About Oracle Identity Federation Oracle HTTP Server Tuning

transport layer provides the authenticity and integrity of the message, and the XML Digital Signature on the SAML Response and Assertion can be optional. If no XML Digital Signature is present on the message, then the audited message that is archived does not contain any data that proves the authenticity and integrity of the message: the TLS session protected the message in transit, but nothing in the archive lets you re-verify it later.

Note: Since the Artifact profile involves an additional communication flow between the Service Provider and the Identity Provider, performance may be slower when using the Artifact profile.

Oracle Fusion Middleware Performance and Tuning Guide

25 Oracle Fusion Middleware Security Performance Tuning

Oracle Fusion Middleware security services enable you to secure critical applications and sensitive data. This chapter describes how you can configure security services for optimal performance. This chapter contains the following topics:

■ Section 25.1, About Security Services
■ Section 25.2, Detecting General Performance Issues
■ Section 25.3, Oracle Platform Security Services Tuning
■ Section 25.4, Oracle Web Services Security Tuning

25.1 About Security Services

Oracle Fusion Middleware provides security services through Oracle Platform Security Services (OPSS) and Oracle Web Services Security.

■ Oracle Platform Security Services

Oracle Platform Security Services is a key component of Oracle Fusion Middleware. It offers an integrated suite of security services and is easily integrated with Java SE and Java EE applications that use the Java security model. OPSS includes features that implement user authentication, authorization, and delegation services that developers can integrate into their application environments. Instead of devoting resources to developing these services, application developers can focus on the presentation and business logic of their applications.

Using Oracle Platform Security for Java, applications can enforce fine-grained access control upon resource users. The three key steps are:

– Configure and invoke a login module, as appropriate. You can use the provided login modules, or you can use custom login modules.
– Authenticate the user attempting to log in, which is the role of the identity store service.
– Authorize the user by checking the permissions granted to the roles the user belongs to against whatever the user is attempting to accomplish, which is the role of the policy store service.

■ Oracle Web Services Security

Oracle Web Services Security provides a framework of authorization and authentication for interacting with a web service using XML-based messages.
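The three steps above (login module, identity store authentication, policy store authorization) as a runnable model. This is an added example, not OPSS code and not an Oracle API: the class names, the users, the roles, the salt and the permission grants are all constructed for illustration. It does show the part that matters for the performance discussion later in the chapter, namely that authorization is a check of the caller's roles against permissions held in memory, with permission implication (a `reports/*` grant covering `reports/q1`) done by the policy store rather than by the application.

```python
"""Login module -> identity store -> policy store, as a runnable model.

Added example; it is not OPSS code and uses no Oracle API. It shows the
three steps the text describes: a pluggable login module collects
credentials, the identity store authenticates them, and the policy store
authorizes by checking permissions granted to the user's roles.
"""
from dataclasses import dataclass
import hashlib
import hmac
from typing import Callable, Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Permission:
    """Target + actions, Java-permission style: 'reports/*' implies 'reports/q1'."""
    target: str
    actions: FrozenSet[str]

    def implies(self, other: "Permission") -> bool:
        # Every requested action must be granted, and the target must match.
        if not other.actions <= self.actions:
            return False
        if self.target.endswith("/*"):
            return other.target.startswith(self.target[:-1])
        return self.target == other.target


class IdentityStore:
    """Step 2: authenticate. Constructed users; passwords are salted PBKDF2 hashes."""
    def __init__(self, users: Dict[str, tuple]):
        self._users = users  # name -> (salt, digest, roles)

    @staticmethod
    def hash_password(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def authenticate(self, name: str, password: str) -> Optional[List[str]]:
        entry = self._users.get(name)
        if entry is None:
            # Hash anyway so an unknown user costs the same as a wrong password.
            self.hash_password(password, b"\x00" * 16)
            return None
        salt, digest, roles = entry
        if hmac.compare_digest(self.hash_password(password, salt), digest):
            return list(roles)
        return None


class PolicyStore:
    """Step 3: authorize. Role -> granted permissions, loaded once and held in memory."""
    def __init__(self, grants: Dict[str, List[Permission]]):
        self._grants = grants

    def is_authorized(self, roles: List[str], wanted: Permission) -> bool:
        return any(p.implies(wanted) for r in roles for p in self._grants.get(r, []))


def password_login_module(store: IdentityStore) -> Callable[[Dict[str, str]], Optional[List[str]]]:
    """Step 1: a login module. Swap this for another credential scheme without touching callers."""
    def login(credentials: Dict[str, str]) -> Optional[List[str]]:
        return store.authenticate(credentials.get("user", ""), credentials.get("password", ""))
    return login


def access_check(login, policy: PolicyStore, credentials: Dict[str, str], wanted: Permission) -> str:
    """Run all three steps; returns 'denied-authn', 'denied-authz' or 'granted'."""
    roles = login(credentials)
    if roles is None:
        return "denied-authn"
    return "granted" if policy.is_authorized(roles, wanted) else "denied-authz"


# Constructed stores for the example (not real accounts or policies).
_SALT = b"constructed-salt"
IDENTITY = IdentityStore({
    "alice": (_SALT, IdentityStore.hash_password("alice-pw", _SALT), ("analyst",)),
    "bob":   (_SALT, IdentityStore.hash_password("bob-pw", _SALT), ("viewer",)),
})
POLICY = PolicyStore({
    "analyst": [Permission("reports/*", frozenset({"read", "write"}))],
    "viewer":  [Permission("reports/public", frozenset({"read"}))],
})
LOGIN = password_login_module(IDENTITY)

if __name__ == "__main__":
    want = Permission("reports/q1", frozenset({"write"}))
    print("alice:", access_check(LOGIN, POLICY, {"user": "alice", "password": "alice-pw"}, want))
    print("bob:  ", access_check(LOGIN, POLICY, {"user": "bob", "password": "bob-pw"}, want))
```

Two details are deliberate: the identity store hashes even for unknown users so that login timing does not reveal which accounts exist, and the policy store answers from the grants it already holds in memory, which is why the heap sizing advice in Section 25.3.1 ties the JVM heap to the number of roles and permissions.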

25.2 Detecting General Performance Issues

This section offers some general guidelines on how to identify a performance bottleneck and how to approach addressing such problems.

If you discover a performance bottleneck, first verify that you have provisioned for the expected traffic load throughout your Web services deployment. If a system in the critical path is at 100% CPU usage, you may simply need to add one or more computers to the cluster.

If there is a bottleneck in your deployment, it is likely to be within one of the following:

■ Traffic through a slow connection with an agent
■ Latency in connections to third-party queuing systems such as JMS

For any of these problems, check the following potential sources:

■ Problems with policy assertions that include connections to outside resources, especially the following types:
  – Database repositories
  – LDAP repositories
  – Secured resources
  – Proprietary security systems
■ Problems with database performance

If you identify one of these as the cause of a bottleneck, you may need to change how you manage your database or LDAP connections or how you secure resources.
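A small triage harness for the procedure above, added here as an example rather than anything shipped with Oracle Fusion Middleware. It times each external dependency in the critical path (database, LDAP, JMS, agent), attributes the p95 latency to the one that dominates, and checks host CPU first, since a saturated host needs cluster capacity before any dependency tuning. The dependency names, the thresholds and the timing samples are constructed for the example; in live use the simulated `time.sleep` calls are replaced with the real operations (an LDAP bind and search against the policy store, a query against the database, a JMS send).

```python
"""Latency triage for the dependencies in a Web services critical path.

Added example, not code from the Oracle guide. Times each dependency a few
times, then attributes critical-path latency to the slowest one so you know
where to tune first.
"""
import time
from typing import Callable, Dict, List

# Thresholds are assumptions for this example, not Oracle-documented values.
CPU_SATURATED_PCT = 95.0   # a host this busy needs more cluster capacity first
DOMINANT_SHARE = 0.5       # one dependency owning >50% of p95 latency is "the" bottleneck


def percentile(values: List[float], pct: float) -> float:
    """Nearest-rank percentile (pct in 0..100) of a non-empty sample."""
    ordered = sorted(values)
    rank = max(1, int(round(pct / 100.0 * len(ordered))))
    return ordered[rank - 1]


def measure(ops: Dict[str, Callable[[], None]], rounds: int) -> Dict[str, List[float]]:
    """Call each dependency `rounds` times and record wall-clock seconds per call."""
    samples: Dict[str, List[float]] = {name: [] for name in ops}
    for _ in range(rounds):
        for name, op in ops.items():
            start = time.perf_counter()
            op()
            samples[name].append(time.perf_counter() - start)
    return samples


def summarize(samples: Dict[str, List[float]]) -> Dict[str, Dict[str, float]]:
    """Per-dependency p50/p95 and each dependency's share of the summed p95 latency."""
    p95 = {name: percentile(vals, 95) for name, vals in samples.items()}
    total = sum(p95.values()) or 1.0
    return {
        name: {"p50": percentile(vals, 50), "p95": p95[name], "share": p95[name] / total}
        for name, vals in samples.items()
    }


def diagnose(samples: Dict[str, List[float]], cpu_pct: float) -> List[str]:
    """Return triage findings in the order they should be acted on."""
    findings = []
    if cpu_pct >= CPU_SATURATED_PCT:
        findings.append(f"cpu saturated ({cpu_pct:.0f}%): add nodes to the cluster before tuning dependencies")
    report = summarize(samples)
    worst = max(report, key=lambda n: report[n]["p95"])
    if report[worst]["share"] >= DOMINANT_SHARE:
        findings.append(f"bottleneck: {worst} (p95 {report[worst]['p95'] * 1000:.1f} ms, "
                        f"{report[worst]['share']:.0%} of critical-path latency)")
    else:
        findings.append("no single dominant dependency; latency is spread across " + ", ".join(sorted(report)))
    return findings


# Constructed sample: timings in seconds, as if captured from a deployment
# whose LDAP policy-store lookups are slow. Not real measurements.
SAMPLE_TIMINGS = {
    "database": [0.004, 0.005, 0.006, 0.005, 0.007],
    "ldap":     [0.080, 0.095, 0.120, 0.090, 0.110],
    "jms":      [0.010, 0.012, 0.009, 0.011, 0.013],
    "agent":    [0.015, 0.014, 0.016, 0.015, 0.017],
}

if __name__ == "__main__":
    # Live use: replace these sleeps with the real calls (LDAP bind+search
    # against the policy store, a SELECT against the database, a JMS send).
    simulated = {
        "database": lambda: time.sleep(0.005),
        "ldap": lambda: time.sleep(0.090),
        "jms": lambda: time.sleep(0.010),
    }
    for line in diagnose(measure(simulated, rounds=3), cpu_pct=40.0):
        print(line)
    for line in diagnose(SAMPLE_TIMINGS, cpu_pct=98.0):
        print(line)
```

Attribution uses p95 rather than the mean because a dependency that is usually fast but occasionally stalls (a directory doing a slow SQL lookup, for instance) is exactly the case the mean hides.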

25.3 Oracle Platform Security Services Tuning

This section provides the following basic tuning configurations for Oracle Platform Security Services (OPSS):

■ JVM Tuning Parameters
■ LDAP Tuning Parameters
■ Authentication Tuning Parameters
■ Authorization Tuning Properties
■ OPSS PDP Service Tuning Parameters

Note: The information in this chapter assumes that you have reviewed and understand the concepts and administration information for Oracle Fusion Middleware security services. For more information, see the Oracle Fusion Middleware Security and Administrator's Guide for Web Services before tuning any security parameters.

25.3.1 JVM Tuning Parameters

Tuning the JVM parameters can greatly improve performance. For example, the JVM heap size should be tuned depending upon the number of roles and permissions in the store, because at run time all roles and permissions are held in the in-memory cache. For more JVM tuning information, see Section 2.4, "Tune Java Virtual Machines (JVMs)".

25.3.2 LDAP Tuning Parameters

This section covers Lightweight Directory Access Protocol (LDAP) tuning. Oracle supports the management of policies in LDAP-based repositories, namely Oracle Internet Directory and Oracle Virtual Directory. If you encounter increased CPU usage due to high SQL execution times in the directory's backing database, see the following chapters for basic tuning configurations for large deployments:

■ Oracle Internet Directory configuration settings can impact performance. For more information, see Chapter 22, "Oracle Internet Directory Performance Tuning".
■ In addition to being configured as an LDAP server, Oracle Virtual Directory can also be configured as a local storage adapter (LSA). See Chapter 23, "Oracle Virtual Directory Performance Tuning".

25.3.3 Authentication Tuning Parameters

For OPSS authentication tuning, see "Improving the Performance of WebLogic and LDAP Authentication Providers" in the Oracle Fusion Middleware Securing Oracle WebLogic Server guide on the Oracle Technology Network: http://download.oracle.com/docs/cd/E12840_01/wls/docs103/secmanage/atn.html#wp1199087

25.3.4 Authorization Tuning Properties

The following Java system properties can be used to optimize authorization: