Skip Headers
Oracle® Fusion Middleware Performance and Tuning Guide
11g Release 1 (11.1.1.7.0)

Part Number E10108-13
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Index
Index
Go to Master Index
Master Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
PDF · Mobi · ePub

27 Oracle Fusion Middleware Security Performance Tuning

Oracle Fusion Middleware security services enable you to secure critical applications and sensitive data. This chapter describes how you can configure security services for optimal performance.

This chapter contains the following topics:

27.1 About Security Services

Oracle Fusion Middleware provides security services through Oracle Platform Security Services (OPSS) and Oracle Web Services.

Note:

The information in this chapter assumes that you have reviewed and understand the concepts and administration information for Oracle Fusion Middleware Security Services. For more information, see the Oracle Fusion Middleware Security and Administrator's Guide for Web Services before tuning any security parameters.

27.2 Basic Tuning Considerations

This section offers some general guidelines on how to identify a performance bottleneck and how to approach addressing such problems.

If you discover a performance bottleneck, you should first verify that you have addressed the expected traffic load throughout your Web services deployment. If there is a system in the critical path that is at 100% CPU usage, you may simply need to add one or more computers to the cluster.

If there is a bottleneck in your deployment, it is likely to be within one of the following:

For any of these problems, check the following potential sources:

If you identify one of these as the cause of a bottleneck, you may need to change how you manage your database or LDAP connections or how you secure resources.

27.3 Tuning Oracle Platform Security Services

This section provides the following basic tuning configurations for Oracle Platform Security Services (OPSS):

27.3.1 JVM Tuning Parameters

Tuning the JVM parameters can greatly improve performance. For example, the JVM Heap size should be tuned depending upon the number of roles and permissions in the store. At run time, all roles and permissions are stored in the in-memory cache. For more JVM tuning information, see Section 2.4, "Tuning Java Virtual Machines (JVMs)".

27.3.2 JDK Tuning Parameters

Starting with Java Development Kit 7 (JDK 7), the default keystore size is now 2048 bits. JDK 6 and earlier had a default size of 1024 bits.

When using the Java keytool to generate keystores, the -keysize parameter can be used to control the keystore size. Larger keystores provide stronger security, though at the cost of decreased security performance. Consider your envinronment's use case scenarios to determine if increasing the keystores would negatively impact your security or performance thresholds.

For more information see the JDK 7 release notes at http://www.oracle.com/technetwork/java/javase/jdk7-relnotes-418459.html

27.3.3 LDAP Tuning Parameters

This section covers Lightweight Directory Access Protocol (LDAP) tuning. Oracle supports the management of policies in file-based repositories: Oracle Internet Directory and Oracle Virtual Directory.

If you encounter increased CPU usage due to high SQL execution times, see the following chapters for basic tuning configurations for large deployments:

27.3.4 Authentication Tuning Parameters

For OPSS Authentication tuning, see "Improving the Performance of WebLogic and LDAP Authentication Providers" in the Oracle Fusion Middleware Securing Oracle WebLogic Server guide at the Oracle Technology Network http://download.oracle.com/docs/cd/E12840_01/wls/docs103/secmanage/atn.html#wp1199087.

27.3.5 Authorization Tuning Properties

The following Java system properties can be used to optimize authorization:

Table 27-1 Authorization Properties

Java System Properties Default Value Valid Values Notes

-Djps.subject.cache.key

4

3

4

5

JPS uses a Subject Resolver to convert a platform subject to JpsSubject which contains user/enterprise-role information, as well as ApplicationRole information. This information is represented as principals in the subject.

This conversion can be CPU intensive, especially if the subject's principal set has a large population. To improve performance, JPS code caches the conversion between Platform subject and JpsSubject. Note that two subjects could be confused if their contents are the same, but the case of the principals' name is different.

The following settings can be used to configure the cache key:

  • 3: Use the platform subject directly as the key. Note: On WLS if the principalEqualCaseinsensitive flag is enabled, two subjects could confused if their contents are the same, but the case of the principals is different.

  • 4: This setting is similar to '3' but overcomes the case-sensitive issue. This is the out-of-the-box setting.

  • 5: Instead of using the whole subject as the key, this settings uses a subset of the principal set inside the subject as the key (actually use principals of WLSUSerImpl type).

