGS
ndash OAAM Db connection pool
ndash Purge historic data
bull Separate DB for OAM and OAAM
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 32
Tune
bull OHS Tuning is criticalndash KeepAlive On ndash MaxKeepAliveRequestsndash KeepAliveTimeout
bull Webgate tuningsndash Max Connections
ndash Cache PragmaControl headerndash aaaTimeout
bull Goalndash Loadtest Maximum cpu utilizationndash Steady RT
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 33
Access Management ConclusionbullOracle Access Management 11gR2 represents a major milestone in access management technology that is unique in the industry Oraclersquos Access Management platform provides innovative new services that complement traditional access management capabilities
bullThis new platform represents key development goals for complete innovative simplified and scalable access management that is open to third-party customization and integration
bullWhether your need is to provide secure access to browser-based applications secure mobile applications cloud single sign-on secure web services or federated single sign-on to and from your business partners you can be sure that itrsquos a service provided by Oracle Access Management 11gR2 ndash Complete and Scalable Access Management
bull250M Access Management benchmark WhitePaper link
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 34
Agenda
Introduction
Access Manager Performance
Oracle Identity Manager Performance
Conclusion
Q amp A
1
3
4
5
2
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 35
Oracle Identity Governance
bull Oracle Identity Governance Suite enables organizations to simplify access grants and review access through best-in-class provisioning role policy and risk management into a common consistent and unified governance suite
bull Oracle Identity Manager is part of OIG suite
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 36
Oracle Identity Manager
Oracle Identity Manager Performance
Tuning and Managing Application Cache
Tuning Message Driven Beans
Tuning the User Interface
Tuning the JDBC connection pool amp Database
Reconciliation Tuning
1
2
3
4
5
6
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 37
OIM Reconciliation metrics through DMS
bull Schedule Jobndash Time it took to capture the events from the target and time it took to create the
event
bull Action Task ndash Provides information about how much time it took to process the events
bull Event Handlers ndash Reports how much time it took to execute any post process event handlers
bull Audit Handler ndash Reports the time taken to record and process the audit
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 38
OIM metrics through DMS
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 39
OIM metrics through DMS
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 40
Tuning and Managing Application Cachebull Oracle Identity Manager allows caching of metadata which reduces DB
activities network load and improved performancendash You can use Oracle Enterprise Manager (EM) to turn on cachingndash Export the oim-configxml to make changes and then import it back to turn on
caching In Oracle Enterprise Manager console under Identity Management
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 41
Tuning the JDBC Connection Pool amp Database
bull Oracle Identity Manager uses ApplicationDB oimOperationsDB and oimJMSStoreDS datasourcesndash Maximum connections is set at 50ndash Increase this based on your load requirement
bull Monitor key database performance indicators in your production environment and adjust the configurationndash You can use EM to monitor DB amp generate AWRADDM reports
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 42
Tuning the JDBC Connection Pool amp Database Contdhellip
bull Create separate tablespaces for tables that generally grow bigger and are accessed frequently ndash Oracle Identity Manager stores provisioning and approval task details in OSI OSH amp
SCH tablesndash Recommended to group these in one or more dedicated tablespacesndash Storing audit tables in separate tablespace
bull Using Multiple Redo-Log Filesndash Database transactions and commits during a reconciliation run can be high
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 43
Tuning Message Driven Beans
bull Oracle Identity Manager uses Message Driven Beans (MDBs) for processing all offline activitiesndash Reconciliation auditing requests attestation and for its internal kernel operations
bull Default is 80 MDB instances concurrently serve requests ndash Increase this based on your loadndash You can increase this by modifying the OIMMDBWorkManager configuration
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 44
Tuning the User Interface
• Oracle Identity Manager by default provides 20 front-end thread configurations
– These threads are used for serving front-end requests
• Disabling the Reloading of Adapters and Plug-in Configuration
– Reloading of adapters and plug-in configuration is enabled for ease of development
– Should be disabled in the production environment
• Application Module tuning is critical for UI performance
• -Djbo.ampool.maxavailablesize = number of concurrent users + 20
Reconciliation Tuning
• Configure paged reconciliation to optimize performance
• Database indexes for reconciliation matching rules
• Reconciliation uses matching algorithm to find if the user/account/role/organization for which the change is requested
• Matching algorithm compares the data in set of columns in OIM with the data in target staging table columns
Reconciliation Tuning Contd…
• Columns that contain the matching rules are defined in the reconciliation profile
• Indexes are created on the matching rule columns to improve the performance of the matching operation
Conclusion
• Use tools and information provided in this presentation to achieve maximum performance from your IDM deployment
• 250M Access Management benchmark WP link
• Tuning considerations mentioned in this presentation are available
– Oracle Identity and Access Management Performance and Tuning Guide
Q&A
Performance Analysis Methodology
1. Isolate
2. Identify
3. Tune
Typically performance analysis would be executed on a
• Test environment with a simulated production load
• Production environment when a performance or a stability issue is reported
Performance Analysis Tools
• Access logs in OHS/OAM/OMS/OAAM/OID and Client Browser
• Java Flight Recorder
• JDK/Unix
• Enterprise Manager
• DMS
• DB AWR/ADDM
Performance Analysis Tools - Access Logs
• Default setting does not print response times. Add configuration to OHS/WLS/OID to print response times
• Response times with the timestamp in access logs are very useful in isolating and identifying a single slow request
• Time stamps help with correlating the slowness to any events in the server logs with any incident reports
• Use HTTP trace from the client browser to correlate
• WLS Extended log format
  • date time time-taken cs-method cs-uri sc-status
• OHS
  • LogFormat "%h %l %u %t \"%r\" %>s %b %D %{X-ORACLE-DMS-ECID}o" common
• OID debug flag
  • orcldebugflag=1
    dn: cn=oid1,cn=osdldapd,cn=subconfigsubentry
Tools: Access Logs - Checking Response Times
• Access log captures key metrics for each request
• The OHS log file can be found at <OHS_Instance_Home>/diagnostics/log/OHS/<instance_name>/access_log
• WLS log files could be found at <DOMAIN_HOME>/servers/<server_name>/logs/access.log
• The OID log file can be found at <OID_Instance_Home>/diagnostics/log/OID/<instance_name>/oidldapd01s<pid>.log
Checking Response Times
Oracle HTTP Server (OHS) Access Log
101287041 - - [15Aug2014145524 -0700] GET preferencepaymentbill-payees HTTP11 200 591 148421 009dQQRTDVEFw0HpIsO5yf0006Bc001LS9
101287041 - - [15Aug2014145524 -0700] GET accountsbanking HTTP11 200 2090 1001892 009dQQRTDVEFw0HpIsO5yf0006Bc001G83
Callouts: Client IP, Request Time, Method, URL, Response Status, Response Size (bytes), Response Time (µs)
IDM WLS Access Log
2014-03-25 185318 4604 POST oic_restrestmobilejwtoamauthenticationauthenticate 200
2014-03-25 185318 0007 POST oic_restrestmobilejwtoamauthenticationvalidate 200
2014-03-25 185318 71 POST oic_restrestmobilejwtoamauthenticationauthenticate 200
2014-03-25 185318 0007 POST oic_restrestmobilejwtoamauthenticationvalidate 200
2014-03-25 185318 0536 POST oic_restrestmobilejwtoamauthenticationaccess 200
2014-03-25 185318 1126 POST oic_restrestmobilejwtoamauthenticationaccess 200
Callouts: Request Time, Request Time (Seconds), Method, URL, Response Status
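The response-time columns described in the access-log slides above can be checked mechanically. The following Python is an added example, not part of the original presentation: it assumes the OHS LogFormat and the WLS extended-log fields listed above, and every sample log line, address, URI and ECID value in it is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# OHS format from the slide:
#   LogFormat "%h %l %u %t \"%r\" %>s %b %D %{X-ORACLE-DMS-ECID}o" common
OHS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ (?P<usec>\d+) (?P<ecid>\S+)$'
)

# Constructed sample data (not taken from the presentation).
OHS_SAMPLE = [
    '192.0.2.10 - - [15/Aug/2014:14:55:24 -0700] "GET /preference/bill-payees HTTP/1.1" 200 591 148421 ECID-EXAMPLE-0001',
    '192.0.2.10 - - [15/Aug/2014:14:55:24 -0700] "GET /accounts/banking?view=all HTTP/1.1" 200 2090 1001892 ECID-EXAMPLE-0002',
    # Default format without %D and the ECID header: there is no timing to extract.
    '192.0.2.10 - - [15/Aug/2014:14:55:25 -0700] "GET /accounts/banking HTTP/1.1" 200 2090',
]
WLS_SAMPLE = """\
#Version: 1.0
#Fields: date time time-taken cs-method cs-uri sc-status
2014-03-25 18:53:18 4.604 POST /example/authenticate 200
2014-03-25 18:53:18 0.007 POST /example/validate 200
2014-03-25 18:53:19 0.710 POST /example/authenticate 200
2014-03-25 18:53:19 0.536 POST /example/access 200
""".splitlines()


def parse_ohs(line):
    """Return a record for one OHS line, or None if %D/ECID are not logged."""
    m = OHS_RE.match(line.strip())
    if m is None:
        return None
    return {
        "source": "OHS",
        "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "uri": m["uri"].split("?", 1)[0],        # group by path, drop the query string
        "status": int(m["status"]),
        "seconds": int(m["usec"]) / 1_000_000,   # %D is in microseconds
        "ecid": m["ecid"],
    }


def parse_wls(lines):
    """Parse a WLS extended-format log, mapping columns via its '#Fields:' directive."""
    fields, records = None, []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or truncated entry
        row = dict(zip(fields, values))
        try:
            records.append({
                "source": "WLS",
                "time": datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S"),
                "method": row["cs-method"],
                "uri": row["cs-uri"].split("?", 1)[0],
                "status": int(row["sc-status"]),
                "seconds": float(row["time-taken"]),  # time-taken is in seconds
                "ecid": None,
            })
        except (KeyError, ValueError):
            continue  # time-taken not configured, or a non-numeric value
    return records


def slow_requests(records, threshold_s):
    """Requests at or above the threshold, slowest first."""
    hits = [r for r in records if r["seconds"] >= threshold_s]
    return sorted(hits, key=lambda r: r["seconds"], reverse=True)


def summarize(records):
    """Per (component, URI): request count, median and worst response time in seconds."""
    by_key = defaultdict(list)
    for r in records:
        by_key[(r["source"], r["uri"])].append(r["seconds"])
    return {k: {"count": len(v), "median": median(v), "max": max(v)}
            for k, v in by_key.items()}


def load_samples():
    ohs = [r for r in map(parse_ohs, OHS_SAMPLE) if r is not None]
    return ohs + parse_wls(WLS_SAMPLE)


if __name__ == "__main__":
    for r in slow_requests(load_samples(), threshold_s=1.0):
        print(f'{r["source"]} {r["time"]} {r["method"]} {r["uri"]} '
              f'{r["seconds"]:.3f}s ecid={r["ecid"]}')
```

The timestamp and ECID printed for each slow request are the values to search for in the server logs of the next component in the chain.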
Checking Response Times (Cont)
OID Access Log
[2011-09-19T131530-0700] [OID] [TRACE16] [] [OIDLDAPD] [host idmhostpsrcom] [pid 30840] [tid 9] [ecid 004fL41Bzhl66UA5Jbw0yf0007Xs001Jf80] ServerWorker (REG)[[BEGIN ConnID56 mesgID23726 OpID3461 OpNamesearch ConnIP10228141163 ConnDNcn=idrousercn=usersdc=usdc=oracledc=com
2011-09-19T131530 INFO gslfseADoSearch BASE = cn=Usersdc=usdc=oracledc=com FILTER = (uid=fast_login_user) REQDATTR = 1 SCOPE = 2 REQDATTRS = uid TIMELIMIT = 3600 SIZELIMIT = 1000 DEREF = 0
2011-09-19T131530 INFOgsleswrASndResult OPtime=499 micro sec RESULT=0 tag=101 nentries=1 END
Callouts: Client IP, OID Operation, Response Time (µs), Entries Returned
Performance Analysis Tools – Java Flight Recorder (JFR)
• JFR is an excellent on-demand tool for diagnosing performance issues, suitable for use both in development and production environments
• The recorded data can be analyzed offline using Java Mission Control
• Key Features/Metrics
– Threads: hot threads, thread contention, thread dumps
– Memory: heap and garbage collection statistics
– IO events like Socket R/W, File R/W
– Latencies for key events like Java waits/Java blocks etc.
• JRockit and JDK 7u40 and above only (bundled with the HotSpot JVM)
• Optional WebLogic Pack provides additional metrics on
– Servlets, EJBs, Client JDBC calls etc.
Analyzing metrics: JDK/Unix tools
• JDK
– JMAP
– JConsole
– Thread dumps
• Eclipse Memory Analyzer
• Unix
  • Netstat
  • SAR/Top
  • vmstat
Dynamic Monitoring Service (DMS)
• DMS enables IDM applications to collect critical performance metrics
• DMS metrics can be collected for
– Access Management events, OIM event handlers, adapters or scheduled jobs
• DMS exposes a servlet to view the DMS-enabled metrics
– http://servername:port/dms
• DMS metrics are cumulative from the server start
– Reset the metrics before the test or before steady state
Oracle FMW Enterprise Manager
• Access Management Performance
– Authentications/sec for each OAM Server instance in the cluster
– Success Rate: percentage of successful authentications
– Authorizations/sec for each OAM Server instance in the cluster
– Success Rate: percentage of successful authorizations
• OIM Performance
– Adapter Executions
– Event Handler Executions
– JMS Metrics
DB Tools
• Use DB tools to collect comprehensive diagnostic data to help analyze performance issues
– AWR (Automatic Workload Repository)
– ADDM (Automatic Database Diagnostic Monitor)
– Active Session History (ASH)
• DB tools help to identify the performance issue at the database/session level and resource-intensive SQL queries/PL/SQL packages related to a particular use case
• AWR snapshot interval: 1 hour or less
– Frequent snapshots provide higher granularity and help to narrow down the root cause
• Generate ASH reports when you suspect resource-intensive SQL queries/PL/SQL packages are the bottlenecks
• Use database EM console/scripts to generate the AWR and ADDM reports
• OAAM & OIM are DB-intensive applications
Program Agenda
1. Introduction
2. Performance Tools and Methodology
3. Oracle Access Management Performance
4. Oracle Identity Manager Performance
5. Conclusion
6. Q & A
Oracle Access Management Overview
• The OAM suite is a set of Java Platform, Enterprise Edition-based enterprise-level security applications that includes a full range of services that provide Web-perimeter security functions and Web single sign-on, identity context, authentication and authorization, fraud detection, secure mobile access and more
• Oracle Access Management 11gR2 has been architected to provide internet-level performance, scalability and high availability
• The focus of this presentation will be on three critical products, OMS/OAM/OAAM, with references to OID/Oracle DB
Access Management Sample Banking Test Case
• To help with this presentation we will use a sample integrated test case that would include all the 3 Access components along with OID and DB
– All the 3 Access components are integrated
– Requests could come from a mobile app or a web browser
Access Management Sample Banking Test Case Overview
[Diagram components: OHS, Webgate, Banking Applications, Mobile and Social, Access Manager (Core), Adaptive Access Manager, OAM DB, OAAM DB]
Access Management Performance Analysis
• To start with the performance analysis of access management operations, we need to define the issue/problem
• Typically a slow transaction is identified during the testing or in production
– Ex:
  • Login is slow
  • Page loading is slow but the application does not appear to be the issue
  • Huge spikes in response times
  • Server is not scaling beyond certain concurrent load
Performance Analysis: Isolate
Isolating the bottleneck
• Is it an IDM issue?
• If it's a browser-based authentication flow, check the browser HTTP trace (ex: HttpFox for Firefox)
0221 673 GET 302 texthtml httpstestbank-fsusoraclecomprofilePage
0568 1587 GET 302 texthtml httpstestbank-ssousoraclecomoamserverobrareqcgi
0174 4139 GET 200 texthtml httpstestbank-ssousoraclecomgloballoginPage
0556 5422 POST 302 Redirect httpstestbank-ssousoraclecomoamserverauth_cred_submit
0057 3061 GET 302 Redirect httpstestbank-fsusoraclecomobrarcgiencreply=Y8e1m9daYF
0076 2283 GET 302 Redirect httpstestbank-fsusoraclecomhomePageadfAuthentication_a
0160 2412 GET 200 texthtml httpstestbank-fsusoraclecomprofilePage
Performance Analysis: Isolate (Continued)
Isolating the bottleneck
• Load testing identifies slow transactions
• Analyze the access logs on each component to isolate the slow request(s) to one of the components
• OMS and Webgate use the OAP protocol to communicate with OAM
– These are not registered in HTTP access logs; separate configuration is available in Webgate
– The netstat monitoring tool would give information about connections
– These connections should be stable under steady state; unstable connections will lead to spikes in response times
• By the end of this step we should have isolated the problem to one (or a few) of the access components: OAM/OMS/OAAM/OHS/Webgate/OID/DB
Performance Analysis: Identify
• Once the problem is isolated to one of the components, we can leverage the tools to identify the problem
• We will discuss two of the tools
– DMS
– JFR
Performance Analysis: Identify (DMS metrics – OAMSOAM_OAMController)
• AuthZ is 0
• AuthN RT is high on this server
Performance Analysis: Identify (JFR)
Identifying the bottleneck: JFR
1. WebLogic -> Servlet
2. Clearly the authentication call is the slowest -> Select and add selection to operative set
3. Events -> Logs -> "Filter slow requests"
Performance Analysis: Identify (JFR)
• Select the events you are interested in
• Socket Read (blue) from OMS to OAM appears to be the bottleneck for the servlet calls (pink)
Tune
• OAM
– NAP Connection
  • OAM EJB pool
– Coherence
  • oamcoherencettl
  • MaximumQueueSize
  • tangosol.coherence.distributed.threads
  • tangosol.coherence.distributed.backupcount
  • max-beans-in-free-pool = 450
  • DistributedCacheMaxSize
– OAM DB session growth should be sustainable
  • Monitor the expired sessions in OAM DB
• OMS
– Modify OMS-OAM connection to point to local server
– Connection pooling to OAM
• OAAM
– OAAM DB partition tunings on tables like VCRYPT_ALERT, VT_SESSION_ACTION_MAP, VCRYPT_TRACKER_USERNODE_LOGS
– OAAM DB connection pool
– Purge historic data
• Separate DB for OAM and OAAM
Tune
• OHS tuning is critical
– KeepAlive On
– MaxKeepAliveRequests
– KeepAliveTimeout
• Webgate tunings
– Max Connections
– Cache Pragma/Control header
– aaaTimeout
• Goal
– Load test: maximum CPU utilization
– Steady RT
Access Management Conclusion
• Oracle Access Management 11gR2 represents a major milestone in access management technology that is unique in the industry. Oracle's Access Management platform provides innovative new services that complement traditional access management capabilities
• This new platform represents key development goals for complete, innovative, simplified and scalable access management that is open to third-party customization and integration
• Whether your need is to provide secure access to browser-based applications, secure mobile applications, cloud single sign-on, secure web services or federated single sign-on to and from your business partners, you can be sure that it's a service provided by Oracle Access Management 11gR2 – Complete and Scalable Access Management
• 250M Access Management benchmark WhitePaper link
Agenda
1. Introduction
2. Access Manager Performance
3. Oracle Identity Manager Performance
4. Conclusion
5. Q & A
Oracle Identity Governance
• Oracle Identity Governance Suite enables organizations to simplify access grants and review access through best-in-class provisioning, role, policy and risk management into a common, consistent and unified governance suite
• Oracle Identity Manager is part of the OIG suite
Oracle Identity Manager
1. Oracle Identity Manager Performance
2. Tuning and Managing Application Cache
3. Tuning Message Driven Beans
4. Tuning the User Interface
5. Tuning the JDBC connection pool & Database
6. Reconciliation Tuning
OIM Reconciliation metrics through DMS
• Schedule Job
– Time it took to capture the events from the target and time it took to create the event
• Action Task
– Provides information about how much time it took to process the events
• Event Handlers
– Reports how much time it took to execute any post-process event handlers
• Audit Handler
– Reports the time taken to record and process the audit
OIM metrics through DMS
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 39
OIM metrics through DMS
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 40
Tuning and Managing Application Cachebull Oracle Identity Manager allows caching of metadata which reduces DB
activities network load and improved performancendash You can use Oracle Enterprise Manager (EM) to turn on cachingndash Export the oim-configxml to make changes and then import it back to turn on
caching In Oracle Enterprise Manager console under Identity Management
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 41
Tuning the JDBC Connection Pool amp Database
bull Oracle Identity Manager uses ApplicationDB oimOperationsDB and oimJMSStoreDS datasourcesndash Maximum connections is set at 50ndash Increase this based on your load requirement
bull Monitor key database performance indicators in your production environment and adjust the configurationndash You can use EM to monitor DB amp generate AWRADDM reports
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 42
Tuning the JDBC Connection Pool amp Database Contdhellip
bull Create separate tablespaces for tables that generally grow bigger and are accessed frequently ndash Oracle Identity Manager stores provisioning and approval task details in OSI OSH amp
SCH tablesndash Recommended to group these in one or more dedicated tablespacesndash Storing audit tables in separate tablespace
bull Using Multiple Redo-Log Filesndash Database transactions and commits during a reconciliation run can be high
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 43
Tuning Message Driven Beans
bull Oracle Identity Manager uses Message Driven Beans (MDBs) for processing all offline activitiesndash Reconciliation auditing requests attestation and for its internal kernel operations
bull Default is 80 MDB instances concurrently serve requests ndash Increase this based on your loadndash You can increase this by modifying the OIMMDBWorkManager configuration
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 44
Tuning the User Interface
bull Oracle Identity Manager by default provides 20 front-end thread configurations ndash These threads are used for serving front-end requests
bull Disabling the Reloading of Adapters and Plug-in Configurationndash Reloading of adapters and plug-in configuration are enabled for ease of
development ndash Should be disabled in the production environment
bull Application Module tuning is a critical for the UI performancebull Djboampoolmaxavailablesize = of concurrent users + 20
ndash
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 45
Reconciliation Tuning
bull Configure paged reconciliation to optimize performancebull Database Indexes for reconciliation matching Rulesbull Reconciliation uses matching algorithm to find if the
useraccountroleorganization for which the change is requested bull Matching algorithm compares the data in set of columns in OIM with the
data in target staging table columns
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 46
Reconciliation Tuning Contdhellip
bull Columns that contain the matching rules are defined in the reconciliation profile
bull Indexes created on the matching rule columns to improve the performance of the matching operation
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 47
Conclusion
bull Use tools and information provided in this presentation to achieve maximum performance from your IDM deployment
bull 250M Access Management benchmark WP linkbull Tuning considerations mentioned in this presentation are available
ndash Oracle Identity and Access Management Performance and Tuning Guide
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 48
QampA
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 49
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 8
Performance Analysis Tools
bull Access logs in OHSOAMOMSOAAMOID and Client Browserbull Java Flight Recorderbull JDK Unix
bull Enterprise Managerbull DMSbull DB AWRADDM
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 9
Performance Analysis Tools - Access Logs
bull Default setting does not print response times Add configuration to OHSWLSOID to print response times
bull Response times with the timestamp in access logs are very useful in isolating and identifying single slow request
bull Time stamps help with correlating the slowness to any events in the server logs with any incident reports
bull Use http trace from the client browser to correlate
bull WLS Extended log formatbull date time time-taken cs-method cs-uri sc-status
bull OHS bull LogFormat h l u t r gts b D X-ORACLE-
DMS-ECIDo common
bull OID debug flagbull orcldebugflag=1
dncn=oid1cn=osdldapdcn=subconfigsubentry
Copyright copy 2014 Oracle andor its affiliates All rights reserved |
Tools Access Logs - Checking Response Times
bull Access log captures key metrics for each requestbull The OHS log file can be found at
ltOHS_Instance_HomegtdiagnosticslogOHSltinstance_namegtaccess_log
bull WLS log files could be found at ltDOMAIN_HOMEgtserversltserver_namegtlogsaccesslog
bull The OID log file can be found at ltOID_Instance_HomegtdiagnosticslogOIDltinstance_namegtoidldapd01sltpidgtlog
Copyright copy 2014 Oracle andor its affiliates All rights reserved |
Checking Response TimesOracle HTTP Server (OHS) Access Log
101287041 - - [15Aug2014145524 -0700] GET preferencepaymentbill-payees HTTP11 200 591 148421 009dQQRTDVEFw0HpIsO5yf0006Bc001LS9101287041 - - [15Aug2014145524 -0700] GET accountsbanking HTTP11 200 2090 1001892 009dQQRTDVEFw0HpIsO5yf0006Bc001G83
Client IP URL
Response Status
Response Size (bytes)
Response Time (micros)
Request Time Method
2014-03-25 185318 4604 POST oic_restrestmobilejwtoamauthenticationauthenticate 2002014-03-25 185318 0007 POST oic_restrestmobilejwtoamauthenticationvalidate 2002014-03-25 185318 71 POST oic_restrestmobilejwtoamauthenticationauthenticate 2002014-03-25 185318 0007 POST oic_restrestmobilejwtoamauthenticationvalidate 2002014-03-25 185318 0536 POST oic_restrestmobilejwtoamauthenticationaccess 2002014-03-25 185318 1126 POST oic_restrestmobilejwtoamauthenticationaccess 200
URL Method Request Time
Request Time (Seconds)
Response Status
IDM WLS Access Log
Copyright copy 2014 Oracle andor its affiliates All rights reserved |
Checking Response Times (Cont)OID Access Log
[2011-09-19T131530-0700] [OID] [TRACE16] [] [OIDLDAPD] [host idmhostpsrcom] [pid 30840] [tid 9] [ecid 004fL41Bzhl66UA5Jbw0yf0007Xs001Jf80] ServerWorker (REG)[[BEGIN ConnID56 mesgID23726 OpID3461 OpNamesearch ConnIP10228141163 ConnDNcn=idrousercn=usersdc=usdc=oracledc=com2011-09-19T131530 INFO gslfseADoSearch BASE = cn=Usersdc=usdc=oracledc=com FILTER = (uid=fast_login_user) REQDATTR = 1 SCOPE = 2 REQDATTRS = uid TIMELIMIT = 3600 SIZELIMIT = 1000 DEREF = 02011-09-19T131530 INFOgsleswrASndResult OPtime=499 micro sec RESULT=0 tag=101 nentries=1 END
Client IP
Response Time (micros)
OID Operation
Entries Returned
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 13
Performance Analysis Tools ndash JavaFlightRecorder (JFR)
bull JFR is a excellent on-demand tool for diagnosing performance issues suitable for use both in development and production environments
bull The recorded data can be analyzed off line using Java Mission Control
bull Key FeaturesMetricsndash Threads Hot threads thread contention thread dumpsndash Memory Heap and Garbage collection statisticsndash IO events line Socket RW File RWndash Latencies for key events like java waitsjava blocks etc
bull Jrockit and JDK 7 u40 and above only (Bundles with hotspot JVM)
bull Optional Weblogic Pack provides additional metrics on ndash Servlets EJBrsquosClient Jdbc calls etc
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 14
Analyzing metrics JDKUnix tools
bull JDK ndash JMAPndash Jconsolendash Threaddumps
bull Eclipse Memory Analyzer
bull Unixbull Netstatbull SARTopbull vmstat
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 15
Dynamic Monitoring Service (DMS)
bull DMS enables IDM applications to collect critical performance metricsbull DMS metrics can be collected for
ndash AccessManagement Events OIM Event handlers adapters or scheduled jobs
bull DMS exposes a servlet to view the DMS enabled metrics ndash httpservernameportdms
bull DMS metrics are cumulative from the server start ndash Reset the metrics before the test or before steady-state
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 16
Oracle FMW Enterprise Manager
bull Access Management Performance ndash Authenticationssec for each OAM Server instance in the clusterndash Success Rate percentage of successful authentications ndash Authorizationssec for each OAM Server instance in the clusterndash Success Rate percentage of successful authorizations
bull OIM Performancendash Adapter Executionsndash Event Handler Executionsndash JMS Metrics
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 17
Oracle FMW Enterprise Manager
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 18
DB Tools
bull Use DB tools to collect comprehensive diagnostic data to help analyze the performance issuesndash AWR (Automatic Workload Repository)ndash ADDM (Automatic Database Diagnostic Monitor)ndash Active Session History (ASH)
bull DB tools helps to identify the performance issue at the databasesession level and resource-intensive SQL queriesPLSQL packages related to particular use case
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 19
DB Tools
bull AWR snapshot interval 1 hour or less ndash Frequent snapshots provide higher granularity and help to narrow down the root
cause
bull Generate ASH reports when you suspect resource intensive SQL queriesPL-SQL packages are the bottlenecks
bull Use database EM consolescripts to generate the AWR and ADDM reportsbull OAAM amp OIM are DB intensive applications
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 20
Program Agenda
Introduction
Performance Tools and Methodology
Oracle Access Management Performance
Oracle Identity Manager Performance
Conclusion
Q amp A
1
4
5
6
2
3
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 21
Oracle Access Management Overview
bull OAM suite is a Java Platform Enterprise Edition based enterprise-level security applications that includes a full range of services that provide Web-perimeter security functions and Web single sign-on identity context authentication and authorization fraud detection secure mobile access and more
bull Oracle Access Management 11gR2 has been architected to provide internet-level performance scalability and high availability
bull The focus of this presentation would be on three critical products OMSOAMOAAM with references to OIDOracle DB
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 22
Access Management Sample Banking Test Casebull To help with this presentation we will use a sample integrated test case that
would include all the 3 Access components along with OID and DBndash All the 3 Access components are integratedndash Requests could come from a mobile app or a web browser
Copyright copy 2014 Oracle andor its affiliates All rights reserved |
Access Management Sample Banking Test Case Overview
`OHS
Webgate
Banking Applications
Mobile and
Social
Access Manager (Core)
Adaptive Access Manager OAM DB
OAAM DB
23
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 24
Access Management Performance Analysis
bull To start with the performance analysis of access management operations we need to define the issueproblem
bull Typically a slow transaction is identified during the testing or in productionndash Ex
bull Login is slowbull Page loading is slow but the application does not appear to be the issuebull Huge spikes in response timesbull Server is not scaling beyond certain concurrent load
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 25
Performance Analysis Isolate
bull Is it a IDM issuebull If itrsquos a browser based authentication flow check the browser http trace
(ex httpfox for firefox)
Isolating the bottleneck
0221 673 GET 302 texthtml httpstestbank-fsusoraclecomprofilePage0568 1587 GET 302 texthtml httpstestbank-ssousoraclecomoamserverobrareqcgi 0174 4139 GET 200 texthtml httpstestbank-ssousoraclecomgloballoginPage0556 5422 POST 302 Redirect httpstestbank-ssousoraclecomoamserverauth_cred_submit0057 3061 GET 302 Redirect httpstestbank-fsusoraclecomobrarcgiencreply=Y8e1m9daYF0076 2283 GET 302 Redirect httpstestbank-fsusoraclecomhomePageadfAuthentication_a0160 2412 GET 200 texthtml httpstestbank-fsusoraclecomprofilePage
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 26
Performance Analysis Isolate (Continue)
bull Load testing identifies slow transactionsbull Analyze the access logs on each component to isolate the slow request(s) to
one of the componentbull OMS and webgate uses oap protocol to communicate with OAM
ndash These are not registered in http access logs separate configuration is available in webgate ndash Netstat monitoring tool would give information about connections ndash These connections should be stable under steady state unstable connections will lead to
spikes in response times
bull By the end of this step we should have isolate the problem to one (or few) of the access components OAMOMSOAAMOHSwebgateOIDDB
Isolating the bottleneck
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 27
Performance Analysis Identify
bull Once the problem is isolated to one of the component we can leverage the tools to identify the problem
bull We will discuss two of the toolsndash DMSndash JFR
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 28
Performance Analysis Identify (DMS metrics ndash OAMSOAM_OAMController)
AuthZ is 0
AuthN RTis high on this server
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 29
Performance analysis Identify (JFR)
Identifying the bottleneck JFR1Weblogic-gtServlet
2 Clearly authentication call is the slowest -gtSelect and add selection to operative set3 Events-gt logs -gt ldquoFilter slow requests ldquo
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 30
Performance analysis Identify (JFR)
bull Select the events you are interested in
bull Socket Read (Blue)from OMS to OAM appears to be the bottleneck for the servlet calls (pink)
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 31
Tunebull OAM
ndash NAP Connectionbull OAM EJB pool
ndash Coherencebull oamcoherencettlbull MaximumQueueSizebull tangosolcoherencedistributedthreadsbull tangosolcoherencedistributedbackupcountbull max-beans-in-free-pool =450bull DistributedCacheMaxSize
ndash OAM Db session growth should be sustainablebull Monitor the expired session in OAM DB
bull OMSndash Modify OMS-OAM connection to point to local server
ndash Connection pooling to OAM
bull OAAMndash OAAM DB Partition tunings on tables like VCRYPT_ALERT
VT_SESSION_ACTION_MAP VCRYPT_TRACKER_USERNODE_LOGS
ndash OAAM Db connection pool
ndash Purge historic data
bull Separate DB for OAM and OAAM
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 32
Tune
bull OHS Tuning is criticalndash KeepAlive On ndash MaxKeepAliveRequestsndash KeepAliveTimeout
bull Webgate tuningsndash Max Connections
ndash Cache PragmaControl headerndash aaaTimeout
bull Goalndash Loadtest Maximum cpu utilizationndash Steady RT
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 33
Access Management Conclusion
• Oracle Access Management 11gR2 represents a major milestone in access management technology that is unique in the industry. Oracle's Access Management platform provides innovative new services that complement traditional access management capabilities
• This new platform represents key development goals for complete, innovative, simplified and scalable access management that is open to third-party customization and integration
• Whether your need is to provide secure access to browser-based applications, secure mobile applications, cloud single sign-on, secure web services, or federated single sign-on to and from your business partners, you can be sure that it's a service provided by Oracle Access Management 11gR2 – Complete and Scalable Access Management
• 250M Access Management benchmark WhitePaper link
Agenda
Introduction
Access Manager Performance
Oracle Identity Manager Performance
Conclusion
Q & A
Oracle Identity Governance
• Oracle Identity Governance Suite enables organizations to simplify access grants and review access through best-in-class provisioning, role, policy and risk management into a common, consistent and unified governance suite
• Oracle Identity Manager is part of OIG suite
Oracle Identity Manager
Oracle Identity Manager Performance
Tuning and Managing Application Cache
Tuning Message Driven Beans
Tuning the User Interface
Tuning the JDBC connection pool & Database
Reconciliation Tuning
OIM Reconciliation metrics through DMS
• Schedule Job – Time it took to capture the events from the target and time it took to create the event
• Action Task – Provides information about how much time it took to process the events
• Event Handlers – Reports how much time it took to execute any post process event handlers
• Audit Handler – Reports the time taken to record and process the audit
OIM metrics through DMS
Tuning and Managing Application Cache
• Oracle Identity Manager allows caching of metadata, which reduces DB activities and network load and improves performance
  – You can use Oracle Enterprise Manager (EM) to turn on caching
  – Export the oim-config.xml to make changes and then import it back to turn on caching. In Oracle Enterprise Manager console under Identity Management
Tuning the JDBC Connection Pool & Database
• Oracle Identity Manager uses ApplicationDB, oimOperationsDB and oimJMSStoreDS datasources
  – Maximum connections is set at 50
  – Increase this based on your load requirement
• Monitor key database performance indicators in your production environment and adjust the configuration
  – You can use EM to monitor DB & generate AWR/ADDM reports
Tuning the JDBC Connection Pool & Database (Contd…)
• Create separate tablespaces for tables that generally grow bigger and are accessed frequently
  – Oracle Identity Manager stores provisioning and approval task details in OSI, OSH & SCH tables
  – Recommended to group these in one or more dedicated tablespaces
  – Storing audit tables in separate tablespace
• Using Multiple Redo-Log Files
  – Database transactions and commits during a reconciliation run can be high
Tuning Message Driven Beans
• Oracle Identity Manager uses Message Driven Beans (MDBs) for processing all offline activities
  – Reconciliation, auditing, requests, attestation and for its internal kernel operations
• By default, 80 MDB instances concurrently serve requests
  – Increase this based on your load
  – You can increase this by modifying the OIMMDBWorkManager configuration
Tuning the User Interface
• Oracle Identity Manager by default provides 20 front-end thread configurations
  – These threads are used for serving front-end requests
• Disabling the Reloading of Adapters and Plug-in Configuration
  – Reloading of adapters and plug-in configuration are enabled for ease of development
  – Should be disabled in the production environment
• Application Module tuning is critical for the UI performance
  • -Djbo.ampool.maxavailablesize = number of concurrent users + 20
Reconciliation Tuning
• Configure paged reconciliation to optimize performance
• Database indexes for reconciliation matching rules
• Reconciliation uses matching algorithm to find if the user/account/role/organization for which the change is requested
• Matching algorithm compares the data in set of columns in OIM with the data in target staging table columns
Reconciliation Tuning (Contd…)
• Columns that contain the matching rules are defined in the reconciliation profile
• Indexes created on the matching rule columns to improve the performance of the matching operation
Conclusion
• Use tools and information provided in this presentation to achieve maximum performance from your IDM deployment
• 250M Access Management benchmark WP link
• Tuning considerations mentioned in this presentation are available
  – Oracle Identity and Access Management Performance and Tuning Guide
Q&A
Performance Analysis Tools - Access Logs
• Default setting does not print response times. Add configuration to OHS/WLS/OID to print response times
• Response times with the timestamp in access logs are very useful in isolating and identifying a single slow request
• Time stamps help with correlating the slowness to any events in the server logs with any incident reports
• Use HTTP trace from the client browser to correlate
• WLS: Extended log format
  • date time time-taken cs-method cs-uri sc-status
• OHS
  • LogFormat "%h %l %u %t \"%r\" %>s %b %D %{X-ORACLE-DMS-ECID}o" common
• OID debug flag
  • orcldebugflag=1
    dn: cn=oid1,cn=osdldapd,cn=subconfigsubentry
Tools: Access Logs - Checking Response Times
• Access log captures key metrics for each request
• The OHS log file can be found at <OHS_Instance_Home>/diagnostics/log/OHS/<instance_name>/access_log
• WLS log files could be found at <DOMAIN_HOME>/servers/<server_name>/logs/access.log
• The OID log file can be found at <OID_Instance_Home>/diagnostics/log/OID/<instance_name>/oidldapd01s<pid>.log
Checking Response Times
Oracle HTTP Server (OHS) Access Log
101287041 - - [15Aug2014145524 -0700] GET preferencepaymentbill-payees HTTP11 200 591 148421 009dQQRTDVEFw0HpIsO5yf0006Bc001LS9
101287041 - - [15Aug2014145524 -0700] GET accountsbanking HTTP11 200 2090 1001892 009dQQRTDVEFw0HpIsO5yf0006Bc001G83
Fields: Client IP, Request Time, Method, URL, Response Status, Response Size (bytes), Response Time (µs)
IDM WLS Access Log
2014-03-25 185318 4604 POST oic_restrestmobilejwtoamauthenticationauthenticate 200
2014-03-25 185318 0007 POST oic_restrestmobilejwtoamauthenticationvalidate 200
2014-03-25 185318 71 POST oic_restrestmobilejwtoamauthenticationauthenticate 200
2014-03-25 185318 0007 POST oic_restrestmobilejwtoamauthenticationvalidate 200
2014-03-25 185318 0536 POST oic_restrestmobilejwtoamauthenticationaccess 200
2014-03-25 185318 1126 POST oic_restrestmobilejwtoamauthenticationaccess 200
Fields: Request Time, Request Time (Seconds), Method, URL, Response Status
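Added example (not part of the original presentation): a small Python parser that flags slow requests in OHS and WLS access logs and keeps the OHS ECID so a slow request can be correlated with server logs. It assumes the OHS format is `%h %l %u %t "%r" %>s %b %D %{X-ORACLE-DMS-ECID}o` and the WLS extended fields are `date time time-taken cs-method cs-uri sc-status`; the sample lines, function names and the 1000 ms threshold are constructed for illustration.

```python
import math
import re
from collections import defaultdict

# OHS: LogFormat "%h %l %u %t \"%r\" %>s %b %D %{X-ORACLE-DMS-ECID}o" common
# %D is the time taken to serve the request, in microseconds.
OHS_RE = re.compile(
    r'(?P<client>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ (?P<micros>\d+) (?P<ecid>\S+)$'
)
# WLS extended log: date time time-taken cs-method cs-uri sc-status
# time-taken is in seconds.
WLS_RE = re.compile(
    r'(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+'
    r'(?P<secs>\d+(?:\.\d+)?)\s+(?P<method>\S+)\s+(?P<uri>\S+)\s+(?P<status>\d{3})$'
)

# Constructed sample input: documentation IPs, made-up ECIDs and URIs.
SAMPLE = '''\
192.0.2.10 - - [15/Aug/2014:14:55:24 -0700] "GET /preference/payment/bill-payees HTTP/1.1" 200 591 148421 ECID-EXAMPLE-0001
192.0.2.10 - - [15/Aug/2014:14:55:25 -0700] "GET /accounts/banking HTTP/1.1" 200 2090 1001892 ECID-EXAMPLE-0002
192.0.2.11 - - [15/Aug/2014:14:55:26 -0700] "GET /accounts/banking HTTP/1.1" 200 2090 95310 ECID-EXAMPLE-0003
2014-03-25 18:53:18 4.604 POST /example/authenticate 200
2014-03-25 18:53:18 0.007 POST /example/validate 200
this line matches neither format
'''


def parse_line(line):
    """Return a record with the response time normalized to ms, or None."""
    line = line.strip()
    m = OHS_RE.match(line)
    if m:
        return {"source": "OHS", "when": m["when"], "method": m["method"],
                "uri": m["uri"], "status": int(m["status"]),
                "ms": round(int(m["micros"]) / 1000.0, 3), "ecid": m["ecid"]}
    m = WLS_RE.match(line)
    if m:
        return {"source": "WLS", "when": m["date"] + " " + m["time"],
                "method": m["method"], "uri": m["uri"],
                "status": int(m["status"]),
                "ms": round(float(m["secs"]) * 1000.0, 3), "ecid": None}
    return None


def parse_log(text):
    """Parse every non-empty line; count the ones that match neither format."""
    records, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1
        else:
            records.append(rec)
    return records, skipped


def slow_requests(records, threshold_ms):
    """Requests at or above the threshold, slowest first."""
    return sorted((r for r in records if r["ms"] >= threshold_ms),
                  key=lambda r: r["ms"], reverse=True)


def summarize(records):
    """Per (source, URI): request count, nearest-rank p95 and max, in ms."""
    by_uri = defaultdict(list)
    for r in records:
        by_uri[(r["source"], r["uri"])].append(r["ms"])
    stats = {}
    for key, values in by_uri.items():
        values.sort()
        rank = max(1, math.ceil(0.95 * len(values)))
        stats[key] = {"count": len(values), "p95_ms": values[rank - 1],
                      "max_ms": values[-1]}
    return stats


if __name__ == "__main__":
    records, skipped = parse_log(SAMPLE)
    print(f"parsed={len(records)} skipped={skipped}")
    for r in slow_requests(records, 1000):
        print(f'{r["source"]} {r["when"]} {r["ms"]:.1f} ms '
              f'{r["method"]} {r["uri"]} ecid={r["ecid"]}')
    for (source, uri), s in sorted(summarize(records).items()):
        print(f'{source} {uri} n={s["count"]} p95={s["p95_ms"]} max={s["max_ms"]}')
```

The skipped-line count is worth watching on real logs: a high value usually means the configured log format differs from the one assumed here.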
Checking Response Times (Cont.)
OID Access Log
[2011-09-19T131530-0700] [OID] [TRACE16] [] [OIDLDAPD] [host idmhostpsrcom] [pid 30840] [tid 9] [ecid 004fL41Bzhl66UA5Jbw0yf0007Xs001Jf80] ServerWorker (REG)[[BEGIN ConnID56 mesgID23726 OpID3461 OpNamesearch ConnIP10228141163 ConnDNcn=idrousercn=usersdc=usdc=oracledc=com
2011-09-19T131530 INFO gslfseADoSearch BASE = cn=Usersdc=usdc=oracledc=com FILTER = (uid=fast_login_user) REQDATTR = 1 SCOPE = 2 REQDATTRS = uid TIMELIMIT = 3600 SIZELIMIT = 1000 DEREF = 0
2011-09-19T131530 INFOgsleswrASndResult OPtime=499 micro sec RESULT=0 tag=101 nentries=1 END
Fields highlighted: Client IP (ConnIP), OID Operation (OpName), Response Time in µs (OPtime), Entries Returned (nentries)
Performance Analysis Tools – Java Flight Recorder (JFR)
• JFR is an excellent on-demand tool for diagnosing performance issues, suitable for use both in development and production environments
• The recorded data can be analyzed offline using Java Mission Control
• Key Features/Metrics
  – Threads: hot threads, thread contention, thread dumps
  – Memory: heap and garbage collection statistics
  – IO events like Socket R/W, File R/W
  – Latencies for key events like Java waits, Java blocks etc.
• JRockit and JDK 7u40 and above only (bundled with HotSpot JVM)
• Optional WebLogic pack provides additional metrics on
  – Servlets, EJBs, Client, JDBC calls etc.
Analyzing metrics: JDK/Unix tools
• JDK
  – JMAP
  – Jconsole
  – Thread dumps
• Eclipse Memory Analyzer
• Unix
  • Netstat
  • SAR/Top
  • vmstat
Dynamic Monitoring Service (DMS)
• DMS enables IDM applications to collect critical performance metrics
• DMS metrics can be collected for
  – Access Management events, OIM event handlers, adapters or scheduled jobs
• DMS exposes a servlet to view the DMS enabled metrics
  – http://servername:port/dms
• DMS metrics are cumulative from the server start
  – Reset the metrics before the test or before steady-state
Oracle FMW Enterprise Manager
• Access Management Performance
  – Authentications/sec for each OAM Server instance in the cluster
  – Success Rate: percentage of successful authentications
  – Authorizations/sec for each OAM Server instance in the cluster
  – Success Rate: percentage of successful authorizations
• OIM Performance
  – Adapter Executions
  – Event Handler Executions
  – JMS Metrics
DB Tools
• Use DB tools to collect comprehensive diagnostic data to help analyze the performance issues
  – AWR (Automatic Workload Repository)
  – ADDM (Automatic Database Diagnostic Monitor)
  – Active Session History (ASH)
• DB tools help to identify the performance issue at the database/session level and resource-intensive SQL queries/PLSQL packages related to a particular use case
DB Tools
• AWR snapshot interval: 1 hour or less
  – Frequent snapshots provide higher granularity and help to narrow down the root cause
• Generate ASH reports when you suspect resource intensive SQL queries/PL-SQL packages are the bottlenecks
• Use database EM console/scripts to generate the AWR and ADDM reports
• OAAM & OIM are DB intensive applications
Program Agenda
Introduction
Performance Tools and Methodology
Oracle Access Management Performance
Oracle Identity Manager Performance
Conclusion
Q & A
Oracle Access Management Overview
• OAM suite is a Java Platform, Enterprise Edition based enterprise-level security application that includes a full range of services that provide Web-perimeter security functions and Web single sign-on, identity context, authentication and authorization, fraud detection, secure mobile access and more
• Oracle Access Management 11gR2 has been architected to provide internet-level performance, scalability and high availability
• The focus of this presentation would be on three critical products, OMS/OAM/OAAM, with references to OID/Oracle DB
Access Management: Sample Banking Test Case
• To help with this presentation, we will use a sample integrated test case that would include all the 3 Access components along with OID and DB
  – All the 3 Access components are integrated
  – Requests could come from a mobile app or a web browser
Access Management Sample Banking Test Case Overview
[Diagram: OHS, Webgate, Banking Applications, Mobile and Social, Access Manager (Core), Adaptive Access Manager, OAM DB, OAAM DB]
Access Management Performance Analysis
• To start with the performance analysis of access management operations, we need to define the issue/problem
• Typically a slow transaction is identified during the testing or in production
  – Ex:
    • Login is slow
    • Page loading is slow, but the application does not appear to be the issue
    • Huge spikes in response times
    • Server is not scaling beyond certain concurrent load
Performance Analysis: Isolate
Isolating the bottleneck
• Is it an IDM issue?
• If it's a browser based authentication flow, check the browser HTTP trace (ex: httpfox for Firefox)
0221 673 GET 302 texthtml httpstestbank-fsusoraclecomprofilePage
0568 1587 GET 302 texthtml httpstestbank-ssousoraclecomoamserverobrareqcgi
0174 4139 GET 200 texthtml httpstestbank-ssousoraclecomgloballoginPage
0556 5422 POST 302 Redirect httpstestbank-ssousoraclecomoamserverauth_cred_submit
0057 3061 GET 302 Redirect httpstestbank-fsusoraclecomobrarcgiencreply=Y8e1m9daYF
0076 2283 GET 302 Redirect httpstestbank-fsusoraclecomhomePageadfAuthentication_a
0160 2412 GET 200 texthtml httpstestbank-fsusoraclecomprofilePage
Performance Analysis: Isolate (Continued)
Isolating the bottleneck
• Load testing identifies slow transactions
• Analyze the access logs on each component to isolate the slow request(s) to one of the components
• OMS and Webgate use the OAP protocol to communicate with OAM
  – These are not registered in HTTP access logs; separate configuration is available in Webgate
  – Netstat monitoring tool would give information about connections
  – These connections should be stable under steady state; unstable connections will lead to spikes in response times
• By the end of this step we should have isolated the problem to one (or few) of the access components: OAM/OMS/OAAM/OHS/Webgate/OID/DB
Performance Analysis: Identify
• Once the problem is isolated to one of the components, we can leverage the tools to identify the problem
• We will discuss two of the tools
  – DMS
  – JFR
Performance Analysis: Identify (DMS metrics – OAMSOAM_OAMController)
AuthZ is 0
AuthN RT is high on this server
Copyright copy 2014 Oracle andor its affiliates All rights reserved |
Tools Access Logs - Checking Response Times
bull Access log captures key metrics for each requestbull The OHS log file can be found at
ltOHS_Instance_HomegtdiagnosticslogOHSltinstance_namegtaccess_log
bull WLS log files could be found at ltDOMAIN_HOMEgtserversltserver_namegtlogsaccesslog
bull The OID log file can be found at ltOID_Instance_HomegtdiagnosticslogOIDltinstance_namegtoidldapd01sltpidgtlog
Copyright copy 2014 Oracle andor its affiliates All rights reserved |
Checking Response TimesOracle HTTP Server (OHS) Access Log
101287041 - - [15Aug2014145524 -0700] GET preferencepaymentbill-payees HTTP11 200 591 148421 009dQQRTDVEFw0HpIsO5yf0006Bc001LS9101287041 - - [15Aug2014145524 -0700] GET accountsbanking HTTP11 200 2090 1001892 009dQQRTDVEFw0HpIsO5yf0006Bc001G83
Client IP URL
Response Status
Response Size (bytes)
Response Time (micros)
Request Time Method
2014-03-25 185318 4604 POST oic_restrestmobilejwtoamauthenticationauthenticate 2002014-03-25 185318 0007 POST oic_restrestmobilejwtoamauthenticationvalidate 2002014-03-25 185318 71 POST oic_restrestmobilejwtoamauthenticationauthenticate 2002014-03-25 185318 0007 POST oic_restrestmobilejwtoamauthenticationvalidate 2002014-03-25 185318 0536 POST oic_restrestmobilejwtoamauthenticationaccess 2002014-03-25 185318 1126 POST oic_restrestmobilejwtoamauthenticationaccess 200
URL Method Request Time
Request Time (Seconds)
Response Status
IDM WLS Access Log
Copyright copy 2014 Oracle andor its affiliates All rights reserved |
Checking Response Times (Cont)OID Access Log
[2011-09-19T131530-0700] [OID] [TRACE16] [] [OIDLDAPD] [host idmhostpsrcom] [pid 30840] [tid 9] [ecid 004fL41Bzhl66UA5Jbw0yf0007Xs001Jf80] ServerWorker (REG)[[BEGIN ConnID56 mesgID23726 OpID3461 OpNamesearch ConnIP10228141163 ConnDNcn=idrousercn=usersdc=usdc=oracledc=com2011-09-19T131530 INFO gslfseADoSearch BASE = cn=Usersdc=usdc=oracledc=com FILTER = (uid=fast_login_user) REQDATTR = 1 SCOPE = 2 REQDATTRS = uid TIMELIMIT = 3600 SIZELIMIT = 1000 DEREF = 02011-09-19T131530 INFOgsleswrASndResult OPtime=499 micro sec RESULT=0 tag=101 nentries=1 END
Client IP
Response Time (micros)
OID Operation
Entries Returned
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 13
Performance Analysis Tools ndash JavaFlightRecorder (JFR)
bull JFR is a excellent on-demand tool for diagnosing performance issues suitable for use both in development and production environments
bull The recorded data can be analyzed off line using Java Mission Control
bull Key FeaturesMetricsndash Threads Hot threads thread contention thread dumpsndash Memory Heap and Garbage collection statisticsndash IO events line Socket RW File RWndash Latencies for key events like java waitsjava blocks etc
bull Jrockit and JDK 7 u40 and above only (Bundles with hotspot JVM)
bull Optional Weblogic Pack provides additional metrics on ndash Servlets EJBrsquosClient Jdbc calls etc
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 14
Analyzing metrics JDKUnix tools
bull JDK ndash JMAPndash Jconsolendash Threaddumps
bull Eclipse Memory Analyzer
bull Unixbull Netstatbull SARTopbull vmstat
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 15
Dynamic Monitoring Service (DMS)
bull DMS enables IDM applications to collect critical performance metricsbull DMS metrics can be collected for
ndash AccessManagement Events OIM Event handlers adapters or scheduled jobs
bull DMS exposes a servlet to view the DMS enabled metrics ndash httpservernameportdms
bull DMS metrics are cumulative from the server start ndash Reset the metrics before the test or before steady-state
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 16
Oracle FMW Enterprise Manager
bull Access Management Performance ndash Authenticationssec for each OAM Server instance in the clusterndash Success Rate percentage of successful authentications ndash Authorizationssec for each OAM Server instance in the clusterndash Success Rate percentage of successful authorizations
bull OIM Performancendash Adapter Executionsndash Event Handler Executionsndash JMS Metrics
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 17
Oracle FMW Enterprise Manager
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 18
DB Tools
bull Use DB tools to collect comprehensive diagnostic data to help analyze the performance issuesndash AWR (Automatic Workload Repository)ndash ADDM (Automatic Database Diagnostic Monitor)ndash Active Session History (ASH)
bull DB tools helps to identify the performance issue at the databasesession level and resource-intensive SQL queriesPLSQL packages related to particular use case
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 19
DB Tools
bull AWR snapshot interval 1 hour or less ndash Frequent snapshots provide higher granularity and help to narrow down the root
cause
bull Generate ASH reports when you suspect resource intensive SQL queriesPL-SQL packages are the bottlenecks
bull Use database EM consolescripts to generate the AWR and ADDM reportsbull OAAM amp OIM are DB intensive applications
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 20
Program Agenda
Introduction
Performance Tools and Methodology
Oracle Access Management Performance
Oracle Identity Manager Performance
Conclusion
Q amp A
1
4
5
6
2
3
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 21
Oracle Access Management Overview
bull OAM suite is a Java Platform Enterprise Edition based enterprise-level security applications that includes a full range of services that provide Web-perimeter security functions and Web single sign-on identity context authentication and authorization fraud detection secure mobile access and more
bull Oracle Access Management 11gR2 has been architected to provide internet-level performance scalability and high availability
bull The focus of this presentation would be on three critical products OMSOAMOAAM with references to OIDOracle DB
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 22
Access Management Sample Banking Test Casebull To help with this presentation we will use a sample integrated test case that
would include all the 3 Access components along with OID and DBndash All the 3 Access components are integratedndash Requests could come from a mobile app or a web browser
Copyright copy 2014 Oracle andor its affiliates All rights reserved |
Access Management Sample Banking Test Case Overview
`OHS
Webgate
Banking Applications
Mobile and
Social
Access Manager (Core)
Adaptive Access Manager OAM DB
OAAM DB
23
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 24
Access Management Performance Analysis
bull To start with the performance analysis of access management operations we need to define the issueproblem
bull Typically a slow transaction is identified during the testing or in productionndash Ex
bull Login is slowbull Page loading is slow but the application does not appear to be the issuebull Huge spikes in response timesbull Server is not scaling beyond certain concurrent load
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 25
Performance Analysis Isolate
bull Is it a IDM issuebull If itrsquos a browser based authentication flow check the browser http trace
(ex httpfox for firefox)
Isolating the bottleneck
0221 673 GET 302 texthtml httpstestbank-fsusoraclecomprofilePage0568 1587 GET 302 texthtml httpstestbank-ssousoraclecomoamserverobrareqcgi 0174 4139 GET 200 texthtml httpstestbank-ssousoraclecomgloballoginPage0556 5422 POST 302 Redirect httpstestbank-ssousoraclecomoamserverauth_cred_submit0057 3061 GET 302 Redirect httpstestbank-fsusoraclecomobrarcgiencreply=Y8e1m9daYF0076 2283 GET 302 Redirect httpstestbank-fsusoraclecomhomePageadfAuthentication_a0160 2412 GET 200 texthtml httpstestbank-fsusoraclecomprofilePage
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 26
Performance Analysis: Isolate (Continued)
Isolating the bottleneck
• Load testing identifies slow transactions
• Analyze the access logs on each component to isolate the slow request(s) to one of the components
• OMS and Webgate use the OAP protocol to communicate with OAM
  – These are not registered in HTTP access logs; separate configuration is available in Webgate
  – The netstat monitoring tool would give information about connections
  – These connections should be stable under steady state; unstable connections will lead to spikes in response times
• By the end of this step we should have isolated the problem to one (or a few) of the access components: OAM/OMS/OAAM/OHS/Webgate/OID/DB

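One way to run the netstat check from the Isolate step, as an added example that is not part of the original slides: it compares successive `netstat -ant` snapshots and reports churn on the Webgate/OMS-to-OAM connections. The snapshots are constructed, and the port 5575, the Linux column layout and all function names are assumptions.

```python
# Constructed `netstat -ant` snapshots (Linux column layout) from a Webgate host.
# OAP_PORT is an assumed value; use the port your OAM server listens on for OAP.
OAP_PORT = 5575
CLOSING = {"TIME_WAIT", "CLOSE_WAIT", "FIN_WAIT1", "FIN_WAIT2", "LAST_ACK", "CLOSING"}

SNAP_1 = """\
Proto Recv-Q Send-Q Local Address      Foreign Address     State
tcp        0      0 192.0.2.5:41001    192.0.2.9:5575      ESTABLISHED
tcp        0      0 192.0.2.5:41002    192.0.2.9:5575      ESTABLISHED
tcp        0      0 192.0.2.5:41003    192.0.2.9:5575      ESTABLISHED
tcp        0      0 192.0.2.5:7777     198.51.100.7:50311  ESTABLISHED
"""
SNAP_2 = SNAP_1  # steady state: the same three OAP connections are still open
SNAP_3 = """\
Proto Recv-Q Send-Q Local Address      Foreign Address     State
tcp        0      0 192.0.2.5:41001    192.0.2.9:5575      ESTABLISHED
tcp        0      0 192.0.2.5:41002    192.0.2.9:5575      TIME_WAIT
tcp        0      0 192.0.2.5:41010    192.0.2.9:5575      ESTABLISHED
tcp        0      0 192.0.2.5:41011    192.0.2.9:5575      ESTABLISHED
"""


def parse_snapshot(text, port):
    """Map (local, foreign) -> TCP state for connections to the given remote port."""
    conns = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("tcp"):
            continue  # header line or non-TCP socket
        local, foreign, state = parts[3], parts[4], parts[5]
        if foreign.rsplit(":", 1)[-1] == str(port):
            conns[(local, foreign)] = state
    return conns


def churn(prev, curr):
    """Compare two parsed snapshots and count connection turnover."""
    est_prev = {k for k, s in prev.items() if s == "ESTABLISHED"}
    est_curr = {k for k, s in curr.items() if s == "ESTABLISHED"}
    return {
        "established": len(est_curr),
        "opened": len(est_curr - est_prev),   # new since the last sample
        "closed": len(est_prev - est_curr),   # no longer established
        "closing": sum(1 for s in curr.values() if s in CLOSING),
    }


def assess(snapshots, port):
    """Return one churn record per sampling interval, flagged stable or not."""
    parsed = [parse_snapshot(s, port) for s in snapshots]
    intervals = []
    for prev, curr in zip(parsed, parsed[1:]):
        row = churn(prev, curr)
        row["stable"] = row["opened"] == 0 and row["closed"] == 0 and row["closing"] == 0
        intervals.append(row)
    return intervals


if __name__ == "__main__":
    for i, row in enumerate(assess([SNAP_1, SNAP_2, SNAP_3], OAP_PORT), 1):
        print("interval", i, row)
```

Intervals that are not stable while the load is steady are the ones to line up against response-time spikes.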
Performance Analysis: Identify
• Once the problem is isolated to one of the components, we can leverage the tools to identify the problem
• We will discuss two of the tools
  – DMS
  – JFR

Performance Analysis: Identify (DMS metrics – OAMSOAM_OAMController)
• AuthZ is 0
• AuthN RT is high on this server

Performance Analysis: Identify (JFR)
Identifying the bottleneck: JFR
1. WebLogic -> Servlet
2. Clearly the authentication call is the slowest -> Select and add selection to operative set
3. Events -> Logs -> "Filter slow requests"

Performance Analysis: Identify (JFR)
• Select the events you are interested in
• Socket Read (blue) from OMS to OAM appears to be the bottleneck for the servlet calls (pink)

Tune
• OAM
  – NAP Connection
    • OAM EJB pool
  – Coherence
    • oamcoherencettl
    • MaximumQueueSize
    • tangosol.coherence.distributed.threads
    • tangosol.coherence.distributed.backupcount
    • max-beans-in-free-pool = 450
    • DistributedCacheMaxSize
  – OAM DB session growth should be sustainable
    • Monitor the expired sessions in OAM DB
• OMS
  – Modify the OMS-OAM connection to point to the local server
  – Connection pooling to OAM
• OAAM
  – OAAM DB: partition tunings on tables like VCRYPT_ALERT, VT_SESSION_ACTION_MAP, VCRYPT_TRACKER_USERNODE_LOGS
  – OAAM DB connection pool
  – Purge historic data
• Separate DB for OAM and OAAM

Tune
• OHS tuning is critical
  – KeepAlive On
  – MaxKeepAliveRequests
  – KeepAliveTimeout
• Webgate tunings
  – Max Connections
  – Cache Pragma/Control header
  – aaaTimeout
• Goal
  – Load test: maximum CPU utilization
  – Steady RT

Access Management Conclusion
• Oracle Access Management 11gR2 represents a major milestone in access management technology that is unique in the industry. Oracle's Access Management platform provides innovative new services that complement traditional access management capabilities
• This new platform represents key development goals for complete, innovative, simplified and scalable access management that is open to third-party customization and integration
• Whether your need is to provide secure access to browser-based applications, secure mobile applications, cloud single sign-on, secure web services, or federated single sign-on to and from your business partners, you can be sure that it's a service provided by Oracle Access Management 11gR2 – Complete and Scalable Access Management
• 250M Access Management benchmark white paper link

Agenda
1. Introduction
2. Access Manager Performance
3. Oracle Identity Manager Performance
4. Conclusion
5. Q & A

Oracle Identity Governance
• Oracle Identity Governance Suite enables organizations to simplify access grants and review access through best-in-class provisioning, role, policy and risk management into a common, consistent and unified governance suite
• Oracle Identity Manager is part of the OIG suite

Oracle Identity Manager
1. Oracle Identity Manager Performance
2. Tuning and Managing Application Cache
3. Tuning Message Driven Beans
4. Tuning the User Interface
5. Tuning the JDBC Connection Pool & Database
6. Reconciliation Tuning

OIM Reconciliation metrics through DMS
• Schedule Job
  – Time it took to capture the events from the target and time it took to create the event
• Action Task
  – Provides information about how much time it took to process the events
• Event Handlers
  – Reports how much time it took to execute any post-process event handlers
• Audit Handler
  – Reports the time taken to record and process the audit

OIM metrics through DMS

Tuning and Managing Application Cache
• Oracle Identity Manager allows caching of metadata, which reduces DB activity and network load and improves performance
  – You can use Oracle Enterprise Manager (EM) to turn on caching
  – Export oim-config.xml to make changes, and then import it back to turn on caching
In Oracle Enterprise Manager console, under Identity Management

Tuning the JDBC Connection Pool & Database
• Oracle Identity Manager uses the ApplicationDB, oimOperationsDB and oimJMSStoreDS datasources
  – Maximum connections is set at 50
  – Increase this based on your load requirement
• Monitor key database performance indicators in your production environment and adjust the configuration
  – You can use EM to monitor the DB & generate AWR/ADDM reports

Tuning the JDBC Connection Pool & Database (Contd…)
• Create separate tablespaces for tables that generally grow bigger and are accessed frequently
  – Oracle Identity Manager stores provisioning and approval task details in the OSI, OSH & SCH tables
  – Recommended to group these in one or more dedicated tablespaces
  – Storing audit tables in a separate tablespace
• Using multiple redo-log files
  – Database transactions and commits during a reconciliation run can be high

Tuning Message Driven Beans
• Oracle Identity Manager uses Message Driven Beans (MDBs) for processing all offline activities
  – Reconciliation, auditing, requests, attestation, and its internal kernel operations
• By default, 80 MDB instances concurrently serve requests
  – Increase this based on your load
  – You can increase this by modifying the OIMMDBWorkManager configuration

Tuning the User Interface
• Oracle Identity Manager by default provides 20 front-end thread configurations
  – These threads are used for serving front-end requests
• Disabling the reloading of adapters and plug-in configuration
  – Reloading of adapters and plug-in configuration is enabled for ease of development
  – Should be disabled in the production environment
• Application Module tuning is critical for UI performance
  • -Djbo.ampool.maxavailablesize = number of concurrent users + 20

Reconciliation Tuning
• Configure paged reconciliation to optimize performance
• Database indexes for reconciliation matching rules
• Reconciliation uses matching algorithm to find if the user/account/role/organization for which the change is requested
• Matching algorithm compares the data in a set of columns in OIM with the data in target staging table columns

Reconciliation Tuning (Contd…)
• Columns that contain the matching rules are defined in the reconciliation profile
• Indexes created on the matching rule columns to improve the performance of the matching operation

Conclusion
• Use tools and information provided in this presentation to achieve maximum performance from your IDM deployment
• 250M Access Management benchmark WP link
• Tuning considerations mentioned in this presentation are available
  – Oracle Identity and Access Management Performance and Tuning Guide

Q&A

Checking Response Times
Oracle HTTP Server (OHS) Access Log

101287041 - - [15Aug2014145524 -0700] GET preferencepaymentbill-payees HTTP11 200 591 148421 009dQQRTDVEFw0HpIsO5yf0006Bc001LS9
101287041 - - [15Aug2014145524 -0700] GET accountsbanking HTTP11 200 2090 1001892 009dQQRTDVEFw0HpIsO5yf0006Bc001G83

Fields: Client IP, Request Time, Method, URL, Response Status, Response Size (bytes), Response Time (µs)

IDM WLS Access Log

2014-03-25 185318 4604 POST oic_restrestmobilejwtoamauthenticationauthenticate 200
2014-03-25 185318 0007 POST oic_restrestmobilejwtoamauthenticationvalidate 200
2014-03-25 185318 71 POST oic_restrestmobilejwtoamauthenticationauthenticate 200
2014-03-25 185318 0007 POST oic_restrestmobilejwtoamauthenticationvalidate 200
2014-03-25 185318 0536 POST oic_restrestmobilejwtoamauthenticationaccess 200
2014-03-25 185318 1126 POST oic_restrestmobilejwtoamauthenticationaccess 200

Fields: Request Time, Request Time (Seconds), Method, URL, Response Status

Checking Response Times (Cont.)
OID Access Log

[2011-09-19T131530-0700] [OID] [TRACE16] [] [OIDLDAPD] [host idmhostpsrcom] [pid 30840] [tid 9] [ecid 004fL41Bzhl66UA5Jbw0yf0007Xs001Jf80] ServerWorker (REG)[[BEGIN ConnID56 mesgID23726 OpID3461 OpNamesearch ConnIP10228141163 ConnDNcn=idrousercn=usersdc=usdc=oracledc=com
2011-09-19T131530 INFO gslfseADoSearch BASE = cn=Usersdc=usdc=oracledc=com FILTER = (uid=fast_login_user) REQDATTR = 1 SCOPE = 2 REQDATTRS = uid TIMELIMIT = 3600 SIZELIMIT = 1000 DEREF = 0
2011-09-19T131530 INFOgsleswrASndResult OPtime=499 micro sec RESULT=0 tag=101 nentries=1
END

Fields: Client IP, OID Operation, Response Time (µs), Entries Returned

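The access-log comparison from the Isolate step, applied to the three log types shown under Checking Response Times, as an added example that is not from the original slides: each log reports time in a different unit, so the script normalizes everything to milliseconds before ranking components. All log lines are constructed, and the OHS LogFormat, the `#Fields` header, the `:` after `OpName` and every function name are assumptions.

```python
import re
from collections import defaultdict, namedtuple

Sample = namedtuple("Sample", "component request ms status")

# Constructed sample lines in the shape of the three logs on the slides.
# Assumed OHS LogFormat: %h %l %u %t "%r" %>s %b %D <ecid>  (%D is microseconds)
OHS_LOG = """\
192.0.2.10 - - [15/Aug/2014:14:55:24 -0700] "GET /bank/payees HTTP/1.1" 200 591 148421 ecid-0001
192.0.2.10 - - [15/Aug/2014:14:55:24 -0700] "GET /bank/accounts HTTP/1.1" 200 2090 1001892 ecid-0002
"""
# WebLogic extended log format; time-taken is in seconds.
WLS_LOG = """\
#Fields: date time time-taken cs-method cs-uri sc-status
2014-03-25 18:53:18 4.604 POST /rest/auth/authenticate 200
2014-03-25 18:53:18 0.007 POST /rest/auth/validate 200
2014-03-25 18:53:19 0.536 POST /rest/auth/access 200
"""
# OID trace record; OPtime is in microseconds.
OID_LOG = """\
BEGIN ConnID:56 mesgID:23726 OpID:3461 OpName:search ConnIP:192.0.2.20
INFO : gsleswrASndResult OPtime=499 micro sec RESULT=0 tag=101 nentries=1
END
"""

OHS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) (?P<usec>\d+)')
OID_OP_RE = re.compile(r'OpName[:=]\s*(\w+)')
OID_TIME_RE = re.compile(r'OPtime=(\d+) micro sec RESULT=(\d+)')


def parse_ohs(text):
    for line in text.splitlines():
        m = OHS_RE.match(line)
        if m:  # lines that do not fit the assumed format are skipped
            request = m.group("method") + " " + m.group("url")
            yield Sample("OHS", request, int(m.group("usec")) / 1000.0, m.group("status"))


def parse_wls(text):
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order comes from the log header
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        try:
            ms = float(row["time-taken"]) * 1000.0
        except (KeyError, ValueError):
            continue  # no usable time-taken column on this line
        request = row.get("cs-method", "-") + " " + row.get("cs-uri", "-")
        yield Sample("WLS", request, ms, row.get("sc-status", "-"))


def parse_oid(text):
    op = "unknown"
    for line in text.splitlines():
        m = OID_OP_RE.search(line)
        if m:
            op = m.group(1)  # remember the operation until its result line
        m = OID_TIME_RE.search(line)
        if m:
            yield Sample("OID", op, int(m.group(1)) / 1000.0, m.group(2))
            op = "unknown"


def collect():
    return list(parse_ohs(OHS_LOG)) + list(parse_wls(WLS_LOG)) + list(parse_oid(OID_LOG))


def summarize(samples):
    """Per-component count, mean and worst request, all in milliseconds."""
    by_comp = defaultdict(list)
    for s in samples:
        by_comp[s.component].append(s)
    report = {}
    for comp, rows in by_comp.items():
        worst = max(rows, key=lambda s: s.ms)
        report[comp] = {"count": len(rows),
                        "mean_ms": sum(s.ms for s in rows) / len(rows),
                        "max_ms": worst.ms,
                        "slowest": worst.request}
    return report


def slow_requests(samples, threshold_ms=1000.0):
    """Requests at or above the threshold, slowest first, across all components."""
    return sorted((s for s in samples if s.ms >= threshold_ms), key=lambda s: -s.ms)


if __name__ == "__main__":
    data = collect()
    for comp, row in sorted(summarize(data).items()):
        print(comp, row)
    for s in slow_requests(data):
        print("SLOW", s.component, s.request, round(s.ms, 3), "ms")
```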
Performance Analysis Tools – Java Flight Recorder (JFR)
• JFR is an excellent on-demand tool for diagnosing performance issues, suitable for use in both development and production environments
• The recorded data can be analyzed offline using Java Mission Control
• Key features/metrics
  – Threads: hot threads, thread contention, thread dumps
  – Memory: heap and garbage collection statistics
  – I/O events like socket R/W, file R/W
  – Latencies for key events like Java waits, Java blocks, etc.
• JRockit and JDK 7u40 and above only (bundled with the HotSpot JVM)
• Optional WebLogic pack provides additional metrics on
  – Servlets, EJBs, Client JDBC calls, etc.

Analyzing metrics: JDK/Unix tools
• JDK
  – jmap
  – JConsole
  – Thread dumps
• Eclipse Memory Analyzer
• Unix
  • netstat
  • sar/top
  • vmstat

Dynamic Monitoring Service (DMS)
• DMS enables IDM applications to collect critical performance metrics
• DMS metrics can be collected for
  – Access Management events, OIM event handlers, adapters or scheduled jobs
• DMS exposes a servlet to view the DMS-enabled metrics
  – http://servername:port/dms
• DMS metrics are cumulative from the server start
  – Reset the metrics before the test or before steady state

Oracle FMW Enterprise Manager
• Access Management Performance
  – Authentications/sec for each OAM Server instance in the cluster
  – Success Rate: percentage of successful authentications
  – Authorizations/sec for each OAM Server instance in the cluster
  – Success Rate: percentage of successful authorizations
• OIM Performance
  – Adapter Executions
  – Event Handler Executions
  – JMS Metrics

DB Tools
• Use DB tools to collect comprehensive diagnostic data to help analyze performance issues
  – AWR (Automatic Workload Repository)
  – ADDM (Automatic Database Diagnostic Monitor)
  – Active Session History (ASH)
• DB tools help to identify the performance issue at the database/session level and the resource-intensive SQL queries/PL/SQL packages related to a particular use case

DB Tools
• AWR snapshot interval: 1 hour or less
  – Frequent snapshots provide higher granularity and help to narrow down the root cause
• Generate ASH reports when you suspect resource-intensive SQL queries/PL-SQL packages are the bottlenecks
• Use the database EM console/scripts to generate the AWR and ADDM reports
• OAAM & OIM are DB-intensive applications

Program Agenda
1. Introduction
2. Performance Tools and Methodology
3. Oracle Access Management Performance
4. Oracle Identity Manager Performance
5. Conclusion
6. Q & A

Oracle Access Management Overview
• The OAM suite is a set of Java Platform, Enterprise Edition-based, enterprise-level security applications that includes a full range of services that provide Web-perimeter security functions and Web single sign-on, identity context, authentication and authorization, fraud detection, secure mobile access and more
• Oracle Access Management 11gR2 has been architected to provide internet-level performance, scalability and high availability
• The focus of this presentation is on three critical products, OMS/OAM/OAAM, with references to OID/Oracle DB

Access Management Sample Banking Test Casebull To help with this presentation we will use a sample integrated test case that
would include all the 3 Access components along with OID and DBndash All the 3 Access components are integratedndash Requests could come from a mobile app or a web browser
Copyright copy 2014 Oracle andor its affiliates All rights reserved |
Access Management Sample Banking Test Case Overview
`OHS
Webgate
Banking Applications
Mobile and
Social
Access Manager (Core)
Adaptive Access Manager OAM DB
OAAM DB
23
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 24
Access Management Performance Analysis
bull To start with the performance analysis of access management operations we need to define the issueproblem
bull Typically a slow transaction is identified during the testing or in productionndash Ex
bull Login is slowbull Page loading is slow but the application does not appear to be the issuebull Huge spikes in response timesbull Server is not scaling beyond certain concurrent load
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 25
Performance Analysis Isolate
bull Is it a IDM issuebull If itrsquos a browser based authentication flow check the browser http trace
(ex httpfox for firefox)
Isolating the bottleneck
0221 673 GET 302 texthtml httpstestbank-fsusoraclecomprofilePage0568 1587 GET 302 texthtml httpstestbank-ssousoraclecomoamserverobrareqcgi 0174 4139 GET 200 texthtml httpstestbank-ssousoraclecomgloballoginPage0556 5422 POST 302 Redirect httpstestbank-ssousoraclecomoamserverauth_cred_submit0057 3061 GET 302 Redirect httpstestbank-fsusoraclecomobrarcgiencreply=Y8e1m9daYF0076 2283 GET 302 Redirect httpstestbank-fsusoraclecomhomePageadfAuthentication_a0160 2412 GET 200 texthtml httpstestbank-fsusoraclecomprofilePage
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 26
Performance Analysis Isolate (Continue)
bull Load testing identifies slow transactionsbull Analyze the access logs on each component to isolate the slow request(s) to
one of the componentbull OMS and webgate uses oap protocol to communicate with OAM
ndash These are not registered in http access logs separate configuration is available in webgate ndash Netstat monitoring tool would give information about connections ndash These connections should be stable under steady state unstable connections will lead to
spikes in response times
bull By the end of this step we should have isolate the problem to one (or few) of the access components OAMOMSOAAMOHSwebgateOIDDB
Isolating the bottleneck
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 27
Performance Analysis Identify
bull Once the problem is isolated to one of the component we can leverage the tools to identify the problem
bull We will discuss two of the toolsndash DMSndash JFR
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 28
Performance Analysis Identify (DMS metrics ndash OAMSOAM_OAMController)
AuthZ is 0
AuthN RTis high on this server
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 29
Performance analysis Identify (JFR)
Identifying the bottleneck JFR1Weblogic-gtServlet
2 Clearly authentication call is the slowest -gtSelect and add selection to operative set3 Events-gt logs -gt ldquoFilter slow requests ldquo
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 30
Performance analysis Identify (JFR)
bull Select the events you are interested in
bull Socket Read (Blue)from OMS to OAM appears to be the bottleneck for the servlet calls (pink)
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 31
Tunebull OAM
ndash NAP Connectionbull OAM EJB pool
ndash Coherencebull oamcoherencettlbull MaximumQueueSizebull tangosolcoherencedistributedthreadsbull tangosolcoherencedistributedbackupcountbull max-beans-in-free-pool =450bull DistributedCacheMaxSize
ndash OAM Db session growth should be sustainablebull Monitor the expired session in OAM DB
bull OMSndash Modify OMS-OAM connection to point to local server
ndash Connection pooling to OAM
bull OAAMndash OAAM DB Partition tunings on tables like VCRYPT_ALERT
VT_SESSION_ACTION_MAP VCRYPT_TRACKER_USERNODE_LOGS
ndash OAAM Db connection pool
ndash Purge historic data
bull Separate DB for OAM and OAAM
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 32
Tune
bull OHS Tuning is criticalndash KeepAlive On ndash MaxKeepAliveRequestsndash KeepAliveTimeout
bull Webgate tuningsndash Max Connections
ndash Cache PragmaControl headerndash aaaTimeout
bull Goalndash Loadtest Maximum cpu utilizationndash Steady RT
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 33
Access Management ConclusionbullOracle Access Management 11gR2 represents a major milestone in access management technology that is unique in the industry Oraclersquos Access Management platform provides innovative new services that complement traditional access management capabilities
bullThis new platform represents key development goals for complete innovative simplified and scalable access management that is open to third-party customization and integration
bullWhether your need is to provide secure access to browser-based applications secure mobile applications cloud single sign-on secure web services or federated single sign-on to and from your business partners you can be sure that itrsquos a service provided by Oracle Access Management 11gR2 ndash Complete and Scalable Access Management
bull250M Access Management benchmark WhitePaper link
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 34
Agenda
Introduction
Access Manager Performance
Oracle Identity Manager Performance
Conclusion
Q amp A
1
3
4
5
2
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 35
Oracle Identity Governance
bull Oracle Identity Governance Suite enables organizations to simplify access grants and review access through best-in-class provisioning role policy and risk management into a common consistent and unified governance suite
bull Oracle Identity Manager is part of OIG suite
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 36
Oracle Identity Manager
Oracle Identity Manager Performance
Tuning and Managing Application Cache
Tuning Message Driven Beans
Tuning the User Interface
Tuning the JDBC connection pool amp Database
Reconciliation Tuning
1
2
3
4
5
6
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 37
OIM Reconciliation metrics through DMS
bull Schedule Jobndash Time it took to capture the events from the target and time it took to create the
event
bull Action Task ndash Provides information about how much time it took to process the events
bull Event Handlers ndash Reports how much time it took to execute any post process event handlers
bull Audit Handler ndash Reports the time taken to record and process the audit
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 38
OIM metrics through DMS
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 39
OIM metrics through DMS
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 40
Tuning and Managing Application Cachebull Oracle Identity Manager allows caching of metadata which reduces DB
activities network load and improved performancendash You can use Oracle Enterprise Manager (EM) to turn on cachingndash Export the oim-configxml to make changes and then import it back to turn on
caching In Oracle Enterprise Manager console under Identity Management
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 41
Tuning the JDBC Connection Pool amp Database
bull Oracle Identity Manager uses ApplicationDB oimOperationsDB and oimJMSStoreDS datasourcesndash Maximum connections is set at 50ndash Increase this based on your load requirement
bull Monitor key database performance indicators in your production environment and adjust the configurationndash You can use EM to monitor DB amp generate AWRADDM reports
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 42
Tuning the JDBC Connection Pool amp Database Contdhellip
bull Create separate tablespaces for tables that generally grow bigger and are accessed frequently ndash Oracle Identity Manager stores provisioning and approval task details in OSI OSH amp
SCH tablesndash Recommended to group these in one or more dedicated tablespacesndash Storing audit tables in separate tablespace
bull Using Multiple Redo-Log Filesndash Database transactions and commits during a reconciliation run can be high
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 43
Tuning Message Driven Beans
bull Oracle Identity Manager uses Message Driven Beans (MDBs) for processing all offline activitiesndash Reconciliation auditing requests attestation and for its internal kernel operations
bull Default is 80 MDB instances concurrently serve requests ndash Increase this based on your loadndash You can increase this by modifying the OIMMDBWorkManager configuration
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 44
Tuning the User Interface
bull Oracle Identity Manager by default provides 20 front-end thread configurations ndash These threads are used for serving front-end requests
bull Disabling the Reloading of Adapters and Plug-in Configurationndash Reloading of adapters and plug-in configuration are enabled for ease of
development ndash Should be disabled in the production environment
bull Application Module tuning is a critical for the UI performancebull Djboampoolmaxavailablesize = of concurrent users + 20
ndash
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 45
Reconciliation Tuning
bull Configure paged reconciliation to optimize performancebull Database Indexes for reconciliation matching Rulesbull Reconciliation uses matching algorithm to find if the
useraccountroleorganization for which the change is requested bull Matching algorithm compares the data in set of columns in OIM with the
data in target staging table columns
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 46
Reconciliation Tuning Contdhellip
bull Columns that contain the matching rules are defined in the reconciliation profile
bull Indexes created on the matching rule columns to improve the performance of the matching operation
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 47
Conclusion
bull Use tools and information provided in this presentation to achieve maximum performance from your IDM deployment
bull 250M Access Management benchmark WP linkbull Tuning considerations mentioned in this presentation are available
ndash Oracle Identity and Access Management Performance and Tuning Guide
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 48
QampA
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 49
Copyright copy 2014 Oracle andor its affiliates All rights reserved |
Checking Response Times (Cont)OID Access Log
[2011-09-19T131530-0700] [OID] [TRACE16] [] [OIDLDAPD] [host idmhostpsrcom] [pid 30840] [tid 9] [ecid 004fL41Bzhl66UA5Jbw0yf0007Xs001Jf80] ServerWorker (REG)[[BEGIN ConnID56 mesgID23726 OpID3461 OpNamesearch ConnIP10228141163 ConnDNcn=idrousercn=usersdc=usdc=oracledc=com2011-09-19T131530 INFO gslfseADoSearch BASE = cn=Usersdc=usdc=oracledc=com FILTER = (uid=fast_login_user) REQDATTR = 1 SCOPE = 2 REQDATTRS = uid TIMELIMIT = 3600 SIZELIMIT = 1000 DEREF = 02011-09-19T131530 INFOgsleswrASndResult OPtime=499 micro sec RESULT=0 tag=101 nentries=1 END
Client IP
Response Time (micros)
OID Operation
Entries Returned
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 13
Performance Analysis Tools ndash JavaFlightRecorder (JFR)
bull JFR is a excellent on-demand tool for diagnosing performance issues suitable for use both in development and production environments
bull The recorded data can be analyzed off line using Java Mission Control
bull Key FeaturesMetricsndash Threads Hot threads thread contention thread dumpsndash Memory Heap and Garbage collection statisticsndash IO events line Socket RW File RWndash Latencies for key events like java waitsjava blocks etc
bull Jrockit and JDK 7 u40 and above only (Bundles with hotspot JVM)
bull Optional Weblogic Pack provides additional metrics on ndash Servlets EJBrsquosClient Jdbc calls etc
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 14
Analyzing metrics JDKUnix tools
bull JDK ndash JMAPndash Jconsolendash Threaddumps
bull Eclipse Memory Analyzer
bull Unixbull Netstatbull SARTopbull vmstat
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 15
Dynamic Monitoring Service (DMS)
bull DMS enables IDM applications to collect critical performance metricsbull DMS metrics can be collected for
ndash AccessManagement Events OIM Event handlers adapters or scheduled jobs
bull DMS exposes a servlet to view the DMS enabled metrics ndash httpservernameportdms
bull DMS metrics are cumulative from the server start ndash Reset the metrics before the test or before steady-state
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 16
Oracle FMW Enterprise Manager
bull Access Management Performance ndash Authenticationssec for each OAM Server instance in the clusterndash Success Rate percentage of successful authentications ndash Authorizationssec for each OAM Server instance in the clusterndash Success Rate percentage of successful authorizations
bull OIM Performancendash Adapter Executionsndash Event Handler Executionsndash JMS Metrics
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 17
Oracle FMW Enterprise Manager
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 18
DB Tools
bull Use DB tools to collect comprehensive diagnostic data to help analyze the performance issuesndash AWR (Automatic Workload Repository)ndash ADDM (Automatic Database Diagnostic Monitor)ndash Active Session History (ASH)
bull DB tools helps to identify the performance issue at the databasesession level and resource-intensive SQL queriesPLSQL packages related to particular use case
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 19
DB Tools
bull AWR snapshot interval 1 hour or less ndash Frequent snapshots provide higher granularity and help to narrow down the root
cause
bull Generate ASH reports when you suspect resource intensive SQL queriesPL-SQL packages are the bottlenecks
bull Use database EM consolescripts to generate the AWR and ADDM reportsbull OAAM amp OIM are DB intensive applications
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 20
Program Agenda
Introduction
Performance Tools and Methodology
Oracle Access Management Performance
Oracle Identity Manager Performance
Conclusion
Q amp A
1
4
5
6
2
3
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 21
Oracle Access Management Overview
bull OAM suite is a Java Platform Enterprise Edition based enterprise-level security applications that includes a full range of services that provide Web-perimeter security functions and Web single sign-on identity context authentication and authorization fraud detection secure mobile access and more
bull Oracle Access Management 11gR2 has been architected to provide internet-level performance scalability and high availability
bull The focus of this presentation would be on three critical products OMSOAMOAAM with references to OIDOracle DB
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 22
Access Management Sample Banking Test Casebull To help with this presentation we will use a sample integrated test case that
would include all the 3 Access components along with OID and DBndash All the 3 Access components are integratedndash Requests could come from a mobile app or a web browser
Copyright copy 2014 Oracle andor its affiliates All rights reserved |
Access Management Sample Banking Test Case Overview
`OHS
Webgate
Banking Applications
Mobile and
Social
Access Manager (Core)
Adaptive Access Manager OAM DB
OAAM DB
23
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 24
Access Management Performance Analysis
bull To start with the performance analysis of access management operations we need to define the issueproblem
bull Typically a slow transaction is identified during the testing or in productionndash Ex
bull Login is slowbull Page loading is slow but the application does not appear to be the issuebull Huge spikes in response timesbull Server is not scaling beyond certain concurrent load
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 25
Performance Analysis Isolate
bull Is it a IDM issuebull If itrsquos a browser based authentication flow check the browser http trace
(ex httpfox for firefox)
Isolating the bottleneck
0221 673 GET 302 texthtml httpstestbank-fsusoraclecomprofilePage0568 1587 GET 302 texthtml httpstestbank-ssousoraclecomoamserverobrareqcgi 0174 4139 GET 200 texthtml httpstestbank-ssousoraclecomgloballoginPage0556 5422 POST 302 Redirect httpstestbank-ssousoraclecomoamserverauth_cred_submit0057 3061 GET 302 Redirect httpstestbank-fsusoraclecomobrarcgiencreply=Y8e1m9daYF0076 2283 GET 302 Redirect httpstestbank-fsusoraclecomhomePageadfAuthentication_a0160 2412 GET 200 texthtml httpstestbank-fsusoraclecomprofilePage

Performance Analysis: Isolate (Continued)
Isolating the bottleneck
• Load testing identifies slow transactions
• Analyze the access logs on each component to isolate the slow request(s) to one of the components
• OMS and Webgate use the OAP protocol to communicate with OAM
– These are not registered in HTTP access logs; separate configuration is available in Webgate
– The netstat monitoring tool would give information about connections
– These connections should be stable under steady state; unstable connections will lead to spikes in response times
• By the end of this step we should have isolated the problem to one (or a few) of the access components: OAM/OMS/OAAM/OHS/Webgate/OID/DB
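
The access-log isolation step above, as an added example that is not part of the original presentation: it ranks request paths from each component's HTTP access log by 95th-percentile service time to show which component owns the slow request. It assumes every component logs in an Apache-style format ending with `%D` (service time in microseconds); the component names and log lines are constructed sample data.

```python
import math
import re
from collections import defaultdict
from statistics import mean

# Assumed LogFormat on every component (an assumption, not from the slides):
#   %h %l %u %t "%r" %>s %b %D     where %D is the service time in microseconds
LINE_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ (?P<usec>\d+)$'
)

# Constructed sample data: component names, addresses and timings are made up.
SAMPLE_LOGS = {
    "ohs-webgate": [
        '10.0.0.5 - - [29/Sep/2014:10:00:01 +0000] "GET /profilePage HTTP/1.1" 302 673 221000',
        '10.0.0.5 - - [29/Sep/2014:10:00:04 +0000] "GET /obrar.cgi?encreply=PLACEHOLDER HTTP/1.1" 302 3061 57000',
        '10.0.0.5 - - [29/Sep/2014:10:00:05 +0000] "GET /profilePage HTTP/1.1" 200 2412 160000',
        'truncated entry without timing',
    ],
    "oam-server": [
        '10.0.0.5 - - [29/Sep/2014:10:00:02 +0000] "GET /oam/server/obrareq.cgi?encquery=PLACEHOLDER HTTP/1.1" 302 1587 568000',
        '10.0.0.5 - - [29/Sep/2014:10:00:03 +0000] "POST /oam/server/auth_cred_submit HTTP/1.1" 302 5422 556000',
        '10.0.0.6 - - [29/Sep/2014:10:00:03 +0000] "POST /oam/server/auth_cred_submit HTTP/1.1" 302 5422 1840000',
        '10.0.0.7 - - [29/Sep/2014:10:00:04 +0000] "POST /oam/server/auth_cred_submit HTTP/1.1" 302 5422 610000',
        '10.0.0.6 - - [29/Sep/2014:10:00:02 +0000] "GET /oam/server/obrareq.cgi?encquery=PLACEHOLDER HTTP/1.1" 302 1587 402000',
    ],
}


def parse_line(line):
    """Return (path without query string, service time in ms) or None if malformed."""
    match = LINE_RE.match(line.strip())
    if match is None:
        return None
    path = match.group("target").split("?", 1)[0]
    return path, int(match.group("usec")) / 1000.0


def percentile(values, pct):
    """Nearest-rank percentile; with few samples this is simply a high observed value."""
    ordered = sorted(values)
    rank = max(1, math.ceil(pct / 100.0 * len(ordered)))
    return ordered[rank - 1]


def summarize(logs):
    """Aggregate per (component, path); return rows sorted by p95 descending, and skipped count."""
    samples = defaultdict(list)
    skipped = 0
    for component, lines in logs.items():
        for line in lines:
            parsed = parse_line(line)
            if parsed is None:
                skipped += 1  # count unparseable lines instead of silently dropping them
                continue
            path, ms = parsed
            samples[(component, path)].append(ms)
    rows = [
        {
            "component": component,
            "path": path,
            "count": len(times),
            "mean_ms": mean(times),
            "p95_ms": percentile(times, 95),
            "max_ms": max(times),
        }
        for (component, path), times in samples.items()
    ]
    rows.sort(key=lambda row: row["p95_ms"], reverse=True)
    return rows, skipped


def slow_components(rows, threshold_ms):
    """Map each component to the paths whose p95 exceeds the threshold."""
    result = defaultdict(list)
    for row in rows:
        if row["p95_ms"] > threshold_ms:
            result[row["component"]].append(row["path"])
    return dict(result)


if __name__ == "__main__":
    rows, skipped = summarize(SAMPLE_LOGS)
    for row in rows:
        print("{component:12} {path:32} n={count} mean={mean_ms:.0f}ms p95={p95_ms:.0f}ms".format(**row))
    print("skipped lines:", skipped)
    print("over 500 ms:", slow_components(rows, 500))
```

OAP traffic between Webgate/OMS and OAM does not appear in these HTTP logs, so a clean result here still leaves the connection checks from the slide to do.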

Performance Analysis: Identify
• Once the problem is isolated to one of the components, we can leverage the tools to identify the problem
• We will discuss two of the tools
– DMS
– JFR

Performance Analysis: Identify (DMS metrics – OAMSOAM_OAMController)
[Screenshot callouts]
• AuthZ is 0
• AuthN RT is high on this server

Performance Analysis: Identify (JFR)
Identifying the bottleneck: JFR
1. WebLogic -> Servlet
2. Clearly the authentication call is the slowest -> Select and add selection to operative set
3. Events -> logs -> "Filter slow requests"

Performance Analysis: Identify (JFR)
• Select the events you are interested in
• Socket Read (blue) from OMS to OAM appears to be the bottleneck for the servlet calls (pink)

Tune
• OAM
– NAP Connection
  • OAM EJB pool
– Coherence
  • oamcoherencettl
  • MaximumQueueSize
  • tangosol.coherence.distributed.threads
  • tangosol.coherence.distributed.backupcount
  • max-beans-in-free-pool = 450
  • DistributedCacheMaxSize
– OAM DB session growth should be sustainable
  • Monitor the expired sessions in OAM DB
• OMS
– Modify OMS-OAM connection to point to local server
– Connection pooling to OAM
• OAAM
– OAAM DB partition tunings on tables like VCRYPT_ALERT, VT_SESSION_ACTION_MAP, VCRYPT_TRACKER_USERNODE_LOGS
– OAAM DB connection pool
– Purge historic data
• Separate DB for OAM and OAAM

Tune
• OHS tuning is critical
– KeepAlive On
– MaxKeepAliveRequests
– KeepAliveTimeout
• Webgate tunings
– Max Connections
– Cache Pragma/Control header
– aaaTimeout
• Goal
– Load test: maximum CPU utilization
– Steady RT

Access Management Conclusion
• Oracle Access Management 11gR2 represents a major milestone in access management technology that is unique in the industry. Oracle's Access Management platform provides innovative new services that complement traditional access management capabilities
• This new platform represents key development goals for complete, innovative, simplified and scalable access management that is open to third-party customization and integration
• Whether your need is to provide secure access to browser-based applications, secure mobile applications, cloud single sign-on, secure web services, or federated single sign-on to and from your business partners, you can be sure that it's a service provided by Oracle Access Management 11gR2 – Complete and Scalable Access Management
• 250M Access Management benchmark WhitePaper link

Agenda
1 Introduction
2 Access Manager Performance
3 Oracle Identity Manager Performance
4 Conclusion
5 Q & A

Oracle Identity Governance
• Oracle Identity Governance Suite enables organizations to simplify access grants and review access through best-in-class provisioning, role, policy and risk management into a common, consistent and unified governance suite
• Oracle Identity Manager is part of OIG suite

Oracle Identity Manager
1 Oracle Identity Manager Performance
2 Tuning and Managing Application Cache
3 Tuning Message Driven Beans
4 Tuning the User Interface
5 Tuning the JDBC connection pool & Database
6 Reconciliation Tuning

OIM Reconciliation metrics through DMS
• Schedule Job
– Time it took to capture the events from the target and time it took to create the event
• Action Task
– Provides information about how much time it took to process the events
• Event Handlers
– Reports how much time it took to execute any post-process event handlers
• Audit Handler
– Reports the time taken to record and process the audit

OIM metrics through DMS

Tuning and Managing Application Cache
• Oracle Identity Manager allows caching of metadata, which reduces DB activity and network load and improves performance
– You can use Oracle Enterprise Manager (EM) to turn on caching
– Export oim-config.xml to make changes and then import it back to turn on caching
In Oracle Enterprise Manager console, under Identity Management

Tuning the JDBC Connection Pool & Database
• Oracle Identity Manager uses ApplicationDB, oimOperationsDB and oimJMSStoreDS datasources
– Maximum connections is set at 50
– Increase this based on your load requirement
• Monitor key database performance indicators in your production environment and adjust the configuration
– You can use EM to monitor DB & generate AWR/ADDM reports

Tuning the JDBC Connection Pool & Database Contd…
• Create separate tablespaces for tables that generally grow bigger and are accessed frequently
– Oracle Identity Manager stores provisioning and approval task details in OSI, OSH & SCH tables
– Recommended to group these in one or more dedicated tablespaces
– Storing audit tables in separate tablespace
• Using Multiple Redo-Log Files
– Database transactions and commits during a reconciliation run can be high

Tuning Message Driven Beans
• Oracle Identity Manager uses Message Driven Beans (MDBs) for processing all offline activities
– Reconciliation, auditing, requests, attestation and for its internal kernel operations
• By default, 80 MDB instances concurrently serve requests
– Increase this based on your load
– You can increase this by modifying the OIMMDBWorkManager configuration

Tuning the User Interface
• Oracle Identity Manager by default provides 20 front-end thread configurations
– These threads are used for serving front-end requests
• Disabling the Reloading of Adapters and Plug-in Configuration
– Reloading of adapters and plug-in configuration is enabled for ease of development
– Should be disabled in the production environment
• Application Module tuning is critical for the UI performance
• -Djbo.ampool.maxavailablesize = number of concurrent users + 20

Reconciliation Tuning
• Configure paged reconciliation to optimize performance
• Database indexes for reconciliation matching rules
• Reconciliation uses matching algorithm to find if the user/account/role/organization for which the change is requested
• Matching algorithm compares the data in set of columns in OIM with the data in target staging table columns

Reconciliation Tuning Contd…
• Columns that contain the matching rules are defined in the reconciliation profile
• Indexes are created on the matching rule columns to improve the performance of the matching operation

Conclusion
• Use tools and information provided in this presentation to achieve maximum performance from your IDM deployment
• 250M Access Management benchmark WP link
• Tuning considerations mentioned in this presentation are available
– Oracle Identity and Access Management Performance and Tuning Guide

Q&A

Performance Analysis Tools – Java Flight Recorder (JFR)
• JFR is an excellent on-demand tool for diagnosing performance issues, suitable for use both in development and production environments
• The recorded data can be analyzed offline using Java Mission Control
• Key Features/Metrics
– Threads: hot threads, thread contention, thread dumps
– Memory: heap and garbage collection statistics
– I/O events like socket R/W, file R/W
– Latencies for key events like Java waits, Java blocks, etc.
• JRockit and JDK 7u40 and above only (bundled with the HotSpot JVM)
• Optional WebLogic pack provides additional metrics on
– Servlets, EJBs, client JDBC calls, etc.

Analyzing metrics: JDK/Unix tools
• JDK
– JMAP
– JConsole
– Thread dumps
• Eclipse Memory Analyzer
• Unix
  • netstat
  • SAR/top
  • vmstat

Dynamic Monitoring Service (DMS)
• DMS enables IDM applications to collect critical performance metrics
• DMS metrics can be collected for
– Access Management events, OIM event handlers, adapters or scheduled jobs
• DMS exposes a servlet to view the DMS-enabled metrics
– http://servername:port/dms
• DMS metrics are cumulative from the server start
– Reset the metrics before the test or before steady state

Oracle FMW Enterprise Manager
• Access Management Performance
– Authentications/sec for each OAM Server instance in the cluster
– Success Rate: percentage of successful authentications
– Authorizations/sec for each OAM Server instance in the cluster
– Success Rate: percentage of successful authorizations
• OIM Performance
– Adapter Executions
– Event Handler Executions
– JMS Metrics

DB Tools
• Use DB tools to collect comprehensive diagnostic data to help analyze the performance issues
– AWR (Automatic Workload Repository)
– ADDM (Automatic Database Diagnostic Monitor)
– Active Session History (ASH)
• DB tools help to identify the performance issue at the database/session level and resource-intensive SQL queries/PL/SQL packages related to a particular use case

DB Tools
• AWR snapshot interval: 1 hour or less
– Frequent snapshots provide higher granularity and help to narrow down the root cause
• Generate ASH reports when you suspect resource-intensive SQL queries/PL/SQL packages are the bottlenecks
• Use database EM console/scripts to generate the AWR and ADDM reports
• OAAM & OIM are DB-intensive applications

Program Agenda
1 Introduction
2 Performance Tools and Methodology
3 Oracle Access Management Performance
4 Oracle Identity Manager Performance
5 Conclusion
6 Q & A

Oracle Access Management Overview
• OAM suite is a set of Java Platform, Enterprise Edition based enterprise-level security applications that includes a full range of services that provide Web-perimeter security functions and Web single sign-on, identity context, authentication and authorization, fraud detection, secure mobile access and more
• Oracle Access Management 11gR2 has been architected to provide internet-level performance, scalability and high availability
• The focus of this presentation would be on three critical products, OMS/OAM/OAAM, with references to OID/Oracle DB
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 22
Access Management Sample Banking Test Casebull To help with this presentation we will use a sample integrated test case that
would include all the 3 Access components along with OID and DBndash All the 3 Access components are integratedndash Requests could come from a mobile app or a web browser
Copyright copy 2014 Oracle andor its affiliates All rights reserved |
Access Management Sample Banking Test Case Overview
`OHS
Webgate
Banking Applications
Mobile and
Social
Access Manager (Core)
Adaptive Access Manager OAM DB
OAAM DB
23
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 24
Access Management Performance Analysis
bull To start with the performance analysis of access management operations we need to define the issueproblem
bull Typically a slow transaction is identified during the testing or in productionndash Ex
bull Login is slowbull Page loading is slow but the application does not appear to be the issuebull Huge spikes in response timesbull Server is not scaling beyond certain concurrent load
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 25
Performance Analysis Isolate
bull Is it a IDM issuebull If itrsquos a browser based authentication flow check the browser http trace
(ex httpfox for firefox)
Isolating the bottleneck
0221 673 GET 302 texthtml httpstestbank-fsusoraclecomprofilePage0568 1587 GET 302 texthtml httpstestbank-ssousoraclecomoamserverobrareqcgi 0174 4139 GET 200 texthtml httpstestbank-ssousoraclecomgloballoginPage0556 5422 POST 302 Redirect httpstestbank-ssousoraclecomoamserverauth_cred_submit0057 3061 GET 302 Redirect httpstestbank-fsusoraclecomobrarcgiencreply=Y8e1m9daYF0076 2283 GET 302 Redirect httpstestbank-fsusoraclecomhomePageadfAuthentication_a0160 2412 GET 200 texthtml httpstestbank-fsusoraclecomprofilePage
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 26
Performance Analysis Isolate (Continue)
bull Load testing identifies slow transactionsbull Analyze the access logs on each component to isolate the slow request(s) to
one of the componentbull OMS and webgate uses oap protocol to communicate with OAM
ndash These are not registered in http access logs separate configuration is available in webgate ndash Netstat monitoring tool would give information about connections ndash These connections should be stable under steady state unstable connections will lead to
spikes in response times
bull By the end of this step we should have isolate the problem to one (or few) of the access components OAMOMSOAAMOHSwebgateOIDDB
Isolating the bottleneck
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 27
Performance Analysis Identify
bull Once the problem is isolated to one of the component we can leverage the tools to identify the problem
bull We will discuss two of the toolsndash DMSndash JFR
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 28
Performance Analysis Identify (DMS metrics ndash OAMSOAM_OAMController)
AuthZ is 0
AuthN RTis high on this server
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 29
Performance analysis Identify (JFR)
Identifying the bottleneck JFR1Weblogic-gtServlet
2 Clearly authentication call is the slowest -gtSelect and add selection to operative set3 Events-gt logs -gt ldquoFilter slow requests ldquo
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 30
Performance analysis Identify (JFR)
bull Select the events you are interested in
bull Socket Read (Blue)from OMS to OAM appears to be the bottleneck for the servlet calls (pink)
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 31
Tunebull OAM
ndash NAP Connectionbull OAM EJB pool
ndash Coherencebull oamcoherencettlbull MaximumQueueSizebull tangosolcoherencedistributedthreadsbull tangosolcoherencedistributedbackupcountbull max-beans-in-free-pool =450bull DistributedCacheMaxSize
ndash OAM Db session growth should be sustainablebull Monitor the expired session in OAM DB
bull OMSndash Modify OMS-OAM connection to point to local server
ndash Connection pooling to OAM
bull OAAMndash OAAM DB Partition tunings on tables like VCRYPT_ALERT
VT_SESSION_ACTION_MAP VCRYPT_TRACKER_USERNODE_LOGS
ndash OAAM Db connection pool
ndash Purge historic data
bull Separate DB for OAM and OAAM
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 32
Tune
bull OHS Tuning is criticalndash KeepAlive On ndash MaxKeepAliveRequestsndash KeepAliveTimeout
bull Webgate tuningsndash Max Connections
ndash Cache PragmaControl headerndash aaaTimeout
bull Goalndash Loadtest Maximum cpu utilizationndash Steady RT
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 33
Access Management Conclusion
• Oracle Access Management 11gR2 represents a major milestone in access management technology that is unique in the industry. Oracle's Access Management platform provides innovative new services that complement traditional access management capabilities.
• This new platform represents key development goals for complete, innovative, simplified, and scalable access management that is open to third-party customization and integration.
• Whether your need is to provide secure access to browser-based applications, secure mobile applications, cloud single sign-on, secure web services, or federated single sign-on to and from your business partners, you can be sure that it's a service provided by Oracle Access Management 11gR2 – Complete and Scalable Access Management.
• 250M Access Management benchmark white paper link

Agenda
1. Introduction
2. Access Manager Performance
3. Oracle Identity Manager Performance
4. Conclusion
5. Q & A

Oracle Identity Governance
• Oracle Identity Governance Suite enables organizations to simplify access grants and review access through best-in-class provisioning, role, policy, and risk management into a common, consistent, and unified governance suite
• Oracle Identity Manager is part of the OIG suite

Oracle Identity Manager
1. Oracle Identity Manager Performance
2. Tuning and Managing Application Cache
3. Tuning Message Driven Beans
4. Tuning the User Interface
5. Tuning the JDBC connection pool & Database
6. Reconciliation Tuning

OIM Reconciliation metrics through DMS
• Schedule Job
  – Time it took to capture the events from the target and time it took to create the event
• Action Task
  – Provides information about how much time it took to process the events
• Event Handlers
  – Reports how much time it took to execute any post-process event handlers
• Audit Handler
  – Reports the time taken to record and process the audit

OIM metrics through DMS
Tuning and Managing Application Cache
• Oracle Identity Manager allows caching of metadata, which reduces DB activity and network load and improves performance
  – You can use Oracle Enterprise Manager (EM) to turn on caching
  – Export oim-config.xml, make the changes, and then import it back to turn on caching, in the Oracle Enterprise Manager console under Identity Management

Tuning the JDBC Connection Pool & Database
• Oracle Identity Manager uses the ApplicationDB, oimOperationsDB, and oimJMSStoreDS datasources
  – Maximum connections is set at 50
  – Increase this based on your load requirement
• Monitor key database performance indicators in your production environment and adjust the configuration
  – You can use EM to monitor the DB & generate AWR/ADDM reports

Tuning the JDBC Connection Pool & Database (Contd.)
• Create separate tablespaces for tables that generally grow bigger and are accessed frequently
  – Oracle Identity Manager stores provisioning and approval task details in the OSI, OSH & SCH tables
  – Recommended to group these in one or more dedicated tablespaces
  – Storing audit tables in a separate tablespace
• Using multiple redo-log files
  – Database transactions and commits during a reconciliation run can be high

Tuning Message Driven Beans
• Oracle Identity Manager uses Message Driven Beans (MDBs) for processing all offline activities
  – Reconciliation, auditing, requests, attestation, and for its internal kernel operations
• By default, 80 MDB instances concurrently serve requests
  – Increase this based on your load
  – You can increase this by modifying the OIMMDBWorkManager configuration

Tuning the User Interface
• Oracle Identity Manager by default provides 20 front-end thread configurations
  – These threads are used for serving front-end requests
• Disabling the reloading of adapters and plug-in configuration
  – Reloading of adapters and plug-in configuration is enabled for ease of development
  – Should be disabled in the production environment
• Application Module tuning is critical for UI performance
  • -Djbo.ampool.maxavailablesize = number of concurrent users + 20

Reconciliation Tuning
• Configure paged reconciliation to optimize performance
• Database indexes for reconciliation matching rules
• Reconciliation uses matching algorithm to find if the user/account/role/organization for which the change is requested
• Matching algorithm compares the data in a set of columns in OIM with the data in target staging table columns

Reconciliation Tuning (Contd.)
• Columns that contain the matching rules are defined in the reconciliation profile
• Indexes created on the matching rule columns to improve the performance of the matching operation

Conclusion
• Use tools and information provided in this presentation to achieve maximum performance from your IDM deployment
• 250M Access Management benchmark WP link
• Tuning considerations mentioned in this presentation are available
  – Oracle Identity and Access Management Performance and Tuning Guide

Q&A

Dynamic Monitoring Service (DMS)
• DMS enables IDM applications to collect critical performance metrics
• DMS metrics can be collected for
  – Access Management events, OIM event handlers, adapters, or scheduled jobs
• DMS exposes a servlet to view the DMS-enabled metrics
  – http://servername:port/dms
• DMS metrics are cumulative from the server start
  – Reset the metrics before the test or before steady state

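The cumulative-counter point above, as an added example (not code from the presentation or from Oracle): steady-state throughput and average response time computed from two readings of a cumulative metric, compared with the lifetime average that warm-up inflates. The field names `completed` and `total_ms` and all sample readings are assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Snapshot:
    """One reading of a cumulative metric pair (hypothetical field names)."""
    taken_at: float   # epoch seconds when the reading was taken
    completed: int    # operations completed since server start
    total_ms: float   # total time spent in those operations, in ms


@dataclass(frozen=True)
class Interval:
    seconds: float
    operations: int
    ops_per_sec: float
    avg_ms: float
    counter_reset: bool


def lifetime_avg_ms(s: Snapshot) -> float:
    """Average since server start: what a single cumulative reading gives you."""
    return s.total_ms / s.completed if s.completed else 0.0


def interval_between(before: Snapshot, after: Snapshot) -> Interval:
    """Throughput and average response time for the window between two readings."""
    seconds = after.taken_at - before.taken_at
    if seconds <= 0:
        raise ValueError("snapshots must be in chronological order")
    # A counter that went backwards means a restart or a metric reset happened
    # inside the window, so subtracting would produce negative nonsense.
    reset = after.completed < before.completed or after.total_ms < before.total_ms
    if reset:
        # The later reading already counts only post-reset activity. The true
        # window is shorter than `seconds`, so ops_per_sec is a lower bound.
        ops, ms = after.completed, after.total_ms
    else:
        ops = after.completed - before.completed
        ms = after.total_ms - before.total_ms
    avg = ms / ops if ops else 0.0
    return Interval(seconds, ops, ops / seconds, avg, reset)


# Constructed readings: a slow warm-up (1,000 logins at 900 ms each), then ten
# minutes of steady load (60,000 logins at 50 ms each), then a restart.
WARM = Snapshot(taken_at=0.0, completed=1_000, total_ms=900_000.0)
STEADY = Snapshot(taken_at=600.0, completed=61_000, total_ms=3_900_000.0)
RESTARTED = Snapshot(taken_at=1200.0, completed=500, total_ms=30_000.0)

if __name__ == "__main__":
    print("lifetime avg ms:", round(lifetime_avg_ms(STEADY), 1))
    print("steady state   :", interval_between(WARM, STEADY))
    print("after restart  :", interval_between(STEADY, RESTARTED))
```
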
Oracle FMW Enterprise Manager
• Access Management Performance
  – Authentications/sec for each OAM Server instance in the cluster
  – Success Rate: percentage of successful authentications
  – Authorizations/sec for each OAM Server instance in the cluster
  – Success Rate: percentage of successful authorizations
• OIM Performance
  – Adapter Executions
  – Event Handler Executions
  – JMS Metrics

DB Tools
• Use DB tools to collect comprehensive diagnostic data to help analyze the performance issues
  – AWR (Automatic Workload Repository)
  – ADDM (Automatic Database Diagnostic Monitor)
  – Active Session History (ASH)
• DB tools help to identify the performance issue at the database/session level and resource-intensive SQL queries/PL/SQL packages related to a particular use case

DB Tools
• AWR snapshot interval: 1 hour or less
  – Frequent snapshots provide higher granularity and help to narrow down the root cause
• Generate ASH reports when you suspect resource-intensive SQL queries/PL-SQL packages are the bottlenecks
• Use the database EM console/scripts to generate the AWR and ADDM reports
• OAAM & OIM are DB-intensive applications

Program Agenda
1. Introduction
2. Performance Tools and Methodology
3. Oracle Access Management Performance
4. Oracle Identity Manager Performance
5. Conclusion
6. Q & A

Oracle Access Management Overview
• The OAM suite is a set of Java Platform, Enterprise Edition based enterprise-level security applications that includes a full range of services that provide Web-perimeter security functions and Web single sign-on, identity context, authentication and authorization, fraud detection, secure mobile access, and more
• Oracle Access Management 11gR2 has been architected to provide internet-level performance, scalability, and high availability
• The focus of this presentation is on three critical products, OMS/OAM/OAAM, with references to OID/Oracle DB

Access Management Sample Banking Test Case
• To help with this presentation, we will use a sample integrated test case that includes all 3 Access components along with OID and DB
  – All 3 Access components are integrated
  – Requests could come from a mobile app or a web browser

Access Management Sample Banking Test Case Overview
[Diagram: OHS, Webgate, Banking Applications, Mobile and Social, Access Manager (Core), Adaptive Access Manager, OAM DB, OAAM DB]

Access Management Performance Analysis
• To start the performance analysis of access management operations, we need to define the issue/problem
• Typically a slow transaction is identified during testing or in production
  – Ex.
    • Login is slow
    • Page loading is slow but the application does not appear to be the issue
    • Huge spikes in response times
    • Server is not scaling beyond a certain concurrent load

Performance Analysis: Isolate
• Is it an IDM issue?
• If it's a browser-based authentication flow, check the browser HTTP trace (ex. HttpFox for Firefox)
Isolating the bottleneck
0221 673 GET 302 texthtml httpstestbank-fsusoraclecomprofilePage
0568 1587 GET 302 texthtml httpstestbank-ssousoraclecomoamserverobrareqcgi
0174 4139 GET 200 texthtml httpstestbank-ssousoraclecomgloballoginPage
0556 5422 POST 302 Redirect httpstestbank-ssousoraclecomoamserverauth_cred_submit
0057 3061 GET 302 Redirect httpstestbank-fsusoraclecomobrarcgiencreply=Y8e1m9daYF
0076 2283 GET 302 Redirect httpstestbank-fsusoraclecomhomePageadfAuthentication_a
0160 2412 GET 200 texthtml httpstestbank-fsusoraclecomprofilePage

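One way to carry out this isolation step on a saved browser trace, as an added example that is not part of the original presentation: total the elapsed time per tier and find the slowest hop of the login redirect chain. The trace rows, hostnames and host-to-tier map are constructed, and the column order (seconds, bytes, method, status, type, URL) is an assumption about the trace layout.

```python
from collections import defaultdict
from typing import NamedTuple
from urllib.parse import urlsplit

# Constructed sample: one browser login flow, one request per line.
TRACE = """\
0.210 673 GET 302 text/html https://app.example.test/profilePage
0.540 1587 GET 302 text/html https://sso.example.test/oam/server/obrareq.cgi
0.180 4139 GET 200 text/html https://sso.example.test/login
1.900 5422 POST 302 Redirect https://sso.example.test/oam/server/auth_cred_submit
0.060 3061 GET 302 Redirect https://app.example.test/obrar.cgi?encreply=PLACEHOLDER
0.080 2283 GET 302 Redirect https://app.example.test/homePage
0.150 2412 GET 200 text/html https://app.example.test/profilePage
"""

# Constructed mapping from hostname to the tier that serves it.
TIERS = {"app.example.test": "app", "sso.example.test": "sso"}


class Request(NamedTuple):
    seconds: float
    size: int
    method: str
    status: int
    kind: str
    url: str

    @property
    def host(self) -> str:
        return urlsplit(self.url).hostname or ""


def parse_trace(text: str) -> list:
    """Parse whitespace-separated trace rows; fail loudly on a malformed row."""
    requests = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(None, 5)
        if len(parts) != 6:
            raise ValueError(f"line {lineno}: expected 6 columns, got {len(parts)}")
        seconds, size, method, status, kind, url = parts
        requests.append(
            Request(float(seconds), int(size), method, int(status), kind, url.strip())
        )
    return requests


def time_by_tier(requests, tiers) -> dict:
    """Sum elapsed seconds per tier; hosts missing from the map go to 'other'."""
    totals = defaultdict(float)
    for r in requests:
        totals[tiers.get(r.host, "other")] += r.seconds
    return dict(totals)


def tier_share(requests, tiers, tier: str) -> float:
    """Fraction of the whole flow's elapsed time spent in one tier."""
    totals = time_by_tier(requests, tiers)
    whole = sum(totals.values())
    return totals.get(tier, 0.0) / whole if whole else 0.0


def slowest(requests) -> Request:
    return max(requests, key=lambda r: r.seconds)


if __name__ == "__main__":
    reqs = parse_trace(TRACE)
    print(time_by_tier(reqs, TIERS))
    print("SSO share of login time:", round(tier_share(reqs, TIERS, "sso"), 2))
    worst = slowest(reqs)
    print("slowest hop:", worst.method, worst.url, worst.seconds)
```
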
Performance Analysis: Isolate (Continued)
• Load testing identifies slow transactions
• Analyze the access logs on each component to isolate the slow request(s) to one of the components
• OMS and Webgate use the OAP protocol to communicate with OAM
  – These are not registered in HTTP access logs; separate configuration is available in Webgate
  – The netstat monitoring tool gives information about connections
  – These connections should be stable under steady state; unstable connections will lead to spikes in response times
• By the end of this step, we should have isolated the problem to one (or a few) of the access components: OAM/OMS/OAAM/OHS/Webgate/OID/DB
Isolating the bottleneck

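The netstat check described above, as an added example (not from the presentation): compare successive `netstat -ant` samples and measure how many OAP connections to OAM were opened or closed between them. The port number, addresses, sample output and the 25% threshold are assumptions constructed for illustration.

```python
from typing import NamedTuple

OAP_PORT = 5575  # assumption: the port your OAM proxy listens on


class Delta(NamedTuple):
    established: int  # OAP connections in the later sample
    opened: int       # present now, absent in the previous sample
    closed: int       # present before, gone now
    churn: float      # (opened + closed) / previous connection count


def oap_connections(netstat_output: str, port: int = OAP_PORT) -> set:
    """Return {(local, remote)} for ESTABLISHED TCP connections to `port`."""
    conns = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue  # header lines, UDP, unix sockets
        local, remote, state = fields[3], fields[4], fields[5]
        if state != "ESTABLISHED":
            continue  # TIME_WAIT and friends are leftovers, not pooled connections
        if remote.rsplit(":", 1)[-1] != str(port):
            continue
        conns.add((local, remote))
    return conns


def churn_report(samples, port: int = OAP_PORT) -> list:
    """Compare each sample with the one before it."""
    report, prev = [], None
    for raw in samples:
        cur = oap_connections(raw, port)
        if prev is not None:
            opened, closed = cur - prev, prev - cur
            ratio = (len(opened) + len(closed)) / max(len(prev), 1)
            report.append(Delta(len(cur), len(opened), len(closed), ratio))
        prev = cur
    return report


def unstable(report, threshold: float = 0.25) -> list:
    """Indexes of intervals whose churn exceeds the threshold."""
    return [i for i, d in enumerate(report) if d.churn > threshold]


def _sample(local_ports, extra: str = "") -> str:
    """Build constructed `netstat -ant` text for a Webgate host at 10.0.0.5."""
    rows = [
        f"tcp        0      0 10.0.0.5:{p}    10.0.0.9:{OAP_PORT}    ESTABLISHED"
        for p in local_ports
    ]
    header = "Proto Recv-Q Send-Q Local Address  Foreign Address  State"
    db = "tcp        0      0 10.0.0.5:52000    10.0.0.7:1521    ESTABLISHED"
    return "\n".join([header, *rows, db]) + "\n" + extra


# Constructed samples taken a minute apart under steady load. The connection
# count stays at 4 throughout, but in the third sample half of the pool has
# been torn down and re-established.
SAMPLES = [
    _sample([41001, 41002, 41003, 41004]),
    _sample([41001, 41002, 41003, 41004]),
    _sample(
        [41001, 41002, 41010, 41011],
        extra="tcp        0      0 10.0.0.5:41003    10.0.0.9:5575    TIME_WAIT\n",
    ),
]

if __name__ == "__main__":
    rep = churn_report(SAMPLES)
    for i, d in enumerate(rep):
        print(i, d)
    print("unstable intervals:", unstable(rep))
```

A stable connection count alone can hide churn, which is why the example compares the connection sets rather than their sizes.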
Performance Analysis: Identify
• Once the problem is isolated to one of the components, we can leverage the tools to identify the problem
• We will discuss two of the tools
  – DMS
  – JFR

Performance Analysis: Identify (DMS metrics – OAMSOAM_OAMController)
AuthZ is 0
AuthN RT is high on this server
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 29
Performance analysis Identify (JFR)
Identifying the bottleneck JFR1Weblogic-gtServlet
2 Clearly authentication call is the slowest -gtSelect and add selection to operative set3 Events-gt logs -gt ldquoFilter slow requests ldquo
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 30
Performance analysis Identify (JFR)
bull Select the events you are interested in
bull Socket Read (Blue)from OMS to OAM appears to be the bottleneck for the servlet calls (pink)
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 31
Tunebull OAM
ndash NAP Connectionbull OAM EJB pool
ndash Coherencebull oamcoherencettlbull MaximumQueueSizebull tangosolcoherencedistributedthreadsbull tangosolcoherencedistributedbackupcountbull max-beans-in-free-pool =450bull DistributedCacheMaxSize
ndash OAM Db session growth should be sustainablebull Monitor the expired session in OAM DB
bull OMSndash Modify OMS-OAM connection to point to local server
ndash Connection pooling to OAM
bull OAAMndash OAAM DB Partition tunings on tables like VCRYPT_ALERT
VT_SESSION_ACTION_MAP VCRYPT_TRACKER_USERNODE_LOGS
ndash OAAM Db connection pool
ndash Purge historic data
bull Separate DB for OAM and OAAM
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 32
Tune
bull OHS Tuning is criticalndash KeepAlive On ndash MaxKeepAliveRequestsndash KeepAliveTimeout
bull Webgate tuningsndash Max Connections
ndash Cache PragmaControl headerndash aaaTimeout
bull Goalndash Loadtest Maximum cpu utilizationndash Steady RT
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 33
Access Management ConclusionbullOracle Access Management 11gR2 represents a major milestone in access management technology that is unique in the industry Oraclersquos Access Management platform provides innovative new services that complement traditional access management capabilities
bullThis new platform represents key development goals for complete innovative simplified and scalable access management that is open to third-party customization and integration
bullWhether your need is to provide secure access to browser-based applications secure mobile applications cloud single sign-on secure web services or federated single sign-on to and from your business partners you can be sure that itrsquos a service provided by Oracle Access Management 11gR2 ndash Complete and Scalable Access Management
bull250M Access Management benchmark WhitePaper link
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 34
Agenda
Introduction
Access Manager Performance
Oracle Identity Manager Performance
Conclusion
Q amp A
1
3
4
5
2
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 35
Oracle Identity Governance
bull Oracle Identity Governance Suite enables organizations to simplify access grants and review access through best-in-class provisioning role policy and risk management into a common consistent and unified governance suite
bull Oracle Identity Manager is part of OIG suite
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 36
Oracle Identity Manager
Oracle Identity Manager Performance
Tuning and Managing Application Cache
Tuning Message Driven Beans
Tuning the User Interface
Tuning the JDBC connection pool amp Database
Reconciliation Tuning
1
2
3
4
5
6
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 37
OIM Reconciliation metrics through DMS
bull Schedule Jobndash Time it took to capture the events from the target and time it took to create the
event
bull Action Task ndash Provides information about how much time it took to process the events
bull Event Handlers ndash Reports how much time it took to execute any post process event handlers
bull Audit Handler ndash Reports the time taken to record and process the audit
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 38
OIM metrics through DMS
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 39
OIM metrics through DMS
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 40
Tuning and Managing Application Cachebull Oracle Identity Manager allows caching of metadata which reduces DB
activities network load and improved performancendash You can use Oracle Enterprise Manager (EM) to turn on cachingndash Export the oim-configxml to make changes and then import it back to turn on
caching In Oracle Enterprise Manager console under Identity Management
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 41
Tuning the JDBC Connection Pool amp Database
bull Oracle Identity Manager uses ApplicationDB oimOperationsDB and oimJMSStoreDS datasourcesndash Maximum connections is set at 50ndash Increase this based on your load requirement
bull Monitor key database performance indicators in your production environment and adjust the configurationndash You can use EM to monitor DB amp generate AWRADDM reports
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 42
Tuning the JDBC Connection Pool amp Database Contdhellip
bull Create separate tablespaces for tables that generally grow bigger and are accessed frequently ndash Oracle Identity Manager stores provisioning and approval task details in OSI OSH amp
SCH tablesndash Recommended to group these in one or more dedicated tablespacesndash Storing audit tables in separate tablespace
bull Using Multiple Redo-Log Filesndash Database transactions and commits during a reconciliation run can be high
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 43
Tuning Message Driven Beans
bull Oracle Identity Manager uses Message Driven Beans (MDBs) for processing all offline activitiesndash Reconciliation auditing requests attestation and for its internal kernel operations
bull Default is 80 MDB instances concurrently serve requests ndash Increase this based on your loadndash You can increase this by modifying the OIMMDBWorkManager configuration
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 44
Tuning the User Interface
bull Oracle Identity Manager by default provides 20 front-end thread configurations ndash These threads are used for serving front-end requests
bull Disabling the Reloading of Adapters and Plug-in Configurationndash Reloading of adapters and plug-in configuration are enabled for ease of
development ndash Should be disabled in the production environment
bull Application Module tuning is a critical for the UI performancebull Djboampoolmaxavailablesize = of concurrent users + 20
ndash
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 45
Reconciliation Tuning
bull Configure paged reconciliation to optimize performancebull Database Indexes for reconciliation matching Rulesbull Reconciliation uses matching algorithm to find if the
useraccountroleorganization for which the change is requested bull Matching algorithm compares the data in set of columns in OIM with the
data in target staging table columns
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 46
Reconciliation Tuning Contdhellip
bull Columns that contain the matching rules are defined in the reconciliation profile
bull Indexes created on the matching rule columns to improve the performance of the matching operation
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 47
Conclusion
bull Use tools and information provided in this presentation to achieve maximum performance from your IDM deployment
bull 250M Access Management benchmark WP linkbull Tuning considerations mentioned in this presentation are available
ndash Oracle Identity and Access Management Performance and Tuning Guide
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 48
QampA
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 49
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 16
Oracle FMW Enterprise Manager
bull Access Management Performance ndash Authenticationssec for each OAM Server instance in the clusterndash Success Rate percentage of successful authentications ndash Authorizationssec for each OAM Server instance in the clusterndash Success Rate percentage of successful authorizations
bull OIM Performancendash Adapter Executionsndash Event Handler Executionsndash JMS Metrics
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 17
Oracle FMW Enterprise Manager
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 18
DB Tools
bull Use DB tools to collect comprehensive diagnostic data to help analyze the performance issuesndash AWR (Automatic Workload Repository)ndash ADDM (Automatic Database Diagnostic Monitor)ndash Active Session History (ASH)
bull DB tools helps to identify the performance issue at the databasesession level and resource-intensive SQL queriesPLSQL packages related to particular use case
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 19
DB Tools
bull AWR snapshot interval 1 hour or less ndash Frequent snapshots provide higher granularity and help to narrow down the root
cause
bull Generate ASH reports when you suspect resource intensive SQL queriesPL-SQL packages are the bottlenecks
bull Use database EM consolescripts to generate the AWR and ADDM reportsbull OAAM amp OIM are DB intensive applications
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 20
Program Agenda
Introduction
Performance Tools and Methodology
Oracle Access Management Performance
Oracle Identity Manager Performance
Conclusion
Q amp A
1
4
5
6
2
3
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 21
Oracle Access Management Overview
bull OAM suite is a Java Platform Enterprise Edition based enterprise-level security applications that includes a full range of services that provide Web-perimeter security functions and Web single sign-on identity context authentication and authorization fraud detection secure mobile access and more
bull Oracle Access Management 11gR2 has been architected to provide internet-level performance scalability and high availability
bull The focus of this presentation would be on three critical products OMSOAMOAAM with references to OIDOracle DB
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 22
Access Management Sample Banking Test Casebull To help with this presentation we will use a sample integrated test case that
would include all the 3 Access components along with OID and DBndash All the 3 Access components are integratedndash Requests could come from a mobile app or a web browser
Copyright copy 2014 Oracle andor its affiliates All rights reserved |
Access Management Sample Banking Test Case Overview
`OHS
Webgate
Banking Applications
Mobile and
Social
Access Manager (Core)
Adaptive Access Manager OAM DB
OAAM DB
23
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 24
Access Management Performance Analysis
bull To start with the performance analysis of access management operations we need to define the issueproblem
bull Typically a slow transaction is identified during the testing or in productionndash Ex
bull Login is slowbull Page loading is slow but the application does not appear to be the issuebull Huge spikes in response timesbull Server is not scaling beyond certain concurrent load
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 25
Performance Analysis Isolate
bull Is it a IDM issuebull If itrsquos a browser based authentication flow check the browser http trace
(ex httpfox for firefox)
Isolating the bottleneck
0221 673 GET 302 texthtml httpstestbank-fsusoraclecomprofilePage0568 1587 GET 302 texthtml httpstestbank-ssousoraclecomoamserverobrareqcgi 0174 4139 GET 200 texthtml httpstestbank-ssousoraclecomgloballoginPage0556 5422 POST 302 Redirect httpstestbank-ssousoraclecomoamserverauth_cred_submit0057 3061 GET 302 Redirect httpstestbank-fsusoraclecomobrarcgiencreply=Y8e1m9daYF0076 2283 GET 302 Redirect httpstestbank-fsusoraclecomhomePageadfAuthentication_a0160 2412 GET 200 texthtml httpstestbank-fsusoraclecomprofilePage
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 26
Performance Analysis Isolate (Continue)
bull Load testing identifies slow transactionsbull Analyze the access logs on each component to isolate the slow request(s) to
one of the componentbull OMS and webgate uses oap protocol to communicate with OAM
ndash These are not registered in http access logs separate configuration is available in webgate ndash Netstat monitoring tool would give information about connections ndash These connections should be stable under steady state unstable connections will lead to
spikes in response times
bull By the end of this step we should have isolate the problem to one (or few) of the access components OAMOMSOAAMOHSwebgateOIDDB
Isolating the bottleneck
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 27
Performance Analysis Identify
bull Once the problem is isolated to one of the component we can leverage the tools to identify the problem
bull We will discuss two of the toolsndash DMSndash JFR
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 28
Performance Analysis Identify (DMS metrics ndash OAMSOAM_OAMController)
AuthZ is 0
AuthN RTis high on this server
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 29
Performance analysis Identify (JFR)
Identifying the bottleneck JFR1Weblogic-gtServlet
2 Clearly authentication call is the slowest -gtSelect and add selection to operative set3 Events-gt logs -gt ldquoFilter slow requests ldquo
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 30
Performance analysis Identify (JFR)
bull Select the events you are interested in
bull Socket Read (Blue)from OMS to OAM appears to be the bottleneck for the servlet calls (pink)
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 31
Tunebull OAM
ndash NAP Connectionbull OAM EJB pool
ndash Coherencebull oamcoherencettlbull MaximumQueueSizebull tangosolcoherencedistributedthreadsbull tangosolcoherencedistributedbackupcountbull max-beans-in-free-pool =450bull DistributedCacheMaxSize
ndash OAM Db session growth should be sustainablebull Monitor the expired session in OAM DB
bull OMSndash Modify OMS-OAM connection to point to local server
ndash Connection pooling to OAM
bull OAAMndash OAAM DB Partition tunings on tables like VCRYPT_ALERT
VT_SESSION_ACTION_MAP VCRYPT_TRACKER_USERNODE_LOGS
ndash OAAM Db connection pool
ndash Purge historic data
bull Separate DB for OAM and OAAM
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 32
Tune
bull OHS Tuning is criticalndash KeepAlive On ndash MaxKeepAliveRequestsndash KeepAliveTimeout
bull Webgate tuningsndash Max Connections
ndash Cache PragmaControl headerndash aaaTimeout
bull Goalndash Loadtest Maximum cpu utilizationndash Steady RT
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 33
Access Management ConclusionbullOracle Access Management 11gR2 represents a major milestone in access management technology that is unique in the industry Oraclersquos Access Management platform provides innovative new services that complement traditional access management capabilities
bullThis new platform represents key development goals for complete innovative simplified and scalable access management that is open to third-party customization and integration
bullWhether your need is to provide secure access to browser-based applications secure mobile applications cloud single sign-on secure web services or federated single sign-on to and from your business partners you can be sure that itrsquos a service provided by Oracle Access Management 11gR2 ndash Complete and Scalable Access Management
bull250M Access Management benchmark WhitePaper link
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 34
Agenda
Introduction
Access Manager Performance
Oracle Identity Manager Performance
Conclusion
Q amp A
1
3
4
5
2
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 35
Oracle Identity Governance
bull Oracle Identity Governance Suite enables organizations to simplify access grants and review access through best-in-class provisioning role policy and risk management into a common consistent and unified governance suite
bull Oracle Identity Manager is part of OIG suite
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 36
Oracle Identity Manager
Oracle Identity Manager Performance
Tuning and Managing Application Cache
Tuning Message Driven Beans
Tuning the User Interface
Tuning the JDBC connection pool amp Database
Reconciliation Tuning
1
2
3
4
5
6
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 37
OIM Reconciliation metrics through DMS
bull Schedule Jobndash Time it took to capture the events from the target and time it took to create the
event
bull Action Task ndash Provides information about how much time it took to process the events
bull Event Handlers ndash Reports how much time it took to execute any post process event handlers
bull Audit Handler ndash Reports the time taken to record and process the audit
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 38
OIM metrics through DMS
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 39
OIM metrics through DMS
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 40
Tuning and Managing Application Cachebull Oracle Identity Manager allows caching of metadata which reduces DB
activities network load and improved performancendash You can use Oracle Enterprise Manager (EM) to turn on cachingndash Export the oim-configxml to make changes and then import it back to turn on
caching In Oracle Enterprise Manager console under Identity Management
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 41
Tuning the JDBC Connection Pool amp Database
bull Oracle Identity Manager uses ApplicationDB oimOperationsDB and oimJMSStoreDS datasourcesndash Maximum connections is set at 50ndash Increase this based on your load requirement
bull Monitor key database performance indicators in your production environment and adjust the configurationndash You can use EM to monitor DB amp generate AWRADDM reports
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 42
Tuning the JDBC Connection Pool amp Database Contdhellip
bull Create separate tablespaces for tables that generally grow bigger and are accessed frequently ndash Oracle Identity Manager stores provisioning and approval task details in OSI OSH amp
SCH tablesndash Recommended to group these in one or more dedicated tablespacesndash Storing audit tables in separate tablespace
bull Using Multiple Redo-Log Filesndash Database transactions and commits during a reconciliation run can be high
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 43
Tuning Message Driven Beans
bull Oracle Identity Manager uses Message Driven Beans (MDBs) for processing all offline activitiesndash Reconciliation auditing requests attestation and for its internal kernel operations
bull Default is 80 MDB instances concurrently serve requests ndash Increase this based on your loadndash You can increase this by modifying the OIMMDBWorkManager configuration
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 44
Tuning the User Interface
bull Oracle Identity Manager by default provides 20 front-end thread configurations ndash These threads are used for serving front-end requests
bull Disabling the Reloading of Adapters and Plug-in Configurationndash Reloading of adapters and plug-in configuration are enabled for ease of
development ndash Should be disabled in the production environment
bull Application Module tuning is a critical for the UI performancebull Djboampoolmaxavailablesize = of concurrent users + 20
ndash
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 45
Reconciliation Tuning
• Configure paged reconciliation to optimize performance
• Database Indexes for reconciliation matching Rules
• Reconciliation uses matching algorithm to find if the user/account/role/organization for which the change is requested
• Matching algorithm compares the data in set of columns in OIM with the data in target staging table columns
Reconciliation Tuning (Cont'd…)
• Columns that contain the matching rules are defined in the reconciliation profile
• Indexes created on the matching rule columns to improve the performance of the matching operation
Conclusion
• Use tools and information provided in this presentation to achieve maximum performance from your IDM deployment
• 250M Access Management benchmark WP link
• Tuning considerations mentioned in this presentation are available
  – Oracle Identity and Access Management Performance and Tuning Guide
Q&A
Oracle FMW Enterprise Manager
DB Tools
• Use DB tools to collect comprehensive diagnostic data to help analyze the performance issues
  – AWR (Automatic Workload Repository)
  – ADDM (Automatic Database Diagnostic Monitor)
  – Active Session History (ASH)
• DB tools help to identify the performance issue at the database/session level and resource-intensive SQL queries/PL/SQL packages related to a particular use case
DB Tools
• AWR snapshot interval: 1 hour or less
  – Frequent snapshots provide higher granularity and help to narrow down the root cause
• Generate ASH reports when you suspect resource-intensive SQL queries/PL-SQL packages are the bottlenecks
• Use database EM console/scripts to generate the AWR and ADDM reports
• OAAM & OIM are DB-intensive applications
Program Agenda
1 Introduction
2 Performance Tools and Methodology
3 Oracle Access Management Performance
4 Oracle Identity Manager Performance
5 Conclusion
6 Q & A
Oracle Access Management Overview
• OAM suite is a Java Platform, Enterprise Edition based set of enterprise-level security applications that includes a full range of services providing Web-perimeter security functions and Web single sign-on, identity context, authentication and authorization, fraud detection, secure mobile access and more
• Oracle Access Management 11gR2 has been architected to provide internet-level performance, scalability and high availability
• The focus of this presentation is on three critical products, OMS/OAM/OAAM, with references to OID/Oracle DB
Access Management Sample Banking Test Case
• To help with this presentation we will use a sample integrated test case that would include all the 3 Access components along with OID and DB
  – All the 3 Access components are integrated
  – Requests could come from a mobile app or a web browser
Access Management Sample Banking Test Case Overview
[Diagram: OHS, Webgate, Banking Applications, Mobile and Social, Access Manager (Core), Adaptive Access Manager, OAM DB, OAAM DB]
Access Management Performance Analysis
• To start with the performance analysis of access management operations, we need to define the issue/problem
• Typically a slow transaction is identified during the testing or in production
  – Ex:
    • Login is slow
    • Page loading is slow but the application does not appear to be the issue
    • Huge spikes in response times
    • Server is not scaling beyond certain concurrent load
Performance Analysis: Isolate
Isolating the bottleneck
• Is it an IDM issue?
• If it's a browser-based authentication flow, check the browser HTTP trace (ex: httpfox for firefox)
0221 673 GET 302 texthtml httpstestbank-fsusoraclecomprofilePage
0568 1587 GET 302 texthtml httpstestbank-ssousoraclecomoamserverobrareqcgi
0174 4139 GET 200 texthtml httpstestbank-ssousoraclecomgloballoginPage
0556 5422 POST 302 Redirect httpstestbank-ssousoraclecomoamserverauth_cred_submit
0057 3061 GET 302 Redirect httpstestbank-fsusoraclecomobrarcgiencreply=Y8e1m9daYF
0076 2283 GET 302 Redirect httpstestbank-fsusoraclecomhomePageadfAuthentication_a
0160 2412 GET 200 texthtml httpstestbank-fsusoraclecomprofilePage
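An added example, not from the original slides: one way to turn a browser trace like the one above into a per-host time split, so the slow hop can be attributed to the SSO tier or the application tier. The rows are a constructed sample in the same column shape; reading the first column as elapsed seconds, and the hostnames and paths, are assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in the column shape of the slide's browser trace:
# elapsed seconds, response bytes, method, status, URL.
# Hostnames and paths are placeholders (assumptions), not the deck's values.
TRACE = """\
0.221 673 GET 302 https://app.bank.example/profilePage
0.568 1587 GET 302 https://sso.bank.example/sso/request
0.174 4139 GET 200 https://sso.bank.example/loginPage
0.556 5422 POST 302 https://sso.bank.example/sso/submit
0.057 3061 GET 302 https://app.bank.example/sso/reply
0.076 2283 GET 302 https://app.bank.example/homePage
0.160 2412 GET 200 https://app.bank.example/profilePage
"""


def parse_trace(text):
    """Parse trace rows into dicts; reject rows that do not have 5 fields."""
    rows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split()
        if len(fields) != 5:
            raise ValueError(f"row {lineno}: expected 5 fields, got {len(fields)}")
        elapsed, size, method, status, url = fields
        parts = urlsplit(url)
        rows.append({
            "elapsed": float(elapsed),
            "bytes": int(size),
            "method": method,
            "status": int(status),
            "host": parts.hostname,
            "path": parts.path,
        })
    return rows


def isolate(rows):
    """Attribute elapsed time to each host and pick out the slowest hop."""
    if not rows:
        raise ValueError("empty trace")
    per_host = defaultdict(float)
    for row in rows:
        per_host[row["host"]] += row["elapsed"]
    total = sum(per_host.values())
    slowest = max(rows, key=lambda r: r["elapsed"])
    return {
        "total": round(total, 3),
        "per_host": {h: round(t, 3) for h, t in per_host.items()},
        # Share of the whole login flow spent waiting on each host.
        "share": {h: round(t / total, 2) for h, t in per_host.items()},
        "slowest_host": max(per_host, key=per_host.get),
        "slowest_request": (slowest["method"], slowest["host"],
                            slowest["path"], slowest["elapsed"]),
    }


if __name__ == "__main__":
    result = isolate(parse_trace(TRACE))
    for host, seconds in sorted(result["per_host"].items(), key=lambda kv: -kv[1]):
        print(f"{host:22s} {seconds:6.3f}s  {result['share'][host]:.0%}")
    print("slowest request:", result["slowest_request"])
```

If most of the time lands on the SSO host, the next step is the access components' own logs; if it lands on the application host, the problem is probably outside IDM.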
Performance Analysis: Isolate (Continued)
Isolating the bottleneck
• Load testing identifies slow transactions
• Analyze the access logs on each component to isolate the slow request(s) to one of the components
• OMS and webgate use the OAP protocol to communicate with OAM
  – These are not registered in HTTP access logs; separate configuration is available in webgate
  – Netstat monitoring tool would give information about connections
  – These connections should be stable under steady state; unstable connections will lead to spikes in response times
• By the end of this step we should have isolated the problem to one (or few) of the access components: OAM/OMS/OAAM/OHS/webgate/OID/DB
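An added example, not part of the original deck: a churn check over successive `netstat -an` snapshots for the OAP connections described above, since those calls never reach the HTTP access logs. The snapshots are constructed, and the OAP port 5575 and the addresses are assumptions; use the port configured for your OAM server.

```python
OAP_PORT = 5575  # assumption: replace with the OAP port of your OAM server

# Constructed `netstat -an` excerpts taken at three sampling points on a
# webgate/OMS host. Columns: proto, recv-q, send-q, local, remote, state.
SNAPSHOTS = [
    """\
tcp 0 0 10.0.0.5:41001 10.0.0.9:5575 ESTABLISHED
tcp 0 0 10.0.0.5:41002 10.0.0.9:5575 ESTABLISHED
tcp 0 0 10.0.0.5:41003 10.0.0.9:5575 ESTABLISHED
tcp 0 0 10.0.0.5:52000 10.0.0.7:1521 ESTABLISHED
""",
    """\
tcp 0 0 10.0.0.5:41001 10.0.0.9:5575 ESTABLISHED
tcp 0 0 10.0.0.5:41002 10.0.0.9:5575 ESTABLISHED
tcp 0 0 10.0.0.5:41003 10.0.0.9:5575 ESTABLISHED
tcp 0 0 10.0.0.5:52000 10.0.0.7:1521 ESTABLISHED
""",
    """\
tcp 0 0 10.0.0.5:41001 10.0.0.9:5575 ESTABLISHED
tcp 0 0 10.0.0.5:41002 10.0.0.9:5575 TIME_WAIT
tcp 0 0 10.0.0.5:41003 10.0.0.9:5575 TIME_WAIT
tcp 0 0 10.0.0.5:41010 10.0.0.9:5575 ESTABLISHED
tcp 0 0 10.0.0.5:41011 10.0.0.9:5575 ESTABLISHED
tcp 0 0 10.0.0.5:52000 10.0.0.7:1521 ESTABLISHED
""",
]


def oap_connections(snapshot, port=OAP_PORT):
    """Return {state: {(local, remote), ...}} for sockets whose remote port is `port`."""
    by_state = {}
    for line in snapshot.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue  # skip headers, UDP and listening-socket rows without a state
        local, remote, state = fields[3], fields[4], fields[5]
        if remote.rsplit(":", 1)[-1] != str(port):
            continue
        by_state.setdefault(state, set()).add((local, remote))
    return by_state


def churn(snapshots, port=OAP_PORT):
    """For each interval between snapshots, count OAP connections opened and closed."""
    report = []
    previous = None
    for snapshot in snapshots:
        states = oap_connections(snapshot, port)
        established = states.get("ESTABLISHED", set())
        if previous is not None:
            report.append({
                "opened": len(established - previous),
                "closed": len(previous - established),
                "established": len(established),
                "time_wait": len(states.get("TIME_WAIT", set())),
            })
        previous = established
    return report


def is_stable(report, max_churn=0):
    """Steady state: no interval opens or closes more than `max_churn` connections."""
    return all(r["opened"] <= max_churn and r["closed"] <= max_churn for r in report)


if __name__ == "__main__":
    for i, interval in enumerate(churn(SNAPSHOTS), 1):
        print(f"interval {i}: {interval}")
    print("stable:", is_stable(churn(SNAPSHOTS)))
```

A constant ESTABLISHED count can hide churn, which is why the check compares the connection sets and not just their size.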
Performance Analysis: Identify
• Once the problem is isolated to one of the components, we can leverage the tools to identify the problem
• We will discuss two of the tools
  – DMS
  – JFR
Performance Analysis: Identify (DMS metrics – OAMSOAM_OAMController)
[Screenshot callouts: AuthZ is 0; AuthN RT is high on this server]
Performance analysis: Identify (JFR)
Identifying the bottleneck: JFR
1. Weblogic -> Servlet
2. Clearly authentication call is the slowest -> Select and add selection to operative set
3. Events -> logs -> "Filter slow requests"
Performance analysis: Identify (JFR)
• Select the events you are interested in
• Socket Read (blue) from OMS to OAM appears to be the bottleneck for the servlet calls (pink)
Tune
• OAM
  – NAP Connection
    • OAM EJB pool
  – Coherence
    • oamcoherencettl
    • MaximumQueueSize
    • tangosol.coherence.distributed.threads
    • tangosol.coherence.distributed.backupcount
    • max-beans-in-free-pool = 450
    • DistributedCacheMaxSize
  – OAM DB session growth should be sustainable
    • Monitor the expired session in OAM DB
• OMS
  – Modify OMS-OAM connection to point to local server
  – Connection pooling to OAM
• OAAM
  – OAAM DB partition tunings on tables like VCRYPT_ALERT, VT_SESSION_ACTION_MAP, VCRYPT_TRACKER_USERNODE_LOGS
  – OAAM DB connection pool
  – Purge historic data
• Separate DB for OAM and OAAM
Tune
• OHS tuning is critical
  – KeepAlive On
  – MaxKeepAliveRequests
  – KeepAliveTimeout
• Webgate tunings
  – Max Connections
  – Cache Pragma/Control header
  – aaaTimeout
• Goal
  – Load test: maximum CPU utilization
  – Steady RT
Access Management Conclusion
• Oracle Access Management 11gR2 represents a major milestone in access management technology that is unique in the industry. Oracle's Access Management platform provides innovative new services that complement traditional access management capabilities
• This new platform represents key development goals for complete, innovative, simplified and scalable access management that is open to third-party customization and integration
• Whether your need is to provide secure access to browser-based applications, secure mobile applications, cloud single sign-on, secure web services, or federated single sign-on to and from your business partners, you can be sure that it's a service provided by Oracle Access Management 11gR2 – Complete and Scalable Access Management
• 250M Access Management benchmark WhitePaper link
Agenda
1 Introduction
2 Access Manager Performance
3 Oracle Identity Manager Performance
4 Conclusion
5 Q & A
Oracle Identity Governance
• Oracle Identity Governance Suite enables organizations to simplify access grants and review access through best-in-class provisioning, role, policy and risk management into a common, consistent and unified governance suite
• Oracle Identity Manager is part of OIG suite
Oracle Identity Manager
1 Oracle Identity Manager Performance
2 Tuning and Managing Application Cache
3 Tuning Message Driven Beans
4 Tuning the User Interface
5 Tuning the JDBC connection pool & Database
6 Reconciliation Tuning
OIM Reconciliation metrics through DMS
• Schedule Job
  – Time it took to capture the events from the target and time it took to create the event
• Action Task
  – Provides information about how much time it took to process the events
• Event Handlers
  – Reports how much time it took to execute any post process event handlers
• Audit Handler
  – Reports the time taken to record and process the audit
OIM metrics through DMS
Tuning and Managing Application Cache
• Oracle Identity Manager allows caching of metadata, which reduces DB activities and network load and improves performance
  – You can use Oracle Enterprise Manager (EM) to turn on caching
  – Export the oim-config.xml to make changes and then import it back to turn on caching, in Oracle Enterprise Manager console under Identity Management
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 19
DB Tools
bull AWR snapshot interval 1 hour or less ndash Frequent snapshots provide higher granularity and help to narrow down the root
cause
bull Generate ASH reports when you suspect resource intensive SQL queriesPL-SQL packages are the bottlenecks
bull Use database EM consolescripts to generate the AWR and ADDM reportsbull OAAM amp OIM are DB intensive applications
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 20
Program Agenda
Introduction
Performance Tools and Methodology
Oracle Access Management Performance
Oracle Identity Manager Performance
Conclusion
Q amp A
1
4
5
6
2
3
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 21
Oracle Access Management Overview
bull OAM suite is a Java Platform Enterprise Edition based enterprise-level security applications that includes a full range of services that provide Web-perimeter security functions and Web single sign-on identity context authentication and authorization fraud detection secure mobile access and more
bull Oracle Access Management 11gR2 has been architected to provide internet-level performance scalability and high availability
bull The focus of this presentation would be on three critical products OMSOAMOAAM with references to OIDOracle DB
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 22
Access Management Sample Banking Test Casebull To help with this presentation we will use a sample integrated test case that
would include all the 3 Access components along with OID and DBndash All the 3 Access components are integratedndash Requests could come from a mobile app or a web browser
Copyright copy 2014 Oracle andor its affiliates All rights reserved |
Access Management Sample Banking Test Case Overview
`OHS
Webgate
Banking Applications
Mobile and
Social
Access Manager (Core)
Adaptive Access Manager OAM DB
OAAM DB
23
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 24
Access Management Performance Analysis
bull To start with the performance analysis of access management operations we need to define the issueproblem
bull Typically a slow transaction is identified during the testing or in productionndash Ex
bull Login is slowbull Page loading is slow but the application does not appear to be the issuebull Huge spikes in response timesbull Server is not scaling beyond certain concurrent load
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 25
Performance Analysis Isolate
bull Is it a IDM issuebull If itrsquos a browser based authentication flow check the browser http trace
(ex httpfox for firefox)
Isolating the bottleneck
0221 673 GET 302 texthtml httpstestbank-fsusoraclecomprofilePage0568 1587 GET 302 texthtml httpstestbank-ssousoraclecomoamserverobrareqcgi 0174 4139 GET 200 texthtml httpstestbank-ssousoraclecomgloballoginPage0556 5422 POST 302 Redirect httpstestbank-ssousoraclecomoamserverauth_cred_submit0057 3061 GET 302 Redirect httpstestbank-fsusoraclecomobrarcgiencreply=Y8e1m9daYF0076 2283 GET 302 Redirect httpstestbank-fsusoraclecomhomePageadfAuthentication_a0160 2412 GET 200 texthtml httpstestbank-fsusoraclecomprofilePage
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 26
Performance Analysis Isolate (Continue)
bull Load testing identifies slow transactionsbull Analyze the access logs on each component to isolate the slow request(s) to
one of the componentbull OMS and webgate uses oap protocol to communicate with OAM
ndash These are not registered in http access logs separate configuration is available in webgate ndash Netstat monitoring tool would give information about connections ndash These connections should be stable under steady state unstable connections will lead to
spikes in response times
bull By the end of this step we should have isolate the problem to one (or few) of the access components OAMOMSOAAMOHSwebgateOIDDB
Isolating the bottleneck
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 27
Performance Analysis Identify
bull Once the problem is isolated to one of the component we can leverage the tools to identify the problem
bull We will discuss two of the toolsndash DMSndash JFR
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 28
Performance Analysis Identify (DMS metrics ndash OAMSOAM_OAMController)
AuthZ is 0
AuthN RTis high on this server
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 29
Performance analysis Identify (JFR)
Identifying the bottleneck JFR1Weblogic-gtServlet
2 Clearly authentication call is the slowest -gtSelect and add selection to operative set3 Events-gt logs -gt ldquoFilter slow requests ldquo
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 30
Performance analysis Identify (JFR)
bull Select the events you are interested in
bull Socket Read (Blue)from OMS to OAM appears to be the bottleneck for the servlet calls (pink)
Tune
• OAM
  – NAP Connection
    • OAM EJB pool
  – Coherence
    • oamcoherencettl
    • MaximumQueueSize
    • tangosol.coherence.distributed.threads
    • tangosol.coherence.distributed.backupcount
    • max-beans-in-free-pool = 450
    • DistributedCacheMaxSize
  – OAM DB session growth should be sustainable
    • Monitor the expired sessions in the OAM DB
• OMS
  – Modify OMS-OAM connection to point to local server
  – Connection pooling to OAM
• OAAM
  – OAAM DB partition tunings on tables like VCRYPT_ALERT, VT_SESSION_ACTION_MAP, VCRYPT_TRACKER_USERNODE_LOGS
  – OAAM DB connection pool
  – Purge historic data
• Separate DB for OAM and OAAM
Tune
• OHS tuning is critical
  – KeepAlive On
  – MaxKeepAliveRequests
  – KeepAliveTimeout
• Webgate tunings
  – Max Connections
  – Cache Pragma/Control header
  – aaaTimeout
• Goal
  – Load test: maximum CPU utilization
  – Steady RT
Access Management Conclusion
• Oracle Access Management 11gR2 represents a major milestone in access management technology that is unique in the industry. Oracle's Access Management platform provides innovative new services that complement traditional access management capabilities
• This new platform represents key development goals for complete, innovative, simplified and scalable access management that is open to third-party customization and integration
• Whether your need is to provide secure access to browser-based applications, secure mobile applications, cloud single sign-on, secure web services, or federated single sign-on to and from your business partners, you can be sure that it's a service provided by Oracle Access Management 11gR2 – Complete and Scalable Access Management
• 250M Access Management benchmark WhitePaper link
Agenda
1. Introduction
2. Access Manager Performance
3. Oracle Identity Manager Performance
4. Conclusion
5. Q & A
Oracle Identity Governance
• Oracle Identity Governance Suite enables organizations to simplify access grants and review access by bringing best-in-class provisioning, role, policy and risk management into a common, consistent and unified governance suite
• Oracle Identity Manager is part of the OIG suite
Oracle Identity Manager
1. Oracle Identity Manager Performance
2. Tuning and Managing Application Cache
3. Tuning Message Driven Beans
4. Tuning the User Interface
5. Tuning the JDBC connection pool & Database
6. Reconciliation Tuning
OIM Reconciliation metrics through DMS
• Schedule Job
  – Time it took to capture the events from the target and time it took to create the event
• Action Task
  – Provides information about how much time it took to process the events
• Event Handlers
  – Reports how much time it took to execute any post-process event handlers
• Audit Handler
  – Reports the time taken to record and process the audit
OIM metrics through DMS
Tuning and Managing Application Cache
• Oracle Identity Manager allows caching of metadata, which reduces DB activity and network load and improves performance
  – You can use Oracle Enterprise Manager (EM) to turn on caching
  – Export oim-config.xml to make changes and then import it back to turn on caching, in the Oracle Enterprise Manager console under Identity Management
Tuning the JDBC Connection Pool & Database
• Oracle Identity Manager uses the ApplicationDB, oimOperationsDB and oimJMSStoreDS datasources
  – Maximum connections is set at 50
  – Increase this based on your load requirement
• Monitor key database performance indicators in your production environment and adjust the configuration
  – You can use EM to monitor the DB & generate AWR/ADDM reports
Tuning the JDBC Connection Pool & Database (Cont'd…)
• Create separate tablespaces for tables that generally grow bigger and are accessed frequently
  – Oracle Identity Manager stores provisioning and approval task details in the OSI, OSH & SCH tables
  – Recommended to group these in one or more dedicated tablespaces
  – Storing audit tables in a separate tablespace
• Using multiple redo-log files
  – Database transactions and commits during a reconciliation run can be high
Tuning Message Driven Beans
• Oracle Identity Manager uses Message Driven Beans (MDBs) for processing all offline activities
  – Reconciliation, auditing, requests, attestation, and its internal kernel operations
• By default, 80 MDB instances concurrently serve requests
  – Increase this based on your load
  – You can increase this by modifying the OIMMDBWorkManager configuration
Tuning the User Interface
• Oracle Identity Manager by default provides 20 front-end thread configurations
  – These threads are used for serving front-end requests
• Disabling the reloading of adapters and plug-in configuration
  – Reloading of adapters and plug-in configuration is enabled for ease of development
  – Should be disabled in the production environment
• Application Module tuning is critical for UI performance
• -Djbo.ampool.maxavailablesize = of concurrent users + 20
Reconciliation Tuning
• Configure paged reconciliation to optimize performance
• Database indexes for reconciliation matching rules
• Reconciliation uses matching algorithm to find if the user/account/role/organization for which the change is requested
• Matching algorithm compares the data in set of columns in OIM with the data in target staging table columns
Reconciliation Tuning (Cont'd…)
• Columns that contain the matching rules are defined in the reconciliation profile
• Indexes are created on the matching rule columns to improve the performance of the matching operation
Conclusion
• Use tools and information provided in this presentation to achieve maximum performance from your IDM deployment
• 250M Access Management benchmark WP link
• Tuning considerations mentioned in this presentation are available
  – Oracle Identity and Access Management Performance and Tuning Guide
Q&A
Program Agenda
1. Introduction
2. Performance Tools and Methodology
3. Oracle Access Management Performance
4. Oracle Identity Manager Performance
5. Conclusion
6. Q & A
Oracle Access Management Overview
• The OAM suite is a set of Java Platform, Enterprise Edition-based enterprise-level security applications that includes a full range of services providing Web-perimeter security functions and Web single sign-on, identity context, authentication and authorization, fraud detection, secure mobile access, and more
• Oracle Access Management 11gR2 has been architected to provide internet-level performance, scalability and high availability
• The focus of this presentation is on three critical products, OMS/OAM/OAAM, with references to OID/Oracle DB
Access Management Sample Banking Test Case
• To help with this presentation we will use a sample integrated test case that includes all 3 Access components along with OID and DB
  – All 3 Access components are integrated
  – Requests could come from a mobile app or a web browser
Access Management Sample Banking Test Case Overview
[Diagram: OHS, Webgate, Banking Applications, Mobile and Social, Access Manager (Core), Adaptive Access Manager, OAM DB, OAAM DB]
Access Management Performance Analysis
• To start with the performance analysis of access management operations, we need to define the issue/problem
• Typically a slow transaction is identified during testing or in production
  – Ex.
    • Login is slow
    • Page loading is slow but the application does not appear to be the issue
    • Huge spikes in response times
    • Server is not scaling beyond a certain concurrent load
Performance Analysis: Isolate
• Is it an IDM issue?
• If it's a browser-based authentication flow, check the browser HTTP trace (e.g. HttpFox for Firefox)
Isolating the bottleneck
0221 673 GET 302 texthtml httpstestbank-fsusoraclecomprofilePage
0568 1587 GET 302 texthtml httpstestbank-ssousoraclecomoamserverobrareqcgi
0174 4139 GET 200 texthtml httpstestbank-ssousoraclecomgloballoginPage
0556 5422 POST 302 Redirect httpstestbank-ssousoraclecomoamserverauth_cred_submit
0057 3061 GET 302 Redirect httpstestbank-fsusoraclecomobrarcgiencreply=Y8e1m9daYF
0076 2283 GET 302 Redirect httpstestbank-fsusoraclecomhomePageadfAuthentication_a
0160 2412 GET 200 texthtml httpstestbank-fsusoraclecomprofilePage
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 22
Access Management Sample Banking Test Casebull To help with this presentation we will use a sample integrated test case that
would include all the 3 Access components along with OID and DBndash All the 3 Access components are integratedndash Requests could come from a mobile app or a web browser
Copyright copy 2014 Oracle andor its affiliates All rights reserved |
Access Management Sample Banking Test Case Overview
`OHS
Webgate
Banking Applications
Mobile and
Social
Access Manager (Core)
Adaptive Access Manager OAM DB
OAAM DB
23
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 24
Access Management Performance Analysis
bull To start with the performance analysis of access management operations we need to define the issueproblem
bull Typically a slow transaction is identified during the testing or in productionndash Ex
bull Login is slowbull Page loading is slow but the application does not appear to be the issuebull Huge spikes in response timesbull Server is not scaling beyond certain concurrent load
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 25
Performance Analysis: Isolate
• Is it an IDM issue?
• If it's a browser-based authentication flow, check the browser HTTP trace (ex. HttpFox for Firefox)
Isolating the bottleneck
0221 673 GET 302 texthtml httpstestbank-fsusoraclecomprofilePage
0568 1587 GET 302 texthtml httpstestbank-ssousoraclecomoamserverobrareqcgi
0174 4139 GET 200 texthtml httpstestbank-ssousoraclecomgloballoginPage
0556 5422 POST 302 Redirect httpstestbank-ssousoraclecomoamserverauth_cred_submit
0057 3061 GET 302 Redirect httpstestbank-fsusoraclecomobrarcgiencreply=Y8e1m9daYF
0076 2283 GET 302 Redirect httpstestbank-fsusoraclecomhomePageadfAuthentication_a
0160 2412 GET 200 texthtml httpstestbank-fsusoraclecomprofilePage
Performance Analysis: Isolate (Continued)
• Load testing identifies slow transactions
• Analyze the access logs on each component to isolate the slow request(s) to one of the components
• OMS and webgate use the OAP protocol to communicate with OAM
  – These are not registered in HTTP access logs; separate configuration is available in webgate
  – Netstat monitoring tool would give information about connections
  – These connections should be stable under steady state; unstable connections will lead to spikes in response times
• By the end of this step we should have isolated the problem to one (or a few) of the access components: OAM/OMS/OAAM/OHS/webgate/OID/DB
Isolating the bottleneck
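Added example (not part of the original presentation): one way to do the isolation step on a browser HTTP trace of an SSO login is to sum the elapsed time per tier and see which tier dominates. The trace lines, hostnames, column meanings and the host-to-tier mapping below are constructed assumptions.

```python
"""Attribute the time in a browser HTTP trace of an SSO login to each tier."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample trace, not taken from the presentation. Assumed columns:
# elapsed seconds, response bytes, method, status, content type, URL.
SAMPLE_TRACE = """\
0.221 673 GET 302 text/html https://app.example.test/profilePage
0.568 1587 GET 302 text/html https://sso.example.test/oam/server/obrareq.cgi
0.174 4139 GET 200 text/html https://sso.example.test/loginPage
2.556 5422 POST 302 Redirect https://sso.example.test/oam/server/auth_cred_submit
0.057 3061 GET 302 Redirect https://app.example.test/obrar.cgi?encreply=PLACEHOLDER
0.076 2283 GET 302 Redirect https://app.example.test/homePage
0.160 2412 GET 200 text/html https://app.example.test/profilePage
this line is malformed and is skipped
"""

# Assumed hostname-to-tier mapping; replace with the deployment's own hosts.
HOST_TIER = {
    "app.example.test": "OHS/WebGate + application",
    "sso.example.test": "OAM server",
}


def parse_trace(text):
    """Return (rows, skipped): parsed requests and the count of unusable lines."""
    rows, skipped = [], 0
    for line in text.splitlines():
        parts = line.split(None, 5)
        try:
            row = {
                "elapsed": float(parts[0]),
                "bytes": int(parts[1]),
                "method": parts[2],
                "status": int(parts[3]),
                "type": parts[4],
                "url": parts[5],
            }
            row["host"] = urlsplit(row["url"]).hostname
            if row["elapsed"] < 0 or not row["host"]:
                raise ValueError("no usable timing or host")
        except (IndexError, ValueError):
            skipped += 1
            continue
        rows.append(row)
    return rows, skipped


def time_by_tier(rows, host_tier):
    """Sum elapsed seconds per tier; unknown hosts get their own bucket."""
    totals = defaultdict(float)
    for row in rows:
        tier = host_tier.get(row["host"], "unmapped:" + row["host"])
        totals[tier] += row["elapsed"]
    return dict(totals)


def isolate(rows, host_tier, share_threshold=0.5):
    """Name the tier that accounts for most of the flow's elapsed time."""
    if not rows:
        raise ValueError("trace contains no usable requests")
    totals = time_by_tier(rows, host_tier)
    total = sum(totals.values())
    tier, spent = max(totals.items(), key=lambda kv: kv[1])
    share = spent / total if total else 0.0
    return {
        "total_seconds": round(total, 3),
        "tier": tier,
        "share": round(share, 3),
        # True only when one tier clearly dominates the login flow.
        "dominant": share >= share_threshold,
        "slowest": max(rows, key=lambda r: r["elapsed"]),
    }


if __name__ == "__main__":
    parsed, bad = parse_trace(SAMPLE_TRACE)
    result = isolate(parsed, HOST_TIER)
    print(f"{len(parsed)} requests parsed, {bad} line(s) skipped")
    for name, seconds in sorted(time_by_tier(parsed, HOST_TIER).items()):
        print(f"{name:28s} {seconds:6.3f} s")
    print(f"Candidate tier: {result['tier']} ({result['share']:.1%} of "
          f"{result['total_seconds']} s), slowest: "
          f"{result['slowest']['method']} {result['slowest']['url']}")
```

The trace only covers what the browser sees; OAP traffic between webgate/OMS and OAM never appears in it and still has to be checked from the component side.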
Performance Analysis: Identify
• Once the problem is isolated to one of the components, we can leverage the tools to identify the problem
• We will discuss two of the tools
  – DMS
  – JFR
Performance Analysis: Identify (DMS metrics – OAMSOAM_OAMController)
AuthZ is 0
AuthN RT is high on this server
Performance analysis: Identify (JFR)
Identifying the bottleneck: JFR
1. Weblogic -> Servlet
2. Clearly authentication call is the slowest -> Select and add selection to operative set
3. Events -> logs -> "Filter slow requests"
Performance analysis: Identify (JFR)
• Select the events you are interested in
• Socket Read (blue) from OMS to OAM appears to be the bottleneck for the servlet calls (pink)
Tune
• OAM
  – NAP Connection
    • OAM EJB pool
  – Coherence
    • oamcoherencettl
    • MaximumQueueSize
    • tangosol.coherence.distributed.threads
    • tangosol.coherence.distributed.backupcount
    • max-beans-in-free-pool = 450
    • DistributedCacheMaxSize
  – OAM DB session growth should be sustainable
    • Monitor the expired sessions in OAM DB
• OMS
  – Modify OMS-OAM connection to point to local server
  – Connection pooling to OAM
• OAAM
  – OAAM DB partition tunings on tables like VCRYPT_ALERT, VT_SESSION_ACTION_MAP, VCRYPT_TRACKER_USERNODE_LOGS
  – OAAM DB connection pool
  – Purge historic data
• Separate DB for OAM and OAAM
Tune
• OHS tuning is critical
  – KeepAlive On
  – MaxKeepAliveRequests
  – KeepAliveTimeout
• Webgate tunings
  – Max Connections
  – Cache Pragma/Control header
  – aaaTimeout
• Goal
  – Load test: maximum CPU utilization
  – Steady RT
Access Management Conclusion
• Oracle Access Management 11gR2 represents a major milestone in access management technology that is unique in the industry. Oracle's Access Management platform provides innovative new services that complement traditional access management capabilities.
• This new platform represents key development goals for complete, innovative, simplified, and scalable access management that is open to third-party customization and integration.
• Whether your need is to provide secure access to browser-based applications, secure mobile applications, cloud single sign-on, secure web services, or federated single sign-on to and from your business partners, you can be sure that it's a service provided by Oracle Access Management 11gR2 – Complete and Scalable Access Management
• 250M Access Management benchmark WhitePaper link
Agenda
1. Introduction
2. Access Manager Performance
3. Oracle Identity Manager Performance
4. Conclusion
5. Q & A
Oracle Identity Governance
• Oracle Identity Governance Suite enables organizations to simplify access grants and review access through best-in-class provisioning, role, policy and risk management into a common, consistent and unified governance suite
• Oracle Identity Manager is part of OIG suite
Oracle Identity Manager
1. Oracle Identity Manager Performance
2. Tuning and Managing Application Cache
3. Tuning Message Driven Beans
4. Tuning the User Interface
5. Tuning the JDBC connection pool & Database
6. Reconciliation Tuning
OIM Reconciliation metrics through DMS
• Schedule Job
  – Time it took to capture the events from the target and time it took to create the event
• Action Task
  – Provides information about how much time it took to process the events
• Event Handlers
  – Reports how much time it took to execute any post-process event handlers
• Audit Handler
  – Reports the time taken to record and process the audit
OIM metrics through DMS
OIM metrics through DMS
Tuning and Managing Application Cache
• Oracle Identity Manager allows caching of metadata, which reduces DB activity and network load and improves performance
  – You can use Oracle Enterprise Manager (EM) to turn on caching
  – Export the oim-config.xml to make changes and then import it back to turn on caching. In Oracle Enterprise Manager console under Identity Management
Tuning the JDBC Connection Pool & Database
• Oracle Identity Manager uses ApplicationDB, oimOperationsDB and oimJMSStoreDS datasources
  – Maximum connections is set at 50
  – Increase this based on your load requirement
• Monitor key database performance indicators in your production environment and adjust the configuration
  – You can use EM to monitor DB & generate AWR/ADDM reports
Tuning the JDBC Connection Pool & Database Contd…
• Create separate tablespaces for tables that generally grow bigger and are accessed frequently
  – Oracle Identity Manager stores provisioning and approval task details in OSI, OSH & SCH tables
  – Recommended to group these in one or more dedicated tablespaces
  – Storing audit tables in separate tablespace
• Using Multiple Redo-Log Files
  – Database transactions and commits during a reconciliation run can be high
Tuning Message Driven Beans
• Oracle Identity Manager uses Message Driven Beans (MDBs) for processing all offline activities
  – Reconciliation, auditing, requests, attestation and for its internal kernel operations
• By default, 80 MDB instances serve requests concurrently
  – Increase this based on your load
  – You can increase this by modifying the OIMMDBWorkManager configuration
Tuning the User Interface
• Oracle Identity Manager by default provides 20 front-end thread configurations
  – These threads are used for serving front-end requests
• Disabling the Reloading of Adapters and Plug-in Configuration
  – Reloading of adapters and plug-in configuration is enabled for ease of development
  – Should be disabled in the production environment
• Application Module tuning is critical for the UI performance
• -Djbo.ampool.maxavailablesize = # of concurrent users + 20
Reconciliation Tuning
• Configure paged reconciliation to optimize performance
• Database Indexes for reconciliation matching Rules
• Reconciliation uses matching algorithm to find if the user/account/role/organization for which the change is requested
• Matching algorithm compares the data in set of columns in OIM with the data in target staging table columns
Reconciliation Tuning Contd…
• Columns that contain the matching rules are defined in the reconciliation profile
• Indexes created on the matching rule columns to improve the performance of the matching operation
Conclusion
• Use tools and information provided in this presentation to achieve maximum performance from your IDM deployment
• 250M Access Management benchmark WP link
• Tuning considerations mentioned in this presentation are available
  – Oracle Identity and Access Management Performance and Tuning Guide
Q&A
Copyright copy 2014 Oracle andor its affiliates All rights reserved |
Access Management Sample Banking Test Case Overview
`OHS
Webgate
Banking Applications
Mobile and
Social
Access Manager (Core)
Adaptive Access Manager OAM DB
OAAM DB
23
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 24
Access Management Performance Analysis
bull To start with the performance analysis of access management operations we need to define the issueproblem
bull Typically a slow transaction is identified during the testing or in productionndash Ex
bull Login is slowbull Page loading is slow but the application does not appear to be the issuebull Huge spikes in response timesbull Server is not scaling beyond certain concurrent load
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 25
Performance Analysis Isolate
bull Is it a IDM issuebull If itrsquos a browser based authentication flow check the browser http trace
(ex httpfox for firefox)
Isolating the bottleneck
0221 673 GET 302 texthtml httpstestbank-fsusoraclecomprofilePage0568 1587 GET 302 texthtml httpstestbank-ssousoraclecomoamserverobrareqcgi 0174 4139 GET 200 texthtml httpstestbank-ssousoraclecomgloballoginPage0556 5422 POST 302 Redirect httpstestbank-ssousoraclecomoamserverauth_cred_submit0057 3061 GET 302 Redirect httpstestbank-fsusoraclecomobrarcgiencreply=Y8e1m9daYF0076 2283 GET 302 Redirect httpstestbank-fsusoraclecomhomePageadfAuthentication_a0160 2412 GET 200 texthtml httpstestbank-fsusoraclecomprofilePage
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 26
Performance Analysis Isolate (Continue)
bull Load testing identifies slow transactionsbull Analyze the access logs on each component to isolate the slow request(s) to
one of the componentbull OMS and webgate uses oap protocol to communicate with OAM
ndash These are not registered in http access logs separate configuration is available in webgate ndash Netstat monitoring tool would give information about connections ndash These connections should be stable under steady state unstable connections will lead to
spikes in response times
bull By the end of this step we should have isolate the problem to one (or few) of the access components OAMOMSOAAMOHSwebgateOIDDB
Isolating the bottleneck
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 27
Performance Analysis Identify
bull Once the problem is isolated to one of the component we can leverage the tools to identify the problem
bull We will discuss two of the toolsndash DMSndash JFR
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 28
Performance Analysis Identify (DMS metrics ndash OAMSOAM_OAMController)
AuthZ is 0
AuthN RTis high on this server
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 29
Performance analysis Identify (JFR)
Identifying the bottleneck JFR1Weblogic-gtServlet
2 Clearly authentication call is the slowest -gtSelect and add selection to operative set3 Events-gt logs -gt ldquoFilter slow requests ldquo
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 30
Performance analysis Identify (JFR)
bull Select the events you are interested in
bull Socket Read (Blue)from OMS to OAM appears to be the bottleneck for the servlet calls (pink)
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 31
Tunebull OAM
ndash NAP Connectionbull OAM EJB pool
ndash Coherencebull oamcoherencettlbull MaximumQueueSizebull tangosolcoherencedistributedthreadsbull tangosolcoherencedistributedbackupcountbull max-beans-in-free-pool =450bull DistributedCacheMaxSize
ndash OAM Db session growth should be sustainablebull Monitor the expired session in OAM DB
bull OMSndash Modify OMS-OAM connection to point to local server
ndash Connection pooling to OAM
bull OAAMndash OAAM DB Partition tunings on tables like VCRYPT_ALERT
VT_SESSION_ACTION_MAP VCRYPT_TRACKER_USERNODE_LOGS
ndash OAAM Db connection pool
ndash Purge historic data
bull Separate DB for OAM and OAAM
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 32
Tune
bull OHS Tuning is criticalndash KeepAlive On ndash MaxKeepAliveRequestsndash KeepAliveTimeout
bull Webgate tuningsndash Max Connections
ndash Cache PragmaControl headerndash aaaTimeout
bull Goalndash Loadtest Maximum cpu utilizationndash Steady RT
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 33
Access Management ConclusionbullOracle Access Management 11gR2 represents a major milestone in access management technology that is unique in the industry Oraclersquos Access Management platform provides innovative new services that complement traditional access management capabilities
bullThis new platform represents key development goals for complete innovative simplified and scalable access management that is open to third-party customization and integration
bullWhether your need is to provide secure access to browser-based applications secure mobile applications cloud single sign-on secure web services or federated single sign-on to and from your business partners you can be sure that itrsquos a service provided by Oracle Access Management 11gR2 ndash Complete and Scalable Access Management
bull250M Access Management benchmark WhitePaper link
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 34
Agenda
Introduction
Access Manager Performance
Oracle Identity Manager Performance
Conclusion
Q amp A
1
3
4
5
2
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 35
Oracle Identity Governance
bull Oracle Identity Governance Suite enables organizations to simplify access grants and review access through best-in-class provisioning role policy and risk management into a common consistent and unified governance suite
bull Oracle Identity Manager is part of OIG suite
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 36
Oracle Identity Manager
Oracle Identity Manager Performance
Tuning and Managing Application Cache
Tuning Message Driven Beans
Tuning the User Interface
Tuning the JDBC connection pool amp Database
Reconciliation Tuning
1
2
3
4
5
6
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 37
OIM Reconciliation metrics through DMS
bull Schedule Jobndash Time it took to capture the events from the target and time it took to create the
event
bull Action Task ndash Provides information about how much time it took to process the events
bull Event Handlers ndash Reports how much time it took to execute any post process event handlers
bull Audit Handler ndash Reports the time taken to record and process the audit
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 38
OIM metrics through DMS
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 39
OIM metrics through DMS
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 40
Tuning and Managing Application Cachebull Oracle Identity Manager allows caching of metadata which reduces DB
activities network load and improved performancendash You can use Oracle Enterprise Manager (EM) to turn on cachingndash Export the oim-configxml to make changes and then import it back to turn on
caching In Oracle Enterprise Manager console under Identity Management
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 41
Tuning the JDBC Connection Pool amp Database
bull Oracle Identity Manager uses ApplicationDB oimOperationsDB and oimJMSStoreDS datasourcesndash Maximum connections is set at 50ndash Increase this based on your load requirement
bull Monitor key database performance indicators in your production environment and adjust the configurationndash You can use EM to monitor DB amp generate AWRADDM reports
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 42
Tuning the JDBC Connection Pool amp Database Contdhellip
bull Create separate tablespaces for tables that generally grow bigger and are accessed frequently ndash Oracle Identity Manager stores provisioning and approval task details in OSI OSH amp
SCH tablesndash Recommended to group these in one or more dedicated tablespacesndash Storing audit tables in separate tablespace
bull Using Multiple Redo-Log Filesndash Database transactions and commits during a reconciliation run can be high
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 43
Tuning Message Driven Beans
bull Oracle Identity Manager uses Message Driven Beans (MDBs) for processing all offline activitiesndash Reconciliation auditing requests attestation and for its internal kernel operations
bull Default is 80 MDB instances concurrently serve requests ndash Increase this based on your loadndash You can increase this by modifying the OIMMDBWorkManager configuration
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 44
Tuning the User Interface
bull Oracle Identity Manager by default provides 20 front-end thread configurations ndash These threads are used for serving front-end requests
bull Disabling the Reloading of Adapters and Plug-in Configurationndash Reloading of adapters and plug-in configuration are enabled for ease of
development ndash Should be disabled in the production environment
bull Application Module tuning is a critical for the UI performancebull Djboampoolmaxavailablesize = of concurrent users + 20
ndash
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 45
Reconciliation Tuning
bull Configure paged reconciliation to optimize performancebull Database Indexes for reconciliation matching Rulesbull Reconciliation uses matching algorithm to find if the
useraccountroleorganization for which the change is requested bull Matching algorithm compares the data in set of columns in OIM with the
data in target staging table columns
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 46
Reconciliation Tuning Contdhellip
bull Columns that contain the matching rules are defined in the reconciliation profile
bull Indexes created on the matching rule columns to improve the performance of the matching operation
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 47
Conclusion
bull Use tools and information provided in this presentation to achieve maximum performance from your IDM deployment
bull 250M Access Management benchmark WP linkbull Tuning considerations mentioned in this presentation are available
ndash Oracle Identity and Access Management Performance and Tuning Guide
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 48
QampA
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 49
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 24
Access Management Performance Analysis
bull To start with the performance analysis of access management operations we need to define the issueproblem
bull Typically a slow transaction is identified during the testing or in productionndash Ex
bull Login is slowbull Page loading is slow but the application does not appear to be the issuebull Huge spikes in response timesbull Server is not scaling beyond certain concurrent load
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 25
Performance Analysis Isolate
bull Is it a IDM issuebull If itrsquos a browser based authentication flow check the browser http trace
(ex httpfox for firefox)
Isolating the bottleneck
0221 673 GET 302 texthtml httpstestbank-fsusoraclecomprofilePage0568 1587 GET 302 texthtml httpstestbank-ssousoraclecomoamserverobrareqcgi 0174 4139 GET 200 texthtml httpstestbank-ssousoraclecomgloballoginPage0556 5422 POST 302 Redirect httpstestbank-ssousoraclecomoamserverauth_cred_submit0057 3061 GET 302 Redirect httpstestbank-fsusoraclecomobrarcgiencreply=Y8e1m9daYF0076 2283 GET 302 Redirect httpstestbank-fsusoraclecomhomePageadfAuthentication_a0160 2412 GET 200 texthtml httpstestbank-fsusoraclecomprofilePage
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 26
Performance Analysis Isolate (Continue)
bull Load testing identifies slow transactionsbull Analyze the access logs on each component to isolate the slow request(s) to
one of the componentbull OMS and webgate uses oap protocol to communicate with OAM
ndash These are not registered in http access logs separate configuration is available in webgate ndash Netstat monitoring tool would give information about connections ndash These connections should be stable under steady state unstable connections will lead to
spikes in response times
bull By the end of this step we should have isolate the problem to one (or few) of the access components OAMOMSOAAMOHSwebgateOIDDB
Isolating the bottleneck
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 27
Performance Analysis Identify
bull Once the problem is isolated to one of the component we can leverage the tools to identify the problem
bull We will discuss two of the toolsndash DMSndash JFR
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 28
Performance Analysis Identify (DMS metrics ndash OAMSOAM_OAMController)
AuthZ is 0
AuthN RTis high on this server
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 29
Performance analysis Identify (JFR)
Identifying the bottleneck JFR1Weblogic-gtServlet
2 Clearly authentication call is the slowest -gtSelect and add selection to operative set3 Events-gt logs -gt ldquoFilter slow requests ldquo
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 30
Performance analysis Identify (JFR)
bull Select the events you are interested in
bull Socket Read (Blue)from OMS to OAM appears to be the bottleneck for the servlet calls (pink)
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 31
Tunebull OAM
ndash NAP Connectionbull OAM EJB pool
ndash Coherencebull oamcoherencettlbull MaximumQueueSizebull tangosolcoherencedistributedthreadsbull tangosolcoherencedistributedbackupcountbull max-beans-in-free-pool =450bull DistributedCacheMaxSize
ndash OAM Db session growth should be sustainablebull Monitor the expired session in OAM DB
bull OMSndash Modify OMS-OAM connection to point to local server
ndash Connection pooling to OAM
bull OAAMndash OAAM DB Partition tunings on tables like VCRYPT_ALERT
VT_SESSION_ACTION_MAP VCRYPT_TRACKER_USERNODE_LOGS
ndash OAAM Db connection pool
ndash Purge historic data
bull Separate DB for OAM and OAAM
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 32
Tune
bull OHS Tuning is criticalndash KeepAlive On ndash MaxKeepAliveRequestsndash KeepAliveTimeout
bull Webgate tuningsndash Max Connections
ndash Cache PragmaControl headerndash aaaTimeout
bull Goalndash Loadtest Maximum cpu utilizationndash Steady RT
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 33
Access Management ConclusionbullOracle Access Management 11gR2 represents a major milestone in access management technology that is unique in the industry Oraclersquos Access Management platform provides innovative new services that complement traditional access management capabilities
bullThis new platform represents key development goals for complete innovative simplified and scalable access management that is open to third-party customization and integration
bullWhether your need is to provide secure access to browser-based applications secure mobile applications cloud single sign-on secure web services or federated single sign-on to and from your business partners you can be sure that itrsquos a service provided by Oracle Access Management 11gR2 ndash Complete and Scalable Access Management
bull250M Access Management benchmark WhitePaper link
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 34
Agenda
Introduction
Access Manager Performance
Oracle Identity Manager Performance
Conclusion
Q amp A
1
3
4
5
2
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 35
Oracle Identity Governance
bull Oracle Identity Governance Suite enables organizations to simplify access grants and review access through best-in-class provisioning role policy and risk management into a common consistent and unified governance suite
bull Oracle Identity Manager is part of OIG suite
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 36
Oracle Identity Manager
Oracle Identity Manager Performance
Tuning and Managing Application Cache
Tuning Message Driven Beans
Tuning the User Interface
Tuning the JDBC connection pool amp Database
Reconciliation Tuning
1
2
3
4
5
6
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 37
OIM Reconciliation metrics through DMS
bull Schedule Jobndash Time it took to capture the events from the target and time it took to create the
event
bull Action Task ndash Provides information about how much time it took to process the events
bull Event Handlers ndash Reports how much time it took to execute any post process event handlers
bull Audit Handler ndash Reports the time taken to record and process the audit
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 38
OIM metrics through DMS
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 39
OIM metrics through DMS
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 40
Tuning and Managing Application Cachebull Oracle Identity Manager allows caching of metadata which reduces DB
activities network load and improved performancendash You can use Oracle Enterprise Manager (EM) to turn on cachingndash Export the oim-configxml to make changes and then import it back to turn on
caching In Oracle Enterprise Manager console under Identity Management
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 41
Tuning the JDBC Connection Pool amp Database
bull Oracle Identity Manager uses ApplicationDB oimOperationsDB and oimJMSStoreDS datasourcesndash Maximum connections is set at 50ndash Increase this based on your load requirement
bull Monitor key database performance indicators in your production environment and adjust the configurationndash You can use EM to monitor DB amp generate AWRADDM reports
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 42
Tuning the JDBC Connection Pool amp Database Contdhellip
bull Create separate tablespaces for tables that generally grow bigger and are accessed frequently ndash Oracle Identity Manager stores provisioning and approval task details in OSI OSH amp
SCH tablesndash Recommended to group these in one or more dedicated tablespacesndash Storing audit tables in separate tablespace
bull Using Multiple Redo-Log Filesndash Database transactions and commits during a reconciliation run can be high
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 43
Tuning Message Driven Beans
bull Oracle Identity Manager uses Message Driven Beans (MDBs) for processing all offline activitiesndash Reconciliation auditing requests attestation and for its internal kernel operations
bull Default is 80 MDB instances concurrently serve requests ndash Increase this based on your loadndash You can increase this by modifying the OIMMDBWorkManager configuration
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 44
Tuning the User Interface
bull Oracle Identity Manager by default provides 20 front-end thread configurations ndash These threads are used for serving front-end requests
bull Disabling the Reloading of Adapters and Plug-in Configurationndash Reloading of adapters and plug-in configuration are enabled for ease of
development ndash Should be disabled in the production environment
bull Application Module tuning is a critical for the UI performancebull Djboampoolmaxavailablesize = of concurrent users + 20
ndash
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 45
Reconciliation Tuning
bull Configure paged reconciliation to optimize performancebull Database Indexes for reconciliation matching Rulesbull Reconciliation uses matching algorithm to find if the
useraccountroleorganization for which the change is requested bull Matching algorithm compares the data in set of columns in OIM with the
data in target staging table columns
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 46
Reconciliation Tuning Contdhellip
bull Columns that contain the matching rules are defined in the reconciliation profile
bull Indexes created on the matching rule columns to improve the performance of the matching operation
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 47
Conclusion
bull Use tools and information provided in this presentation to achieve maximum performance from your IDM deployment
bull 250M Access Management benchmark WP linkbull Tuning considerations mentioned in this presentation are available
ndash Oracle Identity and Access Management Performance and Tuning Guide
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 48
QampA
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 49
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 25
Performance Analysis Isolate
bull Is it a IDM issuebull If itrsquos a browser based authentication flow check the browser http trace
(ex httpfox for firefox)
Isolating the bottleneck
0221 673 GET 302 texthtml httpstestbank-fsusoraclecomprofilePage0568 1587 GET 302 texthtml httpstestbank-ssousoraclecomoamserverobrareqcgi 0174 4139 GET 200 texthtml httpstestbank-ssousoraclecomgloballoginPage0556 5422 POST 302 Redirect httpstestbank-ssousoraclecomoamserverauth_cred_submit0057 3061 GET 302 Redirect httpstestbank-fsusoraclecomobrarcgiencreply=Y8e1m9daYF0076 2283 GET 302 Redirect httpstestbank-fsusoraclecomhomePageadfAuthentication_a0160 2412 GET 200 texthtml httpstestbank-fsusoraclecomprofilePage

Performance Analysis: Isolate (Continued)

Isolating the bottleneck

• Load testing identifies slow transactions
• Analyze the access logs on each component to isolate the slow request(s) to one of the components
• OMS and Webgate use the OAP protocol to communicate with OAM
  – These are not registered in HTTP access logs; separate configuration is available in Webgate
  – The netstat monitoring tool gives information about connections
  – These connections should be stable under steady state; unstable connections will lead to spikes in response times
• By the end of this step we should have isolated the problem to one (or a few) of the access components: OAM/OMS/OAAM/OHS/Webgate/OID/DB

Performance Analysis: Identify

• Once the problem is isolated to one of the components, we can leverage the tools to identify the problem
• We will discuss two of the tools
  – DMS
  – JFR

Performance Analysis: Identify (DMS metrics – OAMSOAM_OAMController)

• AuthZ is 0
• AuthN RT is high on this server

Performance Analysis: Identify (JFR)

Identifying the bottleneck: JFR

1. WebLogic -> Servlet
2. Clearly the authentication call is the slowest -> Select and add selection to operative set
3. Events -> Logs -> "Filter slow requests"

Performance Analysis: Identify (JFR)

• Select the events you are interested in
• Socket Read (blue) from OMS to OAM appears to be the bottleneck for the servlet calls (pink)

Tune

• OAM
  – NAP Connection
    • OAM EJB pool
  – Coherence
    • oamcoherencettl
    • MaximumQueueSize
    • tangosol.coherence.distributed.threads
    • tangosol.coherence.distributed.backupcount
    • max-beans-in-free-pool = 450
    • DistributedCacheMaxSize
  – OAM DB session growth should be sustainable
    • Monitor the expired sessions in OAM DB
• OMS
  – Modify OMS-OAM connection to point to local server
  – Connection pooling to OAM
• OAAM
  – OAAM DB partition tunings on tables like VCRYPT_ALERT, VT_SESSION_ACTION_MAP, VCRYPT_TRACKER_USERNODE_LOGS
  – OAAM DB connection pool
  – Purge historic data
• Separate DB for OAM and OAAM

Tune

• OHS tuning is critical
  – KeepAlive On
  – MaxKeepAliveRequests
  – KeepAliveTimeout
• Webgate tunings
  – Max Connections
  – Cache Pragma/Control header
  – aaaTimeout
• Goal
  – Load test: maximum CPU utilization
  – Steady RT

Access Management Conclusion

• Oracle Access Management 11gR2 represents a major milestone in access management technology that is unique in the industry. Oracle's Access Management platform provides innovative new services that complement traditional access management capabilities.
• This new platform represents key development goals for complete, innovative, simplified and scalable access management that is open to third-party customization and integration.
• Whether your need is to provide secure access to browser-based applications, secure mobile applications, cloud single sign-on, secure web services, or federated single sign-on to and from your business partners, you can be sure that it's a service provided by Oracle Access Management 11gR2 – Complete and Scalable Access Management
• 250M Access Management benchmark WhitePaper link

Agenda

1. Introduction
2. Access Manager Performance
3. Oracle Identity Manager Performance
4. Conclusion
5. Q & A

Oracle Identity Governance

• Oracle Identity Governance Suite enables organizations to simplify access grants and review access through best-in-class provisioning, role, policy and risk management into a common, consistent and unified governance suite
• Oracle Identity Manager is part of OIG suite

Oracle Identity Manager

1. Oracle Identity Manager Performance
2. Tuning and Managing Application Cache
3. Tuning Message Driven Beans
4. Tuning the User Interface
5. Tuning the JDBC connection pool & Database
6. Reconciliation Tuning

OIM Reconciliation metrics through DMS

• Schedule Job
  – Time it took to capture the events from the target and time it took to create the event
• Action Task
  – Provides information about how much time it took to process the events
• Event Handlers
  – Reports how much time it took to execute any post-process event handlers
• Audit Handler
  – Reports the time taken to record and process the audit

OIM metrics through DMS

Tuning and Managing Application Cache

• Oracle Identity Manager allows caching of metadata, which reduces DB activity and network load and improves performance
  – You can use Oracle Enterprise Manager (EM) to turn on caching
  – Export oim-config.xml to make changes and then import it back to turn on caching, in the Oracle Enterprise Manager console under Identity Management

Tuning the JDBC Connection Pool & Database

• Oracle Identity Manager uses the ApplicationDB, oimOperationsDB and oimJMSStoreDS datasources
  – Maximum connections is set at 50
  – Increase this based on your load requirement
• Monitor key database performance indicators in your production environment and adjust the configuration
  – You can use EM to monitor the DB & generate AWR/ADDM reports

Tuning the JDBC Connection Pool & Database (Cont'd…)

• Create separate tablespaces for tables that generally grow bigger and are accessed frequently
  – Oracle Identity Manager stores provisioning and approval task details in the OSI, OSH & SCH tables
  – Recommended to group these in one or more dedicated tablespaces
  – Storing audit tables in separate tablespace
• Using Multiple Redo-Log Files
  – Database transactions and commits during a reconciliation run can be high

Tuning Message Driven Beans

• Oracle Identity Manager uses Message Driven Beans (MDBs) for processing all offline activities
  – Reconciliation, auditing, requests, attestation, and its internal kernel operations
• By default, 80 MDB instances concurrently serve requests
  – Increase this based on your load
  – You can increase this by modifying the OIMMDBWorkManager configuration

Tuning the User Interface

• Oracle Identity Manager by default provides 20 front-end thread configurations
  – These threads are used for serving front-end requests
• Disabling the Reloading of Adapters and Plug-in Configuration
  – Reloading of adapters and plug-in configuration is enabled for ease of development
  – Should be disabled in the production environment
• Application Module tuning is critical for UI performance
• -Djbo.ampool.maxavailablesize = number of concurrent users + 20

Reconciliation Tuning

• Configure paged reconciliation to optimize performance
• Database indexes for reconciliation matching rules
• Reconciliation uses matching algorithm to find if the user/account/role/organization for which the change is requested
• Matching algorithm compares the data in set of columns in OIM with the data in target staging table columns

Reconciliation Tuning (Cont'd…)

• Columns that contain the matching rules are defined in the reconciliation profile
• Indexes created on the matching rule columns to improve the performance of the matching operation

Conclusion

• Use tools and information provided in this presentation to achieve maximum performance from your IDM deployment
• 250M Access Management benchmark WP link
• Tuning considerations mentioned in this presentation are available
  – Oracle Identity and Access Management Performance and Tuning Guide

Q&A
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 26
Performance Analysis Isolate (Continue)
bull Load testing identifies slow transactionsbull Analyze the access logs on each component to isolate the slow request(s) to
one of the componentbull OMS and webgate uses oap protocol to communicate with OAM
ndash These are not registered in http access logs separate configuration is available in webgate ndash Netstat monitoring tool would give information about connections ndash These connections should be stable under steady state unstable connections will lead to
spikes in response times
bull By the end of this step we should have isolate the problem to one (or few) of the access components OAMOMSOAAMOHSwebgateOIDDB
Isolating the bottleneck
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 27
Performance Analysis Identify
bull Once the problem is isolated to one of the component we can leverage the tools to identify the problem
bull We will discuss two of the toolsndash DMSndash JFR
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 28
Performance Analysis Identify (DMS metrics ndash OAMSOAM_OAMController)
AuthZ is 0
AuthN RTis high on this server
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 29
Performance analysis Identify (JFR)
Identifying the bottleneck JFR1Weblogic-gtServlet
2 Clearly authentication call is the slowest -gtSelect and add selection to operative set3 Events-gt logs -gt ldquoFilter slow requests ldquo
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 30
Performance analysis Identify (JFR)
bull Select the events you are interested in
bull Socket Read (Blue)from OMS to OAM appears to be the bottleneck for the servlet calls (pink)
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 31
Tunebull OAM
ndash NAP Connectionbull OAM EJB pool
ndash Coherencebull oamcoherencettlbull MaximumQueueSizebull tangosolcoherencedistributedthreadsbull tangosolcoherencedistributedbackupcountbull max-beans-in-free-pool =450bull DistributedCacheMaxSize
ndash OAM Db session growth should be sustainablebull Monitor the expired session in OAM DB
bull OMSndash Modify OMS-OAM connection to point to local server
ndash Connection pooling to OAM
bull OAAMndash OAAM DB Partition tunings on tables like VCRYPT_ALERT
VT_SESSION_ACTION_MAP VCRYPT_TRACKER_USERNODE_LOGS
ndash OAAM Db connection pool
ndash Purge historic data
bull Separate DB for OAM and OAAM
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 32
Tune
bull OHS Tuning is criticalndash KeepAlive On ndash MaxKeepAliveRequestsndash KeepAliveTimeout
bull Webgate tuningsndash Max Connections
ndash Cache PragmaControl headerndash aaaTimeout
bull Goalndash Loadtest Maximum cpu utilizationndash Steady RT
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 33
Access Management ConclusionbullOracle Access Management 11gR2 represents a major milestone in access management technology that is unique in the industry Oraclersquos Access Management platform provides innovative new services that complement traditional access management capabilities
bullThis new platform represents key development goals for complete innovative simplified and scalable access management that is open to third-party customization and integration
bullWhether your need is to provide secure access to browser-based applications secure mobile applications cloud single sign-on secure web services or federated single sign-on to and from your business partners you can be sure that itrsquos a service provided by Oracle Access Management 11gR2 ndash Complete and Scalable Access Management
bull250M Access Management benchmark WhitePaper link
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 34
Agenda
Introduction
Access Manager Performance
Oracle Identity Manager Performance
Conclusion
Q amp A
1
3
4
5
2
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 35
Oracle Identity Governance
bull Oracle Identity Governance Suite enables organizations to simplify access grants and review access through best-in-class provisioning role policy and risk management into a common consistent and unified governance suite
bull Oracle Identity Manager is part of OIG suite
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 36
Oracle Identity Manager
Oracle Identity Manager Performance
Tuning and Managing Application Cache
Tuning Message Driven Beans
Tuning the User Interface
Tuning the JDBC connection pool amp Database
Reconciliation Tuning
1
2
3
4
5
6
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 37
OIM Reconciliation metrics through DMS
bull Schedule Jobndash Time it took to capture the events from the target and time it took to create the
event
bull Action Task ndash Provides information about how much time it took to process the events
bull Event Handlers ndash Reports how much time it took to execute any post process event handlers
bull Audit Handler ndash Reports the time taken to record and process the audit
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 38
OIM metrics through DMS
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 39
OIM metrics through DMS
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 40
Tuning and Managing Application Cachebull Oracle Identity Manager allows caching of metadata which reduces DB
activities network load and improved performancendash You can use Oracle Enterprise Manager (EM) to turn on cachingndash Export the oim-configxml to make changes and then import it back to turn on
caching In Oracle Enterprise Manager console under Identity Management
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 41
Tuning the JDBC Connection Pool amp Database
bull Oracle Identity Manager uses ApplicationDB oimOperationsDB and oimJMSStoreDS datasourcesndash Maximum connections is set at 50ndash Increase this based on your load requirement
bull Monitor key database performance indicators in your production environment and adjust the configurationndash You can use EM to monitor DB amp generate AWRADDM reports
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 42
Tuning the JDBC Connection Pool amp Database Contdhellip
bull Create separate tablespaces for tables that generally grow bigger and are accessed frequently ndash Oracle Identity Manager stores provisioning and approval task details in OSI OSH amp
SCH tablesndash Recommended to group these in one or more dedicated tablespacesndash Storing audit tables in separate tablespace
bull Using Multiple Redo-Log Filesndash Database transactions and commits during a reconciliation run can be high
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 43
Tuning Message Driven Beans
bull Oracle Identity Manager uses Message Driven Beans (MDBs) for processing all offline activitiesndash Reconciliation auditing requests attestation and for its internal kernel operations
bull Default is 80 MDB instances concurrently serve requests ndash Increase this based on your loadndash You can increase this by modifying the OIMMDBWorkManager configuration
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 44
Tuning the User Interface
bull Oracle Identity Manager by default provides 20 front-end thread configurations ndash These threads are used for serving front-end requests
bull Disabling the Reloading of Adapters and Plug-in Configurationndash Reloading of adapters and plug-in configuration are enabled for ease of
development ndash Should be disabled in the production environment
bull Application Module tuning is a critical for the UI performancebull Djboampoolmaxavailablesize = of concurrent users + 20
ndash
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 45
Reconciliation Tuning
bull Configure paged reconciliation to optimize performancebull Database Indexes for reconciliation matching Rulesbull Reconciliation uses matching algorithm to find if the
useraccountroleorganization for which the change is requested bull Matching algorithm compares the data in set of columns in OIM with the
data in target staging table columns
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 46
Reconciliation Tuning Contdhellip
bull Columns that contain the matching rules are defined in the reconciliation profile
bull Indexes created on the matching rule columns to improve the performance of the matching operation
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 47
Conclusion
bull Use tools and information provided in this presentation to achieve maximum performance from your IDM deployment
bull 250M Access Management benchmark WP linkbull Tuning considerations mentioned in this presentation are available
ndash Oracle Identity and Access Management Performance and Tuning Guide
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 48
QampA
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 49
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 27
Performance Analysis Identify
bull Once the problem is isolated to one of the component we can leverage the tools to identify the problem
bull We will discuss two of the toolsndash DMSndash JFR
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 28
Performance Analysis Identify (DMS metrics ndash OAMSOAM_OAMController)
AuthZ is 0
AuthN RTis high on this server
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 29
Performance analysis Identify (JFR)
Identifying the bottleneck JFR1Weblogic-gtServlet
2 Clearly authentication call is the slowest -gtSelect and add selection to operative set3 Events-gt logs -gt ldquoFilter slow requests ldquo
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 30
Performance analysis Identify (JFR)
bull Select the events you are interested in
bull Socket Read (Blue)from OMS to OAM appears to be the bottleneck for the servlet calls (pink)
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 31
Tunebull OAM
ndash NAP Connectionbull OAM EJB pool
ndash Coherencebull oamcoherencettlbull MaximumQueueSizebull tangosolcoherencedistributedthreadsbull tangosolcoherencedistributedbackupcountbull max-beans-in-free-pool =450bull DistributedCacheMaxSize
ndash OAM Db session growth should be sustainablebull Monitor the expired session in OAM DB
bull OMSndash Modify OMS-OAM connection to point to local server
ndash Connection pooling to OAM
bull OAAMndash OAAM DB Partition tunings on tables like VCRYPT_ALERT
VT_SESSION_ACTION_MAP VCRYPT_TRACKER_USERNODE_LOGS
ndash OAAM Db connection pool
ndash Purge historic data
bull Separate DB for OAM and OAAM
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 32
Tune
bull OHS Tuning is criticalndash KeepAlive On ndash MaxKeepAliveRequestsndash KeepAliveTimeout
bull Webgate tuningsndash Max Connections
ndash Cache PragmaControl headerndash aaaTimeout
bull Goalndash Loadtest Maximum cpu utilizationndash Steady RT
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 33
Access Management ConclusionbullOracle Access Management 11gR2 represents a major milestone in access management technology that is unique in the industry Oraclersquos Access Management platform provides innovative new services that complement traditional access management capabilities
bullThis new platform represents key development goals for complete innovative simplified and scalable access management that is open to third-party customization and integration
bullWhether your need is to provide secure access to browser-based applications secure mobile applications cloud single sign-on secure web services or federated single sign-on to and from your business partners you can be sure that itrsquos a service provided by Oracle Access Management 11gR2 ndash Complete and Scalable Access Management
bull250M Access Management benchmark WhitePaper link
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 34
Agenda
Introduction
Access Manager Performance
Oracle Identity Manager Performance
Conclusion
Q amp A
1
3
4
5
2
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 35
Oracle Identity Governance
bull Oracle Identity Governance Suite enables organizations to simplify access grants and review access through best-in-class provisioning role policy and risk management into a common consistent and unified governance suite
bull Oracle Identity Manager is part of OIG suite
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 36
Oracle Identity Manager
Oracle Identity Manager Performance
Tuning and Managing Application Cache
Tuning Message Driven Beans
Tuning the User Interface
Tuning the JDBC connection pool amp Database
Reconciliation Tuning
1
2
3
4
5
6
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 37
OIM Reconciliation metrics through DMS
bull Schedule Jobndash Time it took to capture the events from the target and time it took to create the
event
bull Action Task ndash Provides information about how much time it took to process the events
bull Event Handlers ndash Reports how much time it took to execute any post process event handlers
bull Audit Handler ndash Reports the time taken to record and process the audit
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 38
OIM metrics through DMS
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 39
OIM metrics through DMS
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 40
Tuning and Managing Application Cachebull Oracle Identity Manager allows caching of metadata which reduces DB
activities network load and improved performancendash You can use Oracle Enterprise Manager (EM) to turn on cachingndash Export the oim-configxml to make changes and then import it back to turn on
caching In Oracle Enterprise Manager console under Identity Management
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 41
Tuning the JDBC Connection Pool amp Database
bull Oracle Identity Manager uses ApplicationDB oimOperationsDB and oimJMSStoreDS datasourcesndash Maximum connections is set at 50ndash Increase this based on your load requirement
bull Monitor key database performance indicators in your production environment and adjust the configurationndash You can use EM to monitor DB amp generate AWRADDM reports
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 42
Tuning the JDBC Connection Pool amp Database Contdhellip
bull Create separate tablespaces for tables that generally grow bigger and are accessed frequently ndash Oracle Identity Manager stores provisioning and approval task details in OSI OSH amp
SCH tablesndash Recommended to group these in one or more dedicated tablespacesndash Storing audit tables in separate tablespace
bull Using Multiple Redo-Log Filesndash Database transactions and commits during a reconciliation run can be high
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 43
Tuning Message Driven Beans
bull Oracle Identity Manager uses Message Driven Beans (MDBs) for processing all offline activitiesndash Reconciliation auditing requests attestation and for its internal kernel operations
bull Default is 80 MDB instances concurrently serve requests ndash Increase this based on your loadndash You can increase this by modifying the OIMMDBWorkManager configuration
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 44
Tuning the User Interface
bull Oracle Identity Manager by default provides 20 front-end thread configurations ndash These threads are used for serving front-end requests
bull Disabling the Reloading of Adapters and Plug-in Configurationndash Reloading of adapters and plug-in configuration are enabled for ease of
development ndash Should be disabled in the production environment
bull Application Module tuning is a critical for the UI performancebull Djboampoolmaxavailablesize = of concurrent users + 20
ndash
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 45
Reconciliation Tuning
bull Configure paged reconciliation to optimize performancebull Database Indexes for reconciliation matching Rulesbull Reconciliation uses matching algorithm to find if the
useraccountroleorganization for which the change is requested bull Matching algorithm compares the data in set of columns in OIM with the
data in target staging table columns
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 46
Reconciliation Tuning Contdhellip
bull Columns that contain the matching rules are defined in the reconciliation profile
bull Indexes created on the matching rule columns to improve the performance of the matching operation
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 47
Conclusion
bull Use tools and information provided in this presentation to achieve maximum performance from your IDM deployment
bull 250M Access Management benchmark WP linkbull Tuning considerations mentioned in this presentation are available
ndash Oracle Identity and Access Management Performance and Tuning Guide
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 48
QampA
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 49
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 28
Performance Analysis Identify (DMS metrics ndash OAMSOAM_OAMController)
AuthZ is 0
AuthN RTis high on this server
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 29
Performance analysis Identify (JFR)
Identifying the bottleneck JFR1Weblogic-gtServlet
2 Clearly authentication call is the slowest -gtSelect and add selection to operative set3 Events-gt logs -gt ldquoFilter slow requests ldquo
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 30
Performance analysis Identify (JFR)
bull Select the events you are interested in
bull Socket Read (Blue)from OMS to OAM appears to be the bottleneck for the servlet calls (pink)
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 31
Tunebull OAM
ndash NAP Connectionbull OAM EJB pool
ndash Coherencebull oamcoherencettlbull MaximumQueueSizebull tangosolcoherencedistributedthreadsbull tangosolcoherencedistributedbackupcountbull max-beans-in-free-pool =450bull DistributedCacheMaxSize
ndash OAM Db session growth should be sustainablebull Monitor the expired session in OAM DB
bull OMSndash Modify OMS-OAM connection to point to local server
ndash Connection pooling to OAM
bull OAAMndash OAAM DB Partition tunings on tables like VCRYPT_ALERT
VT_SESSION_ACTION_MAP VCRYPT_TRACKER_USERNODE_LOGS
ndash OAAM Db connection pool
ndash Purge historic data
bull Separate DB for OAM and OAAM
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 32
Tune
bull OHS Tuning is criticalndash KeepAlive On ndash MaxKeepAliveRequestsndash KeepAliveTimeout
bull Webgate tuningsndash Max Connections
ndash Cache PragmaControl headerndash aaaTimeout
bull Goalndash Loadtest Maximum cpu utilizationndash Steady RT
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 33
Access Management ConclusionbullOracle Access Management 11gR2 represents a major milestone in access management technology that is unique in the industry Oraclersquos Access Management platform provides innovative new services that complement traditional access management capabilities
bullThis new platform represents key development goals for complete innovative simplified and scalable access management that is open to third-party customization and integration
bullWhether your need is to provide secure access to browser-based applications secure mobile applications cloud single sign-on secure web services or federated single sign-on to and from your business partners you can be sure that itrsquos a service provided by Oracle Access Management 11gR2 ndash Complete and Scalable Access Management
bull250M Access Management benchmark WhitePaper link
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 34
Agenda
Introduction
Access Manager Performance
Oracle Identity Manager Performance
Conclusion
Q amp A
1
3
4
5
2
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 35
Oracle Identity Governance
bull Oracle Identity Governance Suite enables organizations to simplify access grants and review access through best-in-class provisioning role policy and risk management into a common consistent and unified governance suite
bull Oracle Identity Manager is part of OIG suite
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 36
Oracle Identity Manager
Oracle Identity Manager Performance
Tuning and Managing Application Cache
Tuning Message Driven Beans
Tuning the User Interface
Tuning the JDBC connection pool amp Database
Reconciliation Tuning
1
2
3
4
5
6
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 37
OIM Reconciliation metrics through DMS
bull Schedule Jobndash Time it took to capture the events from the target and time it took to create the
event
bull Action Task ndash Provides information about how much time it took to process the events
bull Event Handlers ndash Reports how much time it took to execute any post process event handlers
bull Audit Handler ndash Reports the time taken to record and process the audit
Performance analysis: Identify (JFR)
Identifying the bottleneck: JFR
1. WebLogic -> Servlet
2. Clearly authentication call is the slowest -> Select and add selection to operative set
3. Events -> logs -> “Filter slow requests”
Performance analysis: Identify (JFR)
• Select the events you are interested in
• Socket Read (blue) from OMS to OAM appears to be the bottleneck for the servlet calls (pink)
Tune
• OAM
  – NAP Connection
    • OAM EJB pool
  – Coherence
    • oamcoherencettl
    • MaximumQueueSize
    • tangosol.coherence.distributed.threads
    • tangosol.coherence.distributed.backupcount
    • max-beans-in-free-pool = 450
    • DistributedCacheMaxSize
  – OAM DB session growth should be sustainable
    • Monitor the expired session in OAM DB
• OMS
  – Modify OMS-OAM connection to point to local server
  – Connection pooling to OAM
• OAAM
  – OAAM DB partition tunings on tables like VCRYPT_ALERT, VT_SESSION_ACTION_MAP, VCRYPT_TRACKER_USERNODE_LOGS
  – OAAM DB connection pool
  – Purge historic data
• Separate DB for OAM and OAAM
Tune
• OHS Tuning is critical
  – KeepAlive On
  – MaxKeepAliveRequests
  – KeepAliveTimeout
• Webgate tunings
  – Max Connections
  – Cache Pragma/Control header
  – aaaTimeout
• Goal
  – Loadtest: Maximum CPU utilization
  – Steady RT
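The three OHS keep-alive directives named on this slide can be checked in a configuration file before a load test. The Python below is an added example, not part of the original presentation or of Oracle's tooling; the sample `httpd.conf` fragment, host name, port and function names are constructed for illustration.

```python
"""Report the keep-alive directives from the OHS tuning slide in an httpd.conf."""

# Directives named on the slide; Apache directive names are case-insensitive.
KEEPALIVE_DIRECTIVES = ("KeepAlive", "MaxKeepAliveRequests", "KeepAliveTimeout")

# Constructed sample (not from a real deployment): keep-alive disabled globally,
# unlimited requests per connection, timeout overridden in one virtual host.
SAMPLE_CONF = """\
ServerName idm.example.com
# KeepAlive On
KeepAlive Off
MaxKeepAliveRequests 0
<VirtualHost *:7777>
    keepalivetimeout 15
</VirtualHost>
"""


def parse_keepalive(conf_text):
    """Return {directive: [(line_no, scope, value), ...]} in file order."""
    canonical = {name.lower(): name for name in KEEPALIVE_DIRECTIVES}
    found = {name: [] for name in KEEPALIVE_DIRECTIVES}
    scope = []  # stack of open <Section ...> containers
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment (a commented-out directive is inactive)
        if line.startswith("</"):
            if scope:
                scope.pop()
            continue
        if line.startswith("<"):
            scope.append(line.strip("<>"))
            continue
        parts = line.split(None, 1)
        name = canonical.get(parts[0].lower())
        if name:
            value = parts[1].strip() if len(parts) > 1 else ""
            found[name].append((line_no, scope[-1] if scope else "global", value))
    return found


def _is_timeout(value):
    """Accept whole seconds; Apache 2.4 also accepts a form such as 500ms."""
    v = value.lower()
    if v.endswith("ms"):
        v = v[:-2]
    return v.isdigit()


def review_keepalive(conf_text):
    """Return a list of findings for the three keep-alive directives."""
    found = parse_keepalive(conf_text)
    findings = []
    for name in KEEPALIVE_DIRECTIVES:
        if not found[name]:
            findings.append(f"{name}: not set, the server default applies")
    for line_no, scope, value in found["KeepAlive"]:
        if value.lower() != "on":
            findings.append(
                f"line {line_no} ({scope}): KeepAlive is '{value}', the slide calls for On")
    for line_no, scope, value in found["MaxKeepAliveRequests"]:
        if not value.isdigit():
            findings.append(
                f"line {line_no} ({scope}): MaxKeepAliveRequests '{value}' is not a number")
        elif int(value) == 0:
            findings.append(
                f"line {line_no} ({scope}): MaxKeepAliveRequests 0 allows "
                "unlimited requests per connection")
    for line_no, scope, value in found["KeepAliveTimeout"]:
        if not _is_timeout(value):
            findings.append(
                f"line {line_no} ({scope}): KeepAliveTimeout '{value}' is not a valid time")
    return findings


if __name__ == "__main__":
    for finding in review_keepalive(SAMPLE_CONF):
        print(finding)
```
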
Access Management Conclusion
• Oracle Access Management 11gR2 represents a major milestone in access management technology that is unique in the industry. Oracle’s Access Management platform provides innovative new services that complement traditional access management capabilities.
• This new platform represents key development goals for complete, innovative, simplified and scalable access management that is open to third-party customization and integration.
• Whether your need is to provide secure access to browser-based applications, secure mobile applications, cloud single sign-on, secure web services or federated single sign-on to and from your business partners, you can be sure that it’s a service provided by Oracle Access Management 11gR2 – Complete and Scalable Access Management.
• 250M Access Management benchmark WhitePaper link
Agenda
1. Introduction
2. Access Manager Performance
3. Oracle Identity Manager Performance
4. Conclusion
5. Q & A
Oracle Identity Governance
• Oracle Identity Governance Suite enables organizations to simplify access grants and review access through best-in-class provisioning, role, policy and risk management into a common, consistent and unified governance suite
• Oracle Identity Manager is part of OIG suite
Oracle Identity Manager
1. Oracle Identity Manager Performance
2. Tuning and Managing Application Cache
3. Tuning Message Driven Beans
4. Tuning the User Interface
5. Tuning the JDBC connection pool & Database
6. Reconciliation Tuning
OIM Reconciliation metrics through DMS
• Schedule Job – Time it took to capture the events from the target and time it took to create the event
• Action Task – Provides information about how much time it took to process the events
• Event Handlers – Reports how much time it took to execute any post process event handlers
• Audit Handler – Reports the time taken to record and process the audit
OIM metrics through DMS (slides 38-39)
Tuning and Managing Application Cache
• Oracle Identity Manager allows caching of metadata, which reduces DB activity and network load and improves performance
  – You can use Oracle Enterprise Manager (EM) to turn on caching
  – Export the oim-config.xml to make changes and then import it back to turn on caching. In Oracle Enterprise Manager console under Identity Management
Tuning the JDBC Connection Pool & Database
• Oracle Identity Manager uses ApplicationDB, oimOperationsDB and oimJMSStoreDS datasources
  – Maximum connections is set at 50
  – Increase this based on your load requirement
• Monitor key database performance indicators in your production environment and adjust the configuration
  – You can use EM to monitor DB & generate AWR/ADDM reports
Tuning the JDBC Connection Pool & Database Contd…
• Create separate tablespaces for tables that generally grow bigger and are accessed frequently
  – Oracle Identity Manager stores provisioning and approval task details in OSI, OSH & SCH tables
  – Recommended to group these in one or more dedicated tablespaces
  – Storing audit tables in separate tablespace
• Using Multiple Redo-Log Files
  – Database transactions and commits during a reconciliation run can be high
Tuning Message Driven Beans
• Oracle Identity Manager uses Message Driven Beans (MDBs) for processing all offline activities
  – Reconciliation, auditing, requests, attestation and for its internal kernel operations
• By default, 80 MDB instances concurrently serve requests
  – Increase this based on your load
  – You can increase this by modifying the OIMMDBWorkManager configuration
Tuning the User Interface
• Oracle Identity Manager by default provides 20 front-end thread configurations
  – These threads are used for serving front-end requests
• Disabling the Reloading of Adapters and Plug-in Configuration
  – Reloading of adapters and plug-in configuration is enabled for ease of development
  – Should be disabled in the production environment
• Application Module tuning is critical for the UI performance
• -Djbo.ampool.maxavailablesize = # of concurrent users + 20
Reconciliation Tuning
• Configure paged reconciliation to optimize performance
• Database Indexes for reconciliation matching Rules
• Reconciliation uses matching algorithm to find if the user/account/role/organization for which the change is requested
• Matching algorithm compares the data in set of columns in OIM with the data in target staging table columns
Reconciliation Tuning Contd…
• Columns that contain the matching rules are defined in the reconciliation profile
• Indexes created on the matching rule columns to improve the performance of the matching operation
Conclusion
• Use tools and information provided in this presentation to achieve maximum performance from your IDM deployment
• 250M Access Management benchmark WP link
• Tuning considerations mentioned in this presentation are available
  – Oracle Identity and Access Management Performance and Tuning Guide
Q&A

Access Management Conclusion
• Oracle Access Management 11gR2 represents a major milestone in access management technology that is unique in the industry. Oracle's Access Management platform provides innovative new services that complement traditional access management capabilities.
• This new platform represents key development goals for complete, innovative, simplified and scalable access management that is open to third-party customization and integration.
• Whether your need is to provide secure access to browser-based applications, secure mobile applications, cloud single sign-on, secure web services, or federated single sign-on to and from your business partners, you can be sure that it's a service provided by Oracle Access Management 11gR2 – Complete and Scalable Access Management.
• 250M Access Management benchmark white paper link

Agenda
1. Introduction
2. Access Manager Performance
3. Oracle Identity Manager Performance
4. Conclusion
5. Q & A

Oracle Identity Governance
• Oracle Identity Governance Suite enables organizations to simplify access grants and review access through best-in-class provisioning, role, policy and risk management into a common, consistent and unified governance suite
• Oracle Identity Manager is part of the OIG suite

Oracle Identity Manager
1. Oracle Identity Manager Performance
2. Tuning and Managing Application Cache
3. Tuning Message Driven Beans
4. Tuning the User Interface
5. Tuning the JDBC connection pool & Database
6. Reconciliation Tuning

OIM Reconciliation metrics through DMS
• Schedule Job – Time it took to capture the events from the target and time it took to create the event
• Action Task – Provides information about how much time it took to process the events
• Event Handlers – Reports how much time it took to execute any post-process event handlers
• Audit Handler – Reports the time taken to record and process the audit

OIM metrics through DMS

Tuning and Managing Application Cache
• Oracle Identity Manager allows caching of metadata, which reduces DB activity and network load and improves performance
  – You can use Oracle Enterprise Manager (EM) to turn on caching
  – Export the oim-config.xml to make changes and then import it back to turn on caching
  – In Oracle Enterprise Manager console under Identity Management

Tuning the JDBC Connection Pool & Database
• Oracle Identity Manager uses ApplicationDB, oimOperationsDB and oimJMSStoreDS datasources
  – Maximum connections is set at 50
  – Increase this based on your load requirement
• Monitor key database performance indicators in your production environment and adjust the configuration
  – You can use EM to monitor DB & generate AWR/ADDM reports

Tuning the JDBC Connection Pool & Database Contd…
• Create separate tablespaces for tables that generally grow bigger and are accessed frequently
  – Oracle Identity Manager stores provisioning and approval task details in OSI, OSH & SCH tables
  – Recommended to group these in one or more dedicated tablespaces
  – Storing audit tables in separate tablespace
• Using Multiple Redo-Log Files
  – Database transactions and commits during a reconciliation run can be high

Tuning Message Driven Beans
• Oracle Identity Manager uses Message Driven Beans (MDBs) for processing all offline activities
  – Reconciliation, auditing, requests, attestation and for its internal kernel operations
• By default, 80 MDB instances concurrently serve requests
  – Increase this based on your load
  – You can increase this by modifying the OIMMDBWorkManager configuration

Tuning the User Interface
• Oracle Identity Manager by default provides 20 front-end thread configurations
  – These threads are used for serving front-end requests
• Disabling the Reloading of Adapters and Plug-in Configuration
  – Reloading of adapters and plug-in configuration are enabled for ease of development
  – Should be disabled in the production environment
• Application Module tuning is critical for UI performance
• -Djbo.ampool.maxavailablesize = # of concurrent users + 20

Reconciliation Tuning
• Configure paged reconciliation to optimize performance
• Database Indexes for reconciliation matching rules
• Reconciliation uses matching algorithm to find if the user/account/role/organization for which the change is requested
• Matching algorithm compares the data in set of columns in OIM with the data in target staging table columns

Reconciliation Tuning Contd…
• Columns that contain the matching rules are defined in the reconciliation profile
• Indexes created on the matching rule columns to improve the performance of the matching operation

Conclusion
• Use tools and information provided in this presentation to achieve maximum performance from your IDM deployment
• 250M Access Management benchmark WP link
• Tuning considerations mentioned in this presentation are available
  – Oracle Identity and Access Management Performance and Tuning Guide

Q&A
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 34
Agenda
Introduction
Access Manager Performance
Oracle Identity Manager Performance
Conclusion
Q amp A
1
3
4
5
2
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 35
Oracle Identity Governance
bull Oracle Identity Governance Suite enables organizations to simplify access grants and review access through best-in-class provisioning role policy and risk management into a common consistent and unified governance suite
bull Oracle Identity Manager is part of OIG suite
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 36
Oracle Identity Manager
Oracle Identity Manager Performance
Tuning and Managing Application Cache
Tuning Message Driven Beans
Tuning the User Interface
Tuning the JDBC connection pool amp Database
Reconciliation Tuning
1
2
3
4
5
6
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 37
OIM Reconciliation metrics through DMS
bull Schedule Jobndash Time it took to capture the events from the target and time it took to create the
event
bull Action Task ndash Provides information about how much time it took to process the events
bull Event Handlers ndash Reports how much time it took to execute any post process event handlers
bull Audit Handler ndash Reports the time taken to record and process the audit
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 38
OIM metrics through DMS
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 39
OIM metrics through DMS
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 40
Tuning and Managing Application Cachebull Oracle Identity Manager allows caching of metadata which reduces DB
activities network load and improved performancendash You can use Oracle Enterprise Manager (EM) to turn on cachingndash Export the oim-configxml to make changes and then import it back to turn on
caching In Oracle Enterprise Manager console under Identity Management
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 41
Tuning the JDBC Connection Pool amp Database
bull Oracle Identity Manager uses ApplicationDB oimOperationsDB and oimJMSStoreDS datasourcesndash Maximum connections is set at 50ndash Increase this based on your load requirement
bull Monitor key database performance indicators in your production environment and adjust the configurationndash You can use EM to monitor DB amp generate AWRADDM reports
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 42
Tuning the JDBC Connection Pool amp Database Contdhellip
bull Create separate tablespaces for tables that generally grow bigger and are accessed frequently ndash Oracle Identity Manager stores provisioning and approval task details in OSI OSH amp
SCH tablesndash Recommended to group these in one or more dedicated tablespacesndash Storing audit tables in separate tablespace
bull Using Multiple Redo-Log Filesndash Database transactions and commits during a reconciliation run can be high
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 43
Tuning Message Driven Beans
bull Oracle Identity Manager uses Message Driven Beans (MDBs) for processing all offline activitiesndash Reconciliation auditing requests attestation and for its internal kernel operations
bull Default is 80 MDB instances concurrently serve requests ndash Increase this based on your loadndash You can increase this by modifying the OIMMDBWorkManager configuration
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 44
Tuning the User Interface
bull Oracle Identity Manager by default provides 20 front-end thread configurations ndash These threads are used for serving front-end requests
bull Disabling the Reloading of Adapters and Plug-in Configurationndash Reloading of adapters and plug-in configuration are enabled for ease of
development ndash Should be disabled in the production environment
bull Application Module tuning is a critical for the UI performancebull Djboampoolmaxavailablesize = of concurrent users + 20
ndash
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 45
Reconciliation Tuning
bull Configure paged reconciliation to optimize performancebull Database Indexes for reconciliation matching Rulesbull Reconciliation uses matching algorithm to find if the
useraccountroleorganization for which the change is requested bull Matching algorithm compares the data in set of columns in OIM with the
data in target staging table columns
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 46
Reconciliation Tuning Contdhellip
bull Columns that contain the matching rules are defined in the reconciliation profile
bull Indexes created on the matching rule columns to improve the performance of the matching operation
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 47
Conclusion
bull Use tools and information provided in this presentation to achieve maximum performance from your IDM deployment
bull 250M Access Management benchmark WP linkbull Tuning considerations mentioned in this presentation are available
ndash Oracle Identity and Access Management Performance and Tuning Guide
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 48
QampA
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 49
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 35
Oracle Identity Governance
bull Oracle Identity Governance Suite enables organizations to simplify access grants and review access through best-in-class provisioning role policy and risk management into a common consistent and unified governance suite
bull Oracle Identity Manager is part of OIG suite
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 36
Oracle Identity Manager
Oracle Identity Manager Performance
Tuning and Managing Application Cache
Tuning Message Driven Beans
Tuning the User Interface
Tuning the JDBC connection pool amp Database
Reconciliation Tuning
1
2
3
4
5
6
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 37
OIM Reconciliation metrics through DMS
bull Schedule Jobndash Time it took to capture the events from the target and time it took to create the
event
bull Action Task ndash Provides information about how much time it took to process the events
bull Event Handlers ndash Reports how much time it took to execute any post process event handlers
bull Audit Handler ndash Reports the time taken to record and process the audit
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 38
OIM metrics through DMS
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 39
OIM metrics through DMS
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 40
Tuning and Managing Application Cachebull Oracle Identity Manager allows caching of metadata which reduces DB
activities network load and improved performancendash You can use Oracle Enterprise Manager (EM) to turn on cachingndash Export the oim-configxml to make changes and then import it back to turn on
caching In Oracle Enterprise Manager console under Identity Management
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 41
Tuning the JDBC Connection Pool amp Database
bull Oracle Identity Manager uses ApplicationDB oimOperationsDB and oimJMSStoreDS datasourcesndash Maximum connections is set at 50ndash Increase this based on your load requirement
bull Monitor key database performance indicators in your production environment and adjust the configurationndash You can use EM to monitor DB amp generate AWRADDM reports
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 42
Tuning the JDBC Connection Pool amp Database Contdhellip
bull Create separate tablespaces for tables that generally grow bigger and are accessed frequently ndash Oracle Identity Manager stores provisioning and approval task details in OSI OSH amp
SCH tablesndash Recommended to group these in one or more dedicated tablespacesndash Storing audit tables in separate tablespace
bull Using Multiple Redo-Log Filesndash Database transactions and commits during a reconciliation run can be high
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 43
Tuning Message Driven Beans
bull Oracle Identity Manager uses Message Driven Beans (MDBs) for processing all offline activitiesndash Reconciliation auditing requests attestation and for its internal kernel operations
bull Default is 80 MDB instances concurrently serve requests ndash Increase this based on your loadndash You can increase this by modifying the OIMMDBWorkManager configuration
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 44
Tuning the User Interface
bull Oracle Identity Manager by default provides 20 front-end thread configurations ndash These threads are used for serving front-end requests
bull Disabling the Reloading of Adapters and Plug-in Configurationndash Reloading of adapters and plug-in configuration are enabled for ease of
development ndash Should be disabled in the production environment
bull Application Module tuning is a critical for the UI performancebull Djboampoolmaxavailablesize = of concurrent users + 20
ndash
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 45
Reconciliation Tuning
bull Configure paged reconciliation to optimize performancebull Database Indexes for reconciliation matching Rulesbull Reconciliation uses matching algorithm to find if the
useraccountroleorganization for which the change is requested bull Matching algorithm compares the data in set of columns in OIM with the
data in target staging table columns
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 46
Reconciliation Tuning Contdhellip
bull Columns that contain the matching rules are defined in the reconciliation profile
bull Indexes created on the matching rule columns to improve the performance of the matching operation
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 47
Conclusion
bull Use tools and information provided in this presentation to achieve maximum performance from your IDM deployment
bull 250M Access Management benchmark WP linkbull Tuning considerations mentioned in this presentation are available
ndash Oracle Identity and Access Management Performance and Tuning Guide
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 48
QampA
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 49
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 36
Oracle Identity Manager
Oracle Identity Manager Performance
Tuning and Managing Application Cache
Tuning Message Driven Beans
Tuning the User Interface
Tuning the JDBC connection pool amp Database
Reconciliation Tuning
1
2
3
4
5
6
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 37
OIM Reconciliation metrics through DMS
bull Schedule Jobndash Time it took to capture the events from the target and time it took to create the
event
bull Action Task ndash Provides information about how much time it took to process the events
bull Event Handlers ndash Reports how much time it took to execute any post process event handlers
bull Audit Handler ndash Reports the time taken to record and process the audit
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 38
OIM metrics through DMS
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 39
OIM metrics through DMS
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 40
Tuning and Managing Application Cachebull Oracle Identity Manager allows caching of metadata which reduces DB
activities network load and improved performancendash You can use Oracle Enterprise Manager (EM) to turn on cachingndash Export the oim-configxml to make changes and then import it back to turn on
caching In Oracle Enterprise Manager console under Identity Management
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 41
Tuning the JDBC Connection Pool amp Database
bull Oracle Identity Manager uses ApplicationDB oimOperationsDB and oimJMSStoreDS datasourcesndash Maximum connections is set at 50ndash Increase this based on your load requirement
bull Monitor key database performance indicators in your production environment and adjust the configurationndash You can use EM to monitor DB amp generate AWRADDM reports
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 42
Tuning the JDBC Connection Pool amp Database Contdhellip
bull Create separate tablespaces for tables that generally grow bigger and are accessed frequently ndash Oracle Identity Manager stores provisioning and approval task details in OSI OSH amp
SCH tablesndash Recommended to group these in one or more dedicated tablespacesndash Storing audit tables in separate tablespace
bull Using Multiple Redo-Log Filesndash Database transactions and commits during a reconciliation run can be high
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 43
Tuning Message Driven Beans
bull Oracle Identity Manager uses Message Driven Beans (MDBs) for processing all offline activitiesndash Reconciliation auditing requests attestation and for its internal kernel operations
bull Default is 80 MDB instances concurrently serve requests ndash Increase this based on your loadndash You can increase this by modifying the OIMMDBWorkManager configuration
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 44
Tuning the User Interface
bull Oracle Identity Manager by default provides 20 front-end thread configurations ndash These threads are used for serving front-end requests
bull Disabling the Reloading of Adapters and Plug-in Configurationndash Reloading of adapters and plug-in configuration are enabled for ease of
development ndash Should be disabled in the production environment
bull Application Module tuning is a critical for the UI performancebull Djboampoolmaxavailablesize = of concurrent users + 20
ndash
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 45
Reconciliation Tuning
bull Configure paged reconciliation to optimize performancebull Database Indexes for reconciliation matching Rulesbull Reconciliation uses matching algorithm to find if the
useraccountroleorganization for which the change is requested bull Matching algorithm compares the data in set of columns in OIM with the
data in target staging table columns
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 46
Reconciliation Tuning Contdhellip
bull Columns that contain the matching rules are defined in the reconciliation profile
bull Indexes created on the matching rule columns to improve the performance of the matching operation
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 47
Conclusion
bull Use tools and information provided in this presentation to achieve maximum performance from your IDM deployment
bull 250M Access Management benchmark WP linkbull Tuning considerations mentioned in this presentation are available
ndash Oracle Identity and Access Management Performance and Tuning Guide
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 48
QampA
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 49
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 37
OIM Reconciliation metrics through DMS
bull Schedule Jobndash Time it took to capture the events from the target and time it took to create the
event
bull Action Task ndash Provides information about how much time it took to process the events
bull Event Handlers ndash Reports how much time it took to execute any post process event handlers
bull Audit Handler ndash Reports the time taken to record and process the audit
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 38
OIM metrics through DMS
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 39
OIM metrics through DMS
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 40
Tuning and Managing Application Cachebull Oracle Identity Manager allows caching of metadata which reduces DB
activities network load and improved performancendash You can use Oracle Enterprise Manager (EM) to turn on cachingndash Export the oim-configxml to make changes and then import it back to turn on
caching In Oracle Enterprise Manager console under Identity Management
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 41
Tuning the JDBC Connection Pool amp Database
bull Oracle Identity Manager uses ApplicationDB oimOperationsDB and oimJMSStoreDS datasourcesndash Maximum connections is set at 50ndash Increase this based on your load requirement
bull Monitor key database performance indicators in your production environment and adjust the configurationndash You can use EM to monitor DB amp generate AWRADDM reports
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 42
Tuning the JDBC Connection Pool amp Database Contdhellip
bull Create separate tablespaces for tables that generally grow bigger and are accessed frequently ndash Oracle Identity Manager stores provisioning and approval task details in OSI OSH amp
SCH tablesndash Recommended to group these in one or more dedicated tablespacesndash Storing audit tables in separate tablespace
bull Using Multiple Redo-Log Filesndash Database transactions and commits during a reconciliation run can be high
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 43
Tuning Message Driven Beans
bull Oracle Identity Manager uses Message Driven Beans (MDBs) for processing all offline activitiesndash Reconciliation auditing requests attestation and for its internal kernel operations
bull Default is 80 MDB instances concurrently serve requests ndash Increase this based on your loadndash You can increase this by modifying the OIMMDBWorkManager configuration
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 44
Tuning the User Interface
bull Oracle Identity Manager by default provides 20 front-end thread configurations ndash These threads are used for serving front-end requests
bull Disabling the Reloading of Adapters and Plug-in Configurationndash Reloading of adapters and plug-in configuration are enabled for ease of
development ndash Should be disabled in the production environment
bull Application Module tuning is a critical for the UI performancebull Djboampoolmaxavailablesize = of concurrent users + 20
ndash
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 45
Reconciliation Tuning
bull Configure paged reconciliation to optimize performancebull Database Indexes for reconciliation matching Rulesbull Reconciliation uses matching algorithm to find if the
useraccountroleorganization for which the change is requested bull Matching algorithm compares the data in set of columns in OIM with the
data in target staging table columns
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 46
Reconciliation Tuning Contdhellip
bull Columns that contain the matching rules are defined in the reconciliation profile
bull Indexes created on the matching rule columns to improve the performance of the matching operation
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 47
Conclusion
bull Use tools and information provided in this presentation to achieve maximum performance from your IDM deployment
bull 250M Access Management benchmark WP linkbull Tuning considerations mentioned in this presentation are available
ndash Oracle Identity and Access Management Performance and Tuning Guide
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 48
QampA
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 49
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 38
OIM metrics through DMS
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 39
OIM metrics through DMS
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 40
Tuning and Managing Application Cachebull Oracle Identity Manager allows caching of metadata which reduces DB
activities network load and improved performancendash You can use Oracle Enterprise Manager (EM) to turn on cachingndash Export the oim-configxml to make changes and then import it back to turn on
caching In Oracle Enterprise Manager console under Identity Management
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 41
Tuning the JDBC Connection Pool amp Database
bull Oracle Identity Manager uses ApplicationDB oimOperationsDB and oimJMSStoreDS datasourcesndash Maximum connections is set at 50ndash Increase this based on your load requirement
bull Monitor key database performance indicators in your production environment and adjust the configurationndash You can use EM to monitor DB amp generate AWRADDM reports
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 42
Tuning the JDBC Connection Pool amp Database Contdhellip
bull Create separate tablespaces for tables that generally grow bigger and are accessed frequently ndash Oracle Identity Manager stores provisioning and approval task details in OSI OSH amp
SCH tablesndash Recommended to group these in one or more dedicated tablespacesndash Storing audit tables in separate tablespace
bull Using Multiple Redo-Log Filesndash Database transactions and commits during a reconciliation run can be high
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 43
Tuning Message Driven Beans
bull Oracle Identity Manager uses Message Driven Beans (MDBs) for processing all offline activitiesndash Reconciliation auditing requests attestation and for its internal kernel operations
bull Default is 80 MDB instances concurrently serve requests ndash Increase this based on your loadndash You can increase this by modifying the OIMMDBWorkManager configuration
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 44
Tuning the User Interface
bull Oracle Identity Manager by default provides 20 front-end thread configurations ndash These threads are used for serving front-end requests
bull Disabling the Reloading of Adapters and Plug-in Configurationndash Reloading of adapters and plug-in configuration are enabled for ease of
development ndash Should be disabled in the production environment
bull Application Module tuning is a critical for the UI performancebull Djboampoolmaxavailablesize = of concurrent users + 20
ndash
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 45
Reconciliation Tuning
bull Configure paged reconciliation to optimize performancebull Database Indexes for reconciliation matching Rulesbull Reconciliation uses matching algorithm to find if the
useraccountroleorganization for which the change is requested bull Matching algorithm compares the data in set of columns in OIM with the
data in target staging table columns
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 46
Reconciliation Tuning Contdhellip
bull Columns that contain the matching rules are defined in the reconciliation profile
bull Indexes created on the matching rule columns to improve the performance of the matching operation
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 47
Conclusion
bull Use tools and information provided in this presentation to achieve maximum performance from your IDM deployment
bull 250M Access Management benchmark WP linkbull Tuning considerations mentioned in this presentation are available
ndash Oracle Identity and Access Management Performance and Tuning Guide
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 48
QampA
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 49
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 39
OIM metrics through DMS
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 40
Tuning and Managing Application Cachebull Oracle Identity Manager allows caching of metadata which reduces DB
activities network load and improved performancendash You can use Oracle Enterprise Manager (EM) to turn on cachingndash Export the oim-configxml to make changes and then import it back to turn on
caching In Oracle Enterprise Manager console under Identity Management
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 41
Tuning the JDBC Connection Pool amp Database
bull Oracle Identity Manager uses ApplicationDB oimOperationsDB and oimJMSStoreDS datasourcesndash Maximum connections is set at 50ndash Increase this based on your load requirement
bull Monitor key database performance indicators in your production environment and adjust the configurationndash You can use EM to monitor DB amp generate AWRADDM reports
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 42
Tuning the JDBC Connection Pool amp Database Contdhellip
bull Create separate tablespaces for tables that generally grow bigger and are accessed frequently ndash Oracle Identity Manager stores provisioning and approval task details in OSI OSH amp
SCH tablesndash Recommended to group these in one or more dedicated tablespacesndash Storing audit tables in separate tablespace
bull Using Multiple Redo-Log Filesndash Database transactions and commits during a reconciliation run can be high
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 43
Tuning Message Driven Beans
bull Oracle Identity Manager uses Message Driven Beans (MDBs) for processing all offline activitiesndash Reconciliation auditing requests attestation and for its internal kernel operations
bull Default is 80 MDB instances concurrently serve requests ndash Increase this based on your loadndash You can increase this by modifying the OIMMDBWorkManager configuration
Copyright copy 2014 Oracle andor its affiliates All rights reserved | 44
Tuning the User Interface
• Oracle Identity Manager by default provides 20 front-end thread configurations
  – These threads are used for serving front-end requests
• Disabling the Reloading of Adapters and Plug-in Configuration
  – Reloading of adapters and plug-in configuration is enabled for ease of development
  – Should be disabled in the production environment
• Application Module tuning is critical for UI performance
• -Djbo.ampool.maxavailablesize = # of concurrent users + 20
Reconciliation Tuning
• Configure paged reconciliation to optimize performance
• Database Indexes for reconciliation matching Rules
• Reconciliation uses a matching algorithm to find if the user/account/role/organization for which the change is requested
• Matching algorithm compares the data in a set of columns in OIM with the data in target staging table columns
Reconciliation Tuning Cont'd…
• Columns that contain the matching rules are defined in the reconciliation profile
• Indexes created on the matching rule columns to improve the performance of the matching operation
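The effect of indexing a matching-rule column, as an added example that is not from the presentation or from Oracle's code. SQLite stands in for the OIM database; the table names `oim_users` and `recon_staging`, the `login` matching column and the index name are assumptions made for illustration.

```python
import sqlite3

# Constructed stand-ins, not OIM's real schema: "oim_users" plays the OIM-side
# table, "recon_staging" the target staging table, and "login" is the column
# named by the (hypothetical) matching rule.
LOOKUP_SQL = "SELECT usr_key FROM oim_users WHERE login = ?"


def build_db(n_users=5000, n_events=200):
    """Create an in-memory database with constructed users and staged events."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE oim_users (usr_key INTEGER PRIMARY KEY, login TEXT)")
    con.execute("CREATE TABLE recon_staging (event_key INTEGER PRIMARY KEY, login TEXT)")
    con.executemany(
        "INSERT INTO oim_users (login) VALUES (?)",
        ((f"user{i}",) for i in range(n_users)),
    )
    # Even-numbered events refer to existing logins, odd ones to unknown logins.
    con.executemany(
        "INSERT INTO recon_staging (login) VALUES (?)",
        ((f"user{i}" if i % 2 == 0 else f"new{i}",) for i in range(n_events)),
    )
    return con


def lookup_plan(con):
    """Return SQLite's query-plan text for one matching-rule lookup."""
    rows = con.execute("EXPLAIN QUERY PLAN " + LOOKUP_SQL, ("user0",)).fetchall()
    return " | ".join(row[3] for row in rows)


def match_events(con):
    """Apply the matching rule once per staged event; return (matched, unmatched)."""
    matched = unmatched = 0
    for (login,) in con.execute("SELECT login FROM recon_staging").fetchall():
        hit = con.execute(LOOKUP_SQL, (login,)).fetchone()
        if hit is None:
            unmatched += 1
        else:
            matched += 1
    return matched, unmatched


def index_matching_column(con):
    """Create the index on the matching-rule column."""
    con.execute("CREATE INDEX idx_oim_users_login ON oim_users (login)")


if __name__ == "__main__":
    con = build_db()
    print("before:", lookup_plan(con), match_events(con))
    index_matching_column(con)
    print("after: ", lookup_plan(con), match_events(con))
```

The match results are identical before and after; only the access path changes, from a full scan of the user table per event to an index search.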
Conclusion
• Use tools and information provided in this presentation to achieve maximum performance from your IDM deployment
• 250M Access Management benchmark WP link
• Tuning considerations mentioned in this presentation are available
  – Oracle Identity and Access Management Performance and Tuning Guide
Q&A