I admit that I am not a SOA expert or pretend to be one ! Lately, I had a chance to explore few security features intended for securing XML Web Services and Java EE applications. With my little knowledge to SOA, I found that XML Web services play a vital role in SOA to enable loosely-coupled services and ensuring interoperability. From a security perspective, the core foundation of securing SOA solutions builds on XML Web Services Security standards and the underlying Java platform (unless you are using Microsoft .NET) . Last two weeks, Chad Prucha and I were test-driving SOA applications using Oracle Weblogic and Oracle Fusion Middleware on a Sun CMT server (T5440) particularly test driving SSL and WS-Security scenarios using WS-Policy/WS-SecurityPolicy standards. Our primary aim was to take advantage of On-chip Cryptographic acceleration provided by the UltraSPARC T2 processors of the T5440 server supporting the cryptographic mechanisms/cipher suites used by SSL and WS-SecurityPolicy. Believe it or not, it worked as piece of cake…. and the performance numbers were stunningly amazing. The Sun CMT servers (using its on-chip crypto accelerators) cruised on SSL and WS-Security with its cryptographic performance….RSA, AES, SHA2…too long to list here. If you consider yourself as a SOA enthusiast and have these following questions – Why should we care about Wire-speed Cryptographic acceleration for SOA or J2EE or XML Web Services performance ? Why it should even be considered in first place ? Is there is any security benefits ? If you do have those questions, then you may find this blog entry helpful otherwise please ignore.
Wire-speed Crypto Acceleration for SOA Security
Cryptographic operations plays a critical role in securing SOA application components particularly Java EE (formerly J2EE) applications and XML Web services supporting their transport-layer security (SSL) and message-layer security (WS-Security including XML Encryption, XML Digital Signature, WS-Policy, WS-SecurityPolicy) requirements. Adopting to cryptographic techniques helps IT organizations securing critical application infrastructures and adhere to industry-specific regulatory compliance mandates such as PCI DSS, HIPAA, FISMA and so forth.
But using Crypto for accomplishing SOA Message-level and Transport-level security induces significant performance degradation and taxes your CPU, Memory and Network bandwidth. SOA security experts often resort to using dedicated XML security appliances for delegating CPU intensive cryptographic operations such as Public-key cryptography (ex.RSA, DSA) based encryption and digital-signature, Symmetric-key based encryption (ex. AES, 3DES) to dedicated hardware-based accelarators – Which helps freeing up the main CPU resources and resulting significant performance gains in overall application throughput. In simpler terms, cryptographic accelerators and HSMs allows offloading computationally expensive cryptographic functions to dedicated hardware that supports cryptographic algorithms and handle cryptographic operations. Under the hood, the cryptographic functions are usually pushed through PKCS#11 standard interfaces using Solaris Cryptographic Framework (On Solaris) and OpenCryptoki (On Linux), or CryptoAPI framework (CAPI/CNG) in the case of Microsoft Windows environment. As a result, cryptographic accelerators proven to demonstrate significant gains in SOA application throughput and scalability by reducing the known CPU bottlenecks and related latency issues caused by cryptographic operations.
Over the past year I have become a big fan of Sun CMT Servers — and more specifically its Cryptographic capabilities, which makes it very compelling for delivering ultra-fast security for security sensitive SOA and Java EE applications.
On-chip Crypto Acceleration using Sun CMT Servers
Sun CMT servers are (Based On UltraSPARC T1/T2/T2Plus processors) based on Chip Multithreading Technology – CMT, which introduced on-chip cryptographic acceleration support through a dedicated cryptographic accelerator implemented on each core of the chip (8 Crypto Accelerators/Chip) – referred to as “Niagara Crypto Provider” (NCP). The introductory UltraSPARC T1 processor included a NCP implementation that facilitated public-key cryptographic mechanisms including RSA and DSA algorithms. The latest UltraSPARC T2 and T2+ processors extended more algorithms support by introducing symmetric-key based encryption/decryption mechanisms such as DES, 3DES, AES-128, AES-192, AES-256, RC4, Hashing operations such as MD5, SHA1, SHA256 and support for ECC algorithms (ECCp-160 and ECCb-163). In addition, the UltraSPARC T2 processors provides an on-chip Random Number Generator (N2RNG) to support random number generation operations intended for cryptographic applications. In practice, NCP makes use of Solaris Cryptographic Framework (SCF) for allowing user-level applications to offload their cryptographic operations and in effect the user applications can take advantage of NCP based on-chip cryptographic acceleration.
You had the gist of the story…now I am rushing out to catch the plane to Boston in an hour…… ! Yes, last three days I was attending Oracle Open World and co-presented with Chad on topic “Wire Speed Cryptography for SOA and Java EE applications” – In our presentation, we put together all the concepts and tried our best to illustrate the applied crypto mechanisms related to SOA security and the secret sauce configuration/deployment of Sun CMT based cryptographic acceleration for delivering wire-speed security performance for SOA and Java EE applications. You may find the presentation is tailored to Oracle SOA and Weblogic but frankly speaking it applies well to all Java EE based SOA application deployments.
Enjoy the slides for now ! Feel free to ping for questions………all I can promise now… is sooner you will see a detailed Sun Blueprint on this topic ! So please stay tuned.