TCP/IP for z/VM
SSL Server - Background and Performance Analysis Information

This page provides basic historical information about the z/VM SSL server pool implementation (initially provided with z/VM 540), with links to other relevant SSL server topics where applicable.

Following the introduction of the CMS-based SSL server with z/VM 540, and its functional enablement via the PTF for APAR PK65850, IBM recognized and acknowledged several performance and scalability limitations with this implementation (these are discussed in the initial CMS-Based SSL Server z/VM Performance Report).

The SSL server implementation was updated at the z/VM 540 and 610 levels with this set of APARs (which collectively comprised the "SSL Server Performance and Scalability Enhancements" SPE):

  • PK97437: SSLADMIN, TCPRUN and Related Packaging Changes
  • PK97438: SSLSERV Module Updates
  • PK75662: TCPIP Module Updates

Note that these APARs, and the pertinent capabilities and functions (described next), are incorporated in all currently supported z/VM levels.

Updates provided by the aforementioned "SSL Server Performance and Scalability Enhancements" SPE included:

  • Improved scalability, with respect to the number of concurrent secure connections allowed per TCP/IP stack
  • Increased secure connection "back-up" capability, through the use of multiple SSL pool servers with a given TCP/IP stack server. While true failover support for secure connections is not possible, the failure of a given SSL pool server will not disrupt future connectivity, nor cause the associated TCP/IP stack server (or, a dependent application protocol server, such as an FTP server) to shut down.
  • SSLADMIN (administrative) command improvements that support the administration of multiple SSL pool servers, and that better convey the operational characteristics of such a group of servers (or of a single such server). In addition, several new SSLADMIN commands are introduced to allow for interaction with a specific server or set of servers, and to provide selective server control when needed.

The SSL Multiple Server Support z/VM Performance Report provides analysis results for this updated server implementation.


SSL Server Performance Considerations

A given SSL server virtual machine is limited to the use of a single CPU. Given this constraint, be aware of the considerations listed here. Additional considerations are discussed in the CMS-Based SSL Server z/VM Performance Report.

MAXSESSIONS (MAXUSERS) Settings

When the SSL server MAXSESSIONS value is increased above its default of 100, the following items should be given special consideration:

  • To support a large number of concurrent connections, the virtual storage defined for the SSL server likely will need to be increased beyond the IBM-supplied default. Specific guidelines for a fixed ratio of virtual storage to number of connections are not available. Thus, appropriate local testing should be performed to confirm that a given virtual machine definition can accommodate the number of concurrent secure connections required for an installation.
  • As the MAXSESSIONS value is increased, a corresponding increase in CPU utilization (per connection) by the SSL server can be expected, regardless of whether additional connections are actually used. This increase is associated with connection management processing and cannot be avoided. It is advised that one take a conservative approach when the MAXSESSIONS value is increased, so that the resulting value is only as large as is absolutely required for a given installation (with any "buffering" considerations kept to a minimum).

Cryptographic Key Sizes

While the use of larger key sizes will increase the security of encryption keys used for protected communications, CPU usage for handling such keys will also increase. For example, the most commonly used key size is 1024 (1K). One can expect that CPU usage will increase by a factor of 4.4 when this key size is doubled to 2048 (2K). The doubling of a 2K key size to 4096 (4K) will cause CPU consumption to increase by a factor of 6.7.
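
The following sizing sketch is an added example, not IBM-supplied code. It chains the two doubling factors quoted above and applies the one-CPU-per-SSL-server limit to estimate how many pool servers a given rate of new secure connections requires. The 5 ms baseline cost, the rate of 50 new connections per second, the 70% utilization ceiling, and the premise that key-handling CPU is spent once per new connection are assumptions constructed for illustration; substitute locally measured values.

```python
import math

# CPU multipliers per key-size doubling, as quoted on this page.
DOUBLING_FACTOR = {1024: 4.4, 2048: 6.7}  # 1024->2048, 2048->4096


def cpu_factor(bits, base_bits=1024):
    """CPU multiplier for `bits` relative to a 1024-bit key (factors compound)."""
    factor, size = 1.0, base_bits
    while size < bits:
        if size not in DOUBLING_FACTOR:
            raise ValueError(f"no quoted factor for doubling a {size}-bit key")
        factor *= DOUBLING_FACTOR[size]
        size *= 2
    if size != bits:
        raise ValueError(f"{bits} is not one of 1024, 2048, 4096")
    return factor


def pool_servers_needed(new_conns_per_sec, base_cpu_ms, bits, max_util=0.7):
    """Minimum number of SSL pool servers, each limited to a single CPU.

    base_cpu_ms is the key-handling CPU cost of one new connection with a
    1024-bit key (hypothetical input; measure it on the target system).
    max_util is the share of one CPU a server may spend on this work.
    """
    cpu_sec_per_sec = new_conns_per_sec * (base_cpu_ms / 1000.0) * cpu_factor(bits)
    return max(1, math.ceil(cpu_sec_per_sec / max_util))


def plan(new_conns_per_sec, base_cpu_ms, max_util=0.7):
    """Pool size for each key size covered by the quoted factors."""
    return {bits: pool_servers_needed(new_conns_per_sec, base_cpu_ms, bits, max_util)
            for bits in (1024, 2048, 4096)}


if __name__ == "__main__":
    # Constructed workload: 50 new secure connections/s, 5 ms each at 1024 bits.
    for bits, servers in plan(50, 5.0).items():
        print(f"{bits}-bit key: x{cpu_factor(bits):.2f} CPU, {servers} pool server(s)")
```

Because the factors compound, a 4096-bit key costs roughly 29.5 times the CPU of a 1024-bit key, which is why the pool size in this constructed workload grows from 1 server to 11.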