Improving Shibboleth Origin Performance
Walter Hoehn
Internet2 Spring Member Meeting 2004

Origin Transaction Overhead
50-75% of transaction time falls into one of 3 categories:
- SSL (browser->HS & SHAR->AA)
  – Performance considerations are well understood
  – Multiple processors, load distribution, hardware accelerators
- AA communication with backend data sources
  – Cost is variable, depending on infrastructure
  – Optimization is site dependent
  – We implemented caching in v1.0
- Signing operations in HS (public key encryption)
  – Low-hanging fruit

Apache XML Security Library
- Implements W3C XML Security standards
  – XML Encryption Syntax & Processing
  – XML Signature Syntax & Processing
- Uses the JCA/JCE interfaces for crypto
- Digitally signs SAML AuthN Assertions
- Performance bottleneck
  – Latency
  – Throughput
- Library optimizations included in 1.1

JuiCE
- JCE -> OpenSSL using JNI
- Plugs into existing Java apps without modification
- Apache, here we come!
- OpenSSL Engine

Enough talk, show me the numbers…
- Solaris - Sun Netra X1, 500 MHz, 1 GB RAM
  – ms - Sun JCE Provider
  – 40.1 ms - JuiCE
- OSX - Mac Dual 2 GHz G5, 1 GB RAM
  – 12.3 ms - Sun JCE Provider
  – 8.1 ms - JuiCE
- Linux - GHz Pentium 4, 1 GB RAM
  – 30 ms - Sun JCE Provider
  – 9.4 ms - JuiCE

More numbers…
- Solaris: 75% improvement
- Mac: 34% improvement
- Linux: 69% improvement
- Averages 3 times faster!

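Per-signature timings of this kind can be measured through the same JCA provider interface the XML Security library uses. The following is an added example, not code from the presentation, Shibboleth or JuiCE; the algorithm (SHA256withRSA), the 2048-bit key, the payload size and the iteration counts are assumptions, and it times whichever providers happen to be installed in the running JVM.

```java
import java.security.*;

public class SignLatency {
    static final String ALG = "SHA256withRSA"; // assumption: the slides name no algorithm
    static final int WARMUP = 200, RUNS = 500; // assumption: illustrative iteration counts

    static byte[] sign(Signature s, PrivateKey key, byte[] data) throws GeneralSecurityException {
        s.initSign(key);
        s.update(data);
        return s.sign();
    }

    // Mean milliseconds per signature when the JCA is pinned to one provider.
    static double meanSignMillis(Provider p, KeyPair kp, byte[] data) throws GeneralSecurityException {
        Signature s = Signature.getInstance(ALG, p);
        for (int i = 0; i < WARMUP; i++) sign(s, kp.getPrivate(), data); // let the JIT settle
        byte[] sig = null;
        long start = System.nanoTime();
        for (int i = 0; i < RUNS; i++) sig = sign(s, kp.getPrivate(), data);
        long elapsed = System.nanoTime() - start;

        // A faster provider is only usable if other implementations accept its
        // output, so verify the last signature with the JVM's default provider.
        Signature v = Signature.getInstance(ALG);
        v.initVerify(kp.getPublic());
        v.update(data);
        if (!v.verify(sig)) {
            throw new SignatureException("signature from " + p.getName() + " did not verify");
        }
        return elapsed / 1e6 / RUNS;
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        byte[] data = new byte[2048]; // constructed stand-in for a canonicalized assertion

        for (Provider p : Security.getProviders()) {
            if (p.getService("Signature", ALG) == null) continue; // provider lacks the algorithm
            try {
                System.out.printf("%-14s %.2f ms/signature%n", p.getName(), meanSignMillis(p, kp, data));
            } catch (GeneralSecurityException | RuntimeException e) {
                // e.g. a hardware-backed provider that cannot use a software key
                System.out.printf("%-14s skipped: %s%n", p.getName(), e.getMessage());
            }
        }
    }
}
```

Because the application only asks the JCA for an algorithm, a native-backed provider added to the JVM's provider list appears in this loop with no change to the signing code.
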
Where do we go from here?
- Further development of JuiCE
  – Support for hardware crypto accelerators
- Further optimization of XML Security Library
- Shibboleth performance FAQ
  – Best practices for configuration
  – Hardware/Software platform recommendations
  – Metrics
  – Pitfalls

Walter Hoehn