Wednesday Apr 24, 2013

Solaris 11 and Payment Card Industry (PCI) security compliance

See Lynn Rorher's blog about Oracle's newly published white paper discussing how Solaris 11 enabled security for the payment card industry.

Tuesday Apr 23, 2013

Solaris 11 outperforms RHEL 6 on 2 socket Intel servers

As a longtime Sun employee, I've often heard the term "Slow-laris" applied to Oracle's premier Unix operating system.  Most frequently this was in comparison to the Linux OS running on small two-socket servers.  I will admit that in the Solaris 8 and 9 timeframe engineering decisions were made to benefit scalability to 64 sockets that sometimes penalized smaller servers.  In addition, because of Solaris's long history and derivation from AT&T and BSD Unix code, there was undoubtedly a bit of code labeled, "if it ain't broke, don't fix it."  With the advent of Solaris 10 and Dynamic Tracing (DTrace), we actually hunted down and killed a number of those legacy code segments using a new philosophy labeled internally, "If Solaris is slower than Linux on the same hardware, it's a bug."

As a result, Solaris 11 provides higher performance than Red Hat Enterprise Linux 6.3 on basically identical 2 socket hardware as measured by the SPECjbb benchmark.  According to SPEC:

The SPECjbb2013 benchmark has been developed from the ground up to measure performance based on the latest Java application features. It is relevant to all audiences who are interested in Java server performance, including JVM vendors, hardware developers, Java application developers, researchers and members of the academic community.

Java is one of the predominant enterprise programming environments for mission critical applications and many of Oracle's products are written in Java.

This chart from the SPECjbb site shows the performance of our X3-2 Intel-based server with 16 cores and 128 GB of RAM running Solaris 11.1.  The X3-2 tested features the Intel E5-2690 CPU @ 2.9 GHz.

X3-2 Chart

By comparison, an HP ML350P with the identical Intel chip and clock speed running RHEL 6.3 produces this chart.  Clearly, Solaris 11 produces a smoother response curve with higher numbers for both MaxjOPS and Critical jOPS.  In addition, the X3-2 system requires only 1 rack unit vs. 4 rack units for the HP model, reducing data center requirements.

HP Chart

 To summarize, Solaris is faster than RHEL 6 on small servers and more scalable and responsive on large servers including our SPARC T5 servers.

At the same time, it provides virtualization, security and availability features unavailable on RHEL including:

  • Solaris zones
  • Network virtualization
  • ZFS file system
  • Dynamic Tracing
  • Predictive self-healing
  • Service Management Facility
  • Trusted Extensions 
  • Image packaging system

See more at:

  • Jeff Victor's blog
  • Oracle's Performance Blog
  • SPEC and the benchmark name SPECjbb are registered trademarks of Standard Performance Evaluation Corporation (SPEC). Results as of 4/22/2013, see http://www.spec.org for more information.
  • SPARC T5-2 75,658 SPECjbb2013-MultiJVM max-jOPS, 23,334 SPECjbb2013-MultiJVM critical-jOPS. Sun Server X2-4 65,211 SPECjbb2013-MultiJVM max-jOPS, 22,057 SPECjbb2013-MultiJVM critical-jOPS. Sun Server X3-2 41,954 SPECjbb2013-MultiJVM max-jOPS, 13,305 SPECjbb2013-MultiJVM critical-jOPS. SPARC T4-2 34,804 SPECjbb2013-MultiJVM max-jOPS, 10,101 SPECjbb2013-MultiJVM critical-jOPS. HP ProLiant DL560p Gen8 66,007 SPECjbb2013-MultiJVM max-jOPS, 16,577 SPECjbb2013-MultiJVM critical-jOPS. HP ProLiant ML350p Gen8 40,047 SPECjbb2013-MultiJVM max-jOPS, 12,308 SPECjbb2013-MultiJVM critical-jOPS. Supermicro X8DTN+ 20,977 SPECjbb2013-MultiJVM max-jOPS, 6,188 SPECjbb2013-MultiJVM critical-jOPS. HP ProLiant ML310e Gen8 12,315 SPECjbb2013-MultiJVM max-jOPS, 2,908 SPECjbb2013-MultiJVM critical-jOPS. Intel R1304BT 6,198 SPECjbb2013-MultiJVM max-jOPS, 1,722 SPECjbb2013-MultiJVM critical-jOPS.


