Monday Apr 18, 2016

IBM Software Products and SPARC Hardware Encryption: Update

Last December, we told you about IBM's GSKit and how it now allows several popular IBM products seamless access to Oracle SPARC hardware encryption capabilities. We thought we'd create a quick Springtime update of that information for our partners and customers.

Obtaining The Proper Version of GSKit

GSKit is bundled with each product that makes use of it; over time, new product releases will incorporate GSKit v8 by default. Until then, the latest GSKit v8 for SPARC/Solaris is available on IBM Fix Central, for download and upgrade into existing products. Installation instructions can be found here.

The support described above is available in GSKit v8.0.50.52 and later. As of April, 2016, the latest GSKit v8.0.50.59 is available for download from Fix Central.

IBM Products that currently make use of GSKit v8 on Solaris (and therefore could take advantage of SPARC on-chip data encryption automatically) include (but are not limited to):

 Product Versions w/bundled GSKit v8.0.50.52 or later Versions requiring manual update of GSKit
DB2 v9.7 FP11, v10.1 FP5, v10.5 FP7
HTTP Server iFix available for v8.0 and v8.5
Security Directory Server (fka Tivoli Directory Server)
v6.3 and later certified with GSKit 8.0.50.59
Informix IDS v11.70 and v12.10 fix available which updates to GSKit 8.0.50.57
Cognos BI Server v10.2.2 IF008 and later
Spectrum Protect (fka Tivoli Storage Manager) v7.1.5 and later
WebSphere MQ v8 Fix Pack 8.0.0.4 and later

Determining Current GSKit Version

  • $ /opt/ibm/gsk8/bin/gsk8ver # 32-bit version
  • $ /opt/ibm/gsk8_64/bin/gsk8ver_64 # 64-bit version

Wednesday Feb 03, 2016

IBM Java Applications Taking Advantage of SPARC Hardware Encryption

We’ve been talking recently about IBM’s GSKit, through which many IBM applications can automatically take advantage of SPARC Hardware Encryption (including the latest SPARC M7-based systems). We’ve since been asked whether this was also possible for Java-based IBM applications (such as WebSphere Application Server) or other applications written against IBM’s SDK Java Technology Edition to take similar advantage. This post is written to help answer those questions.

What is the IBM SDK?
IBM has traditionally licensed Oracle’s Java Runtime Environment and Java Developer Kit, modified it slightly, and released it as the IBM SDK. This combination of Java Runtime and Developer Kit is designed to support many IBM products, and can also be used for new development (although the recommended Java platform on Solaris is Oracle’s own Java Runtime Environment and Java Developer Kit). Oracle Solaris ships with both Java 7 and Java 8, but most IBM apps include the Java 7 version of their SDK.

What is the Advantage of Using Hardware Cryptography on SPARC?
Sometimes quite a bit, depending on the size of the chunks of data being encrypted and decrypted. Take this simple Java program, which does an adequate (if somewhat artificial) job at demonstrating the use of Hardware Crypto from Java:


This code simply creates an array of random data of size specified at runtime, and then encrypts using the common AES128 cypher. This algorithm happens to be one of the many accelerated by recent SPARC CPUs. When run on out-of-the-box Oracle and IBM implementations of Java 7 on SPARC, we can see the advantage to the code taking advantage of SPARC hardware crypto:



Figure 1: AES128 Encryption on SPARC M7 (no workaround)

Again, this is a very artificial test case used to make a point.The benefit from hardware acceleration will vary by workload and use case, but the key point to keep in mind is that this hardware assist is always available on SPARC M7 (the differences are proportional on SPARC T4 and T5). In those cases where it makes a difference, one should make an effort to take advantage of it.

Whither WebSphere Application Server?

IBM WebSphere Application Server v8, like other J2EE application servers, is written in Java, and could therefore in theory take advantage of the workaround described in the next section. But you don’t have to go with an unsupported solution for WAS, because Best Practice is usually to stand up the IBM’s included HTTP Server in front of WAS, and HTTP Server is built with GSKit 8. Check to see that the version of HTTP Server you use with WAS v8 supports SPARC hardware encryption – if so, you’re good to go!

