IdP Platform Recommendations
NOTE: The recommendations herein are just that, recommendations. Many other hardware/software variations can be used successfully; this is simply meant to give you an idea of what types of systems you should be looking at.
The following hardware is sufficient for deploying an IdP that could be used to learn about Shibboleth and demonstrate a small exemplar use case (on the order of 25-40 logins per minute).
- Pentium III class processor in the 1GHz range
- 512MB RAM
- 150MB storage
- Any ethernet card
The following hardware is suited for a production deployment supporting around 150 simultaneous requests.
- Xeon/Opteron class processor (mid-level spec)
- 2GB RAM
- Gigabit ethernet card
To increase availability, the production machines should have their hard drives mirrored (RAID 1). The use of multiple servers and load-balancing hardware is also suggested.
Single vs. Multiple (Core) Processors
Unlike most web applications, the IdP is CPU bound because of the large number of cryptographic operations it performs. Most multi-core systems sacrifice some CPU speed, because of thermal issues, in order to fit more cores on the chip. Since Java 1.5 most JVMs scale across cores, but our recommendation is still that faster cores are a better option than more cores. This results in lower response times (because the crypto operations complete more quickly) but slightly less overall throughput.
Generally the IdP is run within Tomcat with an Apache HTTP server front-end. Apache 2 and Java 1.5 are recommended. Be sure to tune both Apache and the JVM used by Tomcat appropriately.
The most influential tuning within Apache is the MPM used and how it is configured. The worker MPM is strongly encouraged. We recommend very few server processes and a fair number of threads within each (perhaps 3-5 servers and 75-100 threads).
Proper tuning of the JVM is the single most important factor in IdP performance (assuming you don't choke connections with an unreasonably restrictive Apache configuration). Assuming a Sun JVM, the following items should be configured:
- Use the server VM instead of the client VM by passing the -server flag
- Increase the amount of heap initially allocated using -Xms###M (where ### is the amount of memory in MB to allocate, probably somewhere around 256-512)
- Increase the maximum amount of memory that can be used using -Xmx###M (where ### is the amount of memory in MB to allocate, probably somewhere around 1024-1536; don't go above 1800, as on most boxes this is the upper limit of the JVM heap size, though Solaris and 64-bit OSs may be able to go higher)
- If your hardware has multiple processor cores, turn on the throughput garbage collector using the -XX:+UseParallelGC flag
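The following script is an added example, not part of this page or of the Shibboleth project, that turns the Apache worker MPM advice above (few server processes, many threads each) and the JVM flag list into generated configuration. It assumes the Apache 2.0/2.2 worker MPM directive names, a Sun HotSpot JVM, and that the output is pasted into httpd.conf and into a Tomcat setenv.sh (the 4-process / 100-thread and 512/1536 MB figures are constructed sample inputs inside the page's suggested ranges). It derives MaxClients from the other two numbers, since the worker MPM requires them to agree, and refuses heap settings that break the limits the page states.

```shell
#!/bin/sh
# Added example (not Shibboleth project code): emit an Apache worker MPM
# fragment and a Tomcat JVM option string from this page's tuning advice.
# Assumptions: Apache 2.0/2.2 worker MPM directives, Sun HotSpot JVM flags,
# output is pasted into httpd.conf and $CATALINA_HOME/bin/setenv.sh.

# Print a worker MPM fragment for N server processes with T threads each.
# worker requires MaxClients <= ServerLimit * ThreadsPerChild, so derive it
# instead of hand-editing three numbers that must stay consistent.
worker_mpm_conf() {
    servers="$1"
    threads="$2"
    max_clients=$((servers * threads))
    cat <<EOF
<IfModule worker.c>
    StartServers         $servers
    ServerLimit          $servers
    ThreadsPerChild      $threads
    ThreadLimit          $threads
    MinSpareThreads      $threads
    MaxSpareThreads      $max_clients
    MaxClients           $max_clients
    MaxRequestsPerChild  0
</IfModule>
EOF
}

# Build JVM options for Tomcat from initial heap (MB), max heap (MB) and
# core count. Returns non-zero and prints nothing when the numbers violate
# the page's limits: -Xms must not exceed -Xmx, and -Xmx must stay at or
# under 1800MB on a 32-bit JVM (pass is64bit=1 to lift that cap, as the
# page allows for Solaris / 64-bit OSs).
jvm_opts() {
    xms="$1"; xmx="$2"; cores="$3"; is64bit="${4:-0}"
    if [ "$xms" -gt "$xmx" ]; then
        echo "error: -Xms ($xms) larger than -Xmx ($xmx)" >&2
        return 1
    fi
    if [ "$is64bit" -eq 0 ] && [ "$xmx" -gt 1800 ]; then
        echo "error: -Xmx $xmx exceeds the 1800MB 32-bit JVM limit" >&2
        return 1
    fi
    opts="-server -Xms${xms}M -Xmx${xmx}M"
    # The throughput collector only pays off with more than one core.
    if [ "$cores" -gt 1 ]; then
        opts="$opts -XX:+UseParallelGC"
    fi
    echo "$opts"
}

# Constructed sample: dual-core production box, 4 Apache processes x 100 threads.
worker_mpm_conf 4 100
echo "CATALINA_OPTS=\"$(jvm_opts 512 1536 2)\""
```

Running the script prints the worker fragment and a CATALINA_OPTS line; redirect each into the appropriate file rather than copying by hand, so the three MPM numbers and the heap bounds are recomputed whenever you change a single input.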