OpenSAML user discussion

[Sanga Viswanathan <>]

Actually I got significant performance improvement with xmlsec-1.1 jar
files. It used to take around 300 to 500ms to sign when 30 to 50 concurrent
requests were being made and the older xmlsec library were being used. The
time went down to around  0 to 15ms with the new xmlsec-1.1 jar file.
The algorithm being used is sha1-hmac and I m using symmetric key. Maybe PKI
based signature would take longer time but for now I m happy with the
results I m getting.

-Sanga

-----Original Message-----
From: Smith Baylor 
[mailto:]
 
Sent: Tuesday, October 19, 2004 12:58 PM
To: Scott Cantor
Cc: Sanga Viswanathan; 

Subject: Re: Opensaml/xmlsec performance


No matter what you do, software version of XML security libraries will not
cut it.  You will need a specialized appliance - fine tuned
hardware/software combination.  Note that using Java will also degrade
performance here.  You will need straight C with hardware acceleration to do
a reasonable job.

IBM or Sun folks may say use more hardware - but, my experience states that
this is a very expensive and a unreasonable proposition.

--Smith


On Thu, 14 Oct 2004 13:45:43 -0400, Scott Cantor 
<>
 wrote:
> > I have been using opensaml and was not signing the saml assertions 
> > initially. When we had done performance testing, we had gotten 
> > reasonable numbers. However now with signing turned on, I see the 
> > response time degrade significantly.
> 
> It will degrade pretty significantly no matter what you do, because 
> the signing outweighs basically every XML operation. That said...
> 
> > This gets worse as the load increases.
> 
> This is because you're thrashing the CPU. No matter how fast it gets, 
> if you're saturating the CPU, you need to keep the number of threads 
> reasonable to avoid context switching overhead. With the old library 
> you're using, we found that any more than about 5 active threads would 
> kill a CPU. We didn't get good performance, but we got consistent 
> performance if we throttled it.
> 
> >  I know there has been a lot of fixes put into the xmlsec-1.1 
> > version and would like to know what your experience has been. If I 
> > were to use the new xmlsec jar file, is that the only jar to replace 
> > or the corresponding xalan jar is also needed.
> 
> OpenSAML 1.0 includes xmlsec 1.1. It speeds up signing by roughly a 
> factor of 3, so it's like night and day. If you're using an earlier 
> version of my code, I can't promise the 1.1 version will work, since 
> it isn't supported. Endorsing Xalan is only an issue if you're running 
> JDK 1.4.2_05. Or you can grab the latest xmlsec cvs code that has a 
> fix.
> 
> -- Scott
> 
>