Speed up your SSL operation for IBM HTTP Server on Ultra SPARC T2 systems

Some time back we published a Sun Blueprint (Accelerating IBM HTTP Server Cryptographic Operations Using Sun Servers with CoolThreads Technology) detailing the steps needed to get your IBM HTTP Server to use the on-chip crypto processor on Ultra SPARC T2 based systems for SSL operations. This gives SSL operations a free boost without buying additional hardware for them.
The documentation lists all the steps needed to get your IBM HTTP Server and GSKit working with the on-chip crypto module on the Ultra SPARC T2 processor. In addition to configuration, it also has results from some of the performance testing that was done to measure the performance gain. Your mileage may vary depending on your type of workload, but if you are making a lot of new client connections and serving "HTTPS" traffic, then this is something available to you for free that you will want to consider. It will help take care of your SSL handshake operations.
Another important aspect of this is that GSKit is a common library that IBM uses in a lot of products. As is evident from the name, Global Security Kit, it is a security-related implementation to be used across different products, such as PKCS#11 or so. Some more details can be found in my prior blog post about GSKit. This implies that if you want to hook up with a PKCS#11 provider and take advantage of on-chip cryptography for other products, that can be done too. Note that this integration happened at a certain level of IBM HTTP Server, so it requires a certain version of GSKit embedded with the product for which you want to take advantage of it.


Comments:

If you should get a chance to refresh the Document about IBM HTTP SERVER + UltraSparc, there are a few clarifications that might help:

1) after creating the new (non-nobody) userid/group, configure the User and Group directives in $IHSROOT/conf/httpd.conf. Without this, the webserver child processes can't access the soft-token files.

2) The "Sun Metaslot" must be enabled on the system via "cryptoadm enable metaslot"

3) all *.kdb references should be "secondary.kdb" -- some "key.kdb" references snuck in (default filename)

Posted by Eric Covener on July 08, 2009 at 11:18 PM PDT #

Dileep,

As we tested, the IHS Server using the GSKit implementation for accessing Niagara crypto doesn't address the complete SSL operation. GSKit is limited to RSA operations and it ignores the bulk encryption and hashing. I spoke to my IHS contact; he suggests there is a limitation with previous releases of GSKit. They updated GSKit to include newer algorithms in WebSphere 7.0 and up, but I didn't see that your document captures those changes?

Thanks in advance.

Posted by Mukund Srinivasan on October 26, 2009 at 01:22 PM PDT #


Dileep,

Please note, SSL also includes operations requiring session-key based encryption and hashing. As I followed your docs, the GSKit/IHS config did not delegate those symmetric-key operations. Besides RSA, you did not delegate AES and SHA-1 operations of SSL. This means 50% of SSL operations are performed by GSKit libraries.

Have you figured out the alternative?

Michael

Posted by Michael Watkins on March 13, 2010 at 11:22 AM PST #

Michael Watkins did you get any responses????

Posted by Tony McDougal on April 05, 2010 at 10:23 PM PDT #

