Hardware Assisted Security: Cryptographic Acceleration for SOA and Java EE applications

I’ve spent the last few days attending Oracle OpenWorld conference at San Francisco..it is my second OOW experience, so it is not a surprise to see the conference was fully packed with people, hundreds of sessions and demos – I did have an opportunity to attend few and also present two sessions focused on Security topics featuring “Hardware Assisted Security Solution for SOA, XML Web Services and Java EE applications” – showcasing how “Hardware and Software Engineered together”.

During the conference, John Fowler – Oracle EVP, Systems announced the industry’s first 16 core processor introducing new SPARC T3 systems with integrated security and virtualization capabilities. Each SPARC T3 processor features 16 on-chip cryptographic accelerators that deliver cryptographic operations running in parallel at CPU speeds and offloading compute-intensive cryptographic functions from software – thus eliminating the need for additional special-purpose cryptographic accelerators such as PCIe cards or network appliances. The cryptographic operation offload and acceleration is accomplished using dedicated cryptographic accelerator drivers, called the Niagara Crypto Provider (NCP), Niagara 2 Crypto Provider (N2CP) and Niagara 2 Random Number Generator (N2RNG). In practice, the NCP and N2CP accelerators uses the Oracle Solaris Cryptographic Framework for enabling user-level applications to off-load cryptographic operations via PKCS#11 standard interfaces and take advantage of NCP and N2CP based on-chip cryptographic acceleration. The current UltraSPARC T3 processors provide acceleration support for public-key encryption mechanisms including RSA, DSA, DH and ECC algorithms,  symmetric key-based encryption amechanisms including DES, 3DES, AES and Kasumi algorthms and Message disgest/hashing mechanisms MD5, SHA1, SHA-256 and SHA-512 algorithms. The Solaris Cryptographic Framework (SCF) library plays a vital role for providing applications access to NCP and N2CP accelerators through a set of cryptographic services for kernel-level and user-level consumers. Using PKCS#11 interfaces of Solaris Cryptographic Framework, SOA and Java EE Applications (ex. Oracle Fusion Middleware, WebLogic, Glassfish, JBoss, Websphere)  can take advantage of NCP and N2CP based cryptography acceleration (Refer figure).

Hardware Assisted Cryptographic Acceleration using Solaris on UltraSPARC T3 Servers

Cryptographic Acceleration for SOA and Java EE Security

Both SOA/XML Web services and Java EE based applications can significantly gain on security performance by offloading and delegating their cryptographic operations to the on-chip cryptographic accelerators of Oracle SPARC Enterprise T-Series servers.

Applied Security Mechanisms and Usage Scenarios

To enhance security performance, both the Oracle WebLogic server and Oracle WSM secured applications can offload select cryptographic operations to address the following security scenarios.

  • Transport-layer Security
    • SSL/TLS acceleration offloads computationally intensive public-key cryptographic operations such as RSA, DH and ECC.
    • RMI over IIOP with SSL uses SSL/TLS to protect IIOP connections to RMI remote objects.
  • Message-Layer Security
    • Acceleration of cryptographic operations intended for supporting XML Web Services security standards such as WS-Security, WS-SecurityPolicy. XML Web services security relies on public-key encryption, digital signature (ex. RSA, DSA), bulk encryption (ex. AES, 3DES,DES) and message digest (ex. SHA-1, SHA-2, MD5) functions intended for supporting XML encryption, XML digital signature and related cryptographic operations.

Performance Characteristics

Based on a performance study, Oracle’s SPARC Enterprise T3-1 server was used to evaluate both SSL and WS-Security application performance of a SOA/XML Web Services application deployed on Oracle Fusion Middleware (WebLogic 10.3.3 and Oracle Web Services Manager).

  • Enabling on-chip acceleration for SSL (Cipher suite using RSA-1024/AES-256) and WS-Security (Algorithm suite using Basic256Rsa15) usecases  solidly delivered between 2X – 3X overall application throughput performance gain  in comparison with SSL and WS-Security usecases running with no acceleration.
  • Using Oracle Solaris KSSL as an SSL proxy provided an additional performance gain of about 25-30% outperforming WebLogic server SSL configured using Java SunPKCS11 provider for enabling cryptographic acceleration.

Now, you got the highlights,  if you are ready to dig deeper on the details and test-drive the solution – Please download and read the following two whitepapers (available from Oracle Technology network)  that explores the above solution from ground up.

If you are curious to see the OOW presentation – It is right here.

Thanks to Vikas Jain, Nitin Handa and Chad Prucha for all the help and support on this effort.

Don’t forget to let me know, if you had any comments and suggestions.

One thought on “Hardware Assisted Security: Cryptographic Acceleration for SOA and Java EE applications

Leave a Reply

Your email address will not be published. Required fields are marked *