Infinispan caching and clustering

The Connect2id server uses the Infinispan data-grid technology for clustered in-memory storage and caching.

The Infinispan configuration file is located in the WEB-INF directory of the web application:

WEB-INF\infinispan.xml

Infinispan map and cache names

The Connect2id server utilises a number of named Infinispan maps and caches.

What is the difference between a map and a cache?

• A map stores primary data that is relatively critical. In case RAM is not sufficient to keep the entire map in memory, overflowing entries can be persisted (evicted) to disk. LRU is the suggested eviction algorithm for all Connect2id server maps.
• A cache is similar to a map, but it stores redundant data for the purpose of speeding up request processing, by avoiding lengthy database queries. Caches need not have overflow to disk enabled.

The following list details the Infinispan maps and caches used in the Connect2id server, with their names, usage and recommended settings.

• Session store maps:

  • sessionStore.sessionMap – Stores the active user sessions with the Connect2id server, keyed by a secure session identifier (SID) which is stored in the user’s browser as a cookie. The session map maxEntries setting must equal the expected number of users times the permitted session quota per user. For example, if the total user count is 1 million and the session quota is five, the maxEntries should be set to 5 million.
  • sessionStore.subjectMap – An index of the active sessions for each logged in user. The subject map maxEntries setting should therefore be set to the total expected user count.

• Authorisation store maps and caches:

  • authzStore.codeMap – Stores the pending OAuth 2.0 authorisation codes before they get exchanged for an ID and access token. The code map maxEntries setting should be large enough to accommodate the pending OAuth 2.0 codes at any one time. Can be overflown to disk to conserve RAM.
  • authzStore.accessTokenMap – Stores the active OAuth 2.0 access tokens. The access token map maxEntries setting should be large enough to accommodate all potential access tokens in the system, which is the total expected user count times the total expected number of client applications. Can be overflown to disk to conserve RAM.
  • authzStore.authzCache – Caches the issued authorisations for each user and client application combination.

• Authorisation session maps:

  • op.authSessionMap – Stores the authentication session state for each user who has an OpenID Connect login page currently opened. The maxEntries setting should be large enough for the expected number of login pages open at any one time.
  • op.consentSessionMap – Stores the consent session state for each user who has an OpenID Connect login page currently opened. The maxEntries setting should be large enough for the expected number of login pages open at any one time.

• Client registration cache:

  • op.clientRegCache – Caches the client application registrations with the Connect2id server. The maxEntries setting should equal the total expected number of registered client applications. This cache is critical to the overall system performance and should therefore be sufficiently sized.

Infinispan versions

• Infinispan 6 is used in Connect2id server up to 2.2.1.

• Infinispan 7 is used in Connect2id server 2.3 and later.

Configuring cluster networking

Infinispan uses the popular JGroups library to provide reliable messaging between the Connect2id server nodes and features such as automatic cluster formation, node discovery and health checks.

Supported transport protocols:

• UDP (with IP multicast)
• TCP

How to setup a replicated Connect2id server cluster on your local network

All you need to do is put one or more additional Connect2id servers on your local network, which should be enabled for IP multicast. The nodes will automatically detect one another and form a replication cluster, using UDP as the message transport. The detection and negotiation process can be observed in the log of each server (at DEBUG level), or by using a JMX console to Infinispan.

JGroups configuration

Out of the box the Connect2id server is configured to point to the default JGroups UDP settings in the jgroups-udp.xml file. This XML file is packaged in Infinispan’s JAR:

WEB-INF/libs/infinispan-core-[version].jar

To use a different JGroups configuration edit the global transport configurationFile property in WEB-INF/infinispan.xml:

<jgroups>
    <stack-file name="jgroups-config" path="default-configs/default-jgroups-udp.xml"/>
</jgroups>

You can read more about configuration of JGroups in the Infinispan manual, or on the JGroups website:

• Infinispan: JGroups clustered configuration
• JGroups pages

WAN replication

The Connect2id server can also be operated across data centres by means of WAN replication. The following Infinispan and JGroups documents offer further pointers on how to set that up:

• Cross-site replication with Infinispan
• Bridging remote clusters with JGroups

Resources

• The Infinispan 7 manual, with detailed information on configuring cache policy, clustering, monitoring and management.
• The JGroups website for all underlying networking stuff.