4.10 Tuning the Access Gateway for Performance

Use the following information to improve the performance of your Access Gateway cluster.

4.10.1 Basic Tuning Options

The following Access Manager components and features can affect the performance of the Access Gateway cluster.

Maximum Number of User Sessions: Currently, we recommend that you keep the maximum number of user sessions per Access Gateway to 5000 sessions. If your Access Gateways are exceeding this number or getting close to it, we recommend that you add another Access Gateway to the cluster.

If you want to support more than 5000 sessions per Access Gateway, you need to modify the Java memory parameters. For configuration information, see Section 4.10.2, Java Memory Allocations.

LDAP Attributes: If you have policies that use LDAP attributes, configure the Embedded Service Provider to obtain these attribute values at authentication. When a policy needs to be evaluated for a user, the values are then available in cache. If the values are not in cache, an LDAP query must be sent to retrieve them. If the user then accesses another resource that requires different LDAP attributes, another query must be sent. For configuration information, see Sending Attributes to the Embedded Service Provider in the NetIQ Access Manager Appliance 3.2 SP3 Identity Server Guide.

Identity Server Configuration: A number of the configuration options for the Identity Server add authentication overhead. You need to balance possible performance enhancements with your needs to enable these options. For example, limiting user sessions adds another check to the authentication process. If your security model does not require limiting user sessions, you should not enable this feature. For other configuration options that affect the performance of the Identity Server, see Tuning the Identity Server for Performance in the NetIQ Access Manager Appliance 3.2 SP3 Identity Server Guide.

Web Servers: Web servers or services can be a major cause of slowness because they are processing the most information. You need to examine the content on the Web servers. If users are requesting static pages with multiple images, performance should be improved by having the Access Gateway cache these pages. For information about cache configuration options, see Section 6.1, Configuring Caching Options.

If your Web servers are serving dynamic content, you can upgrade your Web servers to faster hardware, or you can add another server to the group of Web servers serving the dynamic content.

L4 Switches: If the switch is slow or misconfigured, it can severely impact performance. You need to make sure the switch has ample capacity to handle the traffic. If possible, clustered Access Gateways should be plugged directly into the switch or segmented accordingly. It is also critical that you enable sticky bit/persistence on the L4 switch. When this feature is not enabled, the product handles the traffic correctly, but the system can run up to 50% slower than when persistence is enabled. For tips on how to set up the L4 switch, see Configuration Tips for the L4 Switch in the NetIQ Access Manager Appliance 3.2 SP3 Setup Guide.

Policies: Authorization, Identity Injection, and Form Fill policies need to be implemented so that they execute as quickly as possible. For example, a Form Fill policy impacts performance when the form matching criteria are set up so that an entire directory of files must be searched before the form is found. Also when policies are assigned to a protected resource, one policy with ten actions executes faster than ten policies with one action in each policy.

Logging: You need to manage the size and number of log files as well as the logging level. You should increase the log level to Debug only when you are troubleshooting a problem. As soon as the problem is resolved, you should reduce the log level. You should also have a schedule for checking the number and size of the log files and for removing the older log files.

Auditing: You need to carefully select the events that you audit. Selecting all events that are available for the Access Manager components can impact performance. For example, the URL Accessed event of the Access Gateway generates an event every time a user accesses a resource. If you have many users and many resources that these users are accessing, selecting this event could impact performance. You need to analyze your needs to see if you need to audit all URLs accessed. If you need to audit only a few URLs, you can use proxy service logging to gather the information. See Section 4.2, Configuring Logging for a Proxy Service.

Access Gateway Service: For some tuning options that apply only to the Access Gateway Service, see Section 8.6, A Few Performance Tips.

4.10.2 Java Memory Allocations

The Tomcat configuration file controls the amount of memory that Tomcat can allocate for Java. If you have installed your Access Gateway on a machine with the recommended 4 GB of memory, you can modify two parameters in this file to improve performance under heavy load.

Modifying the Java Parameters

On the Access Gateway Service, you need to modify the free memory threshold and the amount of memory that Java can use.

  1. Log in to the Access Gateway as the root user.

  2. Open the Tomcat configuration file for editing.

    /opt/novell/nam/mag/conf/tomcat7.conf
    
  3. For an Access Gateway Service, find the following line in the file:

    JAVA_OPTS="-server -Xmx1024m -Xms512m -Xss128k -XX:+UseConcMarkSweepGC"

  4. Replace the -Xmx value (default is 1024) with 2048.

    This allows Java on the Access Gateway Service to use 2 GB of memory.

  5. Find the following line in the file:

    JAVA_OPTS="${JAVA_OPTS} -Dnids.freemem.threshold=10"

  6. If required, you can change the -Dnids.freemem.threshold value to a value between 5 and 15. The default value is 10.

    This prevents user sessions from using up all the memory and ensures that there is free memory available so that the other internal Java processes can continue to function. When this threshold is reached, the user receives a 503 server busy message and a threshold error message is logged to the catalina.out file.

  7. Save your changes, then restart Tomcat.

  8. Copy the modified file to each Access Gateway in the cluster, then restart Tomcat on each machine.
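An added example, not part of the NetIQ documentation, that scripts steps 3 through 6 above against a constructed copy of the two configuration lines and refuses a threshold outside the documented 5 to 15 range; the function names, the .bak backup and the sample file are assumptions, not product behaviour.

```shell
#!/bin/sh
# Added example, not NetIQ's own code: apply steps 3 to 6 of the procedure
# above to a tomcat7.conf copy, refusing a threshold outside the documented
# 5..15 range so a typo never leaves a half-edited file behind.

# make_sample_conf PATH: writes a constructed two-line stand-in for the
# relevant lines of /opt/novell/nam/mag/conf/tomcat7.conf (sample data).
make_sample_conf() {
    printf '%s\n' \
      'JAVA_OPTS="-server -Xmx1024m -Xms512m -Xss128k -XX:+UseConcMarkSweepGC"' \
      'JAVA_OPTS="${JAVA_OPTS} -Dnids.freemem.threshold=10"' > "$1"
}

# is_uint VALUE: true when VALUE is a non-empty string of digits.
is_uint() { case $1 in ''|*[!0-9]*) return 1 ;; esac; }

# set_java_opts FILE XMX_MB THRESHOLD: rewrites -Xmx<n>m and
# -Dnids.freemem.threshold=<n>. Returns 1 (file untouched) on bad input
# or when the expected lines are missing; keeps FILE.bak on success.
set_java_opts() {
    file=$1; xmx=$2; thr=$3
    is_uint "$xmx" && is_uint "$thr" || { echo "values must be numeric" >&2; return 1; }
    if [ "$thr" -lt 5 ] || [ "$thr" -gt 15 ]; then
        echo "threshold $thr is outside the permitted range 5..15" >&2; return 1
    fi
    grep -q -- '-Xmx[0-9]*m' "$file" || { echo "no -Xmx setting found" >&2; return 1; }
    grep -q 'nids\.freemem\.threshold=' "$file" || { echo "no threshold line" >&2; return 1; }
    cp "$file" "$file.bak"
    sed -e "s/-Xmx[0-9]*m/-Xmx${xmx}m/" \
        -e "s/-Dnids\.freemem\.threshold=[0-9]*/-Dnids.freemem.threshold=${thr}/" \
        "$file.bak" > "$file"
}

# current_xmx FILE / current_threshold FILE: print the value now in FILE,
# so the change can be verified before Tomcat is restarted.
current_xmx() { sed -n 's/.*-Xmx\([0-9]*\)m.*/\1/p' "$1" | head -n 1; }
current_threshold() { sed -n 's/.*-Dnids\.freemem\.threshold=\([0-9]*\).*/\1/p' "$1" | head -n 1; }

# Demo on a temporary copy; the real file needs root and a Tomcat restart.
conf=$(mktemp)
make_sample_conf "$conf"
set_java_opts "$conf" 2048 10
echo "Xmx=$(current_xmx "$conf")m threshold=$(current_threshold "$conf")"
rm -f "$conf" "$conf.bak"
```

Run the verified copy through the same check on every cluster member after step 8, since a node whose values differ from the others will hit the 503 threshold at a different load.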