On Wed, Apr 03, 2013 at 11:14:07AM -0400, Rob D wrote: > Hello. We are discussing setting up a crypto card implementation on our > RHEL based Z\EC12 setup. We are looking to offload SSL processing to the > crypto card. > We are looking to get an IFL savings, and hopefully a performance boost too. > > Does anyone out there have experience in setting this up under RHEL 6.x? > Were there any tricks or sticking points that you ran across?
I can't speak to Z12/RHEL 6, but I can speak to Z10/RHEL 5, and the main things to understand about the crypto facilities on the Zs are: 1/ The built-in functions of the Z processors will accelerate the algorithms used once a connection has been initiated. 2/ The crytpo cards will accelerate algorithms associated with initiating new SSL connections. Thus if you've got lots of persistent SSL connections (say HTTPS from an F5) you'll find the card is basically useless. If you've got lots of long-lived connections (SCP for example), again, the encryption cards are basically useless. You need to make sure you're using the onboard CPU acceleration functions for these. You can get some very good benefits on hose, incidentally; for an Apache server doing 80 hits/s I could cut the CPU utilisation but 80% by using the CPACF functions. The most important gotcha for me, though was: 3/ It's fairly easy to get any OpenSSL client to use accelerated functions, whether on the card or the processor. If a program uses a different SSL library it may not be able to use them. This third point became really important for us, because WebSphere 6.1 could not utilise the CPACF instructions, because the IBM crypto library didn't understand the Z10 CPU. This meant that IHS inbound, IHS<->WAS, and WAS<->WAS comms couldn't be accelerated, which made all that high-performance silicon dead weight. -- Rodger Donaldson [email protected] ---------------------------------------------------------------------- For LINUX-390 subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO LINUX-390 or visit http://www.marist.edu/htbin/wlvindex?LINUX-390 ---------------------------------------------------------------------- For more information on Linux on System z, visit http://wiki.linuxvm.org/
