On Thu, 24 Sep 2009 14:19:14 -0500, Neal Eckhardt <neckha...@penntraffic.com> wrote:
>... A 20 megabyte file takes about 9 seconds to transfer
>without TLS and about 160 seconds with TLS. The transfer rates
>are about 130 kbytes/sec with TLS and almost 2000 Kbytes/sec
>without.
>
>Are there any tweaking knobs that we can turn to improve this?
>...

Wow! When we went to using encrypted data transfers we noticed very little increase. (This was not FTP, it was mostly CONNECT:Direct but the effect of encryption should be the same regardless of the actual product transferring the data.)

Do you have hardware encryption support? If so, make sure you specify cipher suites that use the hardware encryption.

Are these large transfers, or many short transfers? The encryption process used in the TLS/SSL handshake and the encryption process used for data encryption/decryption are very different and use different encryption hardware. The encryption process used in the handshake is VERY cycle intensive if you do not have an encryption engine. The data encryption process is simpler, and uses CPACF instructions that are automatically available on Z9s (I think) and Z10s (definitely). I think the instruction support has to be manually enabled though.

Anyway, if you don't have a crypto card on your processors but are doing long transfers, the expensive TLS handshake is going to be lost in the background noise. If you are doing many short transfers, those handshakes are going to kill your throughput.

System SSL support in z/OS has a pretty good trace available that can help pinpoint encryption performance problems. You have to run the GSKSRVR started task in order to take the trace. I think you should run a CTRACE writer, too, although I think the trace data can be extracted from a dump of the GSKSRVR address space (or maybe an associated data space) if you don't run the writer. You may need some help from IBM in interpreting it, but this help is available through IBMLink's "Ask a question" ETR support. (I'm not always impressed with the help available through that part of IBMLink, but was very pleasantly surprised by the System SSL folks.)

If the problem really is related specifically to FTP, you might consider posting your question on the IBMTCP list.

Pat O'Keefe