Symantec Identity Manager - Connector Server limits AD connections to 10

Article ID: 202209

Products

CA Identity Manager, CA Identity Governance, CA Identity Portal, CA Identity Suite

Issue/Introduction

As part of the CA Identity Manager (IM) onboarding process, Active Directory (AD) accounts are moved from one OU to another, sometimes a few hundred of them in a batch using a Bulk Task.

Before 14.3 CP2, this activity took a long time to complete and impacted system performance, but it did complete. After deploying CP2 and issuing the Bulk Task, the individual move account tasks got stuck in an In Progress state and did not complete.


When the CCS AD log was inspected it contained messages like the examples below:

11:23:00 - Connection Pool: TID:0x9be4 All 10/10 connections are busy. Sleeping for 157 milliseconds.
11:23:00 - Connection Pool: TID:0x62c4 All 10/10 connections are busy. Sleeping for 369 milliseconds.

...
12:43:14 - Connection Pool: TID:0x57c8 All 10/10 connections are busy. Sleeping for 323 milliseconds.
12:43:14 - Connection Pool: TID:0xa274 All 10/10 connections are busy. Sleeping for 425 milliseconds.

 

How can we resolve this?

Environment

Release : 14.4, 14.5

Component : CA IDENTITY SUITE (VIRTUAL APPLIANCE)

Cause

Enhancement to product in later release.

Resolution

Identity Manager supports multiple active connections from the C++ Connector Server (CCS) to the Active Directory Domain Server. The default maximum number of connections allowed in a connection pool per endpoint is 10. The extended connection support allows multiple operations to run in parallel, improving the overall scalability and stability of the application.
 

To adjust this, connect to the Provisioning Directory via an LDAP Browser, for example JXplorer, navigate to the AD Endpoint and configure the eTADSMaxConnectionsInPool values as shown below. 
Please note that the changes to the 'eTADSMaxConnectionsInPool' settings are per AD Endpoint.  You may need to modify the settings across multiple endpoints depending upon the environment.

Details to connect to Provisioning Directory:

Host: Provisioning Server hostname or IP address
Port: 20389
Level: User + Password
User DN: eTGlobalUserName=etaadmin,eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im,dc=eta
Password: etaadmin's password

 


 

Setting the eTADSMaxConnectionsInPool value between 100 and 200 should be sufficient for heavy volumes of movements. This should allow bulk tasks to complete more quickly; however, run load tests on the specific environment to see the actual behavior with the chosen value.

After changing the value, restart the C++ Connector Server.
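
To check whether the pool is still being exhausted after the change, the "connections are busy" messages in the CCS AD log can be summarized per minute. The script below is an added example, not part of the product or of the original article; it assumes the message format of the four log lines quoted above and that the second number in "10/10" reflects the configured pool maximum. The function names and the min_waits threshold are hypothetical.

```python
import re
from collections import defaultdict

# Message format taken from the four log lines quoted in this article.
BUSY_RE = re.compile(
    r"^(?P<minute>\d{2}:\d{2}):\d{2} - Connection Pool: "
    r"TID:(?P<tid>0x[0-9a-fA-F]+) All (?P<busy>\d+)/(?P<max>\d+) "
    r"connections are busy\. Sleeping for (?P<ms>\d+) milliseconds\."
)

def summarize_pool_waits(lines):
    """Group pool-exhaustion waits by HH:MM.

    The quoted lines carry no date, so feed one day's log at a time;
    otherwise the same minute on different days lands in one bucket.
    """
    stats = defaultdict(
        lambda: {"waits": 0, "sleep_ms": 0, "threads": set(), "pool_max": 0}
    )
    for line in lines:
        m = BUSY_RE.match(line.strip())
        if m is None:
            continue  # not a pool-exhaustion message
        bucket = stats[m["minute"]]
        bucket["waits"] += 1
        bucket["sleep_ms"] += int(m["ms"])
        bucket["threads"].add(m["tid"].lower())
        bucket["pool_max"] = max(bucket["pool_max"], int(m["max"]))
    return dict(stats)

def saturated_minutes(stats, min_waits=2):
    """Minutes with at least min_waits waits (threshold is an assumption)."""
    return sorted(k for k, s in stats.items() if s["waits"] >= min_waits)

# The four lines quoted above plus one constructed, unrelated line.
SAMPLE_LOG = """\
11:23:00 - Connection Pool: TID:0x9be4 All 10/10 connections are busy. Sleeping for 157 milliseconds.
11:23:00 - Connection Pool: TID:0x62c4 All 10/10 connections are busy. Sleeping for 369 milliseconds.
11:23:01 - constructed line that is not a pool message
12:43:14 - Connection Pool: TID:0x57c8 All 10/10 connections are busy. Sleeping for 323 milliseconds.
12:43:14 - Connection Pool: TID:0xa274 All 10/10 connections are busy. Sleeping for 425 milliseconds.
""".splitlines()

if __name__ == "__main__":
    for minute, s in sorted(summarize_pool_waits(SAMPLE_LOG).items()):
        print(f"{minute} pool_max={s['pool_max']} waits={s['waits']} "
              f"threads={len(s['threads'])} slept={s['sleep_ms']} ms")
```

If the summary still shows saturated minutes after the restart, compare pool_max with the value set on the endpoint to confirm the new limit was picked up.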

 

Additional Information

 

This functionality was added in 14.3 CP2.   The default setting in releases prior to 14.3 CP1 was 1.