IdP Memory Problem
A number of IdPs in the federation have found that Tomcat's default heapspace memory allocation of 64MB is not enough, due to the increasing size of the UK federation metadata file. Shibboleth 1.3 IdPs in particular have been affected by Java memory problems. Shibboleth 2.x IdP memory usage is more efficient, but nonetheless a minimum of 512MB is recommended.
These issues may manifest themselves as follows:
- the IdP cannot read the metadata file properly, and as a result fails to authenticate SPs
- the IdP crashes or hangs
To determine whether your IdP is affected, check the Tomcat catalina.out log file, in the logs subdirectory of your Tomcat install directory. If you see the following error then your IdP is affected:
java.lang.OutOfMemoryError: Java heap space
The solution is to allocate more Java heapspace to Tomcat. For a Linux or Unix system the -X option to the CATALINA_OPTS variable can be used. The usual way is to add something like this to the Tomcat start-up file:
export CATALINA_OPTS=-Xmx512m
which sets Tomcat's maximum heap space to 512MB (a number other than 512 can be used as necessary). If CATALINA_OPTS is already being set in the Tomcat start-up file then ensure you add the -X option to any pre-existing options.
In Windows it is easier to use the "Manage Tomcat" application to increase the heap space, which should be installed at a location something like this:
C:\Program Files\Apache Software Foundation\Tomcat 6.0\bin\tomcat6w.exe
The relevant setting is the "Maximum memory pool" on the Java tab.
The Tomcat service must be restarted to pick up the changes.
Please note that there is another related problem that affects the metadatatool Java application that is used by Shibboleth 1.3 IdP sites to refresh the federation metadata; that problem is documented here.