Shibboleth Tutorial: Origins
John Ball, SUNY at Buffalo
john@buffalo.edu

Origin Deployment
- UB Shibboleth deployment
- Performance
- Infrastructure
- Origin plans
- WebISO?
- SSL
- Hardware/OS
- Testing
- Other issues

UB Shib Deployment
- Deploying in a load balanced/HA scenario
- Virtualized services
  - Both Auth and Web application farm
- 4 Geographic locations
- Initially internal application use

Performance
- Benchmarked current peaks
  - DCE on Solaris
  - Apache Web servers
- Peaks for our busiest web service ~5500 unique “auths” per hour or 92 per minute
- Originally estimated peak Shib capacity to be 1.84 auths per second
  - with WebISO (Cosign) and Java encryption

Performance
- Other considerations:
  - Auth session length
  - Commitment to less than 5 seconds
  - Goal of 1-2 seconds maximum

Original Plans
- Originally using 4 Sun V120s
- Originally using Java for SSL
- Originally using Shib with Cosign

WebISO?
- Removed Cosign from our plans for now
- Using Tomcat load balancing
- This has an impact on our original HA plans
- Can we save Tomcat session state?

SSL
- Now using native JCE SSL
- Significant performance gains

Hardware
- UB historically a Sun shop
- Started with 4 Sun V120s
- Moved to 4 Sun 280Rs
  - Dual CPU
  - Sun Crypto Accelerator cards
- Performance still CPU bound
- Moved to Linux on 2 “borrowed” Dell 6650s (used the 280s for our LDAP)

Hardware/OS
- Recently purchased 12 Dell 1750s
  - Dual Xeon 3.2G CPUs
- The more CPUs the better
- Plans to deploy 2 Dells per location for production

Testing/Tweaking
- Testing load using Webload and JMeter
- Tweaking and testing
  - Capacity
  - Session times

Other issues
- Still working on a “500” page error about every 500 auths – Tomcat issue?
  - This may be fixed in a newer version of Tomcat
  - This has been seen at other locations
- Cisco CSS configuration
- Kerberos plug-in for LDAP bug
- Slides: 14