1. Shibboleth Tutorial Origins John Ball SUNY at Buffalo john@buffalo.edu

2. Origin Deployment  UB Shibboleth deployment  Performance  Infrastructure  Origin plans  WebISO?  SSL  Hardware/OS  Testing  Other issues

3. UB Shib Deployment  Deploying in a load balanced/HA scenario  Virtualized services Both Auth and Web application farm  4 Geographic locations  Initially internal application use

6. Performance  Benchmarked current peaks DCE on Solaris Apache Web servers  Peaks for our busiest web service ~5500 unique “auths” per hour or 92 per minute  Originally estimated peak Shib capacity to be 1.84 auths per second with WebISO (Cosign) and Java encryption

7. Performance  Other considerations: Auth session length Commitment to less than 5 seconds Goal of 1-2 seconds maximum

8. Original Plans  Originally using 4 Sun V120s  Originally using Java for SSL  Originally using Shib with Cosign

9. WebISO?  Removed Cosign from our plans for now  Using Tomcat load balancing  This has an impact on our original HA plans  Can we save Tomcat session state?

10. SSL  Now using native JCE SSL  Significant performance gains

11. Hardware  UB Historically a Sun shop  Started with 4 Sun V120s  Moved to 4 Sun 280Rs Dual CPU Sun Crypto Accelerator cards  Performance still CPU bound  Moved to Linux on 2 “borrowed” Dell 6650s (used the 280s for our LDAP)

12. Hardware/OS  Recently purchased 12 Dell 1750s Dual Xeon 3.2G CPUs  The more CPUs the better  Plans to deploy 2 Dells per location for production

13. Testing/Tweaking  Testing load using Webload and JMeter  Tweaking and testing Capacity Session times

14. Other issues  Still working on a “500” page error about every 500 auths –Tomcat issue? This may be fixed in a newer version of Tomcat This has been seen at other locations  Cisco CSS configuration  Kerberos plug-in for LDAP bug