Your old recipe is still usable with the current version of those linux flavors on z14 I think - ie if you built the recipe on sles 11 on EC12 then if you had a sles 11 with current service on it on z14 you could do the same configuration and get hardware accelerated https working.
There are changes coming though - Boeblingen has gotten some of the hardware crypto exploitation moved closer to the packages that actually use it in their upstream versions, so at some point some of the steps in your existing recipe will not be needed. See Reinhard Buendgen's latest SHARE presentations for more detail : http://events.share.org/Summer2017/Public/SpeakerDetails.aspx?FromPage=Sessions.aspx&ContactID=4536 On Sat, Sep 2, 2017 at 5:39 AM, Michael MacIsaac <mike99...@gmail.com> wrote: > Wayne, Mark, Eric, > > > The "sluggishness" I encountered turned out to be nscd thrashing. When I > restarted it, the Web UI seemed as peppy as the http: version. I believe > the nscd issue is known and I'm working at getting a patch for that. > > Yes Eric, those charts are helpful. > > Thanks all for the appends. > > -Mike MacIsaac > > On Fri, Sep 1, 2017 at 7:38 PM, Eric Covener <cove...@gmail.com> wrote: > > > On Fri, Sep 1, 2017 at 12:48 PM, Michael MacIsaac <mike99...@gmail.com> > > wrote: > > > Hi, > > > > > > If I believe the marketing, I should get crypto magically when > switching > > > from HTTP to HTTPS using Apache under zLinux, just by buying a z14. > > > > > > Well we don't have any z14s and I'm not sure I believe the hype. Does > > > anyone know of a HOWTO on this? > > > > > > I did write up a "recipe" (26.4 Hardware cryptographic support for > > OpenSSH) > > > in a Cookbook years ago on using the library > openssl/engines/libibmca.so > > - > > > but I am under the impression this process is for OpenSSH, not Apache > > HTTPS. > > > > > > > There are a few good slides here: > > > > https://www-01.ibm.com/common/ssi/cgi-bin/ssialias?htmlfid=ZSP04731USEN > > > > > Focus on Transparent Enablement: > > > Transparently accelerate TLS & IPSec using CPACF & SIMD to leverage > > hardware performance gains > > > > But it's unclear to me if this means "without configuration [of > > PKCS11]" in things like Apache+mod_ssl+openssl. I don't get the > > impression that the new SIMD instructions they talk about are crypto > > related, those kinds of instructions are usually the only > > "configuration-free" crypto acceleration that I've seen on Linux. > > > > In addition, the deck talks about LUKS-like encrypted block devices > > backed by CPACF in the same way that datasets can now be encrypted at > > rest by policy in the Z14. > > > > ---------------------------------------------------------------------- > > For LINUX-390 subscribe / signoff / archive access instructions, > > send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or > > visit > > http://www.marist.edu/htbin/wlvindex?LINUX-390 > > ---------------------------------------------------------------------- > > For more information on Linux on System z, visit > > http://wiki.linuxvm.org/ > > > > > > -- > -Mike MacIsaac > > ---------------------------------------------------------------------- > For LINUX-390 subscribe / signoff / archive access instructions, > send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or > visit > http://www.marist.edu/htbin/wlvindex?LINUX-390 > ---------------------------------------------------------------------- > For more information on Linux on System z, visit > http://wiki.linuxvm.org/ > -- Jay Brenneman ---------------------------------------------------------------------- For LINUX-390 subscribe / signoff / archive access instructions, send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit http://www.marist.edu/htbin/wlvindex?LINUX-390 ---------------------------------------------------------------------- For more information on Linux on System z, visit http://wiki.linuxvm.org/
