Portal administration and performance

Matching: performance

Using the PAC (Portal Access Control) Optimizer Task

AlexLang Tags: pac performance accesscontrol xmlaccess ‎ 3,081 Views

In Portal, all artifacts have access control on them. Access control is a long subject, but in short there are several roles (i.e. User, Privileged User, Editor, Manager, etc). For each of these roles, there can be either Portal defined groups (e.g. Anonymous Users or All Authenticated Users) as well as Users and Groups from the Identity Store (LDAP or File Repository). Having your User or Group in a particular role allows you the ability to do certain prescribed operations on that artifact. The exact operations are lengthy and beyond the scope of this article. However, the Portal InfoCenter has details regarding this. One can start with this page to see the details of the access control rights on resources.

Access Control Lists are maintained in the database (e.g. DB2, Oracle). When creating these ACLs, one or more table rows need to be created. However, if one does not carefully take into account inheritance and propagation of ACLs from the parents, it is possible to create significantly more rows in the access control table than are needed. For that reason, Portal has created an "Optimizer" task which will "clean up" the PAC tables depending on the ACL hierarchies. Optimizing the roles of the PAC tables in Portal can potentially improve the performance of the Portal a great deal.

Unfortunately, this optimization task is undocumented in the Portal InfoCenter. Here are the relevant details.

Running the PAC Optimizer is done via an xmlaccess task. Below is an example of the input required to run the optimizer:

<?xml version="1.0" encoding="UTF-8"?>
<request
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:noNamespaceSchemaLocation="PacOptimization.xsd"
   report-only="false"
   rootResource="5712a967-973d-4654-a7fd-f38d3887b052">
</request>

There are two parameters of note in this xmlaccess input deck. The first is "report-only". Set to "true" if you want no changes actually made but want to see the number of changes required to the PAC tables. Set this to "false" if you want the optimizer to actually make the changes to the database when it finds optimizations to be done.

The "rootResource" parameter controls the root element of the tree of resources to consider. This parameter can be a UUID ID as shown in the example. This example happens to be a WCM SIteArea. Thus, only ACLs related to WCM documents in this site area will be optimized with respect to their ACLs.

This parameter could also be a custom unique name like "wps.content.root" which is the highest page in the Portal page hierarchy. The highest level in the total Portal hierarchy is "wps.PORTAL". This virtual resource is the root of all Portal elements. Having no root resource is the same as specifying "wps.PORTAL" as the root resource. Not that doing this could take a significant amount of time. It is advised to start small and specify only a subtree of resources to begin with.

In addition to the xmlaccess input deck, there are some parameters which control the PAC Optimizer. These are located in the WebSphere Application Server Resource Environment Provider named "WP AccessControlService" In the "Custom properties" one can set the following:

accessControlConfig.enablePropagationBlockDeletion, boolean, default "false": If "true", allows the Optimizer to remove propagation blocks for a resource if all the children have the same Principals (Users and Groups) in a role as the parent but the parent has blocked propagation

accessControlConfig.enablePrivatePageOptimization, boolean, default "true": If "true", allows the Optimizer to optimize ACLs for private pages that users might have created.

At this point, the main question to ask is when does running the PAC Optimizer make sense. While there are no hard and fast rules, the obvious answer is that it makes sense when excessive access control has been placed on individual objects and NOT enough use of inheritance and propagation is used. And, in general, roles should be given to groups of users (e.g. LDAP groups and NOT individuals). The key to all of this lies in the count of rows in selected PAC tables in the RELEASE and JCR Portal databases. Note that actual database and schema names are customer implementation dependent. I'll use the generic names here.

For example, if running "SELECT COUNT(*) FROM JCR.LNK_USER_ROLE" exceeds some moderately high threshold like 1000, then running the optimizer makes sense. This count identifies users and/or groups who have individual roles on JCR (e.g. WCM) content. Likewise, running "SELECT COUNT(*) FROM RELEASE.LNK_USER_ROLE" gives one a sense of how many users and groups have roles on RELEASE objects (like page, labels and just about any non-WCM resource in Portal that has ACLs). Again, if that number is "high", then perhaps one is not taking sufficient use of inheritance and propagation in the RELEASE hierarchy.

