Sun Identity Manager

This page contains the following information regarding Sun Identity Manager:

  • Definition of Severity Levels (when opening Service Requests)
  • Get Session Information
  • General Tracing
  • Difference Between MISSING and DELETED in Account Index
  • Tuning the JVM, Understanding the differences between JVMs, and Identifying Issues
  • IDM Tips

Definition of Severity Levels (when opening Service Requests)

Urgent/Severity-1: System is down with no workaround or critical impairment of customer operations.
Serious/Severity-2: Major issue, workaround available. Customer able to continue business operations.
Non-critical/Severity-3: Response requested, not urgent.
Severity-4: Non-urgent, extended resolution issues.

Get Session Information

There are a few ways to get the session, but the following seems to work more efficiently (added to a form or workflow):

<select>
  <ref>:display.session</ref>
  <ref>context</ref>
  <invoke>
    ---------------
  </invoke>
</select>

This example tries each expression in turn and returns the first one that yields a non-null session.

General Tracing

  • Trace Userform
Navigate to http://%idmserver%/idm/debug/Show_WSProp.jsp
Set "form.trace" = true
Set "workflow.trace" = true
Set "xpress.trace" = true
The output should be in your stdout
  • Trace Resource
Navigate to http://%idmserver%/idm/debug/session.jsp
Click the "Type:" drop down menu next to List Objects and choose "Resource"
With "Resource" displayed click List objects
From the "List Objects of type: Resource" page choose "view" next to the correct Resource Adapter
Copy the "com.waveset.adapter.%resourceadapter%" from the 'Resource id' line
Click the back button twice
Click Show Trace List
From the "Lighthouse Trace Configuration" page click on Global
From the "Edit Trace Configuration" page check the Trace Enabled check box
Paste the "com.waveset.adapter.%resourceadapter%" into the space provided for Method/Class and choose level 4
Configure the path for the trace file and the remaining settings, then save
  • Trace Gateway
Navigate to http://%idmserver%/idm/debug/Gateway.jsp
Choose the correct "Gateway Resource"
Next to "File:" on the 'Set Trace Parameters' line, type the desired destination for the output file,
   set "Level:" to 4 and set the desired size in kilobytes
  • SPML tracing

private static final String CLASS = "com.waveset.rpc.SpmlHandler";

  • FFAS

You'll want to obtain level 4 Active sync logging on the FF adapter itself.

Also, you'll want to obtain a level 4 class trace on com.waveset.sync.IAPIProcessImpl and com.waveset.sync.IAPIUserImpl,
along with the diffs file for the FFAS.

Difference Between MISSING and DELETED in Account Index

Below is the difference between MISSING and DELETED.

MISSING:

 No account was found on a resource assigned to the user (but
 Lighthouse did not really expect the account to exist).

DELETED:

 Did NOT find an account we expected to find on the resource. (and
 Lighthouse was sure that the account existed).

Whether the situation is DELETED or MISSING depends on the 'created' attribute in the user object.

Below is our code that determines the situation of the user:

situation = expectAccount ? Situation.DELETED : Situation.MISSING;

If expectAccount = true, and user not found in resource, then situation = DELETED.

If expectAccount = false, and user not found in resource, then situation = MISSING.

So, we derive the expectAccount value from 'created' attribute in the user object.
I extracted the following user object.

  <ResourceInfoList>
    <ResourceInfo accountId='aauser' tempId='xxxxx' created='true' lastPasswordUpdate='1213861918390'>
      <ObjectRef type='Resource' id='xxxxxx' name='Domino RA'/>
    </ResourceInfo>
  </ResourceInfoList>

In the above, created='true', which results in expectAccount=true.
If the account is not found on the resource, the situation will be set to DELETED.

Before performing a full recon, advise the customer to inspect the user object, specifically the ResourceInfo tag, to monitor how the situation changes between MISSING and DELETED.
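
The rule above, applied to a saved copy of a user object and to two snapshots of it taken at different times. This is an added example, not Identity Manager code; the second resource ('Example LDAP'), the AFTER snapshot, and the treatment of a missing 'created' attribute as false are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the page's ResourceInfo entry plus a hypothetical second
# resource ('Example LDAP') whose 'created' attribute is absent.
BEFORE = """<User name='aauser'><ResourceInfoList>
  <ResourceInfo accountId='aauser' tempId='xxxxx' created='true' lastPasswordUpdate='1213861918390'>
    <ObjectRef type='Resource' id='xxxxxx' name='Domino RA'/>
  </ResourceInfo>
  <ResourceInfo accountId='aauser'>
    <ObjectRef type='Resource' id='yyyyyy' name='Example LDAP'/>
  </ResourceInfo>
</ResourceInfoList></User>"""

# Constructed later snapshot of the same user: 'created' is now set on the second entry.
AFTER = BEFORE.replace("<ResourceInfo accountId='aauser'>",
                       "<ResourceInfo accountId='aauser' created='true'>")


def situations_if_absent(user_xml):
    """Map (resource name, accountId) to the situation reconciliation would
    record if that account were not found on the resource."""
    result = {}
    for info in ET.fromstring(user_xml).iter("ResourceInfo"):
        ref = info.find("ObjectRef[@type='Resource']")
        resource = ref.get("name") if ref is not None else "(no ObjectRef)"
        # Assumption: a missing 'created' attribute is treated as false.
        expect_account = info.get("created", "false").strip().lower() == "true"
        # Same rule as the page: expectAccount ? DELETED : MISSING
        situation = "DELETED" if expect_account else "MISSING"
        result[(resource, info.get("accountId"))] = situation
    return result


def situation_changes(before_xml, after_xml):
    """Return entries whose predicted situation differs between two snapshots
    of the same user object, as {key: (before, after)}; None = entry absent."""
    before, after = situations_if_absent(before_xml), situations_if_absent(after_xml)
    return {key: (before.get(key), after.get(key))
            for key in sorted(set(before) | set(after), key=str)
            if before.get(key) != after.get(key)}


if __name__ == "__main__":
    for key, situation in situations_if_absent(BEFORE).items():
        print(key, "->", situation)
    print("changed:", situation_changes(BEFORE, AFTER))
```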

Tuning the JVM, Understanding the differences between JVMs, and Identifying Issues

When to suspect the JVM might be the problem

1. When receiving OutOfMemory exceptions
2. If recons or other workflows terminate prematurely with little or no explanation
3. Anytime you see the product performing poorly, sluggish, freezing, app server hanging, etc.
4. If the app server is core dumping and crashing
5. If the IDM UI is slow or freezing up when trying to run reports or workflows.
6. Anytime there is even a remote possibility the issue is a performance issue.

What data to collect

1. Manufacturer and EXACT version information about the JDK in use.  eg.

   # java --version
   java version "1.4.2"
   gij (GNU libgcj) version 4.1.0 (Ubuntu 4.1.0-1ubuntu8)

2. The bit mode of the operating system, JDK, and app server software (eg. have them verify with no uncertainty
   whether they are running in 32-bit or 64-bit mode for each piece of the puzzle).

3. OS Platform (eg. Windows 2003, AIX, Linux, Solaris, etc.)

4. JVM Environmental settings: Xms (minimum java heap), Xmx (max heap), gc (garbage collection method/mode and
   intervals - different JDKs have different command-line options for configuring the garbage collector and different
   options as to how and when the GC operates, it is critical to understand how they have configured this...their app
   server team should know)

5. Heap dumps and thread dumps of the running IDM jvm while an issue is being encountered:
    - You can have the customer execute a "kill -3" on the running java process to capture a thread dump.
    - Websphere has settings where you can configure the JVM to dump a copy of the java heap whenever an OOM condition
      is encountered, have them turn this on.  You will need to download the HP HeapAnalyzer tool to view the PHD
      (portable heap dump) files, but they can be helpful in certain OOM conditions.
    - Some JDKs have options to grab memory histograms/heap dumps from the running process while it remains alive.
      Check to see if you can gather one of those.

6. All the usual IDM tracing and logs.

What to do with the data

1. Find the JDK's diagnostic guide on the internet so that you can read up on the memory management model used by
   that JDK version on that platform.  IBM's Diagnostic Guides for all versions can be found here:

   http://www.ibm.com/developerworks/java/jdk/diagnosis

   If you are looking for Jrockit's guides, look here:

   http://edocs.bea.com/jrockit/geninfo/diagnos/index.html

2. Use those guides to recommend some debugging steps to the customer so they can turn on extra tracing or logging
   from the JVM side, or if there is an actual error being thrown, you might find an explanation of the error in
   those guides.

3. See if their max heap is set high enough to handle the job, a decent minimum for our product is 1Gig.  Also, some
   customers like to set the minimum heap to the same size as the max....be careful in doing this.  This can negatively
   impact garbage collection in some JDKs.  I have particularly seen Jrockit do weird things if the max and min heap
   are set to the same number.  A safe minimum heap is 512M.

4. Don't be afraid to ask them to bump their max heap up to 2Gigs if you are seeing OOMs (Unless you are on the
   IBM 32-bit 1.4.2 JDK for AIX, see below).

5. Look through the logs and traces for app server/JDK error codes that might be getting thrown. Each JDK has its
   own unique set of error codes that it will throw upon certain conditions and the diagnostic guides and/or Google
   searches will reveal lots of good information about the root cause if you can find these error codes.  Several
   performance related issues I've debugged have come down to IBM or BEA patches that needed to be installed.
   Don't be afraid to direct the customer to their other software vendors if the issue resides in that 3rd party product.

Things to remember

1. Every JDK handles memory allocation and processes differently.

2. Most JDKs (besides the Sun JDK) require contiguous memory space to be available before they will store objects
   in memory.

3. If a JDK that requires contiguous memory space encounters a situation where it needs to store a java object of
   the size 50M, but it can only find a slot that is 45M in size, it will throw an OOM exception and IDM will
   crash regardless of the fact that only 80 or 90% of the total heap space is in use.

4. Garbage collection is critical for these kinds of JDKs because space needs to be reclaimed and consolidated so
   that new objects have sufficient contiguous blocks of memory to operate in.

5. Each version of JDK, on each platform, in each bit mode has different nuances to be aware of, so no blanket memory
   advice is ever accurate.  Be aware of the specific details of the JDK you are dealing with (as found in the diagnostic
   guides) before you make recommendations.  For example, the IBM JDK on AIX in 32-bit mode and version 1.4.2 can only
   address 2 Gigs of memory and separates that memory into java and native spaces.  If you set the max heap (-Xmx)
   setting to 1024M, then native operations (threads, sockets, etc) only have 1 gig to operate in.  If you bump up the
   max heap to 2 Gig, then native heap has zero space to work with and has to contend with other applications to get
   space in the 500 meg shared memory pool. The IBM 1.4.2 32-bit JDK on the Windows platform has no such limitations.
   Neither does the 64-bit AIX version.  Each JDK is different....know the differences.

6. Educate yourself about the way our product uses memory (and understand that it was written for and optimized in the
   Sun JDK environment), and don't be afraid to insist that the customer try different settings until the performance
   issue is tweaked away or there is at least a satisfactory workaround found.

More information can be found at: http://docs.sun.com/app/docs/doc/820-5823/gifvv?a=view

IDM Tips

Reconciliation Troubleshooting

Starting on page 16 (under Troubleshooting) of "http://dlc.sun.com/pdf/820-0821/820-0821.pdf" it is explained how to turn on tracing.

The following site describes how to trace a resource adapter, "http://docs.sun.com/app/docs/doc/820-5823/ahyfd?a=view" (the typical method to trace is in the form of - com.waveset.adapter.adaptername). Obtain an export of the Cu's Resource Adapter to get the exact name of the RA for which to trace. Trace at Level 4.

Page 15 of "http://support.daou.co.kr/include/download.jsp?d_name=IDM_Troubleshooting_7-0.pdf&b_seq=1952" contains good information regarding tracing.

To trace reconciliation itself please review the following:

http://docs.sun.com/app/docs/doc/820-5823/ahyft?a=view
(the actual Reconciliation method is referred to by "com.waveset.task.Reconciler").
Trace at Level 4.

It will also prove helpful for the Cu to do the following from these two debug pages:

IDM_INSTALL/idm/debug/Show_Memory.jsp
IDM_INSTALL/idm/debug/Show_Threads.jsp

1. Prior to running the Reconciliation, navigate to "IDM_INSTALL/idm/debug/Show_Memory.jsp"
2. Click on the "Garbage Collect" tab
3. From the browser menu, navigate to:
   a. File\Save Page As
   b. Save the page as "BeforeReconShowMem.htm"
4. Navigate to "IDM_INSTALL/idm/debug/Show_Threads.jsp"
5. Perform the same steps in step 3.), only this time name the saved page as "BeforeReconShowThreads.htm"
6. Initiate the Reconciliation
7. When the Reconciliation "hangs", perform steps 1.) - 5.) only this time name both the files with the prefix 
   "After" in place of the "Before"
8. Obtain the 4 files from the Cu

Active Directory issues

IDM_Release_Notes_5_0.pdf - Page 32

If a user is moved from an Organization (OU) to a sub-organization, the LDAP
ChangeLog adapter will not recognize the change and assumes the user has
been deleted. The user object is then locked in LH (if that is the current setting),
and a "new" account is not created for the moved account (ID-4953).

Obtaining a Default Export

lh console -c "export -v all.xml all"

Please perform the following to produce a default export:

1. From the command line cd to [IDMBASEINSTALL]/
2. Execute the following:

     lh console -c "export -v default.xml default"

Finding the owner of a WorkItem

Search within the WFTrace file to find the "accountId" in a suspended state
Findstr to search for "accountId" among the Task Instances
Search for "WorkItem" string within "TaskInstance"
Findstr to search for "Workitem" string within WorkItems
Find the "owner=" within the specified WorkItem

JDK Version

"lh assessment -c installed" prints out the JDK

1. From the command line cd to IDMBASEINSTALL
2. Execute the following
lh assessment -c installed
Check what JAVA_HOME is set to

How to determine IDM version

1) cd $WSHOME/bin
lh console -u <user>  
lh console -u <user> -p <password file>

e.g. lh console -u myconfig -p passwd.txt 

myconfig> version
    Sun Java System Identity Manager 7.1 (20080926 Update 1 Patch 7)

2) Log in to IDM. Hover the mouse pointer over "Help" in the top right corner.

Importing update.xml

If you just want to import the update.xml, try lh -Xmx1024m console -c "import -v <WSHOME>/sample/update.xml" where WSHOME is the path to the install directory.

Capturing a thread dump

When a "hang" occurs, please do the following:

(a) Navigate to the app server console (JVM term/cmd window used to launch IDM)
(b) If this is a Windows environment, perform a <ctrl>-<break>; if it is a Linux/UNIX platform, perform a
    "kill -3" on the correct PID (request assistance from your OS administrator[s] if necessary)
(c) Repeat steps (a) and (b) every 30 seconds to a minute,  for about 5 min straight
(d) Copy the resulting output and paste it into a .txt or .doc file

Websphere Datasource

When using a data source in WebSphere the database's username and password must be specified in the lh setRepo command. If they are not specified the connection used will be the J2C authentication data from within the application server.
