Tuning CoCCA Registry System

From CoCCA Registry Services (NZ) Limited



Tuning the PostgreSQL Server

The CoCCA Registry software uses a PostgreSQL database, and the PostgreSQL configuration has a large effect on the performance of the registry system, so PostgreSQL needs to be tuned.

Some points to start from when tuning the PostgreSQL server:

1- The most important setting is the basic memory configuration:


First find the total server memory with the command free -g. The recommended setting is to assign 1/4 of the total RAM to shared_buffers and 1/2 of the total RAM to effective_cache_size. Note that effective_cache_size allocates nothing: it only tells the query planner how much data it can expect to find cached (shared_buffers plus the OS page cache). Both settings are in:

/opt/cocca-8/postgresql/data/postgresql.conf

For example, on a server with 11 GB of RAM we can leave about 2 GB (roughly 15% of RAM) for Java, the OS and other processes, and size PostgreSQL for the remaining 9 GB as follows:


   OLD  shared_buffers = 128MB
   NEW  shared_buffers = 3072MB

   OLD  #effective_cache_size = 128MB
   NEW  effective_cache_size = 6144MB
   

2- The log_temp_files parameter


When set (0 logs every temporary file; a positive value logs only files of at least that many kilobytes), PostgreSQL logs each temporary file it creates. PostgreSQL sometimes needs to write data to disk temporarily; this happens on large or complex queries whose sorts or hashes need more memory than the work_mem setting allows.


work_mem then needs adjusting; the default is 1MB (4MB from PostgreSQL 9.4 on). If the log shows many temporary-file messages, raise work_mem. Use something like a binary search to find the right value: start with 64MB and watch the log for temporary-file messages. If there are still many, move to the upper interval and set (64+128)/2 = 96MB; otherwise try 32MB. Repeating this converges on the smallest work_mem that avoids the temporary files. Keep in mind that work_mem is allocated per sort or hash operation, not per connection, so a complex query can use several times work_mem at once; the worst case is roughly max_connections x operations per query x work_mem, and that has to fit in the memory left after shared_buffers, Java and the OS.


3- Set log_statement = 'none' in /opt/cocca-8/postgresql/data/postgresql.conf. You can turn statement logging on temporarily while adjusting the previous parameter, to see which statements create the temporary files, but leave it off in production: it writes the full text of every SQL statement, including literal values, to the log, and the CoCCA Registry software already logs errors to /opt/cocca-8/postgresql/postgresql.log.


4- max_connections = 20: the maximum number of concurrent client connections allowed (change requires restart). Together with work_mem this bounds PostgreSQL's maximum memory use, because every connection can allocate its own work_mem for each sort or hash it runs, so keep it as low as the registry actually needs.
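As an added worked example (not part of this page or of the CoCCA software), the following Python applies the sizing rules and the work_mem bisection described above, and reads the temporary-file messages that log_temp_files writes. For the 11 GB case it gives 2816MB and 5632MB exactly, where the page rounds to 3072MB and 6144MB. The log excerpt, the 2 GB reservation and the table name in the sample statement are constructed values:

```python
"""Worked sizing and log check for the PostgreSQL settings discussed above.

This is an added example written for this page; it is not part of the
CoCCA Registry software.  It applies the page's rules (shared_buffers =
1/4 of RAM, effective_cache_size = 1/2 of RAM, bisection on work_mem)
and parses the standard message PostgreSQL writes when log_temp_files
is enabled.  SAMPLE_LOG is a constructed excerpt, not a real server log.
"""
import re

# Message body written by log_temp_files; the timestamp prefix depends on
# log_line_prefix, so only the message itself is matched.
TEMP_FILE_RE = re.compile(r'temporary file: path "([^"]+)", size (\d+)')

# Constructed sample log lines (the 'domain' table is hypothetical).
SAMPLE_LOG = """\
2013-05-01 10:00:01 NZST LOG:  temporary file: path "base/pgsql_tmp/pgsql_tmp4112.0", size 52428800
2013-05-01 10:00:01 NZST STATEMENT:  SELECT name FROM domain ORDER BY name
2013-05-01 10:02:17 NZST LOG:  temporary file: path "base/pgsql_tmp/pgsql_tmp4119.1", size 8388608
2013-05-01 10:05:00 NZST LOG:  checkpoint starting: time
"""


def plan_memory(total_mb, max_connections, work_mem_mb, reserved_mb):
    """Apply the page's 1/4 and 1/2 rules and check the worst case.

    work_mem is allocated per sort or hash, so with one such operation per
    query every connection can add work_mem on top of shared_buffers.
    reserved_mb is what you leave for the JVM, the OS and other processes.
    effective_cache_size is only a planner hint and allocates nothing.
    """
    shared = total_mb // 4
    cache = total_mb // 2
    worst_case = shared + max_connections * work_mem_mb + reserved_mb
    return {
        "shared_buffers": f"{shared}MB",
        "effective_cache_size": f"{cache}MB",
        "worst_case_mb": worst_case,
        "fits": worst_case <= total_mb,
    }


def render_conf(plan, max_connections, work_mem_mb):
    """postgresql.conf lines for the parameters this page covers."""
    return "\n".join([
        f"shared_buffers = {plan['shared_buffers']}",
        f"effective_cache_size = {plan['effective_cache_size']}",
        f"work_mem = {work_mem_mb}MB",
        f"max_connections = {max_connections}",
        "log_temp_files = 0",       # log every temp file while tuning work_mem
        "log_statement = 'none'",   # keep full SQL text out of the log
    ])


def temp_files(log_text):
    """Return (path, size_in_bytes) for every temp file message in the log."""
    return [(m.group(1), int(m.group(2))) for m in TEMP_FILE_RE.finditer(log_text)]


def largest_temp_file_mb(log_text):
    """Size of the biggest temp file, rounded up to whole MB: a rough floor
    for the work_mem a query needed (in-memory sorts need somewhat more)."""
    sizes = [size for _, size in temp_files(log_text)]
    return -(-max(sizes) // (1024 * 1024)) if sizes else 0


def next_work_mem(current_mb, lower_mb, upper_mb, temp_files_seen):
    """One bisection step as described on the page: temp files still logged
    means current_mb is too low, so the lower bound moves up; none logged
    means we can try lower.  Returns (next_mb, lower_mb, upper_mb)."""
    if temp_files_seen:
        lower_mb = current_mb
    else:
        upper_mb = current_mb
    return (lower_mb + upper_mb) // 2, lower_mb, upper_mb


if __name__ == "__main__":
    # Page example: 11 GB server, about 2 GB reserved for Java and the OS.
    plan = plan_memory(11 * 1024, max_connections=20, work_mem_mb=64, reserved_mb=2048)
    print(render_conf(plan, 20, 64))
    print("worst case MB:", plan["worst_case_mb"], "fits:", plan["fits"])
    print("temp files logged:", len(temp_files(SAMPLE_LOG)),
          "largest MB:", largest_temp_file_mb(SAMPLE_LOG))
    print("next work_mem after 64MB with temp files:", next_work_mem(64, 0, 128, True)[0])
```

Run it as a script to print a postgresql.conf fragment for the page's 11 GB example, or import it and feed temp_files() the contents of /opt/cocca-8/postgresql/postgresql.log to see how many temporary files a given work_mem still produces.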


Tuning the Resin Server


GUI security: force a higher level of TLS

- Restrict the cryptographic algorithms allowed. We suggest adding the following line under the keystore area (inside <jsse-ssl>) in resin.xml. Do not list RC4 or MD5 based suites such as SSL_RSA_WITH_RC4_128_MD5: RC4 is prohibited in TLS by RFC 7465 and the MD5 MAC is obsolete. Of the two suites below only the ECDHE one provides forward secrecy; TLS_RSA_WITH_AES_128_CBC_SHA256 uses static RSA key exchange and is kept only for clients that cannot negotiate ECDHE.


<cipher-suites>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256</cipher-suites>


Example:

<http address="xx.xx.xx.xx" port="443">
    <jsse-ssl>
        <key-store-type>jks</key-store-type>
        <key-store-file>/opt/cocca-8/resin/keys/YOUR.jks</key-store-file>
        <password>******</password>
        <cipher-suites>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256</cipher-suites>
    </jsse-ssl>
</http>

- Define a separate session cookie for SSL connections. With two separate cookies, the session ID issued over HTTPS is not the one carried on plain HTTP connections, so it is not exposed to anyone who can read unencrypted traffic.

Under the <server id="" address="127.0.0.1" port="6800"/> tag in resin.xml (around line 170), add the following:

      <ssl-session-cookie>SSL_JSESSIONID</ssl-session-cookie>
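To check that a resin.xml actually carries the intended TLS settings, here is an added example (not CoCCA's or Caucho's code) that pulls every <cipher-suites> element out of the file, flags RC4, MD5, DES and other obsolete suites, marks suites without forward secrecy, and reports whether an <ssl-session-cookie> is set. The embedded resin.xml fragment is constructed for the example and deliberately contains weak suites so the audit has something to report; 203.0.113.10 is a documentation address, and the key store path is the page's placeholder:

```python
"""Audit the TLS settings this page tells you to add to resin.xml.

Added example for this page, not CoCCA's or Caucho's code.  It reads
<cipher-suites> and <ssl-session-cookie> elements from a resin.xml and
flags suite names that should not be enabled.  SAMPLE_RESIN_XML is a
constructed fragment laid out like the page's example, with a
deliberately poor suite list so the audit has something to report.
"""
import xml.etree.ElementTree as ET

# RC4 is prohibited for TLS by RFC 7465; the MD5 MAC, DES/3DES, export
# grade, anonymous and NULL-encryption suites are all obsolete.
WEAK_MARKERS = ("RC4", "MD5", "_DES_", "3DES", "EXPORT", "anon", "NULL")
# Only ephemeral (EC)DH key exchange gives forward secrecy.
PFS_MARKERS = ("ECDHE_", "DHE_")

SAMPLE_RESIN_XML = """\
<resin xmlns="http://caucho.com/ns/resin" xmlns:resin="urn:java:com.caucho.resin">
  <cluster id="app-tier">
    <server id="" address="127.0.0.1" port="6800"/>
    <ssl-session-cookie>SSL_JSESSIONID</ssl-session-cookie>
    <http address="203.0.113.10" port="443">
      <jsse-ssl>
        <key-store-type>jks</key-store-type>
        <key-store-file>/opt/cocca-8/resin/keys/YOUR.jks</key-store-file>
        <password>******</password>
        <cipher-suites>SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,
          TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256</cipher-suites>
      </jsse-ssl>
    </http>
  </cluster>
</resin>
"""


def local_name(tag):
    """Drop the '{namespace}' part ElementTree prepends to tag names."""
    return tag.rsplit("}", 1)[-1]


def split_suites(text):
    """Split Resin's comma separated list, tolerating whitespace and newlines."""
    return [s.strip() for s in text.split(",") if s.strip()]


def audit_suites(suites):
    """Sort suite names into weak, no forward secrecy, and acceptable."""
    report = {"weak": [], "no_pfs": [], "ok": []}
    for suite in suites:
        if any(marker in suite for marker in WEAK_MARKERS):
            report["weak"].append(suite)
        elif not any(marker in suite for marker in PFS_MARKERS):
            report["no_pfs"].append(suite)
        else:
            report["ok"].append(suite)
    return report


def audit_resin_xml(xml_text):
    """Audit every <cipher-suites> element and note the SSL session cookie.

    Only local names are compared, so it works whatever namespace prefix
    the file uses.  A missing ssl-session-cookie is reported as None.
    """
    root = ET.fromstring(xml_text)
    result = {"cipher_reports": [], "ssl_session_cookie": None}
    for element in root.iter():
        name = local_name(element.tag)
        if name == "cipher-suites" and element.text:
            result["cipher_reports"].append(audit_suites(split_suites(element.text)))
        elif name == "ssl-session-cookie" and element.text:
            result["ssl_session_cookie"] = element.text.strip()
    return result


def audit_file(path="/opt/cocca-8/resin/conf/resin.xml"):
    """Audit a real resin.xml on disk (path from this page)."""
    with open(path, encoding="utf-8") as handle:
        return audit_resin_xml(handle.read())


if __name__ == "__main__":
    result = audit_resin_xml(SAMPLE_RESIN_XML)
    for report in result["cipher_reports"]:
        print("weak (remove):      ", report["weak"])
        print("no forward secrecy: ", report["no_pfs"])
        print("acceptable:         ", report["ok"])
    print("ssl-session-cookie: ", result["ssl_session_cookie"])
```

On the sample the three RC4 suites come out as weak and TLS_RSA_WITH_AES_128_CBC_SHA256 as lacking forward secrecy, leaving only the ECDHE suite as acceptable; running audit_file() against the real /opt/cocca-8/resin/conf/resin.xml after an edit confirms the list that Resin will actually load.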

CoCCA Registry logging in a production environment


CoCCA Registry's Java logging is configured with log4j. The default that CoCCA ships with is "debug" mode, which creates very large logs. For production this should be set to "ERROR" so that only errors are logged.


NOTE: This change needs to be made EVERY time you patch CoCCA, as new versions overwrite the file and reset it to debug.


Change <priority value="debug"/> to <priority value="ERROR"/> in the following file: /opt/cocca-8/production/ROOT/WEB-INF/classes/log4j.xml. The file as shipped, with the root priority on the line to change:

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE log4j:configuration SYSTEM "log4j.dtd">
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">

   <appender name="console" class="org.apache.log4j.ConsoleAppender">
       <param name="Target" value="System.out"/>
       <layout class="org.apache.log4j.PatternLayout">
           <param name="ConversionPattern" value="%-5p %c{1} - %m%n"/>
       </layout>
   </appender>
   <root>
       <priority value="debug"/>   <!-- change to "ERROR" for production -->
       <appender-ref ref="console"/>
   </root>

</log4j:configuration>
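Because the edit above has to be redone after every patch, here is an added example (not CoCCA's code) that performs it with a guard: it changes the root priority only if it finds exactly one, so a release that restructures log4j.xml fails loudly instead of being silently left at debug. SAMPLE_LOG4J is the file as shown above, and the default path in patch_file() is the one from this page:

```python
"""Set the log4j root priority for production, with a sanity check.

Added example for this page, not CoCCA's code.  The page says this edit
must be repeated after every CoCCA patch because the shipped log4j.xml
reverts to debug; this performs the edit and refuses to continue if the
file does not look as expected.  SAMPLE_LOG4J is the file as shown on
the page.
"""
import re

SAMPLE_LOG4J = """\
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE log4j:configuration SYSTEM "log4j.dtd">
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
   <appender name="console" class="org.apache.log4j.ConsoleAppender">
       <param name="Target" value="System.out"/>
       <layout class="org.apache.log4j.PatternLayout">
           <param name="ConversionPattern" value="%-5p %c{1} - %m%n"/>
       </layout>
   </appender>
   <root>
       <priority value="debug"/>
       <appender-ref ref="console"/>
   </root>
</log4j:configuration>
"""

# Matches the <priority .../> (or log4j's synonym <level .../>) directly
# under <root>.  A text substitution keeps the DOCTYPE and the log4j:
# prefix intact, which an XML parser round trip would not.
ROOT_PRIORITY_RE = re.compile(
    r'(<root>\s*<(?:priority|level)\s+value=")([^"]*)(")', re.IGNORECASE)


def root_priority(xml_text):
    """Current root priority, or None if the file has no recognisable one."""
    match = ROOT_PRIORITY_RE.search(xml_text)
    return match.group(2) if match else None


def set_root_priority(xml_text, level="ERROR"):
    """Return the file text with the root priority set to `level`.

    Raises ValueError unless exactly one root priority was found, so a
    reformatted file from a new release is never half-edited.
    """
    new_text, count = ROOT_PRIORITY_RE.subn(
        lambda m: f"{m.group(1)}{level}{m.group(3)}", xml_text)
    if count != 1:
        raise ValueError(f"expected one root priority, found {count}")
    return new_text


def patch_file(path="/opt/cocca-8/production/ROOT/WEB-INF/classes/log4j.xml",
               level="ERROR"):
    """Apply set_root_priority to the file on disk; returns (old, new) levels."""
    with open(path, encoding="utf-8") as handle:
        text = handle.read()
    old = root_priority(text)
    with open(path, "w", encoding="utf-8") as handle:
        handle.write(set_root_priority(text, level))
    return old, level


if __name__ == "__main__":
    print("shipped:   ", root_priority(SAMPLE_LOG4J))
    print("production:", root_priority(set_root_priority(SAMPLE_LOG4J)))
```

Call patch_file() from whatever script you run after applying a CoCCA patch; the returned old level tells you whether the patch had really reset the file to debug.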


Using https instead of http for whois sites of a ccTLD

The desired behaviour is to redirect plain HTTP connections to HTTPS:

http://anything.com/anything.html

            redirect => https://anything.com/anything.html

Example: redirect the site http://whois.nic.TLD to https://whois.nic.TLD.


Edit the Resin configuration file:


 /opt/cocca-8/resin/conf/resin.xml

<resin xmlns="http://caucho.com/ns/resin" xmlns:resin="urn:java:com.caucho.resin">
 <cluster ...>
  <host id="registry.nic.TLD" root-directory=".">
      <host-alias>whois.nic.TLD</host-alias>
         <resin:Redirect regexp="^/whois.jsp" target="https://whois.nic.TLD/whois.jsp">
             <resin:IfSecure value="false"/>
          </resin:Redirect>
      ...
  </host>
 </cluster>
</resin>

The <resin:IfSecure value="false"/> condition makes the rule apply only to requests that did not arrive over TLS. Note that the regexp above matches only /whois.jsp; widen it if other paths on the whois host should be redirected as well.


Notice: the whois IP address must also listen on port 443. If you have not already configured Resin to listen on port 443 on the whois IP, the redirect target will be unreachable and the redirect will not work. Add a listener on port 443 for that IP as follows:


<http address="xxx.xxx.xxx.xxx" port="443">
     <jsse-ssl>
        <key-store-type>jks</key-store-type>
        <key-store-file>/opt/cocca-8/keys/xxxxxxxxxxxxxxx</key-store-file>
        <password>********</password>
        <cipher-suites>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256</cipher-suites>
     </jsse-ssl>
</http>
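To verify the redirect from the outside, here is an added example (not CoCCA's or Caucho's code) that fetches a plain-HTTP URL once without following redirects and checks that the answer is a redirect to https on the same host and path, which catches the common mistakes of no redirect, a redirect that stays on http, or one that drops the path. redirect_ok() is a pure function, so it can be exercised on recorded responses; whois.nic.TLD is the page's placeholder, not a real server:

```python
"""Check that the whois redirect configured above really behaves as the
page describes: plain http://host/path -> https://host/path.

Added example for this page, not CoCCA's or Caucho's code.  redirect_ok()
is a pure check on a status code and Location header, so it can be run
against recorded responses; probe() performs the live request without
following redirects.  The host name in __main__ is the page's placeholder.
"""
import http.client
from urllib.parse import urlsplit

REDIRECT_STATUSES = (301, 302, 303, 307, 308)


def redirect_ok(request_url, status, location):
    """True only if the response redirects to https on the same host and
    path.  Anything else (a 200, a redirect back to http, a redirect that
    loses the path) is a misconfiguration."""
    if status not in REDIRECT_STATUSES or not location:
        return False
    want, got = urlsplit(request_url), urlsplit(location)
    return (got.scheme == "https"
            and got.hostname == want.hostname
            and got.path == want.path)


def probe(url, timeout=5):
    """GET `url` over plain HTTP once and return (status, Location header).

    http.client does not follow redirects, which is what we want here.
    """
    parts = urlsplit(url)
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/", headers={"Host": parts.hostname})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def check(url):
    """Probe the live server and apply redirect_ok; returns (ok, status, location)."""
    status, location = probe(url)
    return redirect_ok(url, status, location), status, location


if __name__ == "__main__":
    # The page's rule only matches ^/whois.jsp, so that is the path to test.
    print(check("http://whois.nic.TLD/whois.jsp"))
```

Run check() once per host alias after changing resin.xml; if it reports a 200 the redirect rule did not match, and if the Location still starts with http the IfSecure condition or the target is wrong.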


Resin support for IDN host aliases


If you need to add an IDN host alias to Resin, add both the punycode (A-label) form and the Unicode (U-label) form to the main Resin configuration file; the Unicode form can be written as UTF-8 or as decimal NCRs, which an XML parser reads as the same characters:


/opt/cocca-8/resin/conf/resin.xml

In the host configuration section of resin.xml, add lines like the following (example domain in Arabic: "نطاق"; in NCR form the Unicode alias reads whois.nic.&#1606;&#1591;&#1575;&#1602;):


      <host id="registry.nic.TLD" root-directory=".">
      <host-alias>whois.nic.نطاق</host-alias>
      <host-alias>whois.nic.xn--mgb5a8an</host-alias>
      ...
      </host>

Useful tools to convert the IDN to ASCII:


http://mct.verisign-grs.com/


Useful tools to convert the IDN to Decimal NCRs:


http://rishida.net/tools/conversion/
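Instead of the two web converters, the conversions can be done locally. The following is an added example (not CoCCA's or Caucho's code) that uses Python's built-in idna codec for the A-label and a simple code-point escape for the decimal NCRs; for the page's example it produces whois.nic.xn--mgb5a8an and whois.nic.&#1606;&#1591;&#1575;&#1602;, and it checks that the NCR form parses back to the Unicode alias:

```python
"""Produce the two <host-alias> forms the page says Resin needs for an IDN.

Added example for this page, not CoCCA's or Caucho's code.  It replaces
the two web converters linked above with Python's built-in 'idna' codec
(IDNA 2003 rules, which give the same A-label as the page for this
example) and a plain code-point escape for the decimal NCRs.
"""
import xml.etree.ElementTree as ET


def to_alabel(hostname):
    """Unicode hostname -> ASCII form; each non-ASCII label becomes xn--..."""
    return hostname.encode("idna").decode("ascii")


def from_alabel(hostname):
    """Reverse of to_alabel, for checking what an xn-- name really is."""
    return hostname.encode("ascii").decode("idna")


def to_ncr(text):
    """Escape every non-ASCII character as a decimal numeric character
    reference (&#1606; ...).  An XML parser turns these back into the
    original characters, so the alias is identical to the raw UTF-8 form
    but survives editors and transfers that mangle non-ASCII bytes."""
    return "".join(c if ord(c) < 128 else f"&#{ord(c)};" for c in text)


def host_alias_lines(hostname):
    """Both <host-alias> lines for the <host> block in resin.xml."""
    return [f"<host-alias>{to_ncr(hostname)}</host-alias>",
            f"<host-alias>{to_alabel(hostname)}</host-alias>"]


def ncr_roundtrips(hostname):
    """True if the NCR form parses back to the Unicode alias."""
    element = ET.fromstring(f"<host-alias>{to_ncr(hostname)}</host-alias>")
    return element.text == hostname


if __name__ == "__main__":
    for line in host_alias_lines("whois.nic.نطاق"):
        print(line)
    print(from_alabel("whois.nic.xn--mgb5a8an"))
```

from_alabel() is the useful direction when auditing an existing resin.xml: it shows which Unicode name an xn-- alias really stands for, so a mistyped A-label is caught before it goes live.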