Solaris 11 provides smooth, scalable performance on SPECjbb 2013

Oracle released SPEC Benchmark results for the T5-2 and X2-4 processor using the SPECjbb 2013 benchmark. Who would be interested in SPECjbb performance? According to SPEC:

The SPECjbb2013 benchmark has been developed from the ground up to measure performance based on the latest Java application features. It is relevant to all audiences who are interested in Java server performance, including JVM vendors, hardware developers, Java application developers, researchers and members of the academic community. 

Jeff Victor has posted an excellent comparison of the T5 SPECjbb performance to our competitors on a per-core basis.  To me, the charts tell the biggest part of the story.  Oracle's Solaris 11 on both SPARC and X86 shows smooth scaling with excellent response times over a wide range of transaction counts.

First, let's look at the results for the SPARC T5-2 server with 2 CPU sockets and 32 cores.  The vertical axis marks "response time" so a lower number is better.  The horizontal axis is the number of Java operations being performed.  The blue dots indicate the median response time at each level of operations being processed.  Notice how Solaris 11 and the SPARC hardware provide smooth, predictable performance up through 60,000 jOPS.


T5-2 Chart

 Now let's look at Oracle's X2-4 Intel based system also running Solaris 11.  The X2-4 has 4 CPU chips with 40 total cores.  Here Solaris 11 also provides smooth scaling of performance.

X2-4 chart

For comparison, I've also selected HP's most powerful Intel-based server, the DL980, with 8 CPUs and 80 cores.  This system, however, is running Red Hat Enterprise Linux 6.3.  On this chart you will see that RHEL 6 takes a dive in median response time shortly after 27,000 jOPS. Response time degrades from 10 milliseconds to 100 milliseconds at around 27,000 jOPS.  Oracle's T5-2 stays below 100 milliseconds all the way to about 62,000 jOPS. Also note how the minimum response times fall apart at around 20,000 jOPS where the T5-2 stays consistent through 57,000 jOPS.

While admittedly, the 80 core DL980 reaches a higher total MaxjOPS throughput number than the 32 core T5-2, the Solaris 11 based system provides smoother scalability in a 2 socket system that requires only three rack units of space.  If that's not enough horsepower, we also offer a T5-4 and T5-8 system.  Need more?  Our M5-32 data center server scales to 32 sockets, 192 cores and 1536 threads. The M5-32 also supports up to 32 TB of RAM. All support our no cost Logical Domains virtualization capability.

HP DL980 Chart

Summary:

 If you want a proven, enterprise class, scalable OS for SPARC (from Oracle or Fujitsu) or X86 based platforms (from Oracle or many third party vendors), choose Solaris 11.  Predictability in response time is important to your enterprise customers.

All Oracle servers under Premier Support for systems include:

  • 7 x 24 on-site hardware support
  • Solaris (SPARC or X86), Oracle Linux (x86 only) and Oracle VM support (SPARC or X86)
  • Integrated Lights out Management
  • Oracle Enterprise Manager Ops Center support 

For more information on recent SPARC T5 world records, see https://blogs.oracle.com/BestPerf/.


Monday Apr 15, 2013

DoD customer receives authority to operate SPARC SuperCluster

Recently, one of our good U.S. DoD customers purchased a SPARC SuperCluster system and received their "Interim Authority to Operate" on the DoD network.  Why is this a big deal?  First, allow me to provide an overview of the SPARC SuperCluster system.

SPARC SuperCluster is a relatively new engineered system from Oracle consisting of:

This engineered system is designed to provide extremely high performance on database and applications while also reducing "time to mission" and cost of operations.  Because it is engineered in the factory by Oracle, it reduces the amount of vendor finger pointing, tuning, integration and incompatibilities.  It is also 100% compatible with Solaris/SPARC applications written for Solaris 11, 10, 9 and 8.

