25-4 Oracle Fusion Middleware Performance and Tuning Guide

25.3.5 OPSS PDP Service Tuning Parameters

Table 25–2 provides OPSS tuning parameters for policy store: Table 25–1 Authorization Properties Java System Properties Default Value Valid Values Notes -Djps.combiner.optimize=true True True False This system property is used to cache the protection domains for a given subject. Setting -Djps.combiner.optimize=tr ue can improve Java authorization performance. -Djps.combiner.optimize.lazy eval=true True True False This system property is used to evaluate a subjects protection domain when a checkPermission occurs. Setting -Djps.combiner.optimize.la zyeval=true can improve Java authorization performance. -Djps.policystore.hybrid.mod e=false False True False This hybrid mode property is used to facilitate transition from SUN java.security.Policy to OPSS Java Policy Provider. The OPSS Java Policy Provider reads from both java.policy and system-jazn-data.xml.Hybrid mode can be disabled by setting the system property jps.policystore.hybrid.mod e to false when starting the WebLogic Server. Setting -Djps.policystore.hybrid.m ode=false can reduce runtime overhead. -Djps.authz=ACC ACC ACC SM Delegates the call to JDK API AccessController.checkPerm ission which can reduce the performance impact at run time or while debugging. ACC: delegate to AccessController.checkPerm ission SM: delegate to SecurityManager if SecurityManager is set. Oracle Fusion Middleware Security Performance Tuning 25-5 Table 25–2 OPSS PDP Service Tuning Parameters Parameter Default Value Valid Values Notes oracle.security.jps.policysto re.rolemember.cache.type STATIC STATIC, SOFT, WEAK This parameter specifies the type of role member cache.Valid only in Java EE applications. Valid values: ■ STATIC: Cache objects are statically cached and can be cleaned explicitly only according the applied cache strategy, such as FIFO. The garbage collector does not clean a cache of this type. ■ SOFT: The cleaning of a cache of this type relies on the garbage collector when there is a memory crunch. ■ WEAK: The behavior of a cache of this type is similar to a cache of type SOFT, but the garbage collector cleans it more frequently. Consider maintaining the default value for the best performance. oracle.security.jps.policysto re.rolemember.cache.strategy FIFO FIFO NONE The type of strategy used in the role member cache. Valid only in Java EE applications. Valid values: ■ FIFO: The cache implements the first-in-first-out strategy. ■ NONE: All entries in the cache grow until a refresh or reboot occurs; there is no control over the size of the cache; not recommended but typically efficient when the policy footprint is very small. Consider maintaining the default value for the best performance. oracle.security.jps.policysto re.rolemember.cache.size 1000 The size of the role member cache. The role being referred to is the enterprise role group. You can find out the number of the groups you have in your ID store first. Then, based on your performance requirement, you can set this number to the number of the groups - full cache scenario. Or you can change to a certain percentage of the number of the groups - partial group cache scenario. oracle.security.jps.policysto re.policy.lazy.load.enable True True False Enables or disables the policy lazy loading. If this parameter is set to false, the server initial startup time will take longer - especially in a large policy store. For faster start-up time, the recommended value is true. 25-6 Oracle Fusion Middleware Performance and Tuning Guide

25.4 Oracle Web Services Security Tuning

Oracle Web Services Security provides a framework of authorization and authentication for interacting with a web service using XML-based messages. This oracle.security.jps.policysto re.policy.cache.strategy PERMISSION_ FIFO PERMISSION_ FIFO NONE The type of strategy used in the permission cache. Valid only in Java EE applications. Valid Values: ■ PERMISSION_FIFO: The cache implements the first-in-first-out strategy. ■ NONE: All entries in the cache grow until a refresh or reboot occurs; there is no control over the size of the cache; not recommended but typically efficient when the policy footprint is very small. Consider using the default value for the best performance. oracle.security.jps.policysto re.policy.cache.size 1000 The size of the permission cache. If you cache all policies, then you can set this value to the total number of grants. oracle.security.jps.policysto re.cache.updatable True True False This property is used for refresh enabling. Consider maintaining the default value for the best performance. oracle.security.jps.policysto re.refresh.enable True True False This property is used for refresh enabling. Consider maintaining the default value for performance. oracle.security.jps.policysto re.refresh.purge.timeout 43200000 The time, in milliseconds, after which the policy store is refreshed. Consider maintaining the default value for the best performance. oracle.security.jps.ldap.poli cystore.refresh.interval 600000 10 minutes The interval, in milliseconds, at which the policy store is polled for changes. Consider maintaining the default value for the best performance. This property is valid in Java EE and J2SE applications. oracle.security.jps.policysto re.rolemember.cache.warmup.en able False True False This property controls the way the ApplicationRole membership cache is created. If set to True, the cache is created at server startup; otherwise, it is created on demand lazy loading. Set to True when the number of users and groups is significantly higher than the number of application roles; set to False otherwise, that is, when the number of application roles is very high. Table 25–2 Cont. OPSS PDP Service Tuning Parameters Parameter Default Value Valid Values Notes Oracle Fusion Middleware Security Performance Tuning 25-7 section provides information on factors that might affect performance of the web service. ■ Choosing the Right Policy ■ Policy Manager ■ Configuring the Log Assertion to Record SOAP Messages ■ Monitoring the Performance of Web Services

25.4.1 Choosing the Right Policy

Oracle Web Services Security supports many policies and the appropriate policies must be implemented based on the security need of the deployment. Careful consideration should be given to performance, since each additional policy can impact performance. For example Transport level security SSL is faster than Application level security, but transport level security can be vulnerable in multi-step transactions. Application level security has more performance implications, but provides end-to-end security. See Configuring Policies in Oracle Fusion Middleware Security and Administrators Guide for Web Services to determine which security policies are required for a deployment.

25.4.2 Policy Manager

There is an inherent performance impact when using the database-based policy enforcement. When database policy enforcement is chosen, careful consideration must be given to the polling frequency of the agent to the database.

25.4.3 Configuring the Log Assertion to Record SOAP Messages

The request and response pipelines of the default policy include a log assertion that causes policy enforcement points PEP to record SOAP messages to either a database or a component-specific local file. There can be potential performance impacts to the logging level. To prevent performance issues, consider using the lowest logging level that is appropriate for your deployment. The following logging levels can be configured in the log step: ■ Header - Only the SOAP header is recorded. ■ Body - Only the message content body is recorded. ■ Envelope - The entire SOAP envelope, which includes both the header and the body, is recorded. Any attachments are not recorded. ■ All - The full message is recorded. This includes the SOAP header, the body, and all attachments, which might be URLs existing outside the SOAP message itself. Note: Typically, system performance improves when log files are located in topological proximity to the enforcement component. If possible, use multiple distributed logs in a highly distributed environment.

25.4.4 Monitoring the Performance of Web Services

You can monitor the performance on the following Oracle Web Services through the Web Services home page of Oracle Fusion Middleware Control: ■ Endpoint Enabled Metrics such as: