IBM Support

Random error messages CWWIM4520E javax.naming.NamingException or javax.naming.CommunicationException and LDAP performance issues

Troubleshooting


Problem

You are experiencing LDAP performance issues and see random CWWIM4520E error messages in the WebSphere systemout.log.

Symptom

When you check the WebSphere systemout.log, you can see any of the following error messages.
CWWIM4520E The 'javax.naming.NamingException: LDAP response read timed out, timeout used:20000ms"
CWWIM4520E The 'javax.naming.CommunicationException: ldap.ibm.com:389 [Root exception is java.net.ConnectException: Connection refused: connect]' naming exception occurred during processing.
CWWIM4520E The 'javax.naming.CommunicationException: ldap.ibm.com:636 [Root exception is java.net.SocketException: Connection reset]' naming exception occurred during processing.

Cause

First, rule out that the LDAP server became inaccessible from the WebSphere server.
That could happen because the LDAP server stopped responding or because of a networking problem.
If you determine that there were no LDAP connectivity issues at the time the CWWIM4520E error messages were thrown, consider these other possible causes:
  • "LDAP response read timed out" means that the response from the DC to the WebSphere query timed out. Possible causes include a query that is too heavy, so that the LDAP server takes too long to respond, or the follow referrals option being enabled while the LDAP server is slow to respond.
  • "java.net.ConnectException" or "java.net.SocketException" could indicate that the connection or socket was already closed when WebSphere tried to use it.
If you have a proxy between WebSphere and the LDAP server and these error messages occur randomly, the cause could be connections in the pool that stay unused for longer than the timeout configured at the proxy or LDAP server level. When WebSphere takes such a connection from the pool, the proxy or the LDAP server has already closed it, and the error occurs. This behavior is explained in detail in the following technote:
WebSphere Application Server Hang in Federated Repository LDAP when using the default settings
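The following added example (not part of the original technote or of any IBM tooling) sorts CWWIM4520E entries by the causes listed above and separates isolated errors from bursts. The log timestamp layout, the sample lines, and the 60-second burst window are assumptions; treating isolated resets as a hint of stale pooled connections and bursts as a hint of a connectivity problem is a heuristic.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines; timestamp layout and thread/component fields are assumed.
_P = "0000007a LdapConnectio E   CWWIM4520E The 'javax.naming."
_S = "' naming exception occurred during processing."
_RESET = "CommunicationException: ldap.ibm.com:636 [Root exception is java.net.SocketException: Connection reset]"
_REFUSED = "CommunicationException: ldap.ibm.com:389 [Root exception is java.net.ConnectException: Connection refused: connect]"
_TIMEOUT = "NamingException: LDAP response read timed out, timeout used:20000ms"
SAMPLE_LOG = "\n".join([
    f"[3/1/22 9:00:01:120 CET] {_P}{_RESET}{_S}",
    f"[3/1/22 9:42:17:004 CET] {_P}{_RESET}{_S}",
    f"[3/1/22 10:15:30:250 CET] {_P}{_REFUSED}{_S}",
    f"[3/1/22 10:15:31:300 CET] {_P}{_REFUSED}{_S}",
    f"[3/1/22 10:15:33:010 CET] {_P}{_REFUSED}{_S}",
    "[3/1/22 10:20:00:000 CET] 0000007a SomeComponent I   unrelated line",
    f"[3/1/22 11:05:00:500 CET] {_P}{_TIMEOUT}{_S}",
])

LINE_RE = re.compile(r"^\[(\d+/\d+/\d+ \d+:\d+:\d+):\d+ \S+\].*?CWWIM4520E The '(.*)")
CAUSES = [("LDAP response read timed out", "read_timeout"),
          ("Connection refused", "refused"),
          ("Connection reset", "reset")]

def classify(detail):
    """Map the exception text to one of the causes named in the technote."""
    return next((label for needle, label in CAUSES if needle in detail), "other")

def parse(log_text):
    """Return (timestamp, cause) for every CWWIM4520E line; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%m/%d/%y %H:%M:%S")
            events.append((ts, classify(m.group(2))))
    return events

def summarize(events, burst_gap_s=60):
    """Count causes separately for isolated errors and for errors inside a burst."""
    isolated, in_burst = Counter(), Counter()
    times = [ts for ts, _ in events]
    for i, (ts, label) in enumerate(events):
        prev_close = i > 0 and (ts - times[i - 1]).total_seconds() <= burst_gap_s
        next_close = i + 1 < len(times) and (times[i + 1] - ts).total_seconds() <= burst_gap_s
        (in_burst if prev_close or next_close else isolated)[label] += 1
    return {"isolated": dict(isolated), "in_burst": dict(in_burst)}

if __name__ == "__main__":
    print(summarize(parse(SAMPLE_LOG)))
```
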

Diagnosing The Problem

Work with your network administrators to check whether there is an underlying network connectivity problem.
Consider checking:
  1. Whether the LDAP server is running and listening on its port; for example, use netstat -an
  2. If the LDAP server is fronted by a proxy such as an LDAP load balancer, whether the proxy is running and listening on its port.
  3. Whether the host name can be resolved; for example, use nslookup <ldaphostname>
  4. Whether the network path is open; for example, use ping <ldaphostname>
  5. Whether the port is open; for example, use telnet <ldaphostname> <port> if LDAP is running on a nonsecure port, or openssl s_client -connect <ldaphostname>:<port> if the LDAP server is running on a secure port
If these checks reveal no networking issues, gather WebSphere traces and TCP/IP traces covering the same time period to obtain additional information for debugging the issue.
Use the following trace string:
*=info:com.ibm.ws.security.*=all:com.ibm.websphere.security.*=all:com.ibm.websphere.wim.*=all:com.ibm.wsspi.wim.*=all:com.ibm.ws.wim.*=all:HTTPChannel=all:TCPChannel=all:GenericBNF=all 
Follow these instructions to enable the traces:
Setting up a trace in WebSphere Application Server
Follow these instructions to gather the TCP/IP traces:
Using packet trace tools iptrace, snoop, tcpdump, wireshark, and nettl

Resolving The Problem

Tuning the LDAP performance settings, in particular reducing the poolTimeOut, is recommended as a first step because it usually solves most of these problems.
Test with these properties as a start and tweak as needed:
  1. Log on to the WebSphere Integrated Solutions console as the WebSphere administrator.
  2. Click Security > Global security.
  3. In the User account repository section, click Configure.
  4. In the Repositories in the realm table, click the Repository identifier.
  5. In the Additional properties section, click Performance.
  6. Select or clear the Enable context pool option, and specify values for the context pool parameters.
  7. Select the Limit search time check box.
  8. In the Milliseconds field, type 30,000.
  9. In the Context pool section, in the Initial size field, specify 10.
  10. In the Preferred size field, specify 10.
  11. In the Context pool section, in the Maximum size field, specify 50. Each context is associated with one socket connection.
  12. Select the Context pool times out check box.
  13. In the Seconds field, specify the number of seconds to keep idle connections in the context pool. The recommended value is 10.
    • If you have an idle connection timeout set in the LDAP server, specify a value smaller than half of that timeout in the Seconds field. For example, if the idle connection timeout on the LDAP server is set to 40 seconds, specify a value lower than 20 seconds in this field.
    • If there is a firewall between the WebSphere Application Server and the LDAP server, specify a value that is smaller than half of both the firewall's inactivity timeout setting and the LDAP server's idle connection timeout setting.
    • If the LDAP server is fronted by a load balancer, specify a value that is smaller than half of both the load balancer's inactivity timeout setting and the LDAP server's idle connection timeout setting.
  14. Click OK.
  15. Save the change to the configuration by clicking the Save link in the "Messages" box at the beginning of the page.
  16. Restart all the WebSphere processes and test.
If the problem is not fixed after that, gather the TCP/IP traces and the WebSphere traces as indicated in the "Diagnosing The Problem" section above to investigate further.

Document Location

Worldwide


Document Information

Modified date:
01 March 2022

UID

ibm16536670