XML Digital Signatures POST and Artifact Single Sign-On Profiles
25.3.5 OPSS PDP Service Tuning Parameters
Table 25–2 provides OPSS tuning parameters for policy store: Table 25–1 Authorization Properties Java System Properties Default Value Valid Values Notes -Djps.combiner.optimize=true True True False This system property is used to cache the protection domains for a given subject. Setting -Djps.combiner.optimize=tr ue can improve Java authorization performance. -Djps.combiner.optimize.lazy eval=true True True False This system property is used to evaluate a subjects protection domain when a checkPermission occurs. Setting -Djps.combiner.optimize.la zyeval=true can improve Java authorization performance. -Djps.policystore.hybrid.mod e=false False True False This hybrid mode property is used to facilitate transition from SUN java.security.Policy to OPSS Java Policy Provider. The OPSS Java Policy Provider reads from both java.policy and system-jazn-data.xml.Hybrid mode can be disabled by setting the system property jps.policystore.hybrid.mod e to false when starting the WebLogic Server. Setting -Djps.policystore.hybrid.m ode=false can reduce runtime overhead. -Djps.authz=ACC ACC ACC SM Delegates the call to JDK API AccessController.checkPerm ission which can reduce the performance impact at run time or while debugging. ACC: delegate to AccessController.checkPerm ission SM: delegate to SecurityManager if SecurityManager is set. Oracle Fusion Middleware Security Performance Tuning 25-5 Table 25–2 OPSS PDP Service Tuning Parameters Parameter Default Value Valid Values Notes oracle.security.jps.policysto re.rolemember.cache.type STATIC STATIC, SOFT, WEAK This parameter specifies the type of role member cache.Valid only in Java EE applications. Valid values: ■ STATIC: Cache objects are statically cached and can be cleaned explicitly only according the applied cache strategy, such as FIFO. The garbage collector does not clean a cache of this type. ■ SOFT: The cleaning of a cache of this type relies on the garbage collector when there is a memory crunch. ■ WEAK: The behavior of a cache of this type is similar to a cache of type SOFT, but the garbage collector cleans it more frequently. Consider maintaining the default value for the best performance. oracle.security.jps.policysto re.rolemember.cache.strategy FIFO FIFO NONE The type of strategy used in the role member cache. Valid only in Java EE applications. Valid values: ■ FIFO: The cache implements the first-in-first-out strategy. ■ NONE: All entries in the cache grow until a refresh or reboot occurs; there is no control over the size of the cache; not recommended but typically efficient when the policy footprint is very small. Consider maintaining the default value for the best performance. oracle.security.jps.policysto re.rolemember.cache.size 1000 The size of the role member cache. The role being referred to is the enterprise role group. You can find out the number of the groups you have in your ID store first. Then, based on your performance requirement, you can set this number to the number of the groups - full cache scenario. Or you can change to a certain percentage of the number of the groups - partial group cache scenario. oracle.security.jps.policysto re.policy.lazy.load.enable True True False Enables or disables the policy lazy loading. If this parameter is set to false, the server initial startup time will take longer - especially in a large policy store. For faster start-up time, the recommended value is true. 25-6 Oracle Fusion Middleware Performance and Tuning Guide25.4 Oracle Web Services Security Tuning
Oracle Web Services Security provides a framework of authorization and authentication for interacting with a web service using XML-based messages. This oracle.security.jps.policysto re.policy.cache.strategy PERMISSION_ FIFO PERMISSION_ FIFO NONE The type of strategy used in the permission cache. Valid only in Java EE applications. Valid Values: ■ PERMISSION_FIFO: The cache implements the first-in-first-out strategy. ■ NONE: All entries in the cache grow until a refresh or reboot occurs; there is no control over the size of the cache; not recommended but typically efficient when the policy footprint is very small. Consider using the default value for the best performance. oracle.security.jps.policysto re.policy.cache.size 1000 The size of the permission cache. If you cache all policies, then you can set this value to the total number of grants. oracle.security.jps.policysto re.cache.updatable True True False This property is used for refresh enabling. Consider maintaining the default value for the best performance. oracle.security.jps.policysto re.refresh.enable True True False This property is used for refresh enabling. Consider maintaining the default value for performance. oracle.security.jps.policysto re.refresh.purge.timeout 43200000 The time, in milliseconds, after which the policy store is refreshed. Consider maintaining the default value for the best performance. oracle.security.jps.ldap.poli cystore.refresh.interval 