| |
|
RSS Feed - WebSphere MQ Support
|
RSS Feed - Message Broker Support
|
  |
|
| Refresh Security performance impact |
« View previous topic :: View next topic » |
| Author |
Message
|
| bobbee |
 Posted: Mon Oct 26, 2020 5:34 am Post subject: Refresh Security performance impact |
 |
|
Knight
Joined: 20 Sep 2001
Posts: 545
Location: Tampa
|
| Generally asking, How expensive to performance is a REFRESH SECURITY for OS groups and IDs on a Queue Manager when run? |
|
| Back to top |
|
 |
| bruce2359 |
| Posted: Mon Oct 26, 2020 6:18 am Post subject: |
|
|
Poobah
Joined: 05 Jan 2008
Posts: 9469
Location: US: west coast, almost. Otherwise, enroute.
|
Some worse than others. When you issue the REFRESH SECURITY TYPE(SSL) MQSC command, all running SSL channels are stopped and restarted. Sometimes SSL channels can take a long time to shut down and this means that the refresh operation takes some time to complete.
Most other are merely cache memory to memory moves.
IMHO, REFRESH SECURITY is like any other maintenance, and should be scheduled for least impact on production environment.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
|
| Back to top |
|
|
| fjb_saper |
| Posted: Mon Oct 26, 2020 8:13 am Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
I thought it did not affect existing connections, only new connections.
This would mean that in order for the qmgr to recognize that somebody is no longer authorized you might have to forcibly terminate his connection...
Now this works for channels and qmgr connect authorization...
For MQ object access, it would probably apply to the next MQOPEN command, like when the user next issues the MQOpen command for a queue..., or tries the next MQGET or MQPUT operation... 
_________________
MQ & Broker admin |
|
| Back to top |
|
|
| bruce2359 |
| Posted: Mon Oct 26, 2020 9:29 am Post subject: |
|
|
Poobah
Joined: 05 Jan 2008
Posts: 9469
Location: US: west coast, almost. Otherwise, enroute.
|
|
| Back to top |
|
|
| gbaddeley |
| Posted: Mon Oct 26, 2020 2:20 pm Post subject: Re: Refresh Security performance impact |
|
|
Jedi Knight
Joined: 25 Mar 2003
Posts: 2538
Location: Melbourne, Australia
|
| bobbee wrote: |
| Generally asking, How expensive to performance is a REFRESH SECURITY for OS groups and IDs on a Queue Manager when run? |
As mentioned in the knowledgecenter, refresh of AUTHSERV, CONNAUTH or CLASSES will remove all cached OS security information in the qmgr. This means that subsequent authorization checks will result in the qmgr calling OS or LDAP services to repopulated its cache of OS information as needed. I have never noticed any adverse performance issues when doing these types of refresh, and would have little hesitation running them on a busy production qmgr.
_________________
Glenn |
|
| Back to top |
|
|
| fjb_saper |
| Posted: Mon Oct 26, 2020 5:07 pm Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
Bobee was not specifying TYPE(SSL). What if he only wanted to pickup a change in group membership?
_________________
MQ & Broker admin |
|
| Back to top |
|
|
| bruce2359 |
| Posted: Mon Oct 26, 2020 5:20 pm Post subject: Re: Refresh Security performance impact |
|
|
Poobah
Joined: 05 Jan 2008
Posts: 9469
Location: US: west coast, almost. Otherwise, enroute.
|
| fjb_saper wrote: |
| Bobee was not specifying TYPE(SSL). What if he only wanted to pickup a change in group membership? |
She was asking for performance impact. SSL imposes one, the others are memory to memory.
| gbaddeley wrote: |
| bobbee wrote: |
| Generally asking, How expensive to performance is a REFRESH SECURITY for OS groups and IDs on a Queue Manager when run? |
As mentioned in the knowledgecenter, refresh of AUTHSERV, CONNAUTH or CLASSES will remove all cached OS security information in the qmgr. This means that subsequent authorization checks will result in the qmgr calling OS or LDAP services to repopulated its cache of OS information as needed. I have never noticed any adverse performance issues when doing these types of refresh, and would have little hesitation running them on a busy production qmgr. |
The entire cached view of AUTHSERV and CONNAUTH will be removed (flushed), AND refreshed - in its entirety.
| Quote: |
[UNIX, Linux, Windows, IBM i]AUTHSERV
The list of authorizations held internally by the authorization services component is refreshed.
