
Tune Web Services Security for v8.5 applications


Unrestricted JCE policy files

For web services applications that use transport level security for XML encryption or digital signatures, the default, restricted JCE jurisdiction policy file shipped with WAS v8.5 may introduce performance degradation. IBM and Oracle Corporation provide versions of the JCE jurisdiction policy files that do not restrict cryptographic strength. If your governmental import and export regulations permit it, download one of these jurisdiction policy files. After installing one of these files, the performance of JCE and Web Services Security might improve.

Fix packs that include updates to the SDK might overwrite unrestricted policy files. Back up unrestricted policy files before applying a fix pack, and reapply these files after the fix pack is applied.

Your country of origin might have restrictions on the import, possession, use, or re-export to another country, of encryption software. Before downloading or using the unrestricted policy files, check the laws of your country, its regulations, and its policies concerning the import, possession, use, and re-export of encryption software, to determine if it is permitted.

For WAS platforms using IBM Developer Kit, Java Technology Edition v6, we can obtain unlimited jurisdiction policy files by completing the following steps:

  1. Download the unrestricted IBM SDK policy files.

  2. Install the unrestricted JCE policy files.

    The US_export_policy.jar and local_policy.jar files are placed in the jre/lib/security/ directory of the JVM.


Other tuning options

  1. Use WS-SecureConversation when appropriate for JAX-WS applications.

    The use of symmetric keys with a Secure Conversation typically performs better than asymmetric keys used with X.509. The use of WS-SecureConversation is supported for JAX-WS applications only, not JAX-RPC applications.

  2. Use the standard token types provided by WAS. Use of custom tokens is supported, but higher performance is achieved with the use of the provided token types.

  3. For signatures, use only the exclusive canonicalization transform algorithm. See the W3C Recommendation web page (http://www.w3.org/2001/10/xml-exc-c14n#) for more information.

  4. Whenever possible, avoid the use of XPath expressions to select which SOAP message parts to protect. The WS-Security policies shipped with WAS for JAX-WS applications use XPath expressions to specify the protection of some elements in the security header, such as Timestamp, SignatureConfirmation, and UsernameToken. The use of these XPath expressions is optimized, but other uses are not.

  5. Although there are WebSphere Application Server extensions to WS-Security that insert nonce and timestamp elements into SOAP message parts before the parts are signed or encrypted, avoid these extensions for better performance.

  6. There is an option to send the base-64 encoded CipherValue of WS-Security encrypted elements as MTOM attachments. For small encrypted elements, the best performance is achieved by avoiding this option. For larger encrypted elements, the best performance is achieved using this option.

  7. When signing and encrypting elements in the SOAP message, specify the order as sign first, then encrypt.

  8. When adding a timestamp element to a message, the timestamp should be added to the security header before the signature element. This is accomplished using the Strict or LaxTimestampFirst security header layout option in the WS-Security policy configuration.

  9. For JAX-WS applications, use policy-based configuration rather than WSS API-based configuration.
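
The canonicalization, XPath, ordering and layout points in items 3, 4, 7 and 8 can be checked mechanically against a WS-SecurityPolicy document. The following is an added example, not IBM's code or part of this page: a small Python checker over the WS-SecurityPolicy 1.2 assertions (sp:Strict and sp:LaxTsFirst, which the console layout options Strict and LaxTimestampFirst map to; sp:EncryptBeforeSigning; sp:InclusiveC14N; sp:XPath under SignedElements/EncryptedElements), run over two constructed sample policies, one tuned and one that triggers every finding.

```python
import xml.etree.ElementTree as ET

SP = {"sp": "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"}

def check_policy(policy_xml):
    """Return the tuning findings for one WS-SecurityPolicy document (empty list = none)."""
    root = ET.fromstring(policy_xml)
    findings = []
    # Timestamp before Signature: only the Strict or LaxTsFirst layouts guarantee it.
    layout = root.find(".//sp:Layout", SP)
    if layout is not None and all(layout.find(f".//sp:{t}", SP) is None for t in ("Strict", "LaxTsFirst")):
        findings.append("layout: use Strict or LaxTsFirst so the Timestamp precedes the Signature")
    # Order of operations: sign first, then encrypt; EncryptBeforeSigning reverses that.
    if root.find(".//sp:EncryptBeforeSigning", SP) is not None:
        findings.append("order: remove EncryptBeforeSigning; sign first, then encrypt")
    # Canonicalization: InclusiveC14N replaces the default exclusive C14N transform.
    if root.find(".//sp:InclusiveC14N", SP) is not None:
        findings.append("c14n: remove InclusiveC14N; keep exclusive canonicalization")
    # Part selection: XPath-selected elements are slower than SignedParts/EncryptedParts.
    for tag in ("SignedElements", "EncryptedElements"):
        if root.find(f".//sp:{tag}/sp:XPath", SP) is not None:
            findings.append(f"parts: {tag} selects by XPath; prefer SignedParts/EncryptedParts")
    return findings

# Constructed sample policies (WS-SecurityPolicy 1.2 namespace), not taken from any product.
HEAD = ('<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" '
        'xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">')
TUNED_POLICY = HEAD + """
  <sp:AsymmetricBinding><wsp:Policy>
    <sp:AlgorithmSuite><wsp:Policy><sp:Basic128/></wsp:Policy></sp:AlgorithmSuite>
    <sp:Layout><wsp:Policy><sp:Strict/></wsp:Policy></sp:Layout>
    <sp:IncludeTimestamp/>
  </wsp:Policy></sp:AsymmetricBinding>
  <sp:SignedParts><sp:Body/></sp:SignedParts>
  <sp:EncryptedParts><sp:Body/></sp:EncryptedParts>
</wsp:Policy>"""
SLOW_POLICY = HEAD + """
  <sp:AsymmetricBinding><wsp:Policy>
    <sp:AlgorithmSuite><wsp:Policy><sp:Basic128/><sp:InclusiveC14N/></wsp:Policy></sp:AlgorithmSuite>
    <sp:Layout><wsp:Policy><sp:Lax/></wsp:Policy></sp:Layout>
    <sp:IncludeTimestamp/>
    <sp:EncryptBeforeSigning/>
  </wsp:Policy></sp:AsymmetricBinding>
  <sp:SignedElements><sp:XPath>//*[local-name()='Body']</sp:XPath></sp:SignedElements>
</wsp:Policy>"""

if __name__ == "__main__":
    for name, doc in (("tuned", TUNED_POLICY), ("slow", SLOW_POLICY)):
        print(name, check_policy(doc) or ["no findings"])
```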

In IBM WAS v6.1 and later, Web Services Security supports the use of cryptographic hardware devices. There are two ways in which to use hardware cryptographic devices with Web Services Security. See Hardware cryptographic device support for Web Services Security for more information.


Related concepts:

Programming models for web services message-level security
Hardware cryptographic device support for Web Services Security

