mace-opensaml-users - Re: Opensaml/xmlsec performance
Subject: OpenSAML user discussion
List archive
- From: Smith Baylor <>
- To: Scott Cantor <>
- Cc: Sanga Viswanathan <>,
- Subject: Re: Opensaml/xmlsec performance
- Date: Tue, 19 Oct 2004 12:57:47 -0700
- Domainkey-signature: a=rsa-sha1; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:references; b=nrhkmWtGBbLmdBUQoRLDbCWXe0ePrZh1mzXZYLodgsDOkt1CZg1Jqxu7Y+DtiH5AfhQTzo9tu2e/sEmKwJ0RqaQnTwtj2VT1QL/1wSkYgWPggZJdwYve2LHtstRKtObRVKGu9HbUzB31vheE85GQX7gKTkMksUajchWMXlVpgHw
No matter what you do, software version of XML security libraries will
not cut it. You will need a specialized appliance - fine tuned
hardware/software combination. Note that using Java will also degrade
performance here. You will need straight C with hardware acceleration
to do a reasonable job.
IBM or Sun folks may say use more hardware - but, my experience states
that this is a very expensive and a unreasonable proposition.
--Smith
On Thu, 14 Oct 2004 13:45:43 -0400, Scott Cantor
<>
wrote:
> > I have been using opensaml and was not signing the saml
> > assertions initially. When we had done performance testing,
> > we had gotten reasonable numbers. However now with signing
> > turned on, I see the response time degrade significantly.
>
> It will degrade pretty significantly no matter what you do, because the
> signing outweighs basically every XML operation. That said...
>
> > This gets worse as the load increases.
>
> This is because you're thrashing the CPU. No matter how fast it gets, if
> you're saturating the CPU, you need to keep the number of threads reasonable
> to avoid context switching overhead. With the old library you're using, we
> found that any more than about 5 active threads would kill a CPU. We didn't
> get good performance, but we got consistent performance if we throttled it.
>
> > I know there has been a lot of fixes put into the xmlsec-1.1
> > version and would like to know what your experience has been.
> > If I were to use the new xmlsec jar file, is that the only
> > jar to replace or the corresponding xalan jar is also needed.
>
> OpenSAML 1.0 includes xmlsec 1.1. It speeds up signing by roughly a factor
> of 3, so it's like night and day. If you're using an earlier version of my
> code, I can't promise the 1.1 version will work, since it isn't supported.
> Endorsing Xalan is only an issue if you're running JDK 1.4.2_05. Or you can
> grab the latest xmlsec cvs code that has a fix.
>
> -- Scott
>
>
- Opensaml/xmlsec performance, Sanga Viswanathan, 10/14/2004
- RE: Opensaml/xmlsec performance, Scott Cantor, 10/14/2004
- Re: Opensaml/xmlsec performance, Smith Baylor, 10/19/2004
- RE: Opensaml/xmlsec performance, Sanga Viswanathan, 10/19/2004
- Re: Opensaml/xmlsec performance, Smith Baylor, 10/19/2004
- RE: Opensaml/xmlsec performance, Scott Cantor, 10/14/2004
Archive powered by MHonArc 2.6.16.