Modified on by AlexLang

Efficient Use of Dynacache to Store Database Results

AlexLang Tags: dynacache performance database ‎ 5,988 Views

Introduction

Database access is usually costly. There is the cost of driving the Database engine. There is the cost of response time in the application waiting for database results. If a particular database result is used often, then caching the results of that SQL call in the application server is a natural requirement to reduce the effect of these costs.

Because the use of database calls is quite common in WebSphere Portal as well as WebSphere Application server, care must be taken to optimize all facets of these SQL calls. In Portal, it is common for the theme as well as Portlets to use database calls therefore caching is imperative here. The most common caching mechanism used in WebSphere is the Dynacache.

A Dynacache is simply a cluster aware Java Hashmap. This Hashmap is cluster aware in the sense that if a “key” is invalidated or updated on one cluster member, appropriate measures are taken on all cluster members to insure that the “value” in the Dynacache Hashmap is either updated or removed as well. The key/value pair can also be inserted into the Dynacache with a time-out value to insure freshness.

So, what are the best practice patterns for the use of a database backed Dynacache instance? This article will attempt to highlight those best practices.

Initial Code

Initially, one can use a simple “dao” (data access object) to fetch the database contents based on some key value. In this example, the key is the “uniqueID”.

DBResults results = dao.getRow(uniqueID);

Obviously, a call to “dao.getRow() “ results in a database access every call. If this call is frequent and uses the same parameter(s), consider caching the result in a Dynacache.

Initial Dynacache Implementation

First, we must create the Dynacache instance along with a JNDI name which applications will use to reference this instance. This is done on the Deployment Manager GUI under "object instances".

To use the new Dynacache instance, the simplest thing to do is to create a Dynacache "impl" class with a "get" method that looks exactly like the call to the database “dao” class' "get" method. It could use exactly the same parameters in most cases.

DBResults results = daoHelperImpl.getRow(uniqueID);

In the new Impl class, check first if the value is in the Dynacache. If not, fetch it. If so, return it:

public DBResults getRow(String uid) {
   if (aDynacache.keySet().contains(uid)) {
      System.out.println("UID was in the cache");
      }
   else {
      aDynacache.put(uid, dao.getRow(uid));
      }
    return (DBResults) aDynacache.get(uid); }

Performance Improvements

This is perhaps the most important section of this paper. In a web based application, performance is very important. So, having a version of the Dynacache based database access that avoids repeated accesses to the database is important.

The “impl” class above is a good first pass. However, there is a problem that manifests under load. When there are multiple threads all using the same “uniqueID” and the Dynacache is not yet loaded, you could have lots of thread all trying to write the dao results into the cache if the cache was previously empty.

This problem is resolved by “synchronizing” on the moethod that is used for updating. Kudos to Antonio Fiol Bonnin for finding the error in my original pseudo code.

    public DBResults getRow(String uid) {

       if (aDynacache.keySet().contains(uid)) {
           System.out.println("UID was in the cache");
           return (DBResults) aDynacache.get(uid);
           }
       else {
           return checkAndSet(uid);
           }
       }

   private synchronized DBResults checkAndSet(String uid) {
       // Handle the case where another thread updated the value while you were waiting
       System.out.println("UID was NOT in the cache. Wait for other threads, check to see if then added, otherwise must add");
       if (!(aDynacache.keySet().contains(uid)))
           aDynacache.put(uid, dao.getRow(uid));
       return (DBResults) aDynacache.get(uid);
   }

One might see that there is a redundancy here in that the “distributedMap.keySet().contains(uniqueID)” test is duplicated. The reason is simple. Running the test first without the “synchronized” block is much faster and should result in significant time savings if the cache is already loaded. If, however, the cache were empty and this thread was blocked waiting on another thread similarly blocked, it is not clear who wins the race and is first to access the database. You do not want both threads then hitting the database for the same key. It is sufficient for only one thread to actually read the key/value pair from the database and then to update the Dynacache instance.

This implementation insures that only one database access is used to update the key and provides the best performance for all threads as well as the database.

