Security cache properties

The following Java virtual machine (JVM) security cache custom properties determine whether the authentication cache is enabled or disabled. If the authentication cache is enabled, as recommended, these custom properties specify the initial size of the primary and secondary hash table caches, which affect the frequency of rehashing and the distribution of the hash algorithms.

Important: The com.ibm.websphere.security.util.tokenCacheSize and com.ibm.websphere.security.util.LTPAValidationCacheSize properties were replaced with the com.ibm.websphere.security.util.authCacheSize property.
You can specify these system properties by completing the following steps:
  1. Click Servers > Application servers > server_name.
  2. Under Server Infrastructure, expand Java and Process Management.
  3. Click Process Definition > Java Virtual Machine.
  4. Under Additional properties, click Custom properties > New.
  5. Under General Properties, specify the property name and its value. You can specify multiple property name and value pairs delimited by a space.
  6. Click OK.

WebSphere Application Server includes the following security cache custom properties:

com.ibm.websphere.security.util.authCacheSize
Specifies the initial size of the primary and secondary hash table caches. A higher number of available hash values might decrease the occurrence of hash collisions. A hash collision results in a linear search for the hash bucket, which might slow retrieval. If several entries compose a hash table cache, create a table with a larger capacity that supports more efficient hash entries instead of allowing automatic rehashing to determine the growth of the table. Rehashing causes every entry to move each time.
Default: 50
Type: Integer
com.ibm.websphere.security.util.authCacheEnabled
Specifies whether to disable the authentication cache. For example, you can cache the user ID and the one-way hashed password as the key lookup for the cache or use a token. The com.ibm.websphere.security.util.authCacheEnabled custom property has three possible values:
  • A true value enables the authentication cache. The user registry or repository is not accessed multiple times.
  • A false value disables the authentication cache. The user registry or repository is accessed multiple times, which impacts performance. If you add com.ibm.websphere.security.util.authCacheEnabled=false to the Java virtual machine (JVM), the cache is disabled. WebSphere Application Server invokes a custom Java Authentication and Authorization Service (JAAS) login module.
  • A BasicAuthDisabled value enables the authentication cache, but does not allow credentials to be looked up by a user ID and a one-way hashed password.
Default: True
com.ibm.websphere.security.util.authCacheMaxSize
Specifies the maximum size of all entries in the authentication cache. This prevents unbounded growth of the cache. There are approximately three to four lookup entries per login added to the cache. Assume this size should be set to about five times the number of distinct users who might log in to your system during a single cache timeout period (the default is 30 minutes).

For example, if you have 200 users who might log in during a 30-minute period, set the maximum cache size to 1000 to handle this number of users without re-authentication occurring. Setting this value too large might cause memory issues if your JVM heap size is too small to handle the number of cache entries. Setting this value too small can affect the login performance of users who re-authenticate frequently (such as when moving around secured links on a website).

Default: 25000
Type: Integer
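
A configuration check for the properties listed above, as an added Python example (not IBM's code). It assumes the properties are supplied as space-delimited name=value pairs and that authCacheEnabled values compare case-insensitively; the names parse_pairs, audit and SAMPLE are hypothetical.

```python
PREFIX = "com.ibm.websphere.security.util."
# Properties the page says were replaced by authCacheSize.
REPLACED = {PREFIX + "tokenCacheSize", PREFIX + "LTPAValidationCacheSize"}
# Defaults as documented on the page.
DEFAULTS = {"authCacheSize": "50", "authCacheEnabled": "true",
            "authCacheMaxSize": "25000"}
ENABLED_VALUES = {"true", "false", "basicauthdisabled"}


def parse_pairs(text):
    """Parse space-delimited name=value pairs (input format is an assumption)."""
    return dict(pair.split("=", 1) for pair in text.split())


def audit(props, users_per_timeout):
    """Return findings; users_per_timeout = distinct users per cache timeout."""
    findings = []
    for name in sorted(REPLACED.intersection(props)):
        findings.append(f"{name}: replaced by {PREFIX}authCacheSize")

    def value(key):
        return props.get(PREFIX + key, DEFAULTS[key]).strip()

    enabled = value("authCacheEnabled").lower()  # case-insensitive: assumption
    if enabled not in ENABLED_VALUES:
        findings.append(f"authCacheEnabled: unrecognized value {enabled!r}")
    elif enabled == "false":
        findings.append("authCacheEnabled: cache disabled, registry is "
                        "accessed multiple times")

    sizes = {}
    for key in ("authCacheSize", "authCacheMaxSize"):
        raw = value(key)
        if raw.isdigit() and int(raw) > 0:
            sizes[key] = int(raw)
        else:
            findings.append(f"{key}: {raw!r} is not a positive integer")

    needed = 5 * users_per_timeout  # the page's sizing rule of thumb
    if sizes.get("authCacheMaxSize", needed) < needed:
        findings.append(f"authCacheMaxSize: {sizes['authCacheMaxSize']} is "
                        f"below 5 x {users_per_timeout} = {needed}")
    return findings


# Constructed sample input, not taken from a real server.
SAMPLE = (PREFIX + "tokenCacheSize=100 " + PREFIX + "authCacheEnabled=false "
          + PREFIX + "authCacheMaxSize=500")
```

Calling audit(parse_pairs(SAMPLE), 200) reports the replaced property, the disabled cache, and a maximum size below the 1000 entries that the 200-user case calls for.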



Related tasks
Revoking users from a cache
Tuning security configurations

Last updated: Aug 31, 2013 12:02:36 AM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=pix&product=was-nd-zos&topic=rsec_tuneproperties
File name: rsec_tuneproperties.html