This section of the admin guide describes information related to monitoring the Curity Identity Server.
Tip
🔥🔥🔥 If you just want to know how to determine if your instance of Curity is unhealthy and on fire, refer to the information below. 🔥🔥🔥
Java Management Extensions (JMX) is a commonly used interface for monitoring the internals of a Java-based application like the Curity Identity Server. This ability to peer inside the application, however, can be dangerous. It is for this reason that JMX is disabled by default. To enable it, the ENABLE_JMX can be set before starting the Curity Identity Server; the value is ignored and can can be any non-empty value (e.g., true, 1, etc.). This can be done on the command line like this, for instance:
ENABLE_JMX
true
1
$ ENABLE_JMX=1 idsvr
With JMX enabled, the following can be monitored and, in some cases, changed:
Note that serialization must be enabled for the javax.management.* classes in order for JMX to function properly. This should be handled automatically in typical scenarios.
javax.management.*
To make tracing easier, Curity has support for adding a HTTP response header containing the node’s service-id, which is a unique string based on the service-name (see Setup Nodes for more information), to every HTTP response.
service-id
service-name
To enable this header, set the system property called se.curity:identity-server:http:service-id-header when starting up Curity. The value of this property should be the name of the header you want to contain the service-id.
se.curity:identity-server:http:service-id-header
$ JAVA_OPTS="-Dse.curity:identity-server:http:service-id-header=X-Service-Id" idsvr
When that’s done, every Curity response will contain a header like X-Service-Id: the-service-id, making it easier to trace requests to particular Curity nodes.
X-Service-Id: the-service-id
The Curity Identity Server ships with support for Java Flight Recorder and Java Mission Control. These are branded, fully-tested builds of the open-source JDK Flight Recorder and JDK Mission Control which Oracle released in 2018. Coupled with the instrumentation and data collection performed by Flight Recorder inside of Curity, Java Mission Control provides monitoring and management possibilities with very little impact on Curity’s performance.
Java Mission Control can be downloaded from Adoptium’s Web site.[1] Once it is installed and started, you can use it to attach to an instance of Curity if JMX is enabled (as described above). This will allow you to monitor, in real-time, such things as CPU, memory, threads, garbage collections, and much, much more.
You can also record the performance for later analysis. This can be very helpful in difficult support cases, for instance. This can be done in Java Mission Control or by using the jcmd command that is shipped with Curity. Using either is a two-step process:
To start a recording or to connect to a remote instance of Curity using Java Mission Control requires additional parameters to be provided when starting that instance. Refer to the Monitoring and Management section of the Java SE documentation for details of what these parameters are. As an example, running Curity in a local Docker container (which effectively makes it remote), it is possible to connect to it from Java Mission Control if it is started with additional parameters that can be passed using the JAVA_OPTS environment variable like this:
JAVA_OPTS
$ docker run -it \ -e ENABLE_JMX=1 \ -e JAVA_OPTS="-Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.port=7091 -Dcom.sun.management.jmxremote.rmi.port=7091 -Djava.rmi.server.hostname=localhost -Dcom.sun.management.jmxremote.local.only=false" \ -e PASSWORD=$PASSWORD \ -p 6749:6749 \ -p 7091:7091 \ -p 8443:8443 \ curity/idsvr:latest
Warning
The example in listing Listing 82 is provided only for demonstration, and more secure options should be used in production.
With remote access enabled, a connection can be made using Java Mission Control by selecting the Connect… menu option in the File menu, or by selecting New Connection from the context menu of the JVM Browser, or by clicking the New Connect button from the toolbar shown in figure Fig. 28:
Fig. 28 Creating a new connection to a remote instance of Curity
Whichever method is used, the following dialogue page will be shown:
Fig. 29 JMX connection modal in Java Mission Control
Clicking the Test connection button should briefly flicker a status dialogue box and then the Status field should be changed to OK. If so, click Finish. Otherwise, tweak the settings used when starting the instance of Curity and refer to the Java Monitoring and Management documentation for additional guidance and troubleshooting tips. Baring any connectivity issues, a new JVM should be shown in JVM Browser treeview:
OK
Fig. 30 JVM Browser showing new connection to Curity instance
If the MBean Server child node of this new connection is clicked, a dashboard is shown, like that of figure Fig. 31:
Fig. 31 Dashboard showing memory, JVM CPU, remaining heap memory, and other aspects of the running instance of Curity
To start a recording in Java Mission Control, right-click the Flight Recorder item in the JVM Browser treeview under the established connection, as shown in Fig. 30, and then select Start Flight Recording…. The following dialogue will be shown:
Fig. 32 Starting a recording of the performance of an instance of Curity using Java Mission Control
Select Finish to accept the defaults or make adjustments on the current or subsequent pages as required.
When shell access to the machine running Curity is available, an alternative to start a recording is to use jcmd. With this tool, you need the process ID of the instance of the Curity Identity Server to be profiled or you can use the package name of its bootstrapper. Both alternatives work but only the latter is shown in the following listings:
$ jcmd se.curity.identityserver.app.Bootstrapper JFR.start
Note
The jcmd command is included in various versions of the JDK, but is not directly provided by Curity. The various options and subcommands supported by this tool can be found in the jcmd documentation.
After the JFR.start subcommand is run, it will print the command necessary to dump a snapshot of analysis data. It will be something like this:
JFR.start
$ jcmd 59896 JFR.dump name=1 filename=FILEPATH # where 59896 is the process ID of Curity
The state of recording can be checked using the JFR.check subcommand with either the process ID or the bootstrapper package name like this:
JFR.check
$ jcmd se.curity.identityserver.app.Bootstrapper JFR.check
If recording is not currently underway, this command will provide the instructions on how to start one.
