1. Tuning Performance Guide
  2. Core Components
  3. Tuning Oracle Fusion Middleware Security

7 Tuning Oracle Fusion Middleware Security

You can tune Oracle Fusion Middleware security services to optimize the performance of security services through Oracle Platform Security Services (OPSS) and Oracle Web Services.

  • About Security Services
    Oracle Fusion Middleware provides security services through Oracle Platform Security Services (OPSS) and Oracle Web Services.
  • Basic Tuning Considerations
    Tuning considerations might improve the performance of the Oracle Fusion Middleware security services.
  • Tuning Oracle Platform Security Services
    Oracle Platform Security Services (OPSS) includes the following basic tuning configurations.
  • Oracle Web Services Security Tuning
    Oracle Web Services Security provides a framework of authorization and authentication for interacting with a web service by using XML-based messages. There are several factors that may affect performance of the web service.

Parent topic: Core Components

About Security Services

Oracle Fusion Middleware provides security services through Oracle Platform Security Services (OPSS) and Oracle Web Services.

  • Oracle Platform Security Services

    Oracle Platform Security Services is a key component of Oracle Fusion Middleware. It offers an integrated suite of security services and is easily integrated with Java SE and Jakarta EE applications that use the Java security model. Security Services includes features that implement user authentication, authorization, and delegation services that developers can integrate into their application environments. Instead of devoting resources to developing these services, application developers can focus on the presentation and business logic of their applications.

    Using Oracle Platform Security for Java, applications can enforce fine-grained access control upon resource users. The three key steps are:

    1. Configure and invoke a login module, as appropriate. You can use provided login modules, or you can use custom login modules.

    2. Authenticate the user attempting to log in, which is the role of the identity store service.

    3. Authorize the user by checking permissions for that role.

  • Oracle Web Services Security

    Oracle Web Services Security provides a framework of authorization and authentication for interacting with a web service by using XML-based messages.

Note:

The information here assumes that you have reviewed and understand the concepts and administration information for Oracle Fusion Middleware Security Services. See, Administering Web Services before you tune any security parameters.

Parent topic: Tuning Oracle Fusion Middleware Security

Basic Tuning Considerations

Tuning considerations might improve the performance of the Oracle Fusion Middleware security services.

If you discover a performance bottleneck, you must first verify that you have addressed the expected traffic load throughout your web services deployment. If there is a system in the critical path that is at 100% CPU usage, add one or more computers to the cluster.

If there is a bottleneck in your deployment, it is likely to be within one of the following:

  • Traffic through a slow connection with an agent

  • Latency in connections to third-party queuing systems like JMS

For any of these problems, check the following potential sources:

  • Problems with policy assertions that include connections to outside resources, especially the following types:

    • Database Repositories

    • LDAP Repositories

    • Secured Resources

    • Proprietary Security Systems

  • Problems with database performance

If you identify one of these as the cause of a bottleneck, you might need to change how you manage your database or LDAP connections or how you secure the resources.

Parent topic: Tuning Oracle Fusion Middleware Security

Tuning Oracle Platform Security Services

Oracle Platform Security Services (OPSS) includes the following basic tuning configurations.

Parent topic: Tuning Oracle Fusion Middleware Security

JVM Tuning Parameters

Tuning the JVM parameters can greatly improve performance. For example, the JVM Heap size should be tuned depending upon the number of roles and permissions in the store. At runtime, all roles and permissions are stored in the in-memory cache. For more JVM tuning information, see Tuning Java Virtual Machines (JVMs).

Parent topic: Tuning Oracle Platform Security Services

JDK Tuning Parameters

Starting with Java Development Kit 7 (JDK 7), the default keystore size is now 2048 bits. JDK 6 and earlier had a default size of 1024 bits.

When you use the Java keytool to generate keystores, the -keysize parameter can be used to control the keystore size. Larger keystores provide stronger security, though at the cost of decreased security performance. Consider your environment's use case scenarios to determine if increasing the keystores would negatively impact your security or performance thresholds.

See the JDK 7 release notes at http://www.oracle.com/technetwork/java/javase/jdk7-relnotes-418459.html

Parent topic: Tuning Oracle Platform Security Services

Authentication Tuning Parameters

For OPSS Authentication tuning, see "Improving the Performance of WebLogic and LDAP Authentication Providers" in Oracle Fusion Middleware Securing Oracle WebLogic Server guide on the Oracle Technology Network http://download.oracle.com/docs/cd/E12840_01/wls/docs103/secmanage/atn.html#wp1199087.

Parent topic: Tuning Oracle Platform Security Services

Authorization Tuning Properties

The following Java system properties can be used to optimize authorization:

Table 7-1 Authorization Properties

Java System Properties Default Value Valid Values Notes

-Djps.subject.cache.key

4

3

4

5

JPS uses a Subject Resolver to convert a platform subject to a JpsSubject, which contains the user/enterprise-role information, as well as the ApplicationRole information. This information is represented as principals in the subject.

This conversion can be CPU intensive, especially if the subject's principal set has a large population. To improve performance, JPS code caches the conversion between the Platform subject and the JpsSubject. Two subjects could be confusing when their contents are the same, but the case of the principals' name is different.

The following settings can be used to configure the cache key:

  • 3: Use the platform subject directly as the key. Note: On WLS, if the principalEqualCaseinsensitive flag is enabled, two subjects could be confusing if their contents are the same, but the case of the principals is different.

  • 4: This setting is similar to 3but overcomes the case-sensitive issue. This is the ready—to—use setting.

  • 5: Instead of using the whole subject as the key, this setting uses a subset of the principal set inside the subject as the key (actually use principals of the WLSUSerImpl type).

    This setting accelerates the cache retrieval operation if the subject has a large principal set. On a non-WLS platform such as WAS and JBOSS, this reverts back to case 4, so this setting is for WLS only. For this case, there is also a Time To Live setting (TTL) flag, which controls how long the cache is valid, as explained.

-Djps.subject.cache.ttl

60000ms

  

Cache's Time To Live (TTL) for case 5(above). This system property controls how long the cache is valid. When the time has expired, the cached value is dumped. The setting is controlled by the -Djps.subject.cache.ttl=xxxxflag, where xxxis the duration in milliseconds.

Consider setting the duration of this TTL setting to the same value as the value used for the group and user cache TTL in WLS LDAP authenticator.

-Djps.combiner.optimize=true

True

True

False

This system property is used to cache the protection domains for a given subject. Setting the flag -Djps.combiner.optimize=true can improve the Java authorization performance.

-Djps.combiner.optimize.lazyeval=true

True

True

False

This system property is used to evaluate a subject's protection domain when a checkPermission occurs. Setting the flag -Djps.combiner.optimize.lazyeval=true can improve the Java authorization performance.

-Djps.policystore.hybrid.mode=true

True

True

False

This hybrid mode property is used to facilitate transition from SUN java.security.Policy to OPSS Java Policy Provider.

The OPSS Java Policy Provider reads from both java.policy and system-jazn-data.xml. When starting the Weblogic server, the Hybrid mode can be disabled by setting the system property jps.policystore.hybrid.mode to false . Setting -Djps.policystore.hybrid.mode=false can reduce the runtime overhead.

-Djps.authz=ACC

ACC

ACC

SM

Delegates the call to JDK API AccessController.checkPermission, which can reduce the performance impact at runtime or while debugging.

ACC: Delegate the call to AccessController.checkPermission.

SM: If SecurityManager is set, delegate the call to SecurityManager .

Parent topic: Tuning Oracle Platform Security Services

OPSS PDP Service Tuning Parameters

Table 7-2 describes OPSS tuning parameters for policy store:

Table 7-2 OPSS PDP Service Tuning Parameters

Parameter Default Value Valid Values Notes

oracle.security.jps.policystore.rolemember.cache.type

STATIC

STATIC, SOFT, WEAK

This parameter specifies the type of role member cache.Valid only in Jakarta EE applications.

Valid values:

  • STATIC: Cache objects are statically cached and can be cleaned explicitly only according to the applied cache strategy, such as FIFO. The garbage collector does not clean a cache of this type.

  • SOFT: The cleaning of a cache of this type relies on the garbage collector when there is a memory crunch.

  • WEAK: The behavior of a cache of this type is similar to a cache of type SOFT, but the garbage collector cleans it more frequently.

Consider maintaining the default value for best performance.

oracle.security.jps.policystore.rolemember.cache.strategy

FIFO

FIFO

NONE

The type of strategy used in the role member cache. Valid only in Jakarta EE applications.

Valid values:

  • FIFO: The cache implements the first-in-first-out strategy.

  • NONE: All entries in the cache grow until a refresh or reboot occurs. There is no control over the size of the cache; not recommended but typically efficient when the policy footprint is small.

Consider maintaining the default value for best performance.

oracle.security.jps.policystore.rolemember.cache.size

1000

  

The size of the role member cache. The role being referred to is the enterprise role (group). You can find out the number of the groups you have in your ID store first. Then, based on your performance requirement, you can set this number to the number of the groups - full cache scenario. Or you can change to a certain percentage of the number of the groups - partial group cache scenario.

oracle.security.jps.policystore.policy.lazy.load.enable

True

True

False

Enables or disables the policy lazy loading. If this parameter is set to False, the server initial startup time takes longer - especially in a large policy store. For faster start-up time, the recommended value is True.

oracle.security.jps.policystore.policy.cache.strategy

PERMISSION_FIFO

PERMISSION_FIFO

NONE

The type of strategy used in the permission cache. Valid only in Jakarta EE applications.