600000 10 minutes The interval, in milliseconds, at which the policy store is polled for changes. Consider maintaining the default value for the best performance. This property is valid in Java EE and J2SE applications. oracle.security.jps.policysto re.rolemember.cache.warmup.en able False True False This property controls the way the ApplicationRole membership cache is created. If set to True, the cache is created at server startup; otherwise, it is created on demand lazy loading. Set to True when the number of users and groups is significantly higher than the number of application roles; set to False otherwise, that is, when the number of application roles is very high. Table 25–2 Cont. OPSS PDP Service Tuning Parameters Parameter Default Value Valid Values Notes Oracle Fusion Middleware Security Performance Tuning 25-7 section provides information on factors that might affect performance of the web service. ■ Choosing the Right Policy ■ Policy Manager ■ Configuring the Log Assertion to Record SOAP Messages ■ Monitoring the Performance of Web Services25.4.1 Choosing the Right Policy
Oracle Web Services Security supports many policies and the appropriate policies must be implemented based on the security need of the deployment. Careful consideration should be given to performance, since each additional policy can impact performance. For example Transport level security SSL is faster than Application level security, but transport level security can be vulnerable in multi-step transactions. Application level security has more performance implications, but provides end-to-end security. See Configuring Policies in Oracle Fusion Middleware Security and Administrators Guide for Web Services to determine which security policies are required for a deployment.25.4.2 Policy Manager
There is an inherent performance impact when using the database-based policy enforcement. When database policy enforcement is chosen, careful consideration must be given to the polling frequency of the agent to the database.25.4.3 Configuring the Log Assertion to Record SOAP Messages
The request and response pipelines of the default policy include a log assertion that causes policy enforcement points PEP to record SOAP messages to either a database or a component-specific local file. There can be potential performance impacts to the logging level. To prevent performance issues, consider using the lowest logging level that is appropriate for your deployment. The following logging levels can be configured in the log step: ■ Header - Only the SOAP header is recorded. ■ Body - Only the message content body is recorded. ■ Envelope - The entire SOAP envelope, which includes both the header and the body, is recorded. Any attachments are not recorded. ■ All - The full message is recorded. This includes the SOAP header, the body, and all attachments, which might be URLs existing outside the SOAP message itself. Note: Typically, system performance improves when log files are located in topological proximity to the enforcement component. If possible, use multiple distributed logs in a highly distributed environment.25.4.4 Monitoring the Performance of Web Services
You can monitor the performance on the following Oracle Web Services through the Web Services home page of Oracle Fusion Middleware Control: ■ Endpoint Enabled Metrics such as:Parts
» Oracle Fusion Middleware Online Documentation Library
» Document Scope and Audience Guide to this Document
» Related Documentation Oracle Fusion Middleware Online Documentation Library
» About Identifying Top Performance Areas
» Ensure the Hardware Resources are Sufficient
» Selecting a Garbage Collection Scheme
» Disabling Explicit Garbage Collection
» Logging Low Memory Conditions
» Monitoring and Profiling the JVM
» Initialization Parameters for Oracle 10g
» Initialization Parameters for Oracle 11g
» Tuning Redo Logs Location and Sizing
» Automatic Segment-Space Management ASSM
» Reuse Database Connections Oracle Fusion Middleware Online Documentation Library
» Enable Data Source Statement Caching
» MaxClientsThreadsPerChild HTTP Connection Limits
» Setting the Maximum Number of Connections for Data Sources Tuning the WebLogic Sever Thread Pool
» Tuning Oracle WebCenter Concurrency
» Tuning BPEL Concurrency Control Concurrency
» Set Logging Levels Oracle Fusion Middleware Online Documentation Library
» About Oracle Fusion Middleware Performance Planning
» Define Operational Requirements Identify Performance Goals
» Understand User Expectations Define Your Performance Objectives
» Conduct Performance Evaluations Define Your Performance Objectives
» Design Applications for Performance and Scalability
» Monitor and Measure Your Performance Metrics
» Measuring Your Performance Metrics
» Viewing Performance Metrics Using Fusion Middleware Control
» Oracle WebLogic Server Administration Console
» WebLogic Diagnostics Framework WLDF
» Viewing Performance Metrics Using the Spy Servlet
» Oracle Process Manager and Notification Server Oracle Enterprise Manager 11g Grid Control
