This topic applies only to the z/OS operating system.

Security tuning tips

As a general rule, two things happen when you increase security: the cost per transaction increases and throughput decreases. Consider the following security information when you configure WebSphere Application Server.

SAF class

When a SAF (RACF or equivalent) class is active, the number of profiles in the class affects the cost of each access check. Placing the profiles of a class in an in-storage table (RACLISTing the class) improves the performance of the access checks. Audit controls on access checks also affect performance: audit records are written to DASD, which adds overhead to every audited check, so the usual practice is to audit failures and not successes. Because all security authorization checks are done through SAF (RACF or equivalent), you can enable and disable SAF classes to control which checks are made. A class that is not active costs a negligible amount of overhead; it also performs no checks, so deactivate only classes whose checks you do not rely on.

EJBROLEs on methods

Use the minimum number of EJBROLEs on methods. If you use EJBROLEs, each additional role on a method is another access check that can be performed at dispatch, so method dispatch slows as roles are added. If you do not use EJBROLEs, do not activate the EJBROLE class.
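To see how many EJBROLE checks a method can incur, the following added Python script (an illustration, not WebSphere tooling or code from this page) parses the method-permission entries of an ejb-jar.xml assembly descriptor and reports the roles attached to each method. The descriptor embedded in it is constructed, and the threshold used by most_checked is an arbitrary choice.

```python
"""Count the roles attached to each EJB method in an ejb-jar.xml assembly
descriptor. Every role named on a method is one more EJBROLE profile the
container may have to check at dispatch, so this lists the methods that
carry the most checks. Added illustration, not WebSphere tooling; the
descriptor below is constructed."""

import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample descriptor: one method with three roles, one with a
# single role, and one left unchecked.
SAMPLE_EJB_JAR = """<?xml version="1.0" encoding="UTF-8"?>
<ejb-jar xmlns="http://java.sun.com/xml/ns/j2ee" version="2.1">
  <assembly-descriptor>
    <method-permission>
      <role-name>teller</role-name>
      <role-name>manager</role-name>
      <role-name>auditor</role-name>
      <method>
        <ejb-name>Account</ejb-name>
        <method-name>getBalance</method-name>
      </method>
    </method-permission>
    <method-permission>
      <role-name>manager</role-name>
      <method>
        <ejb-name>Account</ejb-name>
        <method-name>transfer</method-name>
      </method>
    </method-permission>
    <method-permission>
      <unchecked/>
      <method>
        <ejb-name>Account</ejb-name>
        <method-name>ping</method-name>
      </method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>
"""


def roles_per_method(descriptor_xml):
    """Map 'EjbName.methodName' -> sorted list of roles granted on it.

    A method covered only by <unchecked/> is reported with an empty list.
    A <method-name> of '*' is kept literally as the key 'EjbName.*'.
    """
    root = ET.fromstring(descriptor_xml)
    # Descriptors usually declare a default namespace; strip it so the
    # tag lookups below work with or without one.
    for el in root.iter():
        if "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    roles = defaultdict(set)
    for perm in root.iter("method-permission"):
        names = [r.text.strip() for r in perm.findall("role-name")]
        for m in perm.findall("method"):
            ejb = m.findtext("ejb-name").strip()
            method = m.findtext("method-name").strip()
            roles[f"{ejb}.{method}"].update(names)  # <unchecked/> adds nothing
    return {k: sorted(v) for k, v in roles.items()}


def most_checked(descriptor_xml, threshold=2):
    """Methods with more than `threshold` roles, most roles first."""
    per = roles_per_method(descriptor_xml)
    hot = [(k, len(v)) for k, v in per.items() if len(v) > threshold]
    return sorted(hot, key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for key, names in sorted(roles_per_method(SAMPLE_EJB_JAR).items()):
        print(f"{key}: {len(names)} role(s) {names}")
    print("over threshold:", most_checked(SAMPLE_EJB_JAR))
```

Run it against the deployed application's own ejb-jar.xml; a method that appears with several roles is a candidate for collapsing those roles into one, or for checking whether the extra roles are needed at all.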

Java 2 Security

If you do not need Java 2 security, disable it; it adds a permission check to each protected operation. For instructions on how to disable Java 2 security, refer to Protecting system resources and APIs (Java 2 security).

Level of authentication

Use the lowest level of authentication that is consistent with your security needs. You have the following options:
  • Local authentication: the fastest type because the path is highly optimized.
  • User ID and password authentication: a high first-call cost and a lower cost on each subsequent call.
  • Kerberos authentication: the cost of Kerberos authentication has not yet been adequately characterized.
  • SSL authentication: SSL is known throughout the industry for its performance overhead, but the hardware cryptographic assists available on z/OS make the cost reasonable.

Level of encryption with SSL

If you use Secure Sockets Layer (SSL), select the lowest level of encryption that is consistent with your security requirements. WebSphere Application Server lets you select which cipher suites are used, and the cipher suites dictate the encryption strength of the connection. The higher the encryption strength, the greater the impact on performance. For additional information about SSL, see Secure Sockets Layer security for WebSphere Application Server for z/OS.

The custom property security_disable_sysplex_encryption_optimization disables an optimization that is applied to SSL connections between applications that reside in the same sysplex. When the optimization is in effect, the handshake between a client that uses a JSSE provider and a server that uses System SSL selects a cipher suite that both sides support but that provides no encryption, such as SSL_RSA_WITH_NULL_MD5 or SSL_RSA_WITH_NULL_SHA; the connection is still authenticated and integrity-protected by the MAC, but the application data crosses the sysplex in clear text. Setting the property makes the handshake select the cipher suite that provides the strongest encryption common to both sides, at the usual SSL cost.
Note: You set this custom property in the administrative console on the Environment > WebSphere Variables panel.
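As an added illustration (not WebSphere or System SSL code, and not from this page), the following Python model shows what the optimization does to the handshake: with it on, a NULL cipher suite common to both sides is picked; with it off, the strongest common suite is. The suite lists are constructed, the strength ranking is a simplified heuristic keyed on the bulk-cipher token of the suite name, and the fall-back to the strongest common suite when no NULL suite is common is this model's assumption.

```python
"""Model of cipher-suite negotiation between a JSSE client and a System SSL
server, showing why the intra-sysplex encryption optimization ends in a NULL
cipher. Added illustration, not WebSphere or System SSL code. Suite names are
standard JSSE names; the strength table is a simplified ranking heuristic;
the sample suite lists are constructed."""

# Effective key strength in bits, keyed by the bulk-cipher token of a suite
# name (heuristic for ranking only; 3DES counted at its effective 112 bits).
_BULK_STRENGTH = {
    "NULL": 0, "RC4_40": 40, "DES40": 40, "DES": 56,
    "3DES_EDE": 112, "RC4_128": 128, "AES_128": 128, "AES_256": 256,
}


def bulk_cipher(suite):
    """Return the bulk-cipher token of a suite, e.g. 'AES_128' or 'NULL'."""
    if "_WITH_" not in suite:
        raise ValueError(f"not a JSSE-style suite name: {suite}")
    _kx, rest = suite.split("_WITH_", 1)
    body, _mac = rest.rsplit("_", 1)        # drop the MAC suffix (MD5, SHA, ...)
    for mode in ("_CBC", "_GCM"):            # drop the cipher-mode token
        body = body.replace(mode, "")
    if body not in _BULK_STRENGTH:
        raise ValueError(f"unknown bulk cipher in {suite}")
    return body


def strength_bits(suite):
    return _BULK_STRENGTH[bulk_cipher(suite)]


def is_null_cipher(suite):
    """True for suites that authenticate and MAC the data but do not encrypt it."""
    return strength_bits(suite) == 0


def negotiate(client_suites, server_suites, sysplex_optimization):
    """Suite the handshake settles on, walking the server list in order.

    With the optimization on, a common suite that provides no encryption is
    chosen (as the page describes); falling back to the strongest common
    suite when no NULL suite is common is this model's assumption. With the
    optimization off (security_disable_sysplex_encryption_optimization set),
    the strongest common suite is chosen. Returns None when nothing is common.
    """
    common = [s for s in server_suites if s in client_suites]
    if not common:
        return None
    if sysplex_optimization:
        for suite in common:
            if is_null_cipher(suite):
                return suite
    return max(common, key=strength_bits)


def null_suites(configured):
    """Audit helper: suites in a configured list that give no confidentiality."""
    return [s for s in configured if is_null_cipher(s)]


# Constructed sample lists: a System SSL server that still carries the NULL
# suites the optimization relies on, and a JSSE client that offers them too.
SERVER_SUITES = [
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_NULL_SHA",
    "SSL_RSA_WITH_NULL_MD5",
]
CLIENT_SUITES = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_NULL_SHA",
    "SSL_RSA_WITH_NULL_MD5",
]

if __name__ == "__main__":
    print("optimization on :", negotiate(CLIENT_SUITES, SERVER_SUITES, True))
    print("optimization off:", negotiate(CLIENT_SUITES, SERVER_SUITES, False))
    print("NULL suites on server:", null_suites(SERVER_SUITES))
```

The optimization only has something to pick when both sides still list NULL suites. If the intent is to go without encryption inside the sysplex only, run null_suites over the cipher list of any server that also faces clients outside it; a NULL suite that appears there can be negotiated by an external client as well.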

RACF tuning

Follow these guidelines for RACF tuning:




Subtopics
Resource Access Control Facility Tips for customizing WebSphere Application Server
Related tasks
Protecting system resources and APIs (Java 2 security)
Tuning security configurations
Related information
Session management settings
Secure Sockets Layer security for WebSphere Application Server for z/OS
Reference topic    


Last updated: Aug 29, 2010 8:25:23 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=vela&product=was-nd-zos&topic=rprf_tunezsec
File name: rprf_tunezsec.html