IBM Support

Increased encryption and decryption overhead with a default SSL cipher

Troubleshooting


Problem

WebSphere Application Server users will experience performance degradation with a default SSL cipher. Vulnerable RC4 ciphers are now removed from the default SSL cipher list, where AES and 3DES ciphers remain.  Hence, encryption and decryption overhead increases as stronger default ciphers are used.

Symptom

Lower throughput and higher CPU utilization will occur due to higher overhead from stronger default SSL ciphers.
In addition, highest encryption and decryption overhead will be experienced on hardware which lacks instructions sets optimized for encryption algorithms like AES.

Cause

Increased encryption and decryption overhead derives from using a stronger default SSL cipher.

Environment

WebSphere Application Server users who use a default SSL cipher.

Diagnosing The Problem

Throughput and CPU utilization measurements will help determine that SSL has a higher overhead.  Also, a JVM profile can show that such overhead is confined to SSL message encryption and decryption calls.

Resolving The Problem

Higher overhead is a necessary trade-off for using stronger encryption algorithms.  RC4 ciphers are considered to be vulnerable.  Thus, we recommend that WebSphere Application Server users employ secure ciphers, like those available in the default SSL cipher list.

Also, WebSphere Application Server users can verify whether their hardware processors support instruction sets which improve the speed of stronger encryption algorithms like AES.

[{"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Business Unit":{"code":"BU004","label":"Hybrid Cloud"},"Component":"Performance and High CPU Utilization","Platform":[{"code":"PF016","label":"Linux"},{"code":"PF033","label":"Windows"}],"Version":"8.5.5.6;8.0.0.11;7.0.0.39","Edition":""}]

Document Information

Modified date:
15 June 2018

UID

swg21957774