1. Improving Shibboleth Origin Performance Walter Hoehn Internet2 Spring Member Meeting 2004

2. Origin Transaction Overhead  50-75% of transaction time falls into one of 3 categories SSL (browser->HS & SHAR->AA) –Performance considerations are well understood –Multiple processors, load distribution, hardware accelerators AA communication with backend data sources –Cost is variable, depending on infrastructure –Optimization is site dependant –We implemented caching in v1.0 Signing Operations in HS (public key encryption) –Low hanging fruit

3. Apache XML Security Library  Implements W3c XML Security standards XML Encryption Syntax & Processing XML Signature Syntax & Processing  Uses the JCA/JCE interfaces for crypto  Digitally signs SAML AuthN Assertions  Performance Bottleneck Latency Throughput  Library Optimizations included in 1.1

4. JuiCE  JCE -> OpenSSL using JNI  Plugs into existing java apps without modification  Apache, here we come!  OpenSSL Engine

5. Enough talk, show me the numbers…  Solaris - Sun Netra X1, 500mhz, 1gb RAM 160.3 ms - Sun JCE Provider 40.1 ms - JuiCE  OSX - Mac Dual 2ghz G5, 1gb RAM 12.3 ms- Sun JCE Provider 8.1 ms - JuiCE  Linux - 2.3 ghz Pentium 4, 1gb RAM 30 ms- Sun JCE Provider 9.4 ms - JuiCE

6. More numbers…  Solaris 75% improvement  Mac 34% improvement  Linux 69% improvement Averages 3 times faster!

7. Where do we go from here?  Further development of JuiCE Support for hardware crypto accelerators  Further optimization of XML Security Library  Shibboleth performance FAQ Best practices for configuration Hardware/Software platform recommendations Metrics Pitfalls

8. Walter Hoehn wassa@memphis.edu shib-users@internet2.edu juice-dev@xml.apache.org