ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzamy_5.4.0.1/50/sec/sectugen.htm

33 lines
3.1 KiB
HTML

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<META http-equiv="Content-Type" content="text/html; charset=utf-8">
<LINK rel="stylesheet" type="text/css" href="../../../rzahg/ic.css">
<title>General security tuning tips</title>
</head>
<BODY>
<!-- Java sync-link -->
<SCRIPT LANGUAGE="Javascript" SRC="../../../rzahg/synch.js" TYPE="text/javascript"></SCRIPT>
<h3><a name="sectugen"></a>General security tuning tips</h3>
<p>The following are some general tuning tips for WebSphere security configurations:</p>
<ol>
<li><p>Consider disabling the Java 2 Security Manager, if you know exactly what code is put onto your server and you do not need to protect process resources. Remember that in doing so you are putting your local resources at some risk.</p></li>
<li><p>If you feel your environment is secure enough, consider increasing the cache and token time-out settings. (These settings are available as general properties on the Global Security panel in the WebSphere administrative console.) By doing so, re-authentication is less frequently required. This action allows subsequent requests to more frequently reuse the credentials that are already created. The downside of increasing the token time-out is the exposure of having a token highjacked. The higher time-out setting provides the highjacker more time to hack into the system before the token expires. You can use security cache properties to determine the initial size of the primary and secondary Hashtable caches, which affect the frequency of rehashing and the distribution of the hash algorithms. See <a href="seccache.htm">Security cache properties</a> for a list of these properties.</p></li>
<li><p>Consider changing your administrative connector from Simple Object Access Protocol (SOAP) to Remote Method Invocation (RMI). RMI uses stateful connections while SOAP is completely stateless. Run a benchmark test to determine if the performance has been improved in your environment. This control only affects the performance of the administrative application.</p></li>
<li><p>Use the wsadmin script to complete the access IDs for all the users and or groups to speed up the application startup. Complete this action if applications contain many users and or groups or if applications are stopped and started frequently. For more information, see <a href="../admin/wsa.htm">The wsadmin administrative tool</a> in the <em>Administration</em> topic.</p></li>
<li><p>Consider whether you really need SSL to be enabled for connections that are used by the Web server plug-in. These are long-lived connections, while those used to connect browsers to the Web server are typically short lived. Hence, enabling SSL for connections that are used by the Web server plug-in generally has a smaller impact on performance than enabling SSL for connections between browsers and the Web server. However, SSL protection for your plug-in connections may not be required if sufficient security is already provided. For example, you may decide plug-in connections are sufficiently secure if the Web server and application server are protected by a firewall.</p></li>
</ol>
</body>
</html>