Valid Values:

  • PERMISSION_FIFO: The cache implements the first-in-first-out strategy.

  • NONE: All entries in the cache grow until a refresh or reboot occurs; there is no control over the size of the cache; not recommended but typically efficient when the policy footprint is small.

Consider using the default value for the best performance.

oracle.security.jps.policystore.policy.cache.size

1000

  

The size of the permission cache. If you cache all policies, then you can set this value to the total number of grants.

oracle.security.jps.policystore.cache.updatable

True

True

False

This property is used to enable refresh. Consider maintaining the default value for the best performance.

oracle.security.jps.policystore.refresh.enable

True

True

False

This property is used to enable refresh. Consider maintaining the default value for performance.

oracle.security.jps.policystore.refresh.purge.timeout

43200000

  

The time, in milliseconds, after which the policy store is refreshed. Consider maintaining the default value for the best performance.

oracle.security.jps.ldap.policystore.refresh.interval

600000 (10 minutes)

 

The interval, in milliseconds, at which the policy store is polled for changes. Consider maintaining the default value for the best performance. This property is valid in Jakarta EE and J2SE applications.

oracle.security.jps.policystore.rolemember.cache.warmup.enable

False

True

False

This property controls the way the ApplicationRole membership cache is created. If set to True, the cache is created at server startup; otherwise, it is created on demand (lazy loading).

Set to True when the number of users and groups are higher than the number of application roles set to True; set to False otherwise, that is, when the number of application roles are high.

Parent topic: Tuning Oracle Platform Security Services

Oracle Web Services Security Tuning

Oracle Web Services Security provides a framework of authorization and authentication for interacting with a web service by using XML-based messages. There are several factors that may affect performance of the web service.

Parent topic: Tuning Oracle Fusion Middleware Security

Choosing the Right Policy

Oracle Web Services Security supports many policies and the appropriate policies must be implemented based on the security need of the deployment. Careful consideration should be given to performance, since each additional policy can impact performance. For example, Transport-level security (SSL) is faster than Application-level security, but Transport-level security can be vulnerable in multistep transactions. Application-level security has more performance implications, but provides end-to-end security.

See Determining Which Predefined Policies to Use in Securing Web Services and Managing Policies with Oracle Web Services Manager to determine which security policies are required for a deployment.

Parent topic: Oracle Web Services Security Tuning

Policy Manager

There is an inherent performance impact when you use the database-based policy enforcement. When database policy enforcement is chosen, careful consideration must be given to the pollingfrequency of the agent to the database.

Parent topic: Oracle Web Services Security Tuning

Configuring the Log Assertion to Record SOAP Messages

The request and response pipelines of the default policy include a log assertion that causes policy enforcement points (PEP) to record SOAP messages to either a database or a component-specific local file. There can be potential performance impacts to the logging level. To prevent performance issues, consider using the lowest logging level that is appropriate for your deployment.

The following logging levels can be configured in the log step:

  • Header: Only the SOAP header is recorded.

  • Body: Only the message content (body) is recorded.

  • Envelope: The entire SOAP envelope, which includes both the header and the body, is recorded. Any attachments are not recorded.

  • All: The full message is recorded. It includes the SOAP header, the body, and all attachments, probably the URLs existing outside the SOAP message itself.

Note:

Typically, system performance improves when log files are located in topological proximity to the enforcement component. If possible, use multiple distributed logs in a highly distributed environment.

Parent topic: Oracle Web Services Security Tuning

Configuring Connection Pooling

When you request that a Context instance use connection pooling by using the com.sun.jndi.ldap.connect.pool environment property, the connection that is used might or might not be pooled. The default rule is that plain (non-SSL) connections that use simple or no authentication are allowed to be pooled. You can change this default to include SSL connections and the DIGEST-MD5 authentication type by using system properties. To allow both plain and SSL connections to be pooled, set the com.sun.jndi.ldap.connect.pool.protocol system property to the string plain ssl as shown below: 

"-Dcom.sun.jndi.ldap.connect.pool.protocol="plain ssl"

Parent topic: Oracle Web Services Security Tuning

Monitoring the Performance of Web Services

You can monitor the performance on the following Oracle Web Services through the Web Services home page of Oracle Fusion Middleware Control:

  • Endpoint Enabled Metrics such as:

    • Policy Reference Status

    • Total Violations

    • Security Violations

  • Invocations Completed

  • Response Time, in seconds

  • Policy Violations such as:

    • Total Violations

    • Authentication Violations

    • Authorization Violations

    • Confidentiality Violations

    • Integrity Violations

  • Total Faults

For general information on monitoring Oracle Fusion Middleware components, see .

For detailed information on using Oracle Fusion Middleware Control to monitor Oracle Web Services, see Overview of Performance Monitoring, Auditing, and Tuning in Administering Web Services.

Parent topic: Oracle Web Services Security Tuning