Disable SSPI for Single Sign-on
If you are experiencing (non-SSO) login difficulties on a Windows server and the log file indicates that SSPI is unable to find the domain, you can disable SSPI and "fall back" to the JCSI provider. To do this you must add a system property to the custom.cfg configuration file.
Note: The drawback of using JCSI on a Windows server is that some integration features (such as SCP, SSO, and trusted KDC) are unavailable.
Security Support Provider Interface (SSPI) is used to provide web single sign-on on Windows, but it limits logins and administration to domains within the same forest as the Windows host. If you are hosting the console on a Windows server joined to a forest different from the one it administers, disable SSPI. A pure-Java Kerberos implementation is used instead, but it cannot do single sign-on on Windows.
To disable SSPI
- Open the custom.cfg file for editing.
See Setting custom configuration settings for general information about customizing configuration settings for the management console.
- Add the following property to the custom.cfg file to disable SSPI:
-Dconsole.sspi.disable=true
Or, if your problem is only with TGT validation, add this line instead:
-Dconsole.sspi.disable-self-test=true
- Save the custom.cfg file.
- Restart the Management Console for Unix service.
See Start/stop/restart Management Console for Unix service for details.
Enable SSO for remote browser clients
In order for remote browser clients to log onto the management console using SSO, Management Console for Unix requires that the web browser 'delegate' the user's credentials to the server. Therefore, you must enable the Management Console for Unix server for delegation.
To enable the Management Console for Unix server for delegation
- Open Active Directory Users and Computers.
- Navigate to the container, in the domain, where the computer object for the host running Management Console for Unix resides.
For example, if the console is installed on a domain controller, navigate to <DomainName> | Domain controllers and find the computer object.
- In the details pane, right-click the computer object and click Properties.
- Open the Delegation tab, select Trust this computer for delegation to any service (Kerberos only) and click OK to save your selection and close the properties.
Note: In Active Directory, computer objects have a property that gets set when you select Trust this computer for delegation to any service (Kerberos only). SSO will not work if delegation is not enabled on the server.
For the delegation changes to take effect in Active Directory, you may need to reboot the client.
JVM memory tuning suggestions
Previous releases of the Management Console for Unix used Java 6 and tended to require manual tuning of the JVM memory settings. Java 8 reduces the need for this because, by default, it automatically chooses its initial and maximum heap sizes as fractions of the host's memory size. The resulting maximum heap size can be displayed by running this command:
java -XshowSettings:vm -version
However, there may still be scenarios for which manual tuning is desirable. If you are experiencing performance degradation due to heavy demand from web service calls, simultaneous report generation, queries from multiple browser connections, and so forth, One Identity recommends that you increase the JVM memory.
To tune JVM memory
- Open the custom.cfg file for editing.
See Setting custom configuration settings for general information about customizing configuration settings for the management console.
- Set the initial or start memory size using the -Xms variable and the maximum memory size using the -Xmx variable. For example:
-Xms512m
-AND-
-Xmx512m
where "512m" specifies 512MB of memory or "1g" specifies 1GB of memory.
Note: 1024MB is the default memory requirement.
One Identity recommendations:
- For each 1,000 application database records (hosts, users, groups, group memberships), increase the JVM memory by 20MB to support 1 to 3 simultaneous web browser connections.
- For each 1,000 records, increase the memory by 30MB to support 3 to 5 simultaneous web browser connections.
- Do not allocate more memory than you have; the console will fail to load.
These suggested specifications depend on your reporting demands. If you create more than two or three reports simultaneously, increase the memory specification.
For further information on specific settings, refer to <install_directory>/jvmargs.cfg.
These values are used for the JVM heap, which reserves memory for the server and its database. Increasing the amount of memory available can improve performance, but increasing it too much can have a detrimental effect in the form of longer pauses for full garbage collection runs. Setting -Xms and -Xmx to the same value increases predictability by removing the most important sizing decision from the virtual machine; on the other hand, the virtual machine cannot compensate if you make a poor choice. Increase the memory as you increase the number of processors, since allocation can be parallelized. JVM heaps greater than 1.5 GB require a 64-bit JVM; a larger heap on a 32-bit JVM will cause the service not to start.
Numbers can include 'm' or 'M' for megabytes, 'k' or 'K' for kilobytes, and 'g' or 'G' for gigabytes. For example, 32k is the same as 32768. Unless you have problems with pauses, try granting as much memory as possible.
For further reading on garbage collection tuning refer to https://docs.oracle.com/javase/8/docs/technotes/guides/vm/gctuning/.
- Save the custom.cfg file.
- Restart the Management Console for Unix service.
See Start/stop/restart Management Console for Unix service for details.
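As an added example (not from the One Identity documentation), this POSIX shell script turns the sizing guidance above into an -Xms/-Xmx pair for custom.cfg and checks it against the two hard limits the text names: host memory, and the 1.5 GB ceiling without a 64-bit JVM. The function names, rounding record counts up to whole thousands, and rejecting more than 5 connections as outside the documented range are assumptions.

```shell
# Added example, not One Identity code: size the MCU heap from the guidance above.
# Assumed rules: 1024 MB base (the documented default), +20 MB per 1,000 records for
# 1-3 browser connections, +30 MB per 1,000 for 4-5; record counts round up to whole
# thousands. More than 5 connections is outside the documented range, so it is rejected.

# mcu_heap_mb RECORDS CONNECTIONS -> recommended heap size in MB
mcu_heap_mb() {
    records=$1
    conns=$2
    if [ "$conns" -lt 1 ] || [ "$conns" -gt 5 ]; then
        echo "mcu_heap_mb: $conns connections is outside the documented 1-5 range" >&2
        return 1
    fi
    blocks=$(( (records + 999) / 1000 ))
    if [ "$conns" -le 3 ]; then per_block=20; else per_block=30; fi
    echo $(( 1024 + blocks * per_block ))
}

# mcu_check_heap HEAP_MB HOST_MB JVM_BITS -> "ok" (exit 0) or the reason it is unsafe (exit 1)
mcu_check_heap() {
    heap=$1; host=$2; bits=$3
    if [ "$heap" -gt "$host" ]; then
        echo "refuse: ${heap}MB exceeds host memory (${host}MB); the console would fail to load"
        return 1
    fi
    if [ "$bits" -ne 64 ] && [ "$heap" -gt 1536 ]; then
        echo "refuse: ${heap}MB is above 1.5GB, which requires a 64-bit JVM"
        return 1
    fi
    echo ok
}

# mcu_jvm_lines HEAP_MB -> the two lines to add to custom.cfg;
# -Xms is set equal to -Xmx, as the text recommends for predictable sizing
mcu_jvm_lines() {
    printf '%s\n%s\n' "-Xms${1}m" "-Xmx${1}m"
}

# Constructed sample: 25,000 records, 4 concurrent browser sessions, 8 GB host, 64-bit JVM.
heap=$(mcu_heap_mb 25000 4)
mcu_check_heap "$heap" 8192 64 && mcu_jvm_lines "$heap"
```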
Start/stop/restart Management Console for Unix service
Depending on the platform you are using, use the corresponding procedure to start, stop, or restart the Management Console for Unix service (mcu_service).