Chapter 5. WebSphere Portal runtime and services
151
Security cache timeout
WebSphere Application Server caches security information for each authenticated user so that
subsequent requests can be authorized without repeating the User Registry lookup. This setting
controls how long, in seconds, that cached information is retained before it is discarded and the
user is looked up again. Because User Registry lookups ultimately impact performance, we
typically recommend that the security cache timeout be increased from the default value. The one
exception to this rule is an environment in which the underlying User Registry is modified while
users are logged in, for example when an account is invalidated after several failed login
attempts: a change made in the registry is not seen by WebSphere Application Server until the
cached entry expires, so a longer timeout means a longer window in which the cache is stale and
a disabled user is still treated as valid.
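The stale-cache window described above, as an added example that is not part of the original guide and not WebSphere Application Server code: a small Python model of a per-user security cache with a fixed timeout sitting in front of a user registry. The UserRegistry and SecurityCache classes, the invalidate() hook and the scenario (alice is disabled in the registry 60 seconds after authenticating) are assumptions constructed for the illustration; the default and recommended timeouts are the ones from the table on this page.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class UserRegistry:
    """Stand-in for the LDAP User Registry: the authoritative account state."""
    disabled: Set[str] = field(default_factory=set)
    lookups: int = 0          # number of simulated round trips to the directory

    def is_active(self, user: str) -> bool:
        self.lookups += 1
        return user not in self.disabled


@dataclass
class SecurityCache:
    """Per-user cache with a fixed lifetime, modelling the security cache timeout."""
    registry: UserRegistry
    timeout: int                                   # seconds an entry is trusted
    entries: Dict[str, Tuple[bool, int]] = field(default_factory=dict)

    def is_authorized(self, user: str, now: int) -> bool:
        hit = self.entries.get(user)
        if hit is not None and now - hit[1] < self.timeout:
            return hit[0]                          # served from cache, no lookup
        active = self.registry.is_active(user)     # cache miss or expired entry
        self.entries[user] = (active, now)
        return active

    def invalidate(self, user: str) -> None:
        """Hypothetical hook (assumption): drop the entry when the registry changes."""
        self.entries.pop(user, None)


def stale_window(timeout: int, cached_at: int, disabled_at: int) -> int:
    """Seconds after the account is disabled during which the cache still answers
    'authorized' for it (0 if the entry had already expired)."""
    return max(0, cached_at + timeout - disabled_at)


def simulate(timeout: int, invalidate_on_change: bool) -> Tuple[List[Tuple[int, bool]], int]:
    """Constructed scenario: alice authenticates at t=0 and is disabled in the
    registry at t=60 (for example after repeated failed logins). Returns the
    authorization decisions at later instants and the number of registry lookups."""
    registry = UserRegistry()
    cache = SecurityCache(registry, timeout)
    cache.is_authorized("alice", now=0)            # first request: cache miss, lookup
    registry.disabled.add("alice")                 # change made directly in the registry
    if invalidate_on_change:
        cache.invalidate("alice")
    decisions = [(t, cache.is_authorized("alice", now=t))
                 for t in (60, timeout - 1, timeout)]
    return decisions, registry.lookups


if __name__ == "__main__":
    for timeout in (600, 6000):                    # default vs. recommended value
        print(timeout, simulate(timeout, invalidate_on_change=False))
        print("stale for", stale_window(timeout, cached_at=0, disabled_at=60), "s")
    print("with invalidation", simulate(6000, invalidate_on_change=True))
```

With the default 600 seconds the disabled account is still authorized for 540 seconds after the registry change; with the recommended 6000 seconds that window grows to 5940 seconds, which is the trade-off the paragraph warns about. Only an invalidation at the moment of the registry change closes the window without giving up the lookup savings.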
To view or modify the Global Security Settings from the WebSphere Application Server
Administrative Console, select Security → Global Security. Table 5-8 shows the default and
recommended values.
Table 5-8 Global security settings
Parameter                    Default value    Recommended value
Cache Timeout (seconds)      600              6000

LTPA settings
Successfully authenticated users receive a Lightweight Third-Party Authentication (LTPA)
token containing a credential that can be delegated; the token is carried in the form of an
encrypted transient cookie. This cookie is valid only for the duration of the user's browser
session, and the LTPA token embedded in it is what allows subsequent requests to be honored
without reauthentication. However, the LTPA token is itself subject to expiry even if the user's
browser session is maintained: the token starts to time out immediately upon creation, and
user activity does not extend it.
Because users are expected to log in to the Portal at the beginning of the day and maintain a
degree of interaction with the system throughout the day, we suggest that the LTPA Timeout be
modified to reflect this period. The validity of the LTPA token is also of concern for
environments implementing single sign-on (SSO), because the same token is what the other
servers in the SSO domain honor in place of a fresh login.
To view or modify the LTPA Settings from the WebSphere Application Server Administrative
Console, select Security → Global Security → Authentication → Authentication mechanisms →
LTPA. Table 5-9 shows the default and recommended values.
Table 5-9 LTPA settings
Parameter                        Default value    Recommended value
LTPA Timeout (minutes)           120              480 (a)
LDAP Search Timeout (seconds)    120              120
LDAP Reuse Connection            Enabled          Enabled
a. Dependent on the period of authentication validity required.
One very important parameter with regard to both performance and security is the ability to
reuse the connection that WebSphere Application Server establishes to the chosen LDAP
Directory Server. By default, this parameter, "Reuse connection", is enabled, and we recommend
leaving it enabled.
Consideration:
In addition to the LTPA Timeout, which is absolute (measured from the creation of the token,
regardless of activity), the value defined for the HttpSession Timeout, which is relative
(measured from the user's last request), can impact the behavior of the Portal. A user who
remains active is bound by the absolute LTPA limit; a user who goes idle reaches the relative
HttpSession limit first.
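The interaction between the absolute LTPA Timeout and the relative HttpSession Timeout noted in the consideration above, as an added example that is not from the guide and not WebSphere or Portal code: a Python model that replays a sequence of request times against both clocks and reports which limit is reached first. The class and status names and the request schedules are assumptions constructed for the illustration; what the Portal does once an HttpSession has expired while the token is still valid depends on Portal configuration not covered on this page, so the model only records that the session limit was hit before the token limit.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass
class AuthClocks:
    """Constructed model of the two timers limiting an authenticated Portal user.

    ltpa_timeout    absolute, minutes from token creation; requests do not extend it.
    session_timeout relative, minutes since the last request; every request resets it.
    """
    ltpa_timeout: int
    session_timeout: int
    token_created: int = 0
    last_request: int = 0

    def request(self, now: int) -> str:
        """Outcome of a request arriving at minute `now`."""
        if now - self.token_created >= self.ltpa_timeout:
            return "ltpa-expired"          # reauthentication required, active or not
        if now - self.last_request >= self.session_timeout:
            self.last_request = now        # this request starts a fresh HttpSession
            return "session-expired"       # relative limit hit while the token is valid
        self.last_request = now
        return "ok"


def replay(ltpa_timeout: int, session_timeout: int,
           minutes: Iterable[int]) -> List[Tuple[int, str]]:
    """Outcome of each request in a constructed sequence of request times (minutes)."""
    clocks = AuthClocks(ltpa_timeout, session_timeout)
    return [(t, clocks.request(t)) for t in minutes]


def first_interruption(ltpa_timeout: int, session_timeout: int,
                       minutes: Iterable[int]) -> Optional[Tuple[int, str]]:
    """First request that is not served normally, or None if all are."""
    for t, status in replay(ltpa_timeout, session_timeout, minutes):
        if status != "ok":
            return (t, status)
    return None


if __name__ == "__main__":
    # Constructed schedule: a request every 20 minutes across an 8-hour day.
    busy_day = list(range(0, 481, 20))
    print("default LTPA 120 min:", first_interruption(120, 30, busy_day))
    print("recommended 480 min:", first_interruption(480, 30, busy_day))
    # Constructed schedule: the user walks away for an hour after minute 40.
    print("idle user:", first_interruption(480, 30, [0, 20, 40, 100, 110]))
```

With the default 120-minute LTPA timeout a user who never idles is still forced to reauthenticate two hours into the day, which is the case the recommendation of 480 minutes is meant to remove; the idle user is stopped by the 30-minute HttpSession limit long before either token limit matters.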