IBM MQ for z/OS: V9.0.1 performance improvements for AMS
tonySharkey 060000E7M1 Comments (2) Visits (2589)
For the continuous delivery (CD) release of IBM MQ for z/OS version 9.0.1, we wanted to continue the theme of reducing the cost to queues protected by Advanced Message Security (AMS) policies that started in MQ version 9.0.0, particularly with the Confidential quality of service.
One of the performance highlights of AMS on V9.0.0 was that queues protected using AMS Confidentiality policies with a key reuse count of 32 could achieve transaction cost parity with a request/reply workload using SSL channels with secret key negotiation at 1MB intervals when using 32KB messages.
For V9.0.1, the target we set was to lower the cost of AMS Confidentiality sufficiently to achieve parity with an SSL workload with secret key negotiation of 10MB. This would mean that AMS Confidential would be changing its secret key every 32 messages, compared with the SSL workload renegotiating every 320 messages.
We achieved this target and more, such that AMS Confidentiality can offer a viable alternative to SSL channels particularly for a streaming-type workload.
This blog demonstrates some of the reduction in costs we have achieved in the V9.0.1 release with 2 specific configurations:
As part of these improvements, we have also reduced the cost of queues protected using AMS Integrity and Privacy policies. For more information on this CPU reduction, please see the mqperf repository on github, and in particular document V901.pdf
The remainder of this blog entry discusses the performance enhancements made to AMS Confidentiality relative to channels protected using SSL ciphers.
A simple request / reply workload comparison between queues protected by AMS Confidential policies with channels protected using SSL ciphers
For a request/reply workload using 32KB messages, we measure the transaction cost of a number of different configurations.
The measurements were run on a multi-LPAR SYSPLEX running on a z13 (2964-NE1) with a CryptoExpress5 card configured to allow significant proportion of the key negotiation costs to be offloaded.
The SSL transaction cost decreases as the SSL secret key negotiation value is changed to allow more data to flow between negotiations, until at the lowest cost, the overhead of SSL encryption is an additional 78% on top of the baseline cost.
The V9.0.1 AMS Confidential policy adds 75% on top of the baseline cost, despite the secret key being negotiated every megabyte of data being put to the queues.
A chart comparing the costs is shown below.
Streaming messages between queue managers
The second example configuration is a good use of the AMS Confidential quality of protection, where data is moved between data centres such as seen in an IBM InfoSphere Data Replication queue replication scenario. These are particularly apt as they typically use one putting (capture) task and one getting (apply) task.
The channels defined between the queue managers in the data centre(s) may be protected using SSL ciphers but it can be less expensive to encrypt the messages using AMS Confidential-type policies. Of course key negotiation is performed at a different level of granularity for AMS than for SSL channels and the message size may have an impact on the cost of either configuration. For example, setting SSLRKEYC(32MB) would allow 32 messages of 1MB to flow between key negotiations OR 978 messages of 10KB. In the case of AMS, a key reuse of 32 means 32 messages whether of size 1 byte or 100MB.
Streaming small messages
The following chart represents the transaction costs of queue replication workloads using 10KB persistent messages.
In each case there is a single putting task that puts messages in batches of 200 for sending to the remote queue manager, where the message is processed.
For comparison purposes, the measurements include multiple configurations:
When using these smaller messages with channels protected by SSL ciphers with key negotiation at 1MB intervals, will flow nearly 100 messages between key negotiations. By contrast, AMS Confidential polices where the key reuse count is set to 32, just 320KB of message are put between key negotiations, which means the key is negotiated 3 times more frequently for the AMS configuration. Despite this disparity, the AMS measurement has a total transaction cost that is 23% lower than the SSL measurement.
Indeed, the AMS measurements are comparable with the SSL measurements that change the secret key much less frequently e.g. AMS Confidential with key reuse count 32 shows similar cost to channels protected by SSL ciphers with SSLRKEYC(32MB).
Notes on chart:
Streaming large messages
The following chart compares the impact of AMS Confidential with key reuse 32, against channels protected with SSL ciphers that negotiate the secret key every 10 or 32MB.
Where similar number of messages flow between key negotiations, namely AMS Confidential with key reuse 32 and SSL channels with SSLRKEYC(32MB), the AMS measurement has a total transaction cost of approximately 15% less.
Where to look for more information:
For an overview of AMS, the IBM MQ V9.0 Knowledge Center is a good place to start!
For V9.0.1 perf
The V9.0.0 performance report (MP1K) is similarly available on the mqperf repository and contains information on both AMS and base MQ performance, which is relevant to all MQ V9.0 releases.