SSF Tools Server Specific Task Launcher User Guide
SSF_Tools_ServerSpecificTaskLauncher_UserGuide
User Manual:
Open the PDF directly: View PDF 
.
Page Count: 9
| Download | |
| Open PDF In Browser | View PDF |
SSF Tools: Server-Specific Task Launcher User Guide Document Revision History Revision Date April 2017 December 2017 Written/Edited By Paul Wheeler Paul Wheeler Comments First release with SSD v4 Minor update for SSD v5 © Copyright 2017 SailPoint Technologies, Inc., All Rights Reserved. SailPoint Technologies, Inc. makes no warranty of any kind with regard to this manual, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. SailPoint Technologies shall not be liable for errors contained herein or direct, indirect, special, incidental or consequential damages in connection with the furnishing, performance, or use of this material. Restricted Rights Legend. All rights are reserved. No part of this document may be photocopied, reproduced, or translated to another language without the prior written consent of SailPoint Technologies. The information contained in this document is subject to change without notice. Use, duplication or disclosure by the U.S. Government is subject to restrictions as set forth in subparagraph (c) (1) (ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 for DOD agencies, and subparagraphs (c) (1) and (c) (2) of the Commercial Computer Software Restricted Rights clause at FAR 52.227-19 for other agencies. Regulatory/Export Compliance. The export and reexport of this software is controlled for export purposes by the U.S. Government. By accepting this software and/or documentation, licensee agrees to comply with all U.S. and foreign export laws and regulations as they relate to software and related documentation. Licensee will not export or reexport outside the United States software or documentation, whether directly or indirectly, to any Prohibited Party and will not cause, approve or otherwise intentionally facilitate others in so doing. A Prohibited Party includes: a party in a U.S. embargoed country or country the United States has named as a supporter of international terrorism; a party involved in proliferation; a party identified by the U.S. Government as a Denied Party; a party named on the U.S. Government's Entities List; a party prohibited from participation in export or reexport transactions by a U.S. Government General Order; a party listed by the U.S. Government's Office of Foreign Assets Control as ineligible to participate in transactions subject to U.S. jurisdiction; or any party that licensee knows or has reason to know has violated or plans to violate U.S. or foreign export laws or regulations. Licensee shall ensure that each of its software users complies with U.S. and foreign export laws and regulations as they relate to software and related documentation. Trademark Notices. Copyright © 2017 SailPoint Technologies, Inc. All rights reserved. SailPoint, the SailPoint logo, SailPoint IdentityIQ, and SailPoint Identity Analyzer are trademarks of SailPoint Technologies, Inc. and may not be used without the prior express written permission of SailPoint Technologies, Inc. All other trademarks shown herein are owned by the respective companies or persons indicated. Server-Specific Task Launcher User Guide Page 2 of 9 Table of Contents Introduction ........................................................................................................................................ 4 Components ....................................................................................................................................... 4 Installation .......................................................................................................................................... 4 How the Server-Specific Task Launcher Works.................................................................................. 5 Single-Server, Non-Partitioned Tasks ............................................................................................. 5 Multi-Server and/or Partitioned Tasks ............................................................................................. 5 How to use the Server-Specific Task Launcher .................................................................................. 5 Other Settings .................................................................................................................................... 7 Include Maintenance Partitions ....................................................................................................... 7 Task Start Timeout ......................................................................................................................... 7 Partitioned Task Finish Timeout...................................................................................................... 8 Limitations .......................................................................................................................................... 