Monitoring
Monitoring is a key aspect of everyday system administration. Through monitoring, administrators can obtain information about resource usage (CPU, memory, etc.) that allows them to better tune the solution and prevent potential issues. Besides monitoring basic resources, IAM.tf also provides usage statistics, like the number of user sessions an Identity Provider is handling, or the maximum number of simultaneous sessions registered for that same provider. Additionally, administrators can modify server parameters, or even manage user sessions.
The tutorial introduces the different monitoring options available in IAM.tf, and then it explains how to configure and effectively use them to keep track of the server health. It describes statistical information like system resources and user activity, and how to use this information to prevent performance issues or service outages.
Using Java Management Extension (JMX)
IAM.tf adheres to the Java standard for monitoring and management, Java Management Extension (JMX), which is widely adopted by management solutions (consoles, monitoring services, etc.). This allows IT departments to leverage their existing monitoring infrastructure by connecting any JMX client to IAM.tf. IAM.tf provides a wide variety of Managed Beans (MBeans) that allow you to fully monitor and administer your IAM.tf servers.
Prerequisites
Before starting with this section, make sure that the following prerequisites are fulfilled:
JMX Client (Java Console can be used)
IAM.tf 1.0.0 or above
Running identity appliance (recommended)
Monitoring and Management System Settings
You can configure the JMX service on your IAM.tf server by opening the Atricore Web Console, and then accessing the Monitoring and Management option located in the System Settings section. These are the available settings, but you normally don't need to change them as the default values will work in most environments.
Field | Description |
RMI Registry Port | The port number the IAM.tf RMI Registry service will bind to. By default, IAM.tf will bind to port 1099. |
RMI Server Port | The port number the IAM.tf RMI Server will bind to. By default, IAM.tf will bind to port 44444. |
Service URL | The service URL the IAM.tf JMX Service will bind to. |
Tips
To bind the JMX service to an address other than localhost (127.0.0.1), you need to manually edit the Service URL located at: $IAMTF_HOME/etc/org.apache.karaf.management.cfg. Only replace localhost with the server IP address, and keep the rest of the URL unmodified. Setting the bind address will be a console option in future versions.
Connecting to the JMX Service
You can connect any JMX client using the service URL provided by the Atricore console. You probably need to replace the host name with the IAM.tf server name or IP address. For instance, if your IAM.tf server is using IP 192.168.1.100, the JMX URL will look like:
service:jmx:rmi://192.168.1.100:44444/jndi/rmi://192.168.1.100:1099/karaf-iamtf
The connection is secured using basic authentication; you can use any Administrator user registered in the default identity vault. When running a remote JMX client, you need to open the proper TCP ports (the RMI Registry and RMI Server ports, 1099 and 44444 by default) and bind the JMX service to a different address (the default is localhost).
Tips
You can manage Administrator user accounts with the Account and Entitlement Management feature that is available in the Atricore Web Console. The default Administrator credentials are: admin for username and atricore for password, but you can use any user account that is associated with the Administrator group.
Monitoring JVM Resources
The most critical JVM resources are CPU utilization and memory usage. Through JMX you can keep track of both resources, and depending on your management infrastructure, you can define alert policies to detect when the resources reach a critical value.
CPU utilization
This normally depends on load. You want a safety margin that allows IAM.tf to handle traffic peaks; therefore, the average utilization should not go over 40%. You may need to add additional nodes, or increase your VM specs (when using virtualization), if your average CPU utilization is too high.
The other aspect to keep in mind is that when memory is running low, the JVM will consume a lot of CPU resources during garbage collection. If the garbage collector is using more than 10% of the total used CPU, you may want to consider increasing the available memory for IAM.tf, specifically the memory heap size.
The JMX support provides a way to keep track of CPU utilization, as shown in the graphic below. You can use any JMX tool to monitor CPU utilization, as well as the Java Console (jconsole), or the Java Visual VM (jvisualvm) bundled with the JDK.
Memory usage
JVM memory is divided into heap and non-heap memory. The most critical value, and the one that you may need to update based on your needs, is the heap memory. IAM.tf is by default configured to use 1Gb of system memory as heap, but this value can be increased if necessary. The maximum value depends on the platform, but normally 1Gb is enough for most deployments. Configuring a heap size larger than 8Gb may produce additional garbage collector CPU utilization, because the managed memory size is too large. A proper heap memory configuration should ensure that, on average, 70% or less of the available heap is used.
You can monitor memory usage with any JMX tool, the Java Console (jconsole), or the Java Visual VM (jvisualvm).
JVM Threads
JVM threads can also be monitored using any JMX tool. The number of live threads and the thread peak will depend on your system load. Most threads are created to handle user HTTP connections to the server, and you can monitor both values using JMX. A thread pool is kept to improve performance; therefore, the number of threads will normally not go much lower than 400.
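The following added example (not part of the original page or of IAM.tf) reads the standard JVM platform MBeans over JMX and compares them with the limits stated above: 40% CPU, 70% heap and 10% garbage collector share. The class name and the JMX_PASSWORD environment variable are assumptions, the CPU attributes require a HotSpot-based JVM, and the GC share is a rough approximation because collection time is elapsed time rather than CPU time.

```java
import java.lang.management.*;
import java.util.*;
import javax.management.*;
import javax.management.remote.*;

// Added example, not IAM.tf code: one-shot JMX check against this section's thresholds.
public class JvmHealthCheck {
    // Limits taken from the text: 40% CPU, 70% heap, 10% GC share of used CPU.
    static final double MAX_CPU = 0.40, MAX_HEAP = 0.70, MAX_GC_SHARE = 0.10;

    public static void main(String[] args) throws Exception {
        // args[0] = JMX service URL, args[1] = Administrator user name.
        // JMX_PASSWORD is an assumed environment variable name for the password.
        Map<String, Object> env = new HashMap<>();
        env.put(JMXConnector.CREDENTIALS, new String[] {args[1], System.getenv("JMX_PASSWORD")});
        boolean ok;
        try (JMXConnector jmxc = JMXConnectorFactory.connect(new JMXServiceURL(args[0]), env)) {
            MBeanServerConnection conn = jmxc.getMBeanServerConnection();

            MemoryUsage heap = ManagementFactory.newPlatformMXBeanProxy(conn,
                    ManagementFactory.MEMORY_MXBEAN_NAME, MemoryMXBean.class).getHeapMemoryUsage();
            long limit = heap.getMax() > 0 ? heap.getMax() : heap.getCommitted();
            double heapUsed = (double) heap.getUsed() / limit;

            // ProcessCpuLoad and ProcessCpuTime are HotSpot extensions; the load is an
            // instantaneous reading (negative if unavailable), so average it over several runs.
            ObjectName os = new ObjectName(ManagementFactory.OPERATING_SYSTEM_MXBEAN_NAME);
            double cpu = ((Number) conn.getAttribute(os, "ProcessCpuLoad")).doubleValue();
            double cpuMs = ((Number) conn.getAttribute(os, "ProcessCpuTime")).longValue() / 1e6;

            // Rough GC share since JVM start: accumulated collection time over CPU time.
            long gcMs = 0;
            for (ObjectName gc : conn.queryNames(
                    new ObjectName(ManagementFactory.GARBAGE_COLLECTOR_MXBEAN_DOMAIN_TYPE + ",*"), null)) {
                gcMs += Math.max(0L, ((Number) conn.getAttribute(gc, "CollectionTime")).longValue());
            }
            double gcShare = cpuMs > 0 ? gcMs / cpuMs : 0.0;

            int live = ManagementFactory.newPlatformMXBeanProxy(conn,
                    ManagementFactory.THREAD_MXBEAN_NAME, ThreadMXBean.class).getThreadCount();

            System.out.printf("cpu=%.0f%% heap=%.0f%% gcShare=%.1f%% liveThreads=%d%n",
                    cpu * 100, heapUsed * 100, gcShare * 100, live);
            ok = cpu <= MAX_CPU && heapUsed <= MAX_HEAP && gcShare <= MAX_GC_SHARE;
        }
        System.exit(ok ? 0 : 2); // non-zero exit lets a scheduler or monitor raise an alert
    }
}
```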
Managed Beans
Managed Beans (MBeans) are Java components that represent manageable resources. There are multiple MBeans available in IAM.tf; some MBeans are provided by the JVM or the infrastructure included in the product, but others are IAM.tf specific and allow administrators to monitor and manage user activity. MBeans are organized in namespaces. IAM.tf will automatically configure Identity Appliance MBeans using the appliance namespace and name, following the pattern below:
<appliance-namespace>.<appliance-name>.idau
For instance, if your Identity Appliance namespace is com.atricore.qa and the appliance name is ida1, all Appliance specific MBeans will be available under the namespace com.atricore.qa.ida1.idau as shown in the following image. The MBean type depends on the managed identity component; all Identity Providers are grouped as IdentityProvider MBeans.

Identity Provider MBean
Attribute values are initialized every time the Identity Appliance is started.
Attribute | Description |
SessionCount | Number of live sessions |
MaxSessionCount | Max Number of live sessions |
TotalCreatedSessions | Number of user sign-ins |
TotalDestroyedSessions | Number of sign-outs either due to session timeout or user log-out. |
MaxInactiveInterval | SSO Session timeout in minutes, can be updated but will be restored to the configured value if the appliance is restarted. |
Operations can be used to obtain information about user activity, and also to manage user sessions. Some operations are intended for internal use; the relevant methods are listed below. These operations only apply to the current IdP. They will not affect other IdPs, either in the same Identity Appliance or in different Appliances.
Operation | Arguments | Description |
invalidateAllSessions | None | Terminate all SSO sessions, all users will be logged out |
invalidateUserSessions | String: username | Terminate all SSO sessions associated to the user |
invalidateSession | String: session identifier | Terminate the SSO session associated to the given identifier |
listUserSessions | None | List all SSO sessions, provides information about creation time, last accessed time, username. (This may cause performance issues) |
listSessionsAsTable | None | List all SSO sessions, provides information about creation time, last accessed time, username. |
listUserSessionsAsTable | String: username | List user specific SSO sessions, provides information about creation time, last accessed time, username. |
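The following added example (not part of the original page or of IAM.tf) reads the session attributes listed above from every Identity Provider MBean in an appliance namespace and, when a username is supplied, calls invalidateUserSessions for that user, for instance when an account has to be signed out during incident handling. The class name, the JMX_PASSWORD environment variable and the selection of MBeans by their SessionCount attribute are assumptions, since the page does not give the full MBean object names.

```java
import java.util.*;
import javax.management.*;
import javax.management.remote.*;

// Added example, not IAM.tf code: report IdP session counters and optionally
// terminate the SSO sessions of one user.
public class IdpSessions {
    public static void main(String[] args) throws Exception {
        // args: <jmx-url> <admin-user> <appliance-namespace> [username-to-sign-out]
        // e.g. namespace com.atricore.qa.ida1.idau, the example used in the text.
        // JMX_PASSWORD is an assumed environment variable name for the password.
        Map<String, Object> env = new HashMap<>();
        env.put(JMXConnector.CREDENTIALS, new String[] {args[1], System.getenv("JMX_PASSWORD")});
        try (JMXConnector jmxc = JMXConnectorFactory.connect(new JMXServiceURL(args[0]), env)) {
            MBeanServerConnection conn = jmxc.getMBeanServerConnection();
            // The exact ObjectName keys are not given in the text, so match the whole
            // namespace and keep only MBeans that expose the SessionCount attribute.
            for (ObjectName name : conn.queryNames(new ObjectName(args[2] + ":*"), null)) {
                if (!hasAttribute(conn.getMBeanInfo(name), "SessionCount")) continue;
                AttributeList values = conn.getAttributes(name, new String[] {
                        "SessionCount", "MaxSessionCount", "TotalCreatedSessions",
                        "TotalDestroyedSessions", "MaxInactiveInterval"});
                System.out.println(name);
                for (Attribute a : values.asList()) {
                    System.out.println("  " + a.getName() + " = " + a.getValue());
                }
                if (args.length > 3) {
                    // Operation name and argument type as listed in the table above.
                    conn.invoke(name, "invalidateUserSessions",
                            new Object[] {args[3]}, new String[] {String.class.getName()});
                    System.out.println("  invalidated SSO sessions of " + args[3]);
                }
            }
        }
    }

    static boolean hasAttribute(MBeanInfo info, String attr) {
        for (MBeanAttributeInfo a : info.getAttributes()) {
            if (a.getName().equals(attr)) return true;
        }
        return false;
    }
}
```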

JMX Tools
Java Visual VM tool
This tool is bundled with the Java Development Kit since version 6. It allows you to monitor any JVM process. This is the overview screen for an IAM.tf server under load testing.

Java Console tool
The Java Management Console is also provided with the JDK and it can be used to both monitor resources and to access Managed Bean components, a feature that the Java Visual VM does not support.
Remote Monitoring
Atricore also provides remote monitoring for your IAM.tf deployments. This managed monitoring service allows Atricore to keep track of system resources, performance, user satisfaction (Apdex index) and SSO statistics remotely, using a cloud-based system. The system will also monitor problems that require immediate attention, such as those that can affect service availability, so that they can be addressed quickly to avoid system outages. The service requires that your IAM.tf server can connect to the Internet in order to push the required information. HTTP proxies are supported; you can specify the host and port in your monitoring agent configuration file.
Activating Managed Monitoring
In order to activate IAM.tf Managed monitoring, you need the following prerequisites:
Managed monitoring agent
Managed monitoring configuration
The service is based on NewRelic, which requires the installation of a specific set of components.