Modified on by AlexLang

Accessing WebSphere Portal From Remote Geographies

AlexLang Tags: geograohies performance caching akamai ‎ 5,558 Views

A common problem that customer's often face is having a large Portal cluster in one part of the world, but having to access it from another. Because of the large number of "GET" requests needed to render a Portal page along with the latency of transcontenental access, performance typically suffers.

One way to alleviate this latency issue is by caching the "statics" required to render a Portal page. Generally, only one of these 1 GET requests is required to render a Portal page needs to be calculated dynamically by the Portal server. The rest are typically CSS, Javascript and images that are invarient. These invarient statics could be rendered from a cache if available. By caching these statics locally (e.g. with low latency), one can greatly reduce Portal render times on average.

A typicaly Portal topology might look like this:

Client browser <-> WebServer <-> Portal Server

To improve the performance, a user can change the topology to this:

Client browser (in EMEA, for example) <-> WebServer (in EMEA) <-> Web Server (in USA) <-> Portal Cluster (co-located in USA)

In addition, the WebServer in EMEA would impliment a caching proxy as a part of the reverse proxy cache. So, the client brower would access the site via the EMEA WebServer. That EMEA webserver would serve content from it's local cache as able. If the content is not in the local cache, it would forward the request to the USA WebServer. Note that this would always happen for the base Portal page as well as any statics not already in the EMEA cache.

Instead of using the address of the server(s) in the USA, the EMEA customer would now request the page via the hostname of the EMEA WebServer. Something like this:

http://host.usa.com/wps/portal becomes http://host.emea.com/wps/portal

Users could either use the new hostname (as immediately above), or the DNS server in their geography could return the EMEA webserver instead of the USA version of it. The later would make this local proxy server strategy transparent to the user.

The EMEA Apache web server would use this in it's httpd.conf to proxy the request to the USA webserver:

ProxyRequests off
ProxyPass /wps/ http://host.usa.com/wps/
<location /wps>
ProxyPassReverse /
RequestHeader unset Accept-Encoding
</location>

Note also that the EMEA web server would also use mod_disk_cache for the local caching of static content.

Modified on by AlexLang

Automatic Application of Portal Tuning Parameters

AlexLang Tags: tuning performance portal ‎ 2 Comments ‎ 12,488 Views

Whenever you deploy a new WebSphere Portal instance you must tune the Portal in a manner appropriate to the environment. For example, out of the box, Portal is NOT tuned for production.

The IBM Portal Performance team has produced several documents that contain the tuning that should be done after installation and before deploying a Portal to production. This is the document for V7, the one for V8 and this one for V8.5. This document should be considered a prerequisite for the beginning of performance testing and certainly a prerequiste for production.

There are several components that should be tuned. These include the Portal itself, the LDAP, the database, the OS and the web server.

Mike White and I have written a ConfigEngine script that will apply the tunings for the Portal automatically. The script is included in Portal V7.0.0.2 CF22+, Portal V8 CF05+ and all levels of 8.5. Use of this script will improve the accuracy of applying the tuning changes as well as reduce the time needed to do the task.

The changes are driven by a properties file (tuning.properties) along with several resource environment providers files. Since the tuning.properties file assume you are a WCM rendering server that is only a subscriber (and NOT a syndicator), you may need to adjust some of the setting to match your environment. You can easily do this by copying the read-only tuning.properties to a local directory, updating the name/value pairs that need updating and point to the new copy when you run the task.

Note for zOS users: This task does run on zOS. Note however, that there were significant fixes put into the code to resolve zOS issues in March, 2014. These fixes wil be included in 8001, CF10 as well as the initial release of V8.5. If you are on zOS and not running at least 8001 CF10 level, please download the linked code immediately following.

The latest README file is linked here. It provides the details on using this new task. I have also included the (current) latest version of the code here. The latest version can be untarred in the PortalServer/installer/wp.config/config subdirectory as is. Note that the default the subdirectory just mentioned does NOT have write permission. The permission must be changed before trying to untar this file. As a best practice, download the latest from the provided link regardless of your level of Portal. The latest version works on all levels.

Please Note: These defaults in the tuning.properties file assume the server being tuned is a WCM rendering server that is NOT subscriber only. It will also set the WCM advanced cache. If you are running this on an authoring server, you should consider turning off WCM advanced caching.

