Follow the guidelines below to deploy Identity Server in production. In addition to this, see Production Deployment Guidelines.
The following changes should be applied on a fresh Identity Server instance. Do not start the Identity Server until the configurations are finalized.
Changing the default keystore
- The private key is used for the HTTPS channel and for the token issuer to sign the issued tokens.
The following section of the carbon.xml should be updated to match your private key information.
Changing the host name
Change the host names of the Identity Provider to match the "Common Name" of the certificate of the private key.
Changing the HTTP/HTTPS ports
Open the <IS_HOME>/repository/conf/tomcat/catalina-server.xml file and change the HTTP and HTTPS ports in the <Connector> elements.
Configuring chunk size
In a production environment, a deadlock or database lock can occur when the session data cleanup task runs under high load. To mitigate this, configure the following property so that the task deletes data in chunks. Set this property in the <IS_HOME>/repository/conf/identity/identity.xml file under <SessionDataCleanUp> to the required chunk size. The value is a number of records and depends on the database type, the server capacity, and the amount of load generated by single sign-on (SSO). A higher value increases the chance of deadlocks; a lower value increases the time a cleanup takes.
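The checks above (host name matching the certificate "Common Name", HTTP/HTTPS ports set on the <Connector> elements, and a chunk size present under <SessionDataCleanUp>) are easy to get wrong by hand, so a pre-start validation script is worth keeping next to the deployment. The following is an added example, not WSO2's own tooling. It assumes carbon.xml carries the host name in <HostName> and <MgtHostName> under its <Server> root, that the HTTPS connector is the one with SSLEnabled="true", and that the chunk-size element is named DeleteChunkSize (that name is not given on this page and is taken from the product documentation; pass another element name if yours differs). The certificate CN is supplied as a string (for example, read off with keytool beforehand). All XML fragments are constructed samples.

```python
"""Pre-start sanity checks for an Identity Server deployment (added example)."""
import xml.etree.ElementTree as ET

# Host name the product ships with; it must not survive into production (assumption).
DEFAULT_HOST = "localhost"


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on namespaced tags
    (carbon.xml declares a default namespace on its <Server> root)."""
    return tag.rsplit("}", 1)[-1]


def hostname_findings(carbon_xml, cert_cn):
    """Return a list of problems with HostName/MgtHostName versus the certificate CN."""
    root = ET.fromstring(carbon_xml)
    values = {_local(el.tag): (el.text or "").strip()
              for el in root.iter() if _local(el.tag) in ("HostName", "MgtHostName")}
    findings = []
    for tag in ("HostName", "MgtHostName"):
        value = values.get(tag, "")
        if not value or value.lower() == DEFAULT_HOST:
            findings.append(f"{tag} is unset or still the default '{DEFAULT_HOST}'")
        elif value.lower() != cert_cn.lower():
            findings.append(f"{tag} '{value}' does not match certificate CN '{cert_cn}'")
    return findings


def connector_ports(catalina_xml):
    """Map 'http'/'https' to the port of each <Connector>; SSLEnabled="true" marks HTTPS."""
    root = ET.fromstring(catalina_xml)
    ports = {}
    for el in root.iter():
        if _local(el.tag) != "Connector":
            continue
        scheme = "https" if el.get("SSLEnabled", "false").lower() == "true" else "http"
        if scheme in ports:
            raise ValueError(f"more than one {scheme} connector configured")
        ports[scheme] = int(el.get("port", "0"))
    return ports


def chunk_size(identity_xml, element="DeleteChunkSize"):
    """Return the integer chunk size under <SessionDataCleanUp>, or None if absent."""
    root = ET.fromstring(identity_xml)
    for el in root.iter():
        if _local(el.tag) != "SessionDataCleanUp":
            continue
        for child in el:
            text = (child.text or "").strip()
            if _local(child.tag) == element and text.isdigit():
                return int(text)
    return None


def check_deployment(carbon_xml, catalina_xml, identity_xml, cert_cn):
    """Aggregate all findings; an empty list means the three checks passed."""
    findings = hostname_findings(carbon_xml, cert_cn)
    ports = connector_ports(catalina_xml)
    if "https" not in ports:
        findings.append('no HTTPS connector (SSLEnabled="true") found')
    elif ports["https"] == ports.get("http"):
        findings.append("HTTP and HTTPS connectors share a port")
    for scheme, port in ports.items():
        if not 1 <= port <= 65535:
            findings.append(f"{scheme} port {port} is out of range")
    if chunk_size(identity_xml) is None:
        findings.append("SessionDataCleanUp chunk size is not configured")
    return findings


# Constructed sample fragments (not real deployment files).
CARBON_OK = """<Server xmlns="http://wso2.org/projects/carbon/carbon.xml">
  <HostName>idp.example.com</HostName><MgtHostName>idp.example.com</MgtHostName></Server>"""
CARBON_DEFAULT = """<Server xmlns="http://wso2.org/projects/carbon/carbon.xml">
  <HostName>localhost</HostName><MgtHostName>localhost</MgtHostName></Server>"""
CATALINA_XML = """<Server><Service name="Catalina">
  <Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="9763" redirectPort="9443"/>
  <Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="9443"
             SSLEnabled="true" scheme="https" secure="true"/>
</Service></Server>"""
IDENTITY_XML = """<Server><SessionDataCleanUp><Enable>true</Enable>
  <DeleteChunkSize>50000</DeleteChunkSize></SessionDataCleanUp></Server>"""

if __name__ == "__main__":
    for label, carbon in (("good", CARBON_OK), ("default host", CARBON_DEFAULT)):
        result = check_deployment(carbon, CATALINA_XML, IDENTITY_XML, "idp.example.com")
        print(label, "->", result or "OK")
```

Run it before the first start of a fresh instance; any finding is a reason not to start the server yet. The script only reads the files, so it is safe to wire into a deployment pipeline as a gate.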