8 Server-Specific Task Launcher User Guide Page 3 of 9 Introduction In a multi-server environment, IdentityIQ provides the ability to run a task on any available server that is configured for task execution. However, in versions of IdentityIQ earlier than 7.2 the out-of-the-box product does not provide an easy way to run a given task on a specified server. Furthermore, a partitioned task can be run across all servers that are configured for task execution, but there is no easy way in any version of IdentityIQ to specify a group of servers that should run a given task without modifying the configuration. It would sometimes be useful to be able to run a non-partitioned task on a single specified server, or a partitioned task on a group of specified servers. The Server-Specific Task Launcher provides a solution for this. The Server-Specific Task Launcher may be useful in the following cases: • • • • Troubleshooting issues with a task and ensuring logs are always written to the same location Running tasks that export data to a local filesystem where it is important that the file is exported to the same server Aggregating files where there is no shared storage and the file will only be available on one server Running partitioned aggregation and refresh tasks on all available servers out of normal working hours, making UI servers temporarily available as task servers The Task Launcher is compatible with non-partitioned tasks and with partitioned tasks for account aggregation, identity refresh and role propagation. Components The Server-Specific Task Launcher includes these files: File name ServerSpecificTaskLauncher.java TaskLauncherService.java ServerSpecificTaskLauncher_TaskDefinition.xml Description The main Task Executor Java class A service for launching single-server nonpartitioned tasks The TaskDefinition object for the task ServerSpecificTaskLauncher_ServiceDefinition.xml The ServiceDefinition object for the service Installation The Server-Specific Task Launcher is installed by default with the SSD. If you are not using the SSD, the following procedure can be used to install it manually: 1. Compile the two Java classes and copy the resulting class files to: WEB-INF/classes/sailpoint/services/standard/tasklauncher 2. Import the two XML files using one of the following methods: • Open iiq console and use the ‘import’ command: Server-Specific Task Launcher User Guide Page 4 of 9 import/ ServerSpecificTaskLauncher_TaskDefinition.xml import / ServerSpecificTaskLauncher_ServiceDefinition.xml • In the UI use the “Import from File” functionality under Global Settings (IdentityIQ 7.0 and later) or System Setup (previous versions) 3. Restart the application servers. How the Server-Specific Task Launcher Works The Server-Specific Task Launcher uses two different methods of launching a task on a specific server or servers depending on whether the task to be launched has partitioning enabled and whether a single server or multiple servers are selected to run it. Single-Server Non-Partitioned Tasks For a single-server non-partitioned task, the task launcher uses the TaskLauncherService, which runs on every server. The launcher task creates a Custom object with a name in this format: _launchtask_ The Custom object has the task name as an attribute. When a server runs the TaskLauncher service (by default every 30 seconds) it checks for a Custom object that has a name starting with a concatentation of the name of the server that the service is running on and “_launchtask_” and, if it finds one, launches the task whose name is stored in the object directly on that server (bypassing the task scheduler). Multi-Server and/or Partitioned Tasks If the task to be launched has partitioning enabled or if multiple servers are selected to run the task, the launcher task temporarily modifies the “Task” and “Request” ServiceDefinition objects. These each have a “hosts” property that defines which servers are permitted to run tasks or process partitions (amongst other things). The Server-Specific Task Launcher modifies the “hosts” property with the names of the servers specified by the user, but only until the task has launched and (where applicable) all partitions have been assigned hosts, after which the previous values are written back, the Task Launcher closes and the launched task continues running until completion on the specified server(s). IdentityIQ only polls the ServiceDefinition objects once every 60 seconds, so when using this method of launching a task the Task Launcher must pause for 60 seconds after changing the values of the ServiceDefinition hosts before launching the task. How to use the Server-Specific Task Launcher In order to use the Task Launcher it is necessary to create a new instance of the launcher from the template Task Definitions. To do this, go to Setup -> Tasks (or Monitor -> Tasks in versions of IdentityIQ earlier than 7.0). Click “New Task” and create a new task instance for “Server-Specific Task Launcher”: Server-Specific Task Launcher User Guide Page 5 of 9 The New Task screen will appear for the Server-Specific Task Launcher as shown below: Give the Task Launcher instance a name, then in the “Task to launch” field select the task you want to launch from the dropdown. The “Run on servers” multi-select field lists all the servers that are currently online; select the server(s) from this list that you want to run the task on. For a non-partitioned task, selection of a single server will cause the task to be launched on that server, or if you select multiple servers any one of them will run it. If the selected task is partitioned, its execution may be shared by Server-Specific Task Launcher User Guide Page 6 of 9 any or all of the selected servers. Save and execute the task, or save it and schedule for execution later. The Task Results page for the Task Launcher will provide information on progress. When it has launched the selected task and has finished it will display the server(s) that the task was launched on. Other Settings The task has some hidden settings that are only editable in the Debug screen in IdentityIQ. The TaskDefinition for each Task Launcher instance can be edited to modify these settings. Include Maintenance Partitions By default, for partitioned aggregation tasks the Task Launcher will only ensure that the partitions that are concerned with the