Identity Manager and CA Directory Credit Limit

Article ID: 27259

Updated On:

Products

CA Directory, CA Identity Manager, CA Identity Governance, CA Identity Portal, CA Identity Suite

Issue/Introduction

ISSUE:

This document provides a solution for the following scenario:

If you are using CA Directory as a policy store for CA Identity Manager, CA Identity Manager is not responding, and you see the following message in the CA Directory log file: "WARN : ldap_indication: Credit limit reached", then you should change the user credits limit as described below.

Environment

Release:
Component: Directory,  SiteMinder, Identity Manager

Cause

The limit set for credits has been reached.

Resolution

Solve "Credit limit reached" issue:

Change the user credits limit in the following file:

%dxhome%/config/limits/smpolicystore.dxc

Change the line from the old value, for example,
set credits = 5;

to the new value that fits your needs, for example,
set credits = 1000;

You must restart the CA Directory server for the new value to take effect.

You may need to change %dxhome%/config/limits/Default.dxc or another limits file, depending on your CA Identity Manager application or user store. For example, if you have a user store that uses dxserver neteauto, and in neteauto_trace.log you see "WARN : ldap_indication: Credit limit reached", then you need to change neteauto.dxc too.
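The check described above, as an added example (not code from this article or from the vendor): it counts the warning in each trace log and reads the current credits value from the matching limits file. The <dsa>_trace.log to <dsa>.dxc mapping follows the neteauto example and is an assumption, as are the directory layout and the constructed sample data; a DSA may use Default.dxc or another limits file instead.

```python
import re
import tempfile
from pathlib import Path

CREDITS_RE = re.compile(r"^\s*set\s+credits\s*=\s*(\d+)\s*;", re.MULTILINE)
WARNING = "ldap_indication: Credit limit reached"


def read_credits(limits_file):
    """Return the value of `set credits = N;` in a limits file, or None."""
    match = CREDITS_RE.search(Path(limits_file).read_text())
    return int(match.group(1)) if match else None


def audit(log_dir, limits_dir):
    """Map each DSA whose trace log shows the warning to (hits, limits file, credits)."""
    report = {}
    for log in sorted(Path(log_dir).glob("*_trace.log")):
        hits = sum(WARNING in line for line in log.read_text().splitlines())
        if hits == 0:
            continue
        dsa = log.name[: -len("_trace.log")]
        # Assumption: the DSA's limits file is <dsa>.dxc, as in the neteauto example.
        limits = Path(limits_dir) / f"{dsa}.dxc"
        credits = read_credits(limits) if limits.exists() else None
        report[dsa] = (hits, limits.name, credits)
    return report


def demo():
    """Build a constructed config/log tree in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        limits_dir = Path(root, "config", "limits")
        log_dir = Path(root, "logs")  # hypothetical log location
        limits_dir.mkdir(parents=True)
        log_dir.mkdir()
        # Constructed sample data, not taken from a real deployment.
        (limits_dir / "neteauto.dxc").write_text("# sample limits\nset credits = 5;\n")
        (limits_dir / "quiet.dxc").write_text("set credits = 1000;\n")
        (log_dir / "neteauto_trace.log").write_text(
            "WARN : ldap_indication: Credit limit reached\n" * 3)
        (log_dir / "quiet_trace.log").write_text("no warnings here\n")
        return audit(log_dir, limits_dir)


if __name__ == "__main__":
    for dsa, (hits, name, credits) in demo().items():
        print(f"{dsa}: {hits} warning(s); {name} has credits = {credits}")
```

A credits value of None means the assumed limits file is missing or has no credits line, so the DSA's actual limits file must be located by hand.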

The following explains the meaning of the user credits:

Additional Information

User Credits

Setting the DSA credits to 5 (in the limits configuration file) instructs the DSA that all user associations (meaning unique client IP address and port pairs) can have a maximum of 5 operations outstanding at any given time before the DSA imposes flow control. The flow control is imposed on their user association only (it has no bearing on DXlink or other DSP chaining that occurs server-to-server) by not processing any more incoming requests until a response for one of the 5 outstanding requests is returned to the client. Whenever credit=0 (for example, there are 5 operations outstanding on a single user association), the "Warning: ldap_indication: Credit limit reached" message is logged (correctly from now on).

Our recommendation on credits is to set them as high as you predict will ever be required. If an application allows for 1000 simultaneous operations on a single connection to the DSA, then set credits > 1000. For diagnostic purposes, the "x500" trace level shows the current credit per association, per operation.