Redirector configuration tips
- Redirector load capacity recommendations.
- Windows server and Windows workstation registry modifications for Z and I Emulator for Web
- Windows TCP Registry parameters
- Java Registry parameters
- Migrating Redirector information into LDAP
- Setting up Z and I Emulator for Web Redirector with SSL using Self-Signed Certificate
-
Redirector load capacity recommendations.
Be sure that the number of connections you are trying to establish is not affecting the performance of your Redirector machine. You can use the following information as a guide for estimating the load capacity of the Z and I Emulator for Web Redirector on AIX and Windows. Actual numbers may vary, depending on the following factors: hardware, network traffic, server load, and the frequency of session establishment.
On average, the Redirector established 13 connections per second. Each established connection then started a new transaction (data sent) 1/10 of a second after the previous transaction ended (data received). Most services and programs were stopped on the test machines, including the Web servers.
AIX
Hardware specifications
We used the following hardware and network specifications on an isolated test network:
- Model 7025
- Dedicated dual processor, 2 GB memory
- -Xms 512M service manager shell script memory parameter
Redirector load capacity recommendations
Connection type Recommended number of users SSL 10,000 Non-SSL 15,000 Service manager parameters
Set the following parameters in the sample service manager shell script:
Parameter Description ulimit -n Controls the number of open file descriptors. -Xms Minimum memory parameter for Java. It must be greater than 256 MB. Windows
Hardware specifications
We used the following hardware and network specifications on an isolated test network:
- Windows 2000 Server
- Dedicated dual 2 GHz processors, 1 GB memory
Redirector load capacity recommendations
Connection type Recommended number of users SSL 3,000 Non-SSL 4,000 -
Windows server and Windows workstation registry modifications for Z and I Emulator
for Web
To achieve maximum throughput, you may need to modify the following parameters in the Windows Registry:
Parameter Description MaxUserPort Controls the maximum port number used when an application requests any available user port from the system. KeepAlive Keeps the REDIRECTOR connection alive during a period of inactivity. -Xms Minimum memory parameter for Java. It must be greater than 256 MB. -Xmx Maximum Java heap size. -
Windows TCP Registry parameters
When running the Z and I Emulator for Web Redirector on a Microsoft Windows server, you should review the following Microsoft Knowledge articles:
- Microsoft Knowledgebase Article 319504 describes how to modify the registry entry for MaxUserPort to increase the allocated TCPIP ports. We suggest modifying the existing registry entry or adding the parameter to the registry. The value of this parameter should be 65534.
- Microsoft Knowledgebase Article 238643 describes other Microsoft Windows TCPIP parameters. We suggest that you modify the value for KeepAliveTime. The default value for this parameter is two hours. This value can cause the operating system to keep TCP resources for connections that have terminated in use for two hours. If the Z and I Emulator for Web client disconnects from the Z and I Emulator for Web server for reasons other than logging off from the telnet session, it could take two hours for the Z and I Emulator for Web Redirector to close and free up all of the TCP connection resources being used between the Z and I Emulator for Web Redirector and Telnet server. Shortening the time from two hours to 30 minutes helps prevent TCP resources from being consumed by inactive sessions not fully closed. In addition, shortening the KeepAliveTime forces the operating system to check on connections more frequently. This allows the TCP protocol stack of Microsoft Windows to quickly detect the closed sessions and free up the resources.
-
Java Registry parameters
The Java parameters -Xms and -Xmx may require modification if you attempt to load the Z and I Emulator for Web server to the maximum capacity. If you notice the Redirector unexpectedly terminating or the presence of javacore.* files existing on your server, it may indicate you need to modify these Java parameters.
Make the following changes directly in the Windows Registry to update the Java options:
- From a command window, run Regedit.
- Search for IBMServiceManager, which should be located under HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services. Under IBMServiceManager, double-click Parameters.
- Locate the AppParameters key.
- Add the following parameters to the key before the
-classpath
parameter.
For example, on a system with less then 512Mb, setMake sure that you leave a space before -classpath and the additional parameters. It is important that the operating system have enough memory to run all Java functions required. Do not allocate all Java memory. -Xms256M -Xmx768M
, where -Xms sets the initial Java heap size and -Xmx sets the maximum Java heap size. Adjust the both values based on the total memory on your machine. The minimum value for the parameter -Xms should be 256M. The size of the -Xmx parameter is influenced by the amount of memory you have installed and should be set as large as possible. - Exit Regedit.
- From the Windows Control Panel, stop and restart the Z and I Emulator for Web Service Manager to make the changes active. If the Z and I Emulator for Web Service Manager fails to stop, go back and check the parameters you changed.
-
Migrating Redirector information into LDAP
In the Z and I Emulator for Web Administration Utility, if you enable the directory service to use LDAP, you must restart the Service Manager to migrate the Redirector information into LDAP. The Redirector Service panel in the Administration Utility is not updated with the Redirector information for the LDAP directory service until the Service Manager is restarted.
-
Setting up Z and I Emulator for Web Redirector with SSL using Self-Signed
Certificate
In addition to what you will find in the Planning, Installing, and Configuring Z and I Emulator for Web guide, use the following tips to set up Z and I Emulator for Web Redirector with SSL using Self-Signed Certificate.
If you are using SSL on the Redirector on Microsoft Windows or IBM AIX platform with a self-signed certificate, verify that the Z and I Emulator for Web Server Key and the CustomizedCAs.class files have been created and are located in the correct folders. The CustomizedCAS.class file should be located in the Z and I Emulator for Web publish directory. If applicable to your operating system, make sure the file permission bits for the CustomizedCAS.* file is set to 755.
When using a certificate from a public authority, you do not need to create the CustomizedCAs.class file. Take the following steps to create the Z and I Emulator for Web Server Key file:
- If any existing ServerKeyStore.jks or CustomizedCAs.class files exist, back them up to a different directory or delete them.
- Use any open source Key and Certificate Management utility to create a new CMS key database file, for example, ServerKeyStore.jks. You will need to enter a password for the key database and select to store the password to a file. If you set an expiration period for the password, be sure to remember when it will expire.
- Select Personal Certificates from the menu drop-down and create a New Self-Signed Certificate.
- Extract the Certificate as a Base64 .arm file or binary .br file to /zieforweb/bin.
- Save the file to ServerKeyStore.jks in the \zieforweb\bin directory.
Take the following steps to create the CustomizedCAs.class file:
- Select Key Database File > New. Create an SSLight key database class, for
example, CustomizedCAs.class in /zieforweb/ZIEWeb.
Select Signer Certificates from the drop-down and add the .arm certificate file. Label the certificate appropriately.The password must be zieweb
. - Select Key Database File and Save As. Select CMS key database file as JKS database. Replace the old file if it exists.
- Restart the Z and I Emulator for Web Service Manager.
- Modify or create a Redirector service with client-side security or security set to both sides if appropriate.
- Modify or create a session to connect to the above configured Redirector with SSL enabled.
- If appropriate, make sure the file permissions for customizedCAs.* are set to 755.