Tune CSIv2
To tune the Common Security Interoperability Version 2 (CSIv2) authentication protocol, consider the following tasks:
Consider using SSL client certificates instead of a user ID and password to authenticate Java clients. Because you are already making the SSL connection, using mutual authentication adds little overhead while removing the service context containing the user ID/password completely. For more information, see Configure SSL for Java client authentication.
If you send a large amount of data that is not very sensitive, reduce the strength of your ciphers. A strong cipher takes longer to encrypt data in bulk. If the data is not sensitive, processing with 128-bit ciphers may not be worth the effort.
Consider putting just an asterisk (*) in the trusted server ID list (this means that all servers are trusted) when you use Identity Assertion for downstream delegation. Use SSL mutual authentication between servers to provide this trust. Adding this extra step in the SSL handshake performs better than having to fully authenticate the upstream server and check the trusted list. When an asterisk is used, the identity token is trusted. The SSL connection trusts the server by way of client certificate authentication.
Ensure that stateful sessions are enabled for CSIv2. This is the default. With stateful sessions, authentication is required only on the first request and on any subsequent token expirations.
If you are only communicating with WebSphere Application Server Version 5 servers, specify only CSI rather than CSI and SAS for the Active Authentication Protocol setting. This action removes an interceptor invocation for every request on both the client and server sides.
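The following check is an added example, not part of the original documentation or of the product: it audits a client-side sas.client.props file against three of the points above (active protocol, stateful sessions, and a user ID/password sent over a connection that already requires SSL). The com.ibm.CSI.* property names are assumed to match your release, absent flags are treated as off except where noted, and the sample input is constructed.

```python
# Added example: audit a client sas.client.props against three tuning points.
# Property names are assumed to match your release; the sample is constructed.
SAMPLE_PROPS = """\
com.ibm.CSI.protocol=both
com.ibm.CSI.performStateful=false
com.ibm.CSI.performTransportAssocSSLTLSRequired=true
com.ibm.CSI.performTLClientAuthenticationSupported=false
com.ibm.CSI.performClientAuthenticationRequired=true
"""

def parse_props(text):
    """Parse key=value lines, skipping blanks and # or ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def audit(props):
    """Return (id, message) findings for settings that go against the tips."""
    def on(key, default):
        return props.get(key, default).strip().lower() == "true"

    findings = []
    if props.get("com.ibm.CSI.protocol", "").lower() == "both":
        findings.append(("protocol", "CSI and SAS both active; specify CSI only "
                         "if every peer is a Version 5 server"))
    # The page states that stateful sessions are the default, so absent = on.
    if not on("com.ibm.CSI.performStateful", "true"):
        findings.append(("stateful", "stateful sessions disabled; each request "
                         "is authenticated again"))
    ssl = on("com.ibm.CSI.performTransportAssocSSLTLSRequired", "false")
    cert = (on("com.ibm.CSI.performTLClientAuthenticationSupported", "false")
            or on("com.ibm.CSI.performTLClientAuthenticationRequired", "false"))
    basic = on("com.ibm.CSI.performClientAuthenticationRequired", "false")
    if ssl and basic and not cert:
        findings.append(("client-auth", "SSL is required but a user ID/password "
                         "is still sent; consider SSL client certificates"))
    return findings

if __name__ == "__main__":
    for ident, message in audit(parse_props(SAMPLE_PROPS)):
        print(f"[{ident}] {message}")
```

The cipher strength and trusted server ID list points are server-side settings and are not covered by this check.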