Each of the Curity Identity Server’s run-time nodes runs inside a separate instance of the Java Virtual Machine (JVM). This VM includes a number of options and flags that can severely impact performance. To configure these, like all other configuration of the Curity Identity Server, the configuration service’s API is used. The flags of the JVM are configured per service (i.e., per run-time node) from this central service. This is helpful for a few reasons:
Configuration of a service’s JVM options is done by setting the property jvm-options of a service role. After this is set, the Curity Identity Server needs to be restarted for the changes to take effect. This is one of the few configuration changes in the Curity Identity Server that requires a manual restart of the service; all others are immediately and automatically applied.
Warning
These changes will not take effect on a server node’s first run unless the file $IDSVR_HOME/var/jvm-options is created and contains the same flags as configured. Without this file, the first run will use the default JVM settings, and changes will only take effect after the node has been restarted.
$IDSVR_HOME/var/jvm-options
To configure the JVM setting in the UI:
Show Advanced Settings
JVM Options
Commit
To change the JVM settings, use the REST API as follows:
In a shell or using a similar API client (e.g., Postman), make an HTTP PATCH request to add the JVM options. For instance, this can be done using curl like this:
PATCH
Listing 186 Changing the default JVM options¶ $ SERVICE_ROLE=runtime $ curl -k -u admin:Password1 -X PATCH -H "Content-Type: application/vnd.yang.data+xml" -d ' <service> <jvm-options>-XX:+PrintGCDetails -XX:+UseG1GC</jvm-options> </service> ' "https://localhost:6749/admin/api/rest/running/environments/environment/services/service-role/$SERVICE_ROLE"
$ SERVICE_ROLE=runtime $ curl -k -u admin:Password1 -X PATCH -H "Content-Type: application/vnd.yang.data+xml" -d ' <service> <jvm-options>-XX:+PrintGCDetails -XX:+UseG1GC</jvm-options> </service> ' "https://localhost:6749/admin/api/rest/running/environments/environment/services/service-role/$SERVICE_ROLE"
Verify that the options was set correctly by making an HTTP get request like the following:
get
Listing 187 Checking that the configuration was successfully updated¶ $ curl -k -u admin:Password1 \ "https://localhost:6749/admin/api/rest/running/environments/environment/services/service-role/$SERVICE_ROLE/jvm-options" This will return an XML element containing the configured valued, like this: Listing 188 An example of the configured JVM options returned from the REST API¶ <jvm-options xmlns="https://curity.se/ns/conf/base" xmlns:y="http://tail-f.com/ns/rest" xmlns:base="https://curity.se/ns/conf/base"> -XX:+PrintGCDetails -XX:+UseG1GC </jvm-options>
$ curl -k -u admin:Password1 \ "https://localhost:6749/admin/api/rest/running/environments/environment/services/service-role/$SERVICE_ROLE/jvm-options"
This will return an XML element containing the configured valued, like this:
<jvm-options xmlns="https://curity.se/ns/conf/base" xmlns:y="http://tail-f.com/ns/rest" xmlns:base="https://curity.se/ns/conf/base"> -XX:+PrintGCDetails -XX:+UseG1GC </jvm-options>
Restart the node to begin using this new configuration. This is the only configuration change in the Curity Identity Server that requires a restart of a node. Upon restart, the new JVM settings will be used.
This setting can also be updated using the Command Line Interface (CLI). To do this, follow these steps:
Start the CLI by starting idsh.
idsh
Enter configuration mode by typing configure and hit enter.
configure
Type the following and press enter:
Listing 189 Setting the JVM options in the configuration mode of the CLI¶ set environments environment services service TestServer1 jvm-options "-XX:+PrintGCDetails -XX:+UseG1GC" Tip Be sure to include the arguments in quotes.
set environments environment services service TestServer1 jvm-options "-XX:+PrintGCDetails -XX:+UseG1GC"
Tip
Be sure to include the arguments in quotes.
Commit the transaction by typing commit and pressing enter.
commit