Tuning runtime application parameters and tracing specifications

To manually tune selected runtime application parameters and tracing specifications, use the Runtime Parameters management page.

Procedure

  1. From the top menu, select Secure Access Control > Global Settings > Runtime Parameters or Secure Federation > Global Settings > Runtime Parameters.
    This page contains three panels: Runtime Status, Runtime Tuning Parameters, and Runtime Tracing.
  2. Perform one or more of the following actions to tune your runtime.
    Note: Certain changes might require a restart of the runtime before they can take effect.
    Disable automatic restart of the runtime
    By default, the runtime is automatically restarted after certain changes are made. You can disable this automatic restart function if you prefer manual restarts.
    1. On the Runtime Tuning Parameters panel, select Auto Restart.
    2. Click Edit.
    3. In the Auto Restart window, define the value as False.
    4. Click OK.
    View the status of the runtime and restart the runtime
    1. Select the Runtime Status panel. The status of the local and clustered runtimes is displayed.
      • Under Local Runtime Status, you can view the runtime operational status, when it was last started, and whether a restart is outstanding. If the value of the Restart Required field is True, it means that the runtime must be restarted for some changes to take effect.
      • Under Clustered Runtime Status, all nodes in the cluster are listed.
        • The Master column indicates whether a node is the cluster master.
        • The Runtime Status column indicates whether a node is running or stopped.
        • The Changes Active column indicates whether changes made to the cluster configuration are active on this node. Having a green indicator in this column means that all changes made are already active. Having a yellow indicator in this column means that this node must be restarted before some changes can take effect.
    2. Depending on which runtime you want to restart, click Restart Local Runtime or Restart All Clustered Runtimes.
    Modify the maximum or initial heap size

    These parameters indicate the maximum and initial heap size in megabytes for the runtime Java virtual machine.

    1. On the Runtime Tuning Parameters panel, select Max Heap Size or Initial Heap Size.
    2. Click Edit.
    3. In the Max Heap Size or Initial Heap Size window, enter the heap size value as needed.
    4. Click OK.
    Modify the minimum or maximum threads
    These parameters indicate the minimum number of core threads that the runtime server starts with and the maximum number of threads that can be associated with the runtime server. 

    If the minimum value is not set or is set as -1, a default value is calculated based on the number of hardware threads on the system.

    If the maximum value is not set or is set as 0 or less, a default value of unbounded is used.

    The minimum cannot be set to a value larger than the maximum.

    1. On the Runtime Tuning Parameters panel, select Min Threads or Max Threads.
    2. Click Edit.
    3. In the Min Threads or Max Threads window, enter the required value.
    4. Click OK.
    Modify whether to suppress sensitive trace

    Enabling this parameter prevents sensitive information from being exposed in log and trace files. Examples of such sensitive information include bytes received over a network connection.

    1. On the Runtime Tuning Parameters panel, select Suppress Sensitive Trace.
    2. Click Edit.
    3. In the Suppress Sensitive Trace window, select or clear the check box as needed.
    4. Click OK.
    Modify console log level

    Console log level controls the granularity of messages that go to the console.log file.

    1. On the Runtime Tuning Parameters panel, select Console Log Level.
    2. Click Edit.
    3. In the Console Log Level window, select the new value from the list.
    4. Click OK.
    Set whether to accept client certificates
    This parameter controls whether the server accepts client certificates as a form of authentication.
    1. On the Runtime Tuning Parameters panel, select Accept Client Certificates.
    2. Click Edit.
    3. In the Accept Client Certificates window, select or clear the check box as needed.
    4. Click OK.
    Maximum Session Count
    This parameter defines the maximum number of sessions that is maintained in memory.
    Note: The default setting is 250000. When this setting is used, the maximum number of sessions is 250000.
    1. On the Runtime Tuning Parameters panel, select Maximum Session Count.
    2. Click Edit.
    3. In the Maximum Session Count window, define the value.
    4. Click OK.
    Set session invalidation timeout

    This parameter defines the amount of time a session can remain unused before it is no longer valid.

    Note: The default setting is 600. When this setting is used, the session invalidation timeout is 600 seconds.
    1. On the Runtime Tuning Parameters panel, select Session Invalidation Timeout.
    2. Click Edit.
    3. In the Session Invalidation Timeout window, define the value in seconds.
    4. Click OK.
    Set session reaper poll interval

    This parameter defines the wake-up interval in seconds for the process that removes invalid sessions. The minimum value is 30 seconds.

    The default setting is Unset. When this setting is used, or if a value less than the minimum is entered, an appropriate value is automatically determined and used. This value overrides the default installation value, which is 30 - 360 seconds, based on the session invalidation timeout value. Because the default session invalidation timeout is 1800 seconds, the reaper interval is usually between 120 and 180 seconds.

    1. On the Runtime Tuning Parameters panel, select Session Reaper Poll Interval.
    2. Click Edit.
    3. In the Session Reaper Poll Interval window, define the value in seconds.
    4. Click OK.
    Set the keystore that is used by the runtime server

    This parameter defines the key database that contains the runtime server's private key.

    1. On the Runtime Tuning Parameters panel, select Keystore.
    2. Click Edit.
    3. In the Keystore window, select the key database from the list.
    4. Click OK.
    Set the truststore that is used by the runtime server

    This parameter defines the key database that contains keys that are trusted by the runtime server.

    1. On the Runtime Tuning Parameters panel, select Truststore.
    2. Click Edit.
    3. In the Truststore window, select the key database from the list.
    4. Click OK.
    Configure an outbound HTTP proxy

    You must specify values for the properties for the HTTP proxy. You might also need to import the root CA certificate from the proxy. See the instructions that follow.

    Table 1. HTTP proxy properties
    Name              Sample Value          Description
    http.proxyHost    http.proxy.ibm.com    The hostname or IP address of the HTTP proxy
    http.proxyPort    3128                  The port of the HTTP proxy
    https.proxyHost   https.proxy.ibm.com   The hostname or IP address of the HTTPS proxy
    https.proxyPort   3128                  The port of the HTTPS proxy
    1. For each property in the table above:
      1. On the Runtime Tuning Parameters panel, select the property.
      2. Click Edit.
      3. In the property window, enter the value. See the sample values in the table.
      4. Click OK.
    2. When all properties are set, follow the prompt to deploy the pending changes.

    Certain functions, such as the OpenID Connect single sign-on flow, require the root CA certificate of the outbound HTTP proxy to be imported to the Security Access Manager runtime keystore.

    Complete the following steps:

    1. Go to your HTTP Proxy application and obtain the necessary certificate for exchange. The exact steps to take are specific to the proxy application. Place the certificate on the local file system where it can be accessed by the appliance.
    2. On the Security Access Manager system, log in to the local management interface and select Manage System Settings > Secure Settings > SSL Certificates.
    3. Select the rt_profile_keys keystore.
    4. Select Manage > Edit SSL Certificate Database.
    5. Select Manage > Import.
    6. On the Signer Certificate panel, browse to locate the Certificate File. Enter a Certificate Label. Click Import.
    7. Deploy the changes.
    Delete the value of a parameter
    Use this button to delete the existing value of a parameter.
    1. Select the parameter to reset the value for.
    2. Click Delete. The value of the parameter is then changed to Unset.
    Manage the application interface on which the runtime listens
    1. On the Runtime Tuning Parameters panel, under Runtime Listening Interfaces, you can add, edit, or delete a listening interface.
      To add a listening interface
      1. Click Add.
      2. In the Runtime Listening Interfaces window, select the listening interface from the list.
      3. Specify the listening port.
      4. Select the SSL check box if security is required.
      5. Click OK.
      To modify a listening interface
      1. Select the listening interface to edit.
      2. Click Edit.
      3. In the Runtime Listening Interfaces window, edit the values as needed.
      4. Click OK to save the changes.
      To delete a listening interface
      1. Select the listening interface to delete.
      2. Select Delete.
      3. Confirm the deletion.
    Manage tracing specification
    1. Select the Runtime Tracing link from the top of this page. You can also access this panel from the top menu by selecting Monitor Analysis and Diagnostics > Logs > Runtime Tracing.
    2. Use one of the following ways to edit the trace level of a component.
      • Select the component name from the Component list. Select the ideal trace level for this component from the Trace Level list. Then, click Add. Repeat this process to modify trace levels for other components if needed. To clear all of the tracing levels, click Clear.
        To log all events, select ALL as the trace level.
        Note: This setting increases the amount of data in logs, so use this level only when necessary.
        com.tivoli.am.fim.authsvc.*
        com.tivoli.am.fim.trustserver.sts.modules.*
        Table 2. Valid trace levels. The following table contains the valid trace levels.
        Level     Significance
        ALL       All events are logged. If you create custom levels, ALL includes those levels and can provide a more detailed trace than FINEST.
        FINEST    Detailed trace information that includes all of the details that are necessary to debug problems.
        FINER     Detailed trace information.
        FINE      General trace information that includes method entry, exit, and return values.
        DETAIL    General information that details subtask progress.
        CONFIG    Configuration change or status.
        INFO      General information that outlines the overall task progress.
        AUDIT     Significant event that affects the server state or resources.
        WARNING   Potential error or impending error. This level can also indicate a progressive failure. For example: the potential leaking of resources.
        SEVERE    The task cannot continue, but component, application, and server can still function. This level can also indicate an impending unrecoverable error.
        FATAL     The task cannot continue, and component, application, and server cannot function.
        OFF       Logging is turned off.
      • Enter the name and value of the trace component in the Trace Specification field. To modify multiple components, separate the strings with a colon (:). Here is an example.
        com.x.y.*=WARNING:com.a.b.*=WARNING:com.ibm.isam.*=INFO
    3. Click Save.
  3. When you make changes, the appliance displays a message that there are undeployed changes. If you have finished making changes, deploy them.
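
The following is an added example, not part of the product or its documentation: a small linter for the colon-separated Trace Specification string described above. It validates each level against Table 2 and flags verbose entries in combination with the Suppress Sensitive Trace setting. The function names and the choice of FINE as the "verbose" threshold are assumptions made for illustration.

```python
# Added example (not IBM code): lint a runtime trace specification string.

# Valid trace levels from Table 2, most verbose first.
LEVELS = ["ALL", "FINEST", "FINER", "FINE", "DETAIL", "CONFIG", "INFO",
          "AUDIT", "WARNING", "SEVERE", "FATAL", "OFF"]
# Assumption: FINE and anything more verbose may carry payload data,
# because Table 2 says FINE already includes method return values.
VERBOSE = set(LEVELS[:LEVELS.index("FINE") + 1])


def parse_trace_spec(spec):
    """Split 'component=LEVEL:component=LEVEL' into (component, level) pairs."""
    entries = []
    for raw in spec.split(":"):
        item = raw.strip()
        if not item:
            continue  # tolerate a trailing or doubled colon
        component, sep, level = (part.strip() for part in item.partition("="))
        if not sep or not component:
            raise ValueError(f"malformed entry: {raw!r}")
        if level not in LEVELS:  # exact spelling from Table 2 (assumption)
            raise ValueError(f"unknown trace level {level!r} for {component}")
        entries.append((component, level))
    return entries


def audit_trace_spec(spec, suppress_sensitive_trace):
    """Return (component, level, reason) for entries that risk exposing data."""
    findings = []
    for component, level in parse_trace_spec(spec):
        if level not in VERBOSE:
            continue
        if not suppress_sensitive_trace:
            findings.append((component, level,
                             "verbose trace with Suppress Sensitive Trace disabled"))
        elif level == "ALL":
            findings.append((component, level,
                             "ALL logs every event; use only when necessary"))
    return findings


if __name__ == "__main__":
    # Constructed sample: the page's example string plus one verbose entry.
    sample = ("com.x.y.*=WARNING:com.a.b.*=WARNING:com.ibm.isam.*=INFO"
              ":com.tivoli.am.fim.authsvc.*=ALL")
    for suppress in (True, False):
        print(suppress, audit_trace_spec(sample, suppress))
```

Running the check on a proposed string before clicking Save gives a reviewable record of which components were raised to a verbose level and whether sensitive trace suppression was on at the time.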