IBM BS029ML Self Help Guide - Page 165
Security cache timeout

WebSphere Application Server caches security information related to each authenticated user to save repeating subsequent User-Registry lookups until a user's security credential expires. This setting controls how long, in seconds, that information is retained before being discarded. As User-Registry lookups ultimately impact performance, we typically recommend that the security cache timeout be increased from the default value. The only exception to this rule might be when modifications are made to the underlying User-Registry, such as invalidating a user after several failed login attempts; in that case the security cache has the potential to become stale and invalid.

To view or modify the Global Security Settings from the WebSphere Application Server Administrative Console, select Security → Global Security. Table 5-8 shows the default and recommended values.

Table 5-8 Global security settings

Parameter        Default value   Recommended value
Cache Timeout    600             6000

LTPA settings

Successfully authenticated users receive a Lightweight Third-Party Authentication (LTPA) token containing a credential that can be delegated in the form of an encrypted transient cookie. This cookie is only valid for the duration of a user's browser session and is used, through the embedded LTPA token, to honor subsequent requests that would otherwise require reauthentication. However, the LTPA token is in itself subject to expiry even if the user's browser session is maintained: effectively, the LTPA token starts to time out immediately upon creation. As it is envisaged that users will log in to the Portal at the beginning of the day and maintain a degree of interaction with the system throughout the day, we suggest that the LTPA Timeout be modified to reflect this period. The validity of the LTPA token is also of concern for environments implementing single sign-on (SSO).

To view or modify the LTPA Settings from the WebSphere Application Server Administrative Console, select Security → Global Security → Authentication → Authentication mechanisms → LTPA. Table 5-9 shows the default and recommended values.

Table 5-9 LTPA settings

Parameter               Default value   Recommended value
LTPA Timeout            120             480 (a)
LDAP Search Timeout     120             120
LDAP Reuse Connection   Enabled         Enabled

a. Dependent on the period of authentication validity required.

One very important parameter with regard to performance and security is the ability to reuse the connection that WebSphere Application Server establishes to the chosen LDAP Directory Server. By default, this parameter, "Reuse connection", is enabled.

Consideration: In addition to the LTPA Timeout (absolute), the value defined for the HttpSession Timeout (relative) can impact the behavior of the Portal.

Chapter 5. WebSphere Portal runtime and services 151
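As an added example, not taken from this guide, the following Python script audits a WebSphere security.xml against the values in Tables 5-8 and 5-9 and reports the longest window during which a User-Registry change (such as a lockout after failed logins) can go unseen because of the security cache. It assumes the attribute names cacheTimeout, timeout (on the active LTPA authMechanisms entry), searchTimeout and reuseConnection as found in WebSphere's security.xml, and runs on a constructed, trimmed sample file carrying the default values.

```python
import xml.etree.ElementTree as ET

XMI = "http://www.omg.org/XMI"  # xmi namespace used by security.xml (assumed here)

# Values from Tables 5-8 and 5-9: cache timeout in seconds, LTPA and LDAP search timeouts in minutes.
RECOMMENDED = {"cacheTimeout": 6000, "ltpaTimeout": 480, "searchTimeout": 120, "reuseConnection": True}

# Constructed sample: a trimmed security.xml carrying the default values from both tables.
SAMPLE_SECURITY_XML = """<security:Security xmi:version="2.0" xmlns:xmi="http://www.omg.org/XMI"
    xmlns:security="http://www.ibm.com/websphere/appserver/schemas/5.0/security.xmi"
    xmi:id="Security_1" enabled="true" cacheTimeout="600"
    activeAuthMechanism="LTPA_1" activeUserRegistry="LDAPUserRegistry_1">
  <authMechanisms xmi:type="security:LTPA" xmi:id="LTPA_1" timeout="120"/>
  <userRegistries xmi:type="security:LDAPUserRegistry" xmi:id="LDAPUserRegistry_1"
      searchTimeout="120" reuseConnection="true"/>
</security:Security>
"""

def _active_child(root, tag, xmi_type, ref_attr):
    """Return the <tag> child of the given xmi:type whose xmi:id root's ref_attr points at (others are inert)."""
    wanted = root.get(ref_attr)
    for child in root.findall(tag):
        if child.get("{%s}type" % XMI) == xmi_type and child.get("{%s}id" % XMI) == wanted:
            return child
    return None

def audit_security_xml(xml_text):
    """Map each parameter to (current, recommended, meets_recommendation) per Tables 5-8 and 5-9."""
    root = ET.fromstring(xml_text)
    findings = {}
    cache = int(root.get("cacheTimeout"))
    findings["cacheTimeout"] = (cache, RECOMMENDED["cacheTimeout"], cache >= RECOMMENDED["cacheTimeout"])
    ltpa = _active_child(root, "authMechanisms", "security:LTPA", "activeAuthMechanism")
    if ltpa is not None:
        minutes = int(ltpa.get("timeout"))
        # Table 5-9 note (a): the right LTPA value depends on the authentication validity you need.
        findings["ltpaTimeout"] = (minutes, RECOMMENDED["ltpaTimeout"], minutes >= RECOMMENDED["ltpaTimeout"])
    ldap = _active_child(root, "userRegistries", "security:LDAPUserRegistry", "activeUserRegistry")
    if ldap is not None:
        search = int(ldap.get("searchTimeout"))
        reuse = ldap.get("reuseConnection", "true").lower() == "true"
        findings["searchTimeout"] = (search, RECOMMENDED["searchTimeout"], search == RECOMMENDED["searchTimeout"])
        findings["reuseConnection"] = (reuse, True, reuse)
    return findings

def stale_window_seconds(findings):
    """Longest time a registry change (e.g. a lockout after failed logins) can go unseen: the cache timeout."""
    return findings["cacheTimeout"][0]
```

Raising Cache Timeout to the recommended 6000 also widens the stale window reported by stale_window_seconds tenfold, which is the trade-off the text describes.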