3.6 Number of Open File Handles On the Identity Applications Server Increases Rapidly for Bulk Role and Resource Operations

Issue: When a user creates a new role in Identity Manager, the User Application driver sends a REST API request to the /IDMProv/rest/access/index/permissions endpoint. A new session between the driver and User Application is created for each request, and the role is added to User Application’s permission index. Because the User Application maintains a dedicated LDAP connection to Identity Vault for each session, bulk role or resource operations (for example, creating 10,000 roles in batch) generate a large number of LDAP connections from the User Application to Identity Vault. As a result, the server hosting the Identity Applications runs out of file handles.

The same issue occurs when adding and deleting resources that use the same REST endpoint. (Bug 485070)

Workaround: On Linux systems the number of file handles has a soft limit of 4096 and a hard limit of 8192. A system administrator can resolve this issue by raising the number of file handles above the default setting of 1024 handles.

IMPORTANT: Increasing the number of handles can have a negative impact on system performance. Your system may not boot the next time you turn it on or restart it. Exercise caution and do not set the number of handles too high.

In addition to increasing the number of file handles, you can manually decrease the LDAP socket cleanup interval. Too many open sessions occupy the LDAP socket objects, which can lead to out-of-memory issues. A shorter interval cleans up those objects regularly and reduces the memory footprint of the process.

To decrease the LDAP socket cleanup interval:

  1. Open the ism-configuration.properties file that is located at:

    Linux: /opt/netiq/idm/apps/tomcat/conf/

    Windows: C:\NetIQ\idm\apps\tomcat\conf

  2. Set the com.novell.idm.ldap.socket.cleanup.interval property to 10 minutes. The default value is 60 minutes.

    For example:

    com.novell.idm.ldap.socket.cleanup.interval=10

  3. Restart the Identity Applications service.

    Linux: systemctl restart netiq-tomcat.service