Modified on by AlexLang

How to address slow People Picker Searches

Thomas_Hurek Tags: picker performance people ‎ 5,585 Views

When assigning permissions for WCM resources for selecting the groups or users to assign to a role the People Picker portlet is used.

If you notice the selection of the groups or users taking a long time here is a way on how to improve it:

By default the People Picker executes a search for the following attributes:

Person: cn, givenName, sn, displayName
Group: cn

Typically this search is too excessive. You might want to add custom attributes to the search or limit it to a certain attribute.

You can turn on the following trace to see the search and what is taking long:

com.ibm.wps.um.PumaLocatorImpl=all

You will see the following trace entry in the log file:

[6/14/12 14:26:23:810 EDT] 00000043 PumaLocatorIm > com.ibm.wps.um.PumaLocatorImpl PUMA_API ENTRY findUsersByQuery ENTRY ((cn="def*") or (givenName="def*") or (sn="def*") or (displayName="def*"))

To limit the search attributes follow this document:
http://www-10.lotus.com/ldd/portalwiki.nsf/dx/Configuring_search_attributes_in_the_directory_search_portlet_wp8

Note that People Picker expects 4 attributes - to improve search performance I configured the same attribute 4 times since only one was needed for the requirement of the customer:

Attribute: pickerPeopleSearchAttribute
Value: cn,cn,cn,cn

On Portal 7 to get this working you need to install APAR PM57232 on 7.0.0.2 and 7.0.0.1.

WCM Menus: Designing for Performance

AlexLang Tags: wcm component performance menu ‎ 11,148 Views

Rules for WCM Menus:

0. Look at the WCM Wikis for tuning advice.

1. Keep WCM menus small (10 items or less)
2. Use WCM pagination if you must do pagination (as opposed to rendering a large menus and paging the results via JQuery on the browser)
3. Don't use an excessive number of menus (3 or more) per Portal page

In terms of CPU path length, perhaps the most expensive WCM component that you can use is the menu. However, the menu component is often the best component to use in WCM since it allows you to select and render the WCM content best suited for this user.

WCM designers love the menu! And they should. The menu is an elegant and flexible tool which allows the designer to pick WCM content that matches several criteria. A menu is ultimately a search mechanism that groups together related documents based on specific criteria such as categories, keywords, authoring templates, site areas, and so forth. It then allows that content to be displayed to the user in what ever fashion HTML allows. Menus will be used!

This blog entry discusses WCM menu and designing for performance. The dark truth is that menus are expensive. The rendering of a menu, especially with empty WCM caches, taxes the JCR database domain because WCM needs information about:

1. The menu itself
2. The meta-data associated with the content items in the menu
3. Permission information (Portal Access Control, a.k.a. PAC) associated with each content item.

All this information is persisted in the database. In many cases, WCM makes queries to the database in the form of XPATH (XML query language) transformed into SQL. If you've ever looked at the XPATH based SQL that WCM generates, it is quite long (100-200 characters is not uncommon). It also has join statements that work the database engine hard. The generated dynamic SQL is difficult to cache on on the DB server. If a menu is large, it is easy to see how how the SQL can tax the database engine. The query optimizer can make poor choices as to the best execution plan for WCM (JCR) XPATH.

The bottom line, especially for the initial render of a menu item (e.g. caches are empty) is that it can take a long time to render a WCM menu. So, how do we make WCM menu renders fast given that we need them??

0. Start with the WCM Tuning Wiki

The WCM Wiki's contain useful information about designing WCM components for performance. For menus, take a look at: http://www-10.lotus.com/ldd/portalwiki.nsf/dx/tuning-for-web-content-management#Optimising+Menu+Components.

1. Make the menus small.

If the menu component only retrieves a few content items, it doesn't have to hit the database much. This means that the time spent to render the menu is small if the caches are empty and the database must be hit.

As an aside, you find that even large menus are pretty fast if the caches are already loaded. So, one option if the menu must be large is to keep the meta-data caches primed by hitting the page(s) in question with a tool like JMeter.

