(ZOS) Security tuning tips

Generally, two things happen when you increase security: the cost per transaction increases and throughput decreases. Consider the following security information when we configure WebSphere Application Server.

SAF class

When a SAF (RACF or equivalent) class is active, the number of profiles in a class affects the overall performance of the check. Placing these profiles in a (RACLISTed) memory table improves the performance of the access checks. Audit controls on access checks also affect performance. Usually, you audit failures and not successes. Audit events are logged to DASD and increases the overhead of the access check. Because all of the security authorization checks are done with SAF (RACF or equivalent), we can choose to enable and disable SAF classes to control security. A disabled class costs a negligible amount of overhead.

Additionally, if a SAF class is not RACLISTed, we must restart the application server to pick up any changes that are made to profiles in the class.

Enabling all auditing on classes that control access to objects in the UNIX System Services file system, such as RACF DIRACC, DIRSRCH, FSOBJ and FSSEC, or their equivalent in other SAF security managers, severely degrades performance.

EJBROLEs on methods

Use a minimum number of EJBROLEs on methods. If we are using EJBROLEs, specifying more roles on a method leads to more access checks that must be executed and a slower overall method dispatch. If we are not using EJBROLEs, do not activate the class.

Java 2 Security

If we do not need Java 2 security, disable it. For instructions on how to disable Java 2 security, refer to Protecting system resources and APIs (Java 2 security) for developing applications.

Level of authorization

Use the lowest level of authorization consistent with our security needs. We have the following options when dealing with authentication:

• Local authentication: Local authentication is the fastest type because it is highly optimized.
• UserID and password authentication: Authentication that uses a user ID and password has a high first-call cost and a lower cost with each subsequent call.
• Kerberos security authentication: We have not adequately characterized the cost of Kerberos security yet.
• SSL security authentication: SSL security is notorious in the industry for its performance overhead. Luckily, there is many assists available from hardware to make this reasonable on z/OS .

Level of encryption with SSL

If using SSL, select the lowest level of encryption consistent with our security requirements. WAS enables us to select which cipher suites we use. The cipher suites dictate the encryption strength of the connection. The higher the encryption strength, the greater the impact on performance.

RACF tuning

Follow these guidelines for RACF tuning:

• Use the RACLIST to place into memory those items that can improve performance. Specifically, ensure that you RACLIST (if used):
  • CBIND
  • EJBROLE
  • SERVER
  • STARTED

  • FACILITY

  • SURROGAT

  Example: (ZOS)

  RACLIST (CBIND, EJBROLE, SERVER, STARTED, FACILITY, SURROGAT)
  
  

• Use of things like SSL come at a price. If we are a heavy SSL user, ensure that we have appropriate hardware, such as PCI crypto cards, to speed up the handshake process.
• Here is how we define the BPX.SAFFASTPATH facility class profile. This profile allows us to bypass SAF calls used to audit successful shared file system accesses.

  • Define the facility class profile to RACF.

    
    RDEFINE FACILITY BPX.SAFFASTPATH UACC(NONE)
    
    

  • Activate this change by doing one of the following:
    • re-IPL
    • invoke the SETOMVS or SET OMVS operator commands.

  Do not use this option if we need to audit successful HFS accesses or if we use the IRRSXT00 exit to control HFS access.

• Use VLF caching of the UIDs and GIDs as shown in the example COFVLFxx parmlib member:

  Example: sys1.parmlib(COFVLFxx):

  ********************************* Top of Data ********************.
  .
  
  
  CLASS NAME(IRRGMAP) EMAJ(GMAP)
  CLASS NAME(IRRUMAP) EMAJ(UMAP)
  CLASS NAME(IRRGTS) EMAJ(GTS)
  CLASS NAME(IRRACEE) EMAJ(ACEE)
  .
  ******************************** Bottom of Data ******************
  
  

  To avoid a costly scan of the RACF databases, make sure that all HFS files have valid GIDs and UIDs.
• Do not enable global audit ALWAYS on the RACF (SAF) classes that control access to objects in the UNIX file system. If audit ALWAYS is specified in the SETR LOGOPTIONS for RACF classes DIRACC, DIRSRCH, FSOBJ, or FSSEC, severe performance degradation occurs. If auditing is required, audit only failures using SETR LOGOPTIONS, and audit successes for only selected objects that require it. After changing the audit level on these classes, always verify that the change has not caused an unacceptable impact on response times or CPU usage.

Protecting system resources and APIs (Java 2 security) for developing applications

Session management settings