Oracle Fusion Middleware provides security services through Oracle Platform Security Services (OPSS) and Oracle Web Services.
Oracle Platform Security Services
Oracle Platform Services is a key component of Oracle Fusion Middleware. It offers an integrated suite of security services and is easily integrated with Java SE and Java EE applications that use the Java security model. Security Services includes features that implement user authentication, authorization, and delegation services that developers can integrate into their application environments. Instead of devoting resources to developing these services, application developers can focus on the presentation and business logic of their applications.
Using Oracle Platform Security for Java, applications can enforce fine-grained access control upon resource users. The three key steps are:
Configure and invoke a login module, as appropriate. You can use provided login modules, or you can use custom login modules.
Authenticate the user attempting to log in, which is the role of the identity store service.
Authorize the user by checking permissions for any roles the user belongs to for whatever the user is attempting to accomplish, which is the role of the policy store service.
Oracle Web Services Security
Oracle Web Services Security provides a framework of authorization and authentication for interacting with a web service using XML-based messages.
Note:
The information here assumes that you have reviewed and understand the concepts and administration information for Oracle Fusion Middleware Security Services. For more information, see Administering Web Services before tuning any security parameters.
If you discover a performance bottleneck, you should first verify that you have addressed the expected traffic load throughout your Web services deployment. If there is a system in the critical path that is at 100% CPU usage, you may simply need to add one or more computers to the cluster.
If there is a bottleneck in your deployment, it is likely to be within one of the following:
Traffic through a slow connection with an agent
Latency in connections to third-party queuing systems like JMS
For any of these problems, check the following potential sources:
Problems with policy assertions that include connections to outside resources, especially the following types:
Database Repositories
LDAP Repositories
Secured Resources
Proprietary Security Systems
Problems with database performance
If you identify one of these as the cause of a bottleneck, you may need to change how you manage your database or LDAP connections or how you secure resources.
Oracle Platform Security Services (OPSS) includes basic tuning configurations.
Tuning the JVM parameters can greatly improve performance. For example, the JVM Heap size should be tuned depending upon the number of roles and permissions in the store. At run time, all roles and permissions are stored in the in-memory cache. For more JVM tuning information, see Tuning Java Virtual Machines (JVMs).
Starting with Java Development Kit 7 (JDK 7), the default keystore size is now 2048 bits. JDK 6 and earlier had a default size of 1024 bits.
When using the Java keytool to generate keystores, the -keysize parameter can be used to control the keystore size. Larger keystores provide stronger security, though at the cost of decreased security performance. Consider your environment's use case scenarios to determine if increasing the keystores would negatively impact your security or performance thresholds.
For more information, see the JDK 7 release notes at http://www.oracle.com/technetwork/java/javase/jdk7-relnotes-418459.html
For OPSS Authentication tuning, see "Improving the Performance of WebLogic and LDAP Authentication Providers" in Oracle Fusion Middleware Securing Oracle WebLogic Server guide on the Oracle Technology Network http://download.oracle.com/docs/cd/E12840_01/wls/docs103/secmanage/atn.html#wp1199087.
The following Java system properties can be used to optimize authorization:
Table 8-1 Authorization Properties
| Java System Properties | Default Value | Valid Values | Notes |
|---|---|---|---|
|
|
|
|
JPS uses a Subject Resolver to This conversion can be CPU intensive, especially if the subject's principal set has a large population. To improve performance, JPS code caches the conversion The following settings can be used to configure the cache key:
|
|
|
|
Cache's Time To Live (TTL) for case '5' (above). This system property controls how long the cache is valid. When the time expired, the cached value is dumped. The setting can be controlled by the flag of Consider setting the duration of this TTL setting to the same value as the value used for the group and user cache TTL in WLS LDAP authenticator. |
|
|
|
|
|
This system property is used to cache the protection domains for a given subject. Setting |
|
|
|
|
This system property is used to evaluate a subject's protection domain when a checkPermission occurs. Setting |
|
|
|
|
This 'hybrid mode' property is used to facilitate transition from SUN java.security.Policy to OPSS Java Policy Provider. The OPSS Java Policy Provider reads from both |
|
|
|
|
Delegates the call to JDK API ACC: delegate to SM: delegate to |
Table 8-2 provides OPSS tuning parameters for policy store:
Table 8-2 OPSS PDP Service Tuning Parameters
| Parameter | Default Value | Valid Values | Notes |
|---|---|---|---|
|
|
|
|
This parameter specifies the type of role member cache.Valid only in Java EE applications. Valid values:
