Recommendations for Application Servers of type NSH_Proxy

This topic provides general recommendations for sizing and optimizing Application Servers defined as type NSH_Proxy (or as type ALL, which includes the NSH_Proxy functionality). The term NSH proxy server refers to Application Servers of type NSH_Proxy.

The following tables presents the various NSH-proxy–related parameters that you should configure through the Application Server Administration Console (blasadmin utility) for any Application Server of type NSH_Proxy or ALL. After changing any of these settings, remember to restart the Application Server to pick up the changes made through blasadmin.

The settings on this page are divided into the following categories:

Recommendation

BMC recommends the use of NSH proxy servers for security.

Client connection service and thread pool settings

For the best performance, configure the NSH proxy server for the number of concurrent NSH connections that you expect it to manage. Some jobs, such as File Deploy Jobs, occasionally require as many as three simultaneous NSH connections per executing work item. User-written NSH script jobs might require more simultaneous NSH connections, depending on the actions that the scripts are performing.

Component

Parameter

Description and recommended value

AppServer

MaxNshProxyContexts

Maximum number of NSH connections to the NSH Proxy Server.

Set this value to the maximum number of concurrent NSH connections that you want the NSH proxy server to manage. By default this value is set to 50. Ensure that this value is set to no more than 2000.

AppServer

MaxNshProxyThreads

Maximum number of NSH proxy threads that are available to process Network Shell client connections.

Each proxy thread can accommodate multiple Network Shell client connections by switching between connections when there is no traffic on a particular connection. Increasing the maximum number of proxy threads can improve performance for Network Shell users. However, using an excessive number of threads can potentially degrade the performance of a Network Shell proxy server.

By default this value is set to 15.

The value of this parameter can be significantly less than MaxNshProxyContexts, to account for idle NSH connections. In the absence of usage estimates specific to the installation, BMC suggests an initial estimate of 20 percent of MaxNshProxyContexts.

For example, if MaxNshProxyContexts is set to 132 and you expect 20 percent of users to be active at the same time, set this value to 26 (132 × 0.2). If you have two load balanced NSH proxy servers, you can distribute the 26 NSH contexts between the two servers (13 each).

AppServer NshProxyMaxThreadIdleTime

Maximum idle time for thread processing.

This setting enables you to adjust the performance of proxy threads that process Network Shell client connections. Use one of the following values:

  • 0 - Provides the best thread switching performance. A thread is always available to serve another connection after traffic ends on the current connection.

  • -1 - Provides the fastest performance for a particular connection. Each thread is dedicated to a single connection so the thread never switches connections.

  • >0 - Provides a compromise between the two settings described above. A value greater than zero specifies a period, in milliseconds, that a thread should remain idle. While the thread is idle it continues to serve the current connection. When the specified period expires, the thread can switch to another connection. The longer you instruct a thread to be idle, the harder it is for that thread to process more than one connection.

By default, this parameter is set to 500 milliseconds.

AppServerMaxHeapSize

Maximum heap size for this Application Server.

Recommended values:

  • For 32-bit systems:
    • Microsoft Windows: 1024 MB
    • Linux: 1536 MB
    • Oracle Solaris: 2048 MB
  • For 64-bit systems:
    • Windows: 4096 MB
    • Linux: 4096 MB
    • Solaris: Not applicable

AppServer

MaxJMXConnections

These connections are used for communication between Application Servers. In environments with many Application Server instances, this setting may need to be increased from the default of 20.

AppServer

MinPort,MaxPort

These settings specify a range of available ports used for communication between Application Servers. The default range provides for 50 ports (BasePort+50-BasePort+9899) which is sufficient for most environments.

AppServer IdleNshProxyPruneTime

Maximum idle time (in minutes) for a connection with a Network Shell client.

When there is no traffic over the connection between a Network Shell client and its proxy for this period of time, the connection is automatically closed. By default, this value is set to 120 minutes.

AppServerNshProxyApplicationSessionTimeOut

The number of seconds to allow the NSH proxy session to remain active based on the last authentication credentials that were provided, before timing out. By default, this value is set to 600 seconds (10 minutes). Improved handling of these sessions minimizes the number of handshakes that take place during the connection between the client and NSH proxy. For more information, see To control Network Shell proxy sessions.

