

Configuring CA IAM Connector Server

This section contains the following topics:

Configuration Files for CA IAM Connector Server

Customize the Configuration for CA IAM Connector Server

Java Virtual Machine Memory Errors

Edit JVM Memory Options

Adjust the Start Parameters for the CA IAM Connector Server Service (Windows Only)

Configuration Files for CA IAM Connector Server

The configuration files for CA IAM Connector Server are in the following location:

cs_home/jcs/conf

Note: Any changes that you make to these files are lost when you upgrade CA IAM Connector Server. We recommend that you instead use the properties files in cs_home/jcs/conf/override, as described in Customize the Configuration for CA IAM Connector Server.

server_osgi_jcs.xml

The server_osgi_jcs.xml file contains the following configuration settings:

connectorClientCertStore

Specifies the client certificate store for CA IAM Connector Server. The value is a path to the file that contains the trusted certificates used to verify the identity of the endpoint server during SSL handshakes. This store is used for the outbound TLS connections that the connectors themselves make to the endpoint systems they manage. Import the issuer certificates of every endpoint to which TLS connections are made into this store.

connectorClientCertStoreType

Specifies the certificate store type (JKS or PKCS12).

connectorClientCertStorePassword

Specifies the password protecting the connector client store. The same rules apply as for the ldapsCertificatePassword.

connectorSSLVerifyPeer

False (default)

During SSL handshakes the peer certificate that the endpoint sends is not verified for trust. That is, the connectorClientCertStore value is ignored and is not required for outbound SSL connections in this configuration. Note that with this setting the connector accepts any certificate: the connection is encrypted, but the identity of the endpoint is not authenticated, so anyone who can redirect the connector's traffic can impersonate the endpoint and collect the credentials the connector sends. Set the value to True for production use and import the endpoint issuer certificates into connectorClientCertStore.

True

The endpoint host certificate that is presented to CA IAM Connector Server undergoes trust checks against the connectorClientCertStore contents.

connectorSSLTrace

When TRUE, sends SSL information to a log file.

httpProxyConfiguration

Enables or disables the HTTP proxy, and configures the proxy details. Use a proxy if CA IAM Connector Server must communicate with other computers outside the network.

The HTTP proxy can be configured when CA IAM Connector Server is installed. You can change it later by updating this value in the configuration file.

server_osgi_ad.xml
java.naming.security.authentication

Specifies the authentication methods. Only simple is currently supported.

java.naming.security.principal

Specifies the authentication principal. By default, ApacheDS sets this value to uid=admin,ou=system, but an optional java.naming.security.principal.alias= can be specified to ease integration. When this alias is received for authentication, it is treated exactly as uid=admin,ou=system.

maxThreads

Specifies the maximum number of requests that can be processed concurrently for all activated connectors that a single connector server hosts. The default value of 200 matches the Provisioning Server configuration.

If you increase this value, consider also increasing other configuration settings. For example, you can increase the heap space for the Java Virtual Machine or the "ulimit -n" setting for open files on Solaris.

Note: For more information, see Configure CA IAM Connector Server to Work Under Heavy Loads (UNIX Only).

ldapPort

Specifies the port on which CA IAM Connector Server listens for unencrypted (plain LDAP) connections. Set the port to one of the recommended ports unless many connector servers run on the same computer. Where a secure port is configured, use the secure port instead.

The insecure port can be useful for debugging, because requests can be traced on the wire. By default, CA IAM Connector Server uses only ldapsPort. Leave ldapPort unused unless you need it, and never expose it beyond the local host: only simple authentication is supported, so bind credentials traverse this port in cleartext.

Set the port to one of the following port numbers:

ldapsPort

Specifies the port on which CA IAM Connector Server listens for secure connections. The ldapsPort, with its associated properties enableLdaps, ldapsCertificateFile, and ldapsCertificatePassword, must be a different port from the one chosen for ldapPort. Traffic on this port is secured using the configured certificate and the Transport Layer Security (TLS) protocol.

ldapsPort can also be used for debugging: set the logging level in the log4j.properties file to trace LDAP requests as they are delivered to the connector server.

Set the port to one of the following port numbers:

The ldapsCertificateFile is configured to reference a Java keystore containing the standard IM Provisioning Server certificate. The default ldapsCertificatePassword was set during installation.

bootstrapSchemas

Specifies which LDAP schemas the connector server knows. This property incorporates schemas which have been converted to Java objects by the ApacheDS build process.

You can load additional OpenLDAP-formatted schema files (see http://www.openldap.org/doc/admin23/schema.html) by placing them in the conf directory (for example, eta_dyn_openldap.schema) or, preferably, by contributing them from the conf/ directory inside a specific connector's JCS-connector-*.jar file. The SDK sample connector (jcs-connector-sdk.jar) shows the second approach: schema files such as eta_sdk_openldap.schema and eta_nds_openldap.schema in its conf/ directory are registered through its conf/connector.xml descriptor.

ldapsCertificateFile

Specifies the path to an LDAPS certificate store for CA IAM Connector Server. This store contains all the certificates that CA IAM Connector Server uses to verify its identity during inbound LDAPS (TLS) connections. At least one certificate with an accompanying private key issued to represent CA IAM Connector Server is placed in this store.

To change this value, add it to server_osgi_shared.xml or, preferably, to its override file server_shared.properties. Values in server_osgi_shared.xml overwrite any in server_osgi_ad.xml.

ldapsCertificatePassword

Specifies the password protecting the certificate store specified in ldapsCertificateFile.

The password can be either cleartext or obfuscated. The obfuscated form is:

{ALGORITHM}ciphertext

where ALGORITHM is typically AES, for example {AES}LQpBXeIjOMGSsGLU.

Obfuscation only stops the password from being read at a glance: the server must be able to recover it, so anyone who can read the configuration files and the server's key material can recover it too. Restrict file-system permissions on the conf and override directories to the service account.

See The Password Tool.

interceptorConfigurations

Specifies any other standard ApacheDS interceptor services. The interceptor services that CA IAM Connector Server does not require have been deactivated.

server_osgi_common.xml
cryptoService

Configures the crypto service that activates encryption converters on specific fields according to their metadata properties. The most important setting is the isEncrypted boolean metadata setting.

jcsSslContext

Contains the path to the Java certificate keystore file in properties “keyStore” and “trustStore”.

jcs-broker

Contains the HTTP and HTTPS ports that CA IAM Connector Server uses for sending and receiving messages.

jmsCredentials

Contains the user name and password for accessing the broker.

server_osgi_shared.xml
fipsEnabled

Enables or disables FIPS compliance.

Default: Enabled.

camelTimeoutConfiguration

Contains the timeout periods for messages. When a timeout is reached, CA IAM Connector Server returns an error to the user or to the service that was expecting a response.

defaultMessageTimeout

The default message timeout (30 minutes).

oneLevelSearchMessageTimeout

The timeout for a one-level LDAP search (1 hour).

subtreeSearchMessageTimeout

The timeout for a subtree LDAP search (8 hours).

managementMessageTimeout

The timeout for messages coming from the web UI (60 seconds).

connectionErrorTimeout

The timeout after a connection error occurs (60 seconds).

httpInactiveClientTimeout

The time before an idle HTTP connection is considered inactive (2 minutes).

httpSocketTimeout

Default socket timeout for HTTP clients (60 seconds).

httpRetryCount

The number of times an HTTP operation can be retried (3).

server_osgi_ccs.xml
proxyConnectionConfig

The connection details to a local or remote CCS.

Customize the Configuration for CA IAM Connector Server

Previous versions of this connector server were named Java CS or JCS. From CA Identity Manager 12.6 onwards, the connector server is named CA IAM Connector Server. At the same time, we changed the way configuration is handled.

The configuration for CA IAM Connector Server is stored in five configuration files, which are described in Configuration Files for CA IAM Connector Server.

When you upgrade CA IAM Connector Server, any changes you made to the XML configuration files are lost. This loss happens whether you are upgrading from Java CS or from CA IAM Connector Server.

However, any changes that you made to the properties files in the override folder (cs_home/jcs/conf/override) are preserved:

The settings in these files override the settings in the XML configuration files.

For this reason, we recommend that you do not change the settings in the XML configuration files. Instead, add any settings that you want to configure to the properties files in the override folder.

Note: Each XML configuration file has a matching override file. However, the filenames of the override files do not contain _osgi. Otherwise they match. For example, server_ad.properties is the override file for server_osgi_ad.xml.

Follow these steps:

  1. If the properties file does not exist, copy the matching sample file and change its name.
  2. Open the properties file in a text editor.
  3. Edit the values for any of the settings already in the file.
  4. If you want to customize other settings, add them to the properties file.

    Ensure that you use property names that match the nested structure of the entries in the XML configuration files, for example commonConfiguration.keystorePassword in server_shared.properties or connectorManager.connectorClientCertStorePassword in server_jcs.properties.

  5. Save the edited properties file.
  6. Restart CA IAM Connector Server.

Retry Configuration

You can configure the Exception Map setting to contain groups of exception messages that require special handling, optionally with associated retry delay and retry count settings.

In particular, the JDBC connector defines entries for exceptions that signify the following conditions, which drive retrying when connections to the endpoint experience problems:

In addition to these triggering exceptions, each ExceptionRetryGroup has associated resilientDelay and resilientMaxRetries settings: resilientMaxRetries specifies how many retry attempts are made when a matching exception is encountered, and resilientDelay specifies the delay between attempts. Keep the groups narrow. Retrying an exception that signals a permanent failure (such as rejected credentials) only delays the error and, at endpoints with lockout policies, can lock the service account.
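The following retry driver is an added example that mirrors the ExceptionRetryGroup behaviour described above; it is not CA IAM Connector Server code. Only the names resilientDelay and resilientMaxRetries come from the page. The class and function names (ExceptionRetryGroup, ExceptionMap, call_with_retry), the trigger strings and the stub endpoint are assumptions made for illustration, and the sample exception messages are constructed.

```python
"""Retry driver modelled on the Exception Map / ExceptionRetryGroup settings
described above. Added example, not CA IAM Connector Server code: the names
ExceptionRetryGroup, ExceptionMap and call_with_retry, the trigger strings and
the sample endpoint are assumptions made for illustration. Only resilientDelay
and resilientMaxRetries come from the page."""
import time
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class ExceptionRetryGroup:
    name: str
    triggers: Tuple[str, ...]   # message substrings that select this group
    resilientDelay: float       # seconds to wait between attempts
    resilientMaxRetries: int    # retries allowed after the first failed attempt

    def matches(self, exc: BaseException) -> bool:
        message = str(exc)
        return any(trigger in message for trigger in self.triggers)


class ExceptionMap:
    """Ordered list of groups; the first group whose trigger matches wins."""

    def __init__(self, groups: Iterable[ExceptionRetryGroup]) -> None:
        self.groups: List[ExceptionRetryGroup] = list(groups)

    def lookup(self, exc: BaseException) -> Optional[ExceptionRetryGroup]:
        for group in self.groups:
            if group.matches(exc):
                return group
        return None


def call_with_retry(operation: Callable[[], object], exception_map: ExceptionMap,
                    sleep: Callable[[float], None] = time.sleep) -> Tuple[object, int]:
    """Run operation(), retrying only exceptions that the map classifies.

    Returns (result, attempts). An exception that matches no group propagates
    at once; a matching exception that persists beyond resilientMaxRetries is
    re-raised, so a permanent failure surfaces after 1 + resilientMaxRetries calls.
    """
    attempt = 0
    while True:
        attempt += 1
        try:
            return operation(), attempt
        except Exception as exc:
            group = exception_map.lookup(exc)
            if group is None or attempt - 1 >= group.resilientMaxRetries:
                raise
            sleep(group.resilientDelay)


# Constructed sample map in the spirit of the JDBC connector's entries.
CONSTRUCTED_MAP = ExceptionMap([
    ExceptionRetryGroup("connection", ("Connection refused", "Connection reset"), 0.5, 3),
    ExceptionRetryGroup("timeout", ("timed out",), 2.0, 1),
])


def make_flaky_endpoint(failures: int, message: str) -> Callable[[], str]:
    """Constructed endpoint stub: raises ConnectionError(message) for the
    first `failures` calls, then returns "ok"."""
    calls = {"n": 0}

    def operation() -> str:
        calls["n"] += 1
        if calls["n"] <= failures:
            raise ConnectionError(message)
        return "ok"
    return operation


def demo() -> Tuple[object, int, List[float]]:
    """Two transient connection failures, then success: 3 attempts, 2 delays."""
    delays: List[float] = []
    result, attempts = call_with_retry(
        make_flaky_endpoint(2, "Connection refused (db01:5432)"),
        CONSTRUCTED_MAP, sleep=delays.append)
    return result, attempts, delays


if __name__ == "__main__":
    print(demo())
```

The driver matches on message substrings because the page keys the map on exception messages; that is brittle across driver versions and locales, so prefer the narrowest substring that identifies the condition. The injectable sleep function exists so that retry behaviour can be tested without waiting.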

Disable FIPS for CA IAM Connector Server

When you install CA IAM Connector Server, you can enable FIPS. If you upgrade to CA IAM Connector Server from a Java CS that had FIPS enabled, it is still enabled after the upgrade.

In either of these situations, you can disable FIPS without running the installation program again.

The FIPS setting is in server_osgi_shared.xml. We recommend that you customize this setting in an override file. Disabling FIPS allows the server to use algorithms that are not FIPS-approved, so do this only when an interoperability or compliance requirement demands it.

Follow these steps:

  1. Open the following properties file in a text editor:
    cs_home/jcs/conf/override/server_shared.properties
    

    If it does not already exist, follow the steps in Customize the Configuration for CA IAM Connector Server to create it.

  2. Find the following setting, or add it to the file:
    JsafeJCE.fipsEnabled=false
    
  3. Ensure that the setting is not commented out with a # character.
  4. Save the edited properties file.
  5. Restart CA IAM Connector Server.
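The following audit script is an added example, not part of CA IAM Connector Server, that checks the override properties files for the settings discussed on this page: the {ALGORITHM}ciphertext password form, the JsafeJCE.fipsEnabled switch, and connectorSSLVerifyPeer. The keys connectorManager.connectorClientCertStorePassword, commonConfiguration.keystorePassword and JsafeJCE.fipsEnabled are taken from the page; connectorManager.connectorSSLVerifyPeer is an assumed properties-file key (the page names only the XML setting), and the sample file contents are constructed.

```python
"""Audit the override properties files for the settings discussed above.

Added example, not part of CA IAM Connector Server. Keys taken from the page:
connectorManager.connectorClientCertStorePassword (server_jcs.properties),
commonConfiguration.keystorePassword (server_shared.properties) and
JsafeJCE.fipsEnabled (server_shared.properties). The key
connectorManager.connectorSSLVerifyPeer is an assumption: the page names the
XML setting connectorSSLVerifyPeer but not its properties-file form. The
sample file contents below are constructed for the example."""
import re
from typing import Dict, List

# {ALGORITHM}ciphertext, the obfuscated form the page describes
OBFUSCATED = re.compile(r"^\{([A-Za-z0-9_-]+)\}(\S+)$")

VERIFY_PEER_KEY = "connectorManager.connectorSSLVerifyPeer"  # assumed key


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader. Lines starting with '#' or '!' are
    comments, so a commented-out setting is treated as absent."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        separator = "=" if "=" in line else ":"
        key, _, value = line.partition(separator)
        props[key.strip()] = value.strip()
    return props


def password_state(value: str) -> str:
    """'obfuscated:<ALGORITHM>' for {ALGORITHM}ciphertext values, else 'cleartext'."""
    match = OBFUSCATED.match(value)
    return f"obfuscated:{match.group(1)}" if match else "cleartext"


def audit(files: Dict[str, str]) -> List[str]:
    """files maps override file name -> contents. Returns human-readable
    findings; an empty list means no weak setting was found."""
    findings: List[str] = []
    jcs = parse_properties(files.get("server_jcs.properties", ""))
    shared = parse_properties(files.get("server_shared.properties", ""))

    for fname, props, key in (
        ("server_jcs.properties", jcs, "connectorManager.connectorClientCertStorePassword"),
        ("server_shared.properties", shared, "commonConfiguration.keystorePassword"),
    ):
        if key in props and password_state(props[key]) == "cleartext":
            findings.append(f"{fname}: {key} is cleartext; set it with ldaps_password")

    # FIPS is enabled by default, so only an explicit false is a finding.
    if shared.get("JsafeJCE.fipsEnabled", "true").lower() == "false":
        findings.append("server_shared.properties: FIPS mode disabled (JsafeJCE.fipsEnabled=false)")

    # connectorSSLVerifyPeer defaults to False, so absence is also a finding.
    if jcs.get(VERIFY_PEER_KEY, "false").lower() != "true":
        findings.append(f"server_jcs.properties: {VERIFY_PEER_KEY} is not true; "
                        "endpoint certificates are not checked against connectorClientCertStore")
    return findings


# Constructed samples: one commented-out line, one cleartext password, FIPS off.
CONSTRUCTED_JCS = """\
# server_jcs.properties (constructed)
connectorManager.connectorClientCertStorePassword={AES}LQpBXeIjOMGSsGLU
# connectorManager.connectorSSLVerifyPeer=true
"""
CONSTRUCTED_SHARED = """\
JsafeJCE.fipsEnabled=false
commonConfiguration.keystorePassword=changeit
"""


def demo() -> List[str]:
    return audit({"server_jcs.properties": CONSTRUCTED_JCS,
                  "server_shared.properties": CONSTRUCTED_SHARED})


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run it against the files in cs_home/jcs/conf/override after each change; the commented-out connectorSSLVerifyPeer line in the sample reproduces the mistake that step 3 of the FIPS procedure warns about, and the script reports it because a commented line is parsed as absent and the setting then falls back to its insecure default.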

Configure CA IAM Connector Server to Work Under Heavy Loads (UNIX Only)

We recommend that you consider carefully the ulimit -n setting (the maximum number of open file descriptors) for the user under which CA IAM Connector Server runs. The default setting is too low to allow CA IAM Connector Server to function properly under load.

When this problem occurs the Java virtual machine shuts down and the following message appears in the jcs_daily log:

exiting because of 120 exceptions in a row: Too many open files

CA IAM Connector Server requires a minimum ulimit -n setting of around 80.

Follow these steps:

  1. Find out the value of maxThreads.

    The default value is stored in the following file:

    cs_home/jcs/conf/server_osgi_ad.xml
    

    If a custom value has been specified, it is stored in the following file:

    cs_home/jcs/conf/override/server_ad.properties
    
  2. Calculate the best ulimit value, using the maxThreads value:
  3. Set the ulimit value.

Set the TLS Store Certificate Password

CA IAM Connector Server uses two certificates: one for each of the following roles:

When you install CA IAM Connector Server, the keystores that hold these certificates are protected by temporary passwords. We recommend that you change these passwords.

By default, these certificates are stored in the same keystore. However you can store them in separate keystores if you prefer.

Follow these steps:

  1. Stop CA IAM Connector Server.
  2. Open a command prompt, then change to the following directory:
    cs_home/jcs/tools/ldaps_password
    
  3. Use the following command to update the password of the keystore for the server role:
    ldaps_password new-password
    

    This command updates the encrypted commonConfiguration.keystorePassword value in server_shared.properties.

  4. Use the following command to update the password of the keystore for the client role:
    ldaps_password new-password connectorManager.connectorClientCertStorePassword ../conf/override/server_jcs.properties
    

    This command updates the encrypted connectorManager.connectorClientCertStorePassword value in server_jcs.properties.

    Note: Until you change it, the keystore password is the one that you set during CA IAM Connector Server installation. The stored value must match the password of the keystore file itself, and if both roles share one keystore file (the default), give both properties the same new password.

  5. Restart CA IAM Connector Server.

Note: Alternatively, you can manage the keystores with the keytool utility included in the Java Runtime Environment, which also lets you install your own certificate instead of the default Provisioning Server certificate that the installer configures. If you change a keystore password with keytool, update the stored value with ldaps_password as well so that the two stay in sync.

Java Virtual Machine Memory Errors

During stress or high load, the Java Virtual Machine can run out of memory, which affects the functionality of CA IAM Connector Server.

If an out-of-memory error occurs frequently, you can set Java VM debugging options to alert you when it happens.

To do this, use the following debugging setting to specify a command that the Java VM invokes when an OutOfMemoryError is thrown:

-XX:OnOutOfMemoryError="command"

The command runs under the service account, so keep it simple and point it at a script that the account is allowed to execute. The standard HotSpot option -XX:+HeapDumpOnOutOfMemoryError additionally writes a heap dump that you can analyze later.

Note: For more information about setting JVM debugging options, see the following pages on www.oracle.com:

Edit JVM Memory Options

If the Java process runs out of memory, you can increase the memory available to it.

On Windows:

Edit the JVM memory options JvmMs and JvmMx, which define the minimum and maximum amount of memory that the JVM can use. To do this, locate the following registry key and expand it:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\ComputerAssociates\Identity Manager\Procrun 2.0\im_jcs

On UNIX:

Create a file named jvm_options.conf in the Connector Server data folder containing the following Java arguments:

    -Xms128M -Xmx1024M -d64

-Xms

Specifies the minimum heap memory allowed for CA IAM Connector Server

Example: -Xms128M specifies that the minimum heap memory allowed for CA IAM Connector Server is 128 MB.

-Xmx

Specifies the maximum heap memory allowed for CA IAM Connector Server.

Example: -Xmx1024M specifies that the maximum heap memory allowed for CA IAM Connector Server is 1024 MB.

-d64

Specifies that the JVM runs in 64-bit mode. This option has been deprecated since JDK 9, so if you run CA IAM Connector Server on a newer JVM, check that the option is still accepted before adding it.

Adjust the Start Parameters for the CA IAM Connector Server Service (Windows Only)

To adjust the start parameters of the CA IAM Connector Server service (including the related JVM parameters), go to the following location in the Windows registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\ComputerAssociates\Identity Manager\Procrun 2.0\im_jcs