cpacfstats - Monitor CPACF cryptographic activity
Use the cpacfstats command to display the number of cryptographic operations that are performed by the Central Processor Assist for Cryptographic Function (CPACF). You can display and enable, disable, or reset specific hardware counters for AES, DES, ECC, TDES, SHA, and pseudo random functions.
CPACF performance counters are available on LPARs only.
All counters are initially disabled and must be enabled in the LPAR activation profile on the SE or HMC to measure CPACF activities. There is a slight performance penalty with CPACF counters enabled.
- On the HMC or SE, authorize the LPAR for each counter set you want to use. Customize the LPAR
activation profile and modify the Counter Facility Security Options. You need to activate the
Crypto activity counter set authorization controlcheckbox.
- The cpacfstatsd daemon must be running. Check the syslog for the message:
cpacfstatsd: Running. To start the daemon, issue:
The daemon requires root privileges to open and work with the perf kernel API functions. Issue man cpacfstatsd for more information about the daemon.
Setting up the cpacfstats group
- Create the group cpacfstats:
# groupadd cpacfstats
- Add all users who are allowed to run the cpacfstats client application to the
usermod -a -G cpacfstats <user>
- -e or --enable <counter>
- enables one or all CPACF performance counters. The optional counter argument can be one of:
- counts all AES-related cipher message CPACF instructions.
- counts all DES- and 3DES-related cipher message CPACF instructions.
- counts all ECC (elliptic curve cryptography) related CPACF instructions.
- counts all pseudo-random related CPACF instructions.
- counts all message digest (that is, SHA-1 through SHA-512) related CPACF instructions.
- counts all CPACF instructions.
- -d or --disable <counter>
- disables one or all CPACF performance counters. If you omit the counter, all performance counters are disabled. Disabling a counter does not reset it. The counter value is preserved when a counter is disabled, and counting resumes with the preserved value when the counter is re-enabled.
- -r or --reset <counter>
- resets one or all CPACF performance counters. If you omit the counter, all performance counters are reset to 0.
- -p or --print <counter>
- displays the value of one or all CPACF performance counters. If you omit the counter, all performance counters are displayed.
- -h or --help
- displays help information for the command. To view the command man page, enter man cpacfstats.
- -v or --version
- displays version information for cpacfstats.
- To print status and values of all CPACF performance counters:
# cpacfstats des counter: disabled aes counter: disabled sha counter: disabled rng counter: disabled
- To enable the AES CPACF performance counter:
# cpacfstats --enable aes aes counter: 0
- To enable all CPACF performance
For the already enabled aes counter, the value is not reset.
# cpacfstats -e des counter: 0 aes counter: 192 sha counter: 0 rng counter: 0