Authentication cache settings
Specify your authentication cache settings.
From the admin console, click Security > Global security > Authentication cache settings.
Enable authentication cache
Specifies whether the authentication cache is enabled.
Leave the authentication cache enabled for performance reasons; disable it only for debugging or measurement purposes. When the cache is disabled, every authentication goes to the user registry to gather information about the user and new tokens are created for the user each time, which degrades performance.
Default: Enabled
Cache timeout:
Time period after which an authenticated credential in the cache expires. Verify that this value is less than the Timeout value for forwarded credentials between servers field (the LTPA timeout).
If application server infrastructure security is enabled, the security cache timeout can influence performance. The timeout setting specifies how often the security-related caches are refreshed. Security information pertaining to beans, permissions, and credentials is cached. When the cache timeout expires, all cached information that was not accessed within the timeout period is purged from the cache, and subsequent requests for that information result in a registry lookup. On occasion, acquiring the information requires an LDAP bind or native authentication, both of which are relatively costly operations. Determine the best trade-off for the application by looking at the usage patterns and security needs of the site.
We must consider the following effects of this value on the configuration:
- Larger authentication cache timeout values increase the security risk. For example, we might revoke a user in the user registry or repository, but the revoked user can still log in, including to the administrative console, with the credential that is cached in the authentication cache until that cache entry expires.
- Smaller authentication cache timeout values can affect performance. When this value is smaller, the application server accesses the user registry or repository more frequently.
- A larger number of entries in the authentication cache (for example, because of an increased number of users) increases the memory used by the authentication cache, which can slow down the application server and affect performance.
We can limit the size of the authentication cache by setting the maximum cache size value. Set both the maximum cache size and the authentication cache timeout values to balance our security risk and performance needs.
The LTPA timeout value should be greater than the ORB request timeout value. However, there is no relation between the security cache timeout value and the ORB request timeout value. For more information on the LTPA timeout value, see the documentation about authentication mechanisms and expiration. For more information on the ORB request timeout value, see the documentation about the Object Request Broker service settings.
Default: 10 minutes
Initial cache size:
The initial size of the hash table caches.
A greater number of available hash buckets decreases the likelihood of hash collisions. A hash collision results in a linear search within the hash bucket, which increases the retrieval time. If the cache is expected to hold many entries, create a table with a larger initial capacity instead of letting automatic rehashing determine the growth of the table, because each rehash moves every entry.
Default: 50
Maximum cache size
Indicates the maximum size of the cache.
After this limit is reached, the least used entries are removed from the cache to make space for new entries.
Default: 25000
Use basic authentication cache keys (password one-way hashed):
Caches the userName together with a one-way hash of the password as the lookup key in the cache.
Disable this option only if we do not want this information to be stored in the cache. When it is disabled, every login with a userName and password accesses the user registry, which impacts performance.
Default: True
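The following Python model is added here as an illustration and is not WebSphere code; it ties together the cache timeout and maximum cache size behaviour described under Cache timeout, and the userName/one-way-hashed-password lookup key described under Use basic authentication cache keys. The Registry and AuthCache classes, the user names and passwords, and the injected clock are all constructed for the example; only the userName/password login path is modelled, and the SHA-256 key derivation and LRU eviction are assumptions about how such a cache can be built, not a description of WebSphere's internals.

```python
import hashlib
import hmac
import os
import time
from collections import OrderedDict


class Registry:
    """Constructed stand-in for the user registry (LDAP or a database)."""

    def __init__(self):
        self._users = {}
        self.lookups = 0  # number of authentications the registry had to perform

    def add_user(self, username, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._users[username] = {"salt": salt, "hash": digest, "enabled": True}

    def revoke(self, username):
        self._users[username]["enabled"] = False

    def authenticate(self, username, password):
        self.lookups += 1  # models the costly LDAP bind / native authentication
        rec = self._users.get(username)
        if rec is None or not rec["enabled"]:
            return False
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], 100_000)
        return hmac.compare_digest(cand, rec["hash"])


class AuthCache:
    """Model of an authentication cache: per-entry timeout, bounded size with
    least-recently-used eviction, and (userName, one-way password hash) keys."""

    def __init__(self, registry, timeout_s=600, max_size=25000,
                 basic_auth_keys=True, clock=time.monotonic):
        self.registry = registry
        self.timeout_s = timeout_s
        self.max_size = max_size
        self.basic_auth_keys = basic_auth_keys
        self._clock = clock
        self._entries = OrderedDict()  # insertion/move order doubles as LRU order

    @staticmethod
    def _key(username, password):
        # The key carries only a one-way hash of the password, never the plaintext.
        return (username, hashlib.sha256(password.encode()).hexdigest())

    def keys(self):
        return list(self._entries)

    def size(self):
        return len(self._entries)

    def login(self, username, password):
        """Return an authenticated subject, or None if authentication fails."""
        now = self._clock()
        key = self._key(username, password)
        if self.basic_auth_keys and key in self._entries:
            entry = self._entries[key]
            if entry["expires_at"] > now:
                self._entries.move_to_end(key)  # mark as most recently used
                return entry["subject"]
            del self._entries[key]  # expired: fall through to the registry
        if not self.registry.authenticate(username, password):
            return None  # failed logins are never cached
        subject = {"user": username, "issued_at": now}
        if self.basic_auth_keys:
            if len(self._entries) >= self.max_size:
                self._entries.popitem(last=False)  # evict least recently used entry
            self._entries[key] = {"subject": subject, "expires_at": now + self.timeout_s}
        return subject


def demo_revocation_window():
    """A user revoked in the registry keeps logging in until the cached
    credential times out (the risk noted for larger timeout values)."""
    clock = {"t": 0.0}
    reg = Registry()
    reg.add_user("alice", "correct horse")
    cache = AuthCache(reg, timeout_s=600, clock=lambda: clock["t"])
    cache.login("alice", "correct horse")  # registry lookup
    cache.login("alice", "correct horse")  # served from cache
    lookups_after_two = reg.lookups
    reg.revoke("alice")
    clock["t"] = 300.0
    still_accepted = cache.login("alice", "correct horse") is not None
    clock["t"] = 601.0  # past the timeout: entry is purged, registry says revoked
    after_expiry = cache.login("alice", "correct horse") is not None
    plaintext_cached = any("correct horse" in k for k in cache.keys())
    return {"lookups_after_two": lookups_after_two, "still_accepted": still_accepted,
            "after_expiry": after_expiry, "plaintext_cached": plaintext_cached}


def demo_lru_eviction():
    """With max_size=2 the least recently used entry is evicted, and that user
    must be re-authenticated against the registry on the next login."""
    reg = Registry()
    for u in ("a", "b", "c"):
        reg.add_user(u, "pw-" + u)
    cache = AuthCache(reg, max_size=2, clock=lambda: 0.0)
    cache.login("a", "pw-a")
    cache.login("b", "pw-b")
    cache.login("a", "pw-a")  # cache hit; "b" is now the least recently used
    cache.login("c", "pw-c")  # cache full: evicts "b"
    cache.login("b", "pw-b")  # miss: registry lookup, evicts "a"
    return {"size": cache.size(), "lookups": reg.lookups,
            "cached_users": [k[0] for k in cache.keys()]}


def demo_keys_disabled():
    """Without basic authentication cache keys, every userName/password login
    goes to the registry."""
    reg = Registry()
    reg.add_user("alice", "pw")
    cache = AuthCache(reg, basic_auth_keys=False, clock=lambda: 0.0)
    for _ in range(3):
        cache.login("alice", "pw")
    return reg.lookups
```

Call demo_revocation_window(), demo_lru_eviction() and demo_keys_disabled() to see the three effects. The revocation demo is the one to keep in mind when choosing the timeout: nothing in the cache consults the registry again until the entry expires, so the timeout is the upper bound on how long a revoked account or changed password stays usable. One caveat on the key: a one-way hash keeps the plaintext out of the cache, but a fast, unsalted hash of a user-chosen password (as in this model) can still be guessed offline by anyone who obtains a heap dump, so treat heap dumps of a server with this option enabled as sensitive.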