000020060 - Optimizing RSA ClearTrust 5.0 performance

Document created by RSA Customer Support Employee on Jun 15, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 5Show Document
  • View in full screen mode

Article Content

Article Number000020060
Applies ToSun Solaris
Microsoft Windows
IssueOptimizing RSA ClearTrust 5.0 performance
CauseThe extent to which RSA ClearTrust performance can be improved depends largely on your IT infrastructure and security policies. The aim of this solution is to discuss some of the configuration options that can be adjusted to optimize ClearTrust Performance. Given that anecdotal evidence shows the performance of ClearTrust 5.0 to be better than that of its predecessors, this solution will focus in this later version.
ResolutionBefore proceeding, review your current IT and Security infrastructure and your security policies, given they will directly impact which of (and how) the following optimization options can be used in your environment.

1. The Authorization Server caches in memory the requests it receives from the RSA ClearTrust Agents (see also next point). You can improve performance by increasing the amount of memory used for the cache, e.g. increasing the Java heap size as described in pages 116-118 of the "RSA ClearTrust 5.0 - Server Installation and Configuration Guide".

2. The Authorization Server has several Cache Parameters configurable in aserver.conf. Consult pages 243-248 of the "RSA ClearTrust 5.0 - Server Installation and Configuration Guide" for further details.

For additional information about the internal operations of the ClearTrust cache, review the following solutions:

 a. What is the behavior when the cache limit is met (before time_to_live has been reached)? Will the cache automatically overwrite the oldest entry with the new one  or will an exception be raised?

 b. Is memory allocated only as the objects in the database are cached? Or is it allocated at startup  based on the cache settings defined in aserver.conf?

3. An Apache Web Server (UNIX only) spawns several child processes to handle requests. Given that each child will receive its own instance of the ClearTrust Web Agent, it will also have a socket opened to the ClearTrust backend servers. If you have a Firewall located between the ClearTrust server and Agent, and this type of Firewall blocks sockets instead of closing them properly, the performance of ClearTrust will be degraded. Checkpoint Firewall-1 has this behavior.

If this is the case, consult the solution titled "RSA ClearTrust Authentication servers stop responding to requests after a period of Agent inactivity" This solution also applies to ClearTrust 5.0.

4. The Entitlements Server provides several Cache Management Parameters configurable in eserver.conf. For more information, consult pages 235-236 of the "RSA ClearTrust 5.0 - Server Installation and Configuration Guide".

5. Review the solution titled "How to improve search performance in RSA ClearTrust Entitlements Manager (Admin GUI)" for performance information about the ClearTrust Entitlements Manager Web interface.

6. The performance of the Data Repository - i.e. the LDAP Directory Server (iPlanet, Active Directory) or the RDBMS (Oracle, Sybase) - will directly affect the performance of ClearTrust.

 a. Pages 78 of the "RSA ClearTrust 5.0 - Server Installation and Configuration Guide" provide references to relevant iPlanet and Active Directory optimization information.

 b. Consult with your DBA and/or your RDBMS manuals to identify possible performance optimizations for your DBMS.

 c. Verify you are using the latest JDBC drivers provided by your RDBMS vendor. The drivers tested by RSA Security are v5.5 for Sybase and v9i for Oracle (for both Oracle 9i and 8.1.7).

7. ClearTrust, by default, uses an LDAP bind operation to check a user's password. Retrieving the user?s password, instead of using the bind operation, can increase performance. If you are using iPlanet, with the option to retrieve users' password enabled, set the "cleartrust.data.ldap.user.password.validate_with_connect" parameter in LDAP.CONF to false. ClearTrust will then fetch the user password from LDAP instead of binding to the LDAP directory. See page 208 of the "RSA ClearTrust 5.0 - Server Installation and Configuration Guide" for additional information. NOTE: This cannot be done with Active Directory.

8. Several ClearTrust performance issues have been solved with hot fixes. Contact RSA Security Support to obtain the latest cumulative hot fix for both the ClearTrust back-end servers and Agents. NOTE: Please test the hot fix in your lab before installing it in production machines.

9. Use a high-performance Java Virtual Machine (JVM). For example, you can try BEA WebLogic JRockit.

10. Edit the JSP or ASP pages used by the CT Agent (located in the Agent's /htdocs subdirectory) to minimize the amount of information that has to be downloaded. For instance, take out unnecessary text and the logos (GIF files); this step applies mainly to proof-of-concept/performance-analysis scenarios.

11. Finally, SSL (Secure Socket Layer) authentication and encryption imposes an important CPU burden, typical of encryption operations.

 a. In test environments, you should expect the best performance by doing the following:
        - Disabling CT inter-component security (no encryption). This is NOT recommended for production                 
          environments given the security risks
        - Not activating server-side SSL in the ClearTrust-protected Web Server or Application Server
        - Not using SSL between the ClearTrust backend servers and the LDAP server

 b. In production environments, you will have to make a trade-off between security and performance. Decide which of the following options is best for your particular situation:
        - ClearTrust inter-component security (listed from the least to the most CPU-intensive) with anonymous SSL
          server-authenticated SSL        mutually-authenticated SSL
        - LDAP over SSL to connect to the LDAP directory server
        - ClearTrust-protected Web server or Application Server (listed from the least to the most CPU-intensive) with
          no encryption at all, server-side SSL, or mutually-authenticated SSL

 c. Pages 128-143 of the "RSA ClearTrust 5.0 - Server Installation and Configuration Guide" provides additional details

NOTE: With all proposed performance enhancements, full testing must be done to assess their reliability and improvement value before deployment in a production environment
Legacy Article IDa14121