Page 8
IBM Tivoli Identity Manager Performance Tuning Guide
3 IBM Tivoli Identity Manager application
The IBM Tivoli Identity Manager application includes several configuration files that provide an area for
tuning various parts of the application’s performance. These are in the
data/ directory under the IBM
Tivoli Identity Manager product home directory.
3.1 Recycle bin
When objects such as people, accounts, roles, and provisioning policies are deleted from the IBM Tivoli
Identity Manager system using either the graphical user interface (GUI) or the application program
interface (API), these objects are not removed from the underlying directory server but rather moved into
the recycle bin. The recycle bin is implemented as the following LDAP container:
ou=recycleBin, ou=itim, ou=<tenant>, <suffix>
When LDAP entries are moved under this DN due to a deletion, the attribute erIsDeleted is set to the
value
Y to enable IBM Tivoli Identity Manager to identify these objects as entries it should neither display
to the user nor act upon. Because of the LDAP search filter that IBM Tivoli Identity Manager uses, having
a large number of entries in the recycle bin can negatively impact performance. It is recommended that
the size of the recycle bin be kept as small as possible for optimum performance.
There are several ways to remove entries from the recycle bin. IBM Tivoli Identity Manager includes a
script that will delete entries in the recycle bin older than a specified age range. See the discussion of the
recycle bin age limit in IBM Tivoli Identity Manager Server Installation and Configuration Guide for
WebSphere Environments for more information.
An alternate method is to use an LDAP display tool to view the entries and delete them directly in the
directory server. Be careful to only delete the deleted entries themselves and not the
ou=recycleBin
container. Similarly, it is possible to use a combination of the ldapsearch and ldapdelete commands to
delete entries. For example:
ldapsearch -h <host> -p <port> -D <user> -w <password> \
-b "ou=recycleBin,ou=itim,ou=<tenant>,<suffix>" -s sub "erisdeleted=Y" dn | \
ldapdelete -h <host> -p <port> -D <user> -w <password>
After deleting entries from the recycle bin, run runstats to make IBM DB2 pick up the changes. See the
IBM LDAP Server – Runstats section for more information.
3.2 Reconciliations
Reconciliations are resource-intensive operations and can take a while for services with a large account
population. Limiting the number of attributes returned by the adapter and processed by IBM Tivoli Identity
Manager can improve reconciliation performance. Large reconciliations may also exceed the default Max
Duration and if so the value can be increased.
3.2.1 Threads
When processing DSML feeds, IBM Tivoli Identity Manager creates threads to process the data. The
number of threads may need to be adjusted to optimize performance because of the widely varying
workload that differently defined reconciliation jobs exhibit.
Determining the values
num_recon_threads – The number of threads used when processing DSML feeds.
Recommended value: 2 for DSML feeds with workflow, 3 for DSML feeds without workflow.