How To Make Use of SPARC Hardware Crypto from IBM Java
Central to the Java Cryptography Architecture is the notion of JCA Providers, which allow developers to create and ship security mechanisms which can ‘plug-in’ to a Java Runtime via well-defined APIs. All Java runtimes ship with a default set of providers, usually found in the instance’s java.security file. Since Java 7, the OracleUcrypto provider has been provided in Solaris releases of Java, specifically to interface with the underlying Solaris Ucrypto library (part of the Solaris Cryptographic Framework). On platforms based on SPARC T4, T5, M5, M6 and M7 CPUs, the Ucrypto library automatically takes advantage of any available underlying SPARC hardware cryptography features.

Those developing Java applications on Solaris with Oracle’s implementation of Java will find that this functionality is available by default on SPARC; in fact, the OracleUcrypto provider has the highest priority in the instance’s java.security file. Here’s an excerpt from the default java.security file in Oracle JDK 1.7:



As mentioned above, Oracle’s Java implementations are recommended on Solaris, but for those developers who must make use of the IBM SDK, you’ll notice that the IBM version of the
java.security file is not quite the same as that above. In fact, it is missing the OracleUcrypto provider:



What, then, can a developer do to reproduce the desired functionality?

1) The Officially-Supported Solution

Build and deploy against Solaris 11’s built-in Oracle JDK and JRE.

2) The Currently-Unsupported Solution

As you might have already surmised, Java’s Security Provider mechanism allows for quick and easy addition or substitution of additional Crypto providers (in the cases of third-party cryptographic hardware modules. By adding the UcryptoProvider to IBM’s java.security file, Java executables will get that provider and the advantage it gives. Note: these instructions are correct for Java 7/SDK 7, but have not been tested on other major releases of Java:

Step 1: Add ucrypto-solaris.cfg to lib/security
Copy the ucrypto-solaris.cfg file from the Oracle Java 7 instance (in jre/lib/security) to the lib/security directory in the IBM SDK instance.

Step 2: Add UcryptoProvider as the first entry in the IBM lib/security/java.security file
Assuming
you add to the top of the list, and keep the existing providers, the file above would end up looking as follows:


3) The (Hopefully) Future-Supported Solution

The above workaround does indeed work, but it’s not yet supported by IBM. That’s not to say we’ve not asked for it – we’ve submitted a feature request with IBM, and the good news is that any IBM customer who would also like to see this (perhaps you?) can upvote it now!


[Link to Java code snippet above] 

Tuesday Dec 08, 2015

IBM GSKit Supports SPARC M7 Hardware Encryption

Oracle and IBM have a very close working relationship running IBM software on Oracle hardware. One of the recent results of this collaboration is the announcement by IBM that its GSKit v8 now supports SPARC M7 hardware encryption (as well as SPARC T4 and T5 processors). This, in turn, means that several IBM software products can now make use of on-chip SPARC hardware encryption today, automatically, without significant performance impact

What Is GSKit?

The IBM Global Security Kit (aka GSKit) is not a product offering in itself, but instead a security framework used by many IBM software products for its cryptographic and SSL/TLS capabilities. Example IBM products making use of GSKit today include DB2, Informix, IBM HTTP Server and WebSphere MQ. This latest version of GSKit ( aka "IBM Crypto for C" ), version 8, was validated as a FIPS 140-2 Cryptographic Module within the past earlier this year.

Obtaining The Proper Version of GSKit

GSKit is bundled with each product that makes use of it; over time, new product releases will incorporate GSKit v8 by default. Until then, the latest GSKit v8 for SPARC/Solaris is available on IBM Fix Central, for download and upgrade into existing products. Installation instructions can be found here.

The support described above is available in GSKit v8.0.50.52 and later. As of this writing, the latest GSKit v8.0.50.55 is available for download from Fix Central.

IBM Products that currently make use of GSKit v8 on Solaris (and therefore could take advantage of SPARC on-chip data encryption automatically) include (but are not limited to):

Determining Current GSKit Version

  • $ /opt/ibm/gsk8/bin/gsk8ver # 32-bit version
  • $ /opt/ibm/gsk8_64/bin/gsk8ver_64 # 64-bit version

What This Means

In many cases (such as SSL/TLS over-the-wire communication), products using the proper version of GSKit on Solaris/SPARC will automatically take advantage of hardware encryption. Situations with larger client-server packets will benefit more than those with small packet sizes.  