aggregation activities are launched on the selected servers since these are usually the partitions that are associated with most of the workload. When these partitions are completed an optional “Check Deleted Objects” partition and a “Finish Aggregation” partition are processed. However, it may take a long time for these maintenance partitions to start processing as they can only commence once the aggregation partitions have finished, and the hosts on which these maintenance partitions run is only determined after the aggregation partitions have completed. To avoid waiting for this and to ensure the Task Launcher can set the ServiceDefinition hosts back as early as possible and finish its work, the default setting is to not wait for the assignment of hosts on the maintenance partitions, so it is possible that they will run on servers other than those selected in the Task Launcher. Similarly, partitioned role propagation tasks are not monitored by default for their “Finish Role Propagation” partition to have a host assigned. To force the Task Launcher to wait for assignment of hosts for maintenance partitions so that they will always run on the selected servers, add this to the attributes map in the TaskDefinition for the Task Launcher instance: Task Start Timeout If a multi-server or partitioned task does not launch promptly it may be a sign of an issue with that task, but the Task Launcher is designed to time out if the selected task does not launch within a reasonable time, by default 2 minutes. This helps to ensure the Task Launcher does not take too long to reset the original hosts values in the ServiceDefinition objects. To change this timeout, set the taskStartTimeout value in the TaskDefinition to the required number of seconds. For example, this will make it time out after 5 minutes Server-Specific Task Launcher User Guide Page 7 of 9 Partitioned Task Finish Timeout Some partitioned tasks can take a long time for all partitions to be assigned hosts, so the Task Launcher has a timeout after which it sets the original hosts values back in the ServiceDefinition objects, by default 2 hours. Any further assignment of hosts to partitions will use the original hosts values. To change this timeout, set the partitionedTaskFinishTimeout value in the TaskDefinition to the required number of seconds. For example, this will make it time out after 3 hours: Limitations The Server-Specific Task Launcher has the following limitations: • • • • • For a single-server non-partitioned task, the task will launch when the server selected to launch the task runs the TaskLauncher service and queries for a Custom object intended for that server. There may be a short delay in this process because the service runs at a defined frequency (every 30 seconds by default). This is defined in the “interval” property of the TaskLauncher ServiceDefinition object. While the interval can be decreased by modifying this value, care should be taken when doing this. It is not recommended that this value be decreased to a value below 15 seconds, in order to avoid potential performance issues that might occur if it runs too frequently. For a multi-server or partitioned task, the Task Launcher must pause for 60 seconds before launching the selected task; this is to allow IdentityIQ time to poll for the new hosts settings in the ServiceDefinition objects. For a multi-server or partitioned task, when an instance of the Server-Specific Task Launcher is running it will be possible to run another instance to launch a different multi-server or partitioned task (either through setting the Task Launcher instance to allow concurrency or by creating a new Task Definition with a different name) but the second instance will wait until the first has completed before doing anything; this is because the first instance needs to set the original hosts values back in the ServiceDefinition object before the second instance changes them again to potentially different values. If any other task starts running (via a schedule or manually) while the Server-Specific Task Launcher is running for a multi-server or partitioned task, it will run on the same server(s) defined by the launcher because it will be referencing the same hosts values in the ServiceDefinition objects. If a task is started up to 60 seconds after the launcher has finished launching a multi-server or partitioned task it is possible that it will use the same servers defined by the launcher because of the 60 second frequency that IdentityIQ uses to poll the ServiceDefinition objects. The Server-Specific Task Launcher will not work for multi-server or partitioned tasks when the Task and Request servers are defined in the iiq.properties file using the environment.taskSchedulerHosts and environment.requestSchedulerHosts properties. This is Server-Specific Task Launcher User Guide Page 8 of 9 an older way of defining which servers are Task or Request servers, and this configuration should be moved into the ServiceDefinition objects for Task and Request. • The Server-Specific Task Launcher will not work with versions of IdentityIQ earlier than 6.2. Server-Specific Task Launcher User Guide Page 9 of 9
Source Exif Data:
File Type : PDF File Type Extension : pdf MIME Type : application/pdf PDF Version : 1.7 Linearized : No Page Count : 9 Language : en-US Tagged PDF : Yes XMP Toolkit : 3.1-701 Producer : Microsoft® Word 2016 Creator Tool : Microsoft® Word 2016 Create Date : 2017:12:15 10:16:56+00:00 Modify Date : 2017:12:15 10:16:56+00:00 Document ID : uuid:0321C683-DED6-4F08-A4D3-E549C5086FA1 Instance ID : uuid:0321C683-DED6-4F08-A4D3-E549C5086FA1 Creator : Microsoft® Word 2016EXIF Metadata provided by EXIF.tools