February 28, 2018 at 9:03 am #21034JasperGParticipant
At my current workplace we have noticed that the idRepo file is slowly increasing in size and while i have found a way to prevent it from growing by adding some parameters to the debugconfig.properties file, i have serious doubts on whether this is useful/smart. The config parameters added are:
From what i can understand the idRepo is an important part to manage identities and acts as somewhat of a datastore. I found a blog (https://blogs.forgerock.org/petermajor/2013/08/identity-repositories/) which is one of the few sources of valuable information. If further clarification is needed I can try to provide it as much as possible.
The decission on my mind right now is:
With the method i have to prevent the idRepo from growing would it be wise to add this to a production environment?
The reason for my doubt is that from what i can see the idRepo file helps the system perform faster searches due to the persistent research mechanic. I feel that if i prevent the idRepo from growing i would also prevent it from saving the info needed for the fast searches and thus slowing down the production environment. My train of thought might be completelly wrong but I am having major problems finding good and claer documentation which works for me.
I have some additional questions coming from a coworker which might provide some extra info.
Whenever you add a user profile, does this get added to the idRepo?
Does the idRepo have a relation with sessions opened in openAm?
Does the session timeout have any effect to the idRepo? (currently set to 1 year)February 28, 2018 at 2:07 pm #21062Rogerio RondiniParticipant
So.. are you talking about “IdRepo” debug log file in the “../openam/debug/” folder ?
If so, maybe you are bit confused with namings. IdRepo from Peter’s blog post is the Identity Repository service defined by the Java Abstract class “public abstract class IdRepo” which is basis to implements any kind of target repository, such as LDAPv2Repo.java to connect with LDAP databases or DataBaseRepo.java (don’t remember the exact name) to connect with Relational Databases. Indeed, that is the key service of OpenAM and there are a lot of things around to improve performance.
The IdRepo you are (probably) talking about is just the log file, nothing else. If it is increasing fast, probably is because the DEBUG LOG LEVEL is enabled in OpenAM, which should be used only on lower environment and troubleshooting purpose. For PRD, the recommended level is “ERROR” which only writes error message in the IdRepo log file.
Direct answer to you questions:
1. No, IdRepo in case is a log file. If you add a user profile it will use Identity Repository service to write in the backend user repository, some LDAP server for example.
RogerioFebruary 28, 2018 at 2:16 pm #21063JasperGParticipant
Thanks for the quick reply. Yes im talking about the file which is in openAm/debug. So that would mean its simply a logging file.
Your answer also helps me understand the difference and why the online documentation was so confusing for me.
Your answer would also mean the following:
1. I can delete the file from the debug folder as its just a log file.
2. Because of the logging settings mentioned in my original post i would end up with more log files but they would be ordered on day. And they get removed after 7 days preventing similar situations from happening (large log files).
3. I will check if the production environment is set to error (I think it is) and if its not set it to error.
Once again thanks for the clarification. As this was also impacting the prod environment I wasn’t sure on how to correctly undertake action as my knowledge is very limited but your answer has provided the needed clarification!February 28, 2018 at 5:28 pm #21068Mike JangSpectator
I think your question relates to the external data store on our Access Management product. I think you might get more responses if you asked the question on that forum, https://forum.forgerock.com/forum/fr-projects/openam/
You must be logged in to reply to this topic.