CSP API Sets
User applications can utilize cryptographic services indirectly via i5/OS functions (SSL/TLS, VPN IPSec)
or directly via the following APIs:
y
The Common Cryptographic Architecture (CCA) API set is provided for running cryptographic
operations on a Cryptographic Coprocessor.
y
The i5/OS Cryptographic Services API set is provided for running cryptographic operations within
the Licensed Internal Code.
y
Java Cryptography Extension (JCE) is a standard extension to the Java Software Development Kit
(JDK).
y
GSS (Generic Security Services), Java GSS, and Kerberos APIs are part of the Network
Authentication Service that provides authentication and security services. These services include
session level encryption capability.
y
i5/OS SSL and JSSE support the Secure Sockets Layer Protocol. APIs provide session level
encryption capability.
y
Structured Query Language is used to access or modify information in a database. SQL supports
encryption/decryption of database fields.
8.2 Cryptography Performance Test Environment
All measurements were completed on an IBM System i5 570+ 8-Way (2.2 GHz). The system is
configured as an LPAR, and each test was performed on a single partition with one dedicated CPU. The
partition was solely dedicated to run each test. The IBM 4764 PCI-X Cryptographic Coprocessor card is
installed in a PCI-X slot.
This System i model is a POWER5 hardware system, which provides Simultaneous Multi-Threading. The
tools used to obtain this data are in some cases only single threaded (single instruction stream)
applications, which don’t take advantage of the performance benefits of SMT. See section 8.6 for
additional information.
Cryptperf is an IBM internal use primative-level cryptographic function test driver used to explore and
measure System i cryptographic performance. It supports parameterized calls to various i5/OS CSPs. See
section 8.6 for additional information.
Cipher:
Measures the performance of either symmetric or asymmetric key encrypt depending on
algorithm selected.
Digest:
Measures the performance of
hash functions.
Sign:
Measures the performance of hash with private key encrypt
.
Pin:
Measures encrypted PIN verify using the IBM 3624 PIN format with the IBM 3624 PIN
calculation method.
All i5/OS and JCE test cases run at a near 100% CPU utilization. The test cases that use the
Cryptographic Coprocessor will offload all cryptographic functions, so that CPU utilization is negligible.
The relative performance and recommendations found in this chapter are similar for other models, but the
data presented here is not representative of a specific customer environment. Cryptographic functions are
very CPU intensive and scale easily. Adding or removing CPU’s to an environment will change
performance, so results in other environments may vary significantly.
IBM i 6.1 Performance Capabilities Reference - January/April/October 2008
©
Copyright IBM Corp. 2008
Chapter 8 Cryptography Performance
143