» Native Operating System Performance Commands Network Performance Monitoring Tools
» How Persistent Connections Can Reduce Httpd Process Availability
» Access Logging Oracle HTTP Server Logging Options
» Configuring the HostNameLookups Directive
» Error logging Oracle HTTP Server Logging Options
» Oracle HTTP Server SSL Caching
» SSL Application Level Data Encryption SSL Performance Recommendations
» Oracle HTTP Server Port Tunneling Performance Issues
» Analyze Static Versus Dynamic Requests
» Beware of a Single Data Point Yielding Misleading Results
» Beware of Having More Modules
» Monitoring Oracle HTTP Server
» DMS Nouns Common DMS Terms and Concepts
» DMS Sensors Common DMS Terms and Concepts
» DMS Availability Oracle Fusion Middleware Online Documentation Library
» DMS Architecture Overview Oracle Fusion Middleware Online Documentation Library
» Viewing Metrics Using the Spy Servlet
» Viewing metrics with JConsole
» Accessing DMS Metrics with WLDF
» DMS Execution Requests and Sub-Tasks
» DMS Execution Context Communication
» Adding and Editing Destinations
» Adding and Editing Event Routes
» Compound Operations Configuring the DMS Event System
» MBean Creator Destination HTTP Request Tracker Destination JRockit Flight Recorder Destination
» Understanding DMS Event Output
» Understanding DMS Event Actions
» DMS Best Practices Oracle Fusion Middleware Online Documentation Library
» About Oracle Metadata Services MDS
» Reclaim Disk Space Monitor the Database Performance
» Using Database Polling Interval for Change Detection
» Document Cache Tuning Cache Configuration
» Analyzing Performance Impact from Customization
» Understanding DMS metrics and Characteristics
» About Oracle ADF Oracle Fusion Middleware Online Documentation Library
» Oracle ADF Faces Configuration and Profiling
» Performance Considerations for ADF Faces
» Tuning ADF Faces Component Attributes
» Performance Considerations for Table and Tree Components
» Performance Considerations for autoSuggest
» Data Delivery - Lazy versus Immediate
» Performance Considerations for DVT Components
» Creating View Objects View Objects Tuning
» Configuring View Object Data Fetching
» Additional View Object Configurations
» Batch Processing ADF Server Performance
» General AM Pool Configurations
» AM Pool Sizing Configurations
» AM Pool Resource Cleanup Configurations
» ADFc: Region Usage ADF Server Performance
» Reusing Static Data ADF Server Performance
» Conditional Validations ADF Server Performance
» About Oracle TopLink and EclipseLink
» Entity Relationships Query Parameter Tuning
» Cache Refreshing Scenarios Cache Configuration Tuning
» Locking Modes Cache Configuration Tuning
» Coherence Integration Oracle Fusion Middleware Online Documentation Library
» Mapping and Descriptor Configurations
» Analyzing EclipseLink JPA Entity Performance
» Hardware Resources Optimizing Hardware Resources
» Configuring WebCache Memory Memory Configuration
» Network Bandwidth Optimizing Network Connections
» Network Connections Optimizing Network Connections
» Network-Related Parameters Optimizing Network Connections
» Optimizing Response Time Oracle Fusion Middleware Online Documentation Library
» Optimizing Performance with Oracle ADF
» About SOA Suite Configuration Properties
» Configuring Data Sources for SOA Weblogic Server Performance Tuning
» Modifying SOA Configuration Parameters JVM Tuning Parameters About Oracle Business Rules
» Use Java Beans Basic Tuning Considerations
» Assert Child Facts instead of Multiple Dereferences
» Avoid Side Affects in Rule Conditions
» Avoid Expensive Operations in Rule Conditions
» Consider Pattern Ordering Basic Tuning Considerations
» Consider the Ordering of Tests in Rule Conditions
» Use Functions Instead of AssertXPath and Supports XPath
» Dispatcher Invoke Threads BPEL Threading Model
» Dispatcher Engine Threads BPEL Threading Model
» Dispatcher System Threads BPEL Threading Model
» Dispatcher Maximum Request Depth
» Audit Level Basic Tuning Considerations
» AuditDetailThreshold Basic Tuning Considerations
» LargeDocumentThreshold Basic Tuning Considerations
» Validate XML Basic Tuning Considerations
» SyncMaxWaitTime Basic Tuning Considerations
» InstanceKeyBlockSize Basic Tuning Considerations
» Tables Impacted By Instance Data Growth
» About Oracle Mediator Oracle Fusion Middleware Online Documentation Library
» metricsLevel Basic Tuning Considerations
» Domain-Value Maps Basic Tuning Considerations
» Deferred Routing Rules Basic Tuning Considerations
» Resequencer Basic Tuning Considerations
» Audit Level LargeDocumentThreshold Basic Tuning Considerations
» Dispatcher Engine Threads Basic Tuning Considerations
» Dispatcher Invoke Threads Basic Tuning Considerations
» Process Measurement Tuning Process Analytics
» Tuning Process Cubes Tuning Process Analytics
» Minimize Client Response Time
» Choose the Right Workflow Service Client
» Narrow Qualifying Tasks Using Precise Filters
» Retrieve Subset of Qualifying Tasks Paging
» Fetch Only the Information That Is Needed for a Qualifying Task
