How to Increase Java Heap Size in Config.groovy to Resolve OutOfMemoryError in RSA Authentication Manager 8.3 and Later
Originally Published: 2019-04-12
Article Number
000049261
Applies To
  • RSA Product Set: SecurID
  • RSA Product/Service Type: Authentication Manager
  • RSA Version/Condition: 8.3 and higher
  • Component: Config.groovy, biztier, console heap

 

Issue

Use this article if your RSA Authentication Manager Security Console is experiencing any of the following symptoms and your appliance has 16 GB or more of available RAM:

  • The Security Console returns an HTTP 503 (Service Unavailable) error
  • Stuck threads, transaction timeouts, or Java heap space errors appear in the logs:

    In /opt/rsa/am/server/logs/biztier.log:
    <Date&Time> <Error> <WebLogicServer> <securidadmin> <biztier> <[ACTIVE] ExecuteThread: '50' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <>
    <1554957986183> <BEA-000337> <[STUCK] ExecuteThread: 
    
    <Date&Time> <Info> <EJB> <securidadmin> <biztier> <BEA-010227> <EJB exception occurred during invocation from home or business: com.rsa.command.CommandServerEjb30_vraifm_Intf generated exception: COMMAND_EXECUTION_UNEXPECTED_ERROR 
    Caused by: com.rsa.common.SystemException: com.rsa.common.UnexpectedDataStoreException: unable to select group from IMS_GROUP_DATA 
    Caused by: java.sql.SQLException: The transaction is no longer active - status: 'Marked rollback. [Reason=weblogic.transaction.internal.TimedOutException:
    Transaction timed out after 600 seconds 
    BEA1-7296CB88F9924262E80E]'. No further JDBC access is allowed within this transaction.

    In /opt/rsa/am/server/logs/console.log: 
     '19' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1554471588597> <BEA-000337> <[STUCK] ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)' has been busy for "620" seconds working on the request "Http Request Information: weblogic.servlet.internal.ServletRequestImpl@6c4c9b83[GET /console-ims/DashBoardUserGroupMembership.do]"

    In /opt/rsa/am/server/logs/imsTrace.log:
    INFO | jvm 1 | main | 2019/03/27 19:20:42 | Exception in thread "OARequestHandler Dispatcher Thread" java.lang.OutOfMemoryError: Java heap space 
    
    INFO | jvm 1 | main | 2019/03/27 19:22:46 | Exception in thread "weblogic.GCMonitor" java.lang.OutOfMemoryError: Java heap space 
    STATUS | wrapper | main | 2019/03/27 19:23:05 | TERM trapped. Shutting down. 
    
    Caused by: java.lang.OutOfMemoryError: Java heap space 
    at java.util.Arrays.copyOfRange(Arrays.java:2694) 
    at java.lang.String.<init>(String.java:203) 
    at java.lang.StringBuilder.toString(StringBuilder.java:405) 
    at com.rsa.authmgr.internal.common.dal.hibernate.util.FilterHQL.createQuery(FilterHQL.java:543) 
    at com.rsa.authmgr.internal.admin.common.dal.sql.DataObjectAccessSql$3.doInHibernate(DataObjectAccessSql.java:931) 
    at org.springframework.orm.hibernate3.HibernateTemplate.doExecute(HibernateTemplate.java:407) 
    at org.springframework.orm.hibernate3.HibernateTemplate.executeFind(HibernateTemplate.java:344) 
    at com.rsa.authmgr.internal.admin.common.dal.sql.DataObjectAccessSql.executeFind(DataObjectAccessSql.java:902) 
    at com.rsa.authmgr.internal.admin.common.dal.sql.DataObjectAccessSql.executeSearch(DataObjectAccessSql.java:856) 
    at com.rsa.authmgr.internal.admin.common.dal.sql.DataObjectAccessSql.executeCiSearch(DataObjectAccessSql.java:821) 
    at com.rsa.authmgr.internal.admin.common.dal.sql.DataObjectAccessSql.search(DataObjectAccessSql.java:661) 
    at com.rsa.authmgr.internal.admin.agentmgt.dal.sql.AgentAccessSQL.searchAccessibleAgentsByGroups(AgentAccessSQL.java:61) 
    at com.rsa.authmgr.internal.admin.agentmgt.impl.AgentLocatorImpl.searchAccessibleAgentsByGroups(AgentLocatorImpl.java:183) 
    at com.rsa.authmgr.admin.agentmgt.SearchAccessibleAgentsForPrincipalCommand$Executive.execute(SearchAccessibleAgentsForPrincipalCommand.java:25) 
    at com.rsa.authmgr.admin.agentmgt.SearchAccessibleAgentsForPrincipalCommand.performExecute(SearchAccessibleAgentsForPrincipalCommand.java:217)


    In the System Log report (Security Console > Reporting):

    16042 GetPrincipalGroupsCommand ActivityMonitorCommand SQL No value specified for parameter 3 Could not get JDBC Connection; Rolled back. Transaction timed out after 599 seconds 
     16099 Administrator “<admin>” attempted to read a group ou=<group or ou> 
     16263 Find user across Identity Sources <LDAP Identity Source name>
     16294 Failed to connect to identity source <LDAP Identity Source name>
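
A triage script for the log signatures listed above, added here as an example (it is not RSA tooling): it counts heap-space errors, stuck-thread messages (BEA-000337) and transaction timeouts across the three log files. The sample logs are constructed from the excerpts in this article, and `count_sig` and `triage` are names chosen for this example.

```shell
#!/bin/sh
# Added example: count the symptom signatures from this article in a log directory.
# The signature strings are copied from the log excerpts above.

# count_sig FILE STRING -> number of lines in FILE containing the fixed STRING
count_sig() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -cF -- "$2" "$1" || true      # grep -c prints 0 but exits 1 on no match
}

# triage LOGDIR -> "oom=N stuck=N txtimeout=N"
triage() (
    dir=$1
    oom=$(count_sig "$dir/imsTrace.log" 'java.lang.OutOfMemoryError: Java heap space')
    s1=$(count_sig "$dir/biztier.log" '<BEA-000337>')
    s2=$(count_sig "$dir/console.log" '<BEA-000337>')
    tx=$(count_sig "$dir/biztier.log" 'Transaction timed out after')
    echo "oom=$oom stuck=$((s1 + s2)) txtimeout=$tx"
)

# Constructed sample logs, shortened from the excerpts in this article.
sample_dir=$(mktemp -d)
cat > "$sample_dir/biztier.log" <<'EOF'
<1554957986183> <BEA-000337> <[STUCK] ExecuteThread:
Transaction timed out after 600 seconds
EOF
cat > "$sample_dir/console.log" <<'EOF'
<1554471588597> <BEA-000337> <[STUCK] ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)' has been busy for "620" seconds
EOF
cat > "$sample_dir/imsTrace.log" <<'EOF'
INFO | jvm 1 | main | 2019/03/27 19:20:42 | Exception in thread "OARequestHandler Dispatcher Thread" java.lang.OutOfMemoryError: Java heap space
INFO | jvm 1 | main | 2019/03/27 19:22:46 | Exception in thread "weblogic.GCMonitor" java.lang.OutOfMemoryError: Java heap space
STATUS | wrapper | main | 2019/03/27 19:23:05 | TERM trapped. Shutting down.
EOF

# Pass /opt/rsa/am/server/logs as the first argument to scan the appliance logs.
triage "${1:-$sample_dir}"
```

Non-zero counts for `oom` together with `stuck` or `txtimeout` match the symptom pattern this article addresses.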


    Prerequisites:

    • SSH access to the primary Authentication Manager server
    • Operating system credentials (rsaadmin or the username configured during Quick Setup)
    • Sufficient available RAM on the appliance (16–32 GB minimum recommended)
    • Operations Console administrator credentials (required to retrieve secrets if needed)

 

Tasks

To resolve this issue:

  1. Increase both console and biztier heap size memory allocation in: 
    /opt/rsa/am/config/src/scripts/Config.groovy
  2. Reboot the RSA Authentication Manager server.

Resolution

Task 1: Increase Heap Size in Config.groovy

  1. Log in to the primary Authentication Manager server via SSH using the operating system credentials.
    NOTE: If a different username was selected during Quick Setup, use that username instead of rsaadmin.
    NOTE: If SSH is not enabled on the Authentication Manager instance, enable it before proceeding. For instructions, see Enable Secure Shell on the Appliance.

  2. Navigate to the Config.groovy scripts directory: 
    cd /opt/rsa/am/config/src/scripts/

     

  3. Back up the original Config.groovy file:
    cp Config.groovy Config.groovy.orig

     

  4. Open the Config.groovy file for editing using vi and press I to enter edit mode.
    vi Config.groovy

     

  5. Under the heapsizes normal section, update the biztier and console values for the 8G, 16G, and 32G memory profiles as follows:

     
    "8G" {
        opsconsole = "512m"
        biztier = "3072m"
        console = "2048m"
        radiusoc = "100m"
        quicksetup = "512m"
    }
    "16G" {
        opsconsole = "512m"
        biztier = "4096m"
        console = "4096m"
        radiusoc = "100m"
        quicksetup = "512m"
    }
    "32G" {
        opsconsole = "1024m"
        biztier = "10240m"
        console = "5120m"
        radiusoc = "256m"
        quicksetup = "512m"
    }

     

  6. Save and close the file:
    • Press Esc to exit edit mode.
    • Type :wq and press Enter to save and exit.
  7. Reboot the Authentication Manager server and wait for it to fully restart before proceeding.
    sudo reboot
  8. Verify: Confirm the updated heap sizes are active by running:
    ps -ef | grep biztier
    ps -ef | grep console

    The output should show the updated -Xms and -Xmx values matching your memory profile. For example:

    -Xms4096m -Xmx4096m
  9. Repeat Steps 1–8 on each replica server, one at a time.
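
A scripted form of the check in step 8, added here as an example (not RSA's code): it reads the expected value from a profile block and compares it with the -Xms/-Xmx flags of the running JVM, assuming both flags are set to the profile value as in the sample output above. The function names, the `ps` lines and the `-Dserver=` property are constructed for illustration, and `profile_value` reads the first block with the given profile name, so point it at the heapsizes normal section.

```shell
#!/bin/sh
# Added example: compare running JVM heap flags with the values set in step 5.

# profile_value FILE PROFILE KEY -> KEY's value in the first "PROFILE" { ... } block
profile_value() {
    awk -v p="$2" -v k="$3" '
        { t = $1; gsub(/"/, "", t) }
        t == p && $2 == "{" { inblk = 1; next }
        inblk && $1 == "}"  { exit }
        inblk && $1 == k    { gsub(/"/, "", $3); print $3; exit }' "$1"
}

# heap_flags NAME (ps -ef text on stdin) -> "<Xms> <Xmx>" of the JVM whose command
# line holds NAME as a whole token; "opsconsole" and the grep process do not match
heap_flags() {
    awk -v re="(^|[^A-Za-z0-9])$1([^A-Za-z0-9]|\$)" '
        $0 ~ re && /-Xmx/ {
            xms = xmx = "unset"
            for (i = 1; i <= NF; i++) {     # a repeated flag: the last one wins
                if ($i ~ /^-Xms/) xms = substr($i, 5)
                if ($i ~ /^-Xmx/) xmx = substr($i, 5)
            }
            print xms, xmx; exit
        }'
}

# check_heap NAME EXPECTED (ps text on stdin): returns 0 if both flags equal EXPECTED,
# 1 on a mismatch, 2 if no matching JVM is running
check_heap() {
    flags=$(heap_flags "$1")
    [ -n "$flags" ] || { echo "$1: no JVM found"; return 2; }
    [ "$flags" = "$2 $2" ] && { echo "$1: OK ($2)"; return 0; }
    echo "$1: MISMATCH running='$flags' expected='$2 $2'"; return 1
}

# Constructed sample data: part of the 16G block from step 5, and made-up ps -ef
# lines (the -Dserver= property is hypothetical; real command lines differ).
tmp=$(mktemp -d)
printf '"16G" {\n    biztier = "4096m"\n    console = "4096m"\n}\n' > "$tmp/Config.groovy"
cat > "$tmp/ps.txt" <<'EOF'
rsaadmin 2101    1 0 09:00 ?     00:01:10 java -Xms512m -Xmx512m -Dserver=opsconsole
rsaadmin 2207    1 3 09:00 ?     00:09:41 java -Xms4096m -Xmx4096m -Dserver=biztier
rsaadmin 2315    1 2 09:00 ?     00:05:02 java -Xms2048m -Xmx2048m -Dserver=console
rsaadmin 3001 2950 0 09:30 pts/0 00:00:00 grep console
EOF
for srv in biztier console; do
    check_heap "$srv" "$(profile_value "$tmp/Config.groovy" 16G "$srv")" < "$tmp/ps.txt" || true
done
# On the appliance: ps -ef | check_heap biztier 4096m
```

In the constructed data the console JVM still runs with 2048m, so the script reports a mismatch for it, which is what a server that has not yet picked up the new profile value would look like.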

Task 2: Reduce LDAP Group Search Memory Consumption (Optional)

  1. Log in to the Operations Console.

  2. Navigate to Deployment Configuration > Identity Sources > Manage Existing.

  3. Click the context arrow next to the identity source and choose Edit.

  4. Click the Map tab.

  5. Scroll to Directory Configuration — User Groups.

  6. For Search Scope, change the value from Search all sublevels to Search only single level.

  7. Under Use MemberOf Attribute, clear the option Enable the use of the MemberOf attribute.

    Before: [screenshot: LDAP group search]
    After: [screenshot: No Member of]
  8. Click Save or Save and Finish.

  9. Verify: Confirm the identity source settings have been saved and monitor the Security Console for recurrence of the OutOfMemoryError.

Notes
  • Wrapper Configuration Files: There is no need to manually update wrapper.java.additional entries 35 and 36 in /opt/rsa/am/server/wrapper/BiztierServerWrapper.conf or ConsoleServerWrapper.conf. These files are automatically updated by Config.groovy after reboot. However, if you apply the same heap size changes directly to both wrapper files, you can apply the changes without a full reboot by restarting Authentication Manager services instead:

    /opt/rsa/am/server/rsaserv restart all
    
    
  • Memory Allocation Principles: Increasing heap size is only effective when the appliance has spare RAM available. If spare RAM is not available, consider reducing the scope of resource-intensive operations such as LDAP group searches (see Task 2) rather than increasing allocations.

  • User Dashboard Memory Impact: The Security Console User Dashboard performs resource-intensive queries across all identity sources, including group membership, authentication history, and accessible agent information. If Help Desk administrators do not require all this data, restricting LDAP group search scope (Task 2) can significantly reduce memory consumption.

  • Alternative Memory Approaches: There are three ways to address OutOfMemoryError issues in Authentication Manager:

    • Allocate more memory (Task 1) — if spare RAM is available
    • Reduce resource consumption (Task 2) — by adjusting LDAP group search settings
    • Apply both approaches together for maximum effect