Scott,
        You're saying you need Linux support from PKCS11 hardware devices, and
haven't found any?  We're just now beginning to explore hardware
acceleration options for Java JCE, and I've heard rumblings of great
performance gains using PCI cards such as Eracom's ProtectServer line.  The
line I was sold was "all you do is point your VM at the new JCE provider in
your java.security - it's just that easy."

        I didn't think to ask about any OS specific device drivers that might be
required.  Any experiences?  And yeah - the OpenSSL bridge approach sounds
very cool indeed.  Hats off and good luck.

        -Jon

-----Original Message-----
From: Scott Cantor [mailto:[EMAIL PROTECTED]
Sent: Friday, February 27, 2004 2:55 PM
To: [EMAIL PROTECTED]
Subject: RE: Using XML security slows down the Axis Call


> Some time ago (6 weeks or so) I did some performance measures (WSS4J has
> timing logs built in) and we see here that Verification/Signature
> is real time consuming, followed by public key encryption, followed
> by symmetrical encryption....this ordering comes with no surprise.
>
> Only the real time consumed is quite high.

In our SAML authority, we've found it totally unscalable, and some of our
contributors have been working with native code to bridge the JCE interface
to OpenSSL. This is nice mostly because other hardware solutions based on
PKCS11 don't get a lot of vendor support on anything but Windows and
Solaris, and OpenSSL's engine layer does. JDK 1.5 has the PKCS11 support,
but it doesn't do much good if you can't get the libcryptoki you need.

The speedups are dramatic, and pretty much suggest Java's unusable for this
sort of thing, which is not a surprising conclusion to me.

Note I'm talking about supporting many signatures a second. If you don't
need that, Java's fine.

-- Scott


