Security tuning tips (z/OS)
Generally, two things happen when you increase security: the cost per transaction increases and throughput decreases. Consider the following security information when you configure WebSphere Application Server.
SAF class
When a SAF (RACF or equivalent) class is active, the number of profiles in the class affects the overall performance of the check. Placing these profiles in a (RACLISTed) memory table improves the performance of the access checks. Audit controls on access checks also affect performance. Usually, you audit failures and not successes. Audit events are logged to DASD, which increases the overhead of the access check. Because all of the security authorization checks are done with SAF (RACF or equivalent), we can choose to enable and disable SAF classes to control security. A disabled class costs a negligible amount of overhead.
Additionally, if a SAF class is not RACLISTed, you must restart the application server to pick up any changes that are made to profiles in the class.
Avoid trouble: Enabling all auditing on classes that control access to objects in the UNIX System Services file system, such as RACF DIRACC, DIRSRCH, FSOBJ and FSSEC, or their equivalent in other SAF security managers, severely degrades performance.
EJBROLEs on methods
Use a minimum number of EJBROLEs on methods. If we are using EJBROLEs, specifying more roles on a method leads to more access checks that must be executed and a slower overall method dispatch. If we are not using EJBROLEs, do not activate the class.
Java 2 Security
If we do not need Java 2 security, disable it. For instructions on how to disable Java 2 security, refer to Protecting system resources and APIs (Java 2 security) for developing applications.
Level of authorization
Use the lowest level of authorization consistent with the security needs. You have the following options when dealing with authentication:
- Local authentication: Local authentication is the fastest type because it is highly optimized.
- UserID and password authentication: Authentication that uses a user ID and password has a high first-call cost and a lower cost with each subsequent call.
- Kerberos security authentication: We have not adequately characterized the cost of Kerberos security yet.
- SSL security authentication: SSL security is notorious in the industry for its performance overhead. Luckily, there are many assists available from hardware to make this reasonable on z/OS.
Level of encryption with SSL
If using SSL, select the lowest level of encryption consistent with the security requirements. WebSphere Application Server enables you to select which cipher suites you use. The cipher suites dictate the encryption strength of the connection. The higher the encryption strength, the greater the impact on performance.
RACF tuning
Follow these guidelines for RACF tuning:
- Use the RACLIST to place into memory those items that can improve performance. Specifically, ensure that you RACLIST (if used):
  - CBIND
  - EJBROLE
  - SERVER
  - STARTED
  - FACILITY
  - SURROGAT
  Example:
    RACLIST (CBIND, EJBROLE, SERVER, STARTED, FACILITY, SURROGAT)
- Use of things like SSL comes at a price. If we are a heavy SSL user, ensure that we have appropriate hardware, such as PCI crypto cards, to speed up the handshake process.
- Here is how you define the BPX.SAFFASTPATH facility class profile. This profile allows us to bypass SAF calls that can be used to audit successful shared file system accesses.
  - Define the facility class profile to RACF.
      RDEFINE FACILITY BPX.SAFFASTPATH UACC(NONE)
  - Activate this change by doing one of the following:
    - re-IPL
    - invoke the SETOMVS or SET OMVS operator commands.
  Do not use this option if we need to audit successful HFS accesses or if you use the IRRSXT00 exit to control HFS access.
- Use VLF caching of the UIDs and GIDs as shown in the example COFVLFxx parmlib member:
  Example: sys1.parmlib(COFVLFxx):
    ********************************* Top of Data ********************
    .
    .
    CLASS NAME(IRRGMAP) EMAJ(GMAP)
    CLASS NAME(IRRUMAP) EMAJ(UMAP)
    CLASS NAME(IRRGTS) EMAJ(GTS)
    CLASS NAME(IRRACEE) EMAJ(ACEE)
    .
    ******************************** Bottom of Data ******************
  To avoid a costly scan of the RACF databases, make sure that all HFS files have valid GIDs and UIDs.
- Do not enable global audit ALWAYS on the RACF (SAF) classes that control access to objects in the UNIX file system. If audit ALWAYS is specified in the SETR LOGOPTIONS for RACF classes DIRACC, DIRSRCH, FSOBJ, or FSSEC, severe performance degradation occurs. If auditing is required, audit only failures by using SETR LOGOPTIONS, and audit successes for only selected objects that require it. After changing the audit level on these classes, always verify that the change has not caused an unacceptable impact on response times or CPU usage.
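A check for the RACLIST and LOGOPTIONS guidance above, added here as an example and not part of the original page. It parses a constructed excerpt laid out like SETROPTS LIST output (the layout and the names `parse_setropts` and `audit_findings` are assumptions) and reports active classes from the page's list that are not RACLISTed, plus any file system classes audited ALWAYS.

```python
import re

# Classes the page says to RACLIST (if used), and the UNIX file system
# classes it says must not be audited ALWAYS.
RACLIST_WANTED = {"CBIND", "EJBROLE", "SERVER", "STARTED", "FACILITY", "SURROGAT"}
FS_CLASSES = {"DIRACC", "DIRSRCH", "FSOBJ", "FSSEC"}

# Constructed sample; the layout is assumed to follow SETROPTS LIST output,
# with long class lists wrapped onto indented continuation lines.
SAMPLE = '''\
ACTIVE CLASSES = CBIND EJBROLE FACILITY SERVER STARTED SURROGAT
                 TSOPROC
SETR RACLIST CLASSES = CBIND FACILITY SERVER
                       STARTED
LOGOPTIONS "ALWAYS" CLASSES = FSOBJ FSSEC
LOGOPTIONS "NEVER" CLASSES = NONE
LOGOPTIONS "FAILURES" CLASSES = DIRACC DIRSRCH
'''

def parse_setropts(text):
    """Return {heading: set of class names}, joining wrapped lines."""
    sections, current = {}, None
    for line in text.splitlines():
        m = re.match(r'^(\S.*?) = ?(.*)$', line)
        if m:                                   # "HEADING = CLASS CLASS ..."
            current = m.group(1)
            sections[current] = set()
            words = m.group(2).split()
        elif current and line[:1].isspace():    # continuation of the last list
            words = line.split()
        else:                                   # unrelated line ends the list
            current = None
            continue
        sections[current].update(w for w in words if w != "NONE")
    return sections

def audit_findings(text):
    s = parse_setropts(text)
    active = s.get("ACTIVE CLASSES", set())
    raclisted = s.get("SETR RACLIST CLASSES", set())
    always = s.get('LOGOPTIONS "ALWAYS" CLASSES', set())
    return {
        # "if used" is approximated as "class is active"
        "active_not_raclisted": sorted((RACLIST_WANTED & active) - raclisted),
        "fs_classes_audited_always": sorted(FS_CLASSES & always),
    }

if __name__ == "__main__":
    for finding, classes in audit_findings(SAMPLE).items():
        print(finding, classes)
```

Both lists should be empty on a system that follows the guidance; rerun the check after any SETR change to the audit level.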
Subtopics
- Resource Access Control Facility Tips for customizing WebSphere Application Server
It is important to understand the security mechanisms used to protect the server resources using the CBIND, SERVER, and STARTED classes in RACF (or the security product). This paper describes these mechanisms along with some techniques for managing the security environment.