AdminCamp `15

Transcrição

AdminCamp `15

AdminCamp ’15
Closing General Session
AdminCamp 2015 – Sept. 21-23
Notes & Domino –> mit Verse und On-Premises
Who Am I?
Administrator & Developer since version 2.0
IBM Lotus Beacon Award Winner
Services
Products
Site Performance Reviews
Legal Case Consulting
Application Development
Administrative Overhaul
Security Review & Penetration Testing
NCT Search
NCT Compliance Search
NCT Simple Sign On
NCT SAML for Domino 7+
Structural Firefighter
About this Presentation
It’s almost time to go home – Let’s have a bit of fun
Each short section is meant to stand on it’s own
IF you have to leave, that’s ok
The longer you stay, the more you may find interesting
What’s in these slides?
A selection of brief suggestions for Domino Administrators
Taken from key points of several presentations
A selection of strange but true facts
These have nothing at all to do with IBM Domino
DID YOU KNOW?
The lighter was invented
before the match
Let’s Talk About Disk Speed
Will SSD (Flash) drives really help?
Solid State Drives (SSD)
Also known as “FLASH” drives
Getting more common on Laptops, Netbooks
Reliability Issues are Largely Resolved
VERY Fast READ Times
Write Performance Quickly Degrades
This is changing quickly, but still the case for most uses
Windows 7 & Windows Server 2008 R2 Support “TRIM”
http://en.wikipedia.org/wiki/TRIM
Good for Program Files, Java Libraries
Bad for NSF Databases, Indexing, Translogs
SSD Performance Problems with Indexing
View Indexing creates lots of very small, temporary files
Solid State Drives do not handle tiny files as well
Typical spinning drives write in sectors of 512 bytes
Newer drives, designed after 2011, use 4kb sectors.
The smallest unit an SSD can write is a “Block” which can be anywhere from
256kb to 4mb in size.
To write a smaller amount of data to a block, the entire block is still written. If there is existing
data in part of a block, the whole block is read, altered in memory, then re-written.
The Samsung EVO 840 – a current high quality SSD, uses a 2mb block size. This is
500 times larger than a spinning drive
New Cached Controllers Save Money
SATA RAID w/ SSD Cache Drives
Allow inexpensive spinning SATA Drives in RAID Configurations
Attach 128GB or 256GB SSD for Read/Write Cache
Cache drive is connected directly to the controller
The controller manages the cache
Benefits
All the safety, hot-swap, and management of RAID
All the performance of an SSD
SATA Drive are CHEAP CHEAP CHEAP
Product Examples:
Adaptec 6805Q with MaxCache 3.0
LSI MegaRAID SAS 9271-8i
DID YOU KNOW?
If you have 23 people in a room,
there is a 50% chance that
two of them have the
same birthday
Look at that View!
The better you make your database views work,
the faster your server will be
Use the “Manage Views” Admin Client Feature
Switch @Responeses to @AllDescendants
NO visible difference to users
Can reduce view sizes drastically
View #2 is 153 Times the Size of #1 and has the EXACT same content
Limit Sorted Columns
Each Additional Sorted Column Can DOUBLE the size of the view index
5 Sorted Columns?
In our 30k Doc Example, Our 6mb View could become:
6mb * 2 * 2 * 2 * 2 == 96 mb
DID YOU KNOW?
Oxford University
is older than the
Aztec Empire
Authentication Buzzwords
The minimum you need to know
about SAML and OAUTH
OAUTH Acts like a “valet key”
The ‘Client’ gets its
own set of
credentials to access
your account
You can limit what
those client
credentials may do
on your behalf
Allows you to control
or revoke access on a
case by case basis.
OAuth Terminology
Resource Owner: Who’s Content Is it?
Client: Who wants to access the content?
Server: Where does the content live?
SAML Overview
SAML is a very rich and detailed specification which provides for passing identity
along with meta data between an Identity Provider and one or more Service
Providers
Data is passed in XML packages
Generally using http protocols, but not necessary always. The XML can be passed almost any
way.
Packaged XML can be signed, encrypted, both, or neither
Communication can be made directly between the SP and the IdP or the XML
packages can be passed by the requesting client.
Usually, the packets are passed by the requesting client as part of the http GET or POST data
SAML Terminology
Security Assertion Markup Language
IdP – Identity Provider
Oracle Identity Manager
IBM Tivoli Federated Identity Manager
Microsoft Active Directory Federation Services
SP – Service Provider
Your Domino Server
Assertion – What the IdP tells the SP
DID YOU KNOW?
Humans went to the moon before we
figured out that it would be a good idea
to put wheels on suitcases
Let’s Talk About HTTP
Here’s some settings most people don’t ever touch
Server Wide HTTP Settings - Basics
• Host Name is used by the server
when generating references
• DNS Lookups only need to be on if
you are logging and want the DNS
name of the requesting clients
• The Number of Active Threads is
critical for performance tuning!
• We will visit this setting at length
Domino HTTP Threads
One web page may require several threads
- One thread per HTTP/HTTPS Request
• Including every image, script, and style sheet
- Any agent uses a thread of it’s own
• Including WQO and WQS agents
Traveler uses 1 thread per device
Domino default is 40 threads
Traveler will change this using an INI parameter
- NTS_MAX_HTTP_THREADS
- 32 bit Traveler Server: 100
- 64 bit Traveler Server: 400
Deciding How Many Threads to Allocate
Thread pooling means waiting for page loads
• Like a line for checkout at the grocery store
Up to 40k Per Thread
- Can be an issue – especially on 32 bit servers
Show Statistics to determine need
