Shibboleth IdP Training: Productionalization
January, 2009
Java Virtual Machine Tuning
• For Sun JVM 5/6
• Server option
• Heap space settings
• Varies with available memory
• Min/Max settings
• Garbage collection
• Multi-CPU core option
• Disable explicit garbage collection
• https://spaces.internet2.edu/display/SHIB2/JVMTuning
Protecting your IdP
• Web application listening on ports 443/8443 by default
• General Apache HTTPD & Tomcat hardening will work with Shibboleth
Logging
• SHIB_HOME/logs/idp-process.log
• Default logging configuration splits logs on a daily basis – can be changed based on need
• Can be configured to send email notifications on certain message levels, such as ERROR
• https://spaces.internet2.edu/display/SHIB2/IdPProdLogging
Redundant Data Sources
• Define connections to redundant data sources
• Authentication – Login Handler
• Attribute resolver – Data Connector
Redundant Login Handlers
• Define an additional <LoginHandler>

    <LoginHandler xsi:type="UsernamePassword"
        jaasConfigurationLocation="file:///opt/shibboleth-idp/conf/login1.config">
        . . .
    </LoginHandler>
    <LoginHandler xsi:type="UsernamePassword"
        jaasConfigurationLocation="file:///opt/shibboleth-idp/conf/login2.config">
        . . .
    </LoginHandler>
Redundant Data Connectors
• Use <FailoverDataConnector>

    <resolver:DataConnector id="ldap1" xsi:type="LDAPDirectory"
        xmlns="urn:mace:shibboleth:2.0:resolver:dc"
        ldapURL="ldap://ldap1.example.org"
        . . .>
        <resolver:FailoverDataConnector ref="ldap2" />
        . . .
    </resolver:DataConnector>
    <resolver:DataConnector id="ldap2" xsi:type="LDAPDirectory"
        xmlns="urn:mace:shibboleth:2.0:resolver:dc"
        ldapURL="ldap://ldap2.example.org"
        . . .>
    </resolver:DataConnector>
Certificates
• Some federations operate their own CA
• End user browsers may not recognize the federation CA
• Use a different certificate for the authentication page
Metadata Signature Validation
• Metadata…
  • should be signed by the publisher
  • signatures should be validated
• InCommon does publish signed metadata
• Metadata provider definition
Metadata Signature Validation
• Download the InCommon signing certificate
• Add a metadata trust engine definition
• Add a metadata provider filter
• https://spaces.internet2.edu/display/SHIB2/IdPMetadataProvider
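The three steps above combined into one relying-party.xml fragment for IdP 2.x. This is an added example, not code from the slides or from the Shibboleth wiki; the provider id, the file paths and the metadata URL are placeholders to replace with your deployment's values, and the certificate file is assumed to hold the InCommon signing certificate downloaded in the first step.

```xml
<!-- Added example (not from the slides): metadata provider with signature validation.
     Paths, ids and the metadata URL below are placeholders for your deployment. -->

<!-- Step 3: the provider fetches federation metadata over HTTP and keeps a local
     backing copy so the IdP can still start when the publisher is unreachable. -->
<metadata:MetadataProvider id="InCommonMD"
        xsi:type="metadata:FileBackedHTTPMetadataProvider"
        metadataURL="https://METADATA_URL_PLACEHOLDER/InCommon-metadata.xml"
        backingFile="/opt/shibboleth-idp/metadata/InCommon-metadata.xml">
    <metadata:MetadataFilter xsi:type="metadata:ChainingFilter">
        <!-- Validate the XML signature against the trust engine defined below and
             refuse unsigned metadata outright instead of silently accepting it. -->
        <metadata:MetadataFilter xsi:type="metadata:SignatureValidation"
                trustEngineRef="shibboleth.MetadataTrustEngine"
                requireSignedMetadata="true"/>
    </metadata:MetadataFilter>
</metadata:MetadataProvider>

<!-- Step 2: the trust engine holds the signing certificate downloaded in step 1.
     StaticExplicitKeySignature accepts only signatures that verify against exactly
     this key; there is no CA chain or name matching involved. Note that in
     relying-party.xml the TrustEngine element follows the MetadataProvider. -->
<security:TrustEngine id="shibboleth.MetadataTrustEngine"
        xsi:type="security:StaticExplicitKeySignature">
    <security:Credential id="InCommonMetadataSigningCred"
            xsi:type="security:X509Filesystem">
        <!-- Assumed location of the InCommon metadata signing certificate (PEM). -->
        <security:Certificate>/opt/shibboleth-idp/credentials/inc-md-cert.pem</security:Certificate>
    </security:Credential>
</security:TrustEngine>
```

Because the trust engine is explicit-key, a rotated federation signing key means the metadata stops loading until the certificate file is updated, which is the safe failure mode for this check.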
High Availability/Clustering
• Clustering is supported, but documentation is limited
• Different types of clustering solutions
  • Failover
  • Load balancing
• Concerns
  • Session state preservation
  • Different architectures
High Availability/Clustering
• Configuration of Terracotta, an open source clustering solution, is provided
• Load-balancing is sufficient for most deployments
• https://spaces.internet2.edu/display/SHIB2/IdPCluster
Troubleshooting
• SHIB_HOME/logs/idp-process.log
• Common errors are documented in the wiki
• Time synchronization is important
• https://spaces.internet2.edu/display/SHIB2/IdPTroubleshootingCommonErrors