PingFederate Server

Linux tuning

Follow these recommendations for your Linux environment to prevent deployment issues, to increase the performance and capacity of the networking stack (particularly TCP) and of file descriptor usage, and to enable PingFederate to handle a high volume of concurrent requests.

Network/TCP tuning

For SystemV, add or modify the following entries in the /etc/sysctl.conf file.

For systemd, you can create a sysctl preload/configuration file in /etc/sysctl.d (for example, 99-sysctl.conf) in which to add and modify the following entries.

TCP Tuning
# Controls the use of TCP syncookies (default is 1)
# and increase the number of outstanding syn requests allowed.
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_max_syn_backlog=8192

# Increase number of incoming connections.
# somaxconn defines the number of request_sock structures allocated
# per each listen call.
# The queue is persistent through the life of the listen socket.
net.core.somaxconn=4096

# Increase number of incoming connections backlog queue.
# Sets the maximum number of packets, queued on the INPUT side,
# when the interface receives packets faster
# than kernel can process them.
net.core.netdev_max_backlog=65536

# Increase system IP port limits
net.ipv4.ip_local_port_range=2048 65535

# Turn on window scaling which can enlarge the transfer window:
net.ipv4.tcp_window_scaling=1

# Decrease TCP timeout
net.ipv4.tcp_fin_timeout=10

# Allow reuse of sockets in TIME_WAIT state for new connections
# (While this may increase performance, use with caution according
# to the kernel documentation.  This setting should only be enabled
# after the system administrator reviews security considerations.)
net.ipv4.tcp_tw_reuse=1

# Increase the read and write buffer space allocatable
# (minimum size, initial size, and maximum size in bytes)
net.ipv4.tcp_rmem = 4096 65536 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216

# The maximum number of packets which may be queued
# for each unresolved address by other network layers.
# (eth0 and em1 are example interface names; use the names
# of the interfaces present on your host.)
net.ipv4.neigh.default.unres_qlen=100
net.ipv4.neigh.eth0.unres_qlen=100
net.ipv4.neigh.em1.unres_qlen=100

# Default Socket Receive and Write Buffer
net.core.rmem_default=8388608
net.core.wmem_default=8388608
############
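
A drift check for the settings above, added here as an example (it is not part of the PingFederate documentation or product): it compares each key in a sysctl file with the running value under /proc/sys and prints a reminder when tcp_tw_reuse is enabled. The function names and the optional second argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: report where the running kernel differs from a sysctl file.
# normalize and check_sysctl_drift are names chosen for this example.

# Collapse tabs and repeated spaces so "2048<TAB>65535" equals "2048 65535".
normalize() { printf '%s\n' "$1" | awk '{ $1 = $1; print }'; }

# Usage: check_sysctl_drift CONF_FILE [PROC_ROOT]
# PROC_ROOT defaults to /proc/sys; a test can point it at a constructed tree.
# Returns 0 when every configured key matches the running value, 1 otherwise.
check_sysctl_drift() {
    conf=$1 root=${2:-/proc/sys} drift=0
    while IFS='=' read -r key want || [ -n "$key" ]; do
        key=$(normalize "$key")
        want=$(normalize "$want")
        # Skip blank lines and comment lines (including the "####" trailer).
        case $key in ''|'#'*|';'*) continue ;; esac
        # The page says to enable tcp_tw_reuse only after a security review.
        if [ "$key" = net.ipv4.tcp_tw_reuse ] && [ "$want" != 0 ]; then
            echo "REVIEW $key=$want: confirm the security review was done"
        fi
        # Dots map to directories under /proc/sys; this simple mapping does
        # not handle interface names that themselves contain a dot.
        path=$root/$(printf '%s' "$key" | tr . /)
        if [ ! -r "$path" ]; then
            # Typical cause: an interface such as eth0 or em1 is not present.
            echo "MISSING $key: no such entry on this host"
            drift=1
            continue
        fi
        have=$(normalize "$(cat "$path")")
        if [ "$have" != "$want" ]; then
            echo "DRIFT $key: running='$have' configured='$want'"
            drift=1
        fi
    done < "$conf"
    return "$drift"
}
```

Run check_sysctl_drift /etc/sysctl.d/99-sysctl.conf after applying the file with sysctl --system; a MISSING line for eth0 or em1 means that interface does not exist on the host.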

Increase file descriptor limits

Add or modify the following lines in the /etc/security/limits.conf file, where pf_user is the user account used to run the PingFederate Java process, or use * for all user accounts.

pf_user  soft nofile 10400
pf_user  hard nofile 10400