AppServerNshProxySocketConnectTimeout

The number of seconds to continue trying to obtain a Network Shell proxy socket connection to the Application Server, before timing out. By default, this value is set to 60 seconds.

AppServerNshProxySocketOperationTimeout

The number of seconds to allow for NSH proxy socket reads before the socket times out. By default, this value is set to 7200 seconds.

Database connection settings

The number of available database connections can affect Job Server performance. The following parameters are recommended for database connections:

Component

Parameter

Description and recommended value

Database

MaxGeneralConnections

Maximum connections in the pool for the general thread group. The default setting for this parameter should be sufficient.

Database

MinGeneralConnections

Controls the minimum number of database connections created on startup for the General Connection pool. Because connections are created on demand, this has no impact on performance.

DatabaseMaxClientConnections

Maximum connections in the pool for client connections. Use the following rules of thumb:

  • For an Application Server configured to act exclusively as an NSH proxy server, this value should be twice the value of MaxNshProxyThreads.
  • For an Application Server configured to act as both a Configuration server and an NSH proxy server, this value should be 2 times the sum of the values for MaxWorkerThreads + MaxNshProxyThreads.
  • For an Application Server configured to act as both a Job server and an NSH proxy server, this value should be 2 times the sum of the values for MaxWorkerThreads + MaxNshProxyThreads.

Database

MinClientConnections

Controls the minimum number of database connections created on startup for the Client Connection pool. Because connections are created on demand, this has no impact on performance. The default is 0.

Database

MaxIdleTime

Maximum idle time, in seconds, for database connections. The Application Server closes database connections that are idle longer than the specified timeout. If there is a network device between the Application Server and database with a lower idle timeout, then this setting should be adjusted. The default is 600 seconds (10 minutes).

Database

MinTimeToLog

Controls logging of long running database queries. Leave at 0 to disable this functionality.

Database

FetchSize

Number of rows fetched simultaneously from the database. The default is 100 rows.

Database

IdleConnectionTestPeriod

Number of seconds that connections are idle before being tested. The default is 600 seconds (10 minutes).

Load balancer environments

The following Application Server configuration parameters are recommended for NSH proxy servers using a load balancer. For more information, see Considerations for load balancing.

Component

Parameter

Description and recommended value

AppServer

ValidateRequestURL

If set to true, the Application Server verifies that its own address appears in the list of request URLs encoded in the session credential.

For Application Servers in a load balancer environment, or otherwise using a custom ProxyServiceURL, take into account the type of traffic that you are load balancing:

  • If you are load balancing only authentication traffic (that is, connections to the AuthServiceURL), but are not load balancing traffic to the NSH_Proxy server (that is, to the ProxyServiceURL), or setting a custom ProxyServiceURL, set this parameter to true.
  • If you are load balancing all traffic — to both the AuthServiceURL and the ProxyServiceURL — or setting a ProxyServiceURL that does not match the appserver hostname, set this parameter to false, as the client sends its request to the load balancer, and not to the NSH proxy server that receives the connection request.

AppServer

ValidateClientIpAddress

Whether to enable (a value of true) or disable (a value of false) client network address validation.

In a load balancer environment, use the following guidelines to set the value for this parameter:

  • If you are load balancing only authentication traffic (that is, connections to the AuthServiceURL), but are not load balancing traffic to the NSH_Proxy server (that is, to the ProxyServiceURL), then check whether the load balancer was configured to pass through the client IP address:
    • If the load balancer was configured to pass through the client IP address, set this parameter to true.
    • If the load balancer was not configured to pass through the client IP address, then from the point of view of the Authentication Server, the client's IP address is that of the load balancer (that is, client connections appear to originate from the load balancer rather than from the actual client). Therefore, set this parameter to false.
  • If you are load balancing all traffic — to both the AuthServiceURL and the ProxyServiceURL — set this parameter to true, regardless of whether the load balancer was configured to pass through the client IP address.

AuthServer

ProxyServiceURLs

Set this parameter to contain the URL for the client's view of the load balancer for the NSH proxy servers.

Was this page helpful? Yes No Submitting... Thank you

Comments