IBM BS029ML - WebSphere Portal Server Self Help Manual page 165

Security cache timeout
WebSphere Application Server caches security information about each authenticated user so that it does not have to repeat User-Registry lookups on subsequent requests, for example when a user's security credential expires. This setting controls how long, in seconds, that information is retained before being discarded. Because User-Registry lookups ultimately affect performance, we typically recommend that the security cache timeout be increased from the default value. The only exception to this rule is when modifications are made to the underlying User-Registry, such as invalidating a user after several failed login attempts; in that case the security cache can become stale and invalid.
To view or modify the Global Security settings from the WebSphere Application Server Administrative Console, select Security → Global Security. Table 5-8 shows the default and recommended values.
Table 5-8 Global security settings
Parameter               Default value     Recommended value
Cache Timeout           600               6000

LTPA settings
Successfully authenticated users receive a Lightweight Third-Party Authentication (LTPA) token containing a credential that can be delegated in the form of an encrypted transient cookie. This cookie is valid only for the duration of the user's browser session; the embedded LTPA token is used to honor subsequent requests that would otherwise require reauthentication. However, the LTPA token is itself subject to expiry even if the user's browser session is maintained: effectively, the LTPA token starts to time out immediately upon creation.
Because users are expected to log in to the Portal at the beginning of the day and maintain a degree of interaction with the system throughout the day, we suggest that the LTPA Timeout be modified to reflect this period. The validity of the LTPA token is also a concern for environments implementing single sign-on (SSO).
To view or modify the LTPA settings from the WebSphere Application Server Administrative Console, select Security → Global Security → Authentication → Authentication mechanisms → LTPA. Table 5-9 shows the default and recommended values.
Table 5-9 LTPA settings
Parameter               Default value     Recommended value
LTPA Timeout            120               480 (a)
LDAP Search Timeout     120               120
LDAP Reuse Connection   Enabled           Enabled
a. Dependent on the period of authentication validity required.
One very important parameter with regard to both performance and security is the ability to reuse the connection that WebSphere Application Server establishes to the chosen LDAP Directory Server. By default, this parameter, "Reuse connection", is enabled.
Consideration: In addition to the LTPA Timeout (absolute), the value defined for the HttpSession Timeout (relative) can affect the behavior of the Portal.
Chapter 5. WebSphere Portal runtime and services    151
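As an added illustration (not code from this manual, from IBM, or from WebSphere itself), the following Python model replays the three timers this section discusses: the security cache timeout (seconds, as the page states), the LTPA Timeout (absolute, counted from token creation; the model assumes it is expressed in minutes) and the HttpSession Timeout (relative, counted from the last request; the 30-minute value is an assumption, since this page gives no figure for it). The user names, token format, the in-memory "registry" and the behaviour chosen on session expiry are constructed for the model. It makes the trade-off in the text concrete: a larger cache timeout saves registry lookups, but a user invalidated in the registry (after failed logins, for instance) keeps being honored until the cached entry expires, so the stale window grows with the timeout.

```python
"""Constructed model of the WebSphere security cache timeout, LTPA timeout and
HttpSession timeout described in this section. Not WebSphere code."""
from dataclasses import dataclass, field


@dataclass
class Registry:
    """Stand-in for the LDAP user registry; lookups are counted so the
    saving from the security cache is visible."""
    disabled: set = field(default_factory=set)
    lookups: int = 0

    def lookup(self, user):
        self.lookups += 1
        return user not in self.disabled


@dataclass
class Settings:
    cache_timeout: int = 600      # seconds; page default (recommended 6000)
    ltpa_timeout: int = 120       # minutes; page default (recommended 480)
    session_timeout: int = 30     # minutes; assumed value, not from this page


class Portal:
    def __init__(self, settings, registry):
        self.s = settings
        self.registry = registry
        self.cache = {}      # user -> (is_valid, cached_at)
        self.tokens = {}     # token -> (user, issued_at)
        self.last_seen = {}  # token -> time of the last honored request

    def login(self, user, now):
        """Initial authentication always hits the registry and issues a token."""
        if not self.registry.lookup(user):
            return None
        token = f"ltpa-{user}-{now}"          # constructed token format
        self.tokens[token] = (user, now)
        self.cache[user] = (True, now)
        self.last_seen[token] = now
        return token

    def request(self, token, now):
        """Return one of: ok, ltpa-expired, session-expired, denied."""
        if token not in self.tokens:
            return "ltpa-expired"
        user, issued = self.tokens[token]
        # LTPA timeout is absolute: it counts from token creation, even if
        # the browser session has been active the whole time.
        if now - issued >= self.s.ltpa_timeout * 60:
            del self.tokens[token]
            return "ltpa-expired"
        # HttpSession timeout is relative: it counts from the last request.
        # Model choice (assumption): the token still authenticates, but the
        # idle session is discarded and a fresh one starts with this request.
        idle = now - self.last_seen[token]
        self.last_seen[token] = now
        if idle >= self.s.session_timeout * 60:
            return "session-expired"
        # Security cache: reuse the registry answer until cache_timeout elapses.
        valid, cached_at = self.cache.get(user, (None, None))
        if valid is None or now - cached_at >= self.s.cache_timeout:
            valid = self.registry.lookup(user)
            self.cache[user] = (valid, now)
        return "ok" if valid else "denied"


def seconds_until_denied(cache_timeout, disable_at, step=60):
    """Log in at t=0, disable the user in the registry at disable_at, poll
    every `step` seconds and return the time of the first denied request.
    The gap back to disable_at is the stale-cache window the text warns about."""
    reg = Registry()
    portal = Portal(Settings(cache_timeout=cache_timeout, ltpa_timeout=480), reg)
    token = portal.login("alice", 0)
    for t in range(step, 24 * 3600, step):
        if t >= disable_at:
            reg.disabled.add("alice")
        if portal.request(token, t) == "denied":
            return t
    return None


def trace(settings, request_times):
    """Log in at t=0, then replay requests at the given times (seconds)."""
    portal = Portal(settings, Registry())
    token = portal.login("bob", 0)
    return [(t, portal.request(token, t)) for t in request_times]


if __name__ == "__main__":
    for ct in (600, 6000):
        t = seconds_until_denied(ct, disable_at=300)
        print(f"cache_timeout={ct}: denied at t={t}s, stale for {t - 300}s")
    # Absolute LTPA expiry fires at 7200 s even though requests kept arriving.
    print(trace(Settings(), [60, 1000, 3000, 7200]))
```

With the page's defaults the disabled user is cut off at 600 s (300 s stale); with the recommended 6000 s cache timeout the same user is honored for 5700 s after the registry change, which is the exception the text calls out. The trace also shows the two Consideration timers acting independently: the idle gap between 1000 s and 3000 s trips the relative session timeout, while the 120-minute LTPA Timeout expires at 7200 s regardless of activity.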