Introduction

This study measures performance and throughput for the Java™ Secure Socket Extension (JSSE) on Linux® for IBM® System z® with Java 2 Platform, Enterprise Edition, and the IBM JSSE2 provider.

The name 'JSSE study' is used throughout this document in place of the full name: Exploiting IBM System z cryptographic hardware using Java Secure Socket Extension.

Data encryption is important for ensuring the privacy and integrity of data sent over any type of network. However, data encryption is a processor-intensive activity that causes additional processor load when done in software. The IBM System z architecture provides two hardware features, the IBM Crypto Express2 feature (which is a PCI card) and the Central Processor Assist for Cryptographic Function (CPACF). The CPACF is part of the IBM System z processor, used to offload the heavy workload of data encryption to specialized hardware. Use of these hardware features frees processor cycles from the main processor, speeds up the processing, and increases the throughput. These hardware features are intended to help create a secure environment, with the lowest impact on the executed workload.

IBM JSSE2 is a Java package that enables secure network communications. The extension implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, providing functions for data encryption, message integrity, and server and client authentication.

For these tests, a workload that heavily exercises SSL socket creation and handshakes was chosen. The handshake is the protocol exchange used by the client and server to negotiate authentication and manage the cryptographic keys used for a session. For this workload, new SSL socket connections are created continuously in each thread, with twenty server and client threads, until a time limit is reached. During each handshake, new encryption keys are generated, which are used to encrypt the data exchanged between a client and a server thread.

Data packets of varying sizes are encrypted and decrypted, using both hardware and software encryption. Four different cipher suites are compared, using hashing algorithms to ensure data integrity over the network. The number of packets transmitted for the test interval is used to measure throughput. Processor utilization is also measured during the test. [1]

[1] This paper is intended to provide information regarding performance of Java classes using the IBMPKCS11Impl security provider to use the cryptographic hardware on IBM System z. This paper discusses findings based on configurations that were created and tested under laboratory conditions. These findings may not be realized in all customer environments, and implementation in such environments may require additional steps, configurations, and performance analysis. The information herein is provided 'AS IS' with no warranties, express or implied. This information does not constitute a specification or form part of the warranty for any IBM products.