Java Virtual Machine Tuning
• For Sun JVM 5/6
• Server option
• Heap space settings
• Varies with available memory
• Min/Max settings
• Garbage collection
• Multi-CPU core option
• Disable explicit garbage collection
• https://spaces.internet2.edu/display/SHIB2/JVMTuning
Protecting your IdP
• Web application listening on ports 443/8443 by default
• General Apache HTTPD & Tomcat hardening will work with Shibboleth
Logging
• SHIB_HOME/logs/idp-process.log
• Default logging configuration splits logs on a daily basis; this can be changed based on need
• Can be configured to send email notifications on certain message levels, such as ERROR
• https://spaces.internet2.edu/display/SHIB2/IdPProdLogging
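As an added example (not from the slides), the email notification mentioned above can be done with a logback SMTPAppender in SHIB_HOME/conf/logging.xml, since the IdP 2 logging configuration is logback-based. The mail host, addresses and appender name below are assumed values; the appender is attached to the root logger alongside the existing file appender so that the daily process log is unaffected:

```xml
<!-- Added example: mail ERROR-level events to the IdP operators.
     smtp.example.org, the addresses and the appender name are assumptions. -->
<appender name="IDP_ERROR_MAIL" class="ch.qos.logback.classic.net.SMTPAppender">
    <smtpHost>smtp.example.org</smtpHost>
    <to>idp-operators@example.org</to>
    <from>idp@example.org</from>
    <subject>IdP ERROR: %logger{20} - %m</subject>
    <!-- Only ERROR events enter this appender; lower levels stay in idp-process.log -->
    <filter class="ch.qos.logback.classic.filter.ThresholdFilter">
        <level>ERROR</level>
    </filter>
    <layout class="ch.qos.logback.classic.PatternLayout">
        <pattern>%date{ISO8601} - %level [%logger:%line] - %msg%n</pattern>
    </layout>
</appender>

<!-- Keep the existing file appender (assumed here to be named IDP_PROCESS)
     and add the mail appender next to it. -->
<root level="INFO">
    <appender-ref ref="IDP_PROCESS" />
    <appender-ref ref="IDP_ERROR_MAIL" />
</root>
```

SMTPAppender sends one message per triggering event by default, so on a busy IdP a burst of errors (for example a directory outage) produces a burst of mail; point it at a list or ticket queue rather than a personal mailbox, and confirm the first message arrives before relying on it for alerting.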
Redundant Data Sources
• Define connections to redundant data sources
• Authentication – Login Handler
• Attribute resolver – Data Connector
Redundant Login Handlers
• Define an additional <LoginHandler>, each pointing at its own JAAS configuration file:

  <LoginHandler xsi:type="UsernamePassword"
      jaasConfigurationLocation="file:///opt/shibboleth-idp/conf/login1.config">
      . . .
  </LoginHandler>
  <LoginHandler xsi:type="UsernamePassword"
      jaasConfigurationLocation="file:///opt/shibboleth-idp/conf/login2.config">
      . . .
  </LoginHandler>
Redundant Data Connectors
• Use <FailoverDataConnector> inside the primary connector to name the connector that takes over when it fails:

  <resolver:DataConnector id="ldap1" xsi:type="LDAPDirectory"
      xmlns="urn:mace:shibboleth:2.0:resolver:dc"
      ldapURL="ldap://ldap1.example.org"
      . . .>
      <resolver:FailoverDataConnector ref="ldap2" />
      . . .
  </resolver:DataConnector>
  <resolver:DataConnector id="ldap2" xsi:type="LDAPDirectory"
      xmlns="urn:mace:shibboleth:2.0:resolver:dc"
      ldapURL="ldap://ldap2.example.org"
      . . .>
      . . .
  </resolver:DataConnector>
Certificates
• Some federations operate their own CA
• End user browsers may not recognize the federation CA
• Use a different certificate for the authentication page
Metadata Signature Validation
• Metadata…
• should be signed by the publisher
• signatures should be validated
• InCommon does publish signed metadata
• Metadata provider definition
Metadata Signature Validation
• Download the InCommon signing certificate
• Add a metadata trust engine definition
• Add a metadata provider filter
• https://spaces.internet2.edu/display/SHIB2/IdPMetadataProvider
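The three steps above, carried through as an added example that is not from the slides or the Shibboleth project: a metadata provider definition for relying-party.xml whose SignatureValidation filter refers to a trust engine holding the federation's signing certificate. The provider id, the metadata URL (a placeholder here), the backing-file path and the certificate path are assumptions; the certificate is the one downloaded from InCommon in the first step:

```xml
<!-- Added example: federation metadata is accepted only if it carries a valid
     signature from the certificate named in the trust engine below.
     InCommonMD, the URL and the file paths are assumed values. -->
<metadata:MetadataProvider id="ShibbolethMetadata" xsi:type="metadata:ChainingMetadataProvider">

    <metadata:MetadataProvider id="InCommonMD" xsi:type="metadata:FileBackedHTTPMetadataProvider"
                               metadataURL="https://md.example.org/PLACEHOLDER-federation-metadata.xml"
                               backingFile="/opt/shibboleth-idp/metadata/InCommon-metadata.xml">
        <metadata:MetadataFilter xsi:type="metadata:ChainingFilter">
            <!-- Verify the XML signature against the trust engine; with
                 requireSignedMetadata="true" an unsigned file is rejected
                 rather than silently accepted. -->
            <metadata:MetadataFilter xsi:type="metadata:SignatureValidation"
                                     trustEngineRef="shibboleth.MetadataTrustEngine"
                                     requireSignedMetadata="true" />
        </metadata:MetadataFilter>
    </metadata:MetadataProvider>

</metadata:MetadataProvider>

<!-- Trust engine step: the signature is checked against this exact key,
     not against a CA chain, so only the downloaded signing certificate matters. -->
<security:TrustEngine id="shibboleth.MetadataTrustEngine" xsi:type="security:StaticExplicitKeySignature">
    <security:Credential id="FederationMetadataSigningCert" xsi:type="security:X509Filesystem">
        <security:Certificate>/opt/shibboleth-idp/credentials/inc-md-cert.pem</security:Certificate>
    </security:Credential>
</security:TrustEngine>
```

Verify the configuration by restarting the IdP and reading idp-process.log: a provider whose metadata fails signature validation does not load, and the failure is logged at ERROR level, which is exactly the condition the email notification from the logging slide is meant to surface. Replace the signing certificate file whenever the federation rotates its key, otherwise the same check will reject the legitimately re-signed metadata.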
High Availability/Clustering
• Clustering is supported, limited documentation
• Different types of clustering solutions
• Failover
• Load balancing
• Concerns
• Session state preservation
• Different architectures
High Availability/Clustering
• Configuration of Terracotta, an open source clustering solution, is provided
• Load-balancing is sufficient for most deployments
• https://spaces.internet2.edu/display/SHIB2/IdPCluster