ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum IndexGeneral IBM MQ SupportRefresh Security performance impact

Post new topicReply to topic
Refresh Security performance impact View previous topic :: View next topic
Author Message
bobbee
PostPosted: Mon Oct 26, 2020 5:34 am Post subject: Refresh Security performance impact Reply with quote

Chevalier

Joined: 20 Sep 2001
Posts: 463
Location: Tampa

Generally asking, How expensive to performance is a REFRESH SECURITY for OS groups and IDs on a Queue Manager when run?
Back to top
View user's profile Send private message Send e-mail AIM Address
bruce2359
PostPosted: Mon Oct 26, 2020 6:18 am Post subject: Reply with quote

Poobah

Joined: 05 Jan 2008
Posts: 8820
Location: US: west coast, almost. Otherwise, enroute.

Some worse than others. When you issue the REFRESH SECURITY TYPE(SSL) MQSC command, all running SSL channels are stopped and restarted. Sometimes SSL channels can take a long time to shut down and this means that the refresh operation takes some time to complete.

Most other are merely cache memory to memory moves.

IMHO, REFRESH SECURITY is like any other maintenance, and should be scheduled for least impact on production environment.
_________________
My life flows on in endless song;
How can I keep from singing?
Back to top
View user's profile Send private message
fjb_saper
PostPosted: Mon Oct 26, 2020 8:13 am Post subject: Reply with quote

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20421
Location: LI,NY

I thought it did not affect existing connections, only new connections.
This would mean that in order for the qmgr to recognize that somebody is no longer authorized you might have to forcibly terminate his connection...
Now this works for channels and qmgr connect authorization...

For MQ object access, it would probably apply to the next MQOPEN command, like when the user next issues the MQOpen command for a queue..., or tries the next MQGET or MQPUT operation...
_________________
MQ & Broker admin
Back to top
View user's profile Send private message Send e-mail
bruce2359
PostPosted: Mon Oct 26, 2020 9:29 am Post subject: Reply with quote

Poobah

Joined: 05 Jan 2008
Posts: 8820
Location: US: west coast, almost. Otherwise, enroute.

Read here https://www.ibm.com/support/knowledgecenter/SSFKSJ_9.0.0/com.ibm.mq.ref.adm.doc/q086490_.htm

Quote:
In the case of a server-connection channel, the client application loses its connection to the queue manager and has to reconnect in order to continue.

_________________
My life flows on in endless song;
How can I keep from singing?
Back to top
View user's profile Send private message
gbaddeley
PostPosted: Mon Oct 26, 2020 2:20 pm Post subject: Re: Refresh Security performance impact Reply with quote

Jedi

Joined: 25 Mar 2003
Posts: 2192
Location: Melbourne, Australia

bobbee wrote:
Generally asking, How expensive to performance is a REFRESH SECURITY for OS groups and IDs on a Queue Manager when run?

As mentioned in the knowledgecenter, refresh of AUTHSERV, CONNAUTH or CLASSES will remove all cached OS security information in the qmgr. This means that subsequent authorization checks will result in the qmgr calling OS or LDAP services to repopulated its cache of OS information as needed. I have never noticed any adverse performance issues when doing these types of refresh, and would have little hesitation running them on a busy production qmgr.
_________________
Glenn
Back to top
View user's profile Send private message
fjb_saper
PostPosted: Mon Oct 26, 2020 5:07 pm Post subject: Reply with quote

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20421
Location: LI,NY

bruce2359 wrote:
Read here https://www.ibm.com/support/knowledgecenter/SSFKSJ_9.0.0/com.ibm.mq.ref.adm.doc/q086490_.htm

Quote:
In the case of a server-connection channel, the client application loses its connection to the queue manager and has to reconnect in order to continue.

Bobee was not specifying TYPE(SSL). What if he only wanted to pickup a change in group membership?
_________________
MQ & Broker admin
Back to top
View user's profile Send private message Send e-mail
bruce2359
PostPosted: Mon Oct 26, 2020 5:20 pm Post subject: Re: Refresh Security performance impact Reply with quote

Poobah

Joined: 05 Jan 2008
Posts: 8820
Location: US: west coast, almost. Otherwise, enroute.

fjb_saper wrote:
Bobee was not specifying TYPE(SSL). What if he only wanted to pickup a change in group membership?

She was asking for performance impact. SSL imposes one, the others are memory to memory.

gbaddeley wrote:
bobbee wrote:
Generally asking, How expensive to performance is a REFRESH SECURITY for OS groups and IDs on a Queue Manager when run?

As mentioned in the knowledgecenter, refresh of AUTHSERV, CONNAUTH or CLASSES will remove all cached OS security information in the qmgr. This means that subsequent authorization checks will result in the qmgr calling OS or LDAP services to repopulated its cache of OS information as needed. I have never noticed any adverse performance issues when doing these types of refresh, and would have little hesitation running them on a busy production qmgr.