Getting the authority to operate on a DoD network means that our customer showed to their security auditors that they can properly and securely operate this large, complex, virtualized super-server in compliance with DoD standards. 

To my knowledge, this is the first instance of Solaris 11 being accredited in the US DoD.  As readers of my blog may know, the Defense Information Systems Agency (DISA) creates Security Technical Implementation Guides (STIGs) for various products and technologies.  You can find the Solaris 10 STIG documents at the DISA site, for example.  There is currently no DISA STIG document written for Solaris 11 although I am working to create one with DISA.  Because they are going through a lengthy transition from scripted compliance auditing to SCAP based auditing, the STIG for Solaris 11 is being re-written from scratch using their new Security Resource Guide for Operating systems as a baseline requirement.  Watch this site for updates on the Solaris 11 STIG process.

If there is no STIG for Solaris 11, how did this customer complete their accreditation?  DISA's guidance has always been, "In the absence of a DISA provided STIG, the customer may use vendor or industry recommended security practices." There are several resources publicly available for Solaris 11 and the SPARC SuperCluster:

In addition, with the help of my colleague, Kevin Rohan, I have been able to provide customers with two additional resources:

  • A spreadsheet mapping the current Solaris 10 STIG to Solaris 11 features
  • A set of scripts that can be used to configure the most common security settings.  These tools take advantage of advanced Solaris 11 features such as alternate boot environments, Image Packaging System (IPS) and Service Management Facility (SMF).

These tools are available from the Oracle DoD hardware sales team and not publicly posted at this time.

To summarize, I would like to remind our customers that:

  • A DISA STIG is not required to complete accreditation.
  • Solaris 11 and the SPARC SuperCluster have received an IATO from the DoD.
  • Other DoD customers have received accreditation for Exadata, Exalogic and Database Appliance engineered systems
  • Oracle can provide support to help you complete accreditation for SuperCluster, Exadata, Exalogic and Oracle Database Appliance.
  • Oracle's Engineered systems can help you reduce costs, speed time to mission and simplify your operations.

Please contact me: jim dot laurent at oracle dot com for additional information.

FAQ: Is Solaris 11 "approved for use" in the US DoD?

Because of my work with the US DoD and Defense Information Systems Agency (DISA), I get asked this question all the time from Oracle employees as well as customers.

  • Is Oracle XYZ server or operating system on the DISA approved products list?

MYTH

There is a single organization in the Government/DoD that approves products for use.

REALITY

Although DISA has a Unified Capabilities Certification Office (UCCO), I asked them the question directly and their response was: "Although there is a Category Holder for Servers on the UC APL webpage, Servers do not fall into the scope of the UCR nor do they fall into an existing product category.  This product can be purchased without an UC APL listing; however site certification and accreditation for IA must be met in the field."

Each customer or funded program goes through its own approval and accreditation process.  There is no single approver.  A program or agency has an assigned DAA (Designated Approving Authority) who's responsible for the security posture of  the entire program.  This includes reviewing the policies, people, products and procedures (4P) that are put in place.  This person signs his name on the line asserting that all reasonable actions have been taken to make the system secure in line with the job that it does.  This may include items like electro-magnetic shielding, encryption, firewalls as well as operating systems, password rules and auditing.  An accounting system gets a different amount of scrutiny than an intelligence gathering or combat system.

I can tell you from personal experience that Solaris 10 and 11 with Zones and Oracle VM for SPARC (aka LDOMs) are currently deployed in the US DoD.

Why you should care.

Many government contractors or employees believe that they can't use a product unless it's on some approved list.  In most cases products can be used if sufficient rigor is applied and the DAA can be convinced that the system is secure.  Solaris 10 and 11 provide a wide variety of security features that make this easier today than ever before.


About

Jim Laurent is an Oracle Sales consultant based in Reston, Virginia. He supports US DoD customers as part of the North American Public Sector hardware organization. With over 17 years experience at Sun and Oracle, he specializes in Solaris and server technologies. Prior to Oracle, Jim worked 11 years for Gould Computer Systems (later known as Encore).