When the dump subcommand is run, the recording will be captured in the specified file. At that point, the file can be opened in Java Mission Control or other tools that support the JDK Flight Recorder format.
Dumping the recording to a file does not stop the recording. To do that, use the JFR.stop subcommand. This also accepts a filename and name parameter like JFR.dump does except that it stops the recording and the filename parameter is optional. If the filename is not provided, then a dump will not be simultaneously made. An example of stopping a recording named 1 is shown in the following listing:
JFR.stop
filename
name
JFR.dump
$ jcmd se.curity.identityserver.app.Bootstrapper name=1 filename=/tmp/recording_1.jfr
It is also possible to start a recording by providing certain command line options to the Curity Identity Server. This can be done in various ways. For example, this can be achieved by configuring the JVM options. A better way typically though is to set the JAVA_OPTS environment variable to include the parameters necessary to start the recording when the Curity Identity Server starts. Either way, the parameters will be something like these:
-XX:StartFlightRecording=filename=my-good-file.jfr,duration=10m
For information about available flags that can be passed when starting a recording, refer to the flight recorder command reference.
Using either Java Mission Control, command line options provided to the Curity Identity Server, or jcmd, the resulting file can be analyzed and potentially shared with support. This will give a lot of insight into the source of potential issues. For more information on Flight Controller and Mission Control, refer to the following sources:
Curity Identity Server contains an HTTP endpoint providing node status information. Its operation is configured by the following environment variables.
STATUS_CMD_ENABLED
STATUS_CMD_PORT
4465
STATUS_CMD_HOST
0.0.0.0
STATUS_CMD_MAX_THREADS
16
By default, this status endpoint is enabled, however it can be disabled by setting the STATUS_CMD_ENABLED environment variable to false or by starting idsvr with the --no-status parameter.
false
idsvr
--no-status
The status endpoint supports HTTP GET and HEAD requests to the / path. The response will have status code:
GET
HEAD
/
200
isServing
/serving
503
In both cases, the response body will contain a JSON representation of the node status, containing the following fields:
isReady
nodeState
BOOTING
WAITING
RUNNING
ERROR
STOPPING
clusterState
STANDALONE
CONNECTING_TO_CLUSTER
CONNECTED
ADMIN
configurationState
UNINITIALIZED
CONFIGURED
RECONFIGURING
transactionId
isAdminServing
pluginsInitialized
The status endpoint also contains the /serving and /admin-serving paths to expose the isServing and isAdminServing information respectively via the status code, which is useful if the probing system is unable to process JSON representations. These paths accept both GET and HEAD requests. The response for the /serving path will have an empty body and status code:
/admin-serving
The response for the /admin-serving path will have an empty body and status code:
404
Note that the /admin-serving path is only served on admin nodes. On runtime nodes, a request to this path will return 404.
The Curity Identity Server installation also contains the bin/status command line tool that can be used to probe the HTTP status endpoint. It uses the same environment variables the server uses and has two invocation parameters:
bin/status
-j
--json
-h
--help
-v
The status tool performs a request to the local node status endpoint and writes the response body to the standard output. The tool exit code is described in the following table.
status
0
4
103
104
105
Each run-time and admin node exposes an endpoint where certain information is published in a Prometheus-compliant format (i.e., Prometheus’ OpenMetrics format). This allows the Prometheus monitoring tool (or others that can process data in this format) to monitor certain metrics about the behavior of the node. This endpoint is exposed over HTTP and listening on the same interface as the status endpoint described above. The port used is one greater than the status endpoint (4466 by default). The URI is /metrics, so, for example, the URL of the data would be https://localhost:4466/metrics.
4466
/metrics
https://localhost:4466/metrics
The metrics exposed and their meanings is described in the following table:
The client_id of the idsvr_oauth_token_issued metric for ID tokens will be that of the requesting client (i.e., the authorized party). For all other tokens, the client_id is the ID of the client to whom the token was issued.
client_id
idsvr_oauth_token_issued
Request thread pool metrics (whose name starts with idsvr_request_pool_) are only available when JMX is enabled.
idsvr_request_pool_
In addition to the global metrics described above, some plugins may contribute with metrics related to their particular usage. Namely, the JDBC data source plugin exposes metrics of the underlying connection pool.
The labels in the previous table have the meanings described in the following table:
By default no unique values are reported for client_id to prevent value explosion which Prometheus has a hard time handling. If the system only contains a small number of clients then this can be enabled by setting the system property se.curity:identity-server:reporting:include-client-id-label=true when starting the Curity Identity Server.
se.curity:identity-server:reporting:include-client-id-label=true
Gathering of data can be disabled. If this is set when the node starts, no data will be published. To disable gathering of data, in the admin UI, go to System ‣ General. There, toggle off Enable Reporting. Once that change is committed, all nodes will stop gathering data.
Enable Reporting
If you want to setup certain alerts when things go wrong in the Curity Identity Server, you can simply setup the following:
datasource_*_sum
datasource_*_count
log4j2_appender_total
error
warn
cpu_usage
http_server_request_time_sum
http_server_request_time_count
Configuring Prometheus metrics is done under /environments/environment/reporting section.
/environments/environment/reporting
enable
include-profile-id
profile_id
% show environments environment reporting enable true; include-profile-id true;