The entire cached view of AUTHSERV and CONNAUTH will be removed (flushed), AND refreshed - in its entirety.
Quote:
[UNIX, Linux, Windows, IBM i]AUTHSERV
The list of authorizations held internally by the authorization services component is refreshed.
This is the default value.

Quote:
CONNAUTH
Refreshes the cached view of the configuration for connection authentication.

CLASSES is a z/OS (zed) thing. Individual Classes will be refreshed as needed.
_________________
My life flows on in endless song;
How can I keep from singing?
Back to top
View user's profile Send private message
hughson
PostPosted: Mon Oct 26, 2020 9:07 pm Post subject: Re: Refresh Security performance impact Reply with quote

Padawan

Joined: 09 May 2013
Posts: 1512
Location: Bay of Plenty, New Zealand

bobbee wrote:
Generally asking, How expensive to performance is a REFRESH SECURITY for OS groups and IDs on a Queue Manager when run?

The actual act of REFRESH SECURITY TYPE(AUTHSERV), which the default type and the one that flushes the cache of OS groups for IDs on a queue manager, is not in itself expensive. It is merely a matter of the queue manager forgetting what it has cached.

What that means however, is that each time a new user ID attempts to connect to the queue manager or open a queue, and they will all be new after a refresh, the queue manager must ask the OS what groups that ID is in. How expensive that question is will depend on where the group memberships are stored (local OS versus remote LDAP or somewhere in between). The impact on the system will also depend on whether all these new lookups happen at exactly the same time, say 9am Monday morning, or whether they trickle in through the day.

Short answer: it depends

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
Back to top
View user's profile Send private message Visit poster's website
bruce2359
PostPosted: Tue Oct 27, 2020 1:19 pm Post subject: Re: Refresh Security performance impact Reply with quote

Poobah

Joined: 05 Jan 2008
Posts: 8820
Location: US: west coast, almost. Otherwise, enroute.

hughson wrote:
bobbee wrote:
Generally asking, How expensive to performance is a REFRESH SECURITY for OS groups and IDs on a Queue Manager when run?

The actual act of REFRESH SECURITY TYPE(AUTHSERV), which the default type and the one that flushes the cache of OS groups for IDs on a queue manager, is not in itself expensive. It is merely a matter of the queue manager forgetting what it has cached.

What that means however, is that each time a new user ID attempts to connect to the queue manager or open a queue, and they will all be new after a refresh, the queue manager must ask the OS what groups that ID is in. How expensive that question is will depend on where the group memberships are stored (local OS versus remote LDAP or somewhere in between). The impact on the system will also depend on whether all these new lookups happen at exactly the same time, say 9am Monday morning, or whether they trickle in through the day.

Short answer: it depends

Cheers,
Morag

If REFRESH only discards held MQ cache, then all future individual requests for an authorization will cause an individual call to the OS/LDAP. My understanding has been that REFRESH causes cache to be discarded, followed immediately by a request to OS/LDAP for all knowledge about MQ and its object permissions in order to repopulate cache.
_________________
My life flows on in endless song;
How can I keep from singing?
Back to top
View user's profile Send private message
hughson
PostPosted: Tue Oct 27, 2020 2:40 pm Post subject: Re: Refresh Security performance impact Reply with quote

Padawan

Joined: 09 May 2013
Posts: 1512
Location: Bay of Plenty, New Zealand

bruce2359 wrote:
hughson wrote:
bobbee wrote:
Generally asking, How expensive to performance is a REFRESH SECURITY for OS groups and IDs on a Queue Manager when run?

The actual act of REFRESH SECURITY TYPE(AUTHSERV), which the default type and the one that flushes the cache of OS groups for IDs on a queue manager, is not in itself expensive. It is merely a matter of the queue manager forgetting what it has cached.

What that means however, is that each time a new user ID attempts to connect to the queue manager or open a queue, and they will all be new after a refresh, the queue manager must ask the OS what groups that ID is in. How expensive that question is will depend on where the group memberships are stored (local OS versus remote LDAP or somewhere in between). The impact on the system will also depend on whether all these new lookups happen at exactly the same time, say 9am Monday morning, or whether they trickle in through the day.

Short answer: it depends

Cheers,
Morag

If REFRESH only discards held MQ cache, then all future individual requests for an authorization will cause an individual call to the OS/LDAP. My understanding has been that REFRESH causes cache to be discarded, followed immediately by a request to OS/LDAP for all knowledge about MQ and its object permissions in order to repopulate cache.

The cache in question is the memberships that OS/LDAP user IDs have in groups. The cache in question contains nothing about MQ objects or their permissions. There is no need to REFRESH SECURITY TYPE(AUTHSERV) if you have just added a new MQ authorisation to the OAM.

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
Back to top
View user's profile Send private message Visit poster's website
Display posts from previous:
Post new topicReply to topic Page 1 of 1

MQSeries.net Forum IndexGeneral IBM MQ SupportRefresh Security performance impact
Jump to:



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP


Theme by Dustin Baccetti
Powered by phpBB 2001, 2002 phpBB Group

Copyright MQSeries.net. All rights reserved.