2. Paginate the menus using WCM if they must be large.

If WCM pagination is used, and the actual page render size per trip is small (let's say 100 total items in the menu with only 10 items rendered per trip to the server), the WCM designer still benefits from better performance of the menu being small. Hopefully, the probability is high that what the user actually needs exists on the first render. If not, perhaps the Information Architecture of the page is in question and should be revisited. Either way, WCM pagination should be used if the menu results are large if left unbounded.

What should NOT be done is to render the menu with 100 items and then use a Javascript tool like JQuery to parse and paginate the menu on the browser. This incurs a large amount of server time to render the large menu and a large amount of bandwidth to download the menu items that might likely never be rendered on the browser. In general, if you use JQuery to parse WCM menu results, stop and think about performance because it's probably bad on the server.

3. Make the Access Control as liberal as possible.

When a menu is rendered by WCM, it is actually a two step process. First the menu is calculated without respect to the access control constraints of the user or the content. This is so that the "menu cache" can be calculated and stored. Then these results in the menu cache are compared to the access control constraints of the content returned by the menu to the allowance of the user. From this, the final menu results can be returned to the user's browser. So, the initial menu calculation (stored in the "menu" cache) are done without regard to any one user's access control constraints.

Therefore, it seems obvious that the speed with which a persons access control can be calculated is important.

Access Control in Portal comes from the groups with which person belongs. Content is stored with the groups, taxonomies and categories with which a person is allowed. With respect to WCM performance, there is a hierarchy of least expensive to most expensive. The most efficient form of access control is "none". The most expensive form is to places access control on each piece of content with lots of groups and have users that belong to lots of unique groups. There is usually a middle ground for both users and content that can help. The person responsible for the WCM Information Architecture should be familiar with "design for performance" of WCM and able to guide the client in picking the best access control

Also, it is more efficient for content (menu or not) to inherit access control as opposed to each content item having unique access control. If at all possible in your Information Architecture, use WCM access control inheritance.

General Menu Considerations:

This comes from the WCM Wiki (http://www-10.lotus.com/ldd/portalwiki.nsf/dx/tuning-for-web-content-management#Optimising+Menu+Components)

Avoid too many search criteria (in 'Menu Element Query' section)
Avoid utilising the options in the 'Further options' section for each criteria unless really necessary, as this stops the menu from being internally cached
For Category and/or Site Area restricted menus, only select both 'Ancestors' and 'Descendants' if really necessary and limit the number of categories and site areas specified
Disable sorting by 'Description' unless really required (set the value to one of the other sort fields to disable)
For unsecured sites (where content is accessed anonymously or always accessed by the same user, eg. Administrator), set 'Maximum pages to include' and 'Pages to read ahead' to 1
If using multiple libraries, ensure that at least 1 site area is selected in each menu otherwise the menu will search against all libraries
Menus should not be used to return a flat list of all content in the system for providing to a search engine, this is what the search seed is for. Where this is unavoidable, a paging component must be used to ensure that the menu does not consume too much memory and thus cause memory errors.

Virtual Portals: usage and capacity

mlamb Tags: portal virtual performance ‎ 6,239 Views

Virtual portals are ideal for setting up many micro sites that all have the same sets of applications in common. The most common usecases involve central service providers hosting a specific application suite for a series of independent yet similar tenants (departments, sales teams, vendors, etc) that all need access to that same application but want a differently branded experience. This is the usecase for which virtual portal was designed. This allows the maximized use of costly infrastructure and allows more users through the system without impacting the system with too many disparate applications.

That being said, virtual portals can also be used to host totally different user communities with different application needs. However, you do have to be more careful with how having many different applications will impact JVM heap utilization. Applications are shared resources across all virtual portals, regardless of whether the VP is actually using a particular application or not. Therefore, users in VP A can experience the effects of applications running for users in VP B. You can isolate the application environment from the virtual portals using WSRP, running those applications in their own JVM, but otherwise there is no application isolation inherent in virtual portals, nor will there ever be (hence the term "virtual").

If all the tenants use a common set of applications, you can likely scale to a very large number of tenants and virtual portals. If there is very little in common between the virtual portals, then you can expect to only scale so far, how far will depend on the relative expense of the applications in terms of memory consumption.

