Managing Logging 23-9
Notes:
■ When force flushing is enabled, the format of the trace message object for every operation becomes fragmented.
■ By default, force flushing is disabled. After you have flushed the necessary information to the log file, you should disable force flushing.
See Also: "Oracle Identity Management LDAP Attribute Reference" in Oracle Fusion Middleware Reference for Oracle Identity Management for information about the orcldebugforceflush attribute.
23-10 Oracle Fusion Middleware Administrators Guide for Oracle Internet Directory
24 Monitoring Oracle Internet Directory
This chapter describes the Oracle Internet Directory Manageability framework, which enables you to monitor Oracle Internet Directory. For information on monitoring other Oracle Fusion Middleware components, see the "Monitoring Oracle Fusion Middleware" chapter in the Oracle Fusion Middleware Administrator's Guide.
■ Introduction to Monitoring Oracle Internet Directory Server
■ Setting Up Statistics Collection by Using Fusion Middleware Control
■ Viewing Statistics Information with Fusion Middleware Control
■ Viewing Statistics Information from the Oracle Directory Services Manager Home Page
■ Setting Up Statistics Collection by Using the Command-Line
■ Viewing Information with the OIDDIAG Tool
Introduction to Monitoring Oracle Internet Directory Server
This introduction contains the following topics:
■ Capabilities of Oracle Internet Directory Server Manageability
■ Oracle Internet Directory Server Manageability Architecture and Components
■ Purging of Security Events and Statistics Entries
■ Account Used for Accessing Server Manageability Information
Capabilities of Oracle Internet Directory Server Manageability
The Oracle Internet Directory Server Manageability framework enables you to monitor the following directory server statistics:
■ Server health statistics about LDAP request queues, percent CPU usage, memory, LDAP sessions, and database sessions. For example, you can view the number of active database sessions over a period. You can also view the total number of connections opened to Oracle Internet Directory server instances over a period.
■ Performance statistics. Average latency in milliseconds is provided for bind, compare, messaging search, and all search operations over a period.
■ General statistics about specific server operations, such as add, modify, or delete. For example, you can view the number of directory server operations over a period. You can also view the failed bind operation count.
■ User statistics comprising successful and failed operations to the directory and the user performing each one. All LDAP operations are tracked for configured users. Also, the connections held by users at the end of the statistics collection period are tracked.
■ Critical events related to system resources and security, for example, occasions when a user provided the wrong password or had inadequate access rights to perform an operation. Other critical events include ORA errors other than expected errors (including 1, 100, or 1403), and abnormal termination of the LDAP server.
■ Security events tracking of users' successful and unsuccessful bind and userpassword compare operations.
Because bind and user password compare are among the most security-sensitive operations, an exclusive category, security event, is used to track these two operations. This event tracks the number of these operations performed by LDAP users and applications. The basic information recorded is user DN and source IP address. For failed user password compare, additional information is tracked, specifically, the number of failed compares of one user's password by another user from a given IP address.
■ Status information of the directory server and the directory replication server, for example, the date and time at which the directory replication server was invoked.
Oracle Internet Directory Server Manageability Architecture and Components
The relationship between the various components of directory server manageability is explained in Figure 24–1 and the accompanying text in Table 24–1.
Figure 24–1 Architecture of Oracle Internet Directory Server Manageability
[Figure not reproduced. Labels in the diagram: Oracle Internet Directory (Controller Thread, Worker Thread, Dispatcher Thread, Listener Thread); Common Interface for Memory Resident Storage; Memory Resident Storage for Server Statistics Queue; Memory Resident Storage for Server Tracing Queue; Memory Resident Storage for Server Security Events Queue; Low Priority Write Threads; Logging Repository; Directory Data Repository; Logging Statistics and Events Repository; Oracle Fusion Middleware Control.]
Table 24–1 Components of Oracle Internet Directory Server Manageability
Component | Description
Oracle Internet Directory | A directory server responds to directory requests from clients. It has four kinds of functional threads: controller, worker, dispatcher, and listener. It accepts LDAP requests from clients, processes them, and sends the LDAP response back to the clients. When you use the Oracle Internet Directory Server Manageability framework to set run-time monitoring, the four functional threads of the server record the specified information and store it in local memory. See Also: "An Oracle Directory Server Instance" on page 3-3 for a description of the directory server.
Memory Resident Storage | This is a local process memory. The Oracle Internet Directory Server Manageability framework assigns one each for statistics, tracing, and security events. Each has its own separate data structure maintained in the local memory storage.
Low Priority Write Threads | These dedicated write threads differ from server functional threads in that they write server statistics, security events logging, and tracing information to the repository. To maintain reduced system overhead, their priorities are kept low.
External Monitoring Application | This module, which is proprietary and external to the server manageability framework, collects the gathered statistics through a standard LDAP interface with the directory server and stores it in its own repository.
External Repository for Server Management Information | This is the repository that the monitoring agent uses to store the gathered directory server statistics. The monitoring agent determines how this repository is implemented.
Table 24–1 (Cont.) Components of Oracle Internet Directory Server Manageability
Component | Description
Fusion Middleware Control | Extracts monitored data from the statistics and events repository, presenting it in a Web-based graphical user interface. Users can view the data in a normal browser. A repository can store the collected data for generic and custom queries.
Logging Repository File System | This repository uses a file system to store information traced across various modules of the directory server. By using a file system for this purpose, the Oracle Internet Directory Server Manageability framework uses the features and security of the operating system.
Directory Data Repository | This repository contains all user-entered data, for example, user and group entries.
Statistics and Events Repository | This repository is like the tracing repository except that it stores the information in the same database as the directory data repository rather than in a file system. In this way, the Oracle Internet Directory Server Manageability framework uses normal LDAP operations to store and retrieve the information, and existing access control policies to manage the security of the gathered information. The directory manageability framework isolates the gathered information from the directory data by storing the two separately.
Purging of Security Events and Statistics Entries
Obsolete statistics entries are removed from Oracle Internet Directory by the Oracle Internet Directory purge tool, described in Chapter 35, "Managing Garbage Collection".
Account Used for Accessing Server Manageability Information
The Oracle Internet Directory database account ODSSM is used to access server manageability information from the database. During installation, this account's password is set to a value provided by the user at a prompt. The credentials for this account, including the password, are stored in the Oracle Internet Directory snippet in the Oracle Enterprise Manager Fusion Middleware Control file targets.xml.
The only way you can change this account's password is to use the procedure documented in "Changing the Password for the ODSSM Administrator Account" on page 12-8. There is no support in the oidpasswd tool for changing this password.
Setting Up Statistics Collection by Using Fusion Middleware Control
This section contains the following topics:
■ Configuring Directory Server Statistics Collection by Using Fusion Middleware Control
■ Configuring a User for Statistics Collection by Using Fusion Middleware Control
Configuring Directory Server Statistics Collection by Using Fusion Middleware Control
To configure statistics collection from Oracle Enterprise Manager Fusion Middleware Control, follow these steps:
1. Select Administration, then Server Properties from the Oracle Internet Directory menu, then select Statistics.
2. In the General section of the page, select Stats Flag to enable statistics collection.
3. Specify the number of minutes in the Stats Frequency field to control the frequency of statistics collection.
4. Select values from the Bind Security Event Tracking and Compare Security Event Tracking lists.
5. To collect statistics about users, select User Statistics Collection in the User Statistics section of the page.
6. In the Event Levels section of the page, select the events you want to track.
Table 24–2 Configuration Attributes on Server Properties Page, Statistics Tab
Field or Heading | Configuration Attribute
Stats Flag | orclstatsflag
Stats Frequency (min) | orclstatsperiodicity
Bind Security Event Tracking and Compare Security Event Tracking | orcloptracklevel
User Statistics | orclstatslevel
Event Levels | orcleventlevel
Notes:
■ After you enable User Statistics collection, you also must specify individual users for statistics collection. See "Configuring a User for Statistics Collection by Using Fusion Middleware Control" on page 24-5.
■ If you do not select SuperUser Login as an event level, the corresponding Security values on the Oracle Internet Directory home page are always 0.
■ In 11g Release 1 (11.1.1), consecutive settings of orcldebugflag and of orcloptracklevel are additive.
Configuring a User for Statistics Collection by Using Fusion Middleware Control
To configure a user so that Server Manageability collects statistics for that user:
1. From the Oracle Internet Directory menu, select Administration, then Shared Properties.
2. Select the General tab.
3. Add the user's distinguished name to User DN. This adds the user's DN to the attribute orclstatsdn. For example:
cn=Mary Lee, ou=Product Testing, c=us
cn=Michael Smith, ou=Product Testing, c=us
cn=Raj Sharma, ou=Human Resources, c=us
Note: If you have configured orclldapconntimeout so that idle LDAP connections are closed after a period of time, as described in the Oracle Internet Directory chapter of Oracle Fusion Middleware Performance and Tuning Guide, be aware that connections do not time out as per this setting for users who are configured for statistics collection.
Viewing Statistics Information with Fusion Middleware Control
You can use Oracle Enterprise Manager Fusion Middleware Control to view many of the features of Oracle Internet Directory Server Manageability, as explained in this section.
Viewing Statistics Information on the Oracle Internet Directory Home Page
The Oracle Internet Directory Home Page displays the following information:
■ Performance
– Average Operation Response Time (ms)
– Messaging Search Response Time (ms)
– Bind Response Time (ms)
■ Load
– Total LDAP Connections
– Operations Completed
– Operations in progress
■ Security
– Failed Bind Operations
– Failed SuperUser Logins
– Successful SuperUser Logins
■ Resource Usage
– CPU Utilization
– Memory Utilization
■ Average Response and Load
– LDAPserverResponse
– numCompletedOps
Click Table View if you want to see values in tabular form.
In the Security section of the page, the values for Failed Bind Operations, Failed SuperUser Logins, and Successful SuperUser Logins are 0 if you have not enabled collection of these metrics. See "Setting Up Statistics Collection by Using Fusion Middleware Control" on page 24-4 for more information.
Viewing Information on the Oracle Internet Directory Performance Page
From the Oracle Internet Directory menu, select Monitoring, then Performance Summary. The following metrics are shown by default:
■ Server Response
■ Total Operations
■ Messaging Search Operation Response Time
■ Bind Operation Response Time
■ Compare Operation Response Time
■ Total Number of Security Events Objects in Purge Queue
■ Total Number of Security Refresh Events Objects in Purge Queue
■ Total Number of System Resource Events Objects in Purge Queue
See Also: "Viewing Queue Statistics by Using Fusion Middleware Control" on page 41-13 for information on replication queue statistics.
To display other metrics, expand the Metrics Palette by clicking the arrow on the right edge of the window. You can collapse the Metrics Palette by clicking the arrow on the left edge of the window.
The default time interval is 15 minutes. To change the time interval, click Slider, then use the sliders to set the time interval. You can also click the Date and Time icon, set the start and end date and time on the Enter Date and Time dialog, then click OK.
Click the Refresh icon to refresh the page.
The View list enables you to view and save charts.
The Overlay list enables you to overlay the metrics for a different Oracle Internet Directory target.
Viewing Statistics Information from the Oracle Directory Services Manager Home Page
The Oracle Directory Services Manager home page for Oracle Internet Directory lists the following information:
■ Uptime
■ LDAP Connections
■ OID Procs
■ Number of Entries
■ LDAP Change Log Entries
■ Replication Agreements
■ Debug Enabled
■ Operation Latency
Notes:
■ For non-critical events, there is a time lag of several minutes, up to orclstatsperiodicity, before the corresponding metric is updated.
■ You must click the Refresh icon to see updated metrics.
Setting Up Statistics Collection by Using the Command-Line
This section contains the following topics:
■ Configuring Health, General, and Performance Statistics Attributes
■ Configuring User Statistics Collection from the Command Line
■ Configuring Event Levels from the Command Line
■ Configuring a User for Statistics Collection by Using the Command Line
Configuring Health, General, and Performance Statistics Attributes
You can use ldapmodify and ldapsearch to set and view statistics collection-related configuration attributes. These attributes are in the instance-specific configuration entry, as described in Chapter 9, "Managing System Configuration Attributes".
To enable the collection of health, general, and performance statistics, set the orclStatsFlag and orclStatsPeriodicity attributes. For example, to enable the Oracle Internet Directory Server Manageability framework for the component oid1, you create an LDIF file that looks like this:
dn: cn=oid1,cn=osdldapd,cn=subconfigsubentry
changetype: modify
replace: orclstatsflag
orclstatsflag: 1
To upload this file, enter the following command:
ldapmodify -h host -p port_number -D bind_DN -q -f file_name
where the bind DN authorized to perform server manageability configuration is cn=emd admin,cn=oracle internet directory.
Configuring Security Events Tracking
To configure security events tracking, set the attribute orcloptracklevel. This attribute is located in the instance-specific configuration entry, as described in Chapter 9, "Managing System Configuration Attributes". Table 24–3 lists the values of orcloptracklevel to configure different levels of bind and compare information collection:
The metrics recorded by each orcloptracklevel value are listed in the following table:
Table 24–3 Values of orcloptracklevel
orcloptracklevel value | Configuration
1 | Bind DN only
2 | Bind DN and IP address
4 | Compare DN only
8 | Compare DN and IP address
16 | Compare DN, IP address and failure details
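The LDIF shown earlier sets only orclstatsflag, and Table 24–3 lists the tracking values one at a time. The following added example (not from the Oracle guide) builds a single modify record that sets orclstatsflag, orclstatsperiodicity, and orcloptracklevel together, and decodes a value read back from the entry. It assumes, from the note that consecutive orcloptracklevel settings are additive, that the Table 24–3 values can be combined; the level names and function names are hypothetical.

```shell
# Added example, not Oracle's code. Level names and function names are hypothetical.
# Assumption: Table 24-3 values combine by addition (distinct bits).

# Map a level name to its Table 24-3 value.
level_value() {
    case "$1" in
        bind-dn)         echo 1 ;;
        bind-dn-ip)      echo 2 ;;
        compare-dn)      echo 4 ;;
        compare-dn-ip)   echo 8 ;;
        compare-details) echo 16 ;;
        *) echo "unknown tracking level: $1" >&2; return 1 ;;
    esac
}

# Combine named levels into one orcloptracklevel value (repeats count once).
tracklevel() {
    [ $# -gt 0 ] || { echo "no tracking level given" >&2; return 1; }
    total=0
    for name in "$@"; do
        v=$(level_value "$name") || return 1
        total=$(( total | v ))
    done
    echo "$total"
}

# List the level names present in a value read back with ldapsearch.
decode_tracklevel() {
    out=
    for name in bind-dn bind-dn-ip compare-dn compare-dn-ip compare-details; do
        if [ $(( $1 & $(level_value "$name") )) -ne 0 ]; then out="$out $name"; fi
    done
    echo "${out# }"
}

# Emit one LDIF modify record: component name, period in minutes, level names.
stats_ldif() {
    [ $# -ge 3 ] || { echo "usage: stats_ldif component minutes level..." >&2; return 1; }
    component=$1; minutes=$2; shift 2
    case "$minutes" in ''|*[!0-9]*) echo "bad periodicity: $minutes" >&2; return 1 ;; esac
    level=$(tracklevel "$@") || return 1
    printf '%s\n' "dn: cn=$component,cn=osdldapd,cn=subconfigsubentry" \
        "changetype: modify" \
        "replace: orclstatsflag" "orclstatsflag: 1" "-" \
        "replace: orclstatsperiodicity" "orclstatsperiodicity: $minutes" "-" \
        "replace: orcloptracklevel" "orcloptracklevel: $level"
}

stats_ldif oid1 30 bind-dn-ip compare-details
```

Save the output to a file and upload it with the ldapmodify command shown earlier; the lone "-" lines separate the three modifications within the one record.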