H2DQ_Julian_Grunnell

SSL Cryptographic offloading on Sun SPARC servers

‏2013-01-18T08:12:40Z |
Hi - hope someone can help me with the following questions. A year or so ago I had all manner of issues setting up cryptographic offloading on our SPARC servers with the T1 / T2 chips - I spent weeks getting this right and it is well documented on this forum. However, since many months have passed I'm now unsure of a couple of things:

1) without offloading we saw a dramatic increase in server load, usual load avg <2, without offloading >60. We have a mixture of sites that use EV SSL certs and just standard SSL certs. I'm sure that only the EV SSL certs caused the very high server load - is that correct?

2) we have some new SPARC servers with the T4 chip - do these also require the cryptographic offloading to be set up or was this something unique to the T1 / T2 chips?

And finally, I've amassed several very useful procedures for dealing with this setup on SPARC T1 / T2 servers that have proved to be invaluable. When I first started to look at this, all that seemed to exist was a single Sun Blueprint document. If anyone would like these then please just let me know.

Thanks - Julian.
  • SystemAdmin

    Re: SSL Cryptographic offloading on Sun SPARC servers

    ‏2013-01-18T13:07:31Z  in response to H2DQ_Julian_Grunnell
    • RSA key size matters, "EV" doesn't matter directly. Your CA may require large keys for EV.
    • AFAIK T4 is like T1/T2 in that you need to configure the PKCS11 offload.

    I vaguely recall the T4, or maybe a planned successor, may have non-PKCS11 crypto support, which means special machine code instructions that optimize RSA and AES related stuff, but it's not anything the IBM security library can exploit.

    --
    Eric Covener
    IBM HTTP Server and Apache Development
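
The key-size point in the reply above can be measured directly. The following is an added example, not code from the thread or from IBM HTTP Server: it times the modular exponentiation at the heart of an RSA private-key operation for different modulus sizes. The operands are constructed random integers of the right length (an assumption made so the script runs offline with no crypto library), and no CRT speed-up is applied.

```python
import random
import time

def constructed_operands(bits, seed=1):
    """Constructed stand-ins for an RSA modulus n, private exponent d, message m.

    These are random integers of the right size, not a real key pair: the cost
    of modular exponentiation depends on operand length, not on n = p*q.
    """
    rng = random.Random(seed)
    n = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # exactly `bits` bits, odd
    d = rng.getrandbits(bits - 1) | (1 << (bits - 2))   # full-length exponent, d < n
    m = rng.getrandbits(bits - 1)                       # m < n
    return n, d, m

def op_seconds(bits, exponent=None, reps=20, runs=5):
    """Best-of-`runs` average time for one m**e mod n at the given modulus size.

    exponent=None uses the full-length private exponent (what the server does
    once per RSA handshake); pass 65537 to time the cheap public operation.
    """
    n, d, m = constructed_operands(bits)
    e = d if exponent is None else exponent
    best = float("inf")
    for _ in range(runs):
        start = time.perf_counter()
        for _ in range(reps):
            pow(m, e, n)
        best = min(best, (time.perf_counter() - start) / reps)
    return best

def relative_cost(small=1024, large=2048):
    """How many times more CPU one private-key operation costs at `large` bits."""
    return op_seconds(large) / op_seconds(small)

if __name__ == "__main__":
    for bits in (1024, 2048, 4096):
        print(f"{bits}-bit private op: {op_seconds(bits) * 1e3:.2f} ms, "
              f"public op (e=65537): {op_seconds(bits, 65537) * 1e3:.3f} ms")
    print(f"2048 vs 1024 private-op cost: {relative_cost():.1f}x")
```

Nothing in the measurement depends on the certificate type; only the modulus length changes the per-handshake cost, which is why moving keys from 1024 to 2048 bits raises CPU load whether or not the certificate is EV.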
  • H2DQ_Julian_Grunnell

    Re: SSL Cryptographic offloading on Sun SPARC servers

    ‏2013-01-18T14:20:40Z  in response to H2DQ_Julian_Grunnell
    Thanks Eric - wondered if you would reply! So regardless of whether the certs are standard Verisign or Verisign with Extended Validation etc., it's more to do with the KeySize as it appears in the ikeyman keystore? If so then these are all now 2048 in our environment, some were 1024 but not any more.

    I'm also trying to remember why this actually affected these servers. I've found the original link to a Sun blueprint on this matter but alas it no longer exists. Do you happen to know the reason why this was all necessary in the first place?

    Thanks again - Julian.
    • SystemAdmin

      Re: SSL Cryptographic offloading on Sun SPARC servers

      ‏2013-01-18T21:01:40Z  in response to H2DQ_Julian_Grunnell
      I think there's two parts. My uninformed 2c:

      • The T* are designed with many lightweight general cores to run lots of threads simultaneously. They compensated for the "light" nature of each core by adding dedicated crypto accel on the platform. Unfortunately, you have to go through PKCS11 to access it.
      • Optimizations for "traditional" pre-Tx SPARC are n/a to current stuff, and can even be detrimental.