Consider maintaining the default value for the best performance. |
|
|
|
|
The type of strategy used in the role member cache. Valid only in Java EE applications. Valid values:
Consider maintaining the default value for the best performance. |
|
|
|
The size of the role member cache. The role being referred to is the enterprise role (group). You can find out the number of the groups you have in your ID store first. Then, based on your performance requirement, you can set this number to the number of the groups - full cache scenario. Or you can change to a certain percentage of the number of the groups - partial group cache scenario. |
|
|
|
|
|
Enables or disables the policy lazy loading. If this parameter is set to false, the server initial startup time will take longer - especially in a large policy store. For faster start-up time, the recommended value is true. |
|
|
|
|
The type of strategy used in the permission cache. Valid only in Java EE applications. Valid Values:
Consider using the default value for the best performance. |
|
|
|
The size of the permission cache. If you cache all policies, then you can set this value to the total number of grants. |
|
|
|
|
|
This property is used for refresh enabling. Consider maintaining the default value for the best performance. |
|
|
|
|
This property is used for refresh enabling. Consider maintaining the default value for performance. |
|
|
|
The time, in milliseconds, after which the policy store is refreshed. Consider maintaining the default value for the best performance. |
|
|
|
|
The interval, in milliseconds, at which the policy store is polled for changes. Consider maintaining the default value for the best performance. This property is valid in Java EE and J2SE applications. |
|
|
|
|
|
This property controls the way the Set to True when the number of users and groups is significantly higher than the number of application roles; set to False otherwise, that is, when the number of application roles is very high. |
Oracle Web Services Security provides a framework of authorization and authentication for interacting with a web service using XML-based messages. There a several factors that may affect performance of the web service.
Oracle Web Services Security supports many policies and the appropriate policies must be implemented based on the security need of the deployment. Careful consideration should be given to performance, since each additional policy can impact performance. For example Transport level security (SSL) is faster than Application level security, but transport level security can be vulnerable in multi-step transactions. Application level security has more performance implications, but provides end-to-end security.
See Determining Which Predefined Policies to Use in Securing Web Services and Managing Policies with Oracle Web Services Manager to determine which security policies are required for a deployment.
There is an inherent performance impact when using the database-based policy enforcement. When database policy enforcement is chosen, careful consideration must be given to the "polling" frequency of the agent to the database.
The request and response pipelines of the default policy include a log assertion that causes policy enforcement points (PEP) to record SOAP messages to either a database or a component-specific local file. There can be potential performance impacts to the logging level. To prevent performance issues, consider using the lowest logging level that is appropriate for your deployment.
The following logging levels can be configured in the log step:
Header - Only the SOAP header is recorded.
Body - Only the message content (body) is recorded.
Envelope - The entire SOAP envelope, which includes both the header and the body, is recorded. Any attachments are not recorded.
All - The full message is recorded. This includes the SOAP header, the body, and all attachments, which might be URLs existing outside the SOAP message itself.
Note: Typically, system performance improves when log files are located in topological proximity to the enforcement component. If possible, use multiple distributed logs in a highly distributed environment.
When you request that a Context instance use connection pooling by using the com.sun.jndi.ldap.connect.pool environment property, the connection that is used might or might not be pooled. The default rule is that plain (non-SSL) connections that use simple or no authentication are allowed to be pooled. You can change this default to include SSL connections and the DIGEST-MD5 authentication type by using system properties. To allow both plain and SSL connections to be pooled, set the com.sun.jndi.ldap.connect.pool.protocol system property to the string plain ssl as shown below:
"-Dcom.sun.jndi.ldap.connect.pool.protocol="plain ssl"
You can monitor the performance on the following Oracle Web Services through the Web Services home page of Oracle Fusion Middleware Control:
Endpoint Enabled Metrics such as:
Policy Reference Status
Total Violations
Security Violations
Invocations Completed
Response Time, in seconds
Policy Violations such as:
Total Violations
Authentication Violations
Authorization Violations
Confidentiality Violations
Integrity Violations
Total Faults
For general information on monitoring Oracle Fusion Middleware components, see Monitoring.
For detailed information on using Oracle Fusion Middleware Control to monitor Oracle Web Services, see Overview of Performance Monitoring, Auditing, and Tuning in Administering Web Services.