This is the default value. |
| Quote: |
CONNAUTH
Refreshes the cached view of the configuration for connection authentication.
|
CLASSES is a z/OS (zed) thing. Individual Classes will be refreshed as needed.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
|
| Back to top |
|
|
| hughson |
| Posted: Mon Oct 26, 2020 9:07 pm Post subject: Re: Refresh Security performance impact |
|
|
Padawan
Joined: 09 May 2013
Posts: 1959
Location: Bay of Plenty, New Zealand
|
| bobbee wrote: |
| Generally asking, How expensive to performance is a REFRESH SECURITY for OS groups and IDs on a Queue Manager when run? |
The actual act of REFRESH SECURITY TYPE(AUTHSERV), which the default type and the one that flushes the cache of OS groups for IDs on a queue manager, is not in itself expensive. It is merely a matter of the queue manager forgetting what it has cached.
What that means however, is that each time a new user ID attempts to connect to the queue manager or open a queue, and they will all be new after a refresh, the queue manager must ask the OS what groups that ID is in. How expensive that question is will depend on where the group memberships are stored (local OS versus remote LDAP or somewhere in between). The impact on the system will also depend on whether all these new lookups happen at exactly the same time, say 9am Monday morning, or whether they trickle in through the day.
Short answer: it depends 
Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software |
|
| Back to top |
|
|
| bruce2359 |
| Posted: Tue Oct 27, 2020 1:19 pm Post subject: Re: Refresh Security performance impact |
|
|
Poobah
Joined: 05 Jan 2008
Posts: 9469
Location: US: west coast, almost. Otherwise, enroute.
|
| hughson wrote: |
| bobbee wrote: |
| Generally asking, How expensive to performance is a REFRESH SECURITY for OS groups and IDs on a Queue Manager when run? |
The actual act of REFRESH SECURITY TYPE(AUTHSERV), which the default type and the one that flushes the cache of OS groups for IDs on a queue manager, is not in itself expensive. It is merely a matter of the queue manager forgetting what it has cached.
What that means however, is that each time a new user ID attempts to connect to the queue manager or open a queue, and they will all be new after a refresh, the queue manager must ask the OS what groups that ID is in. How expensive that question is will depend on where the group memberships are stored (local OS versus remote LDAP or somewhere in between). The impact on the system will also depend on whether all these new lookups happen at exactly the same time, say 9am Monday morning, or whether they trickle in through the day.
Short answer: it depends
Cheers,
Morag |
If REFRESH only discards held MQ cache, then all future individual requests for an authorization will cause an individual call to the OS/LDAP. My understanding has been that REFRESH causes cache to be discarded, followed immediately by a request to OS/LDAP for all knowledge about MQ and its object permissions in order to repopulate cache.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
|
| Back to top |
|
|
| hughson |
| Posted: Tue Oct 27, 2020 2:40 pm Post subject: Re: Refresh Security performance impact |
|
|
Padawan
Joined: 09 May 2013
Posts: 1959
Location: Bay of Plenty, New Zealand
|
| bruce2359 wrote: |
| hughson wrote: |
| bobbee wrote: |
| Generally asking, How expensive to performance is a REFRESH SECURITY for OS groups and IDs on a Queue Manager when run? |
The actual act of REFRESH SECURITY TYPE(AUTHSERV), which the default type and the one that flushes the cache of OS groups for IDs on a queue manager, is not in itself expensive. It is merely a matter of the queue manager forgetting what it has cached.
What that means however, is that each time a new user ID attempts to connect to the queue manager or open a queue, and they will all be new after a refresh, the queue manager must ask the OS what groups that ID is in. How expensive that question is will depend on where the group memberships are stored (local OS versus remote LDAP or somewhere in between). The impact on the system will also depend on whether all these new lookups happen at exactly the same time, say 9am Monday morning, or whether they trickle in through the day.
Short answer: it depends
Cheers,
Morag |
If REFRESH only discards held MQ cache, then all future individual requests for an authorization will cause an individual call to the OS/LDAP. My understanding has been that REFRESH causes cache to be discarded, followed immediately by a request to OS/LDAP for all knowledge about MQ and its object permissions in order to repopulate cache. |
The cache in question is the memberships that OS/LDAP user IDs have in groups. The cache in question contains nothing about MQ objects or their permissions. There is no need to REFRESH SECURITY TYPE(AUTHSERV) if you have just added a new MQ authorisation to the OAM.
Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software |
|
| Back to top |
|
|
|
|
|
| |
|
Page 1 of 1 |
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
|
|
