As a general rule, two things happen when you increase security: the cost per transaction increases and throughput decreases. Consider the following security information when you configure WebSphere® Application Server.
When a SAF (RACF® or equivalent) class is active, the number of profiles in a class will affect the overall performance of the check. Placing these profiles in a (RACLISTed) memory table will improve the performance of the access checks. Audit controls on access checks also affect performance. Usually, you audit failures and not successes. Audit events are logged to DASD and will increase the overhead of the access check. Because all of the security authorization checks are done with SAF (RACF or equivalent), you can choose to enable and disable SAF classes to control security. A disabled class will cost a negligible amount of overhead.
Additionally, if a SAF class is not RACLISTed, you must restart the application server to pick up any changes made to profiles in the class.
Use a minimum number of EJBROLEs on methods. If you are using EJBROLEs, specifying more roles on a method will lead to more access checks that need to be executed and a slower overall method dispatch. If you are not using EJBROLEs, do not activate the class.
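The following RACF commands, an added example rather than commands taken from the WebSphere documentation, show how the points above are applied in practice: activating and RACLISTing the classes the server uses, auditing failures only, refreshing an in-storage class after a profile change instead of restarting the server, and deactivating the EJBROLE class when no roles are used. The profile name MyApp.Administrator and the user ID WSADMIN are hypothetical; the commands assume standard RACF command syntax issued from TSO or a CLIST.

```tso
/* Activate the classes WebSphere uses and load their profiles  */
/* into storage so each access check is a memory lookup, not a   */
/* RACF database read.                                           */
SETROPTS CLASSACT(CBIND EJBROLE SERVER STARTED FACILITY SURROGAT)
SETROPTS RACLIST(CBIND EJBROLE SERVER STARTED FACILITY SURROGAT)

/* Define an EJB role profile (hypothetical name) that logs only */
/* failed access attempts; successes are not written to DASD.    */
RDEFINE EJBROLE MyApp.Administrator UACC(NONE) AUDIT(FAILURES(READ))
PERMIT  MyApp.Administrator CLASS(EJBROLE) ID(WSADMIN) ACCESS(READ)

/* Because EJBROLE is RACLISTed, refresh the in-storage copy so  */
/* the new profile takes effect without restarting the server.   */
SETROPTS RACLIST(EJBROLE) REFRESH

/* If the applications do not use EJB roles at all, deactivate   */
/* the class so that no role checks are made on method dispatch. */
SETROPTS NOCLASSACT(EJBROLE)
```

The last command is an alternative to the preceding ones, not a step that follows them: keep the class active and RACLISTed when roles are in use, and deactivate it only when no application relies on EJBROLE checks.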
If you do not need Java 2 security, disable it. For instructions on how to disable Java 2 security, refer to Protecting system resources and APIs (Java 2 security) for developing applications.
If using Secure Sockets Layer (SSL), select the lowest level of encryption consistent with your security requirements. WebSphere Application Server enables you to select which cipher suites you use. The cipher suites dictate the encryption strength of the connection. The higher the encryption strength, the greater the impact on performance.
Follow these guidelines for RACF tuning:
RACLIST the CBIND, EJBROLE, SERVER, STARTED, FACILITY, and SURROGAT classes.
Define the BPX.SAFFASTPATH profile in the FACILITY class:
RDEFINE FACILITY BPX.SAFFASTPATH UACC(NONE)
Cache the RACF UNIX identity mapping tables in VLF by including the following class definitions in the COFVLFxx PARMLIB member:
CLASS NAME(IRRGMAP) EMAJ(GMAP)
CLASS NAME(IRRUMAP) EMAJ(UMAP)
CLASS NAME(IRRGTS) EMAJ(GTS)
CLASS NAME(IRRACEE) EMAJ(ACEE)
To avoid a costly scan of the RACF database, make sure all HFS files have valid GIDs and UIDs.