[OPENAM-9685] SSOAdmin is slow with a site configured
Created: 13/Sep/16  Updated: 30/May/17  Resolved: 21/Oct/16

Status: Resolved
Project: OpenAM
Component/s: audit logging
Affects Version/s: 13.0.0, 13.5.0
Fix Version/s: 13.5.1, 14.0.0

Type: Bug
Priority: Major
Reporter: Quentin CASTEL [X] (Inactive)
Assignee: Quentin CASTEL [X] (Inactive)
Resolution: Fixed
Votes: 0
Labels: EDISON

Sprint: AM Sustaining Sprint 28, AM Sustaining Sprint 29


If you use ssoadm and your OpenAM is behind a site, every command takes a lot of time.

How to reproduce

  • Set up OpenAM with a site:
  • Install ssoadm and follow the instructions for a site
     other-lb-url=openam-url ...]"

Expected behavior

A normal execution time

Current behavior

ssoadm takes a lot of time, as it tries to connect to the audit endpoint without reading the "com.iplanet.am.naming.map.site.to.server".

POST /openam/json/realm-audit/access?_action=create HTTP/1.1
Accept-API-Version: protocol=1.0,resource=1.0
iPlanetDirectoryPro: AQIC5wM2L...ABQtNTQ3MTY1ODI5MTUwODgxMzcyNwACUzEAAjAx*
Content-Length: 374
Content-Type: application/json; charset=UTF-8
Host: openam.example.com:8080
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.4.1 (Java/1.7.0_95)
Accept-Encoding: gzip,deflate

{"request":{"protocol":"ssoadm","operation":"SEARCH_REALM","detail":{"search pattern":"*","recursive":"non recursive"}},"eventName":"AM-ACCESS-ATTEMPT","realm":"/","transactionId":"4f049aff..ebed330f41-0","timestamp":"2016-06-13T07:28:09.746Z","userId":"id=amadmin,ou=user,dc=opensso,dc=java,dc=net","component":"ssoadm","trackingIds":["1de71b7f0a99743101"]}

HTTP/1.0 503 Service Unavailable
Cache-Control: no-cache
Connection: close
Content-Type: text/html

<html><body><h1>503 Service Unavailable</h1>
No server is available to handle this request.


Use the option --nolog with the ssoadm command; it will disable the audit logging just for this command.

Comment by Philip Anderson [ 30/May/17 ]

I can't reproduce this, could be because my LB is running on a VM on my Mac?


Mac with OpenAM 13.5.0 running at am1.example.com:18081 and ssoadm (with com.iplanet.am.naming.map.site.to.server configured as described above)

LoadBalancer running on a VM hosted on my Mac running via HAProxy on lb.example.com:80

results for 13.5.0 were:
list servers:

philipanderson@Sysadmins-MacBook-Pro-2 ~/AMTools/admin/openam/bin$ time ./ssoadm list-servers -u amadmin -f /tmp/pwd.txt
real    0m2.888s 
user    0m7.143s 
sys    0m0.333s

create realm:

philipanderson@Sysadmins-MacBook-Pro-2 ~/AMTools/admin/openam/bin$ time ./ssoadm create-realm --realm withsite -u amadmin -f /tmp/pwd.txt   
Realm was created.   
real    0m3.940s 
user    0m9.926s 
sys    0m0.421s

List servers

philipanderson@Sysadmins-MacBook-Pro-2 ~/AMTools/admin/openam/bin$ time ./ssoadm list-servers -u amadmin -f /tmp/pwd.txt   
real    0m2.847s 
user    0m6.868s 
sys    0m0.342s

Create realm

philipanderson@Sysadmins-MacBook-Pro-2 ~/AMTools/admin/openam/bin$ time ./ssoadm create-realm --realm nosite -u amadmin -f /tmp/pwd.txt   
Realm was created.   
real    0m4.103s 
user    0m9.170s 
sys    0m0.418s



No real difference between having a site configured or not; I'm sure it's got to be something in my setup / understanding of this issue. Quentin CASTEL [X] any ideas?

Generated at Wed Oct 21 10:32:44 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.