> Kind of stuck on this one. Had the CE come out and enable the Crypto > co-processor CPACF feature code for our z9-104 yesterday, then went to > define and use the feature in a Linux LPAR, but it doesn't work. We have > the libica code installed, but whether it's used or not we get the same > throughput from the openssl speed tests. I didn't think it took a POR to > get the feature recognized - is there something I'm missing here?
Enabling the crypto engine really might not help you much. How much help you'll get depends a lot on what you're trying to do with it. There are two components to a SSL transaction: the initial asymmetric crypto-ignition process at connection startup, and the ongoing symmetric process after the connection is established. Pre z9 BC/EC, depending on how you configured the crypto engine (as coprocessor or accelerator), you get enhancement of one or the other function. The BC and EC models can be configured in such a way to help somewhat with both tasks. If a majority of your transactions are short=lived connections, the SSL offload for the asymmetric step will help a lot. If you're doing long-lived sessions (like tn3270 wrapping), then you won't get a lot out of it, except after a network interruption when all the clients try to renegotiate keys at once. If you're expecting it to help with SSH sessions, it doesn't. Most of that is symmetric, or uses algorithms that CPACF doesn't yet know how to accelerate. (AFAIS, the openssl speed tests don't really do enough connection volume to show much of a difference even when the crypto engine is known to be working. ) ---------------------------------------------------------------------- For LINUX-390 subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or visit http://www.marist.edu/htbin/wlvindex?LINUX-390