    This setting will accelerate the cache retrieval operation if the subject has a large principal set. On a non WLS platform (such as WAS and JBOSS, this reverts back to case '4'), so this setting is for WLS only. For this case, there is also a Time To Live setting (TTL) flag which controls how long the cache is valid, as explained below.

-Djps.subject.cache.ttl

60000ms

 

Cache's Time To Live (TTL) for case '5' (above). This system property controls how long the cache is valid. When the time expired, the cahed value is dumped. The setting can be controlled by the flag of -Djps.subject.cache.ttl=xxxx, where 'xxx' is the duration in milliseconds.

Consider setting the duration of this TTL setting to the same value as the value used for the group and user cache TTL in WLS LDAP authenticator.

-Djps.combiner.optimize=true

True

True

False

This system property is used to cache the protection domains for a given subject. Setting -Djps.combiner.optimize=true can improve Java authorization performance.

-Djps.combiner.optimize.lazyeval=true

True

True

False

This system property is used to evaluate a subject's protection domain when a checkPermission occurs. Setting -Djps.combiner.optimize.lazyeval=true can improve Java authorization performance.

-Djps.policystore.hybrid.mode=true

True

True

False

This 'hybrid mode' property is used to facilitate transition from SUN java.security.Policy to OPSS Java Policy Provider.

The OPSS Java Policy Provider reads from both java.policy and system-jazn-data.xml."Hybrid" mode can be disabled by setting the system property jps.policystore.hybrid.mode to false when starting the WebLogic Server. Setting -Djps.policystore.hybrid.mode=false can reduce runtime overhead.

-Djps.authz=ACC

ACC

ACC

SM

Delegates the call to JDK API AccessController.checkPermission which can reduce the performance impact at run time or while debugging.

ACC: delegate to AccessController.checkPermission

SM: delegate to SecurityManager if SecurityManager is set.


27.3.6 OPSS PDP Service Tuning Parameters

Table 27-2 provides OPSS tuning parameters for policy store:

Table 27-2 OPSS PDP Service Tuning Parameters

Parameter Default Value Valid Values Notes

oracle.security.jps.policystore.rolemember.cache.type

STATIC

STATIC, SOFT, WEAK

This parameter specifies the type of role member cache.Valid only in Java EE applications.

Valid values:

  • STATIC: Cache objects are statically cached and can be cleaned explicitly only according the applied cache strategy, such as FIFO. The garbage collector does not clean a cache of this type.

  • SOFT: The cleaning of a cache of this type relies on the garbage collector when there is a memory crunch.

  • WEAK: The behavior of a cache of this type is similar to a cache of type SOFT, but the garbage collector cleans it more frequently.

Consider maintaining the default value for the best performance.

oracle.security.jps.policystore.rolemember.cache.strategy

FIFO

FIFO

NONE

The type of strategy used in the role member cache. Valid only in Java EE applications.

Valid values:

  • FIFO: The cache implements the first-in-first-out strategy.

  • NONE: All entries in the cache grow until a refresh or reboot occurs; there is no control over the size of the cache; not recommended but typically efficient when the policy footprint is very small.

Consider maintaining the default value for the best performance.

oracle.security.jps.policystore.rolemember.cache.size

1000

 

The size of the role member cache. The role being referred to is the enterprise role (group). You can find out the number of the groups you have in your ID store first. Then, based on your performance requirement, you can set this number to the number of the groups - full cache scenario. Or you can change to a certain percentage of the number of the groups - partial group cache scenario.

oracle.security.jps.policystore.policy.lazy.load.enable

True

True

False

Enables or disables the policy lazy loading. If this parameter is set to false, the server initial startup time will take longer - especially in a large policy store. For faster start-up time, the recommended value is true.

oracle.security.jps.policystore.policy.cache.strategy

PERMISSION_FIFO

PERMISSION_FIFO

NONE

The type of strategy used in the permission cache. Valid only in Java EE applications.

Valid Values:

  • PERMISSION_FIFO: The cache implements the first-in-first-out strategy.

  • NONE: All entries in the cache grow until a refresh or reboot occurs; there is no control over the size of the cache; not recommended but typically efficient when the policy footprint is very small.

