Cloud Access Manager 8.1.4 - Security and Best Practice Guide

Optimizing Cloud Access Manager for a production environment

Before deploying Cloud Access Manager, we recommend you perform the following steps to ensure Cloud Access Manager is optimized to handle the expected workload. Using this recommended configuration, a Proxy host can typically support up to 7,000 users and a Security Token Service (STS) host can typically support up to 15,000 users. You can add further Proxy and STS hosts to support more users and to provide high availability. For a production environment, we recommend that you deploy an additional Proxy host and STS host to provide high availability and protect against a single host failure. For example, a company with 20,000 users would typically deploy 4 Proxy hosts (20,000/7,000, rounded up, +1) and 3 STS hosts (20,000/15,000, rounded up, +1).

NOTE: If you are not proxying any applications, including the Cloud Access Manager portal, the number of Proxy hosts should match the number of STS hosts.

To confirm you have deployed a sufficient number of hosts to support your users we recommend you use a phased rollout approach. Start by rolling out Cloud Access Manager to a small subset of users and monitor the CPU and memory usage of the Cloud Access Manager hosts to ensure sufficient spare capacity to scale out to the entire user base. For some applications this approach will not be possible, for example with federated applications such as Salesforce or Office 365 where you have to switch over all users at the same time. In this situation, we recommend that you use a phased roll out of applications rather than users. Start with smaller applications and gradually add more when you have verified that sufficient spare resources are available on the Cloud Access Manager hosts.

For further information on how to install additional Cloud Access Manager hosts, please refer to the document entitled One Identity Cloud Access Manager How To Configure For High Availability.

Proxy hosts

One Identity Cloud Access Manager contains a reverse proxy to provide Single Sign-On (SSO) to web applications that do not support federation, for example basic, NT LAN Manager (NTLM), header and form authentication. The reverse proxy is also used to allow secure access to internal web applications from the Internet. When you access a proxied application, all communication between the web browser and the application goes through the proxy for the entire session, not only for the authentication.

For a production environment, we recommend that each proxy host has 9GB of physical memory and 8 processor cores. For example, two quad core processors giving a total of 8 cores spread over two processors.

A single proxy host can handle up to 12,000 concurrent connections. Modern web browsers typically use between 6 and 8 persistent HTTP connections when accessing an application. During idle periods, however, such as when a user is reading a page, a browser will often reduce this to a single connection, or even close all connections until the next user interaction. The browser can use each connection to send multiple HTTP requests to the application. The proxy closes a connection after it has processed 100 HTTP requests, or after the connection has been idle for 60 seconds; the browser then establishes a new connection the next time it needs to make an HTTP request. So, depending on the application you want to proxy, a single Proxy host will be able to support between 1,500 users (12,000/8) and 12,000 users (12,000/1). Our recommended maximum of 7,000 is an average of the two.
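The sizing rules above (the connection model, rounding up and adding one host for high availability, and the note that the Proxy host count should match the STS host count when nothing is proxied) as a small planning calculator. This is an added example, not part of the guide or of the product; the function names are ours.

```python
import math

# Capacity figures as stated in the guide for the recommended configuration.
PROXY_CONNECTION_LIMIT = 12_000   # concurrent connections a single Proxy host can handle
PROXY_USERS_PER_HOST = 7_000      # recommended planning figure per Proxy host
STS_USERS_PER_HOST = 15_000       # recommended planning figure per STS host


def users_per_proxy_host(connections_per_user: int) -> int:
    """Users one Proxy host can serve when each browser holds this many
    persistent connections: 8 -> 1,500 and 1 -> 12,000 (the guide's bounds)."""
    if not 1 <= connections_per_user <= PROXY_CONNECTION_LIMIT:
        raise ValueError("connections_per_user out of range")
    return PROXY_CONNECTION_LIMIT // connections_per_user


def hosts_needed(users: int, users_per_host: int, high_availability: bool = True) -> int:
    """ceil(users / capacity), plus one spare host to survive a single host failure."""
    if users <= 0:
        raise ValueError("users must be positive")
    hosts = math.ceil(users / users_per_host)
    return hosts + 1 if high_availability else hosts


def plan_deployment(users: int, proxying_applications: bool = True,
                    high_availability: bool = True) -> dict:
    """Number of Proxy and STS hosts for a user base. When no applications
    (not even the portal) are proxied, Proxy hosts match the STS host count."""
    sts = hosts_needed(users, STS_USERS_PER_HOST, high_availability)
    if proxying_applications:
        proxy = hosts_needed(users, PROXY_USERS_PER_HOST, high_availability)
    else:
        proxy = sts
    return {"proxy_hosts": proxy, "sts_hosts": sts}


if __name__ == "__main__":
    # The guide's worked example: 20,000 users -> 4 Proxy hosts and 3 STS hosts.
    print(plan_deployment(20_000))
```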

To support up to 12,000 concurrent connections, you must configure the proxy host to increase the number of persistent HTTP connections that it can support. This in turn requires greater memory allocation for the proxy. Please refer to Memory and HTTP connections for information on how to make the two changes required.

Memory

To support a larger number of persistent HTTP connections, first increase the amount of memory available to the proxy. For a production environment, we recommend that each proxy host has 9GB of physical memory, with 6GB of this memory allocated to the Java virtual machine (JVM) used by the proxy.

NOTE: These figures are intended as guidelines. Different operating systems may require more or less RAM to be allocated to them to function effectively. For instance, 8GB RAM may be sufficient for a proxy running on Windows Server Core OS with 6GB allocated to the JVM heap.

To configure the maximum amount of memory allocated to the Java virtual machine

Perform the following steps on the proxy host.

  1. Double-click <Installation location>\Cloud Access Manager Proxy\bin\CloudAccessManagerProxyw.exe on each proxy host to open the proxy service configuration tool.
  2. Click the Java tab.
  3. In the Maximum memory pool field, enter the value 6144, then click Apply to set the maximum amount of memory allocated to the Java Virtual Machine heap to 6GB.
  4. You must restart the proxy service for this setting to take effect. To restart the proxy service, click the General tab and then click Restart.

NOTE: Memory consumption of the proxy can exceed the amount allocated to the JVM heap. This is because Java allocates memory to other processes, such as a stack for each thread. Therefore, it is not unusual for the total memory used by the proxy to exceed the value allocated to the JVM heap by up to 10%.

Disk space

We recommend the following minimum disk space requirements are observed. For further information on installation requirements, please refer to the document entitled One Identity Cloud Access Manager Installation Guide.

Table 1: Disk space requirements

Hardware      Requirement   Host
Disk space    25GB          Proxy host
Disk space    50GB          STS host

NOTE: These recommended disk space values are intended as a general guideline. We suggest that you monitor disk space usage on all your servers to account for usage changes that occur over time, such as expanding log files (for example, from other applications such as IIS), a lifetime of Windows updates, and system backup data.