Donnerstag Mai 24, 2012

OVM Server for SPARC 2.2 released!

The long awaited new version 2.2 of Oracle VM Server for SPARC has been released!  Without repeating all the things mentioned elsewhere, here the main points:

There's a good summary at the Oracle Virtualization Blog. And of course, there's the official documentation:

Happy virtualizing!

Montag Mai 14, 2012

Benchware Test of T4

There's a rather thorough performance comparison between an M5000 and a T4-2 that I can only recommend to anyone still wondering if those TPC-H world records are really possible:

Find the test report on the Benchware website - look for T4 in the "Benchmark" section.

And of course, check out the TPC-H results, too.  Look for 1000GB and 3000GB ;-)

(No, I didn't transfer to marketing.  I just think this test is worth being mentioned on a blog that's about performance, among other things.)

Donnerstag Mai 10, 2012

T4 Crypto Cheat Sheet

In an earlier post, I already mentioned what's needed to make use of T4 crypto acceleration for Oracle TDE.  This hasn't changed - the patch for Solaris 10 is still under development.  However, there are of course other usecases for hardware crypto on T4.  Since the code path to this functionality has changed considerably from earlier CPUs, there have also been some changes in how it's used and observed.  Here's a short summary of these changes.

Using it:

 Feature / Software consumer
 T3 and before*
 T4 / Solaris 10
T4 / Solaris 11
 SSH

Automatically enabled with Solaris 10 5/09 and later.

Disable/Enable with "UseOpenSSLEngine" clause in /etc/ssh/sshd_config

Requires patch 147707-01

Disable/Enable with "UseOpenSSLEngine" clause in /etc/ssh/sshd_config

Automatically enabled.

Disable/Enable with "UseOpenSSLEngine" clause in /etc/ssh/sshd_config

 Java / JCE

Automatically enabled. 

Configure in $JAVA_HOME/jre/lib/security/java.security

Automatically enabled. 

Configure in $JAVA_HOME/jre/lib/security/java.security

Automatically enabled. 

Configure in $JAVA_HOME/jre/lib/security/java.security

 ZFS Crypto
Not available
Not available
HW crypto automatically enabled if dataset encrypted.
 IPsec

Automatically enabled. 

Automatically enabled. 

Automatically enabled. 

OpenSSL

Use "-engine pkcs11"

Requires patch 147707-01

Use "-engine pkcs11"

The engine "t4" is automatically used.  Optionally use "-engine pkcs11".

pkcs11 recommended for RSA/DSA at this time.

KSSL (Kernel SSL proxy)

Automatically enabled. 

Automatically enabled. 

Automatically enabled. 

Oracle TDE

Not supported

Pending patch

Automatically enabled with Oracle DB 11.2.0.3 and ASO

Apache SSL
Configure with "SSLCryptoDevice pkcs11"
Configure with "SSLCryptoDevice pkcs11"
Configure with "SSLCryptoDevice pkcs11"
Logical Domains
Assign crypto units to domains.
Functionality always available, no configuration required.
Functionality always available, no configuration required.

* T1 CPUs do not support symetric ciphers like AES.  Consumers like SSH will therefore use software crypto on T1.

Observability:
  • Note that unlike T3 and before, T4 crypto doesn't require kernel modules like ncp or n2cp, there is no visibility of crypto hardware with kstats or cryptoadm.  
  • T4 does provide hardware counters for crypto operations.  You can see these using cpustat:
    cpustat -c pic0=Instr_FGU_crypto 5
    
  • You can check the availability of the openssl engine with the command "openssl engine", and the general crypto support of the hardware and OS with the command "isainfo -v".
  • Since T4 crypto's implementation now allows direct userland access, there are no "crypto units" visible to cryptoadm.   For the same reason, there are no "crypto units" visible in LDoms Manager.  In LDoms, the functionality is always available and does not need to be configured separately.  Note that you should have the latest LDoms Manager Patch 147507 installed.
Additional Reading:
About

Neuigkeiten, Tipps und Wissenswertes rund um SPARC, CMT, Performance und ihre Analyse sowie Erfahrungen mit Solaris auf dem Server und dem Laptop.

This is a bilingual blog (most of the time). Please select your prefered language:
.
The views expressed on this blog are my own and do not necessarily reflect the views of Oracle.

Search

Categories
Archives
« May 2012 »
SunMonTueWedThuFriSat
 
1
2
3
4
5
6
7
8
9
11
12
13
15
16
17
18
19
20
21
22
23
25
26
27
28
29
30
31
   
       
Today