Consider using the default value for the best performance.

oracle.security.jps.policystore.policy.cache.size

1000

 

The size of the permission cache. If you cache all policies, then you can set this value to the total number of grants.

oracle.security.jps.policystore.cache.updatable

True

True

False

This property is used for refresh enabling. Consider maintaining the default value for the best performance.

oracle.security.jps.policystore.refresh.enable

True

True

False

This property is used for refresh enabling. Consider maintaining the default value for performance.

oracle.security.jps.policystore.refresh.purge.timeout

43200000

 

The time, in milliseconds, after which the policy store is refreshed. Consider maintaining the default value for the best performance.

oracle.security.jps.ldap.policystore.refresh.interval

600000 (10 minutes)

 

The interval, in milliseconds, at which the policy store is polled for changes. Consider maintaining the default value for the best performance. This property is valid in Java EE and J2SE applications.

oracle.security.jps.policystore.rolemember.cache.warmup.enable

False

True

False

This property controls the way the ApplicationRole membership cache is created. If set to True, the cache is created at server startup; otherwise, it is created on demand (lazy loading).

Set to True when the number of users and groups is significantly higher than the number of application roles; set to False otherwise, that is, when the number of application roles is very high.


27.4 Oracle Web Services Security Tuning

Oracle Web Services Security provides a framework of authorization and authentication for interacting with a web service using XML-based messages. This section provides information on factors that might affect performance of the web service.

27.4.1 Choosing the Right Policy

Oracle Web Services Security supports many policies and the appropriate policies must be implemented based on the security need of the deployment. Careful consideration should be given to performance, since each additional policy can impact performance. For example Transport level security (SSL) is faster than Application level security, but transport level security can be vulnerable in multi-step transactions. Application level security has more performance implications, but provides end-to-end security.

See "Configuring Policies" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services to determine which security policies are required for a deployment.

27.4.2 Policy Manager

There is an inherent performance impact when using the database-based policy enforcement. When database policy enforcement is chosen, careful consideration must be given to the "polling" frequency of the agent to the database.

27.4.3 Configuring the Log Assertion to Record SOAP Messages

The request and response pipelines of the default policy include a log assertion that causes policy enforcement points (PEP) to record SOAP messages to either a database or a component-specific local file. There can be potential performance impacts to the logging level. To prevent performance issues, consider using the lowest logging level that is appropriate for your deployment.

The following logging levels can be configured in the log step:

  • Header - Only the SOAP header is recorded.

  • Body - Only the message content (body) is recorded.

  • Envelope - The entire SOAP envelope, which includes both the header and the body, is recorded. Any attachments are not recorded.

  • All - The full message is recorded. This includes the SOAP header, the body, and all attachments, which might be URLs existing outside the SOAP message itself.

Note: Typically, system performance improves when log files are located in topological proximity to the enforcement component. If possible, use multiple distributed logs in a highly distributed environment.

27.4.4 Configuring Connection Pooling

When you request that a Context instance use connection pooling by using the "com.sun.jndi.ldap.connect.pool" environment property, the connection that is used might or might not be pooled. The default rule is that plain (non-SSL) connections that use simple or no authentication are allowed to be pooled. You can change this default to include SSL connections and the DIGEST-MD5 authentication type by using system properties. To allow both plain and SSL connections to be pooled, set the "com.sun.jndi.ldap.connect.pool.protocol" system property to the string "plain ssl" as shown below:

”-Dcom.sun.jndi.ldap.connect.pool.protocol=”plain ssl”

27.4.5 Monitoring the Performance of Web Services

You can monitor the performance on the following Oracle Web Services through the Web Services home page of Oracle Fusion Middleware Control:

  • Endpoint Enabled Metrics such as:

    • Policy Reference Status

    • Total Violations

    • Security Violations

  • Invocations Completed

  • Response Time, in seconds

  • Policy Violations such as:

    • Total Violations

    • Authentication Violations

    • Authorization Violations

    • Confidentiality Violations

    • Integrity Violations

  • Total Faults

For general information on monitoring Oracle Fusion Middleware components, see Chapter 4, "Monitoring Oracle Fusion Middleware".

For detailed information on using Oracle Fusion Middleware Control to monitor Oracle Web Services, see "Monitoring the Performance of Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.