ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzamy_5.4.0.1/50/sec/sectucsi.htm

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<META http-equiv="Content-Type" content="text/html; charset=utf-8">
<LINK rel="stylesheet" type="text/css" href="../../../rzahg/ic.css">

<title>Tune CSIv2</title>
</head>

<BODY>
<!-- Java sync-link -->
<SCRIPT LANGUAGE="Javascript" SRC="../../../rzahg/synch.js" TYPE="text/javascript"></SCRIPT>

<h3><a name="sectucsi"></a>Tune CSIv2</h3>

<p>To tune the Common Security Interoperability Version 2 (CSIv2) authentication protocol, consider the following tasks:</p>

<ol>
<li><p>If you send a large amount of data that is not very sensitive, reduce the strength of your ciphers. A strong cipher takes longer to encrypt data in bulk. If the data is not sensitive, processing with 128-bit ciphers may not be worth the effort.</p></li>

<li><p>Consider putting just an asterisk (*) in the trusted server ID list (this means that all servers are trusted) when you use Identity Assertion for downstream delegation. Use SSL mutual authentication between servers to provide this trust. Adding this extra step in the SSL handshake performs better than having to fully authenticate the upstream server and check the trusted list. When an asterisk is used, the identify token is trusted. The SSL connection trusts the server by way of client certificate authentication.</p></li>

<li><p>Ensure that stateful sessions are enabled for CSIv2. This is the default, but it only requires authentication on the first request and on any subsequent token expirations.</p></li>

<li><p>If you are only communicating with WebSphere Application Server Version 5 servers, specify only <strong>CSI</strong> rather than <strong>CSI and SAS</strong> for the <strong>Active Authentication Protocol</strong> setting. This action removes an interceptor invocation for every request on both the client and server sides.</p></li>
</ol> 

</body>
</html>
Add readme and dist folders 2024-04-02 14:02:31 +00:00			`<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">`
			`<html>`
			`<head>`
			`<META http-equiv="Content-Type" content="text/html; charset=utf-8">`
			`<LINK rel="stylesheet" type="text/css" href="../../../rzahg/ic.css">`

			`<title>Tune CSIv2</title>`
			`</head>`

			`<BODY>`
			`<!-- Java sync-link -->`
			`<SCRIPT LANGUAGE="Javascript" SRC="../../../rzahg/synch.js" TYPE="text/javascript"></SCRIPT>`

			`<h3><a name="sectucsi"></a>Tune CSIv2</h3>`

			`<p>To tune the Common Security Interoperability Version 2 (CSIv2) authentication protocol, consider the following tasks:</p>`

			`<ol>`
			`<li><p>If you send a large amount of data that is not very sensitive, reduce the strength of your ciphers. A strong cipher takes longer to encrypt data in bulk. If the data is not sensitive, processing with 128-bit ciphers may not be worth the effort.</p></li>`

			<li><p>Consider putting just an asterisk (*) in the trusted server ID list (this means that all servers are trusted) when you use Identity Assertion for downstream delegation. Use SSL mutual authentication between servers to provide this trust. Adding this extra step in the SSL handshake performs better than having to fully authenticate the upstream server and check the trusted list. When an asterisk is used, the identify token is trusted. The SSL connection trusts the server by way of client certificate authentication.</p></li>

			`<li><p>Ensure that stateful sessions are enabled for CSIv2. This is the default, but it only requires authentication on the first request and on any subsequent token expirations.</p></li>`

			`<li><p>If you are only communicating with WebSphere Application Server Version 5 servers, specify only <strong>CSI</strong> rather than <strong>CSI and SAS</strong> for the <strong>Active Authentication Protocol</strong> setting. This action removes an interceptor invocation for every request on both the client and server sides.</p></li>`
			`</ol>`

			`</body>`
			`</html>`