Contents | Previous | Next

TLS/SSL Server OCSP Support

Abstract

z/VM 7.2 added TLS/SSL server support for System SSL Online Certificate Status Protocol (OCSP) and CRL Distribution Points (CDP). With this support, z/VM TCP/IP obtains the revocation status of the peer certificate, a check performed during the TLS handshake, from an external OCSP responder instead of doing that work in the SSL server. One workload was used to evaluate the change. In a Telnet connection ramp-up workload with OCSP enabled, as the number of existing connections increased to 600, the total CPU time to establish a new connection decreased by 0.732 ms, or 20% on average. The decrease is attributed to the validation work moving to the OCSP responder.

Method

A Telnet-connect workload was used to evaluate the additional cost of checking the peer certificate's status against an external source. Figure 1 describes the Telnet-connect workload setup.

Figure 1. 600 Secure Telnet Logon Connections.
Notes: CEC model 8561-T01, CP Assist for Cryptographic Function (CPACF) Support, z/VM 7.2.

A Linux client driving the workload ran on LPAR 1. The client opened three VNC sessions, and each VNC session established 200 Telnet connections to LPAR 2, for 600 connections in total. The CMS-based SSL server ran on LPAR 2. The two LPARs communicated over OSA. On LPAR 1, OpenSSL on Linux (the openssl ocsp responder mode) served as the OCSP responder, listening on a fixed port for OCSP requests from z/VM SSL on LPAR 2.
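The responder side of that setup, as an added example that is not part of the IBM report and not the configuration IBM used: the script below builds a throwaway CA in a temporary directory, issues one server certificate through openssl ca so that OpenSSL maintains the index.txt database the responder reads, starts an openssl ocsp responder on a local port, and queries it the way a TLS server would, before and after revoking the certificate. The CA and server names, the port (18080) and the use of the CA key to sign responses are all assumptions for this example; in production the responder would use a dedicated OCSP-signing certificate.

```shell
#!/bin/sh
# Added example, not part of the z/VM report: stand up an OpenSSL OCSP responder of
# the kind used on LPAR 1 in Figure 1 and query it from the client side.
# Assumptions (all hypothetical): a throwaway CA in a temp directory, the DNs below,
# and TCP port 18080 on localhost for the responder.
set -e

WORK=${WORK:-$(mktemp -d)}
PORT=${PORT:-18080}

# Create a minimal CA with 'openssl ca' so index.txt (the responder's database) is
# maintained by OpenSSL itself, then issue one server certificate from it.
setup_ca() {
  cd "$WORK"
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo

[ demo ]
dir           = .
database      = $dir/index.txt
new_certs_dir = $dir/newcerts
serial        = $dir/serial
certificate   = $dir/ca.crt
private_key   = $dir/ca.key
default_md    = sha256
default_days  = 1
policy        = any

[ any ]
commonName = supplied

[ req ]
distinguished_name = dn

[ dn ]
commonName = Common Name

[ ca_ext ]
basicConstraints     = critical, CA:true
keyUsage             = critical, keyCertSign, cRLSign, digitalSignature
subjectKeyIdentifier = hash
EOF
  mkdir -p newcerts
  : > index.txt
  echo 01 > serial
  openssl req -x509 -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -days 1 -subj "/CN=Demo OCSP CA" -config ca.cnf -extensions ca_ext 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
    -subj "/CN=zvm-ssl-server" -config ca.cnf 2>/dev/null
  openssl ca -batch -config ca.cnf -in server.csr -out server.crt 2>/dev/null
}

# Mark the server certificate revoked in index.txt, as a CA operator would.
revoke_server_cert() {
  cd "$WORK"
  openssl ca -batch -config ca.cnf -revoke server.crt 2>/dev/null
}

# Serve one OCSP request from index.txt, query it as the TLS server would, and
# print "good", "revoked" or "unknown".  A response whose signature does not
# verify against the CA is reported as "verify-failed": an unverified status is
# no better than no status at all.
ocsp_status() {
  cd "$WORK"
  openssl ocsp -index index.txt -port "$PORT" -rsigner ca.crt -rkey ca.key \
    -CA ca.crt -nrequest 1 >/dev/null 2>&1 &
  pid=$!
  sleep 1
  out=""
  for attempt in 1 2 3 4 5; do      # retry briefly while the responder binds
    if out=$(openssl ocsp -issuer ca.crt -cert server.crt -CAfile ca.crt \
             -url "http://127.0.0.1:$PORT" 2>&1); then break; fi
    sleep 1
  done
  kill "$pid" 2>/dev/null || true
  wait "$pid" 2>/dev/null || true
  case $out in
    *"Response verify OK"*) printf '%s\n' "$out" | sed -n 's/^server\.crt: //p' ;;
    *) echo verify-failed ;;
  esac
}

# End to end: status before and after revocation, then clean up.
demo() {
  setup_ca
  echo "before revocation: $(ocsp_status)"   # good
  revoke_server_cert
  echo "after revocation:  $(ocsp_status)"   # revoked
  rm -rf "$WORK"
}

if [ "${1:-}" = "run" ]; then demo; fi
```

Run it as `sh ocsp-demo.sh run`. The responder is started with -nrequest 1 so each query gets a fresh process that has read the current index.txt; a long-running responder, as in the measured configuration, would instead be started once and left listening. The client's "Response verify OK" line is the check that matters: the TLS server should only act on a status whose signature chains to a responder it trusts.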

The Linux client controlled workload throughput by initiating one Telnet connection every half second.

A transaction was one successful Telnet connection.

IBM collected MONWRITE data during the measurement's steady state and reduced it with Performance Toolkit for VM.

Guest CPU time per transaction for the SSL server was calculated from the TCPU column of the FCX162 USERLOG report.

Results and Discussion

Chart 1 shows the SSL server CPU time, the TCPIP CPU time, and their sum per new Telnet connection, plotted against the number of existing connections.

Chart 1. 600 Secure Telnet Logon Connections.
Notes: CEC model 8561-T01, CP Assist for Cryptographic Function (CPACF) Support, z/VM 7.2.

With OCSP enabled, SSL server CPU time per connection decreased by 0.868 ms, or 27% on average, because the revocation check is done by the OCSP responder instead of in the SSL server. TCPIP CPU time per connection increased by 0.136 ms, or 47% on average, because each handshake now includes an OCSP request and response exchanged with the responder on the other LPAR. Combined, the overall CPU time per connection decreased by 0.732 ms, or 20% on average. Two caveats apply when reading these numbers: the CPU consumed by the responder itself on LPAR 1 is not part of the z/VM measurements, and the handshake now waits on the responder, so its reachability and response latency become part of the connection path.

Summary

With OCSP, the total CPU time needed to establish a new Telnet connection decreased by 0.732 ms, or 20% on average, compared with an equivalent environment without OCSP.
