Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 5 Next »

Introduction

This page includes useful information for the consideration of an environment specification and system recommendation for running Ubisecure Identity Server. Below you will find the currently supported software, actively tested browsers and hardware requirements and recommendations. All recommendations are based on an example reference environment of 100 000 active users with 100 logins per second as normal sustainable, non-impacting load.

These are not intended to highlight the minimum requirements but instead Ubisecure's recommendations in order to effectively run the Identity Server in a production environment.  Ubisecure performs release testing on a variety of environments for each release, using a combination of single and dual-node installations on Linux and Windows Server operating systems and with automated and manual regression testing performed by a variety of the listed supported browsers in their latest stable distribution. 

Your exact environment needs may need to be reviewed and altered depending on what types of workloads you run. Your workload is influenced for example by these factors (but not limited to):

  • Active users having user account in Ubisecure Directory and CustomerID database
  • Number of internal and external authentications 
  • Number of requests to Identity Server APIs
  • Number of interactions with CustomerID registration flows and Self-Service UI

Supported Browsers

Ubisecure Identity Server has been tested with the following desktop browsers

  • Google Chrome
  • Mozilla Firefox
  • Safari
  • Microsoft Edge

Ubisecure recommends to use the latest version of each browser

Supported Operating Systems

Ubisecure Identity Server supports a number of Linux distributions and Microsoft Windows Server

While RedHat 7 / Centos 7 are still being supported, it is possible to continue using those operating systems. Before their end of support, in June 2024, we recommend updating the operating system to RedHat 8 / Rocky Linux 8 or RedHat 9 / Rocky Linux 9

PlatformDistributionVersionsEOL
Linux distributions
Rocky Linux 

8

May 2029
Rocky Linux9*May 2032
RedHat Enterprise Linux7June 2024
RedHat Enterprise LinuxMay 2029
RedHat Enterprise Linux9*May 2032
Microsoft WindowsWindows Server2016January 2027


2019

January 2029

*) libxcrypt-compat package must be installed when using OpenLDAP on RHEL 9 based Linux distribution

Software Requirements

The following chapter lists the required software that is used to run Ubisecure Identity Server. Ubisecure lists the software that it uses internally to develop, test and operate Identity Server.

Java

Java 8 or 11 is required in order to run Ubisecure applications, including SSO, CustomerID and related components. Identity Server has been tested with the following Java builds. Releases from IDS 2022.1 (SSO 9.x.x and CustomerID 6.x.x) and later require a Java11 installation.

Customers are encouraged to update their installed Java version with the latest available patch release. The patch version noted in the table below was used at the time of release, but later Java patch versions will ensure the best available security levels are met. For example, Java 11 (11.0.14) was tested, but Java 11 (11.0.22) is available for customer use.

SSOCustomerIDBuildVersion
8.x.x5.x.xAdoptiumJava 8 (1.8.0_312)
Oracle CorporationJava 8 (1.8.0_312)

9.x.x

6.x.xAdoptiumJava 11 (11.0.14)
Oracle CorporationJava 11 (11.0.14)

RedHat OpenJDK

While we do support Centos 7, unfortunately, RedHat OpenJDK does not support an extensive amount of ciphers. Due to this limitation, we have not tested and therefore cannot recommend using RedHat OpenJDK. Please ensure you use one of the supported versions of Java shown above.

Databases

Ubisecure Directory

Ubisecure Directory requires an LDAP implementation. Identity Server supports the following LDAP implementations

LDAP implementationVersionNotes
OpenLDAP2.5.16Included in the SSO Linux distribution package. The used database backend is Memory-Mapped Database (MDB)
Microsoft AD-LDSWindows Server 2016, Windows Server 2019Tested with the version included in the respective Microsoft Windows Server version

Relational Databases

CustomerID and Accounting support the following Relational Databases

DatabaseVersionUpgradeEOL
PostgreSQL9.69.5->9.6November 2021
PostgreSQL129.6 → 12November 2024
PostgreSQL1412 → 14November 2026
PostgreSQL1614 → 16November 2028

PostgreSQL 16

We have completed testing of PostgreSQL 16.1 with IDS 2024.1 releases. This offers support for installations through November 2028. If you have any concerns, please open a ticket with support. We will be happy to review your environment and ensure that it will continue to operation smoothly. 

Note: PostgreSQL 9.6 is no longer recommended for use with any SSO 9.x.x or CID 6.x.x release versions. 

PostgreSQL JDBC Driver

Currently tested PostgreSQL JDBC driver version is 42.7.1

For upgrading PostgreSQL from 9.6 to 12, follow PostgreSQL official documentation for upgrading with pg_dumpall (https://www.postgresql.org/docs/12/upgrading.html). We have created Knowledge Base "How-to" article with information how we have tested the upgrade and also include estimated migration times. See Upgrade and migrate to new version of PostgreSQL


Redis

In high-performance deployments Ubisecure Identity Server uses Redis as a session storage. Identity Server has been tested with version 7.2.4. For more information, please refer to Use Redis with Identity Server.

Hardware recommendations

These hardware recommendations can easily sustain a deployment with 100 000 active users and 100 logins per second.

Reverse Proxy

Ubisecure recommends always deploying a reverse proxy or load balancer in front of any operational environment. This is useful for security and traffic management of any internet facing environment.

Storage

Identities

Ubisecure Identity Server uses two persistent data stores for storing identity related information; PostgreSQL and LDAP. The necessary storage size largely depends on the number of users, roles, organisations and custom attributes stored in the Ubisecure Identity Server.  

Note that while using Ubisecure Directory (OpenLDAP) on Linux you need to make sure that the storage allocation is sufficient to handle the expected increase of identities. If the identities in the system go above allocated storage, the system will stop working. 

Make sure that you chose a proper openldap.maxsize that suits your needs. The default value (10GB) that comes with the installation is meant for handling 1 000 000 user accounts

Increasing the openldap.maxsize will require a restart of the service to take effect

Also note that openldap.idlexp will need to be revised if you increase the openldap.maxsize. The default value for the openldap.idlexp is set to 20, which will handle 1 000 000 user accounts

The following table lists the actual size of data on disk for a typical deployment storing users in 100 different organisations, including 5 roles for each organisation and 5 custom attributes for each user:

Number of user accountsUbisecure Directory size (GB)CustomerID database size (GB)
100 0001.00.4
250 0002.40.8
500 0004.81.6
1 000 0008.02.4

On average, each LDAP user account entry takes roughly a bit less than 10 kB whereas CustomerID database entry takes roughly 3 kB. Deployments that do not use Redis as a session storage, an additional 10 kB per single-sign-on session should be considered. The single-sign-on sessions are stored in Ubisecure Directory.

Accounting login events

In addition to identity data, as of IDS 2019.1 login events are collected into the Accounting Service database. The following table lists the actual size of data on disk for a system which contains roughly 100 000 monthly active users each able to select any of 10 configured authentication methods.

Number of login eventsAccounting database size (GB)
100 0000.2
250 0000.5
500 0000.7
1 000 0001.0
5 000 0004.0
10 000 0008.0

Configure login event data cleanup

It is highly recommended to configure the cleanup of old login event related data. See Accounting Service additional configuration for more details.

CPU

ApplicationCPU cores
SSO and Accounting*2
CustomerID2
Ubisecure Directory2
PostgreSQL2

*) Currently Accounting is installed alongside SSO thus the processes share the same resources.

Memory

Ubisecure applications

For running the Identity Server applications, the following table lists the memory recommendations. 

For optimal performance of Ubisecure Directory (OpenLDAP) on Linux it is recommended that the system has at least the amount of RAM that can fit the max size of the user data storage as described above in the Storage section
ApplicationRecommended amount of RAM (GB)
SSO2
Ubisecure Directory (OpenLDAP) Linux8
Ubisecure Directory Windows1
CustomerID4
Accounting1
PostgreSQL4

For more information on memory configurations, please refer to

Redis memory considerations

When deploying Redis with Ubisecure Identity Server each single-sign-on session takes maximum of 10 kB of memory in Redis. In a typical Redis deployment (3 primary instances backed up by 3 secondary instances) this would mean

Number of concurrent sessionsNumber of Redis primary instancesMemory required per Redis instance (GB)
1 00030.01
10 00030.07
100 00030.67
250 00031.67
500 00033.33
1 000 00036.67

Note that the sessions are sharded between the three primary instances. For more information, please refer to How to use Redis with Identity Server.

Contents

  • No labels