Datapower - Performance Tuning for SSL
vishBroker
Posted: Sat Aug 11, 2012 4:36 pm    Post subject: Datapower - Performance Tuning for SSL

Centurion

Joined: 08 Dec 2010
Posts: 135

Hi,

This is for performance tuning of MultiProtocol gateway - with HTTPS frontside handler.
1. When we hit the backend service directly we get average response time of 0.123 seconds over 1 hour period.
2. When we hit same backend service through DataPower without any security (simple HTTP) - we get response time of 0.04 seconds (we have persistence connections enabled).

3. BUT when we hit same service through Datapower with HTTPS as frontSideHandler - the response time increases. It is almost 0.3 seconds.

We have AAA cache set to 460 minutes - the tests run for only 1 hour.

We are hitting with same request and same certificate for 1 hour.



Some more info -
For SSL Proxy Profile, used in HTTPS FSH -
1. We are using Server-side Session Cache Timeout = 300 sec
2. Server-side Session Caching - ON
3. Server-side Session Cache size = 20.

We are using same client for load test and same certificate.


Kindly suggest how to increase performance.
lancelotlinc
Posted: Thu Aug 30, 2012 7:24 am

Jedi Knight

Joined: 22 Mar 2010
Posts: 4941
Location: Bloomington, IL USA

What firmware version are you on? There are known issues with the SSL FSH code in versions prior to 4.0.2.1. Putting explicit IP translations in your hosts file on your client side (non-DataPower side) that match the domain names of the entries in your certificates and root certificate authorities will also reduce latency. For each domain name in those, the SSL handshake must look up the IP address associated. If there are twelve entries between the domains in the certificate chain, then there are twelve lookups so it's easy to see where your additional 300 ms is coming from.

http://www.semicomplete.com/blog/geekery/ssl-latency.html

http://www-01.ibm.com/support/docview.wss?uid=swg21512411

Code:
# MaxKeepAliveRequests: The maximum number of requests to allow
# during a persistent connection. Set to 0 to allow an unlimited amount.
# We recommend you leave this number high, for maximum performance.
#


The problem with a high number here is exposure to DOS attacks.
_________________
http://leanpub.com/IIB_Tips_and_Tricks
Save $20: Coupon Code: MQSERIES_READER
rekarm01
Posted: Mon Sep 03, 2012 3:05 pm    Post subject: Re: Datapower - Performance Tuning for SSL

Grand Master

Joined: 25 Jun 2008
Posts: 1415

vishBroker wrote:
2. When we hit same backend service through DataPower without any security (simple HTTP) - we get response time of 0.04 seconds (we have persistence connections enabled).

Where are persistent connections enabled? On the client and DataPower FSH and MPGW? What are the persistent connection timeouts set to? What about the backside?

vishBroker wrote:
3. BUT when we hit same service through Datapower with HTTPS as frontSideHandler - the response time increases. It is almost 0.3 seconds

Examine the latency stats in the DataPower logs, or run a TCP packet trace, to help narrow down where any delays might occur.

lancelotlinc wrote:
There are known issues with the SSL FSH code in versions prior to 4.0.2.1.

What known issues? Anything relevant?
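An added example (not code from any poster in this thread) of one way to narrow down where the extra latency sits: it times name lookup, TCP connect and TLS handshake separately, then offers the first connection's session on later connections to see whether the server-side session cache is actually hit. The function names, the TLS 1.2 cap and the sample timings are assumptions; the samples are constructed, not measurements from the thread.

```python
import socket
import ssl
import statistics
import time

PHASES = ("dns", "tcp", "tls")
# Constructed timings in seconds (not measurements from the thread).
SAMPLES = [
    {"dns": 0.180, "tcp": 0.004, "tls": 0.090, "resumed": False},
    {"dns": 0.002, "tcp": 0.004, "tls": 0.012, "resumed": True},
    {"dns": 0.002, "tcp": 0.004, "tls": 0.010, "resumed": True},
]

def probe(host, port, ctx, session=None):
    """Time name lookup, TCP connect and TLS handshake for one connection."""
    t0 = time.perf_counter()
    addr = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)[0][4][:2]
    t1 = time.perf_counter()
    raw = socket.create_connection(addr, timeout=10)
    t2 = time.perf_counter()
    # Offering the earlier session tests the server-side session cache.
    with ctx.wrap_socket(raw, server_hostname=host, session=session) as tls:
        t3 = time.perf_counter()
        return {"dns": t1 - t0, "tcp": t2 - t1, "tls": t3 - t2,
                "resumed": tls.session_reused, "session": tls.session}

def run(host, port=443, n=5):
    """One full handshake, then n-1 attempts to resume that session."""
    ctx = ssl.create_default_context()
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # assumption: session-ID caching
    first = probe(host, port, ctx)
    return [first] + [probe(host, port, ctx, first["session"]) for _ in range(n - 1)]

def summarize(samples):
    """Mean seconds per phase, split into full and resumed handshakes."""
    out = {}
    for kind, flag in (("full", False), ("resumed", True)):
        rows = [s for s in samples if bool(s["resumed"]) is flag]
        if rows:
            means = {p: statistics.mean(r[p] for r in rows) for p in PHASES}
            out[kind] = {**means, "n": len(rows),
                         "dominant": max(means, key=means.get)}
    return out

if __name__ == "__main__":
    import sys
    data = run(sys.argv[1]) if len(sys.argv) > 1 else SAMPLES
    for kind, row in summarize(data).items():
        print(kind, row)
```

Run with a hostname argument to probe an endpoint you administer; with no argument it summarizes the constructed samples. If no "resumed" row appears in the output, the offered session was never accepted, so every connection paid for a full handshake.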
lancelotlinc
Posted: Thu Sep 06, 2012 7:25 am    Post subject: Re: Datapower - Performance Tuning for SSL

Jedi Knight

Joined: 22 Mar 2010
Posts: 4941
Location: Bloomington, IL USA

rekarm01 wrote:
lancelotlinc wrote:
There are known issues with the SSL FSH code in versions prior to 4.0.2.1.

What known issues? Anything relevant?


Some that could be relevant, but without the ability to actually try it out in the OP's environment, I'm not sure how relevant:

When the Datapower appliance is configured to use SSLProxy to
handle traffic, having slow DNS responses may cause the
appliance to restart.

http://www-01.ibm.com/support/docview.wss?uid=swg1IC83166


Some faulty SSL clients may not send an SSL closure Alert even
after receiving a closure Alert from DataPower. In such cases
DataPower tends to wait forever, before closing the connection.

http://www-01.ibm.com/support/docview.wss?uid=swg1IC80393



The bottom line, my philosophy is to update the product to latest available binary then verify if problem still exists. If so, and relatively quick troubleshooting steps cannot solve the problem, then open a PMR.

My earlier comment about enabling fast domain lookups I think may still help the OP. If the domains are deep enough to have multiple DNS resolutions per request, making the DNS resolutions faster would reduce the SSL handshake times.