APAR status
Closed as program error.
Error description
IBM WebSphere Datapower SOA appliance. Firmware version: 3.8.0.3 Performance test with WCF (Windows communications foundation) clients showed unexpected results. The WCF client receives the WSDL including the policy of the WebService Proxy and the STS from a MEX service implemented on DataPower. The WCF clients running on Intel machines, the Web Service Proxies on one DataPower XI50, Backend WebService implemented in CICS on z/OS. We used a policy which enforces message security (complete message signed and encrypted). The WebService Proxy on the request does the policy enforcement (decrypt, verify) , AAA (one LDAP Search), Logging (File System and Syslog on notice level), removes the security header, creates a new SAML for the backend and signs it. On the response, just logging and the policy enforcement (crypt, sign). In all our test cases (different message sizes and message complexity) we had similar round-trip times (about 50ms). Looking at the stylesheet statistics we saw that decrypt takes about 20ms and verify about 30ms (again independent of the message size and complexity). DataPower was only able to handle about 100 requests per second until reaching 90- 100% CPU load. The strange thing about this result is not the number itself, but the fact that this load could easily be generated from a single WCF client running on a dual core Intel machine (about 30% CPU load). Everybody expected DataPower to be much more efficient than the client. Both sides have to do similar work on request and response. To have a comparison we also tested an mixed security (transport security for payload and signed/encrypted SAML assertion in the WS- Security header). Here verify and decrypt (just the SAML token, not the message) only takes about 10ms. So policy enforcement seems to be very inefficient from a performance perspective. We would expect seeing different processing times for different message sizes. Encrypt and Sign (within document crypto map) shows execution times of 0 ms.
Local fix
Problem summary
A number of inefficiencies were identified in WS Security Policy enforcement.
Problem conclusion
Improved performance of policy enforcement during WS Security Policy verify and decrypt actions.
Temporary fix
Comments
APAR Information
APAR number
IC69673
Reported component name
DATAPOWER
Reported component ID
DP1234567
Reported release
370
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2010-07-06
Closed date
2010-08-09
Last modified date
2010-08-09
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
DATAPOWER
Fixed component ID
DP1234567
Applicable component levels
R380 PSY
UP
R381 PSY
UP
[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SS9H2Y","label":"IBM DataPower Gateway"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"370","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]
Document Information
Modified date:
11 February 2022