Tuning runtime application parameters and tracing specifications
To manually tune selected runtime application parameters and tracing specifications, use the Runtime Parameters management page.
Procedure
- From the top menu, select AAC > Global Settings > Runtime Parameters or Federation > Global Settings > Runtime Parameters.
This page contains three panels: Runtime Status, Runtime Tuning Parameters, and Runtime Tracing.
- Perform one or more of the following actions to tune your runtime.
Note: Certain changes might require a restart of the runtime before they can take effect.
- Disable automatic restart of the runtime
- By default, the runtime is automatically restarted after certain changes are made. You can
disable this automatic restart function if you prefer manual restarts.
- On the Runtime Tuning Parameters panel, select Auto Restart.
- Click Edit.
- In the Auto Restart window, define the value as False.
- Click OK.
- Enable Mutual TLS protection for the runtime
- By default, the runtime is not protected by Mutual TLS. You can enable Mutual TLS by enabling the flag.
- On the Runtime Tuning Parameters panel, select Require MTLS.
- Click Edit.
- In the Require MTLS window, define the value as True.
- Click OK.
- Depending on the key used for Mutual TLS, add the corresponding certificate to the runtime profile truststore.
- Modify the Web reverse proxy junction to enable mutual authentication to junctioned WebSEAL servers.
- View the status of the runtime, and manage the state of the runtime (stop, start, or restart the runtime)
- Select the Runtime Status panel. The status of local and clustered runtimes is displayed.
- Under Local Runtime Status, you can view the runtime operational status, when it was last started, and whether a restart is outstanding. If the value of the Restart Required field is True, it means that the runtime must be restarted for some changes to take effect.
- Under Clustered Runtime Status, all nodes in the cluster are listed.
- The Master column indicates whether a node is the cluster master.
- The Runtime Status column indicates whether a node is running or stopped.
- The Changes Active column indicates whether changes made to the cluster configuration are active on this node. Having a green indicator in this column means that all changes made are already active. Having a yellow indicator in this column means that this node must be restarted before some changes can take effect.
- Depending on which runtime you want to manage, click the appropriate "local" or "remote" option, for example: Restart Local Runtime or Restart All Clustered Runtimes.
- Depending on what state you want the runtime in, click the appropriate action, for example to stop the local runtime click Stop Local Runtime.
- Modify the maximum or initial heap size
- These parameters indicate the maximum and initial heap size in megabytes for the runtime Java virtual machine.
- On the Runtime Tuning Parameters panel, select Max Heap Size or Initial Heap Size.
- Click Edit.
- In the Max Heap Size or Initial Heap Size window, enter the heap size value as needed.
- Click OK.
- Modify the minimum or maximum threads
- These parameters indicate the minimum number of core threads that the runtime server starts with
and the maximum number of threads that can be associated with the runtime server.
If the minimum value is not set or is set as -1, a default value is calculated based on the number of hardware threads on the system.
If the maximum value is not set or is set as 0 or less, a default value of unbounded is used.
The minimum cannot be set to a value larger than the maximum.
- On the Runtime Tuning Parameters panel, select Min Threads or Max Threads.
- Click Edit.
- In the Min Threads or Max Threads window, enter the required value.
- Click OK.
- Modify whether to suppress sensitive trace
- Enabling this parameter prevents sensitive information from being exposed in log and trace files. Examples of such sensitive information include bytes received over a network connection.
- On the Runtime Tuning Parameters panel, select Suppress Sensitive Trace.
- Click Edit.
- In the Suppress Sensitive Trace window, select or clear the check box as needed.
- Click OK.
- Modify console log level
- Console log level controls the granularity of messages that go to the console.log file.
- On the Runtime Tuning Parameters panel, select Console Log Level.
- Click Edit.
- In the Console Log Level window, select the new value from the list.
- Click OK.
- Set whether to accept client certificates
- This parameter controls whether the server accepts client certificates as a form of authentication.
- On the Runtime Tuning Parameters panel, select Accept Client Certificates.
- Click Edit.
- In the Accept Client Certificates window, select or clear the check box as needed.
- Click OK.
- Maximum Session Count
- This parameter defines the maximum number of sessions that is maintained in memory.
Note: The default setting is 250000. When this setting is used, the maximum number of sessions is 250000.
- On the Runtime Tuning Parameters panel, select Maximum Session Count.
- Click Edit.
- In the Maximum Session Count window, define the value.
- Click OK.
- Set session invalidation timeout
- This parameter defines the amount of time a session can remain unused before it is no longer valid.
Note: The default setting is 1200. When this setting is used, the session invalidation timeout is 1200 seconds.
- On the Runtime Tuning Parameters panel, select Session Invalidation Timeout.
- Click Edit.
- In the Session Invalidation Timeout window, define the value in seconds.
- Click OK.
- Set session reaper poll interval
- This parameter defines the wake-up interval in seconds for the process that removes invalid sessions. The minimum value is 30 seconds.
The default setting is Unset. When this setting is used, or if a value less than the minimum is entered, an appropriate value is automatically determined and used. This value overrides the default installation value, which is 30 - 360 seconds, based on the session invalidation timeout value. Because the default session invalidation timeout is 1800 seconds, the reaper interval is usually between 120 and 180 seconds.
- On the Runtime Tuning Parameters panel, select Session Reaper Poll Interval.
- Click Edit.
- In the Session Reaper Poll Interval window, define the value in seconds.
- Click OK.
- Set the keystore that is used by the runtime server
- This parameter defines the key database that contains the runtime server's private key.
- On the Runtime Tuning Parameters panel, select Keystore.
- Click Edit.
- In the Keystore window, select the key database from the list.
- Click OK.
- Set the truststore that is used by the runtime server
- This parameter defines the key database that contains keys that are trusted by the runtime server.
- On the Runtime Tuning Parameters panel, select Truststore.
- Click Edit.
- In the Truststore window, select the key database from the list.
- Click OK.
- Configure an outbound HTTP proxy
- You must specify values for the properties for the HTTP proxy. You might also need to import the root CA certificate from the proxy. See Table 1. HTTP proxy properties.
You must also set the JVM property http.nonProxyHosts by specifying the outgoing requests that bypass the HTTP proxy. The value must include the string "localhost^|127.0.0.1*|127.0.0.1:2026". Set the value with the runtime_profile.jvm_option advanced tuning parameter. For example:
runtime_profile.jvm_option -Dhttp.nonProxyHosts="*.mydomain.com|*.myotherdomain.com|localhost^|127.0.0.1*|127.0.0.1:2026"

Table 1. HTTP proxy properties

| Name | Sample Value | Description |
| --- | --- | --- |
| http.proxyHost | http.proxy.ibm.com | The hostname or IP address of the HTTP proxy |
| http.proxyPort | 3128 | The port of the HTTP proxy |
| https.proxyHost | https.proxy.ibm.com | The hostname or IP address of the HTTPS proxy |
| https.proxyPort | 3128 | The port of the HTTPS proxy |

- For each property in the table above:
- On the Runtime Tuning Parameters panel, select the property.
- Click Edit.
- In the property window, enter the value. See the sample values in the table.
- Click OK.
- When all properties are set, follow the prompt to deploy the pending changes.
Certain functions, such as the OpenID Connect single sign-on flow, require the root CA certificate of the outbound HTTP proxy to be imported to the Security Verify Access runtime keystore.
Complete the following steps:
- Go to your HTTP Proxy application and obtain the necessary certificate for exchange. The exact steps to take are specific to the proxy application. Place the certificate on the local file system where it can be accessed by the appliance.
- On the Security Verify Access system, log in to the local management interface and select System > Secure Settings > SSL Certificates.
- Select the rt_profile_keys keystore.
- Select Manage > Edit SSL Certificate Database.
- Select Manage > Import.
- On the Signer Certificate panel, browse to locate the Certificate File. Enter a Certificate Label. Click Import.
- Deploy the changes.
- Delete the value of a parameter
- Use this button to delete the existing value of a parameter.
- Select the parameter to reset the value for.
- Click Delete. The value of the parameter is then changed to Unset.
- Manage the application interface on which the runtime listens
- On the Runtime Tuning Parameters panel, under Runtime Listening Interfaces, you can add, edit, or delete a listening interface.
Note: If the runtime is exposed on an external IP address, there must be network restrictions in place to ensure that access is not allowed from untrusted clients, or the runtime must be configured to require mutual TLS authentication.
- To add a listening interface
- Click Add.
- In the Runtime Listening Interfaces window, select the listening interface from the list.
- Specify the listening port.
- Select the SSL check box if security is required.
- Click OK.
- To modify a listening interface
- Select the listening interface to edit.
- Click Edit.
- In the Runtime Listening Interfaces window, edit the values as needed.
- Click OK to save the changes.
- To delete a listening interface
- Select the listening interface to delete.
- Select Delete.
- Confirm the deletion.
- Manage tracing specification
Note: Setting trace for Oracle components "oracle.*" results in the underlying Oracle JDBC jar file being changed to a debugging jar file. This might have adverse effects on performance, so Oracle tracing should be enabled only for debugging purposes and disabled once debugging is complete.
- Select the Runtime Tracing link from the top of this page. You can also access this panel from the top menu by selecting Monitor > Logs > Runtime Tracing.
- Use one of the following ways to edit the trace level of a component.
- Select the component name from the Component list. Select the ideal trace level for this component from the Trace Level list. Then, click Add. Repeat this process to modify trace levels for other components if needed. To clear all of the tracing levels, click Clear.
To log all events, select ALL as the trace level.
Note: This setting increases the amount of data in logs, so use this level when necessary.
com.tivoli.am.fim.authsvc.*
com.tivoli.am.fim.trustserver.sts.modules.*

Table 2. Valid trace levels. The following table contains the valid trace levels.

| Level | Significance |
| --- | --- |
| ALL | All events are logged. If you create custom levels, ALL includes those levels and can provide a more detailed trace than FINEST. |
| FINEST | Detailed trace information that includes all of the details that are necessary to debug problems. |
| FINER | Detailed trace information. |
| FINE | General trace information that includes methods entry, exit, and return values. |
| DETAIL | General information that details sub task progress. |
| CONFIG | Configuration change or status. |
| INFO | General information that outlines the overall task progress. |
| AUDIT | Significant event that affects the server state or resources. |
| WARNING | Potential error or impending error. This level can also indicate a progressive failure. For example: the potential leaking of resources. |
| SEVERE | The task cannot continue, but component, application, and server can still function. This level can also indicate an impending unrecoverable error. |
| FATAL | The task cannot continue, and component, application, and server cannot function. |
| OFF | Logging is turned off. |

- Enter the name and value of the trace component in the Trace Specification field. To modify multiple components, separate two strings with a colon (:). Here is an example.
com.x.y.*=WARNING:com.a.b.*=WARNING:com.ibm.isva.*=INFO
- Click Save.
- When you make changes, the appliance displays a message that there are undeployed changes. If you have finished making changes, deploy them.
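
The following Python sketch is an added example, not part of the product or its documentation. It parses a Trace Specification string in the component=LEVEL:component=LEVEL form shown above, validates each level against Table 2, and reports entries worth reviewing before deployment. The review policy (which levels count as verbose, and pairing them with the Suppress Sensitive Trace setting), the component-name pattern, and the case-insensitive level match are assumptions of this example.

```python
import re

# Valid trace levels from Table 2, most verbose first.
LEVELS = ["ALL", "FINEST", "FINER", "FINE", "DETAIL", "CONFIG", "INFO",
          "AUDIT", "WARNING", "SEVERE", "FATAL", "OFF"]
# Assumed review policy for this example: levels that emit detailed trace data.
VERBOSE = {"ALL", "FINEST", "FINER", "FINE"}
# Assumed component syntax: a dotted name, optionally ending in ".*", or "*".
COMPONENT_RE = re.compile(r"^(\*|[A-Za-z_]\w*(\.[A-Za-z_]\w*)*(\.\*)?)$")


def parse_trace_spec(spec):
    """Split 'component=LEVEL:component=LEVEL' into (component, level) pairs."""
    entries = []
    for part in filter(None, (p.strip() for p in spec.split(":"))):
        component, sep, level = part.partition("=")
        if not sep or not COMPONENT_RE.match(component):
            raise ValueError(f"malformed entry: {part!r}")
        level = level.upper()  # assumption: levels are matched case-insensitively
        if level not in LEVELS:
            raise ValueError(f"unknown trace level in {part!r}")
        entries.append((component, level))
    return entries


def review_trace_spec(spec, suppress_sensitive_trace):
    """Return findings a reviewer would raise before the change is deployed."""
    findings = []
    for component, level in parse_trace_spec(spec):
        if level in VERBOSE and not suppress_sensitive_trace:
            findings.append(f"{component}={level}: verbose trace while "
                            "Suppress Sensitive Trace is off")
        if component.startswith("oracle.") and level != "OFF":
            findings.append(f"{component}={level}: Oracle tracing swaps in the "
                            "debugging JDBC jar; disable once debugging is complete")
    return findings


# Constructed sample: the example spec from this page plus two debugging entries.
SAMPLE = ("com.x.y.*=WARNING:com.a.b.*=WARNING:com.ibm.isva.*=INFO:"
          "com.tivoli.am.fim.authsvc.*=ALL:oracle.*=FINE")

if __name__ == "__main__":
    for finding in review_trace_spec(SAMPLE, suppress_sensitive_trace=False):
        print(finding)
```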
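
As an added example (not code from the product), the following Python sketch checks a set of runtime tuning values against the rules stated in this procedure: the thread minimum and maximum semantics, the 30 second minimum for the session reaper poll interval, and the note that a runtime exposed on an external address needs network restrictions or mutual TLS. The dictionary keyed by the panel's display names, the interface tuples, and the choice to treat every non-loopback address as external are assumptions of this example; the sample values are constructed.

```python
import ipaddress


def audit_runtime_tuning(params, interfaces):
    """Return findings for parameter values that conflict with the documented rules."""
    findings = []
    min_threads = params.get("Min Threads")
    max_threads = params.get("Max Threads")
    # Max unset or <= 0 means unbounded; min unset or -1 means a computed default.
    max_is_bounded = max_threads is not None and max_threads > 0
    if max_is_bounded and min_threads not in (None, -1) and min_threads > max_threads:
        findings.append("Min Threads is larger than Max Threads")
    reaper = params.get("Session Reaper Poll Interval")
    if reaper is not None and reaper < 30:
        findings.append("Session Reaper Poll Interval is below the 30 second "
                        "minimum; the runtime picks its own value instead")
    # Require MTLS is off by default, so an unset value counts as False.
    mtls = bool(params.get("Require MTLS", False))
    for address, port, ssl in interfaces:
        if ipaddress.ip_address(address).is_loopback:
            continue  # assumption: only non-loopback listeners need review
        if not ssl:
            findings.append(f"{address}:{port} listens without SSL")
        if not mtls:
            findings.append(f"{address}:{port} is reachable off-host while Require "
                            "MTLS is False; confirm network restrictions exist")
    return findings


# Constructed sample values; 192.0.2.10 is a documentation address (RFC 5737).
SAMPLE_PARAMS = {"Min Threads": 50, "Max Threads": 20,
                 "Session Reaper Poll Interval": 10, "Require MTLS": False}
SAMPLE_INTERFACES = [("127.0.0.1", 443, True),
                     ("192.0.2.10", 9443, True),
                     ("192.0.2.10", 9080, False)]

if __name__ == "__main__":
    for finding in audit_runtime_tuning(SAMPLE_PARAMS, SAMPLE_INTERFACES):
        print(finding)
```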