When the Symantec Identity Suite is deployed in a three-tiered architecture, the Provisioning Server and the Windows C++ Connector Server may reside in different network zones. If the organization's firewall enforces idle timeouts on connections between servers in different network zones, additional configuration is required to ensure real-time connectivity between the Provisioning Server and its associated connector servers. Currently, the Provisioning Server cannot generate keepalives automatically; a connection is kept alive only if a keepalive packet is sent manually. When synchronization events are attempted over an established TCP connection that the firewall has already closed because of the idle timeout, performance degrades and a synchronization task can take 20-30 minutes to complete.
Broadcom Case # Reference:
To resolve this issue, the configuration below has the connector server close the established session from the Provisioning Server before the firewall's idle timeout period (5 minutes) elapses. That way the Provisioning Server does not try to reuse old connections that no longer exist and instead establishes new ones to perform provisioning events.
Note: Before you perform this configuration, ensure that JXplorer is installed on a machine that has connectivity to the Provisioning Server on all associated ports. You will also need to perform all file modifications on each Provisioning Server.
- Provisioning Server and Windows Connector Server are in two different network zones
- There is an application-level firewall that enforces idle timeouts on TCP connections.
Installation Tasks and Steps
Task 1: Configure the TCP Parameters to support KeepAlive
1. Modify the /etc/sysctl.conf file on each Provisioning Server:
a. Open the file in an editor, for example: vim /etc/sysctl.conf
b. Add the following parameter on a separate line: net.ipv4.tcp_keepalive_time=60
2. Log into the Provisioning Directory from JXplorer.
a. Navigate to: eta > im > CommonObjects > Configuration > Parameters > connections > CS Pool Minimum Size
b. Set "etConfigParamValue" = 0 and click "Submit" at the bottom.
3. Log into the Provisioning Manager (specified above) with the etaadmin credentials.
4. Go to System > Domain Configuration > Connections.
a. Set "Expiration Time" = 180 and click "Apply".
b. Set "Refresh Time" = 60 and click "Apply".
5. Modify the following file: *Connector_Server Home Folder*\Connector Server\jcs\conf\server_osgi_ccs.xml
a. Locate the poolConfig bean property:
   <property name="poolConfig"><bean class="com.ca.commons.cfg.GenericObjectPoolConfigBeanWrapper">
   and add the following property in the section underneath it:
   <!-- Validate connection when obtaining it from the connector's connection pool -->
   <property name="testOnBorrow"><value>true</value></property>
b. Save the file when done.
6. Open the Windows Registry Editor (RegEdit)
7. Navigate to the following location: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TCPIP\Parameters
8. Set the following key/value pair (create the value if it does not already exist):
"KeepAliveTime=ea60" (This is a hexadecimal REG_DWORD value: 0xea60 is 60000 milliseconds, i.e. 60 seconds)
9. Export the “KeepAliveTime” registry setting and copy it to every connector server.
10. On each Connector Server, right click the file and click “Merge”
a. Accept the warning about modifying the registry by clicking "Yes".
b. A success message pops up stating that the keys and values contained in the file have been successfully added to the registry.
11. Navigate to the registry key location to verify that the key has been installed properly.
12. Restart the Java Connector Server (JCS) service and the C++ Connector Server (CCS) service on the Windows Connector Server.
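A small checker, written for this article and not part of the Symantec product, that parses the sysctl.conf line from step 1 and the exported KeepAliveTime value from steps 8-9 and confirms that every timer (the Linux and Windows keepalive times plus the Expiration/Refresh values from step 4) is shorter than the 5-minute firewall idle timeout; the sample inputs are constructed to match the values above.

```python
import re

# Firewall idle timeout from the article (5 minutes). Each keepalive or expiration
# timer must be shorter, or the firewall drops the session before it is refreshed.
FIREWALL_IDLE_TIMEOUT_S = 5 * 60
TCPIP_PARAMS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"

# Constructed samples matching the article's values (not real files or exports).
SAMPLE_SYSCTL = "# keepalive for the Provisioning Server\nnet.ipv4.tcp_keepalive_time=60\n"
SAMPLE_REG = ("Windows Registry Editor Version 5.00\n\n[" + TCPIP_PARAMS_KEY + "]\n"
              '"KeepAliveTime"=dword:0000ea60\n')

def sysctl_keepalive_seconds(sysctl_conf_text):
    """net.ipv4.tcp_keepalive_time (seconds) from sysctl.conf text, or None; last occurrence wins."""
    value = None
    for raw in sysctl_conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments, as sysctl -p does
        m = re.fullmatch(r"net\.ipv4\.tcp_keepalive_time\s*=\s*(\d+)", line)
        if m:
            value = int(m.group(1))
    return value

def reg_keepalive_seconds(reg_text):
    """KeepAliveTime from exported .reg text in seconds (the registry stores milliseconds),
    or None if absent. regedit exports .reg files as UTF-16, so decode before calling."""
    in_tcpip_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):     # registry key header
            in_tcpip_key = line[1:-1].lower() == TCPIP_PARAMS_KEY.lower()
            continue
        m = re.fullmatch(r'"KeepAliveTime"=dword:([0-9a-fA-F]{8})', line)
        if in_tcpip_key and m:
            return int(m.group(1), 16) / 1000
    return None

def check_keepalive_config(sysctl_conf_text, reg_text, expiration_s=180, refresh_s=60,
                           idle_timeout_s=FIREWALL_IDLE_TIMEOUT_S):
    """Return a list of problems; empty when every timer beats the firewall idle timeout."""
    timers = {
        "Linux net.ipv4.tcp_keepalive_time": sysctl_keepalive_seconds(sysctl_conf_text),
        "Windows KeepAliveTime": reg_keepalive_seconds(reg_text),
        "Provisioning Manager Expiration Time": expiration_s,
    }
    problems = [f"{name} is not set" for name, s in timers.items() if s is None]
    problems += [f"{name} = {s:g}s is not below the firewall idle timeout of {idle_timeout_s}s"
                 for name, s in timers.items() if s is not None and s >= idle_timeout_s]
    if refresh_s > expiration_s:
        problems.append(f"Refresh Time {refresh_s}s exceeds Expiration Time {expiration_s}s")
    return problems
```

Run it against each Provisioning Server's /etc/sysctl.conf and the exported .reg file before restarting the services; note that the sysctl.conf edit in step 1 only takes effect after sysctl -p or a reboot.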
Summary of Configuring the Symantec Provisioning Server for TCP KeepAlive
While this use case is specific to a particular architectural deployment of the VApp, these tuning settings also improve the performance of synchronization events in standalone installations. The changes can be made to any environment at any time and are useful beyond this use case.
Looking for additional help with the configuration of the Symantec Provisioning Server? ISX Consulting is an elite IAM security firm that offers boundless expertise in a range of cybersecurity and business process services, including Symantec Identity Manager. Take your interoperability to the next level, and contact an ISX consultant today.