Hi - hope someone can help me with the following questions. A year or so ago I had all manner of issues setting up cryptographic offloading on our SPARC servers with the T1 / T2 chips - I spent weeks getting this right and it is well documented on this forum. However, since many months have passed I'm now unsure of a couple of things:
1) Without offloading we saw a dramatic increase in server load: usual load avg <2, without offloading >60. We have a mixture of sites that use EV SSL certs and just standard SSL certs. I'm sure that only the EV SSL certs caused the very high server load - is that correct?
2) We have some new SPARC servers with the T4 chip - do these also require the cryptographic offloading to be set up, or was this something unique to the T1 / T2 chips?
And finally, I've amassed several very useful procedures for dealing with this setup on SPARC T1 / T2 servers that have proved to be invaluable. When I first started to look at this, all that seemed to exist was a single Sun Blueprint document. If anyone would like these then please just let me know.
Thanks - Julian.
SSL Cryptographic offloading on Sun SPARC servers
Updated on 2013-01-18T21:01:40Z by SystemAdmin
SystemAdmin 110000D4XK (3903 Posts)
Re: SSL Cryptographic offloading on Sun SPARC servers
2013-01-18T13:07:31Z
- RSA keysize matters, "EV" doesn't matter directly. Your CA may require large keys for EV.
- AFAIK T4 is like T1/T2 in that you need to configure the PKCS11 offload.
I vaguely recall the T4, or maybe a planned successor, may have non-PKCS11 crypto support, which means special machine code instructions that optimize RSA and AES related stuff, but it's not anything the IBM security library can exploit.
IBM HTTP Server and Apache Development
H2DQ_Julian_Grunnell 270003H2DQ (24 Posts)
Re: SSL Cryptographic offloading on Sun SPARC servers
2013-01-18T14:20:40Z
Thanks Eric - wondered if you would reply! So regardless of whether the certs are standard Verisign or Verisign with Extended Validation etc., it's more to do with the KeySize as it appears in the ikeyman keystore? If so then these are all now 2048 in our environment; some were 1024 but not any more.
I'm also trying to remember why this actually affected these servers. I've found the original link to a Sun blueprint on this matter but alas it no longer exists. Do you happen to know the reason why this was all necessary in the first place?
Thanks again - Julian.
SystemAdmin 110000D4XK (3903 Posts)
Re: SSL Cryptographic offloading on Sun SPARC servers
2013-01-18T21:01:40Z
- The T* are designed with many lightweight general cores to run lots of threads simultaneously. They compensated for the "light" nature of each core by adding dedicated crypto accel on the platform. Unfortunately, you have to go through PKCS11 to access it.
- Optimizations for "traditional" pre-Tx SPARC are n/a to current stuff, and can even be detrimental.
V8K4_Chandrasekar_Ramalingam 270004V8K4 (1 Post)
Re: SSL Cryptographic offloading on Sun SPARC servers
2013-08-06T06:12:40Z
Updated on 2013-08-06T06:14:24Z by V8K4_Chandrasekar_Ramalingam