VIP Web Services best practice for high-availability and optimal performance


Article ID: 150810


Updated On:

Products

VIP Authentication Service

Issue/Introduction

 

Resolution

Symantec VIP Web Services (API) Best Practices for High Availability and Optimal Performance

Your client implementation will vary depending on your specific configuration. The following best-practice guidelines are meant to optimize connectivity.

  • Include a unique request ID with every request sent to VIP Services. This identifier simplifies locating your organization's transactions and reconciling them against the client logs. Symantec recommends using a unique prefix to identify your subsystem, followed by a random string. For example, you can use 2FAUTHXXXXXXX or ACMEXXXXXXX to identify requests that originated from your two-factor authentication system.
  • Disable DNS caching to benefit from the VIP Services' active-active High-Availability feature.
  • If your application is coded in Java™: Most JVMs cache DNS entries by default and ignore the TTL that is specified in the DNS protocol. If your application is Java-based, you need to disable this behavior by setting the networkaddress.cache.ttl and networkaddress.cache.negative.ttl Java security properties to 0. (source: http://docs.oracle.com/javase/6/docs/technotes/guides/net/properties.html)
  • Enable HTTP 1.1 keep-alive to save setup costs for subsequent requests after a connection has been established.
  • Use connection pools to avoid creating new connections. Connection pool parameters will vary; refer to your Web Services library documentation for how to enable and tune connection pools.
  • Use the GetServerTime API to monitor connectivity from the client side. This lightweight API provides an estimate of the lowest response time that you can expect from the client.
  • Symantec recommends an SSL timeout of up to 5 seconds and 3 retries.
  • Due to VIP Service load balancing algorithms, SSL session resumption is not supported. 
  • Run any type of bulk update (such as disabling credentials of inactive users) during off-peak hours. Typically, schedule these updates during weekends or between 12:00 AM PST and 3:00 AM PST.
  • Load data can be obtained directly from Symantec. Do not perform load testing on VIP end-points. 
  • VIP Web Service WSDLs, unique URLs, and product documentation are often updated when VIP server-side APIs are updated. Periodically check VIP Manager for the latest builds.
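
The request ID, DNS caching, keep-alive, connection pooling, and timeout/retry guidelines above, applied together in a Java 11+ client. This is an added example, not Symantec's code: the class name, the 7-character random suffix, the Content-Type header, and reading the 5-second "SSL timeout" as both the connect and the per-request timeout are assumptions.

```java
import java.io.IOException;
import java.net.URI;
import java.net.http.*;
import java.security.SecureRandom;
import java.security.Security;
import java.time.Duration;

public class VipClientSketch {  // hypothetical class name
    private static final String ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
    private static final SecureRandom RNG = new SecureRandom();
    private static final int MAX_RETRIES = 3;                       // guideline: 3 retries
    private static final Duration TIMEOUT = Duration.ofSeconds(5);  // guideline: up to 5 seconds
    static {
        // Must run before the JVM's first name lookup: the cache policy is read only once.
        Security.setProperty("networkaddress.cache.ttl", "0");
        Security.setProperty("networkaddress.cache.negative.ttl", "0");
    }
    // One shared client for the whole application: it pools connections and
    // reuses them with HTTP/1.1 keep-alive instead of reconnecting per request.
    private static final HttpClient CLIENT = HttpClient.newBuilder()
            .version(HttpClient.Version.HTTP_1_1)
            .connectTimeout(TIMEOUT)
            .build();

    // Subsystem prefix followed by a random string, e.g. "2FAUTH" + 7 characters.
    static String newRequestId(String prefix, int randomLength) {
        StringBuilder id = new StringBuilder(prefix);
        for (int i = 0; i < randomLength; i++) {
            id.append(ALPHABET.charAt(RNG.nextInt(ALPHABET.length())));
        }
        return id.toString();
    }

    // Sends the same body (and therefore the same request ID) on the first try
    // and on each retry, so client logs show the attempts as one transaction.
    static HttpResponse<String> send(URI endpoint, String body)
            throws IOException, InterruptedException {
        HttpRequest request = HttpRequest.newBuilder(endpoint)
                .timeout(TIMEOUT)
                .header("Content-Type", "text/xml; charset=utf-8")  // assumption: SOAP 1.1
                .POST(HttpRequest.BodyPublishers.ofString(body))
                .build();
        IOException last = null;
        for (int attempt = 0; attempt <= MAX_RETRIES; attempt++) {
            try { return CLIENT.send(request, HttpResponse.BodyHandlers.ofString()); }
            catch (IOException e) { last = e; }  // includes connect and request timeouts
        }
        throw last;  // every attempt failed; surface the last error to the caller
    }
}
```

The caller builds the request body from the current WSDL, embeds the value from `newRequestId("2FAUTH", 7)` in it, and logs that ID alongside the response.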