Runtime database tuning parameters
To improve performance, you can configure the database tuning parameters for Advanced Access Control.
From the top menu, select AAC > Global Settings > Advanced Configuration to access these configuration parameters. Table 1 contains the key parameters that you can use to tune the runtime database.
For a full list of the available parameters, see Managing advanced configuration.
| Parameter | Description |
|---|---|
| attributeCollection.sessionTimeout | The appliance keeps the collected session data for context-based access in the runtime database tables. In an environment with a high volume of transactions, the tables build quickly.
Consider the rate of transactions in your runtime environment to determine an appropriate timeout value. The default value of the attributeCollection.sessionTimeout parameter is |
| deviceRegistration.maxRegisteredDevices | The device registration process creates entries across numerous tables in the runtime database. This value limits the maximum number of devices that each user can register. A user can continue to register new devices until this maximum is reached.
In a dynamic environment where every user has multiple devices, set this value to a number that represents a reasonable number of devices per user. To limit the volume of data in the database, do not use an excessive number. The default value of the deviceRegistration.maxRegisteredDevices parameter is |
| deviceRegistration.maxUsageDataPerUser | The number of records each user can have in the runtime database table that holds usage data. If a new usage transaction is received after a user reaches this limit, the oldest record for the user is removed to accommodate the new data. That is, the system retains the most recent usage records for each user.
In a large deployment, set this value to a number that retains the necessary usage records without overloading the table with unnecessary data. The default value of the deviceRegistration.maxUsageDataPerUser parameter is |
| distributedMap.getRetryDelay |
The amount of time, in milliseconds, to wait before the appliance does another retrieval against the distributed map. In a cluster environment with failover support, you can use this value to cater for failover time. For example, distributedMap.getRetryDelay = 500. Note: Increasing this value might result in longer response times.
The default value of the distributedMap.getRetryDelay parameter is 0. |
| distributedMap.getRetryLimit |
The number of retrievals that are done against the distributed map before the appliance returns that the retrieved data is not in the distributed map. The default value is zero, which means that the retry is disabled. You can use this value with the distributedMap.getRetryDelay value to control the behavior of the appliance when it tries to retrieve data from the distributed map. In a cluster environment with failover support, you might want to permit multiple retrievals by setting a value such as 5. If there is network latency in the environment between cluster members, you can increase this number of retries along with the retry delay. Note: Increasing this value might result in longer response times.
The default value of the distributedMap.getRetryLimit parameter is 0. |
| distributedMap.cleanupWait | Specifies the interval, in milliseconds, that the Distributed Map clean-up thread runs to remove expired entries. If this thread is disabled there can be a delay of up to 30 seconds before it resumes.
The database clean-up thread removes the following types of data:
The default value is 60000. A value of -1 disables this clean-up thread.
Note: This parameter does not require a restart of the runtime server before it is applied.
|
| session.dbCleanupInterval | Specifies the interval, in seconds, that the database cleanup thread runs to remove expired data in the runtime database.If this thread is disabled, there can be a delay of up to 30 seconds before it resumes.
The database cleanup thread removes the following types of expired data:
The default value of the session.dbCleanupInterval parameter is 86400. A value of -1 disables this clean-up thread.
Note: This parameter does not require a restart of the runtime server before it is applied.
|
| authsvc.stateMgmt.memory.cleanupThread.batchSize | The number of delete statements to execute in a single SQL commit of theAUTH_SVC_SESSION_CACHE table. Decreasing this value can increase the number of database calls required to remove expired sessions but reduces the time taken to execute each statement.
The default value 0. A value of zero disables batching (removes all sessions in a single commit).
Note: This parameter does not require a restart of the runtime server before it is applied.
|
| authsvc.stateMgmt.memory.cleanupWait | Specifies the interval, in seconds, that the AuthSvc database clean-up thread runs to remove expired sessions in the runtime database. If this thread has been disabled, there can be a delay of up to 30 seconds before it resumes.
The clean-up thread removes the following expired data for the authentication service:
The default value is 120. This thread can be disabled by setting a value of -1.
Note: This parameter is only valid if authsvc.stateMgmt.cookieless is true.
This parameter does not require a restart of the runtime server before it is applied. |
| authsvc.stateMgmt.lifetime | The length of time, in seconds, that authentication sessions will be cached when stateless operation (cookieless) is enabled. A larger value will cache sessions for longer, allowing users more time to complete an authentication challenge; at the cost of increasing database usage.
The default value is 3600 seconds.
Note: This parameter is only valid if authsvc.stateMgmt.cookieless is true.
This parameter does not require a restart of the runtime server before it is applied. |
| authsvc.stateMgmt.memory.maxSessions | Control the maximum number of authentication service sessions which are cached in the Runtime Database. If the number of sessions exceeds this value, the oldest session in the cache is removed.
The default value is 1000. This value should be significantly increased for production environments.
Note: This parameter is only valid if authsvc.stateMgmt.cookieless is true.
This parameter does not require a restart of the runtime server before it is applied. |
| mmfa.authenticator.cleanupWait | Specifies the interval, in seconds, that the MMFA Authenticator clean-up thread runs. The clean-up thread removes MMFA Authenticators if the OAuth grant no longer exists, because it expired and was cleaned up, or was manually deleted. If this thread has been disabled, there can be a delay of up to 30 seconds before it resumes.
The clean-up thread removes the following expired data:
The default value is 3600. This thread can be disabled by setting a value of -1.
Note: This parameter does not require a restart of the runtime server before it is applied.
|
| oauth20.tokenCache.cleanupWait | Specifies the interval, in seconds, that the OAuth Token clean-up thread should run. If this thread has been disabled, there can be a delay of up to 30 seconds before it resumes.
The clean-up thread removes the following expired data:
The default value is 120. This thread can be disabled by setting a value of -1.
Note: This parameter does not require a restart of the runtime server before it is applied.
|
| oauth20.cleanupThread.batchSize | The number of SQL delete statements to execute in a single commit of theOAUTH20_TOKEN_CACHE table. Decreasing this value can increase the number of database calls required to remove expired tokens, but reduces the time taken to execute each statement.
The default value is 0. A value of 0 disables batching (removes all expired tokens in a single commit).
Note: This parameter does not require a restart of the runtime server before it is applied.
|