Tuesday, August 9, 2016

OpenAM with Apache 2.0 as Reverse Proxy

I'm attending ForgeRock Identity Summit 2016 in Sydney today and the Unconference tomorrow.



The summit has just ended. The Unconference is the main reason I made the 8-hour trip from Singapore. To make the session more worthwhile for me, I decided to get refreshed on OpenAM again, in particular 13.5. (OK, I have to admit I have been busy with other products for the past few months, as we have won a big tender in Singapore.)

By the way, it is about time we upgrade the OpenAM in our labs. The current version is 11, and 13.5 has just been released. It's a good time to upgrade and, at the same time, learn about the new features.


While configuring OpenAM, I came across the tip for Cookie Domain. This used to be a mandatory field; it no longer is.



Found this in the documentation:
The default configuration sets the cookie domain based on the fully qualified domain name (FQDN) of the system. For an FQDN openam.example.com, the cookie domain is set to openam.example.com, the FQDN, by default.

So OpenAM will auto-populate the cookie domain for you, derived from your Server URL, which contains your FQDN. Smart, right? It's overdue.


There is also an interesting section on Apache 2.0 if you deploy it as a Reverse Proxy to a container like Tomcat, which is commonly used when deploying OpenAM.

In particular, I refer to the section on 1.8.1 Tuning Apache Multi-Processing Modules.

Apache 2.0 and later comes with Multi-Processing Modules (MPMs) that extend the basic functionality of a web server to support the wide variety of operating systems and customizations for a particular site.
The key area of performance tuning for Apache is to run in worker mode ensuring that there are enough processes and threads available to service the expected number of client requests. Apache performance is configured in the conf/extra/http-mpm.conf file. 
The key properties in this file are ThreadsPerChild and MaxClients. Together the properties control the maximum number of concurrent requests that can be processed by Apache. The default configuration allows for 150 concurrent clients spread across 6 processes of 25 threads each.

Then there is this Important Notice. 


For the policy agent notification feature, the MaxSpareThreads, ThreadLimit and ThreadsPerChild default values must not be altered; otherwise the notification queue listener thread cannot be registered.

Why? It would be good to explain the technical challenge behind this.
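To put the two quoted sections side by side, here is an added example of what the relevant fragments look like in an httpd configuration (my own illustration, not taken from the OpenAM documentation). The worker MPM block keeps the defaults the notice refers to (6 processes of 25 threads = 150 clients), and the proxy block forwards /openam to Tomcat; the hostname, port and directive file names are assumptions for this example.

```apache
# conf/extra/httpd-mpm.conf (assumed location; worker MPM, 2.0/2.2 directive names)
# Leave MaxSpareThreads, ThreadLimit and ThreadsPerChild at their defaults,
# as the policy agent notification notice requires.
<IfModule mpm_worker_module>
    StartServers          2
    ThreadLimit          64     # default; not altered
    ThreadsPerChild      25     # default; not altered
    MinSpareThreads      25
    MaxSpareThreads      75     # default; not altered
    # Concurrency = processes x ThreadsPerChild: 6 x 25 = 150 concurrent clients.
    # To serve more clients, raise MaxClients (and ServerLimit if needed)
    # so that httpd starts more 25-thread processes instead of changing
    # the per-process thread settings.
    MaxClients          150
    MaxRequestsPerChild   0
</IfModule>

# httpd.conf (assumed): Apache as reverse proxy in front of Tomcat hosting OpenAM.
# Hostname and port are placeholders for this example.
ProxyRequests     Off          # reverse proxy only; never act as an open forward proxy
ProxyPreserveHost On           # pass the client's Host header through, so OpenAM
                               # sees the FQDN its Server URL and cookie domain are based on
ProxyPass         /openam http://openam-tomcat.example.com:8080/openam
ProxyPassReverse  /openam http://openam-tomcat.example.com:8080/openam
```

With ProxyPreserveHost off, Tomcat would see the backend hostname instead of the public FQDN, and a cookie domain derived from the Server URL would not match what the browser sends.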



