/db/oim-config.xml configuration file, which is located in MDS where Oracle Identity Manager stores the configuration. You can use Oracle Enterprise Manager (EM) to turn on caching, or export the oim-config.xml to make changes and then import it back to turn on caching.

System Mbean > Application Defined Mbeans > oracle.iam > server:oim_server1 > Application: oim > XMLConfig > Config > XMLConfig.CacheConfig > Cache > XMLConfig.CacheConfig.CacheCategoryConfig, and do the following:

true for all the components except the following two sections:

clustered='false'. For clustered installation, set clustered='true'.

Cache Category Name | Applicable Release | Instructions |
---|---|---|
User_Org_Membership_And_Chain | Oracle Identity Manager 11g Release 2 (11.1.2.1.0) | You can enable this cache category using Oracle Enterprise Manager (EM) or by editing the oim-config.xml configuration file. To do this, complete the following steps: Using EM; Using oim-config.xml File |
ObjectDefinition | Oracle Identity Manager 11g Release 2 (11.1.2.0.0) | You can enable this cache category using Oracle Enterprise Manager (EM). To do so, complete the following steps: |

OIM_HOME/server/bin/ directory.

DOMAIN_HOME/bin/setDomainEnv.sh script.

PurgeCache.bat CATEGORY_NAME on Microsoft Windows or PurgeCache.sh CATEGORY_NAME on UNIX. The CATEGORY_NAME argument represents the name of the category that must be purged. For example, the following commands purge all FormDefinition entries from a system and its clusters:

JVM Parameter | HotSpot JVM | JRockit JVM |
---|---|---|
Min. Heap Size (Xms) | 4GB | 4GB |
Max Heap Size (Xmx) | 8GB | 8GB |
PermSize (-XX:PermSize) | 500m | N/A |
PermGen size (-XX:MaxPermSize) | 1GB | N/A |

DOMAIN_HOME/bin/setOIMDomainEnv.sh (Unix) or setOIMDomainEnv.cmd (Windows). If not, continue to use DOMAIN_HOME/bin/setSOADomainEnv.sh (Unix) or setSOADomainEnv.cmd (Windows) to change the heap size settings.

DEFAULT_MEM_ARGS and PORT_MEM_ARGS from the default value and save.

ApplicationDBDS, oimOperationsDB and oimJMSStoreDS data sources deployed on the Oracle WebLogic Server. You may have to increase the connection pool size for each data source, based on your requirements.

Inactive Connection Timeout parameter to 300.

Seconds to Trust an Idle Pool Connection to 30.

MaxThreadsConstraint values, as shown in Table 26-3, you can determine the optimal value for your system configurations using calculations also given in Table 26-3.

Maximum Threads Constraint for each Work Manager in your particular installation, you should first consult your DBA and ascertain the following values:

Work Managers | Role | Recommended Value for Max Thread Constraint |
---|---|---|
OIMMDBWorkManager | This Work Manager applies to most OIM Message Driven Beans (MDB) and limits the number of concurrent threads/MDB-processing JMS messages for all offline activities except audit. | Round(1/3[([d-t]/n)-10]) |
OIMAuditWorkManager | This Work Manager applies to audit MDBs. It limits the number of concurrent threads/MDB processing audit-related JMS messages. | 5 |
OIMWorkManager | This Work Manager applies to all OIM Enterprise JavaBeans (EJB), which implement underlying APIs. It also limits the number of concurrent threads processing incoming API calls. | Round(2/3[([d-t]/n)-10]) |
OIMUIWorkManager | This Work Manager limits the number of threads serving requests to and from the user interface. | 10 (based on UI Concurrency) |

MaxThreadsConstraint value, do the following:

Parameter | Recommended Initial Settings for Oracle Database 11g |
---|---|
memory_target | Using Automatic Memory Management feature in Oracle Database 11g, the MEMORY_TARGET and MEMORY_MAX_TARGET parameters can be used to manage the SGA and PGA together. Following are the memory settings for all the releases of IDM: You can unset the MEMORY_TARGET and MEMORY_MAX_TARGET from 11g onwards. When considering MEMORY_TARGET for managing the database memory components, SGA_TARGET and PGA_AGGREGATE_TARGET can be left unallocated, which is 0. |
db_keep_cache_size | 800M |
cursor_sharing | FORCE |
open_cursors | 800 |
session_cached_cursors | 800 |
query_rewrite_integrity | TRUSTED |
query_rewrite_enabled | TRUE |
processes | Based on connection pool settings |
MAX_DISPATCHERS | 0 |
MAX_SHARED_SERVERS | 0 |
DISK_ASYNCH_IO | True |

setDomainEnv.sh file. These settings are already set out-of-box (OOB) in later releases of Oracle Identity Manager 11g Release 2 (11.1.2). To add the recommended application module settings for Oracle Identity Manager, do the following:

$DOMAIN_HOME/bin/setDomainEnv.sh in a text editor.

setDomainEnv.sh file, find the following lines:

Djbo.ampool.maxavailablesize:

Djbo.ampool.maxavailablesize = # of concurrent users + 20%

setDomainEnv.sh file.

PageSize attribute of the user reconciliation scheduled task. The default value of 100 for PageSize suits most scenarios.

100.

ReconAttributeMap.xml that is provided as part of the patch, using the deployment manager. You can ignore ActiveDirectory.Connector.dll provided in the patch, as it is updated in the 11.1.1.6.0 version itself. For patching instructions, refer to the Readme that is available with the patch.

Lookup.Configuration.ActiveDirectory and add the entry below.

Code Key: Ignore Event Disabled
Decode: true

10000. The recommended batch size is 500.

10000, use the Page Size Configuration property present in Lookup.Configuration.ActiveDirectory and Lookup.Configuration.ActiveDirectory.Trusted.

Batch Size, Batch Start, Number of Batches, Sort By, and Sort Direction.

PageSize greater than the MaxPageSize of the target system, the Active Directory server ignores it and uses the MaxPageSize instead. No exception is generated in this case. In some cases, you might need to specify a smaller page size to avoid timeouts or overtaxing the server. Some queries are especially expensive. Therefore, limiting the number of results in a single page can help avoid this. For the Active Directory Connector, use the default value 1000 for the best performance.

Filters and provide the value for the Search Base, if a specific set of records is to be retrieved from the target. The filter provided in the scheduled task is converted into an LDAP query. The filters help narrow down the search, making the searching and processing of the data quicker. For more information about the filters, refer to the Active Directory Connector Documentation.

Validate Recon Profile test present in the diagnostic dashboard, or by using Validate Recon Profile MBean present in EM.

ownerMatchingRuleWhereClause or matchingRule for all entities:

ownerMatchingRuleWhereClause = (((UPPER(USR.USR_LOGIN)=UPPER(RA_ADUSER7.RECON_USERID5A729570)) OR (UPPER(USR.USR_UDF_OBGUID)=UPPER(RA_ADUSER7.RECON_OBJECTGUID))))

Table Name | Column to be Indexed |
---|---|
USR | UPPER(USR_LOGIN) |
USR | UPPER(USR.USR_UDF_OBGUID) |
RA_ADUSER7 | UPPER(RECON_USERID5A729570) |
RA_ADUSER7 | UPPER(RA_ADUSER7.RECON_OBJECTGUID) |

UPPER, SUBSTR in the matching rule. In Table 26-5, UPPER is the function used on all columns.

USR table should already have function-based index on UPPER(USR_LOGIN).

Validate Recon Profile test present in the diagnostic dashboard, or by using Validate Recon profile MBean present in EM.

<matchingruleWhereClause>:

<matchingruleWhereClause>((UD_ADUSER.UD_ADUSER_OBJECTGUID=RA_ADUSER7.RECON_OBJECTGUID))</matchingruleWhereClause>

Table Name | Column to be Indexed |
---|---|
UD_ADUSER | UD_ADUSER_OBJECTGUID |
RA_ADUSER7 | RECON_OBJECTGUID |

UPPER, SUBSTR in the matching rule.

Validate Recon Profile test present in the diagnostic dashboard, or by using Validate Recon profile MBean present in EM.

<matchingruleWhereClause> tag under <childreconeventdata>:

<matchingruleWhereClause>((UD_ADUSRC.UD_ADUSRC_GROUPNAME=RA_UD_ADUSRC.RECON_MEMBEROF))</matchingruleWhereClause>

Table Name | Column to be Indexed |
---|---|
UD_ADUSRC | UD_ADUSRC_GROUPNAME |
RA_UD_ADUSRC | RECON_MEMBEROF |
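
The index tables above can be derived mechanically from the matching rules. The following is an added example, not Oracle's code: it parses each of the three rules quoted on this page into (table, expression) pairs and renders CREATE INDEX statements. The index name prefix IDX_RECON and the restriction to single, non-nested functions with integer arguments are assumptions of the example.

```python
import re

# The three matching rules quoted on this page (user, account, child data).
USER_RULE = (
    "(((UPPER(USR.USR_LOGIN)=UPPER(RA_ADUSER7.RECON_USERID5A729570)) OR "
    "(UPPER(USR.USR_UDF_OBGUID)=UPPER(RA_ADUSER7.RECON_OBJECTGUID))))"
)
ACCOUNT_RULE = "((UD_ADUSER.UD_ADUSER_OBJECTGUID=RA_ADUSER7.RECON_OBJECTGUID))"
CHILD_RULE = "((UD_ADUSRC.UD_ADUSRC_GROUPNAME=RA_UD_ADUSRC.RECON_MEMBEROF))"

IDENT = r"[A-Z][A-Z0-9_]*"
# An operand is FUNC(TABLE.COLUMN[, n, ...]) or a bare TABLE.COLUMN. Extra
# arguments must be integers (as in SUBSTR(col, 1, 5)), so only identifiers
# and digits can reach the generated DDL. Nested functions are not handled.
OPERAND = re.compile(
    rf"\b(?P<fn>[A-Z_]+)\(\s*(?P<ft>{IDENT})\.(?P<fc>{IDENT})"
    rf"(?P<args>(?:\s*,\s*\d+)*)\s*\)"
    rf"|\b(?P<table>{IDENT})\.(?P<col>{IDENT})"
)


def index_candidates(rule):
    """Return ordered, de-duplicated (table, expression) pairs to index."""
    pairs = []
    for m in OPERAND.finditer(rule.upper()):
        if m.group("fn"):
            args = re.sub(r"\s+", "", m.group("args"))
            pair = (m.group("ft"), f"{m.group('fn')}({m.group('fc')}{args})")
        else:
            pair = (m.group("table"), m.group("col"))
        if pair not in pairs:
            pairs.append(pair)
    return pairs


def index_ddl(rule, prefix="IDX_RECON"):
    """Render CREATE INDEX statements; the index names are hypothetical."""
    return [
        f"CREATE INDEX {prefix}_{n} ON {table} ({expr})"
        for n, (table, expr) in enumerate(index_candidates(rule), start=1)
    ]


if __name__ == "__main__":
    for rule in (USER_RULE, ACCOUNT_RULE, CHILD_RULE):
        print("\n".join(index_ddl(rule)))
```

Compare the output with the existing indexes before running any of it: as noted above, the USR table should already have the function-based index on UPPER(USR_LOGIN).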

UPPER, SUBSTR in the matching rule.

Event Handler | Description |
---|---|
AccountReconAuditHandler | Responsible for Auditing account/target reconciliation changes |
ReconScheduledTaskAccountHandler | Trigger workflows associated with account/target reconciliation |
ReconScheduledTaskUserHandler | Trigger workflows associated with trusted reconciliation |
ReconUserDisplayNameHandler | Generates custom display name for trusted reconciliation |
ReconUserLoginHandler | Generates custom login for reconciliation |
ReconUserPasswordHandler | Generates custom passwords for trusted reconciliation |
UserCreateLdapPostProcessHandler | Creates user in LDAP if LDAP synchronization is enabled |
UserUpdateLdapPostProcessHandler | Updates user in LDAP if LDAP synchronization is enabled |

http://<servername>:<port>/dms

port refers to the WebLogic Administration Server port. To log in, you must use the WebLogic admin credentials.

Name | Parameter | Value |
---|---|---|
OVD general | Listeners - LDAP Endpoint | 50 |
OVD general | Listeners - LDAP SSL Endpoint | 50 |
User Adapter | Max Pool Size | 500 |
User Adapter | Operation Timeout | 1500000 |
User Adapter | Max Pool Wait | 1000 |
Changelog adapter | Max Pool Size | 500 |
Changelog adapter | Operation Timeout | 1500000 |

Name | Parameter | Value |
---|---|---|
Max Number of DB Connections | orclmaxcc | 10 |
Number of Processes | orclserverprocs | 2 - 4 |
Skip Referral Process | orclskiprefinsql | 1 |
LDAP Connection Timeout | orclldapconntimeout | 60 |
Enable MatchDN Processing | orclmatchdnenabled | 0 |
Enable Entry Cache | orclcacheenabled | 0 |

Name | Parameter | Value |
---|---|---|
User Adapter | Max Pool Size | 500 |
User Adapter | Operation Timeout | 1500000 |
User Adapter | Max Pool Wait | 1000 |
Changelog adapter | Max Pool Size | 500 |
Changelog adapter | Operation Timeout | 1500000 |