...
| Code Block | ||
|---|---|---|
| ||
<Context sessionCookiePath="/"> |
Increase Resource Cache Size
uPortal and the typical collection of portlets take a lot of space. Tomcat 8.5 issues warnings about running out of resource cache space. Add the following cache configuration just before the close of the Context node.
| Code Block | ||||
|---|---|---|---|---|
| ||||
<Resources cachingAllowed="true" cacheMaxSize="100000" />
</Context> |
JVM Heap Configuration
uPortal requires a larger than standard PermGen space (Java 7 only) and more heap than may be allocated by default. A good conservative set of heap settings are -XX:MaxPermSize=384m (Java 7 only) -Xmx2048m. To add these, create a file called either setenv.sh (Linux/Mac) or setenv.bat (Windows) in your CATALINA_HOME/bin directory and add the configuration as follows. Note for production settings you would typically want more heap space, at least 4GB. See Additional Tomcat Configuration below.
| Code Block | ||
|---|---|---|
| ||
JAVACATALINA_OPTS="$JAVA$CATALINA_OPTS -XX:+PrintCommandLineFlags -XX:MaxPermSize=384m -Xms1024m -Xmx2048m -Djsse.enableSNIExtension=false" |
CATALINA_OPTS vs JAVA_OPTS
The uPortal instructions above previously recommended using JAVA_OPTS for heap sizing. This can lead to problems on memory constrained systems because JAVA_OPTS will be used when trying to stop Tomcat with its own scripts. You don't typically need a large heap at all for that operation. It is recommended to use CATALINA_OPTS, this is a better choice for sizing the heap in setenv scripts, because that var will only be used for Tomcat's http-serving runtime.
Required file permissions
...
Some sites have chosen to disable SSLv3 on their CAS server due to various vulnerabilities. That can cause problems with the CAS client used in uPortal being unable to establish an HTTPS connection to the CAS server to validate the service ticket and throwing an exception
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
One solution is to set the protocols used by Java when making SSL connections. You can do this by adding the following property to JAVACATALINA_OPTS OPTS (or CATALINAJAVA_OPTS if using that):
Oracle Java7: -Dhttps.protocols="TLSv1,TLSv1.1,TLSv1.2"
Your CAS server must be configured to use one of the mentioned protocols or the handshake will fail. If your test CAS server is publicly accessible, you can view which protocols it supports by entering its domain name into https://www.ssllabs.com/ssltest/.
If you run into troubles, refer to https://blogs.oracle.com/java-platform-group/entry/diagnosing_tls_ssl_and_https and other resources to help diagnose the issue.
...