IBM Support

PK43270: IMPROVE J2SE AND J2EE SECURITY PERFORMANCE.

Subscribe

You can track all active APARs for this component.

APAR status

  • Closed as program error.

Error description

  • The overhead of J2SE and J2EE security has increased in the 6.1
    release.  This APAR will be used to reduce this overhead.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED: IBM WebSphere Application Server version 6.1 *
    *                 users using Java 2 and Java 2 Enterprise     *
    *                 Edition (J2EE) security.                     *
    ****************************************************************
    * PROBLEM DESCRIPTION: While running applications with Java 2  *
    *                      and J2EE security enabled on WebSphere  *
    *                      Application Server, there is a          *
    *                      significant performance overhead        *
    *                      resulting in higher response times.     *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    First, due to internal class loader changes, each access of the
    context class loader by the runtime incurred a Java 2 security
    check.
    Second, Java 2 Connector (J2C) repeatedly recreated many Subject
    objects even when a large number of databse connections are
    using the same credentials.
    Third, there is a large overhead associated with both J2EE
    security and the overhead of caller lists with Security
    Attribute Propagation (SAP).
    

Problem conclusion

  • First, enhancements were made to the runtime to avoid the
    overhead of accessing the context class loader.
    Second, a new system property was added:
    com.ibm.websphere.security.auth.j2c.
    cacheReadOnlyAuthDataSubjects
    
    When set to true, J2C will make Subject objects read-only and
    store them in a cache based on principal and auth data alias.
    This property must not be set if the Subject needs to be
    modified after being retrieved from a login module.
    Third, two new system properties were created to reduce the
    overhead of Security Attribute Propagation:
        com.ibm.CSI.disablePropagationCallerList
        com.ibm.CSI.propagateFirstCallerOnly
    Both should be set to true to avoid the costs associated with
    caller lists.
    
    With this fix, Java 2 and J2EE security performance is
    significantly improved.
    
    The fix for this APAR is currently targeted for inclusion in
    fixpak 6.1.0.9.
    Please refer to the recommended updates page for delivery
    information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    

Temporary fix

Comments

APAR Information

  • APAR number

    PK43270

  • Reported component name

    WEBSPH APP SERV

  • Reported component ID

    5724J0800

  • Reported release

    61A

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2007-04-13

  • Closed date

    2007-04-26

  • Last modified date

    2007-04-26

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Modules/Macros

  • SECURITY RUNTIME
    

Fix information

  • Fixed component name

    WEBSPH APP SERV

  • Fixed component ID

    5724J0800

Applicable component levels

  • R61A PSY

       UP

  • R61H PSY

       UP

  • R61I PSY

       UP

  • R61P PSY

       UP

  • R61S PSY

       UP

  • R61W PSY

       UP

  • R61Z PSY

       UP



Document information

More support for: WebSphere Application Server
General

Software version: 6.1

Reference #: PK43270

Modified date: 26 April 2007


Translate this page: