Important container settings

Ephemeral Diffie-Hellman key size

Ensure the ephemeral Diffie-Hellman key size is set to 2048 bits; this matters for TLS security. It can be supplied via the java -D command line flag:

 -Djdk.tls.ephemeralDHKeySize=2048

and can be added in a systemd service file, as in the example jetty.service file in the Jetty deployment instructions in our upgrade documentation.

Increase memory if necessary

We recommend you use the MDQ metadata configuration described in the metadata configuration section. This reduces the resources required by the IdP deployment and avoids future changes to accommodate growing metadata file sizes.

If you must use the federation aggregate metadata for some reason, you will need to increase the maximum Java memory for the application; you may need to do so even if you use MDQ. Around 4G is recommended when using the aggregate metadata file; otherwise you should not need so much. This can also be supplied via a java -X command line flag in a start-up file:

 -Xmx4000m

or alternatively if using Jetty then in $JETTY_BASE/start.d/idp.ini as described in the Shibboleth Jetty 9.4 documentation or the Shibboleth Jetty 10.0 documentation.
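As an added example (not from the Shibboleth, Jetty or federation documentation), the following POSIX sh script reads the DH key size and -Xmx settings described in the two sections above out of a JVM option string, as it would appear in a jetty.service ExecStart line or in $JETTY_BASE/start.d/idp.ini, and reports whether they meet the recommended values. The sample option string and the check_jvm_opts threshold argument are constructed for the example.

```shell
#!/bin/sh
# Parse the two JVM settings this page recommends out of a string of JVM options (as
# found in a systemd ExecStart line or in $JETTY_BASE/start.d/idp.ini) and compare them
# with the recommended values. Added example, not from the Shibboleth or Jetty docs.

# Print the -Djdk.tls.ephemeralDHKeySize value (last occurrence wins, as in the JVM).
# Only the numeric form used on this page is handled; absent/non-numeric prints 0.
dh_key_size() {
    size=0
    for tok in $1; do
        case "$tok" in -Djdk.tls.ephemeralDHKeySize=*) size=${tok#*=} ;; esac
    done
    case "$size" in ''|*[!0-9]*) size=0 ;; esac
    echo "$size"
}

# Print the -Xmx value in megabytes (k/m/g suffixes or bare bytes), 0 if absent.
max_heap_mb() {
    mb=0
    for tok in $1; do
        case "$tok" in -Xmx*) ;; *) continue ;; esac
        raw=${tok#-Xmx}; num=${raw%[kKmMgG]}
        case "$num" in ''|*[!0-9]*) continue ;; esac   # skip malformed values
        case "$raw" in
            *[kK]) mb=$((num / 1024)) ;;
            *[mM]) mb=$num ;;
            *[gG]) mb=$((num * 1024)) ;;
            *)     mb=$((num / 1048576)) ;;
        esac
    done
    echo "$mb"
}

# Exit 0 when the DH key size is at least 2048 bits and the heap is at least the
# recommended size (second argument, default 4000M for the aggregate metadata file).
check_jvm_opts() {
    dh=$(dh_key_size "$1"); heap=$(max_heap_mb "$1"); min_heap=${2:-4000}; status=0
    if [ "$dh" -lt 2048 ]; then
        echo "FAIL: jdk.tls.ephemeralDHKeySize is $dh, expected at least 2048"; status=1
    fi
    if [ "$heap" -lt "$min_heap" ]; then
        echo "WARN: -Xmx is ${heap}M, ${min_heap}M recommended"; status=1
    fi
    return $status
}

# Constructed sample: options as they might appear in jetty.service for an IdP that
# loads the federation aggregate metadata.
SAMPLE_OPTS='-Djdk.tls.ephemeralDHKeySize=2048 -Xmx4000m -Djava.awt.headless=true'
check_jvm_opts "$SAMPLE_OPTS" && echo "OK: both settings meet the recommendations"
```

To check a running IdP rather than a file, pass the JVM's actual argument list (for example the contents of /proc/PID/cmdline with NULs turned into spaces) as the first argument.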

Windows

On Windows you can also change the maximum Java memory allocation using the shibd_idpw.exe utility that is installed with the Shibboleth IdP software. Browse to C:\Program Files (x86)\Shibboleth\ProcRun and double-click shibd_idpw.exe. Select the Java tab. You can change the maximum Java memory by editing the value in the Maximum memory pool box.

The ephemeral Diffie-Hellman key size is already set to 2048 bits in shibd_idpw.exe. Please note that the only change made in shibd_idpw.exe that will persist across upgrades is the maximum Java memory allocation.