This will allow these products to make use of the increased security that encryption offers with extremely low performance overhead (something that is not possible with software-only crypto or hardware crypto on other platforms).

Because each of these IBM products has specific use cases, we'll cover more details for each in future blogs.

Monday Oct 26, 2015

New SAP-SD 2-Tier 1-node Benchmark Record on SPARC T7-2

Today Oracle announced an all-new family of SPARC systems with new dramatic advancements in memory protection, encryption acceleration, and in-memory database processing.

A new record result of 30,800 SAP-SD users for the SAP Sales and Distribution (SD) Standard Application benchmark has been published for one of the small servers in this family, the SPARC T7-2 server with 2 processors / 64 cores / 512 threads, SPARC M7 4.133 GHz, 16 KB (D) and 16 KB (I) L1 cache per core, 256 KB (D) L2 cache per 2 cores and 256KB (I) per 4 cores, 64 MB L3 cache per processor, and 1024 GB main memory. 

Comparing this result to other SAP SD results* shows the new SPARC M7 to be:

  • SPARC M7 1.9x faster per chip than x86 E5 v3 (Haswell)
  • 2-chip SPARC M7 nearly same performance as 4-chip x68 E7 v3
  • SPARC M7 2.9x faster per chip than IBM Power8 (6c)

The SAP SD benchmark results can be found here.    

* Results as of Oct. 26, 2015. Source: SAP, www.sap.com/benchmark.  The following two-tier SAP Sales and Distribution (SD) application benchmarks have been certified with SAP enhancement package 5 for SAP ERP 6.0: SPARC T7-2, 2 processors / 64 cores / 512 threads, SPARC M7 4.133 GHz, 30,800 SD users, 168,600 SAPS, Solaris 11, Oracle 12c, 1 TB main memory. Certification Number: 2015050. Dell PowerEdge R730, 2 Processors / 36 Cores / 72 Threads, Intel Xeon Processor E5-2699 v3, 2.3 GHz, 16500 SD Users, 90120 SAPS, Red Hat Enterprise Linux 7, SAP ASE 16, 262 GByte main memory. Certification Number: 2014033. IBM Power System S824, 4 Processors / 24 Cores / 192 Threads, POWER8, 3.52 GHz, 21212 SD Users, 115870 SAPS, AIX 7.1, DB2 10.5, 524 Gbyte main memory. Certification Number: 2014045


Friday May 22, 2015

Tivoli Storage Manager Supports Solaris 11.2


IBM recently announced support for Tivoli Storage Manager on Solaris 11.2. TSM Client is supported on both SPARC and X86, while TSM Server is supported only on SPARC.

This support is available in v7.1.1.200 of the product.

Tuesday Oct 14, 2014

DB2 v10.5 Now Supports Solaris 11 (SPARC)

IBM has released a fixpack for DB2 v10.5 which provides Solaris 11 support on SPARC-based servers.

D
B2 Cancun Release 10.5.0.4 (also known as v10.5 fixpack 4) is now available for Solaris users via all supported distribution channels from IBM.

Monday Jun 09, 2014

DB2 v10.1 Now Supports Solaris 11 (SPARC)

IBM has just released a fixpack for DB2 v10.1 which provides Solaris 11 support. Per the IBM DB2 support statement for Solaris:

Support for Oracle Solaris 11.1 was added as of DB2 v10.1 fixpack 4, released May 23rd, 2014. The DB2 v10.1 Information Centre does not yet reflect this change. Plans for DB2 v10.5 will be announced at a later date.

DB2 on Solaris 11 is supported on SPARC only. At this time there are no announced plans to support Solaris 11 for x64 platforms, or versions of DB2 prior to v10.1.

This fixpack is now available for Solaris users via all supported distribution channels from IBM.