» Reduce the Number of Return Query Columns Use the Aggregate API for Charting Task Statistics
» Use the Count API Methods for Counting the Number of Tasks
» Create Indexes On Demand for Flexfields
» Use the doesTaskExist Method
» Archive Completed Instances Periodically
» Select the Appropriate Workflow Callback Functionality
» Minimize Performance Impacts from Notification
» Deploy Clustered Nodes Improving Server Performance
» Use Workflow Reports to Monitor Progress
» Specify Escalation Rules Completing Workflows Faster
» Specify User and Group Rules for Automated Assignment
» Use Task Views to Prioritize Work
» Tuning Identity Provider Oracle Fusion Middleware Online Documentation Library
» Tuning the Database Oracle Fusion Middleware Online Documentation Library
» About Oracle Adapters Oracle Fusion Middleware Online Documentation Library
» Inbound Throttling Best Practices
» Outbound Throttling Best Practices
» Outbound Performance Best Practices
» JCA Adapter Basic Tuning Considerations
» Existence Checking Oracle JCA Adapter for Database Tuning
» adapter.jms.receive.threads Property
» Oracle Socket Adapter Tuning Oracle MQ Adapter Tuning
» Tune the Active Data Retrieval Interval
» Message Batching Enterprise Message Source Tuning
» About Oracle Business Activity Monitoring About Oracle User Messaging Services
» SMPP Driver Performance Tuning
» Email Driver Polling Frequency
» Database Tuning for Optimal Throughput
» MDS Cache Size Oracle Fusion Middleware Online Documentation Library
» Number of Threads Oracle Fusion Middleware Online Documentation Library
» JMS Multiple Out Queues Setting
» Design Time Considerations for Proxy Applications
» Design Considerations for XQuery Tuning
» About Oracle Internet Directory
» Introduction to Tuning Oracle Internet Directory
» Database Parameters Basic Tuning Considerations
» LDAP Server Attributes Basic Tuning Considerations
» Database Statistics Basic Tuning Considerations
» Replication or Oracle Directory Integration Platform Replication Server Configuration
» Garbage Collection Configuration Advanced Configurations
» Oracle Internet Directory with Oracle RAC Database
» Password Policies and Verifier Profiles
» Values for Configuring the Entry Cache
» Tuning Security Event Tracking
» Number of Entries to be Returned by a Search
» Timeout for Write Operations
» Bulk Load Operation Specific Use Cases
» Bulk Delete Operation Specific Use Cases
» High LDAP Write Operations Load
» Entry Cache Enabled Configuration
» Entry Cache Disabled Configuration.
» Optimizing Searches for Skewed Attributes
» Optimizing Performance of Complex Search Filters
» Updating Database Statistics by Using oidstats.sql
» Setting Performance-Related Replication Configuration Attributes
» Modifying Instance-Specific Attributes by Using Fusion Middleware Control
» Modifying Shared Attributes by Using Fusion Middleware Control
» Modifying Performance-Related Instance-Specific Configuration Entry Attributes
» About Oracle Virtual Directory Basic Tuning Considerations
» Database Adapters Advanced Tuning Configurations
» Join Adapters Advanced Tuning Configurations
» General Filter Tuning Advanced Tuning Configurations
» Load Balancer Local Store Adapter Tuning
» Cache Hit Logic Cache Plug-In Tuning
» Cache Plug-in Memory Management
» LDAP Listener Tuning Advanced Tuning Configurations
» Server Tuning Advanced Tuning Configurations
» Connection Pool Settings Connection Settings Federation Data Store Settings
» RDBMS Compression Database Tuning
» About Oracle Identity Federation Oracle HTTP Server Tuning
» SOAP Connections SAML Protocol Tuning
» XML Digital Signatures POST and Artifact Single Sign-On Profiles
» About Security Services Oracle Fusion Middleware Online Documentation Library
» OPSS PDP Service Tuning Parameters
» Policy Manager Oracle Web Services Security Tuning
» Configuring the Log Assertion to Record SOAP Messages
» Monitoring the Performance of Web Services
» Setting System Limit Setting JDBC Data Source
» Setting JRockit Virtual Machine JVM Arguments Using Content Compression to Reduce Downloads
» Setting HTTP Session Timeout Setting JSP Page Timeout
» Setting ADF Client State Token
» Setting ADF View State Compression
» Setting MDS Cache Size and Purge Rate Configuring Concurrency Management
» Tuning Performance of the Announcements Service
» Tuning Performance of the Discussions Service
» Tuning Performance of the Portlet Service
» Enabling Java Object Cache for WSRP Producers
» Suppressing Optimistic Rendering for WSRP Portlets
» Tuning Performance of Oracle PDK-Java Producers
» Setting ExcludedActionScopeRequestAttributes for Portlets
» Setting DefaultServedResourceRequiresWsrpRewrite for WSRP Portlets
» Setting DefaultProxiedResourceRequiresWsrpRewrite for WSRP Portlets
» Importing Consumer CSS Files in IFrame Portlets
» Configuring Portlet Timeout Tuning Portlet Configuration
» Tuning Performance of OmniPortlet
» Segregation of Network Traffic Segregation of Processes and Hardware Interrupt Handlers
» CPU Requirements Memory Requirements
Show more