Some time back we published a Sun Blueprint (Accelerating IBM HTTP Server Cryptographic Operations Using Sun Servers with CoolThreads Technology) detailing the steps needed to get your IBM HTTP Server to use the on-chip crypto processor on an UltraSPARC T2 based system for SSL operations. This gives you a free boost to SSL operations without buying additional hardware for them.
The documentation lists all the steps needed to get your IBM HTTP Server and GSKit working with this on-chip crypto module on the UltraSPARC T2 processor. In addition to the configuration steps, it has results from some of the performance testing done to measure the gain. Your mileage may vary depending on your type of workload, but if you are making a lot of new client connections and serving "HTTPS" traffic, then this is something available to you for free that you will want to consider. It will help take care of your SSL handshake operations.
Another important aspect of this is that GSKit is a common library that IBM uses in a lot of products. As is evident from the name, Global Security Kit, it is a security-related implementation to be used across different products, for things such as PKCS#11. Some more details can be found in my prior blog about GSKit. This implies that if you want to hook up with a PKCS#11 provider and take advantage of on-chip cryptography for other products, that can be done too. Note that this integration happened at a certain level of IBM HTTP Server, so it requires a certain version of GSKit embedded with the product for which you want to take advantage of it.


Comments:

If you should get a chance to refresh the Document about IBM HTTP SERVER + UltraSparc, there are a few clarifications that might help:

1) after creating the new (non-nobody) userid/group, configure the User and Group directives in $IHSROOT/conf/httpd.conf. Without this, the webserver child processes can't access the soft-token files.

2) The "Sun Metaslot" must be enabled on the system via "cryptoadm enable metaslot"

3) all *.kdb references should be "secondary.kdb" -- some "key.kdb" references snuck in (default filename)

Posted by Eric Covener on July 09, 2009 at 06:18 AM PDT #
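
A small lint for items 1 and 3 of the comment above, as an added example (not from the blueprint, IBM, or the commenter). It assumes the key database appears in httpd.conf as a path ending in .kdb; `check_ihs_conf`, `sample_conf` and the sample values are hypothetical. Item 2 is a system setting outside httpd.conf and is not checked.

```shell
# Added example: lint an IHS httpd.conf for an explicit non-nobody
# User/Group (item 1) and for *.kdb paths other than secondary.kdb (item 3).
check_ihs_conf() {
    # $1: path to httpd.conf. Prints one finding per line; returns 1 if any.
    awk '
        /^[ \t]*#/ { next }                 # ignore comment lines
        { d = tolower($1) }                 # directive names are case-insensitive
        d == "user"  { user = $2 }          # keep the last value seen
        d == "group" { group = $2 }
        {
            # Item 3: any *.kdb argument that is not secondary.kdb
            for (i = 2; i <= NF; i++) {
                f = $i
                gsub(/"/, "", f)
                if (f ~ /\.kdb$/ && f !~ /(^|\/)secondary\.kdb$/) {
                    printf "line %d: %s references %s, expected secondary.kdb\n", NR, $1, f
                    bad = 1
                }
            }
        }
        END {
            # Item 1: child processes need a userid/group that can read the soft token
            if (user == "")             { print "User directive missing";  bad = 1 }
            else if (user == "nobody")  { print "User is nobody";          bad = 1 }
            if (group == "")            { print "Group directive missing"; bad = 1 }
            else if (group == "nobody") { print "Group is nobody";         bad = 1 }
            exit bad + 0
        }
    ' "$1"
}

# Constructed sample input: default key.kdb left in place, Group commented out.
sample_conf() {
    cat <<'EOF'
User ihsuser
# Group ihsgrp
KeyFile /opt/IBM/HTTPServer/key.kdb
EOF
}
```

Run it as `sample_conf > /tmp/httpd.conf.sample; check_ihs_conf /tmp/httpd.conf.sample`, or point `check_ihs_conf` at $IHSROOT/conf/httpd.conf.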

Dileep,

As we tested, the IHS Server using GSKit implementation for accessing Niagara crypto doesn't address complete SSL operation. GSKit is limited to RSA operation and it ignores the bulk encryption and hashing. I spoke to my IHS contact, he suggests there is a limitation with previous releases of GSKit. They updated GSKit to include newer algorithms in WebSphere 7.0 and up, but I didn't see that your document captures those changes?

Thanks in advance.

Posted by Mukund Srinivasan on October 26, 2009 at 08:22 PM PDT #


This blog copyright 2009 by dkumar