Redirector configuration tips

1. Redirector load capacity recommendations.
2. Windows server and Windows workstation registry modifications for Host On-Demand
3. Windows TCP Registry parameters
4. Java Registry parameters
5. Migrating Redirector information into LDAP
6. Setting up Host On-Demand Redirector with SSL using Self-Signed Certificate

1. Redirector load capacity recommendations.

   Be sure that the number of connections you are trying to establish is not affecting the performance of your Redirector machine. You can use the following information as a guide for estimating the load capacity of the Host On-Demand 9 Redirector on AIX and Windows. Actual numbers may vary, depending on the following factors: hardware, network traffic, server load, and the frequency of session establishment.

   On average, the Redirector established 13 connections per second. Each established connection then started a new transaction (data sent) 1/10 of a second after the previous transaction ended (data received). Most services and programs were stopped on the test machines, including the Web servers.

   AIX

   Hardware specifications

   We used the following hardware and network specifications on an isolated test network:

   • Model 7025
   • Dedicated dual processor, 2 GB memory
   • -Xms 512M service manager shell script memory parameter

   Redirector load capacity recommendations

   Connection type	Recommended number of users
   SSL	10,000
   Non-SSL	15,000

   Service manager parameters

   Set the following parameters in the sample service manager shell script:

   Parameter	Description
   ulimit -n	Controls the number of open file descriptors.
   -Xms	Minimum memory parameter for Java. It must be greater than 256 MB.

   Windows

   Hardware specifications

   We used the following hardware and network specifications on an isolated test network:

   • Windows 2000 Server
   • Dedicated dual 2 GHz processors, 1 GB memory

   Redirector load capacity recommendations

   Connection type	Recommended number of users
   SSL	3,000
   Non-SSL	4,000

2. Windows server and Windows workstation registry modifications for Host On-Demand

   To achieve maximum throughput, you may need to modify the following parameters in the Windows Registry:

   Parameter	Description
   MaxUserPort	Controls the maximum port number used when an application requests any available user port from the system.
   KeepAlive	Keeps the REDIRECTOR connection alive during a period of inactivity.
   -Xms	Minimum memory parameter for Java. It must be greater than 256 MB.
   -Xmx	Maximum Java heap size.

3. Windows TCP Registry parameters

   When running the Host On-Demand Redirector on a Microsoft Windows server, you should review the following Microsoft Knowledge articles:

   • Microsoft Knowledgebase Article 319504 describes how to modify the registry entry for MaxUserPort to increase the allocated TCPIP ports. We suggest modifying the existing registry entry or adding the parameter to the registry. The value of this parameter should be 65534.
   • Microsoft Knowledgebase Article 238643 describes other Microsoft Windows TCPIP parameters. We suggest that you modify the value for KeepAliveTime. The default value for this parameter is two hours. This value can cause the operating system to keep TCP resources for connections that have terminated in use for two hours. If the Host On-Demand client disconnects from the Host On-Demand server for reasons other than logging off from the telnet session, it could take two hours for the Host On-Demand Redirector to close and free up all of the TCP connection resources being used between the Host On-Demand Redirector and Telnet server. Shortening the time from two hours to 30 minutes helps prevent TCP resources from being consumed by inactive sessions not fully closed. In addition, shortening the KeepAliveTime forces the operating system to check on connections more frequently. This allows the TCP protocol stack of Microsoft Windows to quickly detect the closed sessions and free up the resources.

4. Java Registry parameters

   The Java parameters -Xms and -Xmx may require modification if you attempt to load the Host On-Demand server to the maximum capacity. If you notice the Redirector unexpectedly terminating or the presence of javacore.* files existing on your server, it may indicate you need to modify these Java parameters.

   Make the following changes directly in the Windows Registry to update the Java options:

   1. From a command window, run Regedit.
   2. Search for IBMServiceManager, which should be located under HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services. Under IBMServiceManager, double-click Parameters.
   3. Locate the AppParameters key.
   4. Add the following parameters to the key before the -classpath parameter.

      Make sure that you leave a space before -classpath and the additional parameters. It is important that the operating system have enough memory to run all Java functions required. Do not allocate all Java memory.

      For example, on a system with less then 512Mb, set -Xms256M -Xmx768M, where -Xms sets the initial Java heap size and -Xmx sets the maximum Java heap size. Adjust the both values based on the total memory on your machine. The minimum value for the parameter -Xms should be 256M. The size of the -Xmx parameter is influenced by the amount of memory you have installed and should be set as large as possible.
   5. Exit Regedit.
   6. From the Windows Control Panel, stop and restart the Host On-Demand Service Manager to make the changes active. If the Host On-Demand Service Manager fails to stop, go back and check the parameters you changed.

5. Migrating Redirector information into LDAP

   In the Host On-Demand Administration Utility, if you enable the directory service to use LDAP, you must restart the Service Manager to migrate the Redirector information into LDAP. The Redirector Service panel in the Administration Utility is not updated with the Redirector information for the LDAP directory service until the Service Manager is restarted.

6. Setting up Host On-Demand Redirector with SSL using Self-Signed Certificate

   In addition to what you will find in the Planning, Installing, and Configuring Host On-Demand guide, use the following tips to set up Host On-Demand Redirector with SSL using Self-Signed Certificate.

   If you are using SSL on the Redirector on Microsoft Windows or IBM AIX platform with a self-signed certificate, verify that the Host On-Demand Server Key and the CustomizedCAs.class or CustomizedCAs.p12 files have been created and are located in the correct folders. The CustomizedCAS.class or CustomizedCAS.pk12 file should be located in the Host On-Demand publish directory. If applicable to your operating system, make sure the file permission bits for the CustomizedCAS.* file is set to 755.

   When using a certificate from a public authority, you do not need to create the CustomizedCAs.class or CustomizedCAs.p12 file.

   Take the following steps to create the Host On-Demand Server Key file:

   1. If any existing HODServerKeyDb.kdb or CustomizedCAs.class or CustomizedCAs.p12 files exist, back them up to a different directory or delete them.
   2. Use the Host On-Demand Certificate Management to create a new CMS key database file, for example, HODServerKeyDb.kdb. You will need to enter a password for the key database and select to store the password to a file. If you set an expiration period for the password, be sure to remember when it will expire.
   3. Select Personal Certificates from the menu drop-down and create a New Self-Signed Certificate.
   4. Extract the Certificate as a Base64 .arm file or binary .br file to /hostondemand/bin.
   5. Save the file to HODServerKeyDB.kdb in the \hostondemand\bin directory.

   Take the following steps to create the CustomizedCAs.class or CustomizedCAs.p12 file:

   1. Select Key Database File > New. Create an SSLight key database class, for example, CustomizedCAs.class or CustomizedCAs.p12 in /hostondemand/HOD.

      The password must be hod.

      Select Signer Certificates from the drop-down and add the .arm certificate file. Label the certificate appropriately.
   2. Select Key Database File and Save As. Select CMS key database file as PKCS12 database. Replace the old file if it exists.
   3. Restart the Host On-Demand Service Manager.
   4. Modify or create a Redirector service with client-side security or security set to both sides if appropriate.
   5. Modify or create a session to connect to the above configured Redirector with SSL enabled.
   6. If appropriate, make sure the file permissions for customizedCAs.* are set to 755.
   Prior to connecting at the client, delete the temporary Internet file cache in the browser if using the Microsoft JVM on the client before starting the session and restart the browser.