Friday Apr 04, 2014

IBM Supports Websphere Message Broker 8 on Solaris 11 (SPARC, x86)

IBM supports Websphere Message Broker 8.0.0.4 on Solaris 11 (SPARC, x64).  See         

IBM Software Product Compatibility Report for details.



New World Records for SAP SD benchmarks on Oracle SPARC/Solaris


Oracle SPARC Servers have produced amazing results setting a new 32-processor systems world record for the SAP SD benchmark. These results attest to the power of the SPARC architecture and the unique scalability of Oracle Solaris. Customers running SAP on Oracle servers can leverage such performance to consolidate workloads and dramatically reduce data center costs.

The SAP SD Standard Application Benchmark is a two-tier ERP business test that is indicative of full business workloads of complete order processing and invoice processing, and demonstrates the ability to run both the application and database software on a single system. It represents the critical tasks performed in real-world ERP business environments and it's the benchmark most widely used by SAP customers.

World Record for 32 processors:

Oracle's SPARC M6-32 server produced a world record result for 32 processors beating the IBM Power 795 32-chip system results.
  • The SPARC M6-32 server with 32 processors, 384 cores, and 3,072 threads achieved two-tier results of 793,390 SAPs with 140,000 users on the SAP Standard Application (SD) Benchmark using SAP enhancement package 5 for SAP ERP 6.0 running on Oracle Solaris 11 and Oracle Database 11g.
  • 15% faster than the IBM Power 795 32-chip results (32/256/1024)
  • 14% more SAP users per chip than the Fujitsu M10-4s 40-chip results (40/640/1280)
  • Details here

For more information about SAP on Oracle SPARC/Solaris see:

Oracle IT infrastructure Solutions for SAP
SAP Community Network: SAP on Oracle Solaris

Disclosure Statement
Two-tier SAP Sales and Distribution (SD) standard application benchmarks, SAP Enhancement Package 5 for SAP ERP 6.0 as of 3/26/14:
SPARC M6-32 (32 processors, 384 cores, 3072 threads) 140,000 SAP SD users, 32 x 3.6 GHz SPARC M6, 16 TB memory, Oracle Database 11g, Oracle Solaris 11, Cert# 2014008.
Fujitsu SPARC M10-4S (40 processors, 640 cores, 1280 threads) 153,000 SAP SD users, 40 x 3.0 GHz SPARC65 X, 10 TB memory, Oracle Database 11g, Oracle Solaris 11, Cert# 2013014.
Two-tier SAP Sales and Distribution (SD) standard application benchmarks, SAP Enhancement Package 4 for SAP ERP 6.0:
IBM Power 795 (32 processors, 256 cores, 1024 threads) 126,063 SAP SD users, 32 x 4 GHz IBM POWER7, 4 TB memory, DB2 9.7, AIX7.1, Cert#2010046.
SAP, R/3, reg TM of SAP AG in Germany and other countries. More info www.sap.com/benchmark

Thursday May 16, 2013

All IBM Products which support Oracle Solaris 11 on SPARC

IBM maintains an excellent page (click here) with all products which are available on Oracle Solaris 11 (SPARC).

Tuesday Apr 16, 2013

IBM releases Websphere 8.0 on Solaris 11 (SPARC)

IBM released Websphere 8.0 on Oracle Solaris 11 for SPARC. See IBM Product Compatibility Report

Monday Feb 25, 2013

IBM releases Websphere MQ 7.0, 7.01 on Solaris 11 (SPARC, x64)

IBM released Websphere MQ V7.0, 7.0.1 on Oracle Solaris 11 for SPARC and x64. See IBM software requirements for SPARC and x64

Monday Nov 05, 2012

IBM releases Informix 11.70FC6 on Solaris 11 (SPARC, x86)

IBM supports Informix Server 11.70FC6 on Solaris 11 (SPARC, x86). Check the IBM Support Portal page for more details.

Friday Oct 19, 2012

IBM releases ILOG CPLEX 12.4 on Solaris 11 (SPARC)

IBM released ILOG CPLEX Studio 12.4

on Solaris 11 (SPARC). 

[Read More]
About

Application tuning, sizing, monitoring, porting on Solaris 11

Search

Categories
Archives
« May 2016
SunMonTueWedThuFriSat
1
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
    
       
Today