[z/OS]

Security tuning tips

Generally, two things happen when you increase security: the cost per transaction increases and throughput decreases. Consider the following security information when you configure WebSphere® Application Server.

SAF class

When a SAF (RACF® or equivalent) class is active, the number of profiles in a class affects the overall performance of the check. Placing these profiles in a (RACLISTed) memory table improves the performance of the access checks. Audit controls on access checks also affect performance. Usually, you audit failures and not successes. Audit events are logged to DASD and increases the overhead of the access check. Because all of the security authorization checks are done with SAF (RACF or equivalent), you can choose to enable and disable SAF classes to control security. A disabled class costs a negligible amount of overhead.

Additionally, if a SAF class is not RACLISTed, you must restart the application server to pick up any changes that are made to profiles in the class.

Avoid trouble Avoid trouble: Enabling all auditing on classes that control access to objects in the UNIX System Services file system, such as RACF DIRACC, DIRSRCH, FSOBJ and FSSEC, or their equivalent in other SAF security managers, severely degrades performance.gotcha

EJBROLEs on methods

Use a minimum number of EJBROLEs on methods. If you are using EJBROLEs, specifying more roles on a method leads to more access checks that must be executed and a slower overall method dispatch. If you are not using EJBROLEs, do not activate the class.

Java 2 Security

If you do not need Java 2 security, disable it. For instructions on how to disable Java 2 security, refer to Protecting system resources and APIs (Java 2 security) for developing applications.

Level of authorization

Use the lowest level of authorization consistent with your security needs. You have the following options when dealing with authentication:
  • Local authentication: Local authentication is the fastest type because it is highly optimized.
  • UserID and password authentication: Authentication that uses a user ID and password has a high first-call cost and a lower cost with each subsequent call.
  • Kerberos security authentication: We have not adequately characterized the cost of Kerberos security yet.
  • SSL security authentication: SSL security is notorious in the industry for its performance overhead. Luckily, there is many assists available from hardware to make this reasonable on z/OS®.

Level of encryption with SSL

If using Secure Sockets Layer (SSL), select the lowest level of encryption consistent with your security requirements. WebSphere Application Server enables you to select which cipher suites you use. The cipher suites dictate the encryption strength of the connection. The higher the encryption strength, the greater the impact on performance.

RACF tuning

Follow these guidelines for RACF tuning:

Reference topic    

Terms and conditions for information centers | Feedback

Last updated: April 20, 2014 08:46 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=phil&product=was-nd-mp&topic=rprf_tunezsec
File name: rprf_tunezsec.html