IBM Security Access Manager for Enterprise Single Sign-On, Version 8.2.2

Improving the performance

Configure the AccessAgent and IMS Server settings to improve data synchronization, to improve the AccessAgent startup time, and to prevent memory errors.

Install AccessAgent with a prepackaged Wallet

Using a prepackaged machine Wallet during AccessAgent installation minimizes the overhead on the IMS Server from the initial download of system data. AccessAgent downloads only incremental updates from the IMS Server.

This approach is for deployments where AccessAgent is deployed to several machines concurrently.

A prepackaged Wallet consists of system-scope policies, AccessProfiles, and the IMS Server certificate. The AccessAgent installer loads this prepackaged Wallet onto the machine before connecting to the IMS Server to download updates.

When you install AccessAgent, you can load the prepackaged Wallet. AccessAgent populates the machine Wallet before connecting to the IMS Server to download updates.

To install AccessAgent with a prepackaged Wallet, see the IBM Security Access Manager for Enterprise Single Sign-On Installation Guide.

Set the MaxSyncTimes

The "MaxSyncTimes" option is added in Setuphlp.ini to specify the maximum number of times to synchronize with the IMS Server during installation.

This option is useful when AccessAgent is installed on several hundred machines and the installer does not include a prepackaged Wallet.

With this option, AccessAgent downloads the system data from the IMS Server in case the initial attempts are rejected because too many AccessAgent installations are synchronizing at the same time.

Enable the IBM HTTP Server compression

AccessAgent performance is affected by the large amount of data that is downloaded. IBM® HTTP Server can compress and send data in gzip format to AccessAgent. By compressing pages and packets on the web-tier, you can reduce the time taken to transmit each response to a client request over the network. IBM HTTP Server compression is helpful when there is limited network bandwidth between the AccessAgent and the IMS Server.

IBM HTTP Server compression is disabled by default. To enable this feature, see the IBM Security Access Manager for Enterprise Single Sign-On Configuration Guide.

Increase the Java heap size

Increase the minimum and maximum Java™ Virtual Machine (JVM) heap size limit in WebSphere® Application Server. Increasing the heap size can improve startup, prevent out of memory errors, and reduce disk swapping.

See the IBM Security Access Manager for Enterprise Single Sign-On Configuration Guide for the procedures.

Enable fast unlock

Enable and set the fast unlock grace period (pid_fast_unlock_grace_period_mins). This machine policy is applicable for all strong authentication factors, including smart card. With the fast unlock feature, users can unlock their workstations within a specific time period without contacting the IMS Server.

AccessAgent retrieves the last unlock time of the workstation and checks if it is within the configured time period.
  • If the last unlock time is within the time period, AccessAgent determines whether the unlocking user is the currently logged in ESSO user or the Windows user owning the current session.
  • If it is the same user, AccessAgent unlocks the workstation without performing any check with the IMS Server.
  • Upon unlock, AccessAgent performs full authentication with the IMS Server in the background, using the authentication factor that was used to unlock the workstation.

See the IBM Security Access Manager for Enterprise Single Sign-On Policies Definition Guide for the policy details.
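
The fast unlock decision described above, modelled in Python as an added example; it is not IBM's code. The function and field names, treating a grace period of 0 as disabled, the case-insensitive user comparison, and falling back to normal IMS Server authentication whenever a check fails (including a last unlock time that lies in the future) are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Workstation:
    last_unlock: Optional[datetime]        # None: no unlock recorded yet
    esso_user: Optional[str]               # currently logged in ESSO user
    windows_session_owner: Optional[str]   # Windows user owning the session


@dataclass
class Decision:
    fast_unlock: bool                  # True: unlock without contacting the IMS Server
    background_factor: Optional[str]   # factor reused for the follow-up IMS authentication
    reason: str


def decide_unlock(ws, user, factor, now, grace_period_mins):
    """Model of the fast unlock check; any failed check means full authentication."""
    def full(reason):
        return Decision(False, None, reason)

    if grace_period_mins <= 0:             # assumption: 0 means the policy is off
        return full("fast unlock not enabled")
    if ws.last_unlock is None:
        return full("no previous unlock")
    elapsed = now - ws.last_unlock
    if elapsed < timedelta(0):             # clock moved backwards: fail closed
        return full("last unlock time is in the future")
    if elapsed > timedelta(minutes=grace_period_mins):
        return full("grace period expired")
    known = {u.casefold() for u in (ws.esso_user, ws.windows_session_owner) if u}
    if user.casefold() not in known:
        return full("different user")
    # Same user inside the grace period: unlock locally, then authenticate
    # with the IMS Server in the background using the same factor.
    return Decision(True, factor, "same user within grace period")


# Constructed sample data: a shared workstation last unlocked 4 minutes ago.
NOW = datetime(2024, 1, 15, 9, 30)
WS = Workstation(NOW - timedelta(minutes=4), "nurse01", "ward-kiosk")

if __name__ == "__main__":
    for who, mins in [("nurse01", 5), ("nurse02", 5), ("nurse01", 3)]:
        print(who, mins, decide_unlock(WS, who, "smart_card", NOW, mins))
```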

Configure the IMS Server throttling policy

Set Maximum thread size in download service to 10 or less. Configure this setting in the IMS Configuration Utility, under Advanced settings > IMS Server > Miscellaneous.

The IMS Server throttling policy sets the limit of concurrent threads in the IMS DownloadService. When many users download large AccessProfiles concurrently, the IMS Server can run out of memory. Setting this policy to the correct number prevents the IMS Server from running out of memory.

Other options

There are other ways that you can improve the IMS Server and AccessAgent performance:

  • Remove unnecessary or unused AccessProfiles. Right-click each unused AccessProfile and click Delete.
  • Exclude the AccessStudio installation folder from certain runtime scans, for example, antivirus scans.
  • Roll out additional IMS Servers to handle the load from AccessAgent. Use a load balancer to distribute the incoming traffic from various AccessAgent installations into multiple IMS Servers.
  • Enhance the processor and memory of the IMS Server and the processor, memory, and disk storage of the database server.
  • Ensure that the IBM HTTP Server tier is configured to accept the peak number of HTTP connections from various clients.
  • For shared workstation deployments, ensure that the cached Wallet expiry period (if enabled) is set to a duration that gives a good probability that each cached Wallet does not expire between visits by a user to the same workstation.
  • Ensure that the transaction isolation level for the IMS Server data source at the WebSphere Application Server is set to Read-Committed (SQL, Oracle) and Cursor Stability (DB2®).
  • Periodically run the IMS Server database pruning scripts, which are downloadable from the support site.
  • Ensure that the IMS Server database is maintained regularly as per database best practices. Enable the "automatic maintenance" feature of the database if manual database maintenance practices are not in place.
  • Apply the latest IMS Server fix pack.

