(zos)

Security tuning tips

Generally, two things happen when you increase security: the cost per transaction increases and throughput decreases. Consider the following security information when you configure WebSphere Application Server.


SAF class

When a SAF (RACF or equivalent) class is active, the number of profiles in the class affects the overall cost of each access check. Placing the profiles of a class in an in-storage (RACLISTed) table avoids a trip to the RACF database on every check and noticeably improves the performance of the access checks. Audit controls on access checks also affect performance. Usually you audit failures and not successes: every audit event is written to DASD, which adds to the overhead of the access check that produced it. Because all of the security authorization checks are done through SAF (RACF or equivalent), you can enable and disable SAF classes to control which checks are made at all. A class that is not active costs a negligible amount of overhead.

Additionally, if a SAF class is not RACLISTed, you must restart the application server to pick up any changes that are made to profiles in the class. If the class is RACLISTed, the in-storage copy does not see profile changes until you issue SETROPTS RACLIST(classname) REFRESH, so that refresh becomes part of every profile change procedure.

Avoid trouble: Enabling auditing of all accesses on the classes that control access to objects in the UNIX System Services file system, such as the RACF DIRACC, DIRSRCH, FSOBJ and FSSEC classes or their equivalents in other SAF security managers, severely degrades performance, because every file and directory access made by the server then produces an audit record.


EJBROLEs on methods

Use the minimum number of EJBROLEs on methods. If you are using EJBROLEs, every role specified on a method is a further access check that may have to be executed before the method can be dispatched, so more roles per method means a slower overall method dispatch. If you are not using EJBROLEs, do not activate the class; an inactive class costs almost nothing.
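The following batch TSO job is an added example and is not part of the WebSphere documentation or product code. It shows the RACF commands behind the SAF class and EJBROLE guidance above: activating the EJBROLE class with an in-storage (RACLISTed) copy of its profiles, defining a role profile that audits failures only, restoring per-profile audit defaults on the UNIX System Services classes so that not every file access is logged, and refreshing the in-storage copy after a profile change. The job name, accounting information, the role name ADMINISTRATOR and the RACF group WASADMIN are assumptions chosen for the example; the EJBROLE profile name also depends on whether your cell uses a SAF profile prefix.

```jcl
//RACFTUNE JOB (ACCT),'WAS SAF TUNING',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//* Added example, not from the WebSphere documentation. Runs RACF
//* commands under batch TSO (IKJEFT01). Role and group names are
//* assumptions; adapt them to your installation.
//TSOBATCH EXEC PGM=IKJEFT01,DYNAMNBR=30
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  /* 1. Activate EJBROLE and keep its profiles in storage so an     */
  /*    authorization check does not read the RACF database.        */
  SETROPTS CLASSACT(EJBROLE) RACLIST(EJBROLE)

  /* 2. Define a role profile that audits failed accesses only.     */
  /*    With a SAF profile prefix the name would be <prefix>.<role>. */
  RDEFINE EJBROLE ADMINISTRATOR UACC(NONE) AUDIT(FAILURES(READ))
  PERMIT ADMINISTRATOR CLASS(EJBROLE) ID(WASADMIN) ACCESS(READ)

  /* 3. Class-level logging: DEFAULT lets each profile's AUDIT       */
  /*    setting decide. ALWAYS would log every access to DASD.       */
  SETROPTS LOGOPTIONS(DEFAULT(EJBROLE))

  /* 4. The in-storage copy is only re-read on REFRESH, so refresh  */
  /*    after every profile change instead of restarting the server.*/
  SETROPTS RACLIST(EJBROLE) REFRESH

  /* 5. Verify the profile, its audit setting and who is permitted. */
  RLIST EJBROLE ADMINISTRATOR AUTHUSER

  /* 6. Back out "audit all accesses" on the USS file system classes */
  /*    (the gotcha above): return them to per-profile defaults.     */
  SETROPTS LOGOPTIONS(DEFAULT(DIRACC DIRSRCH FSOBJ FSSEC))

  /* 7. If the applications do not use EJB roles at all, leave the  */
  /*    class inactive instead of step 1:                            */
  /*      SETROPTS NOCLASSACT(EJBROLE)                               */
/*
```

Submit the job from a user ID with the RACF SPECIAL or AUDITOR authority the SETROPTS options require, and check SYSTSPRT for the return code of each command; SETROPTS LIST shows the resulting CLASSACT, RACLIST and LOGOPTIONS state of the classes so you can confirm that no class is being audited on every access.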


Java 2 Security

If you do not need Java 2 security, disable it: every protected API call then skips the stack-walk permission check. For instructions on how to disable Java 2 security, refer to Protecting system resources and APIs (Java 2 security) for developing applications.


Level of authorization

Use the lowest level of authorization consistent with your security needs. You have the following options when dealing with authentication:


Level of encryption with SSL

If you are using SSL, select the lowest level of encryption consistent with your security requirements. WebSphere Application Server lets you select which cipher suites are enabled, and the cipher suite negotiated for a connection dictates its encryption strength. The higher the encryption strength, the greater the impact on performance. "Lowest" here still means a cipher suite your security requirements accept; suites that provide no encryption or use export-strength keys do not meet any realistic requirement and should not be enabled to save cycles.


RACF tuning

Follow these guidelines for RACF tuning:


Related tasks

  • Protecting system resources and APIs (Java 2 security) for developing applications


Related information

  • Session management settings