29 Oracle Fusion Middleware Security Performance Tuning

Oracle Fusion Middleware security services enable you to secure critical applications and sensitive data. This chapter describes how you can configure security services for optimal performance.


29.1 About Security Services

Oracle Fusion Middleware provides security services through Oracle Platform Security Services (OPSS) and Oracle Web Services.

  • Oracle Platform Security Services

    Oracle Platform Security Services is a key component of Oracle Fusion Middleware. It offers an integrated suite of security services and is easily integrated with Java SE and Java EE applications that use the Java security model. OPSS includes features that implement user authentication, authorization, and delegation services that developers can integrate into their application environments. Instead of devoting resources to developing these services, application developers can focus on the presentation and business logic of their applications.

    Using Oracle Platform Security for Java, applications can enforce fine-grained access control upon resource users. The three key steps are:

    • Configure and invoke a login module, as appropriate. You can use provided login modules, or you can use custom login modules.

    • Authenticate the user attempting to log in, which is the role of the identity store service.

    • Authorize the user by checking permissions for any roles the user belongs to for whatever the user is attempting to accomplish, which is the role of the policy store service.

  • Oracle Web Services Security

    Oracle Web Services Security provides a framework of authorization and authentication for interacting with a web service using XML-based messages.

Note:

The information in this chapter assumes that you have reviewed and understand the concepts and administration information for Oracle Fusion Middleware Security Services. For more information, see the Oracle Fusion Middleware Security and Administrator's Guide for Web Services before tuning any security parameters.

29.2 Detecting General Performance Issues

This section offers some general guidelines on how to identify a performance bottleneck and how to approach addressing such problems.

If you discover a performance bottleneck, you should first verify that you have addressed the expected traffic load throughout your Web services deployment. If there is a system in the critical path that is at 100% CPU usage, you may simply need to add one or more computers to the cluster.

If there is a bottleneck in your deployment, it is likely to be within one of the following:

  • Traffic through a slow connection with an agent

  • Latency in connections to third-party queuing systems like JMS

For any of these problems, check the following potential sources:

  • Problems with policy assertions that include connections to outside resources, especially the following types:

    • Database Repositories

    • LDAP Repositories

    • Secured Resources

    • Proprietary Security Systems

  • Problems with database performance

If you identify one of these as the cause of a bottleneck, you may need to change how you manage your database or LDAP connections or how you secure resources.

29.3 Oracle Platform Security Services Tuning

This section provides the following basic tuning configurations for Oracle Platform Security Services (OPSS):

29.3.1 JVM Tuning Parameters

Tuning the JVM parameters can greatly improve performance. For example, the JVM Heap size should be tuned depending upon the number of roles and permissions in the store. At run time, all roles and permissions are stored in the in-memory cache. For more JVM tuning information, see Section 2.4, "Tuning Java Virtual Machines (JVMs)".

29.3.2 LDAP Tuning Parameters

This section covers Lightweight Directory Access Protocol (LDAP) tuning. Oracle supports the management of policies in file-based repositories: Oracle Internet Directory and Oracle Virtual Directory.

If you encounter increased CPU usage due to high SQL execution times, see the following chapters for basic tuning configurations for large deployments:

29.3.3 Authentication Tuning Parameters

For OPSS Authentication tuning, see "Improving the Performance of WebLogic and LDAP Authentication Providers" in the Oracle Fusion Middleware Securing Oracle WebLogic Server guide at the Oracle Technology Network http://download.oracle.com/docs/cd/E12840_01/wls/docs103/secmanage/atn.html#wp1199087.

29.3.4 Authorization Tuning Properties

The following Java system properties can be used to optimize authorization:

Table 29-1 Authorization Properties

-Djps.subject.cache.key
    Default value: 4
    Valid values: 3, 4, 5
    Notes: JPS uses a Subject Resolver to convert a platform subject to a JpsSubject, which contains user and enterprise-role information as well as ApplicationRole information. This information is represented as principals in the subject.

    This conversion can be CPU intensive, especially if the subject's principal set is large. To improve performance, JPS caches the conversion between the platform subject and the JpsSubject. Note that two subjects could be confused if their contents are the same but the case of the principals' names differs.

    The following settings can be used to configure the cache key:

      • 3: Use the platform subject directly as the key. Note: On WLS, if the principalEqualCaseinsensitive flag is enabled, two subjects could be confused if their contents are the same but the case of the principals differs.

      • 4: Similar to '3' but overcomes the case-sensitivity issue. This is the out-of-the-box setting.

      • 5: Instead of using the whole subject as the key, this setting uses a subset of the principal set inside the subject as the key (specifically, the principals of type WLSUserImpl).

        This setting accelerates cache retrieval if the subject has a large principal set. On a non-WLS platform (such as WAS or JBoss) it reverts to case '4', so this setting is for WLS only. For this case there is also a Time To Live (TTL) flag, which controls how long the cache is valid, as explained below.

-Djps.subject.cache.ttl
    Default value: 60000 ms
    Valid values: a duration in milliseconds
    Notes: The cache's Time To Live (TTL) for case '5' above. This system property controls how long the cache is valid. When the time expires, the cached value is dumped. The setting is controlled by the flag -Djps.subject.cache.ttl=xxxx, where 'xxxx' is the duration in milliseconds.

    Consider setting this TTL to the same value as the group and user cache TTL in the WLS LDAP authenticator.
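To make the three cache-key modes and the TTL concrete, here is an added Python model of the subject-resolver cache. It is constructed for this page, not OPSS code (OPSS is Java and its internals are not shown here). It assumes a simplified principal set with two constructed kinds, "user" standing in for WLSUserImpl and "group" for enterprise roles, a constructed group-to-application-role map standing in for the policy store, and a manually stepped clock so the TTL behaviour is deterministic.

```python
"""Added model of the OPSS subject-resolver cache keys (constructed; not OPSS code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    kind: str   # constructed kinds: "user" (stands in for WLSUserImpl), "group" (enterprise role)
    name: str


# Constructed group -> application-role mapping, standing in for the policy store.
APP_ROLE_MAP = {"Admins": "app_admin", "Staff": "app_viewer"}


def resolve_subject(principals):
    """The expensive conversion: derive user, groups and application roles."""
    users = sorted(p.name for p in principals if p.kind == "user")
    groups = sorted(p.name for p in principals if p.kind == "group")
    roles = sorted({APP_ROLE_MAP[g] for g in groups if g in APP_ROLE_MAP})
    return {"user": users[0] if users else None, "groups": groups, "app_roles": roles}


class SubjectCache:
    """Caches resolve_subject() results under one of the three jps.subject.cache.key modes."""

    def __init__(self, key_mode, case_insensitive_names=False, ttl_ms=60000):
        if key_mode not in (3, 4, 5):
            raise ValueError("jps.subject.cache.key must be 3, 4 or 5")
        self.key_mode = key_mode
        self.case_insensitive_names = case_insensitive_names  # WLS principalEqualCaseinsensitive
        self.ttl_ms = ttl_ms                                   # jps.subject.cache.ttl (mode 5 only)
        self.now_ms = 0          # manual clock so TTL expiry can be stepped deterministically
        self.entries = {}
        self.resolutions = 0     # number of times the expensive conversion actually ran

    def _key(self, principals):
        if self.key_mode == 3:
            # The platform subject itself is the key. If WLS compares principal names
            # case-insensitively, "Alice" and "alice" collapse onto one cache entry.
            norm = str.lower if self.case_insensitive_names else str
            return ("subject", frozenset((p.kind, norm(p.name)) for p in principals))
        if self.key_mode == 4:
            # Exact-case rendering of the whole principal set: no case collision.
            return ("subject", frozenset((p.kind, p.name) for p in principals))
        # Mode 5: only the user principals form the key. Groups are not part of it,
        # so a changed group set is invisible until the TTL expires.
        return ("user", frozenset((p.kind, p.name) for p in principals if p.kind == "user"))

    def get(self, principals):
        principals = frozenset(principals)
        key = self._key(principals)
        hit = self.entries.get(key)
        if hit is not None:
            value, stored_ms = hit
            if self.key_mode != 5 or self.now_ms - stored_ms < self.ttl_ms:
                return value
        value = resolve_subject(principals)
        self.entries[key] = (value, self.now_ms)
        self.resolutions += 1
        return value


def demo():
    """Exercise the three modes; returns the observations a tuner cares about."""
    alice_admin = {Principal("user", "Alice"), Principal("group", "Admins")}
    alice_lower = {Principal("user", "alice"), Principal("group", "Admins")}
    alice_staff = {Principal("user", "Alice"), Principal("group", "Staff")}
    out = {}

    c3 = SubjectCache(3, case_insensitive_names=True)
    c3.get(alice_admin)
    out["mode3_confused_user"] = c3.get(alice_lower)["user"]  # served from Alice's entry
    out["mode3_resolutions"] = c3.resolutions

    c4 = SubjectCache(4)
    c4.get(alice_admin)
    c4.get(alice_lower)
    out["mode4_resolutions"] = c4.resolutions                  # two distinct entries

    c5 = SubjectCache(5, ttl_ms=60000)
    c5.get(alice_admin)
    out["mode5_stale_roles"] = c5.get(alice_staff)["app_roles"]  # key ignores groups: stale
    c5.now_ms += 60000                                            # TTL elapses
    out["mode5_fresh_roles"] = c5.get(alice_staff)["app_roles"]  # re-resolved
    return out


if __name__ == "__main__":
    print(demo())
```

The model shows the trade-off behind the recommendation to align the TTL with the WLS authenticator's group cache TTL: mode 5 makes lookups cheap because the key is only the user principals, so a membership change is served from the stale entry until the TTL expires; mode 4 keys on the full principal set and never serves a stale or case-confused entry, at the cost of a larger key to hash on every checkPermission.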

-Djps.combiner.optimize=true
    Default value: True
    Valid values: True, False
    Notes: This system property caches the protection domains for a given subject. Setting -Djps.combiner.optimize=true can improve Java authorization performance.

-Djps.combiner.optimize.lazyeval=true
    Default value: True
    Valid values: True, False
    Notes: This system property causes a subject's protection domain to be evaluated when a checkPermission occurs. Setting -Djps.combiner.optimize.lazyeval=true can improve Java authorization performance.

-Djps.policystore.hybrid.mode=true
    Default value: True
    Valid values: True, False
    Notes: This 'hybrid mode' property facilitates the transition from the SUN java.security.Policy to the OPSS Java Policy Provider.

    The OPSS Java Policy Provider reads from both java.policy and system-jazn-data.xml. "Hybrid" mode can be disabled by setting the system property jps.policystore.hybrid.mode to false when starting the WebLogic Server. Setting -Djps.policystore.hybrid.mode=false can reduce runtime overhead.

-Djps.authz=ACC
    Default value: ACC
    Valid values: ACC, SM
    Notes: Delegates the call to the JDK API AccessController.checkPermission, which can reduce the performance impact at run time or while debugging.

      • ACC: delegate to AccessController.checkPermission

      • SM: delegate to SecurityManager if a SecurityManager is set.
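The flags in Table 29-1 are usually passed to the server in a JAVA_OPTIONS string. The following added Python check, constructed for this page and not an Oracle tool, splits such a string the way a POSIX shell would, picks out the -D properties, and compares them against the valid values the table lists. It also accepts the quoted com.sun.jndi.ldap.connect.pool.protocol form from Section 29.4.4, whose space-separated value is exactly what a quoting mistake breaks. The two sample option strings are constructed.

```python
"""Added check of JPS tuning flags in a JAVA_OPTIONS string (constructed; not an Oracle tool)."""
import shlex


def _is_millis(value):
    return value.isdigit()


def _is_bool(value):
    return value.lower() in ("true", "false")


def _is_pool_protocol(value):
    # Section 29.4.4: a space-separated list drawn from "plain" and "ssl".
    words = value.split()
    return bool(words) and set(words) <= {"plain", "ssl"}


# Valid values per Table 29-1, plus the JNDI pool property from Section 29.4.4.
VALIDATORS = {
    "jps.subject.cache.key": lambda v: v in ("3", "4", "5"),
    "jps.subject.cache.ttl": _is_millis,
    "jps.combiner.optimize": _is_bool,
    "jps.combiner.optimize.lazyeval": _is_bool,
    "jps.policystore.hybrid.mode": _is_bool,
    "jps.authz": lambda v: v in ("ACC", "SM"),
    "com.sun.jndi.ldap.connect.pool.protocol": _is_pool_protocol,
}


def parse_d_flags(java_options):
    """Split as a POSIX shell would (so "plain ssl" stays one value) and collect -Dname=value pairs."""
    props = {}
    for token in shlex.split(java_options):
        if token.startswith("-D"):
            name, _, value = token[2:].partition("=")
            props[name] = value
    return props


def check_options(java_options):
    """Return (parsed properties, list of findings) for the flags this chapter documents."""
    props = parse_d_flags(java_options)
    findings = []
    for name, value in props.items():
        validator = VALIDATORS.get(name)
        if validator is not None and not validator(value):
            findings.append(f"{name}: value {value!r} is not one of the documented valid values")
    # The TTL only governs the subset-of-principals key (mode 5).
    if "jps.subject.cache.ttl" in props and props.get("jps.subject.cache.key", "4") != "5":
        findings.append("jps.subject.cache.ttl has no effect unless jps.subject.cache.key=5")
    # Hybrid mode is on by default; the chapter notes that turning it off reduces runtime overhead.
    if props.get("jps.policystore.hybrid.mode", "true").lower() == "true":
        findings.append("jps.policystore.hybrid.mode is true (the default); set it to false "
                        "to reduce runtime overhead if java.policy grants are not needed")
    return props, findings


# Constructed sample option strings.
GOOD_OPTIONS = ('-Xmx2g -Djps.subject.cache.key=5 -Djps.subject.cache.ttl=300000 '
                '-Djps.authz=ACC -Dcom.sun.jndi.ldap.connect.pool.protocol="plain ssl"')
BAD_OPTIONS = ('-Djps.subject.cache.key=6 -Djps.subject.cache.ttl=30000 '
               '-Djps.policystore.hybrid.mode=false -Djps.authz=acc')


if __name__ == "__main__":
    for label, opts in (("good", GOOD_OPTIONS), ("bad", BAD_OPTIONS)):
        props, findings = check_options(opts)
        print(label, props)
        for finding in findings:
            print("  -", finding)
```

Run it against the JAVA_OPTIONS value from your own start script before restarting a server; the findings list is empty only when every documented flag carries a documented value and the TTL is paired with key mode 5.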


29.3.5 OPSS PDP Service Tuning Parameters

Table 29-2 provides OPSS tuning parameters for policy store:

Table 29-2 OPSS PDP Service Tuning Parameters

oracle.security.jps.policystore.rolemember.cache.type
    Default value: STATIC
    Valid values: STATIC, SOFT, WEAK
    Notes: This parameter specifies the type of role member cache. Valid only in Java EE applications.

      • STATIC: Cache objects are statically cached and can be cleaned explicitly only according to the applied cache strategy, such as FIFO. The garbage collector does not clean a cache of this type.

      • SOFT: The cleaning of a cache of this type relies on the garbage collector when there is a memory crunch.

      • WEAK: The behavior of a cache of this type is similar to a cache of type SOFT, but the garbage collector cleans it more frequently.

    Consider maintaining the default value for the best performance.

oracle.security.jps.policystore.rolemember.cache.strategy
    Default value: FIFO
    Valid values: FIFO, NONE
    Notes: The type of strategy used in the role member cache. Valid only in Java EE applications.

      • FIFO: The cache implements the first-in-first-out strategy.

      • NONE: All entries in the cache grow until a refresh or reboot occurs; there is no control over the size of the cache. Not recommended, but typically efficient when the policy footprint is very small.

    Consider maintaining the default value for the best performance.

oracle.security.jps.policystore.rolemember.cache.size
    Default value: 1000
    Notes: The size of the role member cache. The role referred to here is the enterprise role (group). First find out how many groups are in your ID store. Then, based on your performance requirement, set this value to the number of groups (full-cache scenario) or to a certain percentage of the number of groups (partial group cache scenario).

oracle.security.jps.policystore.policy.lazy.load.enable
    Default value: True
    Valid values: True, False
    Notes: Enables or disables policy lazy loading. If this parameter is set to false, the server's initial startup takes longer, especially with a large policy store. For faster start-up, the recommended value is true.

oracle.security.jps.policystore.policy.cache.strategy
    Default value: PERMISSION_FIFO
    Valid values: PERMISSION_FIFO, NONE
    Notes: The type of strategy used in the permission cache. Valid only in Java EE applications.

      • PERMISSION_FIFO: The cache implements the first-in-first-out strategy.

      • NONE: All entries in the cache grow until a refresh or reboot occurs; there is no control over the size of the cache. Not recommended, but typically efficient when the policy footprint is very small.

    Consider using the default value for the best performance.

oracle.security.jps.policystore.policy.cache.size
    Default value: 1000
    Notes: The size of the permission cache. If you cache all policies, set this value to the total number of grants.

oracle.security.jps.policystore.cache.updatable
    Default value: True
    Valid values: True, False
    Notes: This property is used to enable refresh. Consider maintaining the default value for the best performance.

oracle.security.jps.policystore.refresh.enable
    Default value: True
    Valid values: True, False
    Notes: This property is used to enable refresh. Consider maintaining the default value for the best performance.

oracle.security.jps.policystore.refresh.purge.timeout
    Default value: 43200000
    Notes: The time, in milliseconds, after which the policy store is refreshed. Consider maintaining the default value for the best performance.

oracle.security.jps.ldap.policystore.refresh.interval
    Default value: 600000 (10 minutes)
    Notes: The interval, in milliseconds, at which the policy store is polled for changes. Consider maintaining the default value for the best performance. This property is valid in Java EE and J2SE applications.

oracle.security.jps.policystore.rolemember.cache.warmup.enable
    Default value: False
    Valid values: True, False
    Notes: This property controls how the ApplicationRole membership cache is created. If set to True, the cache is created at server startup; otherwise, it is created on demand (lazy loading).

    Set to True when the number of users and groups is significantly higher than the number of application roles; set to False otherwise, that is, when the number of application roles is very high.
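To show why rolemember.cache.size should be derived from the group count and what the NONE strategy gives up, here is an added Python simulation, constructed for this page and not the OPSS implementation. It assumes a constructed identity store of 50 groups, a loader function standing in for the LDAP lookup the cache exists to avoid, and an application that touches every group on each request cycle.

```python
"""Added simulation of the role member cache strategy and sizing (constructed; not OPSS code)."""
from collections import OrderedDict


class RoleMemberCache:
    """Bounded FIFO cache (strategy FIFO) or unbounded cache (strategy NONE) of group members."""

    def __init__(self, strategy="FIFO", size=1000):
        if strategy not in ("FIFO", "NONE"):
            raise ValueError("rolemember.cache.strategy must be FIFO or NONE")
        self.strategy = strategy
        self.size = size            # rolemember.cache.size; ignored when strategy is NONE
        self.entries = OrderedDict()
        self.hits = 0
        self.misses = 0

    def members(self, group, loader):
        if group in self.entries:
            self.hits += 1
            return self.entries[group]      # FIFO, not LRU: a hit does not refresh the entry's age
        self.misses += 1
        value = loader(group)
        self.entries[group] = value
        if self.strategy == "FIFO" and len(self.entries) > self.size:
            self.entries.popitem(last=False)  # evict the oldest entry
        return value


# Constructed identity store: 50 enterprise roles (groups) with two members each.
ID_STORE_GROUPS = {f"group{i:02d}": [f"user{i:02d}a", f"user{i:02d}b"] for i in range(50)}


def load_from_id_store(group):
    """Stands in for the LDAP lookup the cache is meant to avoid."""
    return list(ID_STORE_GROUPS[group])


def simulate(strategy, size, cycles=3):
    """Walk every group `cycles` times; report hit/miss counts and the final cache size."""
    cache = RoleMemberCache(strategy, size)
    for _ in range(cycles):
        for group in ID_STORE_GROUPS:
            cache.members(group, load_from_id_store)
    return {"hits": cache.hits, "misses": cache.misses, "entries": len(cache.entries)}


if __name__ == "__main__":
    # Full cache: size equals the group count. Partial cache: size is half the group count.
    for label, strategy, size in (("full FIFO", "FIFO", 50),
                                  ("half FIFO", "FIFO", 25),
                                  ("NONE", "NONE", 25)):
        print(label, simulate(strategy, size))
```

With cyclic access over all groups, a FIFO cache sized to half the group count misses on every lookup, which is worse than no cache at all in load on the identity store; a partial cache only pays off when access is skewed toward a subset of groups. The NONE strategy ends up holding all 50 groups regardless of the size setting, which is why the table recommends it only when the policy footprint is very small.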


29.4 Oracle Web Services Security Tuning

Oracle Web Services Security provides a framework of authorization and authentication for interacting with a web service using XML-based messages. This section provides information on factors that might affect performance of the web service.

29.4.1 Choosing the Right Policy

Oracle Web Services Security supports many policies, and the appropriate policies must be implemented based on the security needs of the deployment. Careful consideration should be given to performance, since each additional policy can affect it. For example, transport-level security (SSL) is faster than application-level security, but transport-level security can be vulnerable in multi-step transactions. Application-level security has a greater performance cost but provides end-to-end security.

See "Configuring Policies" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services to determine which security policies are required for a deployment.

29.4.2 Policy Manager

There is an inherent performance impact when using the database-based policy enforcement. When database policy enforcement is chosen, careful consideration must be given to the "polling" frequency of the agent to the database.

29.4.3 Configuring the Log Assertion to Record SOAP Messages

The request and response pipelines of the default policy include a log assertion that causes policy enforcement points (PEPs) to record SOAP messages to either a database or a component-specific local file. The logging level can affect performance. To prevent performance issues, consider using the lowest logging level that is appropriate for your deployment.

The following logging levels can be configured in the log step:

  • Header - Only the SOAP header is recorded.

  • Body - Only the message content (body) is recorded.

  • Envelope - The entire SOAP envelope, which includes both the header and the body, is recorded. Any attachments are not recorded.

  • All - The full message is recorded. This includes the SOAP header, the body, and all attachments, which might be URLs existing outside the SOAP message itself.

Note: Typically, system performance improves when log files are located in topological proximity to the enforcement component. If possible, use multiple distributed logs in a highly distributed environment.
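As an added example, not part of the original chapter and not Oracle's log assertion code, the following Python function shows what each logging level captures from a constructed SOAP 1.1 request and how the recorded size grows from Header to All. It assumes attachments are supplied as an in-memory dict rather than fetched from the external URLs the text mentions.

```python
"""Added illustration of the log assertion levels on a SOAP message (constructed; not Oracle's log step)."""
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
ET.register_namespace("soap", SOAP_NS)

# Constructed sample request: a small header, a small body and one 4 KB attachment
# supplied in memory (the text notes attachments may be URLs outside the message).
SAMPLE_ENVELOPE = f"""<soap:Envelope xmlns:soap="{SOAP_NS}">
  <soap:Header><MessageID xmlns="urn:example">msg-1</MessageID></soap:Header>
  <soap:Body><GetBalance xmlns="urn:example"><Account>1234</Account></GetBalance></soap:Body>
</soap:Envelope>"""
SAMPLE_ATTACHMENTS = {"statement.pdf": b"%PDF-1.4 " + b"x" * 4000}

LEVELS = ("Header", "Body", "Envelope", "All")


def record(envelope_xml, attachments, level):
    """Return the bytes a log step configured at `level` would write for this message."""
    if level not in LEVELS:
        raise ValueError(f"unknown logging level {level!r}")
    root = ET.fromstring(envelope_xml)
    if level in ("Header", "Body"):
        part = root.find(f"{{{SOAP_NS}}}{level}")   # only that child of the envelope
        return ET.tostring(part) if part is not None else b""
    out = ET.tostring(root)              # Envelope: header and body, attachments excluded
    if level == "All":
        for name, data in attachments.items():
            out += b"\n--attachment " + name.encode() + b"\n" + data
    return out


def bytes_per_level(envelope_xml=SAMPLE_ENVELOPE, attachments=SAMPLE_ATTACHMENTS):
    """How much each level writes per message; the basis for choosing the lowest adequate one."""
    return {level: len(record(envelope_xml, attachments, level)) for level in LEVELS}


if __name__ == "__main__":
    for level, size in bytes_per_level().items():
        print(f"{level:8s} {size:6d} bytes")
```

Multiply the per-level byte counts by your expected message rate to estimate the write volume each level imposes on the log database or file; the jump from Envelope to All is dominated by attachment size, which the enforcement point cannot bound.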

29.4.4 Configuring Connection Pooling

When you request that a Context instance use connection pooling by using the "com.sun.jndi.ldap.connect.pool" environment property, the connection that is used might or might not be pooled. The default rule is that plain (non-SSL) connections that use simple or no authentication are allowed to be pooled. You can change this default to include SSL connections and the DIGEST-MD5 authentication type by using system properties. To allow both plain and SSL connections to be pooled, set the "com.sun.jndi.ldap.connect.pool.protocol" system property to the string "plain ssl" as shown below:

-Dcom.sun.jndi.ldap.connect.pool.protocol="plain ssl"

29.4.5 Monitoring the Performance of Web Services

You can monitor the performance of Oracle Web Services through the Web Services home page of Oracle Fusion Middleware Control, which shows the following metrics:

  • Endpoint Enabled Metrics such as:

    • Policy Reference Status

    • Total Violations

    • Security Violations

  • Invocations Completed

  • Response Time, in seconds

  • Policy Violations such as:

    • Total Violations

    • Authentication Violations

    • Authorization Violations

    • Confidentiality Violations

    • Integrity Violations

  • Total Faults

For general information on monitoring Oracle Fusion Middleware components, see Chapter 4, "Monitoring Oracle Fusion Middleware".

For detailed information on using Oracle Fusion Middleware Control to monitor Oracle Web Services, see "Monitoring the Performance of Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.