

Tune the access to the LDAP server

Configure the pooling parameters to improve the performance of concurrent access to an LDAP server.

Virtual member manager supports two pooling mechanisms for LDAP repositories:


Connection pooling

The connection pooling mechanism is provided by the Java Runtime Environment (JRE) at the JNDI layer.

We can enable or disable connection pooling for each LDAP repository configured in virtual member manager. In the console, on the Global security > Federated repositories > Manage repositories > repository_name page, select the Use connection pooling option to enable the connection pooling mechanism. For information about accessing this page, read about Increasing the performance of the federated repository in the WAS information center.

After you enable connection pooling, use the connection pooling settings to specify how the JNDI layer handles pooling. In the administrative console, use the Application servers > server_name > Process definition > Java Virtual Machine page to configure Java virtual machine (JVM) settings and specify the Generic JVM arguments. For information about accessing this page, read about Configuring the JVM in the WAS information center.

These settings affect all applications running on the server, not just virtual member manager. For more information about the properties used by the JNDI layer to configure the pool settings, read about Connection Pooling Configuration (java.sun.com/products/jndi/tutorial/ldap/connect/config.html) on the Sun website.


Context pooling

Virtual member manager uses the context pooling mechanism to improve the performance of concurrent access to an LDAP server.

Context pooling works at a higher level than connection pooling. Each context entry in the context pool corresponds to a socket connection to the LDAP server. The bind credentials used by this pool are specified when configuring the LDAP repository.

In the administrative console, on the Global security > Federated repositories > Manage repositories > repository_name page, select the Enable context pool option to enable the context pooling mechanism and specify values for the context pool parameters. For more information on configuring context pooling through the administrative console, read about LDAP performance settings in the WAS information center.

We can also use the setIdMgrLDAPContextPool command to set the values for the context pool parameters. For more information about setting the context pooling parameters, read about the setIdMgrLDAPContextPool command of the IdMgrRepositoryConfig command group in the WAS information center.


Performance tuning

As context pooling has the same benefit as connection pooling, it is not necessary to enable connection pooling. By default, connection pooling is disabled in virtual member manager.

Enabling both context and connection pools may not provide any added performance benefit, and may produce adverse effects when performing concurrent authentications.

Most operations, such as create, search, update, or delete, are performed using an available context (DirContext) from the context pool. Each context is associated with one socket connection (when connection pooling is disabled). For these operations, the maximum number of sockets that virtual member manager opens against the LDAP server does not exceed the value specified for the maximum pool size parameter.


Concurrent authentications

Virtual member manager does not use the context pool to authenticate a user. Instead, it binds with the distinguished name and password of the authenticating user. When authenticating different users, this forces the JNDI layer to create a new socket connection for each authentication. If connection pooling is disabled, the socket is closed immediately after the authentication is completed. However, if connection pooling is enabled, the socket remains open until it times out. Therefore, if the application performs concurrent authentication, disable connection pooling to prevent the number of sockets that virtual member manager opens against the LDAP server from exceeding the capability of the server.

The maximum number of socket connections that virtual member manager opens for all operations (including authentications) is the value specified for maximum pool size plus the number of concurrent authentications. For example, if 250 clients log in and perform a search simultaneously, then 250 new sockets are opened to perform the authentication, in addition to the 250 sockets that are taken from the context pool to perform the search. The total number of sockets at this time may reach 500, but after the authentications are completed, the 250 new sockets that were opened for the authentication are closed, if connection pooling is disabled. If connection pooling is enabled, the 250 new sockets remain open until they time out.
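The socket arithmetic above can be checked against a login timeline before changing the pooling settings. The following model is an added example, not code from the product or its documentation; it extends the 250-client case to a second wave of logins. The 300-second idle timeout, the 0.5-second bind time, the sample DNs, and the rule that an idle pooled socket is reused only by the same DN are assumptions made for illustration.

```python
# Added example: timeline model of the sockets opened by user binds.
# Assumptions (not product behaviour): times are in seconds, every bind takes
# bind_time, and an idle pooled socket is reused only by the same bind DN.

def auth_sockets(logins, conn_pooling, idle_timeout=300.0, bind_time=0.5):
    """Return [open, busy_until, close] for each socket created by a user bind."""
    sockets, last = [], {}          # last: user DN -> its most recent socket
    for t, dn in sorted(logins):
        s = last.get(dn)
        if conn_pooling and s is not None and s[1] <= t < s[2]:
            # Same identity and the socket is idle in the pool: reuse it
            # and restart its idle timer.
            s[1] = t + bind_time
            s[2] = s[1] + idle_timeout
            continue
        busy_until = t + bind_time
        # Pooling disabled: the socket closes as soon as the bind completes.
        close = busy_until + (idle_timeout if conn_pooling else 0.0)
        s = [t, busy_until, close]
        sockets.append(s)
        last[dn] = s
    return sockets

def open_at(sockets, t):
    """Number of bind sockets open at time t."""
    return sum(1 for o, _, c in sockets if o <= t < c)

def peak_total(logins, max_pool_size, conn_pooling, **kw):
    """Worst case: a full context pool plus the peak number of bind sockets."""
    sockets = auth_sockets(logins, conn_pooling, **kw)
    # The peak of overlapping intervals always falls on some open time.
    peak = max((open_at(sockets, o) for o, _, _ in sockets), default=0)
    return max_pool_size + peak

# Constructed input: two waves of 250 distinct users, 60 seconds apart.
WAVE1 = [(0.0, f"uid=user{i},o=example") for i in range(250)]
WAVE2 = [(60.0, f"uid=user{i},o=example") for i in range(250, 500)]

if __name__ == "__main__":
    for pooling in (False, True):
        print("connection pooling", pooling, "-> peak sockets",
              peak_total(WAVE1 + WAVE2, 250, pooling))
```

With connection pooling enabled, the first wave's sockets are still open when the second wave binds, so the peak grows with every wave of distinct users that arrives inside the timeout window.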

The default values for context pooling are suitable for most environments. Use the following context pool settings for performance tuning, assuming that connection pooling is disabled:
