System Recommendations and Supported Platforms
- John Jellema
- troinine-ubi
Introduction
This page includes useful information for the consideration of an environment specification and system recommendation for running Ubisecure Identity Server. Below you will find the currently supported software, actively tested browsers and hardware requirements and recommendations. All recommendations are based on an example reference environment of 100 000 active users with 100 logins per second as normal sustainable, non-impacting load.
These are not intended to highlight the minimum requirements but instead Ubisecure's recommendations in order to effectively run the Identity Server in a production environment. Ubisecure performs release testing on a variety of environments for each release, using a combination of single and dual-node installations on Linux and Windows Server operating systems and with automated and manual regression testing performed by a variety of the listed supported browsers in their latest stable distribution.
Your exact environment needs may need to be reviewed and altered depending on what types of workloads you run. Your workload is influenced for example by these factors (but not limited to):
Active users having user account in Ubisecure Directory and CustomerID database
Number of internal and external authentications
Number of requests to Identity Server APIs
Number of interactions with CustomerID registration flows and Self-Service UI
Supported Browsers
Ubisecure Identity Server has been tested with the following desktop browsers
Google Chrome
Mozilla Firefox
Safari
Microsoft Edge
Ubisecure recommends to use the latest version of each browser
Supported Operating Systems
Ubisecure Identity Server supports a number of Linux distributions and Microsoft Windows Server
Platform | Distribution | Versions | EOL |
|---|---|---|---|
Linux distributions | Rocky Linux | 8 | May 2029 |
Rocky Linux | 9* | May 2032 | |
RedHat Enterprise Linux | 8 | May 2029 | |
RedHat Enterprise Linux | 9* | May 2032 | |
Microsoft Windows | Windows Server | 2016 | January 2027 |
|
| 2019 | January 2029 |
*) libxcrypt-compat package must be installed when using OpenLDAP on RHEL 9 based Linux distribution
Software Requirements
The following chapter lists the required software that is used to run Ubisecure Identity Server. Ubisecure lists the software that it uses internally to develop, test and operate Identity Server.
Java
Java 11 is required in order to run Ubisecure applications, including SSO, CustomerID and related components. Identity Server has been tested with the following Java builds. Releases prior IDS 2022.1 are Java 8 based and are no longer supported by Ubisecure.
Customers are encouraged to update their installed Java version with the latest available patch release. The patch version noted in the table below was used at the time of release, but later Java patch versions will ensure the best available security levels are met. For example, Java 11 (11.0.14) was tested, but Java 11 (11.0.22) is available for customer use.
SSO | CustomerID | Build | Version |
|---|---|---|---|
9.x.x | 6.x.x | Java 11 (11.0.14) | |
Java 11 (11.0.14) | |||
Unsupported Legacy versions require older Java |
|
|
|
8.x.x | 5.x.x | Java 8 (1.8.0_312) | |
Java 8 (1.8.0_312) |
RedHat OpenJDK
Unfortunately, RedHat OpenJDK does not support an extensive amount of ciphers. Due to this limitation, we have not tested and therefore cannot recommend using RedHat OpenJDK. Please ensure you use one of the supported versions of Java shown above.
Databases
Ubisecure Directory
Ubisecure Directory requires an LDAP implementation. Identity Server supports the following LDAP implementations
LDAP implementation | Version | Notes |
|---|---|---|
OpenLDAP | 2.5.16 | Included in the SSO Linux distribution package. The used database backend is Memory-Mapped Database (MDB) |
Microsoft AD-LDS | Windows Server 2016, Windows Server 2019 | Tested with the version included in the respective Microsoft Windows Server version |
Relational Databases
CustomerID and Accounting support the following Relational Databases
Database | Version | Upgrade | EOL |
|---|---|---|---|
PostgreSQL | 16 | 14 → 16 | November 2028 |
PostgreSQL | 14 | 12 → 14 | November 2026 |
PostgreSQL | 9.6 | 9.5->9.6 | November 2021 |
PostgreSQL | 12 | 9.6 → 12 | November 2024 |
PostgreSQL 16
We have completed testing of PostgreSQL 16.1 with IDS 2024.1 releases. This offers support for installations through November 2028. If you have any concerns, please open a ticket with support. We will be happy to review your environment and ensure that it will continue to operation smoothly.
Note: PostgreSQL 9.6 is no longer recommended for use with any SSO 9.x.x or CID 6.x.x release versions.
Redis
In high-performance deployments Ubisecure Identity Server uses Redis as a session storage. Identity Server has been tested with version 7.2.4. For more information, please refer to Redis Configuration - SSO.
Hardware recommendations
These hardware recommendations can easily sustain a deployment with 100 000 active users and 100 logins per second. Complex organisational structures or specific use cases may require the use of Redis to support session load and remove replication requirements from OpenLDAP or AD-LDS.
Storage
Identities
Ubisecure Identity Server uses two persistent data stores for storing identity related information; PostgreSQL and LDAP. The necessary storage size largely depends on the number of users, roles, organisations and custom attributes stored in the Ubisecure Identity Server.
The following table lists the actual size of data on disk for a typical deployment storing users in 100 different organisations, including 5 roles for each organisation and 5 custom attributes for each user:
Number of user accounts | Ubisecure Directory size (GB) | CustomerID database size (GB) |
|---|---|---|
100 000 | 1.0 | 0.4 |
250 000 | 2.4 | 0.8 |
500 000 | 4.8 | 1.6 |
1 000 000 | 8.0 | 2.4 |
On average, each LDAP user account entry takes roughly a bit less than 10 kB whereas CustomerID database entry takes roughly 3 kB. Deployments that do not use Redis as a session storage, an additional 10 kB per single-sign-on session should be considered. The single-sign-on sessions are stored in Ubisecure Directory.
Accounting login events
In addition to identity data, as of IDS 2019.1 login events are collected into the Accounting Service database. The following table lists the actual size of data on disk for a system which contains roughly 100 000 monthly active users each able to select any of 10 configured authentication methods. Daily and monthly reports will require additional space depending on the complexity of the supported environment. The numbers shown in the table below should be used as an indication of the disk space required for the accounting service as of this release.
Number of login events | Accounting database size (GB) |
|---|---|
100 000 | 0.2 |
250 000 | 0.5 |
500 000 | 0.7 |
1 000 000 | 1.0 |
5 000 000 | 4.0 |
10 000 000 | 8.0 |
CPU
Application | CPU cores |
|---|---|
SSO and Accounting* | 2 |
CustomerID | 2 |
Ubisecure Directory | 2 |
PostgreSQL | 2 |
*) Currently Accounting is installed alongside SSO thus the processes share the same resources.
Memory
Ubisecure applications
For running the Identity Server applications, the following table lists the memory recommendations.
Application | Recommended amount of RAM (GB) |
|---|---|
SSO | 2 |
Ubisecure Directory (OpenLDAP) Linux | 8 |
Ubisecure Directory Windows | 1 |
CustomerID | 4 |
Accounting | 1 |
PostgreSQL | 4 |
For more information on memory configurations, please refer to
CustomerID: Wildfly JVM settings reference
PostgreSQL: PostgreSQL resource consumption
Redis memory considerations
When deploying Redis with Ubisecure Identity Server each single-sign-on session takes maximum of 10 kB of memory in Redis. In a typical Redis deployment (3 primary instances backed up by 3 secondary instances) this would mean
Number of concurrent sessions | Number of Redis primary instances | Memory required per Redis instance (GB) |
|---|---|---|
1 000 | 3 | 0.01 |
10 000 | 3 | 0.07 |
100 000 | 3 | 0.67 |
250 000 | 3 | 1.67 |
500 000 | 3 | 3.33 |
1 000 000 | 3 | 6.67 |
Note that the sessions are shared between the three primary instances. For more information, please refer to Redis Configuration - SSO.
Contents
- 1 Introduction
- 2 Supported Browsers
- 3 Supported Operating Systems
- 4 Software Requirements
- 4.1 Java
- 4.1.1 RedHat OpenJDK
- 4.2 Databases
- 4.2.1 Ubisecure Directory
- 4.2.2 Relational Databases
- 4.2.3 PostgreSQL 16
- 4.2.4 PostgreSQL JDBC Driver
- 4.2.5 Redis
- 4.1 Java
- 5 Hardware recommendations
- 5.1.1 Reverse Proxy
- 5.2 Storage
- 5.2.1 Identities
- 5.2.2 Accounting login events
- 5.2.3 Configure login event data cleanup
- 5.3 CPU
- 5.4 Memory
This web page (including any attachments) may contain confidential, proprietary, or privileged information – not for disclosure without authorization from Ubisecure Inc. Copyright © 2024. All Rights Reserved.