ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum Index » General IBM MQ Support » Refresh Security performance impact

Post new topic  Reply to topic
 Refresh Security performance impact « View previous topic :: View next topic » 
Author Message
bobbee
PostPosted: Mon Oct 26, 2020 5:34 am    Post subject: Refresh Security performance impact Reply with quote

Knight

Joined: 20 Sep 2001
Posts: 541
Location: Tampa

Generally asking, How expensive to performance is a REFRESH SECURITY for OS groups and IDs on a Queue Manager when run?
Back to top
View user's profile Send private message Send e-mail AIM Address
bruce2359
PostPosted: Mon Oct 26, 2020 6:18 am    Post subject: Reply with quote

Poobah

Joined: 05 Jan 2008
Posts: 9394
Location: US: west coast, almost. Otherwise, enroute.

Some worse than others. When you issue the REFRESH SECURITY TYPE(SSL) MQSC command, all running SSL channels are stopped and restarted. Sometimes SSL channels can take a long time to shut down and this means that the refresh operation takes some time to complete.

Most other are merely cache memory to memory moves.

IMHO, REFRESH SECURITY is like any other maintenance, and should be scheduled for least impact on production environment.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
Back to top
View user's profile Send private message
fjb_saper
PostPosted: Mon Oct 26, 2020 8:13 am    Post subject: Reply with quote

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

I thought it did not affect existing connections, only new connections.
This would mean that in order for the qmgr to recognize that somebody is no longer authorized you might have to forcibly terminate his connection...
Now this works for channels and qmgr connect authorization...

For MQ object access, it would probably apply to the next MQOPEN command, like when the user next issues the MQOpen command for a queue..., or tries the next MQGET or MQPUT operation...
_________________
MQ & Broker admin
Back to top
View user's profile Send private message Send e-mail
bruce2359
PostPosted: Mon Oct 26, 2020 9:29 am    Post subject: Reply with quote

Poobah

Joined: 05 Jan 2008
Posts: 9394
Location: US: west coast, almost. Otherwise, enroute.

Read here https://www.ibm.com/support/knowledgecenter/SSFKSJ_9.0.0/com.ibm.mq.ref.adm.doc/q086490_.htm

Quote:
In the case of a server-connection channel, the client application loses its connection to the queue manager and has to reconnect in order to continue.

_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
Back to top
View user's profile Send private message
gbaddeley
PostPosted: Mon Oct 26, 2020 2:20 pm    Post subject: Re: Refresh Security performance impact Reply with quote

Jedi

Joined: 25 Mar 2003
Posts: 2492
Location: Melbourne, Australia

bobbee wrote:
Generally asking, How expensive to performance is a REFRESH SECURITY for OS groups and IDs on a Queue Manager when run?

As mentioned in the knowledgecenter, refresh of AUTHSERV, CONNAUTH or CLASSES will remove all cached OS security information in the qmgr. This means that subsequent authorization checks will result in the qmgr calling OS or LDAP services to repopulated its cache of OS information as needed. I have never noticed any adverse performance issues when doing these types of refresh, and would have little hesitation running them on a busy production qmgr.
_________________
Glenn
Back to top
View user's profile Send private message
fjb_saper
PostPosted: Mon Oct 26, 2020 5:07 pm    Post subject: Reply with quote

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

bruce2359 wrote:
Read here https://www.ibm.com/support/knowledgecenter/SSFKSJ_9.0.0/com.ibm.mq.ref.adm.doc/q086490_.htm

Quote:
In the case of a server-connection channel, the client application loses its connection to the queue manager and has to reconnect in order to continue.

Bobee was not specifying TYPE(SSL). What if he only wanted to pickup a change in group membership?
_________________
MQ & Broker admin
Back to top
View user's profile Send private message Send e-mail
bruce2359
PostPosted: Mon Oct 26, 2020 5:20 pm    Post subject: Re: Refresh Security performance impact Reply with quote

Poobah

Joined: 05 Jan 2008
Posts: 9394
Location: US: west coast, almost. Otherwise, enroute.

fjb_saper wrote:
Bobee was not specifying TYPE(SSL). What if he only wanted to pickup a change in group membership?

She was asking for performance impact. SSL imposes one, the others are memory to memory.

gbaddeley wrote:
bobbee wrote:
Generally asking, How expensive to performance is a REFRESH SECURITY for OS groups and IDs on a Queue Manager when run?

As mentioned in the knowledgecenter, refresh of AUTHSERV, CONNAUTH or CLASSES will remove all cached OS security information in the qmgr. This means that subsequent authorization checks will result in the qmgr calling OS or LDAP services to repopulated its cache of OS information as needed. I have never noticed any adverse performance issues when doing these types of refresh, and would have little hesitation running them on a busy production qmgr.

The entire cached view of AUTHSERV and CONNAUTH will be removed (flushed), AND refreshed - in its entirety.
Quote:
[UNIX, Linux, Windows, IBM i]AUTHSERV
The list of authorizations held internally by the authorization services component is refreshed.
This is the default value.

Quote:
CONNAUTH
Refreshes the cached view of the configuration for connection authentication.

CLASSES is a z/OS (zed) thing. Individual Classes will be refreshed as needed.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
Back to top
View user's profile Send private message
hughson
PostPosted: Mon Oct 26, 2020 9:07 pm    Post subject: Re: Refresh Security performance impact Reply with quote

Padawan

Joined: 09 May 2013
Posts: 1914
Location: Bay of Plenty, New Zealand

bobbee wrote:
Generally asking, How expensive to performance is a REFRESH SECURITY for OS groups and IDs on a Queue Manager when run?

The actual act of REFRESH SECURITY TYPE(AUTHSERV), which the default type and the one that flushes the cache of OS groups for IDs on a queue manager, is not in itself expensive. It is merely a matter of the queue manager forgetting what it has cached.

What that means however, is that each time a new user ID attempts to connect to the queue manager or open a queue, and they will all be new after a refresh, the queue manager must ask the OS what groups that ID is in. How expensive that question is will depend on where the group memberships are stored (local OS versus remote LDAP or somewhere in between). The impact on the system will also depend on whether all these new lookups happen at exactly the same time, say 9am Monday morning, or whether they trickle in through the day.

Short answer: it depends

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
Back to top
View user's profile Send private message Visit poster's website
bruce2359
PostPosted: Tue Oct 27, 2020 1:19 pm    Post subject: Re: Refresh Security performance impact Reply with quote

Poobah

Joined: 05 Jan 2008
Posts: 9394
Location: US: west coast, almost. Otherwise, enroute.

hughson wrote:
bobbee wrote:
Generally asking, How expensive to performance is a REFRESH SECURITY for OS groups and IDs on a Queue Manager when run?

The actual act of REFRESH SECURITY TYPE(AUTHSERV), which the default type and the one that flushes the cache of OS groups for IDs on a queue manager, is not in itself expensive. It is merely a matter of the queue manager forgetting what it has cached.

What that means however, is that each time a new user ID attempts to connect to the queue manager or open a queue, and they will all be new after a refresh, the queue manager must ask the OS what groups that ID is in. How expensive that question is will depend on where the group memberships are stored (local OS versus remote LDAP or somewhere in between). The impact on the system will also depend on whether all these new lookups happen at exactly the same time, say 9am Monday morning, or whether they trickle in through the day.

Short answer: it depends

Cheers,
Morag

If REFRESH only discards held MQ cache, then all future individual requests for an authorization will cause an individual call to the OS/LDAP. My understanding has been that REFRESH causes cache to be discarded, followed immediately by a request to OS/LDAP for all knowledge about MQ and its object permissions in order to repopulate cache.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
Back to top
View user's profile Send private message
hughson
PostPosted: Tue Oct 27, 2020 2:40 pm    Post subject: Re: Refresh Security performance impact Reply with quote

Padawan

Joined: 09 May 2013
Posts: 1914
Location: Bay of Plenty, New Zealand

bruce2359 wrote:
hughson wrote:
bobbee wrote:
Generally asking, How expensive to performance is a REFRESH SECURITY for OS groups and IDs on a Queue Manager when run?

The actual act of REFRESH SECURITY TYPE(AUTHSERV), which the default type and the one that flushes the cache of OS groups for IDs on a queue manager, is not in itself expensive. It is merely a matter of the queue manager forgetting what it has cached.

What that means however, is that each time a new user ID attempts to connect to the queue manager or open a queue, and they will all be new after a refresh, the queue manager must ask the OS what groups that ID is in. How expensive that question is will depend on where the group memberships are stored (local OS versus remote LDAP or somewhere in between). The impact on the system will also depend on whether all these new lookups happen at exactly the same time, say 9am Monday morning, or whether they trickle in through the day.

Short answer: it depends

Cheers,
Morag

If REFRESH only discards held MQ cache, then all future individual requests for an authorization will cause an individual call to the OS/LDAP. My understanding has been that REFRESH causes cache to be discarded, followed immediately by a request to OS/LDAP for all knowledge about MQ and its object permissions in order to repopulate cache.

The cache in question is the memberships that OS/LDAP user IDs have in groups. The cache in question contains nothing about MQ objects or their permissions. There is no need to REFRESH SECURITY TYPE(AUTHSERV) if you have just added a new MQ authorisation to the OAM.

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
Back to top
View user's profile Send private message Visit poster's website
Display posts from previous:   
Post new topic  Reply to topic Page 1 of 1

MQSeries.net Forum Index » General IBM MQ Support » Refresh Security performance impact
Jump to:  



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP
 
 


Theme by Dustin Baccetti
Powered by phpBB © 2001, 2002 phpBB Group

Copyright © MQSeries.net. All rights reserved.