We have documented in the past that we only support 1000 virtual portals. That isn't actually true. We have only tested (back in WP 5.1) up to 1000 virtual portals. There are no physical limits to the number of VPs we can support. The number of virtual portals a system can support is highly dependent on the size of the VP in terms of pages, the number of users having access to that VP, and the inherent overhead of the applications in the system. There is very little to no overhead in the usage of virtual portal by itself.

For a system with a large number of virtual portals, performance is optimized when:

Most users have access to a small number of pages relative to the whole portal (e.g. access to only one VP)
Multiple users have the same roles on the same sets of pages (optimizes the caching of common content)

Otherwise, a large amount of resource (memory and CPU) is consumed keeping up with every user's configuration.

Performance will eventually degrade with very large virtual portal deployments with little content commonality between users, as our caching mechanism becomes less efficient and too memory intensive. What "large" means will vary by implementation, but is most likely in the several thousand range. At that point, you should consider adding parallel portal clusters for future VP instances and federate between them using technology like WebSphere Application Server Extended Deployment, which knows how to route users based on virtual portal ID to the correct Portal cluster.

[Read More]

The portal performance and tuning sweet spot

mlamb Tags: tuning performance portal ‎ 2 Comments ‎ 6,390 Views

There are a lot of knobs and switches in the WebSphere Portal and Application Server software stack that you can play with in the process of tuning the environment. We provide guidance and recommendations of what to pay attention to through our Performance and Tuning Guide, but the fact is that what actual values work best for you depends highly on what type of applications you run in Portal and the size and activity of your user population. The only way I know of to accurately arrive at the correct set of tuning values is to follow this basic testing methodology:

Install and configure WebSphere Portal on a single system with some simple default content and perform the requisite tuning as perscribed by the Performance and Tuning guide.
Take a baseline performance measurement of this simple site, making adjustments to the infrastructure and software tuning until desirable results are obtained. Also get an idea for how many users the baseline system can sustain before the system runs out of resources (more on this later).
Start adding content and repeat the analysis. Adjust the tuning as necessary. At least now you know, based on the baseline, that as changes are made, if things go wrong, you have an idea of what change may have instigated it.

Performance and capacity testing is a long, highly iterative process. It is also resource intensive, as it requires dedicated systems for days on end, as well as enough people to manage the test environment, observe test results, and tune the system. Often times, this important process is the first thing cut from a deployment plan in jeapordy. In my experience, you either pay for this time up front, before you go live, or you pay for it after you go live. It must be done, and is a lot more expensive the later you do it.

But all this being said, what should your goal be? Obviously, you go into this process with certain metrics in mind. For instance, I want to be able to handle 400 concurrent users with no worse than a 5 second response time, and maybe that is only during login. That's fine, and simple to measure, but there will be days where, for some reason, you have a lot more than 400 concurrent users, or you have to take systems down and the remaining systems must take the load. It isn't enough to know if your environment can handle the typically load; you need to know if it can handle the atypical, or worst case, scenario as well. You may not know what the worst case scenario is up front. But what you do need to know is what the maximum capacity of your portal environment is, so as the usage approaches that number, you will know you are in trouble and need to add capacity.

To understand what your environment's capacity is, you need to drive utilization of your portal environment to the point of CPU exhaustion. Not memory exhaustion, or DB connection exhaustion - CPU exhaustion. The reason for that is that as CPU utilization approaches 100%, the system slows down to the point of nearly being unresponsive, but it doesn't fail. Under this condition, the Web servers managing the load across a portal cluster will mark such a system as down and route traffic elsewhere, giving the server a chance to recover, which it should once the requests have been processed. If you run out of some other resource, like memory or DB connections, before running out of CPU, then things really start to fail and you won't recover from that.

So, as you perform your maximum capacity tests, give the server instances a large enough Java heap size and request and DB connection pool sizes to allow for enough traffic through driving CPU to 100%. If you can't before running out of resources other than CPU, then it is time to scale vertically (creating vertical cluster members on the same physical system) or reallocate processors to other systems. If you can configure the system to meet this goal, then you have your "sweet spot".

[Read More]

Feed for Blog Entries

Blogs