---
title: Preparing a Linux environment
description: For Linux computing environments, complete the required tasks described in this section before initiating a PingAuthorize Server installation.
component: pingauthorize
version: 11.0
page_id: pingauthorize:installing_and_uninstalling_pingauthorize:paz_prepare_linux_env
canonical_url: https://docs.pingidentity.com/pingauthorize/11.0/installing_and_uninstalling_pingauthorize/paz_prepare_linux_env.html
revdate: April 28, 2025
section_ids:
  about-this-task: About this task
  steps: Steps
  setting-the-file-descriptor-limit: Setting the file descriptor limit
  about-this-task-2: About this task
  steps-2: Steps
  next-steps: Next steps
  setting-the-maximum-user-processes: Setting the maximum user processes
  about-this-task-3: About this task
  steps-3: Steps
  disable_system_swapping: Disabling file system swapping
  about-this-task-4: About this task
  steps-4: Steps
  managing-system-entropy: Managing system entropy
  about-this-task-5: About this task
  steps-5: Steps
  enabling-the-server-to-listen-on-privileged-ports: Enabling the server to listen on privileged ports
  about-this-task-6: About this task
  steps-6: Steps
  example: Example:
---

# Preparing a Linux environment

For Linux computing environments, complete the required tasks described in this section before initiating a PingAuthorize Server installation.

## About this task

Complete the following tasks before you install PingAuthorize Server in a Linux environment:

## Steps

1. Set the file descriptor limit.

2. Set the maximum user processes.

3. Disable file system swapping.

4. Manage system entropy.

5. Enable the server to listen on privileged ports.

## Setting the file descriptor limit

PingAuthorize Server allows for an unlimited number of connections. The following steps describe how to manually increase the file descriptor limit on the operating system.

### About this task

|   |                                                                                                                                                  |
| - | ------------------------------------------------------------------------------------------------------------------------------------------------ |
|   | If the operating system relies on `systemd`, see the Linux operating system documentation for instructions on setting the file descriptor limit. |

### Steps

1. Display the current `fs.file-max` limit of the system.

   ```
   sysctl fs.file-max
   ```

   The `fs.file-max` limit is the maximum server-wide file limit you can set without tuning the kernel parameters in the `proc` file system.

2. Edit the `/etc/sysctl.conf` file.

   If there is a line that sets the value of the `fs.file-max` property, make sure that its value is set to at least 1.5 times the per-process limit. If there is no line that sets a value for this property, add the following to the end of the file (100000 is just an example here; specify a value of at least 1.5 times the per-process limit).

   ```
   fs.file-max = 100000
   ```

3. Display the current hard limit of the system.

   ```
   ulimit -aH
   ```

   The `open files (-n)` value is the maximum number of open files per process limit.

   Verify that its value is set to at least 65535.

4. Edit the `/etc/security/limits.conf` file.

   If the file contains lines that set the soft and hard limits for the number of file descriptors, verify that the values are set to 65535. If the properties are absent, add the following lines to the end of the file, before the `# End of file` line, inserting a tab between the columns.

   ```
   *   soft   nofile   65535
   *   hard   nofile   65535
   ```

   |   |     |
   | - | --- |
   |   | The number of open file descriptors is limited by the physical memory available to the host. You can determine this limit by running `cat /proc/sys/fs/file-max`. If the `file-max` value is significantly higher than the 65535 limit, consider increasing the file descriptor limit to between 10% and 15% of the system-wide file descriptor limit. For example, if the `file-max` value is 810752, you could set the file descriptor limit to 100000. If the `file-max` value is lower than 65535, the host is likely not sized appropriately. |

5. Reboot the server.

6. Verify that the file descriptor limit is set to 65535.

   ```
   ulimit -n
   ```

7. For RedHat 7 or later, modify the `/etc/security/limits.d/20-nproc.conf` file to set limits for `open files` and `max user processes`.

   Add or edit the following lines if they do not already exist.

   ```
   * soft nproc 65536
   * soft nofile 65536
   * hard nproc 65536
   * hard nofile 65536
   root soft nproc unlimited
   ```
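The two sizing rules in the steps above (a per-process limit of at least 65535, and `fs.file-max` at least 1.5 times the per-process limit) can be checked before installation. The following script is an added example, not Ping Identity code; the function names are hypothetical, and it reads only `*` entries from the limits files.

```shell
#!/bin/sh
# Added example (not Ping Identity code); function names are illustrative.

# effective_nofile KIND FILE...
# Print the last nofile value of KIND (soft|hard) set for domain "*" across
# the given limits files, read in order. A "-" type sets both soft and hard.
# Simplification: user- and group-specific entries are ignored.
effective_nofile() {
    kind=$1; shift
    awk -v kind="$kind" '
        /^[[:space:]]*#/ || NF < 4 { next }
        $1 == "*" && ($2 == kind || $2 == "-") && $3 == "nofile" { v = $4 }
        END { if (v == "") exit 1; print v }
    ' "$@"
}

# fd_limits_ok FILE_MAX NOFILE
# 0: NOFILE >= 65535 and FILE_MAX >= 1.5 x NOFILE; 1: a rule fails;
# 2: a value is not a plain integer (for example "unlimited").
fd_limits_ok() {
    for n in "$1" "$2"; do
        case $n in ''|*[!0-9]*) return 2 ;; esac
    done
    [ "$2" -ge 65535 ] || return 1
    # Ceiling of 1.5 x NOFILE in integer math; multiplying the small value
    # avoids overflow when fs.file-max is at the 64-bit maximum.
    [ "$1" -ge $(( ($2 * 3 + 1) / 2 )) ]
}

# check_host [FILE...]
# Compare the running kernel's fs.file-max with the configured hard limit.
check_host() {
    [ $# -gt 0 ] || set -- /etc/security/limits.conf
    max=$(cat /proc/sys/fs/file-max) || return 2
    hard=$(effective_nofile hard "$@") || {
        echo "no '* hard nofile' entry found"; return 1; }
    if fd_limits_ok "$max" "$hard"; then
        echo "OK: fs.file-max=$max hard nofile=$hard"
    else
        echo "FAIL: fs.file-max=$max hard nofile=$hard"; return 1
    fi
}
```

On the target host, source the script and run `check_host /etc/security/limits.conf /etc/security/limits.d/*.conf` so that later files such as `20-nproc.conf` are taken into account.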

### Next steps

After the operating system limit is set, use one of the following methods to configure the number of file descriptors that the server uses:

* Use a `NUM_FILE_DESCRIPTORS` environment variable.

* Create a `config/num-file-descriptors` file with a single line, such as `NUM_FILE_DESCRIPTORS=12345`.

If these values are not set, the default value of `65535` is used.

|   |                                                                                                           |
| - | --------------------------------------------------------------------------------------------------------- |
|   | This optional step ensures that the server shuts down safely before it reaches the file descriptor limit. |

## Setting the maximum user processes

Set the maximum user processes higher than the default to avoid memory errors when running multiple servers on a machine.

### About this task

On some Linux distributions, such as RedHat Enterprise Linux (RHEL) Server/CentOS 6.0 or later, the default maximum number of user processes is set to `1024`, which is considerably lower than the same parameter on earlier distributions, such as RHEL/CentOS 5.x. The default value of `1024` leads to some Java virtual machine (JVM) memory errors when running multiple servers on a machine, due to each Linux thread being counted as a user process.

At startup, PingAuthorize Server attempts to raise this limit to `16383` if the value reported by `ulimit` is less than that number. If the value cannot be set, an error message is displayed. In such a scenario, you must explicitly set the limit in `/etc/security/limits.conf`, as the following example shows.

```
* soft nproc 100000
* hard nproc 100000
```

### Steps

* Set the `NUM_USER_PROCESSES` environment variable to the value `1683`.

* Set the value `1683` in the `config/num-user-processes` file.

## Disabling file system swapping

To disable the file system swapping in PingAuthorize, use `vm.swappiness`.

### About this task

Disable all performance-tuning services, like `tuned`. If performance tuning is required, perform the following steps to set `vm.swappiness`:

### Steps

1. Clone the existing performance profile.

2. Add `vm.swappiness = 0` to the new profile's `tuned.conf` file in `/usr/lib/tuned/profilename/tuned.conf`.

3. Select the updated profile by running `tuned-adm profile customized_profile`.

## Managing system entropy

Entropy is used to calculate random data that the system uses in cryptographic operations.

### About this task

Some environments with low entropy might experience intermittent performance issues with SSL-based communication, such as certificate generation. This scenario is more typical on virtual machines but can also occur in physical instances. For best results, monitor the value of `kernel.random.entropy_avail` in the configuration file `/etc/sysctl.conf`.

|   |                                                                                                                                            |
| - | ------------------------------------------------------------------------------------------------------------------------------------------ |
|   | To increase system entropy on a Windows system, move the mouse pointer in circles or type characters randomly into an empty text document. |

### Steps

* On a UNIX or Linux system, ensure that `rng-tools` is installed and run the following command.

  ```
  sudo rngd -r /dev/urandom -o /dev/random
  ```

* To check the level of system entropy on a UNIX or Linux system, run the following command.

  ```
  cat /proc/sys/kernel/random/entropy_avail
  ```

  |   |                                                                                                                            |
  | - | -------------------------------------------------------------------------------------------------------------------------- |
  |   | Values smaller than 3200 are considered too low to generate a certificate and might cause the system to hang indefinitely. |

## Enabling the server to listen on privileged ports

To enable PingAuthorize Server to listen on privileged ports as a non-root user, grant capabilities to specific commands.

### About this task

Linux systems provide capabilities that grant specific commands the ability to complete tasks that are normally permitted only by a root account. Instead of granting an ability to a specific user, capabilities are granted to a specific command. For convenience, you might enable the server to listen on privileged ports while running as a non-root user.

### Steps

* To assign capabilities to an application, run the `setcap` command.

  For example, the `cap_net_bind_service` capability enables a service to bind a socket to privileged ports, which are defined as ports with numbers less than 1024. If Java is installed in `/ds/java`, and if the Java command to run the server is `/ds/java/bin/java`, then you can grant the Java binary the `cap_net_bind_service` capability by running the following command.

  ```shell
  $ sudo setcap cap_net_bind_service=+eip /ds/java/bin/java
  ```

  The Java binary requires an additional shared library, `libjli.so`, as part of the Java installation.

  Because additional limitations are imposed on where the operating system looks for shared libraries to load for commands with assigned capabilities, you must create the file `/etc/ld.so.conf.d/libjli.conf` with the path to the directory that contains the `libjli.so` file.

  #### Example:

  If the Java installation is located in `/ds/java`, the file must contain the following line.

  ```
  /ds/java/lib/amd64/jli
  ```

  Run the following command for the change to take effect.

  ```shell
  $ sudo ldconfig -v
  ```
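After `ldconfig` runs, the directory named in `/etc/ld.so.conf.d/libjli.conf` is part of the system-wide library search path, so it should contain `libjli.so` and should not be writable by group or other users. The following check is an added example, not Ping Identity code; the function names are hypothetical, and `has_bind_cap` assumes the `getcap` utility is installed.

```shell
#!/bin/sh
# Added example (not Ping Identity code); function names are illustrative.

# check_libjli_conf CONF_FILE
# Print one finding per problem. Return 0 only if every directory listed is
# an absolute path, contains libjli.so, and is not group- or world-writable.
check_libjli_conf() {
    conf=$1 rc=0 seen=0
    [ -r "$conf" ] || { echo "cannot read: $conf"; return 1; }
    while IFS= read -r dir || [ -n "$dir" ]; do
        case $dir in ''|'#'*) continue ;; esac   # skip blanks and comments
        seen=1
        case $dir in
            /*) ;;
            *) echo "not an absolute path: $dir"; rc=1; continue ;;
        esac
        if [ ! -f "$dir/libjli.so" ]; then
            echo "libjli.so not found in: $dir"; rc=1
        fi
        # -prune tests the directory itself without descending into it.
        if [ -n "$(find "$dir" -prune \( -perm -020 -o -perm -002 \) \
                   2>/dev/null)" ]; then
            echo "writable by group or other: $dir"; rc=1
        fi
    done < "$conf"
    [ "$seen" -eq 1 ] || { echo "no directory listed in: $conf"; rc=1; }
    return "$rc"
}

# has_bind_cap BINARY
# 0 if the binary carries cap_net_bind_service, 1 if not, 2 without getcap.
has_bind_cap() {
    command -v getcap >/dev/null 2>&1 || return 2
    getcap "$1" | grep -q 'cap_net_bind_service'
}
```

With the paths used on this page, the checks are `check_libjli_conf /etc/ld.so.conf.d/libjli.conf` and `has_bind_cap /ds/java/bin/java`.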
