
Symantec Identity Manager - Connector Server limits AD connections to 10


Article ID: 202209


Products

CA Identity Manager, CA Identity Governance, CA Identity Portal, CA Identity Suite

Issue/Introduction

As part of the CA Identity Manager (IM) onboarding process, Active Directory (AD) accounts are moved from one OU to another, sometimes a few hundred of them in a batch using a Bulk Task.

Prior to 14.3 CP2 this activity took a long time to complete and impacted system performance, but it did complete. After deploying CP2 and issuing the Bulk Task, the individual move account tasks got stuck in In Progress and did not complete. When the CCS AD log was inspected, it contained messages like the examples below:

11:23:00 - Connection Pool: TID:0x9be4 All 10/10 connections are busy. Sleeping for 157 milliseconds.
11:23:00 - Connection Pool: TID:0x62c4 All 10/10 connections are busy. Sleeping for 369 milliseconds.

...
12:43:14 - Connection Pool: TID:0x57c8 All 10/10 connections are busy. Sleeping for 323 milliseconds.
12:43:14 - Connection Pool: TID:0xa274 All 10/10 connections are busy. Sleeping for 425 milliseconds.

 

What has changed in 14.3 CP2 that causes this issue?

Cause

Enhancement.

Environment

Release : 14.3 CP2, 14.4.0

Component : CA IDENTITY SUITE (VIRTUAL APPLIANCE)

Resolution

Starting with 14.3 CP2 we have added the option to make multiple connections to Active Directory Domain Servers:
https://support.broadcom.com/external/content/release-announcements/Symantec-Identity-Governance-Administration-14.3-cumulative-Patch-2-General-Availability-notification/16129
Multiple connections supported from C++ Connector Server to the Active Directory Domain Server


Identity Manager now supports multiple active connections from C++ Connector Server (CCS) to Active Directory Domain Server. The default maximum connections allowed in a connection pool per endpoint is 10. The extended connection support allows multiple operations to run in parallel, improving the overall scalability and stability of the application.

Since 14.3 GA, the number of connections can be set in the provisioning schema. Connect to the Provisioning Server with JXplorer or a similar LDAP browser, browse to the AD Endpoint, and configure the eTADSMaxConnectionsInPool value.

 

Details to connect:

Host: Provisioning Server hostname or IP address

Port: 20389

Level: User + Password

User DN: eTGlobalUserName=etaadmin,eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im,dc=eta

Password: etaadmin's password

 


 

Setting the eTADSMaxConnectionsInPool value between 100 and 200 should be sufficient for heavy volumes of movements. This should allow bulk tasks to complete more quickly; however, load tests should be run on the specific environment to see the actual behavior with the chosen value.
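To check during such a load test whether the pool is still being exhausted, the CCS AD log can be summarized for the "connections are busy" messages shown earlier. The script below is an added example, not part of the product or the original article; the function name and the summary fields are assumptions, and the sample input reuses the four log lines quoted above plus one constructed line.

```python
import re
from collections import Counter

# Pattern for the "pool exhausted" message as it appears in the CCS AD log excerpt above.
BUSY_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}) - Connection Pool: TID:(?P<tid>0x[0-9a-fA-F]+) "
    r"All (?P<used>\d+)/(?P<max>\d+) connections are busy\. "
    r"Sleeping for (?P<ms>\d+) milliseconds\."
)

# Sample input: the four lines quoted in this article plus one constructed unrelated line.
SAMPLE_LOG = """\
11:23:00 - Connection Pool: TID:0x9be4 All 10/10 connections are busy. Sleeping for 157 milliseconds.
11:23:00 - Connection Pool: TID:0x62c4 All 10/10 connections are busy. Sleeping for 369 milliseconds.
11:30:00 - constructed line that is not a pool message
12:43:14 - Connection Pool: TID:0x57c8 All 10/10 connections are busy. Sleeping for 323 milliseconds.
12:43:14 - Connection Pool: TID:0xa274 All 10/10 connections are busy. Sleeping for 425 milliseconds.
"""

def _seconds(ts):
    """Convert HH:MM:SS to seconds since midnight."""
    h, m, s = (int(p) for p in ts.split(":"))
    return h * 3600 + m * 60 + s

def summarize_pool_saturation(text):
    """Return a summary of pool-exhaustion events, or None if the log has none."""
    hits = [m for m in (BUSY_RE.match(l.strip()) for l in text.splitlines()) if m]
    if not hits:
        return None
    per_minute = Counter(m["ts"][:5] for m in hits)
    first, last = hits[0]["ts"], hits[-1]["ts"]
    return {
        "events": len(hits),
        "threads": len({m["tid"] for m in hits}),
        # Pool limit(s) reported in the messages, i.e. the effective per-endpoint maximum.
        "pool_limits": sorted({int(m["max"]) for m in hits}),
        "total_wait_ms": sum(int(m["ms"]) for m in hits),
        "first": first,
        "last": last,
        # Timestamps carry no date, so this assumes the excerpt lies within one day.
        "span_seconds": _seconds(last) - _seconds(first),
        "busiest_minute": per_minute.most_common(1)[0],
    }

if __name__ == "__main__":
    for key, value in summarize_pool_saturation(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

If the summary still reports events after the value has been raised, the reported pool limit shows whether the new setting was picked up for that endpoint.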

Additional Information

The default setting in releases prior to 14.3 CP1 was 1.

Please note that the changes to the 'eTADSMaxConnectionsInPool' settings are per AD Endpoint.  You may need to modify the settings across multiple endpoints depending upon the environment.