- Domino.threads.active.peak
- http.currentconnections
- http.peakconnection
Domino Thread Pooling Methods
Configured in the NOTES.INI
- HTTPQueueMethod = 0
• Default Prior to 8.5.1
• Simple Round Robin – You get in the next line regardless of how many are in it already
• If you get in the wrong line, you wait, even if another line is open
• Optimized Line Assignments – You get put in the shortest line at the time you arrive
• If your line takes a long time, you’re stuck in it
• Default For 8.5.1+
• There is only one line, each request gets the next available thread
Let the browser cache common items
Resources that don’t change frequently can be cached
JPG
PNG
GIF
MOV
MP3
MSI
MPG
ZIP
EXE
Don’t Advertise Your Server Type
HttpDisableServerHeader=0 (Default)
HttpDisableServerHeader=1
Once you disable the
default You can use an
HTTP Response Header
rule to use any value you
want for the server
DID YOU KNOW?
No square piece of paper can be folded
in half more than 7 times
Here are more obscure HTTP
settings to worry about
Server Wide Settings
• Listen Queue Size
• This is all the sessions waiting for an active thread
• Setting it higher will probably hurt, not help
• The operating system also limits the queue size
• Maximum Number of concurrent sessions
• Very little documentation available
• Should be at least as high as the number of threads
• Probably best to leave it alone
• Persistent Connections
• Disable on most servers after version 5
• It is now faster to re-establish the session than hold it open
Tuning HTTP Memory Usage
HTTPUseNotesMemory & iNotesUseNotesMemory
- Setting to 0 will use the OS memory management routines
• Better memory utilization & performance (slight)
• Less debugging information available
HTTPJVMMaxHeapSize
-
Introduced in 8.5 to govern the memory used by the HTTP JVM
JavaMaxHeapSize is similar but applies to all JVM processes
The default value in 8.5 is 256Mb
The default value in 8.5.2 is 64Mb
On IBM iSeries 256Mb is required
On 64 bit machines with plenty of memory you can set much higher
JavaStackSize
- Default is 409600 (400kb)
- You only need to increase this if your has deeply nested function calls and recursive algorithms.
Multiple SSL Certs on One Server
Yes! It Can Be Done
EVERY Web Site Definition MUST be bound to a UNIQUE IP address -- NOT bound
to DNS Name
That’s all it takes
The same Domino Session Token for different Domains
Thank Paul Mooney for this one!
Create the LTPA Token in the web sites view for the first domain.
Copy and Paste a copy of that document, creating a duplicate
Edit the duplicate copy to change the domain
That’s all it takes
HTTPD.CNF
• MIME type configuration
• If you make changes mark the file read-only and back it up
• This file will be over-written during server upgrades
DID YOU KNOW?
The arteries of a
blue whale are
so large, that a
human could
swim through
them
SMTP Routing
Here’s a cheat sheet
SMTP Routing in a Nutshell
Server Documents except the server that will route smtp
Set "SMTP Listener" to Disabled
Set "Routing Tasks" to "Mail Routing" – but not "SMTP Mail Routing"
Create a "Foreign SMTP Domain" Domain Document
Route *.* to "OurFakeName"
Create a Connection Document
Type: SMTP
Source Server: The domino server with smtp
Destination Server: MAKE UP a name
Destination Domain: "OurFakeName"
Routing Task: SMTP Mail Routing
DID YOU KNOW?
The earth is smoother
than a billiard ball,
if both were the
same size
To a security consultant, there
are only 2 Levels of Paranoia
1. Absolute
2. Insufficient
The ECL Hack
Here’s why you should tighten up your ECLs
Send a message to someone with a link
The link is actually a hotspot
The hotspot actually opens the page indicated
The hotspot also does other things
User Impersonation Attack
Very Difficult To Spot
ECL Hack Code
ECL Hack Result
The SMTP Hack
220 mail.domain.ext ESMTP Sendmail (version); (date)
HELO local.domain.name
250 mail.domain.ext Hello local.domain.name [loc.al.i.p], pleased to meet you
MAIL FROM: [email protected]
250 2.1.0 [email protected]... Sender ok
RCPT TO: [email protected]
250 2.1.0 [email protected]... Recipient ok
Subject: whatever you want
250 2.1.0 [email protected]... Subject ok
This is the message body...
.
250 2.0.0 ???????? Message accepted for delivery
Quit
221 2.0.0 mail.domain.ext closing connection
Connection closed by foreign host.
DID YOU KNOW?
The
Mona Lisa
has no
eyebrows
One Last Tip
Make your Client load faster
Notes 8 Client Tweak
To make the Eclipse based client load faster
Open this folder:
{NotesProgramDirectory} \framework \rcp \deploy
Prior to 8.5.1 use this folder instead:
{NotesProgramDirectory} \framework \rcp \eclipse \plugins
\com.ibm.rcp.j2se.{Version}
Edit the file: jvm.properties
Change the line: vmarg.Xmx=-Xmx256m
So that it reads: vmarg.Xmx=-Xmx512m
Note: You can set it higher, but aim for no more than half of your available RAM
Readers on my blog overwhelmingly report fantastic results with this one
DID YOU KNOW?
The Electric Chair was
invented by a Dentist
DID YOU KNOW?

AdminCamp `15

Transcrição

Documentos relacionados

Firmenportraits Company portraits Halle 4, Stand 4F61

IBM Lotus Domino Server and Application Performance in the Real

Welcome to Grade 6! We are very much looking forward to meeting

Apartamento al lado del Yumbo Center

felt - Ute Zeller von Heubach

30236 - A2 - Bocconi University

Internships and Jobs - Leuphana Universität Lüneburg

Steinbeck Musikquiz Runde 2 Team: Nenne den Interpreten des

Module 4: Conflicts

Ausgewählt und kommentiert vom Süddeutsche Zeitung Magazin

Profiles - Sourcing Day Poland 2015 Międzynarodowa Giełda