Performance impacts of WAS security

 

The potential to distribute the processing responsibilities between multiple servers and, in particular, multiple machines, also introduces a number of opportunities for meeting special security constraints in the system. Different servers or types of servers may be assigned to manipulate different classes of data or perform different types of operations. The interactions between the various servers may be controlled, for example through the use of firewalls, to prevent undesired accesses to data.

From the performance point of view, there are a few things to consider when designing a secure solution. Establishing SSL communication causes extra HTTP requests and responses between the machines, and every SSL message is encrypted on one side and decrypted on the other side. The authorization process adds additional load to the application server. In a distributed environment, the authorization server should be put onto a separate machine in order to offload application processing. The following three settings can help to fine-tune the security-related configuration to enhance performance:

  1. Security cache timeout

    This setting determines how long WebSphere caches information related to permissions and security credentials. When the cache timeout expires, all cached information becomes invalid. Subsequent requests for the information result in a database lookup. Sometimes, acquiring the information requires invoking an LDAP-bind or native authentication, both of which are relatively costly operations in terms of performance.

  2. HTTP session timeout

    This parameter specifies how long a session will be considered active when it is unused. After the timeout, the session expires and another session object will be created. With high-volume Web sites, this may influence the performance of the server.

  3. Registry and database performance

    Databases and registries used by an application influence WAS performance. Especially in a distributed environment, when the authorization process uses an LDAP server, you have to consider tuning the LDAP database and LDAP server for performance first, before starting to tune WebSphere.
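
The trade-off behind setting 1, as an added example that is not from the redbook or from WebSphere's code: a simplified Python model in which the whole cache is flushed when the timeout expires, as described above. It goes beyond the text by also measuring how long a user whose access was revoked in the registry keeps being authorized from the cache; the class, the function names and the request pattern are assumptions.

```python
# Added example: simplified model, not WebSphere code. Assumption taken from
# the text: when the timeout expires, ALL cached entries become invalid.
class SecurityCache:
    def __init__(self, timeout_s, registry):
        self.timeout_s = timeout_s
        self.registry = registry   # costly lookup (e.g. LDAP bind): (user, now) -> bool
        self.entries = {}
        self.expires_at = None     # set when the cache is first filled after a flush
        self.lookups = 0

    def is_authorized(self, user, now):
        if self.expires_at is not None and now >= self.expires_at:
            self.entries.clear()   # timeout expired: drop everything
            self.expires_at = None
        if user not in self.entries:
            self.lookups += 1      # cache miss -> registry round trip
            self.entries[user] = self.registry(user, now)
            if self.expires_at is None:
                self.expires_at = now + self.timeout_s
        return self.entries[user]


def simulate(timeout_s, users=5, period_s=10, duration_s=3600, revoke_at=1000):
    """Constructed workload: each user sends one request every period_s seconds;
    user0 loses access in the registry at revoke_at.
    Returns (registry lookups, seconds user0 stayed authorized after revocation,
    or None if never denied within duration_s)."""
    def registry(user, now):
        return not (user == "user0" and now >= revoke_at)

    cache = SecurityCache(timeout_s, registry)
    first_denied = None
    for now in range(0, duration_s, period_s):
        for i in range(users):
            ok = cache.is_authorized(f"user{i}", now)
            if i == 0 and not ok and first_denied is None:
                first_denied = now
    exposure = None if first_denied is None else first_denied - revoke_at
    return cache.lookups, exposure


if __name__ == "__main__":
    for t in (0, 60, 600):
        lookups, exposure = simulate(t)
        print(f"timeout={t:>3}s  registry lookups={lookups:>4}  stale window={exposure}s")
```

Under this constructed workload, raising the timeout from 60 to 600 seconds cuts registry lookups tenfold, while the revoked user stays authorized for 200 seconds instead of 20.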

WebSphere security is out of the scope of this redbook. However, an entire redbook is dedicated to this topic. See IBM WebSphere V5.0 Security, SG24-6573 for details.


 

WebSphere is a trademark of the IBM Corporation in the United States, other countries, or both.

 

IBM is a trademark of the IBM Corporation in the United States, other countries, or both.