Generally, two things happen when you increase security: the cost per transaction increases and throughput decreases. Consider the following security information when you configure WebSphere® Application Server.
When a SAF (RACF® or equivalent) class is active, the number of profiles in a class affects the overall performance of the check. Placing these profiles in a (RACLISTed) memory table improves the performance of the access checks. Audit controls on access checks also affect performance. Usually, you audit failures and not successes. Audit events are logged to DASD and increases the overhead of the access check. Because all of the security authorization checks are done with SAF (RACF or equivalent), you can choose to enable and disable SAF classes to control security. A disabled class costs a negligible amount of overhead.
Additionally, if a SAF class is not RACLISTed, you must restart the application server to pick up any changes that are made to profiles in the class.
Use a minimum number of EJBROLEs on methods. If you are using EJBROLEs, specifying more roles on a method leads to more access checks that must be executed and a slower overall method dispatch. If you are not using EJBROLEs, do not activate the class.
If you do not need Java 2 security, disable it. For instructions on how to disable Java 2 security, refer to Protecting system resources and APIs (Java 2 security) for developing applications.
If using Secure Sockets Layer (SSL), select the lowest level of encryption consistent with your security requirements. WebSphere Application Server enables you to select which cipher suites you use. The cipher suites dictate the encryption strength of the connection. The higher the encryption strength, the greater the impact on performance.
Follow these guidelines for RACF tuning:
RACLIST (CBIND, EJBROLE, SERVER, STARTED, FACILITY, SURROGAT)
RDEFINE FACILITY BPX.SAFFASTPATH UACC(NONE)
********************************* Top of Data ********************. . CLASS NAME(IRRGMAP) EMAJ(GMAP) CLASS NAME(IRRUMAP) EMAJ(UMAP) CLASS NAME(IRRGTS) EMAJ(GTS) CLASS NAME(IRRACEE) EMAJ(ACEE) . ******************************** Bottom of Data ******************To avoid a costly scan of the RACF databases, make sure that all HFS files have valid GIDs and UIDs.