Oracle Fusion Middleware security services enable you to secure critical applications and sensitive data. This chapter describes how you can configure security services for optimal performance.
Oracle Fusion Middleware provides security services through Oracle Platform Security Services (OPSS) and Oracle Web Services.
Oracle Platform Security Services
Oracle Platform Security Services (OPSS) is a key component of Oracle Fusion Middleware. It offers an integrated suite of security services and is easily integrated with Java SE and Java EE applications that use the Java security model. OPSS includes features that implement user authentication, authorization, and delegation services that developers can integrate into their application environments. Instead of devoting resources to developing these services, application developers can focus on the presentation and business logic of their applications.
Using Oracle Platform Security for Java, applications can enforce fine-grained access control upon resource users. The three key steps are:
Configure and invoke a login module, as appropriate. You can use provided login modules, or you can use custom login modules.
Authenticate the user attempting to log in, which is the role of the identity store service.
Authorize the user by checking the permissions granted to the roles the user belongs to against whatever the user is attempting to accomplish, which is the role of the policy store service.
Oracle Web Services Security
Oracle Web Services Security provides a framework of authorization and authentication for interacting with a web service using XML-based messages.
Note: The information in this chapter assumes that you have reviewed and understand the concepts and administration information for Oracle Fusion Middleware Security Services. For more information, see the Oracle Fusion Middleware Security and Administrator's Guide for Web Services before tuning any security parameters.
This section offers some general guidelines on how to identify a performance bottleneck and how to approach addressing such problems.
If you discover a performance bottleneck, you should first verify that you have addressed the expected traffic load throughout your Web services deployment. If there is a system in the critical path that is at 100% CPU usage, you may simply need to add one or more computers to the cluster.
If there is a bottleneck in your deployment, it is likely to be within one of the following:
Traffic through a slow connection with an agent
Latency in connections to third-party queuing systems like JMS
For any of these problems, check the following potential sources:
Problems with policy assertions that include connections to outside resources, especially the following types:
Database Repositories
LDAP Repositories
Secured Resources
Proprietary Security Systems
Problems with database performance
If you identify one of these as the cause of a bottleneck, you may need to change how you manage your database or LDAP connections or how you secure resources.
This section provides basic tuning configurations for Oracle Platform Security Services (OPSS).
Tuning the JVM parameters can greatly improve performance. For example, the JVM heap size should be sized according to the number of roles and permissions in the store, because at run time all roles and permissions are held in the in-memory cache. For more JVM tuning information, see Section 2.4, "Tune Java Virtual Machines (JVMs)".
This section covers Lightweight Directory Access Protocol (LDAP) tuning. Oracle supports the management of policies in LDAP-based repositories: Oracle Internet Directory and Oracle Virtual Directory.
If you encounter increased CPU usage due to high SQL execution times, see the following chapters for basic tuning configurations for large deployments:
Oracle Internet Directory configuration settings can impact performance. For more information, see Chapter 17, "Oracle Internet Directory Performance Tuning".
In addition to being configured as an LDAP server, Oracle Virtual Directory can also be configured as a local storage adapter (LSA). See Chapter 18, "Oracle Virtual Directory Performance Tuning".
For OPSS authentication tuning, see "Improving the Performance of WebLogic and LDAP Authentication Providers" in the Oracle Fusion Middleware Securing Oracle WebLogic Server guide at the Oracle Technology Network: http://download.oracle.com/docs/cd/E12840_01/wls/docs103/secmanage/atn.html#wp1199087
The following system properties can be used to tune authorization:
Table 20-1 Authorization Parameters
Setting | Default | Notes |
---|---|---|
Protection domain caching | True | System property that caches the protection domains computed for a given subject. |
Lazy protection domain evaluation | True | System property that evaluates a subject's protection domain only when a checkPermission call occurs. |
Hybrid policy mode (system property jps.policystore.hybrid.mode) | False | Eases the transition from the Sun reference implementation of java.security.Policy to the OPSS Java Policy Provider: in hybrid mode the OPSS Java Policy Provider reads from both java.policy and system-jazn-data.xml. Hybrid mode can be disabled by setting the system property jps.policystore.hybrid.mode to false when starting WebLogic Server. |
Authorization delegation | ACC | Delegates the call to the JDK API AccessController.checkPermission, which reduces the performance impact at run time or while debugging. |
Table 20-2 provides OPSS Tuning parameters for LDAP Policy Store:
Table 20-2 OPSS Tuning Parameters for LDAP Policy Store
Setting | Default | Notes |
---|---|---|
Role member cache type | STATIC | Consider keeping the default value for performance. |
Role member cache strategy | FIFO | Consider keeping the default value for performance. |
Role member cache size | 1000 | If performance is an issue, consider increasing the size to 5000 (if appropriate for your deployment). |
Policy lazy load | TRUE | Consider keeping the default value for performance. |
Permission cache strategy | PERMISSION_FIFO | Consider keeping the default value for performance. |
Permission cache size | 1000 | If performance is an issue, consider increasing the size to 4000 (if appropriate for your deployment). |
Incremental policy cache update | TRUE | If TRUE, the policy cache is incrementally updated for management operations. Consider keeping the default value for performance. |
Policy store refresh | TRUE | Enables periodic refresh of the policy store cache. Consider keeping the default value for performance. |
Forced policy store refresh time | 43200000 | Forced policy store refresh time in milliseconds (12 hours). Consider keeping the default value for performance. |
Policy store refresh polling time | 600000 | Polling interval in milliseconds for policy store changes (10 minutes). Consider keeping the default value for performance. |
Oracle Web Services Security provides a framework of authorization and authentication for interacting with a web service using XML-based messages. This section provides information on factors that might affect performance of the web service.
Oracle Web Services Security supports many policies, and the appropriate policies must be selected based on the security needs of the deployment. Give careful consideration to performance, since each additional policy adds processing to every message. For example, transport-level security (SSL) is faster than application-level (message-level) security, but transport-level security protects only a single hop: in multi-step transactions that pass through intermediaries, the message is exposed wherever the SSL connection terminates. Application-level security costs more but protects the message end to end.
See "Configuring Policies" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services to determine which security policies are required for a deployment.
By default, the Oracle Web Service policies have the timestamp turned ON. Consider the following before changing this setting: with the timestamp OFF, the receiver loses the Created/Expires window that bounds how long a captured message remains acceptable, so there are security implications for replay; with the timestamp ON, each message carries and validates an extra header element, so there are performance implications. Review the implications of these settings before making a change. Refer to the Oracle Fusion Middleware Security and Administrator's Guide for Web Services for more information.
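The check that the timestamp makes possible, as an added example that is not Oracle code and not part of the original page: a receiver-side freshness test over the wsu:Timestamp that the default policies emit. The SOAP envelope is constructed for the example; the 60-second clock-skew allowance, the 5-minute maximum lifetime, the urn:example:bank body and the function names are assumptions, not Oracle defaults or APIs.

```python
"""WS-Security Timestamp freshness check.

Added example, not Oracle code: it shows what the wsu:Timestamp that the
Oracle Web Service policies emit by default gives a receiver, namely a
Created/Expires window after which a captured message can no longer be
replayed. The envelope below is constructed for this example; the skew and
maximum-lifetime bounds are assumed local policy values, not Oracle defaults.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

# Namespaces from SOAP 1.1 and the OASIS WS-Security 1.0 schemas
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}


def parse_utc(text):
    """Parse the xsd:dateTime form WS-Security stacks emit: UTC with a trailing Z."""
    t = text.strip()
    if not t.endswith("Z"):
        raise ValueError("wsu timestamps must be expressed in UTC")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in t else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(t[:-1], fmt).replace(tzinfo=timezone.utc)


def check_timestamp(envelope_xml, now, max_skew=timedelta(seconds=60),
                    max_lifetime=timedelta(minutes=5)):
    """Return (accepted, reason) for the wsu:Timestamp in the Security header.

    Rejects a missing timestamp, a Created in the future beyond the skew
    allowance, an Expires already passed, an Expires not after Created, and a
    validity window longer than the receiver is willing to accept. Without a
    timestamp (policy timestamp turned OFF) none of these checks are possible
    and a captured message stays acceptable indefinitely.
    """
    root = ET.fromstring(envelope_xml)
    ts = root.find("soap:Header/wsse:Security/wsu:Timestamp", NS)
    if ts is None:
        return False, "no wsu:Timestamp in the Security header"
    created_el = ts.find("wsu:Created", NS)
    if created_el is None or not created_el.text:
        return False, "wsu:Created missing"
    created = parse_utc(created_el.text)
    expires_el = ts.find("wsu:Expires", NS)
    # wsu:Expires is optional in WS-Security; apply the local lifetime bound when absent
    if expires_el is not None and expires_el.text:
        expires = parse_utc(expires_el.text)
    else:
        expires = created + max_lifetime
    if expires <= created:
        return False, "wsu:Expires is not after wsu:Created"
    if created - now > max_skew:
        return False, "wsu:Created lies in the future beyond the allowed clock skew"
    if now - expires > max_skew:
        return False, "message expired"
    if expires - created > max_lifetime:
        return False, "validity window exceeds the receiver's maximum lifetime"
    return True, "fresh"


def build_envelope(created=None, expires=None):
    """Construct a minimal SOAP 1.1 envelope for this example (test data, not a captured message).

    created=None produces a message with no Security header, which is what a
    policy with the timestamp turned OFF and no other assertions would send.
    """
    if created is None:
        header = "<soap:Header/>"
    else:
        exp = f"<wsu:Expires>{expires}</wsu:Expires>" if expires else ""
        header = (
            "<soap:Header><wsse:Security>"
            f'<wsu:Timestamp wsu:Id="TS-1"><wsu:Created>{created}</wsu:Created>{exp}</wsu:Timestamp>'
            "</wsse:Security></soap:Header>"
        )
    return (
        f'<soap:Envelope xmlns:soap="{NS["soap"]}" xmlns:wsse="{NS["wsse"]}" xmlns:wsu="{NS["wsu"]}">'
        f"{header}"
        '<soap:Body><GetBalance xmlns="urn:example:bank"><account>42</account></GetBalance></soap:Body>'
        "</soap:Envelope>"
    )


if __name__ == "__main__":
    now = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
    print(check_timestamp(build_envelope("2024-05-01T11:59:30Z", "2024-05-01T12:04:30Z"), now))
    print(check_timestamp(build_envelope("2024-05-01T11:00:00Z", "2024-05-01T11:05:00Z"), now))
    print(check_timestamp(build_envelope(), now))
```

With the timestamp OFF the Security header carries no Timestamp element, so the check returns the "no wsu:Timestamp" result and the receiver has no basis for rejecting a message replayed hours later; with it ON, the cost is one small header element plus these comparisons per message. Rejecting the same message twice inside its window additionally needs a cache of seen message identifiers, which this example does not implement.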
There is an inherent performance impact when using the database-based policy enforcement. When database policy enforcement is chosen, careful consideration must be given to the "polling" frequency of the agent to the database.
The request and response pipelines of the default policy include a log assertion that causes policy enforcement points (PEP) to record SOAP messages to either a database or a component-specific local file. The logging level affects performance, and the higher levels record the message payload itself, so the level also determines how much potentially sensitive data ends up in the log. To prevent performance issues, use the lowest logging level that is appropriate for your deployment.
The following logging levels can be configured in the log step:
Header - Only the SOAP header is recorded.
Body - Only the message content (body) is recorded.
Envelope - The entire SOAP envelope, which includes both the header and the body, is recorded. Any attachments are not recorded.
All - The full message is recorded. This includes the SOAP header, the body, and all attachments, which might be URLs existing outside the SOAP message itself.
Note: Typically, system performance improves when log files are located in topological proximity to the enforcement component. If possible, use multiple distributed logs in a highly distributed environment.
You can monitor the following Oracle Web Services metrics through the Web Services home page of Oracle Fusion Middleware Control:
Endpoint Enabled Metrics such as:
Policy Reference Status
Total Violations
Security Violations
Invocations Completed
Response Time, in seconds
Policy Violations such as:
Total Violations
Authentication Violations
Authorization Violations
Confidentiality Violations
Integrity Violations
Total Faults
For general information on monitoring Oracle Fusion Middleware components, see Chapter 4, "Monitoring Oracle Fusion Middleware".
For detailed information on using Oracle Fusion Middleware Control to monitor Oracle Web Services, see "Monitoring the Performance of Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.