SPARC T3 Provides High Performance Security for Oracle WebLogic Applications
By 11111 on Sep 24, 2010
In this study, Oracle's SPARC T3-1 server was used to evaluate both SSL and overall application performance.
- Enabling on-chip acceleration for SSL scenarios delivered an overall application performance gain of 200% to 300%, SSL operations included, compared with WebLogic SSL running with no acceleration.
- More importantly, using Oracle Solaris KSSL as an SSL proxy provided an additional performance gain of about 25-30%, outperforming WebLogic server SSL configured with the SunPKCS11 provider for cryptographic acceleration.
- The results showed only a minor difference in overhead between the unsecured application and the on-chip cryptographic accelerated solution, which yielded tangible, immediate and cost-efficient results in the form of faster transactions and better response, all without adding any equipment costs, changes in power usage profiles or elaborate system configurations.
- Additionally, the results clarify the massive burden unaccelerated cryptographic workloads can have on a server.
As security has taken on unprecedented importance in all facets of the IT industry, organizations today are proactively adopting cryptographic mechanisms to protect their business information from unauthorized access and to ensure its confidentiality and integrity during transit and storage.
Cryptographic operations are heavily compute-intensive. They burden the host system with additional CPU cycles and network bandwidth, resulting in significant degradation of the overall throughput of the system and its hosted applications.
Oracle's T-series systems based on Oracle's SPARC T3 processor provide the industry's fastest on-chip hardware cryptographic capabilities to accelerate the following ciphers.
- AES (ECB, CBC, CTR, CCM, GCM, CFB)
- RSA, DSA
- Diffie-Hellman (key pair gen, derive)
- Elliptic Curve (ECDH, ECDSA, key pair gen)
- MD5, SHA1, SHA256, SHA384, SHA512
- Hardware RNG
- "The Intel AES-NI consists of seven instructions. Six of them offer full hardware support for AES. Four instructions support AES encryption and decryption, and the other two instructions support AES key expansion. The seventh aids in carry-less multiplication. The AES instructions have the flexibility to support all usages of AES, including all standard key lengths, standard modes of operation, and even some nonstandard or future variants." Reference
- Further, Westmere's AES-NI instructions are not hypervisor aware: VM guests do not use the feature when given workloads, and Java Cryptography Extensions do not provide an AES-NI library.
The following graph represents the SSL operations performance characteristics of the following WebLogic SSL scenarios.
- KSSL used as the SSL proxy, with a Sun Software PKCS#11 Softtoken based keystore. By default on Oracle T-series servers, KSSL automatically uses NCP and N2CP for cryptographic acceleration.
- WebLogic Managed Server SSL listener configured with a JKS keystore and using the SunPKCS11 provider to enable T-series cryptographic acceleration.
- WebLogic Managed Server configured to use SSL (with no SunPKCS11 provider for cryptographic acceleration).
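The second and third scenarios differ only in whether the JVM's cryptographic operations are routed through a SunPKCS11 provider, so it is worth confirming which provider the JCA actually selects. The following check is an added example, not code from the original post; the class name `ProviderCheck` and the chosen transformations are assumptions, and it should be run with the same JVM and `java.security` settings as the managed server.

```java
import java.security.*;
import java.util.*;
import javax.crypto.*;

public class ProviderCheck {
    // Resolve the provider the JCA picks once a key is supplied. Selection is
    // delayed until init(), so every object is initialised before it is queried.
    static Map<String, Provider> resolve() throws GeneralSecurityException {
        Map<String, Provider> used = new LinkedHashMap<>();

        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        Cipher aes = Cipher.getInstance("AES/CBC/PKCS5Padding");
        aes.init(Cipher.ENCRYPT_MODE, kg.generateKey());
        used.put("Cipher AES/CBC/PKCS5Padding", aes.getProvider());

        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair rsa = kpg.generateKeyPair();
        Cipher rsaCipher = Cipher.getInstance("RSA/ECB/PKCS1Padding");
        rsaCipher.init(Cipher.DECRYPT_MODE, rsa.getPrivate());
        used.put("Cipher RSA/ECB/PKCS1Padding", rsaCipher.getProvider());

        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(rsa.getPrivate());
        used.put("Signature SHA256withRSA", sig.getProvider());

        used.put("MessageDigest SHA-256", MessageDigest.getInstance("SHA-256").getProvider());
        used.put("SecureRandom", new SecureRandom().getProvider());
        return used;
    }

    public static void main(String[] args) throws GeneralSecurityException {
        System.out.println("Provider order:");
        for (Provider p : Security.getProviders()) System.out.println("  " + p.getName());

        // Assumption: SunPKCS11 providers are named "SunPKCS11-<config name>".
        boolean allViaPkcs11 = true;
        for (Map.Entry<String, Provider> e : resolve().entrySet()) {
            String name = e.getValue().getName();
            boolean pkcs11 = name.startsWith("SunPKCS11");
            allViaPkcs11 &= pkcs11;
            System.out.printf("%-30s %-22s %s%n", e.getKey(), name, pkcs11 ? "PKCS#11" : "software");
        }
        System.exit(allViaPkcs11 ? 0 : 1); // non-zero when any primitive stays in software
    }
}
```

A "PKCS#11" result only shows that the call leaves the JVM through the PKCS#11 provider; whether the hardware then services it is decided by the underlying token.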
The following graph represents the overall performance characteristics before and after using T-series systems based cryptographic acceleration and demonstrates the effect of cryptographic overheads on the application. The tests ran the existing setup described in Scenario 1 above.
Results and Configuration Summary
Oracle WebLogic server 10.3.3
HP LoadRunner was used as the load driver for deriving SSL performance, simulating from 100 to 1000 concurrent users for this test. The tests ran a Java EE/JAX-WS Web Services application using a 500k XML payload (sample application bundled with WebLogic 10.3.3) deployed on Oracle WebLogic server 10.3.3 running on the SPARC T3-1 server.
The tests ran using the existing setup described in Scenario 1. Apache JMeter was used as the load driver for driving the workload, simulating 1000 concurrent users ramped up in increments of 10 users per minute until reaching 1000 users. Each user queried the web application as many times as possible per minute, clearing caches in between. Once 1000 concurrent users were reached, the workload was sustained for 10 minutes. The load test run captured numbers for three key aspects of any web transaction: Throughput (or Peak Transfer), Hits per second and Tests per minute. This JMeter load test was not intended to push the upper limits of the server but rather to demonstrate the overheads of cryptography at a reasonable load and the effects of using hardware-assisted cryptographic acceleration.
Another New AES Attack (blog discussing tradeoffs between AES-128 and AES-256)
Copyright 2010, Oracle and/or its affiliates. All rights reserved. Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners. Results as of 9/20/2010.